diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml new file mode 100644 index 00000000000..8177cd731d2 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/activemq.yml 
@@ -0,0 +1,96 @@ +inputs: + - name: activemq/metrics-activemq + type: activemq/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.activemq.broker.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.broker + type: metrics + hosts: + - ${kubernetes.hints.activemq.broker.host|'localhost:8161'} + metricsets: + - broker + password: ${kubernetes.hints.activemq.broker.password|'admin'} + path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false + period: ${kubernetes.hints.activemq.broker.period|'10s'} + tags: + - forwarded + - activemq-broker + username: ${kubernetes.hints.activemq.broker.username|'admin'} + - condition: ${kubernetes.hints.activemq.queue.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.queue + type: metrics + hosts: + - ${kubernetes.hints.activemq.queue.host|'localhost:8161'} + metricsets: + - queue + password: ${kubernetes.hints.activemq.queue.password|'admin'} + path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false + period: ${kubernetes.hints.activemq.queue.period|'10s'} + tags: + - forwarded + - activemq-queue + username: ${kubernetes.hints.activemq.queue.username|'admin'} + - condition: ${kubernetes.hints.activemq.topic.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.topic + type: metrics + hosts: + - ${kubernetes.hints.activemq.topic.host|'localhost:8161'} + metricsets: + - topic + password: ${kubernetes.hints.activemq.topic.password|'admin'} + path: /api/jolokia/?ignoreErrors=true&canonicalNaming=false + period: ${kubernetes.hints.activemq.topic.period|'10s'} + tags: + - forwarded + - activemq-topic + username: ${kubernetes.hints.activemq.topic.username|'admin'} + data_stream.namespace: default + - name: filestream-activemq + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.activemq.audit.enabled} == true or 
${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.audit + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.activemq.audit.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - activemq-audit + - condition: ${kubernetes.hints.activemq.log.enabled} == true or ${kubernetes.hints.activemq.enabled} == true + data_stream: + dataset: activemq.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: '^\d{4}-\d{2}-\d{2} ' + parsers: + - container: + format: auto + stream: ${kubernetes.hints.activemq.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - activemq-log + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml new file mode 100644 index 00000000000..bdf487d2d5c --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/apache.yml 
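Review bot: All three metrics streams fall back to the ActiveMQ factory credentials (`username: ${kubernetes.hints.activemq.broker.username|'admin'}` / `password: ${kubernetes.hints.activemq.broker.password|'admin'}`, repeated for the queue and topic streams), so a pod that sets only `activemq.enabled` silently authenticates to the Jolokia endpoint as admin/admin. A default password in a shipped template rewards leaving the broker on its factory credentials, and the hint values are presumably carried as pod annotations, which anyone with pod read access in the namespace can see. I would drop the fallback so a missing hint fails the stream rather than guessing, e.g. `password: ${kubernetes.hints.activemq.broker.password}`, and add a comment pointing operators at a Secret-backed way to populate it if the agent offers one. The default target `localhost:8161` with path `/api/jolokia/?ignoreErrors=true&canonicalNaming=false` is plain HTTP, which is acceptable for a broker in the same pod but worth stating in a comment.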
@@ -0,0 +1,134 @@ +inputs: + - name: apache/metrics-apache + type: apache/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.apache.status.enabled} == true or ${kubernetes.hints.apache.enabled} == true + data_stream: + dataset: apache.status + type: metrics + hosts: + - ${kubernetes.hints.apache.status.host|'http://127.0.0.1'} + metricsets: + - status + period: ${kubernetes.hints.apache.status.period|'30s'} + server_status_path: /server-status + data_stream.namespace: default + - name: filestream-apache + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.apache.access.enabled} == true or ${kubernetes.hints.apache.enabled} == true + data_stream: + dataset: apache.access + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.apache.access.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - apache-access + - condition: ${kubernetes.hints.apache.error.enabled} == true or ${kubernetes.hints.apache.enabled} == true + data_stream: + dataset: apache.error + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.apache.error.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - apache-error + data_stream.namespace: default + - name: httpjson-apache + type: httpjson + use_output: default + streams: + - condition: ${kubernetes.hints.apache.access.enabled} == true and ${kubernetes.hints.apache.enabled} == true + config_version: "2" + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: apache.access + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="access*" | streamstats 
max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - apache-access + - condition: ${kubernetes.hints.apache.error.enabled} == true and ${kubernetes.hints.apache.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: apache.error + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype=apache:error OR sourcetype=apache_error | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - apache-error + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml new file mode 100644 index 00000000000..296b330c807 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cassandra.yml 
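Review bot: Both httpjson streams post to a hard-coded `request.url: https://server.example.com:8089/services/search/jobs/export` that no hint can override, and no `auth.basic` or `request.ssl` settings appear next to it, so once both hints are set the agent starts sending search requests every 10s to a placeholder host. If this endpoint is meant to be configurable it should be hinted like the other hosts, e.g. `request.url: ${kubernetes.hints.apache.access.url}` with no default, so the stream fails loudly instead of talking to example.com. Two smaller inconsistencies: the access stream has `config_version: "2"` (string) while the error stream has `config_version: 2` (integer), and both httpjson conditions use `and` where every other stream in these templates uses `or`; if `and` is deliberate to keep them opt-in, a comment saying so would help.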
@@ -0,0 +1,327 @@ +inputs: + - name: jolokia/metrics-cassandra + type: jolokia/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.cassandra.metrics.enabled} == true or ${kubernetes.hints.cassandra.enabled} == true + data_stream: + dataset: cassandra.metrics + type: metrics + hosts: + - ${kubernetes.hints.cassandra.metrics.host|'localhost:8778'} + jmx.mappings: + - attributes: + - attr: ReleaseVersion + field: system.version + - attr: ClusterName + field: system.cluster + - attr: LiveNodes + field: system.live_nodes + - attr: UnreachableNodes + field: system.unreachable_nodes + - attr: LeavingNodes + field: system.leaving_nodes + - attr: JoiningNodes + field: system.joining_nodes + - attr: MovingNodes + field: system.moving_nodes + mbean: org.apache.cassandra.db:type=StorageService + - attributes: + - attr: Datacenter + field: system.data_center + - attr: Rack + field: system.rack + mbean: org.apache.cassandra.db:type=EndpointSnitchInfo + - attributes: + - attr: Count + field: storage.total_hint_in_progress + mbean: org.apache.cassandra.metrics:name=TotalHintsInProgress,type=Storage + - attributes: + - attr: Count + field: storage.total_hints + mbean: org.apache.cassandra.metrics:name=TotalHints,type=Storage + - attributes: + - attr: Count + field: storage.exceptions + mbean: org.apache.cassandra.metrics:name=Exceptions,type=Storage + - attributes: + - attr: Count + field: storage.load + mbean: org.apache.cassandra.metrics:name=Load,type=Storage + - attributes: + - attr: OneMinuteRate + field: hits.succeeded_per_second + mbean: org.apache.cassandra.metrics:type=HintsService,name=HintsSucceeded + - attributes: + - attr: OneMinuteRate + field: hits.failed_per_second + mbean: org.apache.cassandra.metrics:type=HintsService,name=HintsFailed + - attributes: + - attr: OneMinuteRate + field: hits.timed_out_per_second + mbean: org.apache.cassandra.metrics:type=HintsService,name=HintsTimedOut + - attributes: + - attr: CollectionTime + field: 
gc.concurrent_mark_sweep.collection_time + - attr: CollectionCount + field: gc.concurrent_mark_sweep.collection_count + mbean: java.lang:type=GarbageCollector,name=ConcurrentMarkSweep + - attributes: + - attr: CollectionTime + field: gc.par_new.collection_time + - attr: CollectionCount + field: gc.par_new.collection_count + mbean: java.lang:type=GarbageCollector,name=ParNew + - attributes: + - attr: HeapMemoryUsage + field: memory.heap_usage + - attr: NonHeapMemoryUsage + field: memory.other_usage + mbean: java.lang:type=Memory + - attributes: + - attr: Value + field: task.complete + mbean: org.apache.cassandra.metrics:name=CompletedTasks,type=CommitLog + - attributes: + - attr: Value + field: task.pending + mbean: org.apache.cassandra.metrics:name=PendingTasks,type=CommitLog + - attributes: + - attr: Value + field: task.total_commitlog_size + mbean: org.apache.cassandra.metrics:name=TotalCommitLogSize,type=CommitLog + - attributes: + - attr: Count + field: client_request.write.timeouts + - attr: OneMinuteRate + field: client_request.write.timeoutsms + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Timeouts,scope=Write + - attributes: + - attr: Count + field: client_request.write.unavailables + - attr: OneMinuteRate + field: client_request.write.unavailablesms + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Unavailables,scope=Write + - attributes: + - attr: Count + field: client_request.write.count + - attr: OneMinuteRate + field: client_request.write.one_minute_rate + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Latency,scope=Write + - attributes: + - attr: Count + field: client_request.write.total_latency + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=TotalLatency,scope=Write + - attributes: + - attr: Count + field: client_request.read.timeouts + - attr: OneMinuteRate + field: client_request.read.timeoutsms + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Timeouts,scope=Read + - attributes: + - 
attr: Count + field: client_request.read.unavailables + - attr: OneMinuteRate + field: client_request.read.unavailablesms + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Unavailables,scope=Read + - attributes: + - attr: Count + field: client_request.read.count + - attr: OneMinuteRate + field: client_request.read.one_minute_rate + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Latency,scope=Read + - attributes: + - attr: Count + field: client_request.read.total_latency + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=TotalLatency,scope=Read + - attributes: + - attr: OneMinuteRate + field: client_request.range_slice.one_minute_rate + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Latency,scope=RangeSlice + - attributes: + - attr: Count + field: client_request.range_slice.total_latency + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=TotalLatency,scope=RangeSlice + - attributes: + - attr: OneMinuteRate + field: client_request.caswrite.one_minute_rate + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Latency,scope=CASWrite + - attributes: + - attr: OneMinuteRate + field: client_request.casread.one_minute_rate + mbean: org.apache.cassandra.metrics:type=ClientRequest,name=Latency,scope=CASRead + - attributes: + - attr: Value + field: client.connected_native_clients + mbean: org.apache.cassandra.metrics:type=Client,name=connectedNativeClients + - attributes: + - attr: Value + field: compaction.completed + mbean: org.apache.cassandra.metrics:name=CompletedTasks,type=Compaction + - attributes: + - attr: Value + field: compaction.pending + mbean: org.apache.cassandra.metrics:name=PendingTasks,type=Compaction + - attributes: + - attr: Value + field: table.live_ss_table_count + mbean: org.apache.cassandra.metrics:type=Table,name=LiveSSTableCount + - attributes: + - attr: Value + field: table.live_disk_space_used + mbean: org.apache.cassandra.metrics:type=Table,name=LiveDiskSpaceUsed + - attributes: + 
- attr: Value + field: table.all_memtables_heap_size + mbean: org.apache.cassandra.metrics:type=Table,name=AllMemtablesHeapSize + - attributes: + - attr: Value + field: table.all_memtables_off_heap_size + mbean: org.apache.cassandra.metrics:type=Table,name=AllMemtablesOffHeapSize + - attributes: + - attr: OneMinuteRate + field: cache.key_cache.requests.one_minute_rate + mbean: org.apache.cassandra.metrics:type=Cache,scope=KeyCache,name=Requests + - attributes: + - attr: Value + field: cache.key_cache.capacity + mbean: org.apache.cassandra.metrics:type=Cache,scope=KeyCache,name=Capacity + - attributes: + - attr: Value + field: cache.key_cache.one_minute_hit_rate + mbean: org.apache.cassandra.metrics:type=Cache,scope=KeyCache,name=OneMinuteHitRate + - attributes: + - attr: OneMinuteRate + field: cache.row_cache.requests.one_minute_rate + mbean: org.apache.cassandra.metrics:type=Cache,scope=RowCache,name=Requests + - attributes: + - attr: Value + field: cache.row_cache.capacity + mbean: org.apache.cassandra.metrics:type=Cache,scope=RowCache,name=Capacity + - attributes: + - attr: Value + field: cache.row_cache.one_minute_hit_rate + mbean: org.apache.cassandra.metrics:type=Cache,scope=RowCache,name=OneMinuteHitRate + - attributes: + - attr: Value + field: thread_pools.counter_mutation_stage.request.active + mbean: org.apache.cassandra.metrics:name=ActiveTasks,path=request,scope=CounterMutationStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.counter_mutation_stage.request.pending + mbean: org.apache.cassandra.metrics:name=PendingTasks,path=request,scope=CounterMutationStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.mutation_stage.request.active + mbean: org.apache.cassandra.metrics:name=ActiveTasks,path=request,scope=MutationStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.mutation_stage.request.pending + mbean: 
org.apache.cassandra.metrics:name=PendingTasks,path=request,scope=MutationStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.read_repair_stage.request.active + mbean: org.apache.cassandra.metrics:name=ActiveTasks,path=request,scope=ReadRepairStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.read_repair_stage.request.pending + mbean: org.apache.cassandra.metrics:name=PendingTasks,path=request,scope=ReadRepairStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.read_stage.request.active + mbean: org.apache.cassandra.metrics:name=ActiveTasks,path=request,scope=ReadStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.read_stage.request.pending + mbean: org.apache.cassandra.metrics:name=PendingTasks,path=request,scope=ReadStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.request_response_stage.request.active + mbean: org.apache.cassandra.metrics:name=ActiveTasks,path=request,scope=RequestResponseStage,type=ThreadPools + - attributes: + - attr: Value + field: thread_pools.request_response_stage.request.pending + mbean: org.apache.cassandra.metrics:name=PendingTasks,path=request,scope=RequestResponseStage,type=ThreadPools + - attributes: + - attr: Value + field: column_family.total_disk_space_used + mbean: org.apache.cassandra.metrics:name=TotalDiskSpaceUsed,type=ColumnFamily + - attributes: + - attr: Count + field: dropped_message.batch_remove + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=BATCH_REMOVE,name=Dropped + - attributes: + - attr: Count + field: dropped_message.batch_store + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=BATCH_STORE,name=Dropped + - attributes: + - attr: Count + field: dropped_message.counter_mutation + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=COUNTER_MUTATION,name=Dropped + - attributes: + - attr: Count + field: dropped_message.hint + mbean: 
org.apache.cassandra.metrics:type=DroppedMessage,scope=HINT,name=Dropped + - attributes: + - attr: Count + field: dropped_message.mutation + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=MUTATION,name=Dropped + - attributes: + - attr: Count + field: dropped_message.paged_range + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=PAGED_RANGE,name=Dropped + - attributes: + - attr: Count + field: dropped_message.range_slice + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=RANGE_SLICE,name=Dropped + - attributes: + - attr: Count + field: dropped_message.read + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=READ,name=Dropped + - attributes: + - attr: Count + field: dropped_message.read_repair + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=READ_REPAIR,name=Dropped + - attributes: + - attr: Count + field: dropped_message.request_response + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=REQUEST_RESPONSE,name=Dropped + - attributes: + - attr: Count + field: dropped_message.trace + mbean: org.apache.cassandra.metrics:type=DroppedMessage,scope=_TRACE,name=Dropped + metricsets: + - jmx + namespace: metrics + password: ${kubernetes.hints.cassandra.metrics.password|'admin'} + path: /jolokia/?ignoreErrors=true&canonicalNaming=false + period: ${kubernetes.hints.cassandra.metrics.period|'10s'} + username: ${kubernetes.hints.cassandra.metrics.username|'admin'} + data_stream.namespace: default + - name: filestream-cassandra + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.cassandra.log.enabled} == true or ${kubernetes.hints.cassandra.enabled} == true + data_stream: + dataset: cassandra.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: ^([A-Z]) + parsers: + - container: + format: auto + stream: ${kubernetes.hints.cassandra.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + 
prospector: + scanner: + symlinks: true + tags: + - forwarded + - cassandra-systemlogs + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml new file mode 100644 index 00000000000..524cb6159f3 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cef.yml @@ -0,0 +1,51 @@ +inputs: + - name: filestream-cef + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.cef.log.enabled} == true or ${kubernetes.hints.cef.enabled} == true + data_stream: + dataset: cef.log + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.cef.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - rename: + fields: + - from: message + to: event.original + - decode_cef: + field: event.original + prospector: + scanner: + symlinks: true + tags: + - cef + - forwarded + data_stream.namespace: default + - name: udp-cef + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.cef.log.enabled} == true or ${kubernetes.hints.cef.enabled} == true + data_stream: + dataset: cef.log + type: logs + host: localhost:9003 + processors: + - rename: + fields: + - from: message + to: event.original + - decode_cef: + field: event.original + tags: + - cef + - forwarded + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml new file mode 100644 index 00000000000..c8d49475fb3 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/checkpoint.yml 
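Review bot: The jolokia stream at the end of the mapping list defaults to `username: ${kubernetes.hints.cassandra.metrics.username|'admin'}` / `password: ${kubernetes.hints.cassandra.metrics.password|'admin'}`, so enabling `cassandra.enabled` without credentials makes the agent try admin/admin against `localhost:8778` over plain HTTP. A missing hint should fail the stream rather than fall back to a guessable literal: `password: ${kubernetes.hints.cassandra.metrics.password}`. Hints are presumably delivered as pod annotations, so even a real password sits in cleartext on the pod object; a comment pointing operators to a Secret-backed mechanism, if the agent supports one, belongs next to these two keys. Separately, the `hits.succeeded_per_second` / `hits.failed_per_second` / `hits.timed_out_per_second` fields map `HintsService` mbeans and look like a typo for `hints.*`; do not rename them here without checking the package's field mappings, but flag it upstream.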
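Review bot: The `udp-cef` input binds `host: localhost:9003` as a literal, unlike the `hosts` values elsewhere in this change which are hint-driven, so the listener cannot be moved to a pod IP or another port per workload without editing the template. Loopback is the right safe default for a UDP socket that feeds unauthenticated bytes into `decode_cef`, so keep it but make the choice explicit and overridable: `host: ${kubernetes.hints.cef.log.host|'localhost:9003'}`. The UDP stream also sets no `max_message_size`, so the input's own default applies; I cannot confirm that default from here, but a comment noting it would help whoever exposes this beyond loopback.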
@@ -0,0 +1,62 @@ +inputs: + - name: filestream-checkpoint + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.checkpoint.firewall.enabled} == true or ${kubernetes.hints.checkpoint.enabled} == true + data_stream: + dataset: checkpoint.firewall + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.checkpoint.firewall.stream|'all'} + paths: null + processors: + - add_locale: null + - add_fields: + fields: + internal_zones: + - trust + target: _temp_ + - add_fields: + fields: + external_zones: + - untrust + target: _temp_ + prospector: + scanner: + symlinks: true + tags: + - forwarded + data_stream.namespace: default + - name: tcp-checkpoint + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.checkpoint.firewall.enabled} == true or ${kubernetes.hints.checkpoint.enabled} == true + data_stream: + dataset: checkpoint.firewall + type: logs + host: localhost:9001 + processors: + - add_locale: null + tags: + - forwarded + data_stream.namespace: default + - name: udp-checkpoint + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.checkpoint.firewall.enabled} == true or ${kubernetes.hints.checkpoint.enabled} == true + data_stream: + dataset: checkpoint.firewall + type: logs + host: localhost:9001 + processors: + - add_locale: null + tags: + - forwarded + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cloud_security_posture.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cloud_security_posture.yml new file mode 100644 index 00000000000..bbc867294c7 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cloud_security_posture.yml 
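Review bot: The `filestream-checkpoint` stream has `paths: null`, so when `checkpoint.firewall.enabled` or `checkpoint.enabled` is set the filestream input either starts with nothing to read or rejects the config (I cannot tell which from here), while the tcp/udp inputs on the same condition do work. Every other filestream template in this change uses `paths: - /var/log/containers/*${kubernetes.hints.container_id}.log`; use that here or drop the filestream input so the enable hint does not silently do nothing. The two syslog listeners are pinned to `host: localhost:9001` with no hint override, which is the safe choice for unauthenticated TCP/UDP ingestion but should be stated, e.g. `# loopback only: firewall logs are expected from a forwarder in the same pod` if that is the intended topology.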
@@ -0,0 +1,93 @@ +inputs: + - name: cloudbeat/cis_k8s-cloud_security_posture + type: cloudbeat/cis_k8s + use_output: default + streams: + - condition: ${kubernetes.hints.cloud_security_posture.findings.enabled} == true or ${kubernetes.hints.cloud_security_posture.enabled} == true + data_stream: + dataset: cloud_security_posture.findings + type: logs + evaluator: + decision_logs: false + fetchers: + - name: kube-api + - directory: /hostfs + name: process + processes: + etcd: null + kube-apiserver: null + kube-controller: null + kube-scheduler: null + kubelet: + config-file-arguments: + - config + - name: file-system + patterns: + - /hostfs/etc/kubernetes/scheduler.conf + - /hostfs/etc/kubernetes/controller-manager.conf + - /hostfs/etc/kubernetes/admin.conf + - /hostfs/etc/kubernetes/kubelet.conf + - /hostfs/etc/kubernetes/manifests/etcd.yaml + - /hostfs/etc/kubernetes/manifests/kube-apiserver.yaml + - /hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml + - /hostfs/etc/kubernetes/manifests/kube-scheduler.yaml + - /hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf + - /hostfs/etc/kubernetes/pki/* + - /hostfs/var/lib/kubelet/config.yaml + - /hostfs/var/lib/etcd + - /hostfs/etc/kubernetes/pki + name: Findings + period: 4h + processors: + - add_cluster_id: null + data_stream.namespace: default + - name: cloudbeat/cis_eks-cloud_security_posture + type: cloudbeat/cis_eks + use_output: default + streams: + - condition: ${kubernetes.hints.cloud_security_posture.findings.enabled} == true and ${kubernetes.hints.cloud_security_posture.enabled} == true + data_stream: + dataset: cloud_security_posture.findings + type: logs + evaluator: + decision_logs: false + fetchers: + - name: kube-api + - directory: /hostfs + name: process + processes: + kubelet: + config-file-arguments: + - config + - name: aws-ecr + - name: aws-elb + - name: file-system + patterns: + - /hostfs/etc/kubernetes/kubelet/kubelet-config.json + - /hostfs/var/lib/kubelet/kubeconfig + name: 
Findings + period: 4h + processors: + - add_cluster_id: null + data_stream.namespace: default + - name: filestream-cloud_security_posture + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.cloud_security_posture.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml new file mode 100644 index 00000000000..531706b7345 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cockroachdb.yml 
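Review bot: The `file-system` fetcher patterns in the cis_k8s stream include `/hostfs/etc/kubernetes/pki/*`, `/hostfs/etc/kubernetes/pki` and `/hostfs/var/lib/etcd` — the cluster CA/serving private keys and the etcd data directory — so this template only works with a hostPath mount of the node root at `/hostfs`, and whatever the fetcher emits from those paths lands in the `cloud_security_posture.findings` data stream. Presumably only permission and ownership metadata is evaluated for the CIS checks rather than file contents, but that is not visible here and deserves a comment above `patterns:` saying so and that the mount must be read-only. Separately, the cis_eks stream's condition is `... findings.enabled == true and ... enabled == true` whereas cis_k8s uses `or`, so `cloud_security_posture.enabled` alone turns on the self-managed checks but not the EKS ones; if that asymmetry is deliberate, document it, otherwise align it to `or`.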
@@ -0,0 +1,44 @@ +inputs: + - name: filestream-cockroachdb + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.cockroachdb.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default + - name: prometheus/metrics-cockroachdb + type: prometheus/metrics + use_output: default + streams: + - bearer_token_file: null + condition: ${kubernetes.hints.cockroachdb.status.enabled} == true or ${kubernetes.hints.cockroachdb.enabled} == true + data_stream: + dataset: cockroachdb.status + type: metrics + hosts: + - ${kubernetes.hints.cockroachdb.status.host|'localhost:8080'} + metrics_filters.exclude: null + metrics_filters.include: null + metrics_path: /_status/vars + metricsets: + - collector + password: null + period: ${kubernetes.hints.cockroachdb.status.period|'10s'} + ssl.certificate_authorities: null + use_types: true + username: null + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/crowdstrike.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/crowdstrike.yml new file mode 100644 index 00000000000..95a2730c18b --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/crowdstrike.yml 
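Review bot: The prometheus stream hard-codes `bearer_token_file: null`, `username: null`, `password: null` and `ssl.certificate_authorities: null`, so a CockroachDB whose `/_status/vars` endpoint sits behind TLS or authentication cannot be scraped via hints at all, and `hosts` defaults to `localhost:8080` with no scheme, which will be plain HTTP. Since every other tunable in this stream is hint-driven these should be too, e.g. `ssl.certificate_authorities: ${kubernetes.hints.cockroachdb.status.ssl_ca|null}` — I cannot confirm from here that the hint syntax accepts a null fallback, so verify before adopting that form. The `metrics_filters.include: null` / `metrics_filters.exclude: null` pair is harmless but reads as unfinished; either hint those or remove them.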
@@ -0,0 +1,79 @@ +inputs: + - name: filestream-crowdstrike + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.crowdstrike.falcon.enabled} == true or ${kubernetes.hints.crowdstrike.enabled} == true + data_stream: + dataset: crowdstrike.falcon + type: logs + exclude_files: + - .gz$ + multiline.match: after + multiline.max_lines: 5000 + multiline.negate: true + multiline.pattern: ^{ + multiline.timeout: 10 + parsers: + - container: + format: auto + stream: ${kubernetes.hints.crowdstrike.falcon.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - crowdstrike-falcon + - condition: ${kubernetes.hints.crowdstrike.fdr.enabled} == true or ${kubernetes.hints.crowdstrike.enabled} == true + data_stream: + dataset: crowdstrike.fdr + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.crowdstrike.fdr.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - forwarded + - crowdstrike-fdr + data_stream.namespace: default + - name: aws-s3-crowdstrike + type: aws-s3 + use_output: default + streams: + - condition: ${kubernetes.hints.crowdstrike.fdr.enabled} == true or ${kubernetes.hints.crowdstrike.enabled} == true + data_stream: + dataset: crowdstrike.fdr + type: logs + queue_url: null + sqs.notification_parsing_script.source: | + function parse(n) { + var m = JSON.parse(n); + var evts = []; + var files = m.files; + var bucket = m.bucket; + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + files.forEach(function(f){ + var evt = new S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + return evts; + } + tags: + - forwarded + - crowdstrike-fdr + data_stream.namespace: default 
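Review bot: In the `aws-s3-crowdstrike` stream, `sqs.notification_parsing_script.source` takes both the bucket and the object keys straight from the queue message (`evt.SetS3BucketName(bucket); evt.SetS3ObjectKey(f.path);`), so anyone who can enqueue a message can make the agent fetch and ingest any object its IAM role can read, from any bucket. That is the FDR notification format, so the real control is restricting the SQS queue policy and the role's `s3:GetObject` scope to the FDR bucket; a comment on `queue_url: null` saying exactly that would stop someone attaching a broad role. The script should also skip malformed entries instead of emitting an event with an undefined key: inside the `forEach`, `if (!f || typeof f.path !== "string" || f.path === "") { return; }` before `new S3EventV2()`. `queue_url` itself is `null` with no hint, so the input is inert until the template is edited; if that is intended, the stream probably should not fire on `crowdstrike.enabled` alone.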
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml new file mode 100644 index 00000000000..4dc9361aa41 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/cyberarkpas.yml @@ -0,0 +1,57 @@ +inputs: + - name: filestream-cyberarkpas + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true and ${kubernetes.hints.cyberarkpas.enabled} == true + data_stream: + dataset: cyberarkpas.audit + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.cyberarkpas.audit.stream|'all'} + paths: null + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - forwarded + - cyberarkpas-audit + data_stream.namespace: default + - name: tcp-cyberarkpas + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true or ${kubernetes.hints.cyberarkpas.enabled} == true + data_stream: + dataset: cyberarkpas.audit + type: logs + host: localhost:9301 + processors: + - add_locale: null + tags: + - cyberarkpas-audit + - forwarded + tcp: null + data_stream.namespace: default + - name: udp-cyberarkpas + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.cyberarkpas.audit.enabled} == true or ${kubernetes.hints.cyberarkpas.enabled} == true + data_stream: + dataset: cyberarkpas.audit + type: logs + host: localhost:9301 + processors: + - add_locale: null + tags: + - cyberarkpas-audit + - forwarded + udp: null + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml new file mode 100644 index 00000000000..49503b63346 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/elasticsearch.yml 
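Review bot: `filestream-cyberarkpas` has `paths: null`, so the audit stream collects nothing from container logs even when enabled, and its condition uses `and` while the tcp/udp listeners use `or` — setting `cyberarkpas.enabled` alone starts the network listeners but not the file input. Every other filestream template here uses `paths: - /var/log/containers/*${kubernetes.hints.container_id}.log`; apply that or drop the input. The trailing `tcp: null` / `udp: null` keys and the fixed `host: localhost:9301` look like unfilled placeholders from the package template; loopback-only is the safe exposure for an unauthenticated syslog listener, so remove the null keys and add a comment stating that the bind address is intentionally not hinted.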
@@ -0,0 +1,288 @@
+inputs:
+ - name: filestream-elasticsearch
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.elasticsearch.audit.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.audit
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.elasticsearch.audit.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ - else:
+ - script:
+ id: elasticsearch_audit
+ lang: javascript
+ source: |
+ var requestRegex = new RegExp("request_body=\\\[(.*)\\\]$"); function process(event) {
+ var message = event.Get("message");
+ if (message !== null) {
+ var matches = message.match(requestRegex);
+ if (matches && matches.length > 1) {
+ event.Put("_request", matches[1]);
+ }
+ }
+ }
+ if:
+ regexp:
+ message: ^{
+ then:
+ - decode_json_fields:
+ fields:
+ - message
+ target: _json
+ - rename:
+ fields:
+ - from: _json.request.body
+ to: _request
+ ignore_missing: true
+ - drop_fields:
+ fields:
+ - _json
+ - detect_mime_type:
+ field: _request
+ target: http.request.mime_type
+ - drop_fields:
+ fields:
+ - _request
+ ignore_missing: true
+ prospector:
+ scanner:
+ symlinks: true
+ - condition: ${kubernetes.hints.elasticsearch.deprecation.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.deprecation
+ type: logs
+ exclude_files:
+ - .gz$
+ - _slowlog.log$
+ - _access.log$
+ multiline:
+ match: after
+ negate: true
+ pattern: ^(\[[0-9]{4}-[0-9]{2}-[0-9]{2}|{)
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.elasticsearch.deprecation.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale.when.not.regexp.message: ^{
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ prospector:
+ scanner:
+ symlinks: true
+ - condition: ${kubernetes.hints.elasticsearch.gc.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.gc
+ type: logs
+ exclude_files:
+ - .gz$
+ exclude_lines:
+ - '^(OpenJDK|Java HotSpot).* Server VM '
+ - '^CommandLine flags: '
+ - '^Memory: '
+ - ^{
+ multiline:
+ match: after
+ negate: true
+ pattern: ^(\[?[0-9]{4}-[0-9]{2}-[0-9]{2}|{)
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.elasticsearch.gc.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ prospector:
+ scanner:
+ symlinks: true
+ - condition: ${kubernetes.hints.elasticsearch.server.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.server
+ type: logs
+ exclude_files:
+ - .gz$
+ - _slowlog.log$
+ - _access.log$
+ - _deprecation.log$
+ multiline:
+ match: after
+ negate: true
+ pattern: ^(\[[0-9]{4}-[0-9]{2}-[0-9]{2}|{)
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.elasticsearch.server.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale.when.not.regexp.message: ^{
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ prospector:
+ scanner:
+ symlinks: true
+ - condition: ${kubernetes.hints.elasticsearch.slowlog.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.slowlog
+ type: logs
+ exclude_files:
+ - .gz$
+ multiline:
+ match: after
+ negate: true
+ pattern: ^(\[?[0-9]{4}-[0-9]{2}-[0-9]{2}|{)
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.elasticsearch.slowlog.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale.when.not.regexp.message: ^{
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ prospector:
+ scanner:
+ symlinks: true
+ data_stream.namespace: default
+ - name: elasticsearch/metrics-elasticsearch
+ type: elasticsearch/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.elasticsearch.ccr.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.ccr
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.ccr.host|'http://localhost:9200'}
+ metricsets:
+ - ccr
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.cluster_stats.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.cluster_stats
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.cluster_stats.host|'http://localhost:9200'}
+ metricsets:
+ - cluster_stats
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.enrich.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.enrich
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.enrich.host|'http://localhost:9200'}
+ metricsets:
+ - enrich
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.index.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.index
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.index.host|'http://localhost:9200'}
+ metricsets:
+ - index
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.index_recovery.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.index_recovery
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.index_recovery.host|'http://localhost:9200'}
+ metricsets:
+ - index_recovery
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.index_summary.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.index_summary
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.index_summary.host|'http://localhost:9200'}
+ metricsets:
+ - index_summary
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.ml_job.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.ml_job
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.ml_job.host|'http://localhost:9200'}
+ metricsets:
+ - ml_job
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.node.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.node
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.node.host|'http://localhost:9200'}
+ metricsets:
+ - node
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.node_stats.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.node_stats
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.node_stats.host|'http://localhost:9200'}
+ metricsets:
+ - node_stats
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.pending_tasks.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.pending_tasks
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.pending_tasks.host|'http://localhost:9200'}
+ metricsets:
+ - pending_tasks
+ period: null
+ scope: node
+ - condition: ${kubernetes.hints.elasticsearch.shard.enabled} == true or ${kubernetes.hints.elasticsearch.enabled} == true
+ data_stream:
+ dataset: elasticsearch.stack_monitoring.shard
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.elasticsearch.shard.host|'http://localhost:9200'}
+ metricsets:
+ - shard
+ period: null
+ scope: node
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/endpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/endpoint.yml
new file mode 100644
index 00000000000..178a6098f99
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/endpoint.yml
@@ -0,0 +1,22 @@
+inputs:
+ - name: filestream-endpoint
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.endpoint.container_logs.enabled} == true
+ data_stream:
+ dataset: kubernetes.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml
new file mode 100644
index 00000000000..8e226e0d925
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/fireeye.yml
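Review bot: Every stream of the `elasticsearch/metrics-elasticsearch` input sets `period: null`, so the collection interval can neither be set through a hint nor falls back to a default visible in the template, unlike `period: ${kubernetes.hints.logstash.node.period|'10s'}` in logstash.yml; presumably the input's built-in default applies, but nobody reading this file can tell. Use the same pattern here, e.g. `period: ${kubernetes.hints.elasticsearch.ccr.period|'10s'}` for the ccr stream and the matching key for the other ten; the six `period: null` streams in kibana.yml have the same gap. Separately, the audit stream's script processor guards `message` only against null before calling `message.match(requestRegex)`, so a non-string value would throw inside the processor; `if (typeof message === "string") {` is the safer guard.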
@@ -0,0 +1,59 @@
+inputs:
+ - name: tcp-fireeye
+ type: tcp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.fireeye.nx.enabled} == true or ${kubernetes.hints.fireeye.enabled} == true
+ data_stream:
+ dataset: fireeye.nx
+ type: logs
+ fields_under_root: true
+ host: localhost:9523
+ processors:
+ - add_locale: null
+ tags:
+ - fireeye-nx
+ - forwarded
+ tcp: null
+ data_stream.namespace: default
+ - name: filestream-fireeye
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.fireeye.nx.enabled} == true or ${kubernetes.hints.fireeye.enabled} == true
+ data_stream:
+ dataset: fireeye.nx
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.fireeye.nx.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale: null
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - fireeye-nx
+ data_stream.namespace: default
+ - name: udp-fireeye
+ type: udp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.fireeye.nx.enabled} == true or ${kubernetes.hints.fireeye.enabled} == true
+ data_stream:
+ dataset: fireeye.nx
+ type: logs
+ fields_under_root: true
+ host: localhost:9523
+ processors:
+ - add_locale: null
+ tags:
+ - fireeye-nx
+ - forwarded
+ udp: null
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml
new file mode 100644
index 00000000000..0f1debdee34
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/haproxy.yml
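Review bot: The tcp and udp streams bind `host: localhost:9523` as a literal, whereas the metrics endpoints across this set are hint-driven (`${kubernetes.hints.….host|'…'}`); a listener on localhost is reachable only from the agent's own network namespace, so an operator who needs the agent to accept syslog from elsewhere has to edit the template instead of annotating the pod. A placeholder with the current value as default, `host: ${kubernetes.hints.fireeye.nx.host|'localhost:9523'}`, keeps today's behaviour and makes the address configurable. The same literal `host:` pattern appears in cyberarkpas.yml, hashicorp_vault.yml, infoblox_nios.yml, iptables.yml and the syslog input of haproxy.yml.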
@@ -0,0 +1,68 @@
+inputs:
+ - name: haproxy/metrics-haproxy
+ type: haproxy/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.haproxy.info.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true
+ data_stream:
+ dataset: haproxy.info
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.haproxy.info.host|'tcp://127.0.0.1:14567'}
+ metricsets:
+ - info
+ password: ${kubernetes.hints.haproxy.info.password|'admin'}
+ period: ${kubernetes.hints.haproxy.info.period|'10s'}
+ username: ${kubernetes.hints.haproxy.info.username|'admin'}
+ - condition: ${kubernetes.hints.haproxy.stat.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true
+ data_stream:
+ dataset: haproxy.stat
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.haproxy.stat.host|'tcp://127.0.0.1:14567'}
+ metricsets:
+ - stat
+ password: ${kubernetes.hints.haproxy.stat.password|'admin'}
+ period: ${kubernetes.hints.haproxy.stat.period|'10s'}
+ username: ${kubernetes.hints.haproxy.stat.username|'admin'}
+ data_stream.namespace: default
+ - name: filestream-haproxy
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.haproxy.log.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true
+ data_stream:
+ dataset: haproxy.log
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.haproxy.log.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale: null
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - haproxy-log
+ data_stream.namespace: default
+ - name: syslog-haproxy
+ type: syslog
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.haproxy.log.enabled} == true or ${kubernetes.hints.haproxy.enabled} == true
+ data_stream:
+ dataset: haproxy.log
+ type: logs
+ processors:
+ - add_locale: null
+ protocol.udp:
+ host: localhost:9001
+ tags:
+ - forwarded
+ - haproxy-log
+ data_stream.namespace: default
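Review bot: `password: ${kubernetes.hints.haproxy.info.password|'admin'}` together with `username: ${kubernetes.hints.haproxy.info.username|'admin'}` (and the same pair on the stat stream) makes admin/admin the silent fallback whenever the credential hints are absent, so a mistyped annotation degrades to a well-known default credential instead of a visible configuration error; drop the `|'admin'` defaults, as `${kubernetes.hints.container_id}` already does elsewhere in this set, so a missing hint surfaces as an empty credential, or at least state the fallback in a comment next to the keys. In addition, the syslog input's `protocol.udp` listens on `host: localhost:9001` and the udp input in iptables.yml binds the same `localhost:9001`, so an agent with both integrations enabled would have two inputs contending for one UDP port; give one of them a distinct port.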
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/hashicorp_vault.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/hashicorp_vault.yml
new file mode 100644
index 00000000000..19892110b74
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/hashicorp_vault.yml
@@ -0,0 +1,73 @@
+inputs:
+ - name: filestream-hashicorp_vault
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.hashicorp_vault.audit.enabled} == true or ${kubernetes.hints.hashicorp_vault.enabled} == true
+ data_stream:
+ dataset: hashicorp_vault.audit
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.hashicorp_vault.audit.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - hashicorp-vault-audit
+ - condition: ${kubernetes.hints.hashicorp_vault.log.enabled} == true or ${kubernetes.hints.hashicorp_vault.enabled} == true
+ data_stream:
+ dataset: hashicorp_vault.log
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.hashicorp_vault.log.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - hashicorp-vault-log
+ data_stream.namespace: default
+ - name: tcp-hashicorp_vault
+ type: tcp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.hashicorp_vault.audit.enabled} == true and ${kubernetes.hints.hashicorp_vault.enabled} == true
+ data_stream:
+ dataset: hashicorp_vault.audit
+ type: logs
+ host: localhost:9007
+ max_message_size: 1 MiB
+ tags:
+ - hashicorp-vault-audit
+ - forwarded
+ data_stream.namespace: default
+ - name: prometheus/metrics-hashicorp_vault
+ type: prometheus/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.hashicorp_vault.metrics.enabled} == true or ${kubernetes.hints.hashicorp_vault.enabled} == true
+ data_stream:
+ dataset: hashicorp_vault.metrics
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.hashicorp_vault.metrics.host|'http://localhost:8200'}
+ metrics_path: /v1/sys/metrics
+ metricsets:
+ - collector
+ period: ${kubernetes.hints.hashicorp_vault.metrics.period|'30s'}
+ query:
+ format: prometheus
+ rate_counters: true
+ use_types: true
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/hid_bravura_monitor.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/hid_bravura_monitor.yml
new file mode 100644
index 00000000000..28d8f782d69
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/hid_bravura_monitor.yml
@@ -0,0 +1,42 @@
+inputs:
+ - name: filestream-hid_bravura_monitor
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.hid_bravura_monitor.log.enabled} == true or ${kubernetes.hints.hid_bravura_monitor.enabled} == true
+ data_stream:
+ dataset: hid_bravura_monitor.log
+ type: logs
+ line_terminator: carriage_return_line_feed
+ parsers:
+ - multiline:
+ match: after
+ negate: true
+ pattern: ^[[:cntrl:]]
+ type: pattern
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_fields:
+ fields:
+ event.timezone: UTC
+ hid_bravura_monitor.environment: PRODUCTION
+ hid_bravura_monitor.instancename: default
+ hid_bravura_monitor.instancetype: Privilege-Identity-Password
+ hid_bravura_monitor.node: 0.0.0.0
+ target: ""
+ prospector.scanner.exclude_files:
+ - .gz$
+ tags: null
+ data_stream.namespace: default
+ - name: winlog-hid_bravura_monitor
+ type: winlog
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.hid_bravura_monitor.winlog.enabled} == true or ${kubernetes.hints.hid_bravura_monitor.enabled} == true
+ data_stream:
+ dataset: hid_bravura_monitor.winlog
+ type: logs
+ name: Hitachi-Hitachi ID Systems-Hitachi ID Suite/Operational
+ tags: null
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml
new file mode 100644
index 00000000000..44162f4ac6b
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/iis.yml
@@ -0,0 +1,71 @@
+inputs:
+ - name: filestream-iis
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.iis.access.enabled} == true or ${kubernetes.hints.iis.enabled} == true
+ data_stream:
+ dataset: iis.access
+ type: logs
+ exclude_files:
+ - .gz$
+ exclude_lines:
+ - ^#
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.iis.access.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - iis-access
+ - condition: ${kubernetes.hints.iis.error.enabled} == true or ${kubernetes.hints.iis.enabled} == true
+ data_stream:
+ dataset: iis.error
+ type: logs
+ exclude_files:
+ - .gz$
+ exclude_lines:
+ - ^#
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.iis.error.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - iis-error
+ data_stream.namespace: default
+ - name: iis/metrics-iis
+ type: iis/metrics
+ use_output: default
+ streams:
+ - application_pool.name: null
+ condition: ${kubernetes.hints.iis.application_pool.enabled} == true or ${kubernetes.hints.iis.enabled} == true
+ data_stream:
+ dataset: iis.application_pool
+ type: metrics
+ metricsets:
+ - application_pool
+ period: ${kubernetes.hints.iis.application_pool.period|'10s'}
+ - condition: ${kubernetes.hints.iis.webserver.enabled} == true or ${kubernetes.hints.iis.enabled} == true
+ data_stream:
+ dataset: iis.webserver
+ type: metrics
+ metricsets:
+ - webserver
+ period: ${kubernetes.hints.iis.webserver.period|'10s'}
+ - condition: ${kubernetes.hints.iis.website.enabled} == true or ${kubernetes.hints.iis.enabled} == true
+ data_stream:
+ dataset: iis.website
+ type: metrics
+ metricsets:
+ - website
+ period: ${kubernetes.hints.iis.website.period|'10s'}
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml
new file mode 100644
index 00000000000..ad76a72b86b
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/infoblox_nios.yml
@@ -0,0 +1,51 @@
+inputs:
+ - name: filestream-infoblox_nios
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.infoblox_nios.log.enabled} == true or ${kubernetes.hints.infoblox_nios.enabled} == true
+ data_stream:
+ dataset: infoblox_nios.log
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.infoblox_nios.log.stream|'all'}
+ paths: null
+ processors:
+ - add_locale: null
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - forwarded
+ - infoblox_nios-log
+ data_stream.namespace: default
+ - name: tcp-infoblox_nios
+ type: tcp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.infoblox_nios.log.enabled} == true or ${kubernetes.hints.infoblox_nios.enabled} == true
+ data_stream:
+ dataset: infoblox_nios.log
+ type: logs
+ host: localhost:9027
+ tags:
+ - forwarded
+ - infoblox_nios-log
+ data_stream.namespace: default
+ - name: udp-infoblox_nios
+ type: udp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.infoblox_nios.log.enabled} == true or ${kubernetes.hints.infoblox_nios.enabled} == true
+ data_stream:
+ dataset: infoblox_nios.log
+ type: logs
+ host: localhost:9028
+ tags:
+ - forwarded
+ - infoblox_nios-log
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml
new file mode 100644
index 00000000000..02d1d8330d3
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/iptables.yml
@@ -0,0 +1,54 @@
+inputs:
+ - name: udp-iptables
+ type: udp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.iptables.log.enabled} == true or ${kubernetes.hints.iptables.enabled} == true
+ data_stream:
+ dataset: iptables.log
+ type: logs
+ host: localhost:9001
+ processors:
+ - add_locale: null
+ tags:
+ - iptables-log
+ - forwarded
+ data_stream.namespace: default
+ - name: filestream-iptables
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.iptables.log.enabled} == true and ${kubernetes.hints.iptables.enabled} == true
+ data_stream:
+ dataset: iptables.log
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.iptables.log.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale: null
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - iptables-log
+ - forwarded
+ data_stream.namespace: default
+ - name: journald-iptables
+ type: journald
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.iptables.log.enabled} == true or ${kubernetes.hints.iptables.enabled} == true
+ data_stream:
+ dataset: iptables.log
+ type: logs
+ include_matches:
+ - _TRANSPORT=kernel
+ tags:
+ - iptables-log
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml
new file mode 100644
index 00000000000..c35cff8619d
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/kafka.yml
@@ -0,0 +1,61 @@
+inputs:
+ - name: kafka/metrics-kafka
+ type: kafka/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.kafka.broker.enabled} == true or ${kubernetes.hints.kafka.enabled} == true
+ data_stream:
+ dataset: kafka.broker
+ type: metrics
+ hosts:
+ - localhost:8778
+ metricsets:
+ - broker
+ period: ${kubernetes.hints.kafka.broker.period|'10s'}
+ - condition: ${kubernetes.hints.kafka.consumergroup.enabled} == true or ${kubernetes.hints.kafka.enabled} == true
+ data_stream:
+ dataset: kafka.consumergroup
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.kafka.consumergroup.host|'localhost:9092'}
+ metricsets:
+ - consumergroup
+ period: ${kubernetes.hints.kafka.consumergroup.period|'10s'}
+ - condition: ${kubernetes.hints.kafka.partition.enabled} == true or ${kubernetes.hints.kafka.enabled} == true
+ data_stream:
+ dataset: kafka.partition
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.kafka.partition.host|'localhost:9092'}
+ metricsets:
+ - partition
+ period: ${kubernetes.hints.kafka.partition.period|'10s'}
+ data_stream.namespace: default
+ - name: filestream-kafka
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.kafka.log.enabled} == true or ${kubernetes.hints.kafka.enabled} == true
+ data_stream:
+ dataset: kafka.log
+ type: logs
+ exclude_files:
+ - .gz$
+ multiline:
+ match: after
+ negate: true
+ pattern: ^\[
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.kafka.log.stream|'all'}
+ paths:
+ - /opt/kafka*/var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale: null
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - kafka-log
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/keycloak.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/keycloak.yml
new file mode 100644
index 00000000000..794d014d41c
--- /dev/null
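Review bot: The filestream path `/opt/kafka*/var/log/containers/*${kubernetes.hints.container_id}.log` looks like the integration's on-host log directory prefix spliced in front of the container-log path every other template in this set uses; on a Kubernetes node the container logs live under `/var/log/containers/`, so this glob presumably matches nothing and kafka.log is never collected. Change it to `- /var/log/containers/*${kubernetes.hints.container_id}.log` as in the other templates. The broker stream also hard-codes `- localhost:8778` where the consumergroup and partition streams of the same input use a hint with a default; `- ${kubernetes.hints.kafka.broker.host|'localhost:8778'}` would make the three streams consistent and the JMX endpoint configurable.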
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/keycloak.yml
@@ -0,0 +1,23 @@
+inputs:
+ - name: filestream-keycloak
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.keycloak.log.enabled} == true or ${kubernetes.hints.keycloak.enabled} == true
+ data_stream:
+ dataset: keycloak.log
+ type: logs
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ only_user_events: false
+ tz_offset: local
+ target: _tmp
+ prospector.scanner.exclude_files:
+ - \.gz$
+ tags:
+ - keycloak-log
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml
new file mode 100644
index 00000000000..1c27b4830ab
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/kibana.yml
@@ -0,0 +1,112 @@
+inputs:
+ - name: filestream-kibana
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.kibana.audit.enabled} == true or ${kubernetes.hints.kibana.enabled} == true
+ data_stream:
+ dataset: kibana.audit
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.kibana.audit.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ - decode_json_fields:
+ fields:
+ - message
+ target: kibana._audit_temp
+ prospector:
+ scanner:
+ symlinks: true
+ - condition: ${kubernetes.hints.kibana.log.enabled} == true or ${kubernetes.hints.kibana.enabled} == true
+ data_stream:
+ dataset: kibana.log
+ type: logs
+ exclude_files:
+ - .gz$
+ json.add_error_key: true
+ json.keys_under_root: false
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.kibana.log.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ prospector:
+ scanner:
+ symlinks: true
+ data_stream.namespace: default
+ - name: kibana/metrics-kibana
+ type: kibana/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.kibana.cluster_actions.enabled} == true or ${kubernetes.hints.kibana.enabled} == true
+ data_stream:
+ dataset: kibana.stack_monitoring.cluster_actions
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.kibana.cluster_actions.host|'http://localhost:5601'}
+ metricsets:
+ - cluster_actions
+ period: null
+ - condition: ${kubernetes.hints.kibana.cluster_rules.enabled} == true or ${kubernetes.hints.kibana.enabled} == true
+ data_stream:
+ dataset: kibana.stack_monitoring.cluster_rules
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.kibana.cluster_rules.host|'http://localhost:5601'}
+ metricsets:
+ - cluster_rules
+ period: null
+ - condition: ${kubernetes.hints.kibana.node_actions.enabled} == true or ${kubernetes.hints.kibana.enabled} == true
+ data_stream:
+ dataset: kibana.stack_monitoring.node_actions
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.kibana.node_actions.host|'http://localhost:5601'}
+ metricsets:
+ - node_actions
+ period: null
+ - condition: ${kubernetes.hints.kibana.node_rules.enabled} == true or ${kubernetes.hints.kibana.enabled} == true
+ data_stream:
+ dataset: kibana.stack_monitoring.node_rules
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.kibana.node_rules.host|'http://localhost:5601'}
+ metricsets:
+ - node_rules
+ period: null
+ - condition: ${kubernetes.hints.kibana.stats.enabled} == true or ${kubernetes.hints.kibana.enabled} == true
+ data_stream:
+ dataset: kibana.stack_monitoring.stats
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.kibana.stats.host|'http://localhost:5601'}
+ metricsets:
+ - stats
+ period: null
+ - condition: ${kubernetes.hints.kibana.status.enabled} == true or ${kubernetes.hints.kibana.enabled} == true
+ data_stream:
+ dataset: kibana.stack_monitoring.status
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.kibana.status.host|'http://localhost:5601'}
+ metricsets:
+ - status
+ period: null
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml
new file mode 100644
index 00000000000..b4627a13814
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/log.yml
@@ -0,0 +1,18 @@
+inputs:
+ - name: filestream-log
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.log.log.enabled} == true or ${kubernetes.hints.log.enabled} == true
+ data_stream:
+ dataset: log.log
+ type: logs
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.log.log.stream|'all'}
+ paths: null
+ prospector:
+ scanner:
+ symlinks: true
+ data_stream.namespace: default
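Review bot: The kibana.log stream sets `json.add_error_key: true` and `json.keys_under_root: false` beside a `parsers:` block; those `json.*` keys belong to the legacy log input and, as far as I know, the filestream input ignores them in favour of an `ndjson` parser, so the JSON decoding they intend is presumably not happening for this stream. If that is the case, replace the two keys with a second parser entry after the container parser, `- ndjson:` carrying `add_error_key: true` and `keys_under_root: false` (plus whatever target the ingest pipeline expects). The `period: null` on all six metrics streams in this file mirrors elasticsearch.yml and would benefit from the same hint-with-default form used by logstash.yml.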
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml
new file mode 100644
index 00000000000..6ba62de3274
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/logstash.yml
@@ -0,0 +1,75 @@
+inputs:
+ - name: filestream-logstash
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.logstash.log.enabled} == true or ${kubernetes.hints.logstash.enabled} == true
+ data_stream:
+ dataset: logstash.log
+ type: logs
+ exclude_files:
+ - .gz$
+ multiline:
+ match: after
+ negate: true
+ pattern: ^((\[[0-9]{4}-[0-9]{2}-[0-9]{2}[^\]]+\])|({.+}))
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.logstash.log.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale.when.not.regexp.message: ^{
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ prospector:
+ scanner:
+ symlinks: true
+ - condition: ${kubernetes.hints.logstash.slowlog.enabled} == true or ${kubernetes.hints.logstash.enabled} == true
+ data_stream:
+ dataset: logstash.slowlog
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.logstash.slowlog.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale.when.not.regexp.message: ^{
+ - add_fields:
+ fields:
+ ecs.version: 1.10.0
+ target: ""
+ prospector:
+ scanner:
+ symlinks: true
+ data_stream.namespace: default
+ - name: logstash/metrics-logstash
+ type: logstash/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.logstash.node.enabled} == true or ${kubernetes.hints.logstash.enabled} == true
+ data_stream:
+ dataset: logstash.stack_monitoring.node
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.logstash.node.host|'http://localhost:9600'}
+ metricsets:
+ - node
+ period: ${kubernetes.hints.logstash.node.period|'10s'}
+ - condition: ${kubernetes.hints.logstash.node_stats.enabled} == true or ${kubernetes.hints.logstash.enabled} == true
+ data_stream:
+ dataset: logstash.stack_monitoring.node_stats
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.logstash.node_stats.host|'http://localhost:9600'}
+ metricsets:
+ - node_stats
+ period: ${kubernetes.hints.logstash.node_stats.period|'10s'}
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml
new file mode 100644
index 00000000000..de5c8932af1
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mattermost.yml
@@ -0,0 +1,22 @@
+inputs:
+ - name: filestream-mattermost
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.mattermost.audit.enabled} == true or ${kubernetes.hints.mattermost.enabled} == true
+ data_stream:
+ dataset: mattermost.audit
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.mattermost.audit.stream|'all'}
+ paths: null
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - mattermost-audit
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml
new file mode 100644
index 00000000000..5ac70293051
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/microsoft_sqlserver.yml
@@ -0,0 +1,127 @@ +inputs: + - name: winlog-microsoft_sqlserver + type: winlog + use_output: default + streams: + - condition: ${kubernetes.hints.microsoft_sqlserver.audit.enabled} == true or ${kubernetes.hints.microsoft_sqlserver.enabled} == true + data_stream: + dataset: microsoft_sqlserver.audit + type: logs + event_id: 33205 + ignore_older: 72h + name: Security + data_stream.namespace: default + - name: filestream-microsoft_sqlserver + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.microsoft_sqlserver.log.enabled} == true and ${kubernetes.hints.microsoft_sqlserver.enabled} == true + data_stream: + dataset: microsoft_sqlserver.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: ^\d{4}-\d{2}-\d{2} + parsers: + - container: + format: auto + stream: ${kubernetes.hints.microsoft_sqlserver.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - mssql-logs + data_stream.namespace: default + - name: sql/metrics-microsoft_sqlserver + type: sql/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.microsoft_sqlserver.performance.enabled} == true and ${kubernetes.hints.microsoft_sqlserver.enabled} == true + data_stream: + dataset: microsoft_sqlserver.performance + type: metrics + driver: mssql + dynamic_counter_name: Memory Grants Pending + hosts: + - sqlserver://${kubernetes.hints.microsoft_sqlserver.performance.username|'domain\username'}:${kubernetes.hints.microsoft_sqlserver.performance.password|'verysecurepassword'}@${kubernetes.hints.microsoft_sqlserver.performance.host|'localhost'}:1433 + metricsets: + - query + period: ${kubernetes.hints.microsoft_sqlserver.performance.period|'60s'} + raw_data.enabled: true + sql_queries: + - query: SELECT cntr_value As 'user_connections' FROM sys.dm_os_performance_counters WHERE counter_name= 'User Connections' + response_format: table + - 
query: SELECT cntr_value As 'active_temp_tables' FROM sys.dm_os_performance_counters WHERE counter_name = 'Active Temp Tables' AND object_name like '%General Statistics%' + response_format: table + - query: SELECT cntr_value As 'buffer_cache_hit_ratio' FROM sys.dm_os_performance_counters WHERE counter_name = 'Buffer cache hit ratio' AND object_name like '%Buffer Manager%' + response_format: table + - query: SELECT cntr_value As 'page_splits_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Page splits/sec' + response_format: table + - query: SELECT cntr_value As 'lock_waits_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Lock Waits/sec' AND instance_name = '_Total' + response_format: table + - query: SELECT cntr_value As 'compilations_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'SQL Compilations/sec' + response_format: table + - query: SELECT cntr_value As 'batch_requests_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Batch Requests/sec' + response_format: table + - query: SELECT cntr_value As 'buffer_checkpoint_pages_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Checkpoint pages/sec' AND object_name like '%Buffer Manager%' + response_format: table + - query: SELECT cntr_value As 'buffer_database_pages' FROM sys.dm_os_performance_counters WHERE counter_name = 'Database pages' AND object_name like '%Buffer Manager%' + response_format: table + - query: SELECT cntr_value As 'buffer_page_life_expectancy' FROM sys.dm_os_performance_counters WHERE counter_name = 'Page life expectancy' AND object_name like '%Buffer Manager%' + response_format: table + - query: SELECT cntr_value As 'buffer_target_pages' FROM sys.dm_os_performance_counters WHERE counter_name = 'Target pages' AND object_name like '%Buffer Manager%' + response_format: table + - query: SELECT cntr_value As 'connection_reset_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Connection Reset/sec' 
AND object_name like '%Buffer Manager%' + response_format: table + - query: SELECT cntr_value As 'logins_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Logins/sec' AND object_name like '%General Statistics%' + response_format: table + - query: SELECT cntr_value As 'logouts_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'Logouts/sec' AND object_name like '%General Statistics%' + response_format: table + - query: SELECT cntr_value As 'transactions' FROM sys.dm_os_performance_counters WHERE counter_name = 'Transactions' AND object_name like '%General Statistics%' + response_format: table + - query: SELECT cntr_value As 're_compilations_per_sec' FROM sys.dm_os_performance_counters WHERE counter_name = 'SQL Re-Compilations/sec' + response_format: table + - query: SELECT counter_name As 'dynamic_counter.name', cntr_value As 'dynamic_counter.value' FROM sys.dm_os_performance_counters WHERE counter_name= 'Memory Grants Pending' + response_format: table + - condition: ${kubernetes.hints.microsoft_sqlserver.transaction_log.enabled} == true and ${kubernetes.hints.microsoft_sqlserver.enabled} == true + data_stream: + dataset: microsoft_sqlserver.transaction_log + type: metrics + driver: mssql + hosts: + - sqlserver://${kubernetes.hints.microsoft_sqlserver.transaction_log.username|'domain\username'}:${kubernetes.hints.microsoft_sqlserver.transaction_log.password|'verysecurepassword'}@${kubernetes.hints.microsoft_sqlserver.transaction_log.host|'localhost'}:1433 + metricsets: + - query + period: ${kubernetes.hints.microsoft_sqlserver.transaction_log.period|'60s'} + raw_data.enabled: true + sql_queries: + - query: SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=1; + response_format: table + - query: SELECT 'master' As database_name, database_id,total_log_size_mb,active_log_size_mb,log_backup_time,log_since_last_log_backup_mb,log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(1) master + 
response_format: table + - query: SELECT 'master' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage master + response_format: table + - query: SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=2; + response_format: table + - query: SELECT 'tempdb' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As active_log_size,log_backup_time,log_since_last_log_backup_mb, log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(2) tempdb + response_format: table + - query: SELECT 'tempdb' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage tempdb + response_format: table + - query: SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=3; + response_format: table + - query: SELECT 'model' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As active_log_size,log_backup_time,log_since_last_log_backup_mb, log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(3) model + response_format: table + - query: SELECT 'model' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage model + response_format: table + - query: SELECT name As 'database_name', database_id FROM sys.databases WHERE database_id=4; + response_format: table + - query: SELECT 'msdb' As 'database_name', database_id,total_log_size_mb,active_log_size_mb As active_log_size,log_backup_time,log_since_last_log_backup_mb, 
log_since_last_checkpoint_mb,log_recovery_size_mb FROM sys.dm_db_log_stats(4) msdb + response_format: table + - query: SELECT 'msdb' As 'database_name', total_log_size_in_bytes As total_log_size_bytes, used_log_space_in_bytes As used_log_space_bytes, used_log_space_in_percent As used_log_space_pct, log_space_in_bytes_since_last_backup FROM sys.dm_db_log_space_usage msdb + response_format: table + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml new file mode 100644 index 00000000000..23139e47852 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mimecast.yml 
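Review bot: In the `performance` and `transaction_log` streams the hint-supplied username and password are spliced unescaped into the `sqlserver://user:password@host:1433` DSN under `hosts`, so a real password containing `@`, `:`, `/` or `%` yields a malformed DSN or a different host unless the agent URL-encodes hint values before substitution (not visible here); the template should say which it is, or the DSN should be built from encoded parts. When the password hint is absent the stream falls back to `'domain\username'`/`'verysecurepassword'` and retries a login with those placeholders every `60s`, which appears as failed-login noise in the same `Security` log (`event_id: 33205`) that this file's `winlog` stream collects; an empty default would make the misconfiguration fail visibly instead, and the same placeholder-credential pattern (`'root'`/`'test'`) is in mysql.yml. Separately, the `connection_reset_per_sec` query filters on `object_name like '%Buffer Manager%'` while the sibling `logins_per_sec`/`logouts_per_sec` counters filter on `'%General Statistics%'`; that looks like a copy-paste from the buffer queries and presumably returns no row.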
@@ -0,0 +1,381 @@ +inputs: + - name: httpjson-mimecast + type: httpjson + use_output: default + streams: + - condition: ${kubernetes.hints.mimecast.audit_events.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true + config_version: "2" + cursor: + next_date: + value: '[[.first_event.eventTime]]' + data_stream: + dataset: mimecast.audit_events + type: logs + interval: 5m + request.method: POST + request.transforms: + - set: + target: body.meta.pagination.pageSize + value: 500 + - set: + default: '[{"endDateTime": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "startDateTime":"[[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05+0700"]]"}]' + target: body.data + value: '[{"endDateTime": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "startDateTime":"[[.cursor.next_date]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: null + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: '[[uuid]]' + - set: + fail_on_template_error: true + target: header.Authorization + value: MC :[[hmacBase64 "sha1" (base64Decode "") (sprintf "%s:%s:/api/audit/get-audit-events:" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]] + request.url: https://eu-api.mimecast.com/api/audit/get-audit-events + response.decode_as: application/json + response.pagination: + - set: + fail_on_template_error: true + target: body.meta.pagination.pageToken + value: '[[.last_response.body.meta.pagination.next]]' + response.split: + target: body.data + tags: + - forwarded + - mimecast-audit-events + - condition: ${kubernetes.hints.mimecast.dlp_logs.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true + config_version: "2" + cursor: null + data_stream: + dataset: mimecast.dlp_logs + type: logs + interval: 5m + next_date: + value: '[[.first_event.eventTime]]' + request.method: POST + request.transforms: + - set: + default: '[{"to": "[[formatDate (now) 
"2006-01-02T15:04:05+0700"]]", "from":"[[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05+0700"]]"}]' + target: body.data + value: '[{"to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[.cursor.eventTime]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: null + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: '[[uuid]]' + - set: + fail_on_template_error: true + target: header.Authorization + value: MC :[[hmacBase64 "sha1" (base64Decode "") (sprintf "%s:%s:/api/dlp/get-logs:" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]] + request.url: https://eu-api.mimecast.com/api/dlp/get-logs + response.decode_as: application/json + response.pagination: + - set: + fail_on_template_error: true + target: body.meta.pagination.pageToken + value: '[[.last_response.body.meta.pagination.next]]' + response.split: + split: + target: body.dlpLogs + target: body.data + tags: + - forwarded + - mimecast-dlp-logs + - condition: ${kubernetes.hints.mimecast.siem_logs.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true + config_version: "2" + cursor: + next_token: + value: '[[.last_response.header.Get "mc-siem-token"]]' + data_stream: + dataset: mimecast.siem_logs + type: logs + interval: 5m + request.method: POST + request.transforms: + - set: + default: '[{"type":"MTA","fileFormat":"json", "compress":true}]' + target: body.data + value: '[{"type":"MTA","fileFormat":"json", "compress":true, "token": "[[.cursor.next_token]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: null + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: '[[uuid]]' + - set: + fail_on_template_error: true + target: header.Authorization + value: MC :[[hmacBase64 "sha1" (base64Decode "") (sprintf "%s:%s:/api/audit/get-siem-logs:" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]] + - 
set: + target: header.Accept + value: '*/*' + request.url: https://eu-api.mimecast.com/api/audit/get-siem-logs + response.decode_as: application/zip + response.pagination: + - set: + target: body.data + value: '[{"type":"MTA","fileFormat":"json", "compress":true, "token": "[[.last_response.header.Get "mc-siem-token"]]"}]' + value_type: json + response.split: + target: body.data + transforms: + - set: + target: body.Content-Disposition + value: '[[.last_response.header.Get "Content-Disposition"]]' + tags: + - forwarded + - mimecast-siem-logs + - condition: ${kubernetes.hints.mimecast.threat_intel_malware_customer.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true + config_version: "2" + cursor: + next_date: + value: '[[.first_event.created]]' + data_stream: + dataset: mimecast.threat_intel_malware_customer + type: logs + interval: 5m + request.method: POST + request.transforms: + - set: + default: '[{"feedType": "malware_customer","fileType": "stix","compress": false,"end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05+0700"]]"}]' + target: body.data + value: '[{"feedType": "malware_customer","fileType": "stix","compress": false,"end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[formatDate (.cursor.next_date) "2006-01-02T15:04:05+0700"]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: null + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: '[[uuid]]' + - set: + fail_on_template_error: true + target: header.Authorization + value: MC :[[hmacBase64 "sha1" (base64Decode "") (sprintf "%s:%s:/api/ttp/threat-intel/get-feed:" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]] + request.url: https://eu-api.mimecast.com/api/ttp/threat-intel/get-feed + response.decode_as: application/json + response.pagination: + - set: + target: body.data + value: '[{"feedType": 
"malware_customer","fileType": "stix","compress": false,"token": "[[.last_response.header.Get "x-mc-threat-feed-next-token"]]","end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[.cursor.next_date]]"}]' + value_type: json + response.split: + target: body.objects + transforms: + - set: + target: body.Content-Disposition + value: '[[.last_response.header.Get "Content-Disposition"]]' + tags: + - forwarded + - mimecast-threat-intel-feed-malware-customer + - condition: ${kubernetes.hints.mimecast.threat_intel_malware_grid.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true + config_version: "2" + cursor: + next_date: + value: '[[.first_event.created]]' + data_stream: + dataset: mimecast.threat_intel_malware_grid + type: logs + interval: 5m + request.method: POST + request.transforms: + - set: + default: '[{"feedType": "malware_grid","fileType": "stix","compress": false,"end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05+0700"]]"}]' + target: body.data + value: '[{"feedType": "malware_grid","fileType": "stix","compress": false,"end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[formatDate (.cursor.next_date) "2006-01-02T15:04:05+0700"]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: null + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: '[[uuid]]' + - set: + fail_on_template_error: true + target: header.Authorization + value: MC :[[hmacBase64 "sha1" (base64Decode "") (sprintf "%s:%s:/api/ttp/threat-intel/get-feed:" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]] + request.url: https://eu-api.mimecast.com/api/ttp/threat-intel/get-feed + response.decode_as: application/json + response.pagination: + - set: + target: body.data + value: '[{"feedType": "malware_grid","fileType": "stix","compress": false,"token": "[[.last_response.header.Get 
"x-mc-threat-feed-next-token"]]","end": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "start":"[[.cursor.next_date]]"}]' + value_type: json + response.split: + target: body.objects + transforms: + - set: + target: body.Content-Disposition + value: '[[.last_response.header.Get "Content-Disposition"]]' + tags: + - forwarded + - mimecast-threat-intel-feed-malware-grid + - condition: ${kubernetes.hints.mimecast.ttp_ap_logs.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true + config_version: "2" + cursor: null + data_stream: + dataset: mimecast.ttp_ap_logs + type: logs + interval: 5m + next_date: + value: '[[.first_event.date]]' + request.method: POST + request.transforms: + - set: + default: '[{"oldestFirst": false, "route": "all", "result":"all","to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05+0700"]]"}]' + target: body.data + value: '[{"oldestFirst": false, "route": "all", "result":"all","to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[.cursor.next_date]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: null + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: '[[uuid]]' + - set: + fail_on_template_error: true + target: header.Authorization + value: MC :[[hmacBase64 "sha1" (base64Decode "") (sprintf "%s:%s:/api/ttp/attachment/get-logs:" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]] + request.url: https://eu-api.mimecast.com/api/ttp/attachment/get-logs + response.decode_as: application/json + response.pagination: + - set: + fail_on_template_error: true + target: body.meta.pagination.pageToken + value: '[[.last_response.body.meta.pagination.next]]' + response.split: + split: + target: body.attachmentLogs + target: body.data + tags: + - forwarded + - mimecast-ttp-ap + - condition: ${kubernetes.hints.mimecast.ttp_ip_logs.enabled} == true or 
${kubernetes.hints.mimecast.enabled} == true + config_version: "2" + cursor: null + data_stream: + dataset: mimecast.ttp_ip_logs + type: logs + interval: 5m + next_date: + value: '[[.first_event.eventTime]]' + request.method: POST + request.transforms: + - set: + default: '[{"oldestFirst": false,"to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05+0700"]]"}]' + target: body.data + value: '[{"oldestFirst": false,"to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[.cursor.next_date]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: null + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: '[[uuid]]' + - set: + fail_on_template_error: true + target: header.Authorization + value: MC :[[hmacBase64 "sha1" (base64Decode "") (sprintf "%s:%s:/api/ttp/impersonation/get-logs:" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]] + request.url: https://eu-api.mimecast.com/api/ttp/impersonation/get-logs + response.decode_as: application/json + response.pagination: + - set: + fail_on_template_error: true + target: body.meta.pagination.pageToken + value: '[[.last_response.body.meta.pagination.next]]' + response.split: + split: + target: body.impersonationLogs + target: body.data + tags: + - forwarded + - mimecast-ttp-ip + - condition: ${kubernetes.hints.mimecast.ttp_url_logs.enabled} == true or ${kubernetes.hints.mimecast.enabled} == true + config_version: "2" + cursor: + next_date: + value: '[[.first_event.date]]' + data_stream: + dataset: mimecast.ttp_url_logs + type: logs + interval: 5m + request.method: POST + request.transforms: + - set: + default: '[{"oldestFirst": false,"scanResult": "all","route":"all","to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[formatDate (now (parseDuration "-5m")) "2006-01-02T15:04:05+0700"]]"}]' + target: body.data + value: '[{"oldestFirst": 
false,"scanResult": "all","route":"all","to": "[[formatDate (now) "2006-01-02T15:04:05+0700"]]", "from":"[[.cursor.next_date]]"}]' + value_type: json + - set: + target: header.x-mc-app-id + value: null + - set: + target: header.x-mc-date + value: '[[formatDate (now) "RFC1123"]]' + - set: + target: header.x-mc-req-id + value: '[[uuid]]' + - set: + fail_on_template_error: true + target: header.Authorization + value: MC :[[hmacBase64 "sha1" (base64Decode "") (sprintf "%s:%s:/api/ttp/url/get-logs:" (.header.Get "x-mc-date") (.header.Get "x-mc-req-id"))]] + request.url: https://eu-api.mimecast.com/api/ttp/url/get-logs + response.decode_as: application/json + response.pagination: + - set: + fail_on_template_error: true + target: body.meta.pagination.pageToken + value: '[[.last_response.body.meta.pagination.next]]' + response.split: + split: + target: body.clickLogs + target: body.data + tags: + - forwarded + - mimecast-ttp-url + data_stream.namespace: default + - name: filestream-mimecast + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.mimecast.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml new file mode 100644 index 00000000000..cc9e109d5ed --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/modsecurity.yml 
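Review bot: Every `header.Authorization` transform in this file signs with an empty secret, `hmacBase64 "sha1" (base64Decode "") ...`, and the paired `header.x-mc-app-id` transform has `value: null`, so no stream here can authenticate and there is no `${kubernetes.hints.mimecast.*}` variable through which the app id, app key or access key could be supplied, unlike the `username`/`password` hints the other templates expose; either wire those through hints or document that this template cannot be enabled as-is. A second problem is the cursor in the `dlp_logs`, `ttp_ap_logs` and `ttp_ip_logs` streams: `cursor: null` is emitted with `next_date:` hoisted to the stream level, so `[[.cursor.next_date]]` (and `[[.cursor.eventTime]]` in `dlp_logs`, a key no cursor defines) can never resolve and each poll presumably falls back to the `default` rolling 5-minute window, whereas `audit_events`, `siem_logs` and the two threat-intel streams nest `next_date` under `cursor:` as intended. The `request.url` values are also pinned to the `eu-api` region with no hint override.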
@@ -0,0 +1,28 @@ +inputs: + - name: filestream-modsecurity + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.modsecurity.auditlog.enabled} == true or ${kubernetes.hints.modsecurity.enabled} == true + data_stream: + dataset: modsecurity.auditlog + type: logs + exclude_files: + - .gz$ + fields: + tz_offset: null + fields_under_root: true + parsers: + - container: + format: auto + stream: ${kubernetes.hints.modsecurity.auditlog.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - modsec-audit + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml new file mode 100644 index 00000000000..bf47b9628da --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mongodb.yml 
@@ -0,0 +1,73 @@ +inputs: + - name: mongodb/metrics-mongodb + type: mongodb/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.mongodb.collstats.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true + data_stream: + dataset: mongodb.collstats + type: metrics + hosts: + - ${kubernetes.hints.mongodb.collstats.host|'localhost:27017'} + metricsets: + - collstats + period: ${kubernetes.hints.mongodb.collstats.period|'10s'} + - condition: ${kubernetes.hints.mongodb.dbstats.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true + data_stream: + dataset: mongodb.dbstats + type: metrics + hosts: + - ${kubernetes.hints.mongodb.dbstats.host|'localhost:27017'} + metricsets: + - dbstats + period: ${kubernetes.hints.mongodb.dbstats.period|'10s'} + - condition: ${kubernetes.hints.mongodb.metrics.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true + data_stream: + dataset: mongodb.metrics + type: metrics + hosts: + - ${kubernetes.hints.mongodb.metrics.host|'localhost:27017'} + metricsets: + - metrics + period: ${kubernetes.hints.mongodb.metrics.period|'10s'} + - condition: ${kubernetes.hints.mongodb.replstatus.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true + data_stream: + dataset: mongodb.replstatus + type: metrics + hosts: + - ${kubernetes.hints.mongodb.replstatus.host|'localhost:27017'} + metricsets: + - replstatus + period: ${kubernetes.hints.mongodb.replstatus.period|'10s'} + - condition: ${kubernetes.hints.mongodb.status.enabled} == true or ${kubernetes.hints.mongodb.enabled} == true + data_stream: + dataset: mongodb.status + type: metrics + hosts: + - ${kubernetes.hints.mongodb.status.host|'localhost:27017'} + metricsets: + - status + period: ${kubernetes.hints.mongodb.status.period|'10s'} + data_stream.namespace: default + - name: filestream-mongodb + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.mongodb.log.enabled} == true or ${kubernetes.hints.mongodb.enabled} 
== true + data_stream: + dataset: mongodb.log + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.mongodb.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - mongodb-logs + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql.yml new file mode 100644 index 00000000000..234caeeb40c --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql.yml 
@@ -0,0 +1,82 @@ +inputs: + - name: filestream-mysql + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.mysql.error.enabled} == true or ${kubernetes.hints.mysql.enabled} == true + data_stream: + dataset: mysql.error + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: ^([0-9]{4}-[0-9]{2}-[0-9]{2}|[0-9]{6}) + parsers: + - container: + format: auto + stream: ${kubernetes.hints.mysql.error.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + - condition: ${kubernetes.hints.mysql.slowlog.enabled} == true or ${kubernetes.hints.mysql.enabled} == true + data_stream: + dataset: mysql.slowlog + type: logs + exclude_files: + - .gz$ + exclude_lines: + - '^[\/\w\.]+, Version: .* started with:.*' + - ^# Time:.* + multiline: + match: after + negate: true + pattern: '^(# User@Host: |# Time: )' + parsers: + - container: + format: auto + stream: ${kubernetes.hints.mysql.slowlog.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + data_stream.namespace: default + - name: mysql/metrics-mysql + type: mysql/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.mysql.galera_status.enabled} == true and ${kubernetes.hints.mysql.enabled} == true + data_stream: + dataset: mysql.galera_status + type: metrics + hosts: + - ${kubernetes.hints.mysql.galera_status.host|'tcp(127.0.0.1:3306)/'} + metricsets: + - galera_status + password: ${kubernetes.hints.mysql.galera_status.password|'test'} + period: ${kubernetes.hints.mysql.galera_status.period|'10s'} + username: ${kubernetes.hints.mysql.galera_status.username|'root'} + - condition: ${kubernetes.hints.mysql.performance.enabled} == true and ${kubernetes.hints.mysql.enabled} == true + data_stream: + dataset: mysql.performance + type: metrics + metricsets: + - 
performance + - condition: ${kubernetes.hints.mysql.status.enabled} == true or ${kubernetes.hints.mysql.enabled} == true + data_stream: + dataset: mysql.status + type: metrics + hosts: + - ${kubernetes.hints.mysql.status.host|'tcp(127.0.0.1:3306)/'} + metricsets: + - status + password: ${kubernetes.hints.mysql.status.password|'test'} + period: ${kubernetes.hints.mysql.status.period|'10s'} + username: ${kubernetes.hints.mysql.status.username|'root'} + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql_enterprise.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql_enterprise.yml new file mode 100644 index 00000000000..d943bb661ff --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/mysql_enterprise.yml @@ -0,0 +1,18 @@ +inputs: + - name: filestream-mysql_enterprise + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.mysql_enterprise.audit.enabled} == true or ${kubernetes.hints.mysql_enterprise.enabled} == true + data_stream: + dataset: mysql_enterprise.audit + type: logs + exclude_files: + - .gz$ + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + tags: + - mysql_enterprise-audit + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/nats.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/nats.yml new file mode 100644 index 00000000000..91525210374 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/nats.yml 
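Review bot: The `mysql.performance` stream carries only a condition, `data_stream` and `metricsets`; unlike `galera_status` and `status` it has no `hosts`, `username`, `password` or `period`, so when enabled it cannot be pointed at the pod and either fails to connect or uses module defaults rather than the pod's hints. It should get the same keys with `performance`-scoped hint names, as below. The `'root'`/`'test'` fallbacks in the sibling streams also mean an agent enabled without a password hint keeps trying those credentials against the database every `10s`; an empty default would surface the misconfiguration instead.
```yaml
# … unchanged: condition / data_stream for mysql.performance …
      hosts:
        - ${kubernetes.hints.mysql.performance.host|'tcp(127.0.0.1:3306)/'}
      metricsets:
        - performance
      password: ${kubernetes.hints.mysql.performance.password|'test'}
      period: ${kubernetes.hints.mysql.performance.period|'10s'}
      username: ${kubernetes.hints.mysql.performance.username|'root'}
```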
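Review bot: The `mysql_enterprise.audit` filestream in mysql_enterprise.yml reads `/var/log/containers/*${kubernetes.hints.container_id}.log` but, unlike every other filestream stream in this series, has neither a `parsers: - container:` stanza nor `prospector.scanner.symlinks: true`, so the container-runtime log wrapper reaches the audit pipeline unparsed and, on the standard kubelet layout where `/var/log/containers` entries are symlinks, the scanner skips the files entirely. Add the two stanzas the sibling templates use, with the matching `mysql_enterprise.audit.stream` hint.
```yaml
# … unchanged: condition / data_stream / exclude_files …
      parsers:
        - container:
            format: auto
            stream: ${kubernetes.hints.mysql_enterprise.audit.stream|'all'}
# … unchanged: paths / processors …
      prospector:
        scanner:
          symlinks: true
# … unchanged: tags …
```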
@@ -0,0 +1,82 @@ +inputs: + - name: filestream-nats + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.nats.log.enabled} == true or ${kubernetes.hints.nats.enabled} == true + data_stream: + dataset: nats.log + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.nats.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - nats-log + data_stream.namespace: default + - name: nats/metrics-nats + type: nats/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.nats.connection.enabled} == true and ${kubernetes.hints.nats.enabled} == true + data_stream: + dataset: nats.connection + type: metrics + hosts: + - ${kubernetes.hints.nats.connection.host|'localhost:8222'} + metricsets: + - connection + period: ${kubernetes.hints.nats.connection.period|'10s'} + - condition: ${kubernetes.hints.nats.connections.enabled} == true or ${kubernetes.hints.nats.enabled} == true + data_stream: + dataset: nats.connections + type: metrics + hosts: + - ${kubernetes.hints.nats.connections.host|'localhost:8222'} + metricsets: + - connections + period: ${kubernetes.hints.nats.connections.period|'10s'} + - condition: ${kubernetes.hints.nats.route.enabled} == true and ${kubernetes.hints.nats.enabled} == true + data_stream: + dataset: nats.route + type: metrics + hosts: + - ${kubernetes.hints.nats.route.host|'localhost:8222'} + metricsets: + - route + period: ${kubernetes.hints.nats.route.period|'10s'} + - condition: ${kubernetes.hints.nats.routes.enabled} == true or ${kubernetes.hints.nats.enabled} == true + data_stream: + dataset: nats.routes + type: metrics + hosts: + - ${kubernetes.hints.nats.routes.host|'localhost:8222'} + metricsets: + - routes + period: ${kubernetes.hints.nats.routes.period|'10s'} + - condition: ${kubernetes.hints.nats.stats.enabled} == true or ${kubernetes.hints.nats.enabled} == 
true + data_stream: + dataset: nats.stats + type: metrics + hosts: + - ${kubernetes.hints.nats.stats.host|'localhost:8222'} + metricsets: + - stats + period: ${kubernetes.hints.nats.stats.period|'10s'} + - condition: ${kubernetes.hints.nats.subscriptions.enabled} == true or ${kubernetes.hints.nats.enabled} == true + data_stream: + dataset: nats.subscriptions + type: metrics + hosts: + - ${kubernetes.hints.nats.subscriptions.host|'localhost:8222'} + metricsets: + - subscriptions + period: ${kubernetes.hints.nats.subscriptions.period|'10s'} + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml new file mode 100644 index 00000000000..d2bb80601df --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/netflow.yml @@ -0,0 +1,47 @@ +inputs: + - name: netflow-netflow + type: netflow + use_output: default + streams: + - condition: ${kubernetes.hints.netflow.log.enabled} == true or ${kubernetes.hints.netflow.enabled} == true + data_stream: + dataset: netflow.log + type: logs + detect_sequence_reset: true + expiration_timeout: 30m + host: localhost:2055 + max_message_size: 10KiB + protocols: + - v1 + - v5 + - v6 + - v7 + - v8 + - v9 + - ipfix + queue_size: 8192 + tags: + - netflow + - forwarded + data_stream.namespace: default + - name: filestream-netflow + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.netflow.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default 
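Review bot: The `netflow.log` stream in netflow.yml hard-codes `host: localhost:2055` with no hint override, while every other template in this series exposes its endpoint as `${kubernetes.hints.<pkg>.<dataset>.host|...}`, so exporters on other nodes can never reach the listener and the bind address can only be changed by editing the generated template. Expose it as `host: ${kubernetes.hints.netflow.log.host|'localhost:2055'}` so widening the bind address is an explicit per-pod decision; loopback is the right default, since the collector accepts unauthenticated UDP from whatever it is bound to.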
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml new file mode 100644 index 00000000000..f0c166bbfbb --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx.yml 
@@ -0,0 +1,142 @@ +inputs: + - name: filestream-nginx + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.nginx.access.enabled} == true or ${kubernetes.hints.nginx.enabled} == true + data_stream: + dataset: nginx.access + type: logs + exclude_files: + - .gz$ + ignore_older: 72h + parsers: + - container: + format: auto + stream: ${kubernetes.hints.nginx.access.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - nginx-access + - condition: ${kubernetes.hints.nginx.error.enabled} == true or ${kubernetes.hints.nginx.enabled} == true + data_stream: + dataset: nginx.error + type: logs + exclude_files: + - .gz$ + ignore_older: 72h + multiline: + match: after + negate: true + pattern: '^\d{4}\/\d{2}\/\d{2} ' + parsers: + - container: + format: auto + stream: ${kubernetes.hints.nginx.error.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - nginx-error + data_stream.namespace: default + - name: httpjson-nginx + type: httpjson + use_output: default + streams: + - condition: ${kubernetes.hints.nginx.access.enabled} == true and ${kubernetes.hints.nginx.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: nginx.access + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype=nginx:plus:access | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: 
application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - nginx-access + - condition: ${kubernetes.hints.nginx.error.enabled} == true and ${kubernetes.hints.nginx.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: nginx.error + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype=nginx:plus:error | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - nginx-error + data_stream.namespace: default + - name: nginx/metrics-nginx + type: nginx/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.nginx.stubstatus.enabled} == true or ${kubernetes.hints.nginx.enabled} == true + data_stream: + dataset: nginx.stubstatus + type: metrics + hosts: + - ${kubernetes.hints.nginx.stubstatus.host|'http://127.0.0.1:80'} + metricsets: + - stubstatus + period: ${kubernetes.hints.nginx.stubstatus.period|'10s'} + server_status_path: /nginx_status + data_stream.namespace: default 
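Review bot: The two httpjson streams carry a hard-coded `request.url: https://server.example.com:8089/services/search/jobs/export` with no hint fallback and no credentials, so once enabled they will POST Splunk searches to a placeholder host every 10s and fail. Either drop these streams from the hint template or make the URL a hint with no default so the stream stays inert until configured. Separately, the filestream streams put `multiline:` at stream level; filestream, as far as I can tell, only honours multiline when it is given as a parser (`parsers: - multiline: ...`, as oracle.yml in this commit does), so the nginx.error pattern is probably ignored, and the same layout appears in nginx_ingress_controller.yml, postgresql.yml and rabbitmq.yml. `config_version: 2` is also unquoted here while panw_cortex_xdr.yml writes `"2"`; pick one form.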
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx_ingress_controller.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx_ingress_controller.yml new file mode 100644 index 00000000000..5f9ba9bc7e4 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/nginx_ingress_controller.yml @@ -0,0 +1,53 @@ +inputs: + - name: filestream-nginx_ingress_controller + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.nginx_ingress_controller.access.enabled} == true or ${kubernetes.hints.nginx_ingress_controller.enabled} == true + data_stream: + dataset: nginx_ingress_controller.access + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.nginx_ingress_controller.access.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - nginx-ingress-controller-access + - condition: ${kubernetes.hints.nginx_ingress_controller.error.enabled} == true or ${kubernetes.hints.nginx_ingress_controller.enabled} == true + data_stream: + dataset: nginx_ingress_controller.error + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: '^[A-Z]{1}[0-9]{4} ' + parsers: + - container: + format: auto + stream: ${kubernetes.hints.nginx_ingress_controller.error.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - drop_event: + when: + not: + regexp: + message: '^[A-Z]{1}[0-9]{4} ' + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - nginx-ingress-controller-error + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/oracle.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/oracle.yml new file mode 100644 index 00000000000..8e846586d4b --- /dev/null 
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/oracle.yml 
@@ -0,0 +1,82 @@ +inputs: + - name: filestream-oracle + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.oracle.database_audit.enabled} == true or ${kubernetes.hints.oracle.enabled} == true + data_stream: + dataset: oracle.database_audit + type: logs + exclude_files: + - .gz$ + exclude_lines: + - ^Audit file + parsers: + - multiline: + match: after + negate: true + pattern: ^[A-Za-z]{3}\s+[A-Za-z]{3}\s+[0-9]{1,2}\s[0-9]{2}:[0-9]{2}:[0-9]{2}\s[0-9]{4}\s\S[0-9]{2}:[0-9]{2} + timeout: 10 + type: pattern + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + tags: + - oracle-database_audit + data_stream.namespace: default + - name: sql/metrics-oracle + type: sql/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.oracle.performance.enabled} == true and ${kubernetes.hints.oracle.enabled} == true + data_stream: + dataset: oracle.performance + type: metrics + driver: oracle + hosts: + - ${kubernetes.hints.oracle.performance.host|'oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1'} + metricsets: + - query + period: ${kubernetes.hints.oracle.performance.period|'60s'} + raw_data.enabled: true + sql_queries: + - query: SELECT name, physical_reads, db_block_gets, consistent_gets, 1 - (physical_reads / (db_block_gets + consistent_gets)) "Hit_Ratio" FROM V$BUFFER_POOL_STATISTICS + response_format: table + - query: SELECT sum(a.value) total_cur, avg(a.value) avg_cur, max(a.value) max_cur, S.username, s.machine FROM v$sesstat a, v$statname b, v$session s WHERE a.statistic# = b.statistic# AND s.sid = a.sid GROUP BY s.username, s.machine + response_format: table + - query: SELECT total_cursors, current_cursors, sess_cur_cache_hits, parse_count_total, sess_cur_cache_hits / total_cursors as cachehits_totalcursors_ratio , sess_cur_cache_hits - parse_count_total as real_parses FROM ( SELECT sum ( decode ( name, 'opened cursors cumulative', value, 0)) 
total_cursors, sum ( decode ( name, 'opened cursors current',value,0)) current_cursors, sum ( decode ( name, 'session cursor cache hits',value,0)) sess_cur_cache_hits, sum ( decode ( name, 'parse count (total)',value,0)) parse_count_total FROM v$sysstat WHERE name IN ( 'opened cursors cumulative','opened cursors current','session cursor cache hits', 'parse count (total)' )) + response_format: table + - query: SELECT 'lock_requests' "Ratio" , AVG(gethitratio) FROM V$LIBRARYCACHE UNION SELECT 'pin_requests' "Ratio", AVG(pinhitratio) FROM V$LIBRARYCACHE UNION SELECT 'io_reloads' "Ratio", (SUM(reloads) / SUM(pins)) FROM V$LIBRARYCACHE + response_format: variables + - condition: ${kubernetes.hints.oracle.sysmetric.enabled} == true and ${kubernetes.hints.oracle.enabled} == true + data_stream: + dataset: oracle.sysmetric + type: metrics + driver: oracle + dynamic_metric_name_filter: '%' + hosts: + - ${kubernetes.hints.oracle.sysmetric.host|'oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1'} + metricsets: + - query + period: ${kubernetes.hints.oracle.sysmetric.period|'60s'} + raw_data.enabled: true + sql_queries: + - query: SELECT METRIC_NAME, VALUE FROM V$SYSMETRIC WHERE GROUP_ID = 2 and METRIC_NAME LIKE '%' + response_format: variables + - condition: ${kubernetes.hints.oracle.tablespace.enabled} == true and ${kubernetes.hints.oracle.enabled} == true + data_stream: + dataset: oracle.tablespace + type: metrics + driver: oracle + dynamic_metric_name_filter: "" + hosts: + - ${kubernetes.hints.oracle.tablespace.host|'oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1'} + metricsets: + - query + period: ${kubernetes.hints.oracle.tablespace.period|'60s'} + raw_data.enabled: true + sql_queries: + - query: WITH data_files AS (SELECT file_name, file_id, tablespace_name, bytes, status, maxbytes, user_bytes, online_status FROM sys.dba_data_files UNION SELECT file_name, file_id, tablespace_name, bytes, status, maxbytes, user_bytes, status AS 
ONLINE_STATUS FROM sys.dba_temp_files), spaces AS (SELECT b.tablespace_name TB_NAME, tbs_size TB_SIZE_USED, a.free_space TB_SIZE_FREE FROM (SELECT tablespace_name, SUM(bytes) AS free_space FROM dba_free_space GROUP BY tablespace_name) a, (SELECT tablespace_name, SUM(bytes) AS tbs_size FROM dba_data_files GROUP BY tablespace_name) b WHERE a.tablespace_name(+) = b.tablespace_name AND a.tablespace_name != 'TEMP'), temp_spaces AS (SELECT tablespace_name, tablespace_size, allocated_space, free_space FROM dba_temp_free_space WHERE tablespace_name = 'TEMP'), details AS (SELECT df.file_name, df.file_id, df.tablespace_name, df.bytes, df.status, df.maxbytes, df.user_bytes, df.online_status, sp.tb_size_used, sp.tb_size_free FROM data_files df, spaces sp WHERE df.tablespace_name = sp.tb_name UNION SELECT df.file_name, df.file_id, df.tablespace_name, df.bytes, df.status, df.maxbytes, df.user_bytes, df.online_status, tsp.tablespace_size - tsp.free_space AS TB_SIZE_USED, tsp.free_space AS TB_SIZE_FREE FROM data_files df, temp_spaces tsp WHERE df.tablespace_name = tsp.tablespace_name) SELECT file_name, file_id, tablespace_name, bytes, status, maxbytes, user_bytes, online_status, tb_size_used, tb_size_free, SUM(bytes) over() AS TOTAL_BYTES FROM details + response_format: table + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery.yml new file mode 100644 index 00000000000..6ebd2f12c46 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery.yml 
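Review bot: Each `hosts` default embeds a literal privileged DSN, `oracle://sys:Oradoc_db1@0.0.0.0:1521/ORCLCDB.localdomain?sysdba=1`, so an agent with only `oracle.enabled` set will try to log in as SYS with SYSDBA using a password committed to the repository. A template default should carry neither a password nor `sysdba=1`; use a credential-free default such as `${kubernetes.hints.oracle.performance.host|'oracle://localhost:1521/ORCLCDB.localdomain'}` and require the hint to supply a dedicated low-privilege monitoring account. The same DSN is repeated for the sysmetric and tablespace streams, so all three need the change.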
@@ -0,0 +1,23 @@
+inputs:
+ - name: filestream-osquery
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.osquery.result.enabled} == true or ${kubernetes.hints.osquery.enabled} == true
+ data_stream:
+ dataset: osquery.result
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.osquery.result.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - osquery
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery_manager.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery_manager.yml
new file mode 100644
index 00000000000..6620de9c7de
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/osquery_manager.yml
@@ -0,0 +1,33 @@
+inputs:
+ - name: osquery-osquery_manager
+ type: osquery
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.osquery_manager.result.enabled} == true or ${kubernetes.hints.osquery_manager.enabled} == true
+ data_stream:
+ dataset: osquery_manager.result
+ type: logs
+ id: null
+ query: null
+ data_stream.namespace: default
+ - name: filestream-osquery_manager
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.osquery_manager.container_logs.enabled} == true
+ data_stream:
+ dataset: kubernetes.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml
new file mode 100644
index 00000000000..93c07883f03
--- /dev/null
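Review bot: The `osquery-osquery_manager` stream is enabled by the `osquery_manager.enabled` hint yet ships `id: null` and `query: null`, so the hint produces an osquery input with nothing to run. If the stream cannot function without a query, it should not be enabled by the package-level hint alone, or the template should say in a comment that `id` and `query` must be supplied by the deployment; the `filestream-osquery_manager` input below it is unaffected.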
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw.yml @@ -0,0 +1,94 @@ +inputs: + - name: tcp-panw + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.panw.panos.enabled} == true or ${kubernetes.hints.panw.enabled} == true + data_stream: + dataset: panw.panos + type: logs + host: localhost:9001 + max_message_size: 50KiB + processors: + - add_locale: null + - syslog: + field: message + format: auto + timezone: Local + - add_fields: + fields: + internal_zones: + - trust + target: _conf + - add_fields: + fields: + external_zones: + - untrust + target: _conf + tags: + - panw-panos + - forwarded + data_stream.namespace: default + - name: udp-panw + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.panw.panos.enabled} == true or ${kubernetes.hints.panw.enabled} == true + data_stream: + dataset: panw.panos + type: logs + host: localhost:9001 + max_message_size: 50KiB + processors: + - add_locale: null + - syslog: + field: message + format: auto + timezone: Local + - add_fields: + fields: + internal_zones: + - trust + target: _conf + - add_fields: + fields: + external_zones: + - untrust + target: _conf + tags: + - panw-panos + - forwarded + data_stream.namespace: default + - name: filestream-panw + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.panw.panos.enabled} == true or ${kubernetes.hints.panw.enabled} == true + data_stream: + dataset: panw.panos + type: logs + exclude_files: + - .gz$ + fields: + _conf: + external_zones: + - untrust + internal_zones: + - trust + tz_offset: local + fields_under_root: true + parsers: + - container: + format: auto + stream: ${kubernetes.hints.panw.panos.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - panw-panos + - forwarded + data_stream.namespace: default 
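Review bot: Both `tcp-panw` and `udp-panw` bind `host: localhost:9001`, and pfsense.yml in this same commit binds its tcp and udp listeners to `localhost:9001` too, so enabling the panw and pfsense hints on one agent makes the second listener on each protocol fail to bind. The fixed loopback address also means firewall syslog from outside the pod cannot reach the listener; make it a hint with a default as the metrics templates do, e.g. `host: ${kubernetes.hints.panw.panos.host|'localhost:9001'}` (hint name constructed to follow the file's pattern), and give the two packages distinct default ports. The `_conf.internal_zones`/`external_zones` values `trust`/`untrust` are likewise fixed, so if the ingest pipeline uses them for direction they only fit firewalls whose zones are literally named that way.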
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/panw_cortex_xdr.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw_cortex_xdr.yml
new file mode 100644
index 00000000000..ec6a58fd9b2
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/panw_cortex_xdr.yml
@@ -0,0 +1,90 @@ +inputs: + - name: httpjson-panw_cortex_xdr + type: httpjson + use_output: default + streams: + - condition: ${kubernetes.hints.panw_cortex_xdr.alerts.enabled} == true or ${kubernetes.hints.panw_cortex_xdr.enabled} == true + config_version: "2" + cursor: + next_ts: + value: '[[.last_event.detection_timestamp]]' + data_stream: + dataset: panw_cortex_xdr.alerts + type: logs + interval: 5m + request.method: POST + request.rate_limit: + limit: '[[.last_response.header.Get "X-Rate-Limit-Limit"]]' + remaining: '[[.last_response.header.Get "X-Rate-Limit-Remaining"]]' + reset: '[[(parseDate (.last_response.header.Get "X-Rate-Limit-Reset")).Unix]]' + request.timeout: 30s + request.transforms: + - set: + target: header.Authorization + value: null + - set: + target: header.x-xdr-auth-id + value: 1 + - set: + target: body.request_data.sort.field + value: creation_time + - set: + target: body.request_data.sort.keyword + value: asc + - append: + default: |- + { + "field": "creation_time", + "operator": "gte", + "value": [[ mul (add (now (parseDuration "-24h")).Unix) 1000 ]] + } + target: body.request_data.filters + value: |- + { + "field": "creation_time", + "operator": "gte", + "value": [[ .cursor.next_ts ]] + } + value_type: json + request.url: https://test.xdr.eu.paloaltonetworks.com/public_api/v1/alerts/get_alerts_multi_events + response.pagination: + - set: + fail_on_template_error: true + target: body.request_data.search_from + value: '[[if (ne (len .last_response.body.reply.alerts) 0)]][[mul .last_response.page 100]][[end]]' + value_type: int + - set: + fail_on_template_error: true + target: body.request_data.search_to + value: '[[if (ne (len .last_response.body.reply.alerts) 0)]][[add (mul .last_response.page 100) 100]][[end]]' + value_type: int + response.split: + split: + keep_parent: true + target: body.events + target: body.reply.alerts + tags: + - forwarded + - panw_cortex_xdr + data_stream.namespace: default + - name: filestream-panw_cortex_xdr + 
type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.panw_cortex_xdr.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml new file mode 100644 index 00000000000..e4541f90639 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/pfsense.yml 
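Review bot: The alerts stream sets `header.Authorization` to `value: null` and `header.x-xdr-auth-id` to `value: 1`, and pins `request.url` to the fixed tenant `https://test.xdr.eu.paloaltonetworks.com/public_api/v1/alerts/get_alerts_multi_events`, so it is enabled by `panw_cortex_xdr.enabled` yet can never authenticate without editing the template. Since the only way to make it work is to paste an API key into this committed file, prefer leaving the header unset and having the deployment inject the token and tenant URL through a hint or secret reference, the way the `host` values elsewhere are hint-driven. `config_version: "2"` here also differs from the unquoted `2` in nginx.yml and sentinel_one.yml; pick one form.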
@@ -0,0 +1,62 @@
+inputs:
+ - name: udp-pfsense
+ type: udp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.pfsense.log.enabled} == true or ${kubernetes.hints.pfsense.enabled} == true
+ data_stream:
+ dataset: pfsense.log
+ type: logs
+ host: localhost:9001
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ internal_networks:
+ - private
+ tz_offset: local
+ target: _tmp
+ tags:
+ - pfsense
+ - forwarded
+ data_stream.namespace: default
+ - name: tcp-pfsense
+ type: tcp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.pfsense.log.enabled} == true and ${kubernetes.hints.pfsense.enabled} == true
+ data_stream:
+ dataset: pfsense.log
+ type: logs
+ host: localhost:9001
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ tz_offset: local
+ target: _tmp
+ tags:
+ - pfsense
+ - forwarded
+ data_stream.namespace: default
+ - name: filestream-pfsense
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.pfsense.container_logs.enabled} == true
+ data_stream:
+ dataset: kubernetes.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml
new file mode 100644
index 00000000000..a9abf518a9a
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/postgresql.yml
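Review bot: `udp-pfsense` adds `_tmp.internal_networks: [private]` while `tcp-pfsense` adds only `tz_offset`, so the same `pfsense.log` dataset arrives with a different `_tmp` shape depending on transport; if the ingest pipeline reads `internal_networks` to classify direction, TCP-delivered events will be treated differently from UDP ones. Mirror the `add_fields` block in the tcp input, or drop it from udp, so the two listeners are equivalent. Both listeners also share `localhost:9001` with panw.yml in this commit, which cannot coexist on one agent.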
@@ -0,0 +1,68 @@ +inputs: + - name: filestream-postgresql + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.postgresql.log.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true + data_stream: + dataset: postgresql.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: '^\d{4}-\d{2}-\d{2} ' + parsers: + - container: + format: auto + stream: ${kubernetes.hints.postgresql.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - postgresql-log + data_stream.namespace: default + - name: postgresql/metrics-postgresql + type: postgresql/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.postgresql.activity.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true + data_stream: + dataset: postgresql.activity + type: metrics + hosts: + - ${kubernetes.hints.postgresql.activity.host|'postgres://localhost:5432'} + metricsets: + - activity + period: ${kubernetes.hints.postgresql.activity.period|'10s'} + - condition: ${kubernetes.hints.postgresql.bgwriter.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true + data_stream: + dataset: postgresql.bgwriter + type: metrics + hosts: + - ${kubernetes.hints.postgresql.bgwriter.host|'postgres://localhost:5432'} + metricsets: + - bgwriter + period: ${kubernetes.hints.postgresql.bgwriter.period|'10s'} + - condition: ${kubernetes.hints.postgresql.database.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true + data_stream: + dataset: postgresql.database + type: metrics + hosts: + - ${kubernetes.hints.postgresql.database.host|'postgres://localhost:5432'} + metricsets: + - database + period: ${kubernetes.hints.postgresql.database.period|'10s'} + - condition: ${kubernetes.hints.postgresql.statement.enabled} == true or ${kubernetes.hints.postgresql.enabled} == true + data_stream: + dataset: postgresql.statement 
+ type: metrics + hosts: + - ${kubernetes.hints.postgresql.statement.host|'postgres://localhost:5432'} + metricsets: + - statement + period: ${kubernetes.hints.postgresql.statement.period|'10s'} + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml new file mode 100644 index 00000000000..2a7e630c9cf --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/prometheus.yml 
@@ -0,0 +1,90 @@ +inputs: + - name: prometheus/metrics-prometheus + type: prometheus/metrics + use_output: default + streams: + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + condition: ${kubernetes.hints.prometheus.collector.enabled} == true or ${kubernetes.hints.prometheus.enabled} == true + data_stream: + dataset: prometheus.collector + type: metrics + hosts: + - ${kubernetes.hints.prometheus.collector.host|'localhost:9090'} + metrics_filters.exclude: null + metrics_filters.include: null + metrics_path: /metrics + metricsets: + - collector + password: ${kubernetes.hints.prometheus.collector.password|'secret'} + period: ${kubernetes.hints.prometheus.collector.period|'10s'} + rate_counters: true + ssl.certificate_authorities: + - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt + use_types: true + username: ${kubernetes.hints.prometheus.collector.username|'user'} + - condition: ${kubernetes.hints.prometheus.query.enabled} == true and ${kubernetes.hints.prometheus.enabled} == true + data_stream: + dataset: prometheus.query + type: metrics + hosts: + - ${kubernetes.hints.prometheus.query.host|'localhost:9090'} + metricsets: + - query + period: ${kubernetes.hints.prometheus.query.period|'10s'} + queries: + - name: instant_vector + params: + query: sum(rate(prometheus_http_requests_total[1m])) + path: /api/v1/query + - name: range_vector + params: + end: "2019-12-21T00:00:00.000Z" + query: up + start: "2019-12-20T00:00:00.000Z" + step: 1h + path: /api/v1/query_range + - name: scalar + params: + query: "100" + path: /api/v1/query + - name: string + params: + query: some_value + path: /api/v1/query + - condition: ${kubernetes.hints.prometheus.remote_write.enabled} == true and ${kubernetes.hints.prometheus.enabled} == true + data_stream: + dataset: prometheus.remote_write + type: metrics + host: localhost + metricsets: + - remote_write + port: 9201 + rate_counters: true + ssl.certificate: /etc/pki/server/cert.pem + ssl.enabled: 
null + ssl.key: null + types_patterns.exclude: null + types_patterns.include: null + use_types: true + data_stream.namespace: default + - name: filestream-prometheus + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.prometheus.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml new file mode 100644 index 00000000000..a7358abd781 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/qnap_nas.yml 
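Review bot: The `remote_write` stream sets `ssl.certificate: /etc/pki/server/cert.pem` but leaves `ssl.enabled: null` and `ssl.key: null`, so the listener on `localhost:9201` is half-configured for TLS: it either starts in plaintext ignoring the certificate or fails for want of a key. Settle on one state, `ssl.enabled: false` with no certificate path or `ssl.enabled: true` with both certificate and key, rather than nulls. The `collector` stream configures both `bearer_token_file` and basic-auth `username`/`password` with the literal fallbacks `'user'`/`'secret'`; a default password in a committed template is worth dropping in favour of the empty default rabbitmq.yml and redis.yml use. The `range_vector` query also pins `start`/`end` to fixed 2019 timestamps, so it will always return the same historical window.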
@@ -0,0 +1,60 @@
+inputs:
+ - name: filestream-qnap_nas
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.qnap_nas.container_logs.enabled} == true
+ data_stream:
+ dataset: kubernetes.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
+ - name: tcp-qnap_nas
+ type: tcp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.qnap_nas.log.enabled} == true or ${kubernetes.hints.qnap_nas.enabled} == true
+ data_stream:
+ dataset: qnap_nas.log
+ type: logs
+ host: localhost:9301
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ tz_offset: local
+ target: _tmp
+ tags:
+ - qnap-nas
+ - forwarded
+ data_stream.namespace: default
+ - name: udp-qnap_nas
+ type: udp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.qnap_nas.log.enabled} == true and ${kubernetes.hints.qnap_nas.enabled} == true
+ data_stream:
+ dataset: qnap_nas.log
+ type: logs
+ host: localhost:9301
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ tz_offset: local
+ target: _tmp
+ tags:
+ - qnap-nas
+ - forwarded
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml
new file mode 100644
index 00000000000..942c4fa6911
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/rabbitmq.yml
@@ -0,0 +1,79 @@ +inputs: + - name: filestream-rabbitmq + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.rabbitmq.log.enabled} == true or ${kubernetes.hints.rabbitmq.enabled} == true + data_stream: + dataset: rabbitmq.log + type: logs + exclude_files: + - .gz$ + multiline: + match: after + negate: true + pattern: '[0-9]{4}-[0-9]{2}-[0-9]{2}' + parsers: + - container: + format: auto + stream: ${kubernetes.hints.rabbitmq.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - add_locale: null + prospector: + scanner: + symlinks: true + tags: + - forwarded + data_stream.namespace: default + - name: rabbitmq/metrics-rabbitmq + type: rabbitmq/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.rabbitmq.connection.enabled} == true or ${kubernetes.hints.rabbitmq.enabled} == true + data_stream: + dataset: rabbitmq.connection + type: metrics + hosts: + - ${kubernetes.hints.rabbitmq.connection.host|'localhost:15672'} + metricsets: + - connection + password: ${kubernetes.hints.rabbitmq.connection.password|''} + period: ${kubernetes.hints.rabbitmq.connection.period|'10s'} + username: ${kubernetes.hints.rabbitmq.connection.username|''} + - condition: ${kubernetes.hints.rabbitmq.exchange.enabled} == true or ${kubernetes.hints.rabbitmq.enabled} == true + data_stream: + dataset: rabbitmq.exchange + type: metrics + hosts: + - ${kubernetes.hints.rabbitmq.exchange.host|'localhost:15672'} + metricsets: + - exchange + password: ${kubernetes.hints.rabbitmq.exchange.password|''} + period: ${kubernetes.hints.rabbitmq.exchange.period|'10s'} + username: ${kubernetes.hints.rabbitmq.exchange.username|''} + - condition: ${kubernetes.hints.rabbitmq.node.enabled} == true or ${kubernetes.hints.rabbitmq.enabled} == true + data_stream: + dataset: rabbitmq.node + type: metrics + hosts: + - ${kubernetes.hints.rabbitmq.node.host|'localhost:15672'} + metricsets: + - node + node.collect: node + 
password: ${kubernetes.hints.rabbitmq.node.password|''} + period: ${kubernetes.hints.rabbitmq.node.period|'10s'} + username: ${kubernetes.hints.rabbitmq.node.username|''} + - condition: ${kubernetes.hints.rabbitmq.queue.enabled} == true or ${kubernetes.hints.rabbitmq.enabled} == true + data_stream: + dataset: rabbitmq.queue + type: metrics + hosts: + - ${kubernetes.hints.rabbitmq.queue.host|'localhost:15672'} + metricsets: + - queue + password: ${kubernetes.hints.rabbitmq.queue.password|''} + period: ${kubernetes.hints.rabbitmq.queue.period|'10s'} + username: ${kubernetes.hints.rabbitmq.queue.username|''} + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml new file mode 100644 index 00000000000..31731f6c1a5 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/redis.yml 
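Review bot: The `rabbitmq.log` multiline `pattern: '[0-9]{4}-[0-9]{2}-[0-9]{2}'` has no `^` anchor, unlike the nginx and postgresql patterns in this commit, so with `negate: true` any continuation line that merely mentions a date anywhere is treated as the start of a new event and a stack trace containing a timestamp gets split. Anchor it, `pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'`, to match the surrounding templates. The metrics streams' empty-string credential defaults (`|''`) are the right shape for a committed template and are worth keeping as the model for the other packages.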
@@ -0,0 +1,84 @@ +inputs: + - name: filestream-redis + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.redis.log.enabled} == true or ${kubernetes.hints.redis.enabled} == true + data_stream: + dataset: redis.log + type: logs + exclude_files: + - .gz$ + exclude_lines: + - ^\s+[\-`('.|_] + parsers: + - container: + format: auto + stream: ${kubernetes.hints.redis.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - redis-log + data_stream.namespace: default + - name: redis-redis + type: redis + use_output: default + streams: + - condition: ${kubernetes.hints.redis.slowlog.enabled} == true or ${kubernetes.hints.redis.enabled} == true + data_stream: + dataset: redis.slowlog + type: logs + hosts: + - ${kubernetes.hints.redis.slowlog.host|'127.0.0.1:6379'} + password: ${kubernetes.hints.redis.slowlog.password|''} + data_stream.namespace: default + - name: redis/metrics-redis + type: redis/metrics + use_output: default + streams: + - condition: ${kubernetes.hints.redis.info.enabled} == true or ${kubernetes.hints.redis.enabled} == true + data_stream: + dataset: redis.info + type: metrics + hosts: + - ${kubernetes.hints.redis.info.host|'127.0.0.1:6379'} + idle_timeout: 20s + maxconn: 10 + metricsets: + - info + network: tcp + password: ${kubernetes.hints.redis.info.password|''} + period: ${kubernetes.hints.redis.info.period|'10s'} + - condition: ${kubernetes.hints.redis.key.enabled} == true or ${kubernetes.hints.redis.enabled} == true + data_stream: + dataset: redis.key + type: metrics + hosts: + - ${kubernetes.hints.redis.key.host|'127.0.0.1:6379'} + idle_timeout: 20s + key.patterns: + - limit: 20 + pattern: '*' + maxconn: 10 + metricsets: + - key + network: tcp + password: ${kubernetes.hints.redis.key.password|''} + period: ${kubernetes.hints.redis.key.period|'10s'} + - condition: ${kubernetes.hints.redis.keyspace.enabled} == true or 
${kubernetes.hints.redis.enabled} == true + data_stream: + dataset: redis.keyspace + type: metrics + hosts: + - ${kubernetes.hints.redis.keyspace.host|'127.0.0.1:6379'} + idle_timeout: 20s + maxconn: 10 + metricsets: + - keyspace + network: tcp + password: ${kubernetes.hints.redis.keyspace.password|''} + period: ${kubernetes.hints.redis.keyspace.period|'10s'} + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/santa.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/santa.yml new file mode 100644 index 00000000000..d60bfeb744a --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/santa.yml @@ -0,0 +1,23 @@ +inputs: + - name: filestream-santa + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.santa.log.enabled} == true or ${kubernetes.hints.santa.enabled} == true + data_stream: + dataset: santa.log + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.santa.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: + - santa-log + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/security_detection_engine.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/security_detection_engine.yml new file mode 100644 index 00000000000..990a4372e8b --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/security_detection_engine.yml 
@@ -0,0 +1,22 @@
+inputs:
+ - name: filestream-security_detection_engine
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.security_detection_engine.container_logs.enabled} == true
+ data_stream:
+ dataset: kubernetes.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml
new file mode 100644
index 00000000000..dcd117dc994
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/sentinel_one.yml
@@ -0,0 +1,217 @@ +inputs: + - name: filestream-sentinel_one + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.sentinel_one.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default + - name: httpjson-sentinel_one + type: httpjson + use_output: default + streams: + - condition: ${kubernetes.hints.sentinel_one.activity.enabled} == true or ${kubernetes.hints.sentinel_one.enabled} == true + config_version: 2 + cursor: + last_create_at: + value: '[[.last_event.createdAt]]' + data_stream: + dataset: sentinel_one.activity + type: logs + interval: 1m + request.method: GET + request.transforms: + - set: + target: header.Authorization + value: 'ApiToken ' + - set: + target: url.params.limit + value: "100" + - set: + target: url.params.sortBy + value: createdAt + - set: + target: url.params.sortOrder + value: asc + - set: + default: '[[formatDate (now (parseDuration "-24h"))]]' + target: url.params.createdAt__gte + value: '[[formatDate (parseDate .cursor.last_create_at)]]' + request.url: /web/api/v2.1/activities + response.pagination: + - set: + fail_on_template_error: true + target: url.params.cursor + value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' + response.split: + target: body.data + tags: + - forwarded + - sentinel_one-activity + - condition: ${kubernetes.hints.sentinel_one.agent.enabled} == true or ${kubernetes.hints.sentinel_one.enabled} == true + config_version: 2 + cursor: + last_update_at: + value: '[[.last_event.updatedAt]]' + data_stream: + dataset: sentinel_one.agent + type: logs + interval: 5m + request.method: GET + 
request.transforms: + - set: + target: header.Authorization + value: 'ApiToken ' + - set: + target: url.params.limit + value: "100" + - set: + target: url.params.sortBy + value: updatedAt + - set: + target: url.params.sortOrder + value: asc + - set: + default: '[[formatDate (now (parseDuration "-24h"))]]' + target: url.params.updatedAt__gte + value: '[[formatDate (parseDate .cursor.last_update_at)]]' + request.url: /web/api/v2.1/agents + response.pagination: + - set: + fail_on_template_error: true + target: url.params.cursor + value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' + response.split: + target: body.data + tags: + - forwarded + - sentinel_one-agent + - condition: ${kubernetes.hints.sentinel_one.alert.enabled} == true or ${kubernetes.hints.sentinel_one.enabled} == true + config_version: 2 + cursor: + last_create_at: + value: '[[.last_event.alertInfo.createdAt]]' + data_stream: + dataset: sentinel_one.alert + type: logs + interval: 5m + request.method: GET + request.transforms: + - set: + target: header.Authorization + value: 'ApiToken ' + - set: + target: url.params.limit + value: "100" + - set: + target: url.params.sortBy + value: alertInfoCreatedAt + - set: + target: url.params.sortOrder + value: asc + - set: + default: '[[formatDate (now (parseDuration "-24h"))]]' + target: url.params.createdAt__gte + value: '[[formatDate (parseDate .cursor.last_create_at)]]' + request.url: /web/api/v2.1/cloud-detection/alerts + response.pagination: + - set: + fail_on_template_error: true + target: url.params.cursor + value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' + response.split: + target: body.data + tags: + - forwarded + - sentinel_one-alert + - condition: ${kubernetes.hints.sentinel_one.group.enabled} == true or 
${kubernetes.hints.sentinel_one.enabled} == true + config_version: 2 + cursor: + last_update_at: + value: '[[.last_event.updatedAt]]' + data_stream: + dataset: sentinel_one.group + type: logs + interval: 5m + request.method: GET + request.transforms: + - set: + target: header.Authorization + value: 'ApiToken ' + - set: + target: url.params.limit + value: "100" + - set: + target: url.params.sortBy + value: updatedAt + - set: + target: url.params.sortOrder + value: asc + - set: + default: '[[formatDate (now (parseDuration "-24h"))]]' + target: url.params.updatedAt__gte + value: '[[formatDate (parseDate .cursor.last_update_at)]]' + request.url: /web/api/v2.1/groups + response.pagination: + - set: + fail_on_template_error: true + target: url.params.cursor + value: '[[if (ne .last_response.body.pagination.nextCursor nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]' + response.split: + target: body.data + tags: + - forwarded + - sentinel_one-group + - condition: ${kubernetes.hints.sentinel_one.threat.enabled} == true or ${kubernetes.hints.sentinel_one.enabled} == true + config_version: 2 + cursor: + last_update_at: + value: '[[.last_event.threatInfo.updatedAt]]' + data_stream: + dataset: sentinel_one.threat + type: logs + interval: 5m + request.method: GET + request.transforms: + - set: + target: header.Authorization + value: 'ApiToken ' + - set: + target: url.params.limit + value: "100" + - set: + target: url.params.sortBy + value: updatedAt + - set: + target: url.params.sortOrder + value: asc + - set: + default: '[[formatDate (now (parseDuration "-24h"))]]' + target: url.params.updatedAt__gte + value: '[[formatDate (parseDate .cursor.last_update_at)]]' + request.url: /web/api/v2.1/threats + response.pagination: + - set: + fail_on_template_error: true + target: url.params.cursor + value: '[[if (ne .last_response.body.pagination.nextCursor 
nil)]][[.last_response.body.pagination.nextCursor]][[else]][[.last_response.terminate_pagination]][[end]]'
+ response.split:
+ target: body.data
+ tags:
+ - forwarded
+ - sentinel_one-threat
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml
new file mode 100644
index 00000000000..80ed6df384a
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/snort.yml
@@ -0,0 +1,53 @@
+inputs:
+ - name: filestream-snort
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.snort.log.enabled} == true or ${kubernetes.hints.snort.enabled} == true
+ data_stream:
+ dataset: snort.log
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.snort.log.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ internal_networks:
+ - private
+ tz_offset: local
+ target: _tmp
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - forwarded
+ - snort.log
+ data_stream.namespace: default
+ - name: udp-snort
+ type: udp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.snort.log.enabled} == true or ${kubernetes.hints.snort.enabled} == true
+ data_stream:
+ dataset: snort.log
+ type: logs
+ host: localhost:9514
+ processors:
+ - add_locale: null
+ - add_fields:
+ fields:
+ internal_networks:
+ - private
+ tz_offset: local
+ target: _tmp
+ tags:
+ - forwarded
+ - snort.log
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/snyk.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/snyk.yml
new file mode 100644
index 00000000000..aef353751ec
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/snyk.yml
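Review bot: The Authorization header in all five httpjson streams is the bare scheme `value: 'ApiToken '` with no token, and each `request.url` is a path with no host (`/web/api/v2.1/activities`, `/agents`, `/cloud-detection/alerts`, `/groups`, `/threats`), so the generated template cannot make a successful request without hand-editing and offers no hint through which an operator can supply the token or the tenant URL. The snyk template further down has the same gap: `value: token` and `request.url: https://snyk.io/api/v1/org//audit?page=1&sortOrder=ASC` with an empty org id. Since the other templates in this diff parameterize per-stream values through hints, the token and base URL should be fed the same way, for instance a hint of the same shape such as `${kubernetes.hints.sentinel_one.activity.api_token|''}` (a proposed name, not one this page defines), or the generator should emit a comment stating that these values are placeholders that must be filled in before the input is enabled.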
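Review bot: The udp listener address is fixed at `host: localhost:9514` and is not exposed through a hint, unlike the metrics `hosts` entries elsewhere in this diff, so the bind address of the syslog receiver cannot be changed per deployment; the same fixed loopback listeners appear in symantec_endpoint (`localhost:9008`), tcp (`localhost:8080`) and tomcat (`localhost:9523`). Whether a loopback bind is reachable from the pods that set the hint depends on the agent's network mode, which this file does not show, so a comment such as `# listener binds loopback in the agent's network namespace; adjust host for the deployment` would at least make the assumption explicit.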
@@ -0,0 +1,139 @@ +inputs: + - name: filestream-snyk + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.snyk.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default + - name: httpjson-snyk + type: httpjson + use_output: default + streams: + - condition: ${kubernetes.hints.snyk.audit.enabled} == true or ${kubernetes.hints.snyk.enabled} == true + config_version: 2 + cursor: + interval: + value: -24h + data_stream: + dataset: snyk.audit + type: logs + interval: 10s + request.body: + filters: null + request.method: POST + request.transforms: + - set: + target: header.Authorization + value: token + - set: + target: url.params.to + value: '[[ formatDate (now) "2006-01-02" ]]' + - set: + default: '[[ formatDate (now (parseDuration "-720h")) "2006-01-02" ]]' + target: url.params.from + value: '[[ formatDate (now (parseDuration .cursor.interval)) "2006-01-02" ]]' + request.url: https://snyk.io/api/v1/org//audit?page=1&sortOrder=ASC + response.pagination: + - set: + fail_on_template_error: true + target: url.params.page + value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]' + response.request_body_on_pagination: true + tags: + - forwarded + - snyk-audit + - condition: ${kubernetes.hints.snyk.vulnerabilities.enabled} == true or ${kubernetes.hints.snyk.enabled} == true + config_version: 2 + cursor: + interval: + value: -24h + data_stream: + dataset: snyk.vulnerabilities + type: logs + interval: 24h + request.body: + filters: + exploitMaturity: + - mature + - proof-of-concept + - no-known-exploit + - no-data + fixable: false + identifier: null + ignored: false + isFixed: false + isPatchable: false + isPinnable: 
false + isUpgradable: false + languages: + - javascript + - ruby + - java + - scala + - python + - golang + - php + - dotnet + - swift-objective-c + - elixir + - docker + - terraform + - kubernetes + - helm + - cloudformation + orgs: null + patched: false + priorityScore: + max: 1000 + min: 0 + projects: null + severity: + - critical + - high + - medium + - low + types: + - vuln + - license + - configuration + request.method: POST + request.timeout: 120s + request.transforms: + - set: + target: header.Authorization + value: token + - set: + target: url.params.to + value: '[[ formatDate (now) "2006-01-02" ]]' + - set: + default: '[[ formatDate (now (parseDuration "-24h")) "2006-01-02" ]]' + target: url.params.from + value: '[[ formatDate (now (parseDuration .cursor.interval)) "2006-01-02" ]]' + request.url: https://snyk.io/api/v1/reporting/issues/?page=1&perPage=10&sortBy=issueTitle&order=asc&groupBy=issue + response.pagination: + - set: + fail_on_template_error: true + target: url.params.page + value: '[[if (ne (len .last_response.body.response) 0)]][[add .last_response.page 1]][[end]]' + response.request_body_on_pagination: true + response.split: + target: body.results + tags: + - forwarded + - snyk-vulnerabilities + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/stan.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/stan.yml new file mode 100644 index 00000000000..9fdee28a731 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/stan.yml 
@@ -0,0 +1,56 @@
+inputs:
+ - name: filestream-stan
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.stan.log.enabled} == true or ${kubernetes.hints.stan.enabled} == true
+ data_stream:
+ dataset: stan.log
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.stan.log.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - forwarded
+ - stan-log
+ data_stream.namespace: default
+ - name: stan/metrics-stan
+ type: stan/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.stan.channels.enabled} == true or ${kubernetes.hints.stan.enabled} == true
+ data_stream:
+ dataset: stan.channels
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.stan.channels.host|'localhost:8222'}
+ metricsets:
+ - channels
+ period: ${kubernetes.hints.stan.channels.period|'60s'}
+ - condition: ${kubernetes.hints.stan.stats.enabled} == true or ${kubernetes.hints.stan.enabled} == true
+ data_stream:
+ dataset: stan.stats
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.stan.stats.host|'localhost:8222'}
+ metricsets:
+ - stats
+ period: ${kubernetes.hints.stan.stats.period|'60s'}
+ - condition: ${kubernetes.hints.stan.subscriptions.enabled} == true or ${kubernetes.hints.stan.enabled} == true
+ data_stream:
+ dataset: stan.subscriptions
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.stan.subscriptions.host|'localhost:8222'}
+ metricsets:
+ - subscriptions
+ period: ${kubernetes.hints.stan.subscriptions.period|'60s'}
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/suricata.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/suricata.yml
new file mode 100644
index 00000000000..374d369783e
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/suricata.yml
@@ -0,0 +1,24 @@
+inputs:
+ - name: filestream-suricata
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.suricata.eve.enabled} == true or ${kubernetes.hints.suricata.enabled} == true
+ data_stream:
+ dataset: suricata.eve
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.suricata.eve.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - forwarded
+ - suricata-eve
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml
new file mode 100644
index 00000000000..fac3f6cbd93
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/symantec_endpoint.yml
@@ -0,0 +1,67 @@
+inputs:
+ - name: filestream-symantec_endpoint
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true and ${kubernetes.hints.symantec_endpoint.enabled} == true
+ data_stream:
+ dataset: symantec_endpoint.log
+ type: logs
+ exclude_files:
+ - .gz$
+ fields:
+ _conf:
+ remove_mapped_fields: false
+ tz_offset: UTC
+ fields_under_root: true
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.symantec_endpoint.log.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - symantec-endpoint-log
+ - forwarded
+ data_stream.namespace: default
+ - name: tcp-symantec_endpoint
+ type: tcp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true and ${kubernetes.hints.symantec_endpoint.enabled} == true
+ data_stream:
+ dataset: symantec_endpoint.log
+ type: logs
+ fields:
+ _conf:
+ remove_mapped_fields: false
+ tz_offset: UTC
+ fields_under_root: true
+ host: localhost:9008
+ max_message_size: 1 MiB
+ tags:
+ - symantec-endpoint-log
+ - forwarded
+ data_stream.namespace: default
+ - name: udp-symantec_endpoint
+ type: udp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true or ${kubernetes.hints.symantec_endpoint.enabled} == true
+ data_stream:
+ dataset: symantec_endpoint.log
+ type: logs
+ fields:
+ _conf:
+ remove_mapped_fields: false
+ tz_offset: UTC
+ fields_under_root: true
+ host: localhost:9008
+ max_message_size: 1 MiB
+ tags:
+ - symantec-endpoint-log
+ - forwarded
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml
new file mode 100644
index 00000000000..2f375b1a3f0
--- /dev/null
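Review bot: The filestream and tcp streams gate on `== true and ${kubernetes.hints.symantec_endpoint.enabled} == true` while the udp stream and every other template in this diff use `or`, so enabling only the package-level `symantec_endpoint.enabled` hint starts the udp listener but neither of the other two inputs, and the two halves of the same package disagree on what the hint means. The synthetics template has the same split (`and` on the http, tcp and icmp streams, `or` on browser). Unless the `and` is deliberate, the filestream and tcp conditions should read `condition: ${kubernetes.hints.symantec_endpoint.log.enabled} == true or ${kubernetes.hints.symantec_endpoint.enabled} == true`, matching the udp stream.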
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/synthetics.yml 
@@ -0,0 +1,148 @@ +inputs: + - name: synthetics/http-synthetics + type: synthetics/http + use_output: default + streams: + - __ui: null + check.request.method: null + condition: ${kubernetes.hints.synthetics.http.enabled} == true and ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: http + type: synthetics + enabled: true + max_redirects: null + name: null + processors: + - add_observer_metadata: + geo: + name: Fleet managed + - add_fields: + fields: + monitor.fleet_managed: true + target: "" + response.include_body: null + response.include_headers: null + schedule: '@every 3m' + timeout: null + type: http + urls: null + data_stream.namespace: default + - name: synthetics/tcp-synthetics + type: synthetics/tcp + use_output: default + streams: + - __ui: null + condition: ${kubernetes.hints.synthetics.tcp.enabled} == true and ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: tcp + type: synthetics + enabled: true + hosts: ${kubernetes.hints.synthetics.tcp.host|''} + name: null + processors: + - add_observer_metadata: + geo: + name: Fleet managed + - add_fields: + fields: + monitor.fleet_managed: true + target: "" + proxy_use_local_resolver: false + schedule: '@every 3m' + timeout: null + type: tcp + data_stream.namespace: default + - name: synthetics/icmp-synthetics + type: synthetics/icmp + use_output: default + streams: + - __ui: null + condition: ${kubernetes.hints.synthetics.icmp.enabled} == true and ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: icmp + type: synthetics + enabled: true + hosts: ${kubernetes.hints.synthetics.icmp.host|''} + name: null + processors: + - add_observer_metadata: + geo: + name: Fleet managed + - add_fields: + fields: + monitor.fleet_managed: true + target: "" + schedule: '@every 3m' + timeout: null + type: icmp + wait: 1s + data_stream.namespace: default + - name: synthetics/browser-synthetics + type: synthetics/browser + use_output: default + streams: + - __ui: 
null + condition: ${kubernetes.hints.synthetics.browser.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: browser + type: synthetics + enabled: true + name: null + processors: + - add_observer_metadata: + geo: + name: Fleet managed + - add_fields: + fields: + monitor.fleet_managed: true + target: "" + schedule: '@every 3m' + throttling: null + timeout: null + type: browser + - condition: ${kubernetes.hints.synthetics.browser_network.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: browser.network + type: synthetics + processors: + - add_observer_metadata: + geo: + name: Fleet managed + - add_fields: + fields: + monitor.fleet_managed: true + target: "" + - condition: ${kubernetes.hints.synthetics.browser_screenshot.enabled} == true or ${kubernetes.hints.synthetics.enabled} == true + data_stream: + dataset: browser.screenshot + type: synthetics + processors: + - add_observer_metadata: + geo: + name: Fleet managed + - add_fields: + fields: + monitor.fleet_managed: true + target: "" + data_stream.namespace: default + - name: filestream-synthetics + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.synthetics.container_logs.enabled} == true + data_stream: + dataset: kubernetes.container_logs + type: logs + exclude_files: [] + exclude_lines: [] + parsers: + - container: + format: auto + stream: all + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + prospector: + scanner: + symlinks: true + tags: [] + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml new file mode 100644 index 00000000000..34c8d0d984e --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/tcp.yml 
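Review bot: The http stream has `urls: null` with no hint behind it, while the tcp and icmp streams read `hosts: ${kubernetes.hints.synthetics.tcp.host|''}` and `hosts: ${kubernetes.hints.synthetics.icmp.host|''}`, so an http monitor cannot be configured from annotations at all and the tcp/icmp monitors default to an empty target while carrying `enabled: true`. Whether the agent rejects a monitor with an empty host or starts it idle is not visible from this file; either way the empty default deserves a comment, or the stream should require the hint. A hint of the same shape, `urls: ${kubernetes.hints.synthetics.http.url|''}` (a proposed name, not one this page defines), would bring the http stream in line with the other two.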
@@ -0,0 +1,32 @@
+inputs:
+ - name: filestream-tcp
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.tcp.container_logs.enabled} == true
+ data_stream:
+ dataset: kubernetes.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
+ - name: tcp-tcp
+ type: tcp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.tcp.generic.enabled} == true or ${kubernetes.hints.tcp.enabled} == true
+ data_stream:
+ dataset: tcp.generic
+ type: logs
+ host: localhost:8080
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml
new file mode 100644
index 00000000000..1355b57befa
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/tomcat.yml
@@ -0,0 +1,8296 @@ +inputs: + - name: udp-tomcat + type: udp + use_output: default + streams: + - condition: ${kubernetes.hints.tomcat.log.enabled} == true or ${kubernetes.hints.tomcat.enabled} == true + data_stream: + dataset: tomcat.log + type: logs + fields: + observer: + product: TomCat + type: Web + vendor: Apache + fields_under_root: true + host: localhost:9523 + processors: + - script: + lang: javascript + params: + debug: false + ecs: true + keep_raw: false + rsa: true + tz_offset: local + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. 
+ case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. + if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("ABCD", dup7); + + var msg2 = msg("BADMETHOD", dup7); + + var msg3 = msg("BADMTHD", dup7); + + var msg4 = msg("BDMTHD", dup7); + + var msg5 = msg("INDEX", dup7); + + var msg6 = msg("CFYZ", dup7); + + var msg7 = msg("CONNECT", dup7); + + var msg8 = msg("DELETE", dup7); + + var msg9 = msg("DETECT_METHOD_TYPE", dup7); + + var msg10 = msg("FGET", dup7); + + var msg11 = msg("GET", dup7); + + var msg12 = msg("get", dup7); + + var msg13 = msg("HEAD", dup7); + + var msg14 = msg("id", dup7); + + var msg15 = msg("LOCK", dup7); + + var msg16 = msg("MKCOL", dup7); + + var msg17 = msg("NCIRCLE", dup7); + + var msg18 = msg("OPTIONS", dup7); + + var msg19 = msg("POST", dup7); + + var msg20 = msg("PRONECT", dup7); + + var msg21 = msg("PROPFIND", dup7); + + var msg22 = msg("PUT", dup7); + + var msg23 = msg("QUALYS", dup7); + + var msg24 = msg("SEARCH", dup7); + + var msg25 = msg("TRACK", dup7); + + var msg26 = msg("TRACE", dup7); + + var msg27 = msg("uGET", dup7); + + var msg28 = msg("null", dup7); + + var msg29 = msg("rndmmtd", dup7); + + var msg30 = msg("RNDMMTD", dup7); + + var msg31 = msg("asdf", dup7); + + var msg32 = msg("DEBUG", dup7); + + var msg33 = msg("COOK", dup7); + + var msg34 = msg("nGET", dup7); + + var chain1 = 
processor_chain([ + select1, + msgid_select({ + "ABCD": msg1, + "BADMETHOD": msg2, + "BADMTHD": msg3, + "BDMTHD": msg4, + "CFYZ": msg6, + "CONNECT": msg7, + "COOK": msg33, + "DEBUG": msg32, + "DELETE": msg8, + "DETECT_METHOD_TYPE": msg9, + "FGET": msg10, + "GET": msg11, + "HEAD": msg13, + "INDEX": msg5, + "LOCK": msg15, + "MKCOL": msg16, + "NCIRCLE": msg17, + "OPTIONS": msg18, + "POST": msg19, + "PRONECT": msg20, + "PROPFIND": msg21, + "PUT": msg22, + "QUALYS": msg23, + "RNDMMTD": msg30, + "SEARCH": msg24, + "TRACE": msg26, + "TRACK": msg25, + "asdf": msg31, + "get": msg12, + "id": msg14, + "nGET": msg34, + "null": msg28, + "rndmmtd": msg29, + "uGET": msg27, + }), + ]); + + var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + - community_id: null + - registered_domain: + field: dns.question.name + ignore_failure: true + ignore_missing: true + target_etld_field: dns.question.top_level_domain + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + - registered_domain: + field: client.domain + ignore_failure: true + ignore_missing: true + target_etld_field: client.top_level_domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + - registered_domain: + field: server.domain + ignore_failure: true + ignore_missing: true + target_etld_field: server.top_level_domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + - registered_domain: + field: destination.domain + ignore_failure: true + ignore_missing: true + target_etld_field: destination.top_level_domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + - registered_domain: + field: 
source.domain + ignore_failure: true + ignore_missing: true + target_etld_field: source.top_level_domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + - registered_domain: + field: url.domain + ignore_failure: true + ignore_missing: true + target_etld_field: url.top_level_domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + - add_locale: null + tags: + - tomcat-log + - forwarded + udp: null + data_stream.namespace: default + - name: tcp-tomcat + type: tcp + use_output: default + streams: + - condition: ${kubernetes.hints.tomcat.log.enabled} == true or ${kubernetes.hints.tomcat.enabled} == true + data_stream: + dataset: tomcat.log + type: logs + fields: + observer: + product: TomCat + type: Web + vendor: Apache + fields_under_root: true + host: localhost:9523 + processors: + - script: + lang: javascript + params: + debug: false + ecs: true + keep_raw: false + rsa: true + tz_offset: local + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. + function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? 
params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. 
+ if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result;
+ switch (args[1]) {
+ case "+":
+ result = a + b;
+ break;
+ case "-":
+ result = a - b;
+ break;
+ case "*":
+ result = a * b;
+ break;
+ default:
+ // Only * and + seen in the parsers.
+ console.warn("unknown CALC operation '" + args[1] + "'.");
+ return;
+ }
+ // Always return a string
+ return result !== undefined ? "" + result : result;
+ }
+
+ var quoteChars = "\"'`";
+ function RMQ(args) {
+ if(args.length !== 1) {
+ console.warn("RMQ: only one argument expected");
+ return;
+ }
+ var value = args[0].trim();
+ var n = value.length;
+ var char;
+ return n > 1
+ && (char=value.charAt(0)) === value.charAt(n-1)
+ && quoteChars.indexOf(char) !== -1?
+ value.substr(1, n-2)
+ : value;
+ }
+
+ function call(opts) {
+ var args = new Array(opts.args.length);
+ return function (evt) {
+ for (var i = 0; i < opts.args.length; i++)
+ if ((args[i] = opts.args[i](evt)) == null) return;
+ var result = opts.fn(args);
+ if (result != null) {
+ evt.Put(opts.dest, result);
+ }
+ };
+ }
+
+ function nop(evt) {
+ }
+
+ function appendErrorMsg(evt, msg) {
+ var value = evt.Get("error.message");
+ if (value == null) {
+ value = [msg];
+ } else if (msg instanceof Array) {
+ value.push(msg);
+ } else {
+ value = [value, msg];
+ }
+ evt.Put("error.message", value);
+ }
+
+ function unimplemented(name) {
+ appendErrorMsg("unimplemented feature: " + name);
+ }
+
+ function lookup(opts) {
+ return function (evt) {
+ var key = opts.key(evt);
+ if (key == null) return;
+ var value = opts.map.keyvaluepairs[key];
+ if (value === undefined) {
+ value = opts.map.default;
+ }
+ if (value !== undefined) {
+ evt.Put(opts.dest, value(evt));
+ }
+ };
+ }
+
+ function set(fields) {
+ return new processor.AddFields({
+ target: FIELDS_OBJECT,
+ fields: fields,
+ });
+ }
+
+ function setf(dst, src) {
+ return function (evt) {
+ var val = evt.Get(FIELDS_PREFIX + src);
+ if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
+ };
+ }
+
+ function setc(dst, value) {
+ return function (evt) {
+ 
evt.Put(FIELDS_PREFIX + dst, value);
+ };
+ }
+
+ function set_field(opts) {
+ return function (evt) {
+ var val = opts.value(evt);
+ if (val != null) evt.Put(opts.dest, val);
+ };
+ }
+
+ function dump(label) {
+ return function (evt) {
+ console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
+ };
+ }
+
+ function date_time_join_args(evt, arglist) {
+ var str = "";
+ for (var i = 0; i < arglist.length; i++) {
+ var fname = FIELDS_PREFIX + arglist[i];
+ var val = evt.Get(fname);
+ if (val != null) {
+ if (str !== "") str += " ";
+ str += val;
+ } else {
+ if (debug) console.warn("in date_time: input arg " + fname + " is not set");
+ }
+ }
+ return str;
+ }
+
+ function to2Digit(num) {
+ return num? (num < 10? "0" + num : num) : "00";
+ }
+
+ // Make two-digit dates 00-69 interpreted as 2000-2069
+ // and dates 70-99 translated to 1970-1999.
+ var twoDigitYearEpoch = 70;
+ var twoDigitYearCentury = 2000;
+
+ // This is to accept dates up to 2 days in the future, only used when
+ // no year is specified in a date. 2 days should be enough to account for
+ // time differences between systems and different tz offsets.
+ var maxFutureDelta = 2*24*60*60*1000;
+
+ // DateContainer stores date fields and then converts those fields into
+ // a Date. Necessary because building a Date using its set() methods gives
+ // different results depending on the order of components.
+ function DateContainer(tzOffset) {
+ this.offset = tzOffset === undefined? "Z" : tzOffset;
+ }
+
+ DateContainer.prototype = {
+ setYear: function(v) {this.year = v;},
+ setMonth: function(v) {this.month = v;},
+ setDay: function(v) {this.day = v;},
+ setHours: function(v) {this.hours = v;},
+ setMinutes: function(v) {this.minutes = v;},
+ setSeconds: function(v) {this.seconds = v;},
+
+ setUNIX: function(v) {this.unix = v;},
+
+ set2DigitYear: function(v) {
+ this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
+ },
+
+ toDate: function() {
+ if (this.unix !== undefined) {
+ return new Date(this.unix * 1000);
+ }
+ if (this.day === undefined || this.month === undefined) {
+ // Can't make a date from this.
+ return undefined;
+ }
+ if (this.year === undefined) {
+ // A date without a year. Set current year, or previous year
+ // if date would be in the future.
+ var now = new Date();
+ this.year = now.getFullYear();
+ var date = this.toDate();
+ if (date.getTime() - now.getTime() > maxFutureDelta) {
+ date.setFullYear(now.getFullYear() - 1);
+ }
+ return date;
+ }
+ var MM = to2Digit(this.month);
+ var DD = to2Digit(this.day);
+ var hh = to2Digit(this.hours);
+ var mm = to2Digit(this.minutes);
+ var ss = to2Digit(this.seconds);
+ return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
+ }
+ }
+
+ function date_time_try_pattern(fmt, str, tzOffset) {
+ var date = new DateContainer(tzOffset);
+ var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
+ return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5],
+ "dec": [11, 4],
+ };
+
+ // var dC = undefined;
+ var dR = dateMonthName(true);
+ var dB = dateMonthName(false);
+ var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
+ var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
+ var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
+ var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
+ var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
+ var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
+ var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
+ var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
+ var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
+ var dP = parseAMPM; // AM|PM
+ var dQ = parseAMPM; // A.M.|P.M
+ var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
+ var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
+ var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
+ var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
+ var dZ = parseHMS;
+ var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
+
+ // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
+ // Only works if this modifier appears after the hour has been read from logs
+ // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) {
+ var n = str.length;
+ var start = skipws(str, pos);
+ if (start + 2 > n) return;
+ var head = str.substr(start, 2).toUpperCase();
+ var isPM = false;
+ var skip = false;
+ switch (head) {
+ case "A.":
+ skip = true;
+ /* falls through */
+ case "AM":
+ break;
+ case "P.":
+ skip = true;
+ /* falls through */
+ case "PM":
+ isPM = true;
+ break;
+ default:
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
+ return;
+ }
+ pos = start + 2;
+ if (skip) {
+ if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
+ if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
+ return;
+ }
+ pos += 2;
+ }
+ var hh = date.hours;
+ if (isPM) {
+ // Accept existing hour in 24h format.
+ if (hh < 12) hh += 12;
+ } else {
+ if (hh === 12) hh = 0;
+ }
+ date.setHours(hh);
+ return pos;
+ }
+
+ function parseHMS(str, pos, date) {
+ return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
+ }
+
+ function skipws(str, pos) {
+ for ( var n = str.length;
+ pos < n && str.charAt(pos) === " ";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function skipdigits(str, pos) {
+ var c;
+ for (var n = str.length;
+ pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
+ pos++)
+ ;
+ return pos;
+ }
+
+ function dSkip(str, pos, date) {
+ var chr;
+ for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
+ return pos < str.length? 
pos : undefined;
+ }
+
+ function dateVariableWidthNumber(fmtChar, min, max, setter) {
+ return function (str, pos, date) {
+ var start = skipws(str, pos);
+ pos = skipdigits(str, start);
+ var s = str.substr(start, pos - start);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos;
+ }
+ return;
+ };
+ }
+
+ function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + width > n) return;
+ var s = str.substr(pos, width);
+ var value = parseInt(s, 10);
+ if (value >= min && value <= max) {
+ setter.call(date, value);
+ return pos + width;
+ }
+ return;
+ };
+ }
+
+ // Short month name (Jan..Dec).
+ function dateMonthName(long) {
+ return function (str, pos, date) {
+ pos = skipws(str, pos);
+ var n = str.length;
+ if (pos + 3 > n) return;
+ var mon = str.substr(pos, 3);
+ var idx = shortMonths[mon];
+ if (idx === undefined) {
+ idx = shortMonths[mon.toLowerCase()];
+ }
+ if (idx === undefined) {
+ //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
+ return;
+ }
+ date.setMonth(idx[0]+1);
+ return pos + 3 + (long ? 
idx[1] : 0);
+ };
+ }
+
+ function url_wrapper(dst, src, fn) {
+ return function(evt) {
+ var value = evt.Get(FIELDS_PREFIX + src), result;
+ if (value != null && (result = fn(value))!== undefined) {
+ evt.Put(FIELDS_PREFIX + dst, result);
+ } else {
+ console.debug(fn.name + " failed for '" + value + "'");
+ }
+ };
+ }
+
+ // The following regular expression for parsing URLs from:
+ // https://github.com/wizard04wsu/URI_Parsing
+ //
+ // The MIT License (MIT)
+ //
+ // Copyright (c) 2014 Andrew Harrison
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a copy of
+ // this software and associated documentation files (the "Software"), to deal in
+ // the Software without restriction, including without limitation the rights to
+ // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ // the Software, and to permit persons to whom the Software is furnished to do so,
+ // subject to the following conditions:
+ //
+ // The above copyright notice and this permission notice shall be included in all
+ // copies or substantial portions of the Software.
+ //
+ // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
+
+ var uriScheme = 1;
+ var uriDomain = 5;
+ var uriPort = 6;
+ var uriPath = 7;
+ var uriPathAlt = 9;
+ var uriQuery = 11;
+
+ function domain(dst, src) {
+ return url_wrapper(dst, src, extract_domain);
+ }
+
+ function split_url(value) {
+ var m = value.match(uriRegExp);
+ if (m && m[uriDomain]) return m;
+ // Support input in the form "www.example.net/path", but not "/path".
+ m = ("null://" + value).match(uriRegExp);
+ if (m) return m;
+ }
+
+ function extract_domain(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain]) return m[uriDomain];
+ }
+
+ var extFromPage = /\.[^.]+$/;
+ function extract_ext(value) {
+ var page = extract_page(value);
+ if (page) {
+ var m = page.match(extFromPage);
+ if (m) return m[0];
+ }
+ }
+
+ function ext(dst, src) {
+ return url_wrapper(dst, src, extract_ext);
+ }
+
+ function fqdn(dst, src) {
+ // TODO: fqdn and domain(eTLD+1) are currently the same.
+ return domain(dst, src);
+ }
+
+ var pageFromPathRegExp = /\/([^\/]+)$/;
+ var pageName = 1;
+
+ function extract_page(value) {
+ value = extract_path(value);
+ if (!value) return undefined;
+ var m = value.match(pageFromPathRegExp);
+ if (m) return m[pageName];
+ }
+
+ function page(dst, src) {
+ return url_wrapper(dst, src, extract_page);
+ }
+
+ function extract_path(value) {
+ var m = split_url(value);
+ return m? m[uriPath] || m[uriPathAlt] : undefined;
+ }
+
+ function path(dst, src) {
+ return url_wrapper(dst, src, extract_path);
+ }
+
+ // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage).
+ var schemePort = {
+ "ftp": "21",
+ "ssh": "22",
+ "http": "80",
+ "https": "443",
+ };
+
+ function extract_port(value) {
+ var m = split_url(value);
+ if (!m) return undefined;
+ if (m[uriPort]) return m[uriPort];
+ if (m[uriScheme]) {
+ return schemePort[m[uriScheme]];
+ }
+ }
+
+ function port(dst, src) {
+ return url_wrapper(dst, src, extract_port);
+ }
+
+ function extract_query(value) {
+ var m = split_url(value);
+ if (m && m[uriQuery]) return m[uriQuery];
+ }
+
+ function query(dst, src) {
+ return url_wrapper(dst, src, extract_query);
+ }
+
+ function extract_root(value) {
+ var m = split_url(value);
+ if (m && m[uriDomain] && m[uriDomain]) {
+ var scheme = m[uriScheme] && m[uriScheme] !== "null"?
+ m[uriScheme] + "://" : "";
+ var port = m[uriPort]? ":" + m[uriPort] : "";
+ return scheme + m[uriDomain] + port;
+ }
+ }
+
+ function root(dst, src) {
+ return url_wrapper(dst, src, extract_root);
+ }
+
+ function tagval(id, src, cfg, keys, on_success) {
+ var fail = function(evt) {
+ evt.Put(FLAG_FIELD, "tagval_parsing_error");
+ }
+ if (cfg.kv_separator.length !== 1) {
+ throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)");
+ }
+ var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
+ "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
+ "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
+ "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
+ "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
+ "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
+ "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
+ "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
+ "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
+ "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
+ "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
+ "direction": {to:[{field: "network.direction", setter: fld_set}]},
+ "directory": {to:[{field: "file.directory", setter: fld_set}]},
+ "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
+ "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
+ "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
+ "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
+ "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]},
+ 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
+ "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
+ "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
+ "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
+ "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
+ "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
+ "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
+ "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
+ "event_source": {to:[{field: "related.hosts", setter: fld_append}]},
+ "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
+ "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
+ "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
+ "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
+ "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
+ "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
+ "filepath": {to:[{field: "file.path", setter: fld_set}]},
+ "filetype": {to:[{field: "file.type", setter: fld_set}]},
+ "fqdn": {to:[{field: "related.hosts", setter: fld_append}]},
+ "group": {to:[{field: "group.name", setter: fld_set}]},
+ "groupid": {to:[{field: "group.id", setter: fld_set}]},
+ "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]},
+ "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
+ "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
+ "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
+ "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
+ "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
+ "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
+ "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
+ "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
+ "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
+ "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
+ "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
+ "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
+ "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
+ "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
+ "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
+ "method": {to:[{field: "http.request.method", setter: fld_set}]},
+ "msg": {to:[{field: "message", setter: fld_set}]},
+ "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
+ "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
+ "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
+ "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]},
+ "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
+ "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
+ "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
+ "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
+ "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
+ "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
+ "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
+ "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
+ "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
+ "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]},
+ "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
+ "product": {to:[{field: "observer.product", setter: fld_set}]},
+ "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
+ "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
+ "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
+ "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
+ "rulename": {to:[{field: "rule.name", setter: fld_set}]},
+ "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]},
+ "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]},
+ "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
+ "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
+ "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
+ "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
+ "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
+ "severity": {to:[{field: "log.level", setter: fld_set}]},
+ "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]},
+ "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
+ "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
+ "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
+ "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
+ "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
+ "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
+ "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
+ "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
+ "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
+ "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
+ "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
+ "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
+ "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
+ "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
+ "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: 
fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: 
"rsa.misc.phone", setter: fld_prio, prio: 1}]}, + "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, + "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, + "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, + "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]}, + "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, + "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, + "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, + "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, + "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, + "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, + "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, + "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, + "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, + "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, + "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, + "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, + "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, + "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, + "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, + "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, + "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, + "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, + "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, + "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, + "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, + "checksum.src": 
{to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, + "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, + "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, + "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, + "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, + "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]}, + "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, + "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, + "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, + "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, + "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, + "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, + "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, + "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, + "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, + "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, + "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, + "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, + "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, + "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, + "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, + "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, + "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, + "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, + "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, + "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, + "cn_log_did": {to:[{field: 
"rsa.misc.cn_log_did", setter: fld_set}]}, + "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, + "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, + "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, + "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, + "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]}, + "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, + "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, + "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, + "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, + "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, + "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, + "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, + "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, + "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, + "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, + "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, + "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, + "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, + "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, + "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, + "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, + "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, + "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, + "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, + "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, + "cn_src_tos": {to:[{field: 
"rsa.misc.cn_src_tos", setter: fld_set}]}, + "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, + "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, + "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, + "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, + "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, + "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, + "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, + "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, + "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, + "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, + "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, + "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, + "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, + "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, + "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, + "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, + "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, + "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, + "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, + "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, + "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, + "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, + "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, + "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, + "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, + "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, + 
"criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, + "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, + "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, + "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, + "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]}, + "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, + "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, + "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, + "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, + "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, + "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, + "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, + "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, + "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, + "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, + "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, + "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, + "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, + "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, + "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, + "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, + "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, + "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, + "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, + "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, + "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, + "cs_modulescore": {to:[{field: 
"rsa.misc.cs_modulescore", setter: fld_set}]}, + "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, + "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, + "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, + "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, + "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, + "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, + "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, + "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, + "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, + "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, + "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, + "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, + "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, + "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, + "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, + "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, + "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, + "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, + "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, + "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, + "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, + "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, + "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, + "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, + "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, + "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, + "db_pid": {convert: to_long, to:[{field: 
"rsa.db.db_pid", setter: fld_set}]}, + "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, + "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, + "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, + "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]}, + "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, + "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, + "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, + "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, + "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, + "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, + "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, + "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, + "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, + "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, + "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, + "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, + "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, + "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, + "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, + "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, + "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, + "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, + "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, 
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, + "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, + "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, + "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, + "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, + "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, + "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, + "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, + "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, + "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, + "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, + "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, + "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, + "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, + "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, + "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, + "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, + "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, + "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, + "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, + "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, + "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, + "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, + "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, + "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, + "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, + "duration": {convert: to_double, 
to:[{field: "rsa.time.duration_time", setter: fld_set}]}, + "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, + "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, + "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, + "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]}, + "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, + "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, + "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, + "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, + "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, + "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, + "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, + "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, + "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, + "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, + "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, + "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, + "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, + "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, + "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, + "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, + "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, + "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, + "event_category": {to:[{field: 
"rsa.misc.event_category", setter: fld_set}]}, + "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, + "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, + "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, + "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]}, + "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, + "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, + "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, + "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, + "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, + "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, + "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, + "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, + "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, + "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, + "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, + "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, + "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, + "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, + "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, + "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, + "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, + "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, + "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, + "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, + "feed.category": {to:[{field: 
"rsa.internal.feed_category", setter: fld_set}]}, + "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, + "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, + "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, + "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]}, + "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, + "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, + "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, + "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, + "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, + "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, + "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, + "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, + "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, + "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, + "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, + "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, + "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, + "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, + "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, + "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, + "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, + "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, + "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, + "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, + "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, + "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, + "groupid": {to:[{field: "rsa.misc.group_id", setter: 
fld_set}]}, + "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, + "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, + "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, + "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, + "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]}, + "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, + "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, + "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, + "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, + "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, + "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, + "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, + "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, + "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, + "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, + "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, + "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, + "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, + "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, + "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, + "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, + "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, + "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, + "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, + "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, + "im_userid": 
{to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, + "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, + "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, + "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, + "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, + "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, + "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, + "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, + "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, + "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, + "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, + "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, + "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, + "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, + "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, + "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, + "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, + "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, + "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, + "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, + "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, + "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, + "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, + "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, + "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, + "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, + "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, + "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, + "lifetime": 
{convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, + "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, + "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, + "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, + "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, + "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, + "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, + "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, + "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, + "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, + "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, + "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, + "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, + "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, + "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, + "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, + "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, + "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, + "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, + "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, + "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, + "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, + "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, + "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, + "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, + "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, + "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, + 
"mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, + "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, + "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, + "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, + "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, + "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, + "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, + "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, + "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, + "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, + "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, + "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, + "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, + "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, + "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, + "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, + "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, + "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, + "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, + "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, + "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, + "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, + "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, + "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, + "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, + "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, + "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, + "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, + "number": 
{to:[{field: "rsa.misc.number", setter: fld_set}]}, + "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, + "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, + "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, + "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, + "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, + "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, + "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, + "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, + "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, + "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, + "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, + "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, + "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, + "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, + "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, + "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, + "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, + "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, + "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, + "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, + "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, + "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, + "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, + "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, + "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, + "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, + "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, + "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, 
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, + "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, + "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, + "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, + "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, + "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, + "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, + "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, + "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, + "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, + "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, + "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, + "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, + "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, + "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, + "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, + "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, + "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, + "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, + "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, + "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, + "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, + "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, + "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, + "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, + "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, + "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, + "payload.req": {convert: 
to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, + "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, + "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, + "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, + "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]}, + "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, + "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, + "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, + "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, + "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, + "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, + "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, + "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, + "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, + "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, + "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, + "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, + "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, + "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, + "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, + "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, + "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, + "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, + "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, + "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, + "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, + "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, + "processing_time": 
{to:[{field: "rsa.time.process_time", setter: fld_set}]}, + "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, + "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, + "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, + "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]}, + "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, + "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, + "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, + "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, + "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, + "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, + "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, + "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, + "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, + "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, + "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, + "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, + "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, + "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, + "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, + "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, + "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, + "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, + "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, + "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, + "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("ABCD", dup7); + + var msg2 = msg("BADMETHOD", dup7); + + var msg3 = msg("BADMTHD", dup7); + + var msg4 = msg("BDMTHD", dup7); + + var msg5 = msg("INDEX", dup7); + + var msg6 = msg("CFYZ", dup7); + + var msg7 = msg("CONNECT", dup7); + + var msg8 = msg("DELETE", dup7); + + var msg9 = msg("DETECT_METHOD_TYPE", dup7); + + var msg10 = msg("FGET", dup7); + + var msg11 = msg("GET", dup7); + + var msg12 = msg("get", dup7); + + var msg13 = msg("HEAD", dup7); + + var msg14 = msg("id", dup7); + + var msg15 = msg("LOCK", dup7); + + var msg16 = msg("MKCOL", dup7); + + var msg17 = msg("NCIRCLE", dup7); + + var msg18 = msg("OPTIONS", dup7); + + var msg19 = msg("POST", dup7); + + var msg20 = msg("PRONECT", dup7); + + var msg21 = msg("PROPFIND", dup7); + + var msg22 = msg("PUT", dup7); + + var msg23 = msg("QUALYS", dup7); + + var msg24 = msg("SEARCH", dup7); + + var msg25 = msg("TRACK", dup7); + + var msg26 = msg("TRACE", dup7); + + var msg27 = msg("uGET", dup7); + + var msg28 = msg("null", dup7); + + var msg29 = msg("rndmmtd", dup7); + + var msg30 = msg("RNDMMTD", dup7); + + var msg31 = msg("asdf", dup7); + + var msg32 = msg("DEBUG", dup7); + + var msg33 = msg("COOK", dup7); + + var msg34 = msg("nGET", dup7); + + var chain1 = 
processor_chain([ + select1, + msgid_select({ + "ABCD": msg1, + "BADMETHOD": msg2, + "BADMTHD": msg3, + "BDMTHD": msg4, + "CFYZ": msg6, + "CONNECT": msg7, + "COOK": msg33, + "DEBUG": msg32, + "DELETE": msg8, + "DETECT_METHOD_TYPE": msg9, + "FGET": msg10, + "GET": msg11, + "HEAD": msg13, + "INDEX": msg5, + "LOCK": msg15, + "MKCOL": msg16, + "NCIRCLE": msg17, + "OPTIONS": msg18, + "POST": msg19, + "PRONECT": msg20, + "PROPFIND": msg21, + "PUT": msg22, + "QUALYS": msg23, + "RNDMMTD": msg30, + "SEARCH": msg24, + "TRACE": msg26, + "TRACK": msg25, + "asdf": msg31, + "get": msg12, + "id": msg14, + "nGET": msg34, + "null": msg28, + "rndmmtd": msg29, + "uGET": msg27, + }), + ]); + + var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + - community_id: null + - registered_domain: + field: dns.question.name + ignore_failure: true + ignore_missing: true + target_etld_field: dns.question.top_level_domain + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + - registered_domain: + field: client.domain + ignore_failure: true + ignore_missing: true + target_etld_field: client.top_level_domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + - registered_domain: + field: server.domain + ignore_failure: true + ignore_missing: true + target_etld_field: server.top_level_domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + - registered_domain: + field: destination.domain + ignore_failure: true + ignore_missing: true + target_etld_field: destination.top_level_domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + - registered_domain: + field: 
source.domain + ignore_failure: true + ignore_missing: true + target_etld_field: source.top_level_domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + - registered_domain: + field: url.domain + ignore_failure: true + ignore_missing: true + target_etld_field: url.top_level_domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + - add_locale: null + tags: + - tomcat-log + - forwarded + tcp: null + data_stream.namespace: default + - name: filestream-tomcat + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.tomcat.log.enabled} == true and ${kubernetes.hints.tomcat.enabled} == true + data_stream: + dataset: tomcat.log + type: logs + exclude_files: + - .gz$ + fields: + observer: + product: TomCat + type: Web + vendor: Apache + fields_under_root: true + parsers: + - container: + format: auto + stream: ${kubernetes.hints.tomcat.log.stream|'all'} + paths: + - /var/log/containers/*${kubernetes.hints.container_id}.log + processors: + - script: + lang: javascript + params: + debug: false + ecs: true + keep_raw: false + rsa: true + tz_offset: local + source: | + // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + // or more contributor license agreements. Licensed under the Elastic License; + // you may not use this file except in compliance with the Elastic License. + + /* jshint -W014,-W016,-W097,-W116 */ + + var processor = require("processor"); + var console = require("console"); + + var FLAG_FIELD = "log.flags"; + var FIELDS_OBJECT = "nwparser"; + var FIELDS_PREFIX = FIELDS_OBJECT + "."; + + var defaults = { + debug: false, + ecs: true, + rsa: false, + keep_raw: false, + tz_offset: "local", + strip_priority: true + }; + + var saved_flags = null; + var debug; + var map_ecs; + var map_rsa; + var keep_raw; + var device; + var tz_offset; + var strip_priority; + + // Register params from configuration. 
+ function register(params) { + debug = params.debug !== undefined ? params.debug : defaults.debug; + map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; + map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; + keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; + tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); + strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; + device = new DeviceProcessor(); + } + + function parse_tz_offset(offset) { + var date; + var m; + switch(offset) { + // local uses the tz offset from the JS VM. + case "local": + date = new Date(); + // Reversing the sign as we the offset from UTC, not to UTC. + return parse_local_tz_offset(-date.getTimezoneOffset()); + // event uses the tz offset from event.timezone (add_locale processor). + case "event": + return offset; + // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. + default: + m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); + if (m === null || m.length !== 4) { + throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM"); + } + return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); + } + } + + function parse_local_tz_offset(minutes) { + var neg = minutes < 0; + minutes = Math.abs(minutes); + var min = minutes % 60; + var hours = Math.floor(minutes / 60); + var pad2digit = function(n) { + if (n < 10) { return "0" + n;} + return "" + n; + }; + return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); + } + + function process(evt) { + // Function register is only called by the processor when `params` are set + // in the processor config. 
+ if (device === undefined) { + register(defaults); + } + return device.process(evt); + } + + function processor_chain(subprocessors) { + var builder = new processor.Chain(); + subprocessors.forEach(builder.Add); + return builder.Build().Run; + } + + function linear_select(subprocessors) { + return function (evt) { + var flags = evt.Get(FLAG_FIELD); + var i; + for (i = 0; i < subprocessors.length; i++) { + evt.Delete(FLAG_FIELD); + if (debug) console.warn("linear_select trying entry " + i); + subprocessors[i](evt); + // Dissect processor succeeded? + if (evt.Get(FLAG_FIELD) == null) break; + if (debug) console.warn("linear_select failed entry " + i); + } + if (flags !== null) { + evt.Put(FLAG_FIELD, flags); + } + if (debug) { + if (i < subprocessors.length) { + console.warn("linear_select matched entry " + i); + } else { + console.warn("linear_select didn't match"); + } + } + }; + } + + function conditional(opt) { + return function(evt) { + if (opt.if(evt)) { + opt.then(evt); + } else if (opt.else) { + opt.else(evt); + } + }; + } + + var strip_syslog_priority = (function() { + var isEnabled = function() { return strip_priority === true; }; + var fetchPRI = field("_pri"); + var fetchPayload = field("payload"); + var removePayload = remove(["payload"]); + var cleanup = remove(["_pri", "payload"]); + var onMatch = function(evt) { + var pri, priStr = fetchPRI(evt); + if (priStr != null + && 0 < priStr.length && priStr.length < 4 + && !isNaN((pri = Number(priStr))) + && 0 <= pri && pri < 192) { + var severity = pri & 7, + facility = pri >> 3; + setc("_severity", "" + severity)(evt); + setc("_facility", "" + facility)(evt); + // Replace message with priority stripped. + evt.Put("message", fetchPayload(evt)); + removePayload(evt); + } else { + // not a valid syslog PRI, cleanup. 
+ cleanup(evt); + } + }; + return conditional({ + if: isEnabled, + then: cleanup_flags(match( + "STRIP_PRI", + "message", + "<%{_pri}>%{payload}", + onMatch + )) + }); + })(); + + function match(id, src, pattern, on_success) { + var dissect = new processor.Dissect({ + field: src, + tokenizer: pattern, + target_prefix: FIELDS_OBJECT, + ignore_failure: true, + overwrite_keys: true, + trim_values: "right" + }); + return function (evt) { + var msg = evt.Get(src); + dissect.Run(evt); + var failed = evt.Get(FLAG_FIELD) != null; + if (debug) { + if (failed) { + console.debug("dissect fail: " + id + " field:" + src); + } else { + console.debug("dissect OK: " + id + " field:" + src); + } + console.debug(" expr: <<" + pattern + ">>"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null && !failed) { + on_success(evt); + } + }; + } + + function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } + } + + function cleanup_flags(processor) { + return function(evt) { + processor(evt); + evt.Delete(FLAG_FIELD); + }; + } + + function all_match(opts) { + return function (evt) { + var i; + for (i = 0; i < opts.processors.length; i++) { + evt.Delete(FLAG_FIELD); + opts.processors[i](evt); + // Dissect processor succeeded? 
+ if (evt.Get(FLAG_FIELD) != null) { + if (debug) console.warn("all_match failure at " + i); + if (opts.on_failure != null) opts.on_failure(evt); + return; + } + if (debug) console.warn("all_match success at " + i); + } + if (opts.on_success != null) opts.on_success(evt); + }; + } + + function msgid_select(mapping) { + return function (evt) { + var msgid = evt.Get(FIELDS_PREFIX + "messageid"); + if (msgid == null) { + if (debug) console.warn("msgid_select: no messageid captured!"); + return; + } + var next = mapping[msgid]; + if (next === undefined) { + if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); + return; + } + if (debug) console.info("msgid_select: matched key=" + msgid); + return next(evt); + }; + } + + function msg(msg_id, match) { + return function (evt) { + match(evt); + if (evt.Get(FLAG_FIELD) == null) { + evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); + } + }; + } + + var start; + + function save_flags(evt) { + saved_flags = evt.Get(FLAG_FIELD); + evt.Put("event.original", evt.Get("message")); + } + + function restore_flags(evt) { + if (saved_flags !== null) { + evt.Put(FLAG_FIELD, saved_flags); + } + evt.Delete("message"); + } + + function constant(value) { + return function (evt) { + return value; + }; + } + + function field(name) { + var fullname = FIELDS_PREFIX + name; + return function (evt) { + return evt.Get(fullname); + }; + } + + function STRCAT(args) { + var s = ""; + var i; + for (i = 0; i < args.length; i++) { + s += args[i]; + } + return s; + } + + // TODO: Implement + function DIRCHK(args) { + unimplemented("DIRCHK"); + } + + function strictToInt(str) { + return str * 1; + } + + function CALC(args) { + if (args.length !== 3) { + console.warn("skipped call to CALC with " + args.length + " arguments."); + return; + } + var a = strictToInt(args[0]); + var b = strictToInt(args[2]); + if (isNaN(a) || isNaN(b)) { + console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); + return; + } + 
var result; + switch (args[1]) { + case "+": + result = a + b; + break; + case "-": + result = a - b; + break; + case "*": + result = a * b; + break; + default: + // Only * and + seen in the parsers. + console.warn("unknown CALC operation '" + args[1] + "'."); + return; + } + // Always return a string + return result !== undefined ? "" + result : result; + } + + var quoteChars = "\"'`"; + function RMQ(args) { + if(args.length !== 1) { + console.warn("RMQ: only one argument expected"); + return; + } + var value = args[0].trim(); + var n = value.length; + var char; + return n > 1 + && (char=value.charAt(0)) === value.charAt(n-1) + && quoteChars.indexOf(char) !== -1? + value.substr(1, n-2) + : value; + } + + function call(opts) { + var args = new Array(opts.args.length); + return function (evt) { + for (var i = 0; i < opts.args.length; i++) + if ((args[i] = opts.args[i](evt)) == null) return; + var result = opts.fn(args); + if (result != null) { + evt.Put(opts.dest, result); + } + }; + } + + function nop(evt) { + } + + function appendErrorMsg(evt, msg) { + var value = evt.Get("error.message"); + if (value == null) { + value = [msg]; + } else if (msg instanceof Array) { + value.push(msg); + } else { + value = [value, msg]; + } + evt.Put("error.message", value); + } + + function unimplemented(name) { + appendErrorMsg("unimplemented feature: " + name); + } + + function lookup(opts) { + return function (evt) { + var key = opts.key(evt); + if (key == null) return; + var value = opts.map.keyvaluepairs[key]; + if (value === undefined) { + value = opts.map.default; + } + if (value !== undefined) { + evt.Put(opts.dest, value(evt)); + } + }; + } + + function set(fields) { + return new processor.AddFields({ + target: FIELDS_OBJECT, + fields: fields, + }); + } + + function setf(dst, src) { + return function (evt) { + var val = evt.Get(FIELDS_PREFIX + src); + if (val != null) evt.Put(FIELDS_PREFIX + dst, val); + }; + } + + function setc(dst, value) { + return function (evt) { + 
evt.Put(FIELDS_PREFIX + dst, value); + }; + } + + function set_field(opts) { + return function (evt) { + var val = opts.value(evt); + if (val != null) evt.Put(opts.dest, val); + }; + } + + function dump(label) { + return function (evt) { + console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); + }; + } + + function date_time_join_args(evt, arglist) { + var str = ""; + for (var i = 0; i < arglist.length; i++) { + var fname = FIELDS_PREFIX + arglist[i]; + var val = evt.Get(fname); + if (val != null) { + if (str !== "") str += " "; + str += val; + } else { + if (debug) console.warn("in date_time: input arg " + fname + " is not set"); + } + } + return str; + } + + function to2Digit(num) { + return num? (num < 10? "0" + num : num) : "00"; + } + + // Make two-digit dates 00-69 interpreted as 2000-2069 + // and dates 70-99 translated to 1970-1999. + var twoDigitYearEpoch = 70; + var twoDigitYearCentury = 2000; + + // This is to accept dates up to 2 days in the future, only used when + // no year is specified in a date. 2 days should be enough to account for + // time differences between systems and different tz offsets. + var maxFutureDelta = 2*24*60*60*1000; + + // DateContainer stores date fields and then converts those fields into + // a Date. Necessary because building a Date using its set() methods gives + // different results depending on the order of components. + function DateContainer(tzOffset) { + this.offset = tzOffset === undefined? "Z" : tzOffset; + } + + DateContainer.prototype = { + setYear: function(v) {this.year = v;}, + setMonth: function(v) {this.month = v;}, + setDay: function(v) {this.day = v;}, + setHours: function(v) {this.hours = v;}, + setMinutes: function(v) {this.minutes = v;}, + setSeconds: function(v) {this.seconds = v;}, + + setUNIX: function(v) {this.unix = v;}, + + set2DigitYear: function(v) { + this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; + }, + + toDate: function() { + if (this.unix !== undefined) { + return new Date(this.unix * 1000); + } + if (this.day === undefined || this.month === undefined) { + // Can't make a date from this. + return undefined; + } + if (this.year === undefined) { + // A date without a year. Set current year, or previous year + // if date would be in the future. + var now = new Date(); + this.year = now.getFullYear(); + var date = this.toDate(); + if (date.getTime() - now.getTime() > maxFutureDelta) { + date.setFullYear(now.getFullYear() - 1); + } + return date; + } + var MM = to2Digit(this.month); + var DD = to2Digit(this.day); + var hh = to2Digit(this.hours); + var mm = to2Digit(this.minutes); + var ss = to2Digit(this.seconds); + return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); + } + } + + function date_time_try_pattern(fmt, str, tzOffset) { + var date = new DateContainer(tzOffset); + var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); + return pos !== undefined? 
date.toDate() : undefined; + } + + function date_time_try_pattern_at_pos(fmt, str, pos, date) { + var len = str.length; + for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { + pos = fmt[proc](str, pos, date); + } + return pos; + } + + function date_time(opts) { + return function (evt) { + var tzOffset = opts.tz || tz_offset; + if (tzOffset === "event") { + tzOffset = evt.Get("event.timezone"); + } + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); + if (date !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, date); + return; + } + } + if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); + }; + } + + var uA = 60 * 60 * 24; + var uD = 60 * 60 * 24; + var uF = 60 * 60; + var uG = 60 * 60 * 24 * 30; + var uH = 60 * 60; + var uI = 60 * 60; + var uJ = 60 * 60 * 24; + var uM = 60 * 60 * 24 * 30; + var uN = 60 * 60; + var uO = 1; + var uS = 1; + var uT = 60; + var uU = 60; + var uc = dc; + + function duration(opts) { + return function(evt) { + var str = date_time_join_args(evt, opts.args); + for (var i = 0; i < opts.fmts.length; i++) { + var seconds = duration_try_pattern(opts.fmts[i], str); + if (seconds !== undefined) { + evt.Put(FIELDS_PREFIX + opts.dest, seconds); + return; + } + } + if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); + }; + } + + function duration_try_pattern(fmt, str) { + var secs = 0; + var pos = 0; + for (var i=0; i [ month_id , how many chars to skip if month in long form ] + "Jan": [0, 4], + "Feb": [1, 5], + "Mar": [2, 2], + "Apr": [3, 2], + "May": [4, 0], + "Jun": [5, 1], + "Jul": [6, 1], + "Aug": [7, 3], + "Sep": [8, 6], + "Oct": [9, 4], + "Nov": [10, 5], + "Dec": [11, 4], + "jan": [0, 4], + "feb": [1, 5], + "mar": [2, 2], + "apr": [3, 2], + "may": [4, 0], + "jun": [5, 1], + "jul": [6, 1], + "aug": [7, 3], + "sep": [8, 6], + "oct": [9, 4], + "nov": [10, 
5], + "dec": [11, 4], + }; + + // var dC = undefined; + var dR = dateMonthName(true); + var dB = dateMonthName(false); + var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); + var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); + var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); + var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); + var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); + var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 + var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); + var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); + var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); + var dP = parseAMPM; // AM|PM + var dQ = parseAMPM; // A.M.|P.M + var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); + var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); + var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); + var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); + var dZ = parseHMS; + var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); + + // parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. + // Only works if this modifier appears after the hour has been read from logs + // which is always the case in the 300 devices. 
+ function parseAMPM(str, pos, date) { + var n = str.length; + var start = skipws(str, pos); + if (start + 2 > n) return; + var head = str.substr(start, 2).toUpperCase(); + var isPM = false; + var skip = false; + switch (head) { + case "A.": + skip = true; + /* falls through */ + case "AM": + break; + case "P.": + skip = true; + /* falls through */ + case "PM": + isPM = true; + break; + default: + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); + return; + } + pos = start + 2; + if (skip) { + if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { + if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); + return; + } + pos += 2; + } + var hh = date.hours; + if (isPM) { + // Accept existing hour in 24h format. + if (hh < 12) hh += 12; + } else { + if (hh === 12) hh = 0; + } + date.setHours(hh); + return pos; + } + + function parseHMS(str, pos, date) { + return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); + } + + function skipws(str, pos) { + for ( var n = str.length; + pos < n && str.charAt(pos) === " "; + pos++) + ; + return pos; + } + + function skipdigits(str, pos) { + var c; + for (var n = str.length; + pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; + pos++) + ; + return pos; + } + + function dSkip(str, pos, date) { + var chr; + for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} + return pos < str.length? 
pos : undefined; + } + + function dateVariableWidthNumber(fmtChar, min, max, setter) { + return function (str, pos, date) { + var start = skipws(str, pos); + pos = skipdigits(str, start); + var s = str.substr(start, pos - start); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos; + } + return; + }; + } + + function dateFixedWidthNumber(fmtChar, width, min, max, setter) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + width > n) return; + var s = str.substr(pos, width); + var value = parseInt(s, 10); + if (value >= min && value <= max) { + setter.call(date, value); + return pos + width; + } + return; + }; + } + + // Short month name (Jan..Dec). + function dateMonthName(long) { + return function (str, pos, date) { + pos = skipws(str, pos); + var n = str.length; + if (pos + 3 > n) return; + var mon = str.substr(pos, 3); + var idx = shortMonths[mon]; + if (idx === undefined) { + idx = shortMonths[mon.toLowerCase()]; + } + if (idx === undefined) { + //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); + return; + } + date.setMonth(idx[0]+1); + return pos + 3 + (long ? 
idx[1] : 0); + }; + } + + function url_wrapper(dst, src, fn) { + return function(evt) { + var value = evt.Get(FIELDS_PREFIX + src), result; + if (value != null && (result = fn(value))!== undefined) { + evt.Put(FIELDS_PREFIX + dst, result); + } else { + console.debug(fn.name + " failed for '" + value + "'"); + } + }; + } + + // The following regular expression for parsing URLs from: + // https://github.com/wizard04wsu/URI_Parsing + // + // The MIT License (MIT) + // + // Copyright (c) 2014 Andrew Harrison + // + // Permission is hereby granted, free of charge, to any person obtaining a copy of + // this software and associated documentation files (the "Software"), to deal in + // the Software without restriction, including without limitation the rights to + // use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of + // the Software, and to permit persons to whom the Software is furnished to do so, + // subject to the following conditions: + // + // The above copyright notice and this permission notice shall be included in all + // copies or substantial portions of the Software. + // + // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS + // FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR + // COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER + // IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + // CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+ var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; + + var uriScheme = 1; + var uriDomain = 5; + var uriPort = 6; + var uriPath = 7; + var uriPathAlt = 9; + var uriQuery = 11; + + function domain(dst, src) { + return url_wrapper(dst, src, extract_domain); + } + + function split_url(value) { + var m = value.match(uriRegExp); + if (m && m[uriDomain]) return m; + // Support input in the form "www.example.net/path", but not "/path". + m = ("null://" + value).match(uriRegExp); + if (m) return m; + } + + function extract_domain(value) { + var m = split_url(value); + if (m && m[uriDomain]) return m[uriDomain]; + } + + var extFromPage = /\.[^.]+$/; + function extract_ext(value) { + var page = extract_page(value); + if (page) { + var m = page.match(extFromPage); + if (m) return m[0]; + } + } + + function ext(dst, src) { + return url_wrapper(dst, src, extract_ext); + } + + function fqdn(dst, src) { + // TODO: fqdn and domain(eTLD+1) are currently the same. + return domain(dst, src); + } + + var pageFromPathRegExp = /\/([^\/]+)$/; + var pageName = 1; + + function extract_page(value) { + value = extract_path(value); + if (!value) return undefined; + var m = value.match(pageFromPathRegExp); + if (m) return m[pageName]; + } + + function page(dst, src) { + return url_wrapper(dst, src, extract_page); + } + + function extract_path(value) { + var m = split_url(value); + return m? m[uriPath] || m[uriPathAlt] : undefined; + } + + function path(dst, src) { + return url_wrapper(dst, src, extract_path); + } + + // Map common schemes to their default port. 
+ // port has to be a string (will be converted at a later stage). + var schemePort = { + "ftp": "21", + "ssh": "22", + "http": "80", + "https": "443", + }; + + function extract_port(value) { + var m = split_url(value); + if (!m) return undefined; + if (m[uriPort]) return m[uriPort]; + if (m[uriScheme]) { + return schemePort[m[uriScheme]]; + } + } + + function port(dst, src) { + return url_wrapper(dst, src, extract_port); + } + + function extract_query(value) { + var m = split_url(value); + if (m && m[uriQuery]) return m[uriQuery]; + } + + function query(dst, src) { + return url_wrapper(dst, src, extract_query); + } + + function extract_root(value) { + var m = split_url(value); + if (m && m[uriDomain] && m[uriDomain]) { + var scheme = m[uriScheme] && m[uriScheme] !== "null"? + m[uriScheme] + "://" : ""; + var port = m[uriPort]? ":" + m[uriPort] : ""; + return scheme + m[uriDomain] + port; + } + } + + function root(dst, src) { + return url_wrapper(dst, src, extract_root); + } + + function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? 
+ cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + ' *(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } + } + + var ecs_mappings = { + "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, + "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, + "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, + "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, + "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, + "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, + "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, + "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, + "application": {to:[{field: "network.application", setter: fld_set}]}, + "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, + "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, + "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]}, + 
"c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, + "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, + "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, + "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, + "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, + "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, + "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, + "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, + "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, + "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, + "direction": {to:[{field: "network.direction", setter: fld_set}]}, + "directory": {to:[{field: "file.directory", setter: fld_set}]}, + "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, + "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, + "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, + "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, + 
"domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, + "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, + "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, + "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, + "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, + "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, + "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, + "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, + "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, + "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, + "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, + "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, + "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, + "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, + "filepath": {to:[{field: "file.path", setter: fld_set}]}, + "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, + "group": {to:[{field: "group.name", setter: fld_set}]}, + "groupid": {to:[{field: "group.id", setter: fld_set}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, + "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "hostname": {to:[{field: 
"host.name", setter: fld_prio, prio: 0}]}, + "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, + "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, + "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, + "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, + "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, + "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, + "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, + "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, + "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, + "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, + "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, + "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, + "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, + "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, + "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, + "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, + "method": {to:[{field: "http.request.method", setter: fld_set}]}, + "msg": {to:[{field: "message", setter: fld_set}]}, + "orig_ip": {convert: to_ip, 
to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, + "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, + "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, + "parent_pid": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 0}]}, + "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, + "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, + "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, + "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, + "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, + "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, + "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, + "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, + "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, + "process_id_src": {convert: to_long, to:[{field: "process.parent.pid", setter: fld_prio, prio: 1}]}, + "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, + "product": {to:[{field: "observer.product", setter: fld_set}]}, + "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, + "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, + "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, + "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, + "rulename": {to:[{field: "rule.name", setter: fld_set}]}, + "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_set},{field: "related.ip", setter: fld_append}]}, + "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: 
fld_set},{field: "related.ip", setter: fld_append}]}, + "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, + "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, + "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]}, + "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, + "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, + "severity": {to:[{field: "log.level", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, + "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, + "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, + "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, + "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, + "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, + "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, + "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, + "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, + "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, + "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, + "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, + "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, + "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, + "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, + "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 
0}]},
+ "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
+ "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
+ "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
+ "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
+ "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
+ "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
+ "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
+ "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
+ "version": {to:[{field: "observer.version", setter: fld_set}]},
+ "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]},
+ "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
+ "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
+ "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]},
+ "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
+ "web_root": {to:[{field: "url.path", setter: fld_set}]},
+ "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
+ };
+
+ var rsa_mappings = {
+ "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
+ "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
+ "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
+ "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
+ "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
+ "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
+ "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
+ "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
+ "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
+ "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
+ "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
+ "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
+ "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
+ "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
+ "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
+ "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
+ "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
+ "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
+ "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
+ "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
+ "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
+ "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
+ "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
+ "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
+ "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
+ "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
+ "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
+ "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
+ "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
+ "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
+ "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
+ "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
+ "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
+ "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
+ "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
+ "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
+ "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
+ "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
+ "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
+ "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
+ "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
+ "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
+ "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
+ "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
+ "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
+ "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
+ "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
+ "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
+ "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
+ "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
+ "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
+ "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
+ "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
+ "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
+ "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
+ "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
+ "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
+ "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
+ "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
+ "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
+ "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
+ "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
+ "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
+ "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
+ "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
+ "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
+ "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
+ "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
+ "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
+ "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
+ "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
+ "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
+ "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
+ "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
+ "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
+ "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
+ "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
+ "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
+ "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
+ "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
+ "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
+ "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
+ "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
+ "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
+ "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
+ "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
+ "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
+ "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
+ "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
+ "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
+ "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
+ "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
+ "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
+ "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
+ "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
+ "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
+ "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
+ "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
+ "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
+ "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
+ "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
+ "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
+ "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
+ "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
+ "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
+ "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
+ "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
+ "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
+ "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
+ "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
+ "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
+ "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
+ "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
+ "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
+ "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
+ "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
+ "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
+ "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
+ "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
+ "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
+ "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
+ "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
+ "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
+ "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
+ "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
+ "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
+ "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
+ "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
+ "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
+ "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
+ "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
+ "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
+ "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
+ "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
+ "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
+ "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
+ "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
+ "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
+ "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
+ "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
+ "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
+ "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
+ "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
+ "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
+ "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
+ "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
+ "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
+ "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
+ "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
+ "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
+ "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
+ "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
+ "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
+ "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
+ "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
+ "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
+ "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
+ "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
+ "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
+ "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
+ "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
+ "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
+ "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
+ "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
+ "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
+ "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
+ "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
+ "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
+ "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
+ "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
+ "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
+ "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
+ "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
+ "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
+ "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
+ "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
+ "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
+ "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
+ "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
+ "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
+ "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
+ "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
+ "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
+ "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
+ "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
+ "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
+ "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
+ "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
+ "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
+ "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
+ "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
+ "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
+ "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
+ "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
+ "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
+ "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
+ "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
+ "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
+ "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
+ "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
+ "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
+ "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
+ "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
+ "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
+ "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
+ "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
+ "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
+ "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
+ "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
+ "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
+ "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
+ "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
+ "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
+ "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
+ "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
+ "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
+ "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
+ "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
+ "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
+ "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
+ "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
+ "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
+ "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
+ "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
+ "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
+ "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
+ "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
+ "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
+ "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
+ "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
+ "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
+ "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
+ "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
+ "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
+ "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
+ "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
+ "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
+ "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
+ "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
+ "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
+ "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
+ "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
+ "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
+ "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
+ "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
+ "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
+ "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
+ "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
+ "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
+ "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
+ "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
+ "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
+ "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
+ "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
+ "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
+ "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
+ "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
+ "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
+ "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
+ "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
+ "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
+ "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
+ "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
+ "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
+ "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
+ "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
+ "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
+ "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
+ "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
+ "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
+ "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
+ "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
+ "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
+ "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
+ "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
+ "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
+ "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
+ "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
+ "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
+ "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
+ "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
+ "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
+ "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
+ "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
+ "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
+ "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
+ "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
+ "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
+ "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
+ "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
+ "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
+ "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
+ "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
+ "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
+ "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
+ "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
+ "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
+ "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
+ "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
+ "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
+ "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
+ "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
+ "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
+ "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
+ "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
+ "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
+ "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
+ "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
+ "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
+ "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
+ "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
+ "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
+ "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
+ "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
+ "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
+ "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
+ "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
+ "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
+ "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
+ "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
+ "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
+ "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
+ "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
+ "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
+ "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
+ "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
+ "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
+ "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
+ "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
+ "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
+ "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
+ "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
+ "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
+ "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
+ "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
+ "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
+ "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
+ "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
+ "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
+ "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
+ "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
+ "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
+ "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
+ "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
+ "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
+ "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
+ "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
+ "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
+ "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
+ "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
+ "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
+ "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
+ "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
+ "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
+ "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
+ "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
+ "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
+ "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
+ "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
+ "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
+ "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
+ "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
+ "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
+ "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
+ "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
+ "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
+ "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
+ "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
+ "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
+ "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
+ "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
+ "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
+ "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
+ "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
+ "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
+ "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
+ "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
+ "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
+ "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
+ "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
+ "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
+ "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
+ "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
+ "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
+ "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
+ "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
+ "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
+ "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
+ "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
+ "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
+ "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
+ "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
+ "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
+ "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
+ "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
+ "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
+ "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
+ "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
+ "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
+ "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
+ "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
+ "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
+ "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
+ "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
+ "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
+ "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
+ "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
+ "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
+ "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
+ "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
+ "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
+ "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
+ "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
+ "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
+ "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
+ "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
+ "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
+ "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
+ "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
+ "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
+ "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
+ "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
+ "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
+ "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
+ "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
+ "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
+ "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
+ "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
+ "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
+ "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
+ "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
+ "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
+ "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
+ "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
+ "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
+ "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
+ "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
+ "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
+ "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
+ "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
+ "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
+ "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
+ "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
+ "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
+ "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
+ "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
+ "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
+ "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
+ "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
+ "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
+ "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
+ "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
+ "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
+ "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
+ "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
+ "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
+ "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
+ "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
+ "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
+ "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
+ "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
+ "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
+ "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
+ "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
+ "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
+ "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
+ "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
+ "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
+ "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
+ "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
+ "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
+ "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
+ "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
+ "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
+ "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
+ "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
+ "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
+ "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
+ "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
+ "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
+ "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
+ "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
+ "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
+ "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
+ "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
+ "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
+ "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
+ "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
+ "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
+ "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
+ "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
+ "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
+ "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
+ "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
+ "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
+ "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
+ "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
+ "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
+ "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
+ "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
+ "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
+ "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
+ "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
+ "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
+ "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
+ "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
+ "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
+ "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
+ "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
+ "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
+ "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
+ "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
+ "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
+ "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
+ "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
+ "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
+ "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
+ "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
+ "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
+ "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
+ "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
+ "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
+ "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
+ "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
+ "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
+ "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
+ "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
+ "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
+ "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
+ "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
+ "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
+ "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
+ "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
+ "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
+ "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
+ "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
+ "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
+ "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
+ "risk": 
{to:[{field: "rsa.misc.risk", setter: fld_set}]}, + "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, + "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, + "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, + "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, + "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, + "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, + "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, + "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, + "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, + "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, + "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, + "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, + "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, + "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, + "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, + "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, + "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, + "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, + "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, + "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, + "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, + "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, + "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, + "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, + "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, + "second": {to:[{field: 
"rsa.misc.second", setter: fld_set}]}, + "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, + "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, + "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, + "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]}, + "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, + "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, + "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, + "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, + "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, + "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, + "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, + "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, + "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, + "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, + "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, + "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, + "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, + "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, + "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, + "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, + "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, + "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, + "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, + "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, + "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, + "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, + "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: 
fld_set}]}, + "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, + "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, + "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, + "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, + "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]}, + "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, + "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, + "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, + "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, + "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, + "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, + "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, + "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, + "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, + "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, + "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, + "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, + "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, + "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, + "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, + "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, + "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, + "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, + "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, + "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, + "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, + "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, + "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, + "tcp_flags": {convert: to_long, to:[{field: 
"rsa.misc.tcp_flags", setter: fld_set}]}, + "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, + "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, + "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, + "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]}, + "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, + "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, + "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, + "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, + "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, + "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, + "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, + "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, + "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, + "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, + "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, + "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, + "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, + "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, + "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, + "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, + "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, + "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, + "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, + "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, + "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, + "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, + "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, + "user_dept": {to:[{field: 
"rsa.identity.user_dept", setter: fld_set}]}, + "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, + "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, + "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, + "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]}, + "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, + "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, + "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, + "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, + "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, + "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, + "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, + "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, + "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, + "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, + "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, + "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, + "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, + "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, + "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, + "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, + "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, + "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, + "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, + "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, + "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, + "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, + "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, + "web_ref_host": 
{to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, + "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, + "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, + "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, + "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, + "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, + "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, + "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, + "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, + "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, + }; + + function to_date(value) { + switch (typeof (value)) { + case "object": + // This is a Date. But as it was obtained from evt.Get(), the VM + // doesn't see it as a JS Date anymore, thus value instanceof Date === false. + // Have to trust that any object here is a valid Date for Go. + return value; + case "string": + var asDate = new Date(value); + if (!isNaN(asDate)) return asDate; + } + } + + // ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. + var maxSafeInt = Math.pow(2, 53) - 1; + var minSafeInt = -maxSafeInt; + + function to_long(value) { + var num = parseInt(value); + // Better not to index a number if it's not safe (above 53 bits). + return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; + } + + function to_ip(value) { + if (value.indexOf(":") === -1) + return to_ipv4(value); + return to_ipv6(value); + } + + var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; + var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; + + function to_ipv4(value) { + var result = ipv4_regex.exec(value); + if (result == null || result.length !== 5) return; + for (var i = 1; i < 5; i++) { + var num = strictToInt(result[i]); + if (isNaN(num) || num < 0 || num > 255) return; + } + return value; + } + + function to_ipv6(value) { + var sqEnd = value.indexOf("]"); + if (sqEnd > -1) { + if (value.charAt(0) !== "[") return; + value = value.substr(1, sqEnd - 1); + } + var zoneOffset = value.indexOf("%"); + if (zoneOffset > -1) { + value = value.substr(0, zoneOffset); + } + var parts = value.split(":"); + if (parts == null || parts.length < 3 || parts.length > 8) return; + var numEmpty = 0; + var innerEmpty = 0; + for (var i = 0; i < parts.length; i++) { + if (parts[i].length === 0) { + numEmpty++; + if (i > 0 && i + 1 < parts.length) innerEmpty++; + } else if (!parts[i].match(ipv6_hex_regex) && + // Accept an IPv6 with a valid IPv4 at the end. + ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { + return; + } + } + return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; + } + + function to_double(value) { + return parseFloat(value); + } + + function to_mac(value) { + // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. + return value; + } + + function to_lowercase(value) { + // to_lowercase is used against keyword fields, which can accept + // any other type (numbers, dates). + return typeof(value) === "string"? 
value.toLowerCase() : value; + } + + function fld_set(dst, value) { + dst[this.field] = { v: value }; + } + + function fld_append(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: [value] }; + } else { + var base = dst[this.field]; + if (base.v.indexOf(value)===-1) base.v.push(value); + } + } + + function fld_prio(dst, value) { + if (dst[this.field] === undefined) { + dst[this.field] = { v: value, prio: this.prio}; + } else if(this.prio < dst[this.field].prio) { + dst[this.field].v = value; + dst[this.field].prio = this.prio; + } + } + + var valid_ecs_outcome = { + 'failure': true, + 'success': true, + 'unknown': true + }; + + function fld_ecs_outcome(dst, value) { + value = value.toLowerCase(); + if (valid_ecs_outcome[value] === undefined) { + value = 'unknown'; + } + if (dst[this.field] === undefined) { + dst[this.field] = { v: value }; + } else if (dst[this.field].v === 'unknown') { + dst[this.field] = { v: value }; + } + } + + function map_all(evt, targets, value) { + for (var i = 0; i < targets.length; i++) { + evt.Put(targets[i], value); + } + } + + function populate_fields(evt) { + var base = evt.Get(FIELDS_OBJECT); + if (base === null) return; + alternate_datetime(evt); + if (map_ecs) { + do_populate(evt, base, ecs_mappings); + } + if (map_rsa) { + do_populate(evt, base, rsa_mappings); + } + if (keep_raw) { + evt.Put("rsa.raw", base); + } + evt.Delete(FIELDS_OBJECT); + } + + var datetime_alt_components = [ + {field: "day", fmts: [[dF]]}, + {field: "year", fmts: [[dW]]}, + {field: "month", fmts: [[dB],[dG]]}, + {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, + {field: "hour", fmts: [[dN]]}, + {field: "min", fmts: [[dU]]}, + {field: "secs", fmts: [[dO]]}, + {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, + ]; + + function alternate_datetime(evt) { + if (evt.Get(FIELDS_PREFIX + "event_time") != null) { + return; + } + var tzOffset = tz_offset; + if (tzOffset === "event") { + 
tzOffset = evt.Get("event.timezone"); + } + var container = new DateContainer(tzOffset); + for (var i=0; i} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + + var hdr1 = match("HEADER#0:0001", "message", "%APACHETOMCAT-%{level}-%{messageid}: %{payload}", processor_chain([ + setc("header_id","0001"), + ])); + + var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hostname->} %APACHETOMCAT- %{messageid}: %{payload}", processor_chain([ + setc("header_id","0002"), + ])); + + var select1 = linear_select([ + hdr1, + hdr2, + ]); + + var msg1 = msg("ABCD", dup7); + + var msg2 = msg("BADMETHOD", dup7); + + var msg3 = msg("BADMTHD", dup7); + + var msg4 = msg("BDMTHD", dup7); + + var msg5 = msg("INDEX", dup7); + + var msg6 = msg("CFYZ", dup7); + + var msg7 = msg("CONNECT", dup7); + + var msg8 = msg("DELETE", dup7); + + var msg9 = msg("DETECT_METHOD_TYPE", dup7); + + var msg10 = msg("FGET", dup7); + + var msg11 = msg("GET", dup7); + + var msg12 = msg("get", dup7); + + var msg13 = msg("HEAD", dup7); + + var msg14 = msg("id", dup7); + + var msg15 = msg("LOCK", dup7); + + var msg16 = msg("MKCOL", dup7); + + var msg17 = msg("NCIRCLE", dup7); + + var msg18 = msg("OPTIONS", dup7); + + var msg19 = msg("POST", dup7); + + var msg20 = msg("PRONECT", dup7); + + var msg21 = msg("PROPFIND", dup7); + + var msg22 = msg("PUT", dup7); + + var msg23 = msg("QUALYS", dup7); + + var msg24 = msg("SEARCH", dup7); + + var msg25 = msg("TRACK", dup7); + + var msg26 = msg("TRACE", dup7); + + var msg27 = msg("uGET", dup7); + + var msg28 = msg("null", dup7); + + var msg29 = msg("rndmmtd", dup7); + + var msg30 = msg("RNDMMTD", dup7); + + var msg31 = msg("asdf", dup7); + + var msg32 = msg("DEBUG", dup7); + + var msg33 = msg("COOK", dup7); + + var msg34 = msg("nGET", dup7); + + var chain1 = 
processor_chain([ + select1, + msgid_select({ + "ABCD": msg1, + "BADMETHOD": msg2, + "BADMTHD": msg3, + "BDMTHD": msg4, + "CFYZ": msg6, + "CONNECT": msg7, + "COOK": msg33, + "DEBUG": msg32, + "DELETE": msg8, + "DETECT_METHOD_TYPE": msg9, + "FGET": msg10, + "GET": msg11, + "HEAD": msg13, + "INDEX": msg5, + "LOCK": msg15, + "MKCOL": msg16, + "NCIRCLE": msg17, + "OPTIONS": msg18, + "POST": msg19, + "PRONECT": msg20, + "PROPFIND": msg21, + "PUT": msg22, + "QUALYS": msg23, + "RNDMMTD": msg30, + "SEARCH": msg24, + "TRACE": msg26, + "TRACK": msg25, + "asdf": msg31, + "get": msg12, + "id": msg14, + "nGET": msg34, + "null": msg28, + "rndmmtd": msg29, + "uGET": msg27, + }), + ]); + + var part1 = match("MESSAGE#0:ABCD", "nwparser.payload", "%{saddr}||%{fld5}||%{username}||[%{fld7->} %{timezone}]||%{web_method}||%{web_host}||%{webpage}||%{web_query}||%{network_service}||%{resultcode}||%{sbytes}||%{web_referer}||%{user_agent}||%{web_cookie}", processor_chain([ + dup1, + dup2, + dup3, + dup4, + dup5, + dup6, + ])); + - community_id: null + - registered_domain: + field: dns.question.name + ignore_failure: true + ignore_missing: true + target_etld_field: dns.question.top_level_domain + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + - registered_domain: + field: client.domain + ignore_failure: true + ignore_missing: true + target_etld_field: client.top_level_domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + - registered_domain: + field: server.domain + ignore_failure: true + ignore_missing: true + target_etld_field: server.top_level_domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + - registered_domain: + field: destination.domain + ignore_failure: true + ignore_missing: true + target_etld_field: destination.top_level_domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + - registered_domain: + field: 
source.domain
+ ignore_failure: true
+ ignore_missing: true
+ target_etld_field: source.top_level_domain
+ target_field: source.registered_domain
+ target_subdomain_field: source.subdomain
+ - registered_domain:
+ field: url.domain
+ ignore_failure: true
+ ignore_missing: true
+ target_etld_field: url.top_level_domain
+ target_field: url.registered_domain
+ target_subdomain_field: url.subdomain
+ - add_locale: null
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - tomcat-log
+ - forwarded
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/traefik.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/traefik.yml
new file mode 100644
index 00000000000..4ab26982389
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/traefik.yml
@@ -0,0 +1,37 @@
+inputs:
+ - name: filestream-traefik
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.traefik.access.enabled} == true or ${kubernetes.hints.traefik.enabled} == true
+ data_stream:
+ dataset: traefik.access
+ type: logs
+ exclude_files:
+ - .gz$
+ parsers:
+ - container:
+ format: auto
+ stream: ${kubernetes.hints.traefik.access.stream|'all'}
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags:
+ - forwarded
+ data_stream.namespace: default
+ - name: traefik/metrics-traefik
+ type: traefik/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.traefik.health.enabled} == true or ${kubernetes.hints.traefik.enabled} == true
+ data_stream:
+ dataset: traefik.health
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.traefik.health.host|'localhost:8080'}
+ metricsets:
+ - health
+ period: ${kubernetes.hints.traefik.health.period|'10s'}
+ data_stream.namespace: default
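Review bot: The `exclude_files` entry `- .gz$` in the traefik.access stream is an unescaped regex, so the dot matches any character and the pattern also excludes names that merely end in `gz` (for example `foogz`) rather than only the `.gz` suffix; `- \.gz$` states the intent, and a plain YAML scalar keeps the backslash literal. The same pattern is repeated in every zeek stream added by this commit. The traefik.health stream also carries no `tags` while the access stream adds `- forwarded`, and within the zeek template the dnp3, dpd and files streams omit `forwarded` where their siblings have it; if the metrics omission is deliberate, a comment such as `# metrics are scraped by the agent itself; no forwarded tag` would record that, and the zeek streams look like a copy-and-paste gap worth confirming.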
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml
new file mode 100644
index 00000000000..60fa5ebf598
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/udp.yml
@@ -0,0 +1,33 @@
+inputs:
+ - name: udp-udp
+ type: udp
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.udp.generic.enabled} == true or ${kubernetes.hints.udp.enabled} == true
+ data_stream:
+ dataset: udp.generic
+ type: logs
+ host: localhost:8080
+ max_message_size: 10KiB
+ data_stream.namespace: default
+ - name: filestream-udp
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.udp.container_logs.enabled} == true
+ data_stream:
+ dataset: kubernetes.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml
new file mode 100644
index 00000000000..22bcc875894
--- /dev/null
+++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/zeek.yml
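Review bot: `host: localhost:8080` in the udp.generic stream is hard-coded, unlike the traefik template in this commit, whose endpoint is derived from a hint with a fallback; `host: ${kubernetes.hints.udp.generic.host|'localhost:8080'}` would let the listener address be set per pod without editing the template. The loopback default means the UDP input only accepts datagrams from inside the pod's network namespace, which is a sensible conservative default for an unauthenticated listener, and a comment recording that choice would help whoever later widens the bind address. The second stream sets `tags: []` and `stream: all` as literals where the other filestream streams add `forwarded` and read the stream from a hint; this may be deliberate for node-local container logs, but it is worth confirming.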
@@ -0,0 +1,2271 @@ +inputs: + - name: filestream-zeek + type: filestream + use_output: default + streams: + - condition: ${kubernetes.hints.zeek.capture_loss.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.capture_loss + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.capture_loss.stream|'all'} + paths: + - /var/log/bro/current/capture_loss.log + - /opt/zeek/logs/current/capture_loss.log + - /usr/local/var/spool/zeek/capture_loss.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-capture-loss + - condition: ${kubernetes.hints.zeek.connection.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.connection + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.connection.stream|'all'} + paths: + - /var/log/bro/current/conn.log + - /opt/zeek/logs/current/conn.log + - /usr/local/var/spool/zeek/conn.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-connection + - condition: ${kubernetes.hints.zeek.dce_rpc.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.dce_rpc + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.dce_rpc.stream|'all'} + paths: + - /var/log/bro/current/dce_rpc.log + - /opt/zeek/logs/current/dce_rpc.log + - /usr/local/var/spool/zeek/dce_rpc.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-dce-rpc + - condition: ${kubernetes.hints.zeek.dhcp.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.dhcp + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.dhcp.stream|'all'} + paths: + - /var/log/bro/current/dhcp.log + - /opt/zeek/logs/current/dhcp.log + - 
/usr/local/var/spool/zeek/dhcp.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-dhcp + - condition: ${kubernetes.hints.zeek.dnp3.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.dnp3 + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.dnp3.stream|'all'} + paths: + - /var/log/bro/current/dnp3.log + - /opt/zeek/logs/current/dnp3.log + - /usr/local/var/spool/zeek/dnp3.log + prospector: + scanner: + symlinks: true + tags: + - zeek-dnp3 + - condition: ${kubernetes.hints.zeek.dns.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.dns + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.dns.stream|'all'} + paths: + - /var/log/bro/current/dns.log + - /opt/zeek/logs/current/dns.log + - /usr/local/var/spool/zeek/dns.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-dns + - condition: ${kubernetes.hints.zeek.dpd.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.dpd + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.dpd.stream|'all'} + paths: + - /var/log/bro/current/dpd.log + - /opt/zeek/logs/current/dpd.log + - /usr/local/var/spool/zeek/dpd.log + prospector: + scanner: + symlinks: true + tags: + - zeek-dpd + - condition: ${kubernetes.hints.zeek.files.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.files + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.files.stream|'all'} + paths: + - /var/log/bro/current/files.log + - /opt/zeek/logs/current/files.log + - /usr/local/var/spool/zeek/files.log + prospector: + scanner: + symlinks: true + tags: + - zeek-files + - condition: ${kubernetes.hints.zeek.ftp.enabled} == 
true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.ftp + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.ftp.stream|'all'} + paths: + - /var/log/bro/current/ftp.log + - /opt/zeek/logs/current/ftp.log + - /usr/local/var/spool/zeek/ftp.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-ftp + - condition: ${kubernetes.hints.zeek.http.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.http + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.http.stream|'all'} + paths: + - /var/log/bro/current/http.log + - /opt/zeek/logs/current/http.log + - /usr/local/var/spool/zeek/http.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-http + - condition: ${kubernetes.hints.zeek.intel.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.intel + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.intel.stream|'all'} + paths: + - /var/log/bro/current/intel.log + - /opt/zeek/logs/current/intel.log + - /usr/local/var/spool/zeek/intel.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-intel + - condition: ${kubernetes.hints.zeek.irc.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.irc + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.irc.stream|'all'} + paths: + - /var/log/bro/current/irc.log + - /opt/zeek/logs/current/irc.log + - /usr/local/var/spool/zeek/irc.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-irc + - condition: ${kubernetes.hints.zeek.kerberos.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.kerberos + type: logs + exclude_files: + 
- .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.kerberos.stream|'all'} + paths: + - /var/log/bro/current/kerberos.log + - /opt/zeek/logs/current/kerberos.log + - /usr/local/var/spool/zeek/kerberos.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-kerberos + - condition: ${kubernetes.hints.zeek.known_certs.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.known_certs + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.known_certs.stream|'all'} + paths: + - /var/log/bro/current/known_certs.log + - /opt/zeek/logs/current/known_certs.log + - /usr/local/var/spool/zeek/known_certs.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-known_certs + - condition: ${kubernetes.hints.zeek.known_hosts.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.known_hosts + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.known_hosts.stream|'all'} + paths: + - /var/log/bro/current/known_hosts.log + - /opt/zeek/logs/current/known_hosts.log + - /usr/local/var/spool/zeek/known_hosts.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-known_hosts + - condition: ${kubernetes.hints.zeek.known_services.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.known_services + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.known_services.stream|'all'} + paths: + - /var/log/bro/current/known_services.log + - /opt/zeek/logs/current/known_services.log + - /usr/local/var/spool/zeek/known_services.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-known_services + - condition: ${kubernetes.hints.zeek.modbus.enabled} == true or ${kubernetes.hints.zeek.enabled} == 
true + data_stream: + dataset: zeek.modbus + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.modbus.stream|'all'} + paths: + - /var/log/bro/current/modbus.log + - /opt/zeek/logs/current/modbus.log + - /usr/local/var/spool/zeek/modbus.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-modbus + - condition: ${kubernetes.hints.zeek.mysql.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.mysql + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.mysql.stream|'all'} + paths: + - /var/log/bro/current/mysql.log + - /opt/zeek/logs/current/mysql.log + - /usr/local/var/spool/zeek/mysql.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-mysql + - condition: ${kubernetes.hints.zeek.notice.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.notice + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.notice.stream|'all'} + paths: + - /var/log/bro/current/notice.log + - /opt/zeek/logs/current/notice.log + - /usr/local/var/spool/zeek/notice.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-notice + - condition: ${kubernetes.hints.zeek.ntlm.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.ntlm + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.ntlm.stream|'all'} + paths: + - /var/log/bro/current/ntlm.log + - /opt/zeek/logs/current/ntlm.log + - /usr/local/var/spool/zeek/ntlm.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-ntlm + - condition: ${kubernetes.hints.zeek.ntp.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.ntp + type: logs + exclude_files: + - .gz$ + 
parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.ntp.stream|'all'} + paths: + - /var/log/bro/current/ntp.log + - /opt/zeek/logs/current/ntp.log + - /usr/local/var/spool/zeek/ntp.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-ntp + - condition: ${kubernetes.hints.zeek.ocsp.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.ocsp + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.ocsp.stream|'all'} + paths: + - /var/log/bro/current/ocsp.log + - /opt/zeek/logs/current/ocsp.log + - /usr/local/var/spool/zeek/ocsp.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-ocsp + - condition: ${kubernetes.hints.zeek.pe.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.pe + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.pe.stream|'all'} + paths: + - /var/log/bro/current/pe.log + - /opt/zeek/logs/current/pe.log + - /usr/local/var/spool/zeek/pe.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-pe + - condition: ${kubernetes.hints.zeek.radius.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.radius + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.radius.stream|'all'} + paths: + - /var/log/bro/current/radius.log + - /opt/zeek/logs/current/radius.log + - /usr/local/var/spool/zeek/radius.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-radius + - condition: ${kubernetes.hints.zeek.rdp.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.rdp + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.rdp.stream|'all'} + paths: + - 
/var/log/bro/current/rdp.log + - /opt/zeek/logs/current/rdp.log + - /usr/local/var/spool/zeek/rdp.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-rdp + - condition: ${kubernetes.hints.zeek.rfb.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.rfb + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.rfb.stream|'all'} + paths: + - /var/log/bro/current/rfb.log + - /opt/zeek/logs/current/rfb.log + - /usr/local/var/spool/zeek/rfb.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-rfb + - condition: ${kubernetes.hints.zeek.signature.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.signature + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.signature.stream|'all'} + paths: + - /var/log/bro/current/signature.log + - /opt/zeek/logs/current/signature.log + - /usr/local/var/spool/zeek/signature.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-signature + - condition: ${kubernetes.hints.zeek.sip.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.sip + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.sip.stream|'all'} + paths: + - /var/log/bro/current/sip.log + - /opt/zeek/logs/current/sip.log + - /usr/local/var/spool/zeek/sip.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-sip + - condition: ${kubernetes.hints.zeek.smb_cmd.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.smb_cmd + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.smb_cmd.stream|'all'} + paths: + - /var/log/bro/current/smb_cmd.log + - /opt/zeek/logs/current/smb_cmd.log + - 
/usr/local/var/spool/zeek/smb_cmd.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-smb-cmd + - condition: ${kubernetes.hints.zeek.smb_files.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.smb_files + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.smb_files.stream|'all'} + paths: + - /var/log/bro/current/smb_files.log + - /opt/zeek/logs/current/smb_files.log + - /usr/local/var/spool/zeek/smb_files.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-smb-files + - condition: ${kubernetes.hints.zeek.smb_mapping.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.smb_mapping + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.smb_mapping.stream|'all'} + paths: + - /var/log/bro/current/smb_mapping.log + - /opt/zeek/logs/current/smb_mapping.log + - /usr/local/var/spool/zeek/smb_mapping.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek.smb_mapping + - condition: ${kubernetes.hints.zeek.smtp.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.smtp + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.smtp.stream|'all'} + paths: + - /var/log/bro/current/smtp.log + - /opt/zeek/logs/current/smtp.log + - /usr/local/var/spool/zeek/smtp.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-smtp + - condition: ${kubernetes.hints.zeek.snmp.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.snmp + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.snmp.stream|'all'} + paths: + - /var/log/bro/current/snmp.log + - /opt/zeek/logs/current/snmp.log + - 
/usr/local/var/spool/zeek/snmp.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-snmp + - condition: ${kubernetes.hints.zeek.socks.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.socks + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.socks.stream|'all'} + paths: + - /var/log/bro/current/socks.log + - /opt/zeek/logs/current/socks.log + - /usr/local/var/spool/zeek/socks.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-socks + - condition: ${kubernetes.hints.zeek.software.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.software + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.software.stream|'all'} + paths: + - /var/log/bro/current/software.log + - /opt/zeek/logs/current/software.log + - /usr/local/var/spool/zeek/software.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-software + - condition: ${kubernetes.hints.zeek.ssh.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.ssh + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.ssh.stream|'all'} + paths: + - /var/log/bro/current/ssh.log + - /opt/zeek/logs/current/ssh.log + - /usr/local/var/spool/zeek/ssh.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-ssh + - condition: ${kubernetes.hints.zeek.ssl.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.ssl + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.ssl.stream|'all'} + paths: + - /var/log/bro/current/ssl.log + - /opt/zeek/logs/current/ssl.log + - /usr/local/var/spool/zeek/ssl.log + prospector: + scanner: + symlinks: true + tags: + - 
forwarded + - zeek-ssl + - condition: ${kubernetes.hints.zeek.stats.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.stats + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.stats.stream|'all'} + paths: + - /var/log/bro/current/stats.log + - /opt/zeek/logs/current/stats.log + - /usr/local/var/spool/zeek/stats.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-stats + - condition: ${kubernetes.hints.zeek.syslog.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.syslog + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.syslog.stream|'all'} + paths: + - /var/log/bro/current/syslog.log + - /opt/zeek/logs/current/syslog.log + - /usr/local/var/spool/zeek/syslog.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-syslog + - condition: ${kubernetes.hints.zeek.traceroute.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.traceroute + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.traceroute.stream|'all'} + paths: + - /var/log/bro/current/traceroute.log + - /opt/zeek/logs/current/traceroute.log + - /usr/local/var/spool/zeek/traceroute.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-traceroute + - condition: ${kubernetes.hints.zeek.tunnel.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.tunnel + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.tunnel.stream|'all'} + paths: + - /var/log/bro/current/tunnel.log + - /opt/zeek/logs/current/tunnel.log + - /usr/local/var/spool/zeek/tunnel.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-tunnel + - condition: 
${kubernetes.hints.zeek.weird.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.weird + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.weird.stream|'all'} + paths: + - /var/log/bro/current/weird.log + - /opt/zeek/logs/current/weird.log + - /usr/local/var/spool/zeek/weird.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-weird + - condition: ${kubernetes.hints.zeek.x509.enabled} == true or ${kubernetes.hints.zeek.enabled} == true + data_stream: + dataset: zeek.x509 + type: logs + exclude_files: + - .gz$ + parsers: + - container: + format: auto + stream: ${kubernetes.hints.zeek.x509.stream|'all'} + paths: + - /var/log/bro/current/x509.log + - /opt/zeek/logs/current/x509.log + - /usr/local/var/spool/zeek/x509.log + prospector: + scanner: + symlinks: true + tags: + - forwarded + - zeek-x509 + data_stream.namespace: default + - name: httpjson-zeek + type: httpjson + use_output: default + streams: + - condition: ${kubernetes.hints.zeek.capture_loss.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.capture_loss + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="capture_loss-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + 
target: body.result._raw + type: string + tags: + - forwarded + - zeek-capture-loss + - condition: ${kubernetes.hints.zeek.connection.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.connection + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="conn-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-connection + - condition: ${kubernetes.hints.zeek.dce_rpc.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.dce_rpc + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="dce_rpc-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: 
application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-dce-rpc + - condition: ${kubernetes.hints.zeek.dhcp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.dhcp + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="dhcp-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-dhcp + - condition: ${kubernetes.hints.zeek.dnp3.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.dnp3 + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="dnp3-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + 
response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-dnp3 + - condition: ${kubernetes.hints.zeek.dns.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.dns + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="dns-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-dns + - condition: ${kubernetes.hints.zeek.dpd.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.dpd + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="dpd-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: 
https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-dpd + - condition: ${kubernetes.hints.zeek.files.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.files + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="files-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-files + - condition: ${kubernetes.hints.zeek.ftp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.ftp + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="ftp-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + 
request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-ftp + - condition: ${kubernetes.hints.zeek.http.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.http + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="http-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-http + - condition: ${kubernetes.hints.zeek.intel.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.intel + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="intel-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: 
application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-intel + - condition: ${kubernetes.hints.zeek.irc.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.irc + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="irc-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-irc + - condition: ${kubernetes.hints.zeek.kerberos.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.kerberos + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="kerberos-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: 
header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-kerberos + - condition: ${kubernetes.hints.zeek.modbus.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.modbus + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="modbus-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-modbus + - condition: ${kubernetes.hints.zeek.mysql.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.mysql + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="mysql-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: 
'[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-mysql + - condition: ${kubernetes.hints.zeek.notice.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.notice + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="notice-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-notice + - condition: ${kubernetes.hints.zeek.ntlm.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.ntlm + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="ntlm-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: 
url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-ntlm + - condition: ${kubernetes.hints.zeek.ntp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.ntp + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="ntp-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-ntp + - condition: ${kubernetes.hints.zeek.ocsp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.ocsp + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="ocsp-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + 
target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-ocsp + - condition: ${kubernetes.hints.zeek.pe.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.pe + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="pe-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-pe + - condition: ${kubernetes.hints.zeek.radius.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.radius + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="radius-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' 
+ - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-radius + - condition: ${kubernetes.hints.zeek.rdp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.rdp + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="rdp-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-rdp + - condition: ${kubernetes.hints.zeek.rfb.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.rfb + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="rfb-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ 
.cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-rfb + - condition: ${kubernetes.hints.zeek.signature.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.signature + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="signature-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-signature + - condition: ${kubernetes.hints.zeek.sip.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.sip + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="sip-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: 
url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-sip + - condition: ${kubernetes.hints.zeek.smb_cmd.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.smb_cmd + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="smb_cmd-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-smb-cmd + - condition: ${kubernetes.hints.zeek.smb_files.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.smb_files + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="smb_files-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now 
(parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-smb-files + - condition: ${kubernetes.hints.zeek.smb_mapping.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.smb_mapping + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="smb_mapping-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - condition: ${kubernetes.hints.zeek.smtp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.smtp + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="smtp-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - 
set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-smtp + - condition: ${kubernetes.hints.zeek.snmp.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.snmp + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="snmp-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-snmp + - condition: ${kubernetes.hints.zeek.socks.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.socks + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="socks-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + 
value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-socks + - condition: ${kubernetes.hints.zeek.ssh.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.ssh + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="ssh-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-ssh + - condition: ${kubernetes.hints.zeek.ssl.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.ssl + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="ssl-*" | streamstats max(_indextime) AS max_indextime + - set: + target: 
url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-ssl + - condition: ${kubernetes.hints.zeek.stats.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.stats + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="stats-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-stats + - condition: ${kubernetes.hints.zeek.syslog.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.syslog + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="syslog-*" | streamstats max(_indextime) AS 
max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-syslog + - condition: ${kubernetes.hints.zeek.traceroute.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.traceroute + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="traceroute-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-traceroute + - condition: ${kubernetes.hints.zeek.tunnel.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.tunnel + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search 
sourcetype="tunnel-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-tunnel + - condition: ${kubernetes.hints.zeek.weird.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.weird + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: url.params.search + value: search sourcetype="weird-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-weird + - condition: ${kubernetes.hints.zeek.x509.enabled} == true and ${kubernetes.hints.zeek.enabled} == true + config_version: 2 + cursor: + index_earliest: + value: '[[.last_event.result.max_indextime]]' + data_stream: + dataset: zeek.x509 + type: logs + interval: 10s + request.method: POST + request.transforms: + - set: + target: 
url.params.search + value: search sourcetype="x509-*" | streamstats max(_indextime) AS max_indextime + - set: + target: url.params.output_mode + value: json + - set: + default: '[[(now (parseDuration "-10s")).Unix]]' + target: url.params.index_earliest + value: '[[ .cursor.index_earliest ]]' + - set: + target: url.params.index_latest + value: '[[(now).Unix]]' + - set: + target: header.Content-Type + value: application/x-www-form-urlencoded + request.url: https://server.example.com:8089/services/search/jobs/export + response.decode_as: application/x-ndjson + response.split: + delimiter: |4+ + target: body.result._raw + type: string + tags: + - forwarded + - zeek-x509 + data_stream.namespace: default diff --git a/deploy/kubernetes/elastic-agent-standalone/templates.d/zookeeper.yml b/deploy/kubernetes/elastic-agent-standalone/templates.d/zookeeper.yml new file mode 100644 index 00000000000..5199734c315 --- /dev/null +++ b/deploy/kubernetes/elastic-agent-standalone/templates.d/zookeeper.yml 
@@ -0,0 +1,54 @@
+inputs:
+ - name: zookeeper/metrics-zookeeper
+ type: zookeeper/metrics
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.zookeeper.connection.enabled} == true or ${kubernetes.hints.zookeeper.enabled} == true
+ data_stream:
+ dataset: zookeeper.connection
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.zookeeper.connection.host|'localhost:2181'}
+ metricsets:
+ - connection
+ period: ${kubernetes.hints.zookeeper.connection.period|'10s'}
+ - condition: ${kubernetes.hints.zookeeper.mntr.enabled} == true or ${kubernetes.hints.zookeeper.enabled} == true
+ data_stream:
+ dataset: zookeeper.mntr
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.zookeeper.mntr.host|'localhost:2181'}
+ metricsets:
+ - mntr
+ period: ${kubernetes.hints.zookeeper.mntr.period|'10s'}
+ - condition: ${kubernetes.hints.zookeeper.server.enabled} == true or ${kubernetes.hints.zookeeper.enabled} == true
+ data_stream:
+ dataset: zookeeper.server
+ type: metrics
+ hosts:
+ - ${kubernetes.hints.zookeeper.server.host|'localhost:2181'}
+ metricsets:
+ - server
+ period: ${kubernetes.hints.zookeeper.server.period|'10s'}
+ data_stream.namespace: default
+ - name: filestream-zookeeper
+ type: filestream
+ use_output: default
+ streams:
+ - condition: ${kubernetes.hints.zookeeper.container_logs.enabled} == true
+ data_stream:
+ dataset: kubernetes.container_logs
+ type: logs
+ exclude_files: []
+ exclude_lines: []
+ parsers:
+ - container:
+ format: auto
+ stream: all
+ paths:
+ - /var/log/containers/*${kubernetes.hints.container_id}.log
+ prospector:
+ scanner:
+ symlinks: true
+ tags: []
+ data_stream.namespace: default
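Review bot: The container_logs stream's condition, `- condition: ${kubernetes.hints.zookeeper.container_logs.enabled} == true`, lacks the `or ${kubernetes.hints.zookeeper.enabled} == true` fallback that the three metrics streams carry, so the single integration-level hint switches on metrics collection but not log collection. If that opt-in asymmetry is intentional, a comment above the stream such as `# container logs are opt-in via the container_logs hint only; the zookeeper.enabled hint does not turn them on` would stop readers treating it as an omission; if it is not intentional, the metrics form of the condition is the one-line fix. The `hosts` fallback `localhost:2181` on all three metrics streams is presumably only meaningful when the hints provider fails to supply a host, since a node-level agent is unlikely to share the broker pod's network namespace; a short comment next to the first `hosts:` entry saying where the host hint normally comes from would make the default's role clear. Note also that the metrics streams speak to ZooKeeper without credentials or TLS settings, which matches the plain TCP four-letter-word interface these metricsets use but is worth a one-line comment so operators know what the reachable endpoint exposes.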