From 7364381c3baae714fbbcb108d8cb1ab3ef472364 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Tue, 25 Aug 2020 13:41:35 +0200 Subject: [PATCH 01/36] Cherry-pick #20717 to 7.9: Improve registry file migration performance (#20769) * Improve registry file migration performance (#20717) ## What does this PR do? Ensure that fsync is called only once after the migration of old state entries is complete. ## Why is it important? The registry uses a checkpoint-predicate that when true writes all state to disk and calls fsync. The checkpoint operation is supposed to be disabled when migrating the old registry file. During migration, the old state will be directly copied (after cleanup and schema changes are applied). The old state will only be deleted after the migration of all states is complete. Unfortunately, the checkpoint predicate returned true instead of false, which triggered a checkpoint operation per state to be migrated. The fix disables fsync, and now finalizes the migration by calling Checkpoint directly. The PR also provides a benchmark (each "op" is one migration attempt). Before this fix (go test did kill the run after 10min for 10k entries): ``` BenchmarkMigration0To1/1-32 286 4203353 ns/op BenchmarkMigration0To1/10-32 34 35730680 ns/op BenchmarkMigration0To1/100-32 2 720890839 ns/op BenchmarkMigration0To1/1000-32 1 31633569085 ns/op ...
test timed out after 10min ``` Benchmark results with the fix (migration 100k entries took ~7.6s): ``` BenchmarkMigration0To1/1-32 274 4371400 ns/op BenchmarkMigration0To1/10-32 259 4639209 ns/op BenchmarkMigration0To1/100-32 100 13374147 ns/op BenchmarkMigration0To1/1000-32 13 104220944 ns/op BenchmarkMigration0To1/10000-32 2 916656798 ns/op BenchmarkMigration0To1/100000-32 1 7616648790 ns/op PASS ``` Closes #20705 (cherry picked from commit 03748b32fef7018396750c25baf80321cf931459) * fix changelog Co-authored-by: Steffen Siering --- CHANGELOG.next.asciidoc | 1 + filebeat/registrar/migrate.go | 16 +- filebeat/registrar/migrate_bench_test.go | 141 ++++++++++++++++++ filebeat/registrar/registrar.go | 3 +- .../tests/system/test_registrar_upgrade.py | 2 +- libbeat/statestore/backend/memlog/store.go | 10 ++ 6 files changed, 165 insertions(+), 8 deletions(-) create mode 100644 filebeat/registrar/migrate_bench_test.go diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 55bee1f4c34..709fcb3044e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -71,6 +71,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fixed `cloudfoundry.access` to have the correct `cloudfoundry.app.id` contents. {pull}17847[17847] - Fixing `ingress_controller.` fields to be of type keyword instead of text. {issue}17834[17834] - Fixed typo in log message. {pull}17897[17897] +- Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] *Heartbeat* diff --git a/filebeat/registrar/migrate.go b/filebeat/registrar/migrate.go index 16e7b14744f..39b63636e3b 100644 --- a/filebeat/registrar/migrate.go +++ b/filebeat/registrar/migrate.go @@ -31,7 +31,6 @@ import ( helper "github.com/elastic/beats/v7/libbeat/common/file" "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/paths" - "github.com/elastic/beats/v7/libbeat/statestore" "github.com/elastic/beats/v7/libbeat/statestore/backend/memlog" ) 
@@ -214,17 +213,15 @@ func (m *Migrator) updateToVersion1(regHome string) error {
 registryBackend, err := memlog.New(logp.NewLogger("migration"), memlog.Settings{
 Root: m.dataPath,
 FileMode: m.permissions,
- Checkpoint: func(_ uint64) bool { return true },
+ Checkpoint: func(sz uint64) bool { return false },
 IgnoreVersionCheck: true,
 })
 if err != nil {
 return errors.Wrap(err, "failed to create new registry backend")
 }
+ defer registryBackend.Close()
 
- reg := statestore.NewRegistry(registryBackend)
- defer reg.Close()
-
- store, err := reg.Get("filebeat")
+ store, err := registryBackend.Access("filebeat")
 if err != nil {
 return errors.Wrap(err, "failed to open filebeat registry store")
 }
@@ -234,6 +231,13 @@ func (m *Migrator) updateToVersion1(regHome string) error {
 return errors.Wrap(err, "failed to migrate registry states")
 }
 
+ if checkpointer, ok := store.(interface{ Checkpoint() error }); ok {
+ err := checkpointer.Checkpoint()
+ if err != nil {
+ return fmt.Errorf("failed to fsync filebeat storage state: %w", err)
+ }
+ }
+
 if err := os.Remove(origDataFile); err != nil {
 return errors.Wrapf(err, "migration complete but failed to remove original data file: %v", origDataFile)
 }
diff --git a/filebeat/registrar/migrate_bench_test.go b/filebeat/registrar/migrate_bench_test.go
new file mode 100644
index 00000000000..2a1ba7820cb
--- /dev/null
+++ b/filebeat/registrar/migrate_bench_test.go
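Review bot: `Checkpoint: func(sz uint64) bool { return false }` names a parameter it never reads; the removed line used `_`, and keeping that reads cleaner: `Checkpoint: func(_ uint64) bool { return false },`. A reader will also wonder why checkpointing is switched off on a store that is about to receive every migrated state, so the line deserves a why-comment such as `// no per-operation checkpoint: the migrator checkpoints once after all states are copied`. `updateToVersion1` begins and ends outside this hunk.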
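Review bot: The `ok` branch is the only place the migrated states get fsync'ed, yet when the type assertion fails the code silently falls through to `os.Remove(origDataFile)` and deletes the original file. With the checkpoint predicate now always false, each migrated state presumably sits only in the memlog update log until `Checkpoint` runs (the `logOperation` comment in this patch says operations go either to a checkpoint or to the log file), so a store without `Checkpoint` should be an error rather than a skipped step. The new branch also switches to `fmt.Errorf`/`%w` while the rest of the function wraps with `errors.Wrap`; one style keeps the error chains uniform. `updateToVersion1` begins and ends outside this hunk.
```go
	checkpointer, ok := store.(interface{ Checkpoint() error })
	if !ok {
		return errors.New("filebeat registry store does not support checkpointing")
	}
	if err := checkpointer.Checkpoint(); err != nil {
		return errors.Wrap(err, "failed to fsync filebeat storage state")
	}
	// … unchanged: os.Remove(origDataFile) and the rest of the function …
```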
@@ -0,0 +1,141 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// +build linux darwin + +package registrar + +import ( + "encoding/json" + "flag" + "fmt" + "io/ioutil" + "os" + "path/filepath" + "testing" + + "github.com/elastic/beats/v7/filebeat/input/file" + libfile "github.com/elastic/beats/v7/libbeat/common/file" +) + +var keep bool + +func init() { + flag.BoolVar(&keep, "keep", false, "do not delete test directories") +} + +func BenchmarkMigration0To1(b *testing.B) { + for _, entries := range []int{1, 10, 100, 1000, 10000, 100000} { + b.Run(fmt.Sprintf("%v", entries), func(b *testing.B) { + b.StopTimer() + + dataHome := tempDir(b) + registryHome := filepath.Join(dataHome, "filebeat") + mkDir(b, registryHome) + + metaPath := filepath.Join(registryHome, "meta.json") + dataPath := filepath.Join(registryHome, "data.json") + + states := make([]file.State, entries) + for i := range states { + states[i] = file.State{ + Id: fmt.Sprintf("123455-%v", i), + Source: fmt.Sprintf("/path/to/test/file-%v.log", i), + FileStateOS: libfile.StateOS{ + Inode: uint64(i), + Device: 123455, + }, + } + } + + for i := 0; i < b.N; i++ { + b.StopTimer() + clearDir(b, registryHome) + // cleanup older run + + writeFile(b, metaPath, 
[]byte(`{"version": "0"}`)) + func() { + f, err := os.Create(dataPath) + if err != nil { + b.Fatal(err) + } + defer f.Close() + + enc := json.NewEncoder(f) + if err := enc.Encode(states); err != nil { + b.Fatal(err) + } + }() + + migrator := &Migrator{ + dataPath: dataHome, + permissions: 0600, + } + + b.StartTimer() + if err := migrator.updateToVersion1(registryHome); err != nil { + b.Fatal(err) + } + } + }) + } +} + +func tempDir(t testing.TB) string { + cwd, err := os.Getwd() + if err != nil { + t.Fatal(err) + } + + path, err := ioutil.TempDir(cwd, "") + if err != nil { + t.Fatal(err) + } + + if !keep { + t.Cleanup(func() { + os.RemoveAll(path) + }) + } + return path +} + +func mkDir(t testing.TB, path string) { + if err := os.MkdirAll(path, 0700); err != nil { + t.Fatal(err) + } +} + +func clearDir(t testing.TB, path string) { + old, err := ioutil.ReadDir(path) + if err != nil { + t.Fatal(err) + } + for _, info := range old { + if err := os.RemoveAll(info.Name()); err != nil { + t.Fatal(err) + } + } +} + +func writeFile(t testing.TB, path string, contents []byte) { + t.Helper() + err := ioutil.WriteFile(path, contents, 0600) + if err != nil { + t.Fatal(err) + } +} diff --git a/filebeat/registrar/registrar.go b/filebeat/registrar/registrar.go index 0faa8a38890..fa07048d205 100644 --- a/filebeat/registrar/registrar.go +++ b/filebeat/registrar/registrar.go @@ -29,6 +29,7 @@ import ( "github.com/elastic/beats/v7/libbeat/logp" "github.com/elastic/beats/v7/libbeat/monitoring" "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/beats/v7/libbeat/statestore/backend" ) type Registrar struct { @@ -300,7 +301,7 @@ func readStatesFrom(store *statestore.Store) ([]file.State, error) { return states, nil } -func writeStates(store *statestore.Store, states []file.State) error { +func writeStates(store backend.Store, states []file.State) error { for i := range states { key := fileStatePrefix + states[i].Id if err := store.Set(key, states[i]); err != nil { 
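Review bot: `clearDir` passes `info.Name()` to `os.RemoveAll`, which is the bare entry name and therefore resolves against the process working directory, not `path`; the registry directory is never actually cleared between iterations, and a same-named file in the package directory would be deleted instead. The fix is `if err := os.RemoveAll(filepath.Join(path, info.Name())); err != nil {`. Relatedly, `tempDir` creates its directory under `os.Getwd()` rather than the system temp directory (`ioutil.TempDir("", "")`), so a run aborted before `t.Cleanup` leaves scratch data inside the source tree. The `// cleanup older run` comment sits after the `clearDir` call it describes; moving it above the call reads better.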
diff --git a/filebeat/tests/system/test_registrar_upgrade.py b/filebeat/tests/system/test_registrar_upgrade.py
index 7a077caea51..56367517fee 100644
--- a/filebeat/tests/system/test_registrar_upgrade.py
+++ b/filebeat/tests/system/test_registrar_upgrade.py
@@ -95,5 +95,5 @@ def validate_if_registry_is_moved_under_folder(self):
 assert os.path.isdir(migrated_registry_dir)
 assert os.path.isdir(migrated_registry_dir + "/filebeat")
 assert os.path.isfile(migrated_registry_dir + "/filebeat/log.json")
- assert os.path.isfile(migrated_registry_dir + "/filebeat/1.json")
+ assert os.path.isfile(migrated_registry_dir + "/filebeat/2.json")
 assert os.path.isfile(migrated_registry_dir + "/filebeat/active.dat")
diff --git a/libbeat/statestore/backend/memlog/store.go b/libbeat/statestore/backend/memlog/store.go
index 29880a6aae8..55da9db06ed 100644
--- a/libbeat/statestore/backend/memlog/store.go
+++ b/libbeat/statestore/backend/memlog/store.go
@@ -196,6 +196,16 @@ func (s *store) Remove(key string) error {
 return s.logOperation(&opRemove{K: key})
 }
 
+// Checkpoint triggers a state checkpoint operation. All state will be written
+// to a new transaction data file and fsync'ed. The log file will be reset after
+// a successful write.
+func (s *store) Checkpoint() error {
+ s.lock.Lock()
+ defer s.lock.Unlock()
+
+ return s.disk.WriteCheckpoint(s.mem.table)
+}
+
 // lopOperation ensures that the diskstore reflects the recent changes to the
 // in memory store by either triggering a checkpoint operations or adding the
 // operation type to the update log file.
From e5af2de5dab02c36a4f48d1d55665cfd59e766dd Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Tue, 25 Aug 2020 12:14:17 -0700 Subject: [PATCH 02/36] [docs] Update settings doc to indicate that they are configurable through the UI (#20741) (#20777) --- .../docs/elastic-agent-configuration.asciidoc | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-)
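Review bot: The assertion on `/filebeat/2.json` bakes memlog's checkpoint-file numbering into the test without saying why the expected number moved from 1 to 2; the likely reason is that the migration now writes its own checkpoint before the running Filebeat writes the next one, but that is not visible here. If that is the reason, a comment above the assert, e.g. `# the migration checkpoints once, so the beat's first own checkpoint is 2.json`, keeps the next person from "fixing" it back. The enclosing test method starts outside the hunk.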
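Review bot: `Checkpoint` is reached by the migrator only through an anonymous `interface{ Checkpoint() error }` assertion (visible in the migrate.go hunk of this patch), which suggests the method is not part of the `backend.Store` interface; a small named interface in the backend package, `type Checkpointer interface { Checkpoint() error }`, plus `var _ Checkpointer = (*store)(nil)` here, makes the contract visible and compile-checked instead of duck-typed. The doc comment's last sentence, that the log file is reset after a successful write, is a property of `s.disk.WriteCheckpoint`, which is outside this hunk; either confirm it or phrase it as "see WriteCheckpoint".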
diff --git a/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc b/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc index 00df6b81468..d72c572370c 100644 --- a/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent-configuration.asciidoc @@ -4,19 +4,25 @@ beta[] +// TODO: This topic assumes users know what standalone and fleet are. When we +// add the settings reference, we should clean this up: describe the available +// options, then show how to configure them manually for standalone. We should +// assume Fleet is the common use case, even if it's not the default, and make +// sure this reference is useful for both use cases. + By default {agent} runs in standalone mode to ingest system data and send it to a local {es} instance running on port 9200. It uses the demo credentials of the -`elastic` user. It's also configured to monitor all {beats} managed by {agent} -and send the {beats} logs and metrics to the same {es} instance. - -To alter this behavior, configure the output and other configuration settings: +`elastic` user. It's also configured to monitor all programs managed by {agent} +and send the logs and metrics to the same {es} instance. -* <> -* <> -* <> +To alter this behavior, configure the output and other configuration settings. +When running the agent standalone, specify configuration settings in the +`elastic-agent.yml` file. When using {fleet}, do not modify settings in +the `elastic-agent.yml` file. Instead, use {ingest-manager} in {kib} to change +settings. -TIP: To get started quickly, use {fleet} in {ingest-manager} to generate a -standalone configuration. For more information, see <>. +TIP: To get started quickly, you can use {fleet} to generate a standalone +configuration. For more information, see <>. [discrete] [[elastic-agent-output-configuration]] From 1a3e42843d4fda0d3bf8c0698b729964cc8d2a9b Mon Sep 17 00:00:00 2001 
From: Blake Rouse Date: Tue, 25 Aug 2020 16:30:26 -0400 Subject: [PATCH 03/36] Fix tests to use localhost. (#20776) (#20783) (cherry picked from commit 2b3f7d5602f1439326e90c053c1123a8fd2991e1) --- x-pack/elastic-agent/pkg/agent/operation/common_test.go | 2 +- .../elastic-agent/pkg/agent/operation/monitoring_test.go | 2 +- x-pack/elastic-agent/pkg/core/server/server.go | 9 +++++---- x-pack/elastic-agent/pkg/core/server/server_test.go | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/x-pack/elastic-agent/pkg/agent/operation/common_test.go b/x-pack/elastic-agent/pkg/agent/operation/common_test.go index 070f87a7432..cc17733c656 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/common_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/common_test.go @@ -58,7 +58,7 @@ func getTestOperator(t *testing.T, downloadPath string, installPath string, p *a if err != nil { t.Fatal(err) } - srv, err := server.New(l, ":0", &ApplicationStatusHandler{}) + srv, err := server.New(l, "localhost:0", &ApplicationStatusHandler{}) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go index 49eb3ea7187..eef904096f7 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go +++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring_test.go @@ -122,7 +122,7 @@ func getMonitorableTestOperator(t *testing.T, installPath string, m monitoring.M if err != nil { t.Fatal(err) } - srv, err := server.New(l, ":0", &ApplicationStatusHandler{}) + srv, err := server.New(l, "localhost:0", &ApplicationStatusHandler{}) if err != nil { t.Fatal(err) } diff --git a/x-pack/elastic-agent/pkg/core/server/server.go b/x-pack/elastic-agent/pkg/core/server/server.go index 12885e2f012..c7eef7040d4 100644 --- a/x-pack/elastic-agent/pkg/core/server/server.go +++ b/x-pack/elastic-agent/pkg/core/server/server.go 
@@ -894,11 +894,12 @@ func (s *Server) getCertificate(chi *tls.ClientHelloInfo) (*tls.Certificate, err
 
 // getListenAddr returns the listening address of the server.
 func (s *Server) getListenAddr() string {
- if s.listenAddr != ":0" {
- return s.listenAddr
+ addr := strings.SplitN(s.listenAddr, ":", 2)
+ if len(addr) == 2 && addr[1] == "0" {
+ port := s.listener.Addr().(*net.TCPAddr).Port
+ return fmt.Sprintf("%s:%d", addr[0], port)
 }
- port := s.listener.Addr().(*net.TCPAddr).Port
- return fmt.Sprintf(":%d", port)
+ return s.listenAddr
 }
 
 type pendingAction struct {
diff --git a/x-pack/elastic-agent/pkg/core/server/server_test.go b/x-pack/elastic-agent/pkg/core/server/server_test.go
index 424efb14311..755cc0aaad2 100644
--- a/x-pack/elastic-agent/pkg/core/server/server_test.go
+++ b/x-pack/elastic-agent/pkg/core/server/server_test.go
@@ -634,7 +634,7 @@ func newErrorLogger(t *testing.T) *logger.Logger {
 
 func createAndStartServer(t *testing.T, handler Handler, extraConfigs ...func(*Server)) *Server {
 t.Helper()
- srv, err := New(newErrorLogger(t), ":0", handler)
+ srv, err := New(newErrorLogger(t), "localhost:0", handler)
 require.NoError(t, err)
 for _, extra := range extraConfigs {
 extra(srv)
From 72d87f67935452e20b0c0b27e68b2bb1505eb887 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Wed, 26 Aug 2020 17:58:51 +0200 Subject: [PATCH 04/36] Use older version of github.com/dop251/goja_nodejs (#20586) (#20599) (cherry picked from commit b5e04052203279be154536af9e21c8857a9a1bbf) --- go.mod | 1 + 1 file changed, 1 insertion(+)
diff --git a/go.mod b/go.mod
index a32792bd90d..8cc1a36c361 100644
--- a/go.mod
+++ b/go.mod
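Review bot: `strings.SplitN(s.listenAddr, ":", 2)` breaks for IPv6 literals such as `[::1]:0`, where the first colon is inside the host; `addr[1]` is then `:1]:0`, the `== "0"` test fails, and the function hands out an address with port 0 that nothing is listening on. `net.SplitHostPort`/`net.JoinHostPort` handle brackets correctly and keep the old `":0"` behaviour (empty host joins back to `:PORT`). The rewrite below uses `strconv.Itoa`, which needs an import if the file lacks it; `fmt.Sprint(p)` works with the existing imports. The unchecked `(*net.TCPAddr)` assertion is pre-existing and not part of this change.
```go
func (s *Server) getListenAddr() string {
	host, port, err := net.SplitHostPort(s.listenAddr)
	if err == nil && port == "0" {
		p := s.listener.Addr().(*net.TCPAddr).Port
		return net.JoinHostPort(host, strconv.Itoa(p))
	}
	return s.listenAddr
}
```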
@@ -188,6 +188,7 @@ replace ( github.com/docker/docker => github.com/docker/engine v0.0.0-20191113042239-ea84732a7725 github.com/docker/go-plugins-helpers => github.com/elastic/go-plugins-helpers v0.0.0-20200207104224-bdf17607b79f github.com/dop251/goja => github.com/andrewkroh/goja v0.0.0-20190128172624-dd2ac4456e20 + github.com/dop251/goja_nodejs => github.com/dop251/goja_nodejs v0.0.0-20171011081505-adff31b136e6 github.com/fsnotify/fsevents => github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 From a6c56a9c5669568bcc1412a2eac4fbf10e523638 Mon Sep 17 00:00:00 2001 From: Pier-Hugues Pellerin Date: Wed, 26 Aug 2020 12:04:50 -0400 Subject: [PATCH 05/36] [Elastic Agent] improve CI reporting (#20780) (#20785) The elastic agent used to be in his own repository and didn't have access to the beats toolchains and setup like testings. This PR move the custom mage test:unit implement to use the devtools' implementations. This changes will allow CI to correctly generates reports for failures. Fixes: #19822 (cherry picked from commit 930c5f10752657b3140c61083e392b70ac6c70f4) --- x-pack/elastic-agent/magefile.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go index bf71f7c5c0d..e72b32df9eb 100644 --- a/x-pack/elastic-agent/magefile.go +++ b/x-pack/elastic-agent/magefile.go @@ -7,6 +7,7 @@ package main import ( + "context" "errors" "fmt" "os" 
@@ -235,9 +236,10 @@ func (Test) All() { } // Unit runs all the unit tests. -func (Test) Unit() error { +func (Test) Unit(ctx context.Context) error { mg.Deps(Prepare.Env, Build.TestBinaries) - return RunGo("test", "-race", "-v", "-coverprofile", filepath.Join(buildDir, "coverage.out"), "./...") + params := devtools.DefaultGoTestUnitArgs() + return devtools.GoTest(ctx, params) } // Coverage takes the coverages report from running all the tests and display the results in the browser. From 485836f7e8082cb2f0e9e706139dd5d761a43fe8 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 27 Aug 2020 10:12:48 +0200 Subject: [PATCH 06/36] [Filebeat][auditd] Fix event types and categories to comply with ECS (#20652) (#20794) * Fix event types and categories to comply with ECS * Add CHANGELOG entry * Regenerate test files (cherry picked from commit 8d77c1ce3add45db9a2392d5d99337344cdbb537) --- CHANGELOG.next.asciidoc | 1 + .../module/auditd/log/ingest/pipeline.yml | 30 +++++++++++++++---- .../log/test/audit-rhel6.log-expected.json | 6 ++-- .../log/test/audit-rhel7.log-expected.json | 3 +- .../auditd/log/test/test.log-expected.json | 15 ++++++---- 5 files changed, 42 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 709fcb3044e..846ddbde2b4 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -72,6 +72,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fixing `ingress_controller.` fields to be of type keyword instead of text. {issue}17834[17834] - Fixed typo in log message. {pull}17897[17897] - Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] +- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] *Heartbeat* diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml index 2b7c114f10a..30ec300cf7e 100644 --- a/filebeat/module/auditd/log/ingest/pipeline.yml 
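Review bot: The removed `RunGo` call passed `-race` and `-coverprofile` explicitly, while the new `devtools.GoTest(ctx, params)` relies entirely on whatever `devtools.DefaultGoTestUnitArgs()` returns, which is not visible in this hunk; confirm that the race detector and the coverage output survive the switch, and if not, set them on `params` before the call so the unit target does not silently lose them. The new `ctx context.Context` parameter also changes the mage target's signature; `Test.All` (the `}` at the top of the hunk is its end) and any other `mg.Deps` reference to `Test.Unit` should be re-checked against the mage version in use.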
+++ b/filebeat/module/auditd/log/ingest/pipeline.yml @@ -137,24 +137,44 @@ processors: value: event - set: if: "ctx.auditd.log?.record_type == 'USER_AUTH'" - field: event.type + field: event.category value: authentication - set: - if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" + if: "ctx.auditd.log?.record_type == 'USER_AUTH'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" + field: event.category value: driver - set: - if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" + if: "ctx.auditd.log?.record_type == 'KERN_MODULE'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" + field: event.category value: package - set: - if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" + field: event.category value: host - set: - if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'" field: event.type + value: info +- set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.category value: process +- set: + if: "ctx.auditd.log?.record_type == 'SYSCALL' && ctx.auditd.log?.syscall == 'execve'" + field: event.type + value: info - set: if: "ctx.auditd.log?.record_type == 'VIRT_CONTROL' || ctx.auditd.log?.record_type == 'VIRT_MACHINE_ID'" field: event.category diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index a7bdfe6b83d..b2532651d2b 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json 
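Review bot: The new `set` processors write `event.category` and `event.type` as single strings (`value: authentication`, `value: info`), and the updated fixtures in this patch show them as scalars, while ECS defines both fields as arrays; list values such as `value: [authentication]` keep the documents consistent with other ECS producers. `event.type: info` is also applied uniformly, yet for the `execve` syscall ECS's `process` category offers the more specific `start`, and `SYSTEM_BOOT`/`SYSTEM_SHUTDOWN` map naturally to `start`/`end`; if `info` is deliberate, a one-line comment on those processors would say so.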
+++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json @@ -212,11 +212,12 @@ "auditd.log.sequence": 19623789, "auditd.log.ses": "6793", "event.action": "user_auth", + "event.category": "authentication", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "authentication", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 1926, @@ -234,11 +235,12 @@ "auditd.log.sequence": 19623807, "auditd.log.ses": "12286", "event.action": "user_auth", + "event.category": "authentication", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "authentication", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2122, diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index 64ddfa2cc49..b25dde0881b 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json @@ -45,11 +45,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 419, diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index 2306d330fa5..f122becadda 100644 --- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json 
@@ -167,11 +167,12 @@ "auditd.log.sw": "gcc-4.8.5-39.el7.x86_64", "auditd.log.sw_type": "rpm", "event.action": "software_update", + "event.category": "package", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "package", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 1893, @@ -188,11 +189,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_boot", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2196, @@ -210,11 +212,12 @@ "auditd.log.ses": "4294967295", "auditd.log.subj": "system_u:system_r:init_t:s0", "event.action": "system_shutdown", + "event.category": "host", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", "event.outcome": "success", - "event.type": "host", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 2438, @@ -254,10 +257,11 @@ "auditd.log.syscall": "execve", "auditd.log.tty": "pts0", "event.action": "syscall", + "event.category": "process", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "process", + "event.type": "info", "fileset.name": "log", "host.architecture": "x86_64", "input.type": "log", @@ -283,10 +287,11 @@ "auditd.log.name": "mymodule", "auditd.log.sequence": 579397, "event.action": "kern_module", + "event.category": "driver", "event.dataset": "auditd.log", "event.kind": "event", "event.module": "auditd", - "event.type": "driver", + "event.type": "info", "fileset.name": "log", "input.type": "log", "log.offset": 3153, From 6fe0ceb30459ceeb832999bfd1429ac676c2cabf Mon Sep 17 00:00:00 2001 
From: Pier-Hugues Pellerin Date: Thu, 27 Aug 2020 08:32:34 -0400 Subject: [PATCH 07/36] [Elastic Agent] Fix the changelog (#20787) (#20806) Clean the changelog of the Elastic Agent to correctly reflect the changes going into a specific releases. This uses the same strategy as beats with CHANGELOG.asciidoc and CHANGELOG.next.asciidoc. Ref: #20715 (cherry picked from commit 56f11f1a81bb8b8ae4a9c1375f6df2324a61cb80) --- x-pack/elastic-agent/CHANGELOG.asciidoc | 79 +++++++++++--------- x-pack/elastic-agent/CHANGELOG.next.asciidoc | 14 ++++ 2 files changed, 58 insertions(+), 35 deletions(-) create mode 100644 x-pack/elastic-agent/CHANGELOG.next.asciidoc diff --git a/x-pack/elastic-agent/CHANGELOG.asciidoc b/x-pack/elastic-agent/CHANGELOG.asciidoc index 8e36647da87..8a91c964831 100644 --- a/x-pack/elastic-agent/CHANGELOG.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.asciidoc @@ -3,13 +3,11 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ - -[[release-notes-8.0.0]] -=== Agent version 8.0.0 +[[release-notes-7.9.0]] +=== Elastic Agent version 7.9.0 ==== Breaking changes -- Rename agent to elastic-agent {pull}17391[17391] - Change fleet.yml structure, causes upgraded agent to register as new agent {pull}19248[19248] - Remove obfuscation of fleet.yml, causes re-enroll of agent to Fleet {pull}19678[19678] - Rename enroll --ca_sha256 to --ca-sha256 {pull}19900[19900] 
@@ -17,6 +15,46 @@ ==== Bugfixes +- Fix install service script for windows {pull}18814[18814] +- Properly stops subprocess on shutdown {pull}19567[19567] +- Forward revision number of the configuration to the endpoint. {pull}19759[19759] +- Remove support for logs type and use logfile {pull}19761[19761] +- Avoid comparing uncomparable types on enroll {issue}19976[19976] +- Fix issues with merging of elastic-agent.yml and fleet.yml {pull}20026[20026] +- Unzip failures on Windows 8/Windows server 2012 {pull}20088[20088] +- Fix failing unit tests on windows {pull}20127[20127] +- Prevent closing closed reader {pull}20214[20214] +- Improve GRPC stop to be more relaxed {pull}20118[20118] +- Fix Windows service installation script {pull}20203[20203] +- Fix timeout issue stopping service applications {pull}20256[20256] + +==== New features + +- Change monitoring defaults for agent {pull}18927[18927] +- Agent verifies packages before using them {pull}18876[18876] +- Change stream.* to dataset.* fields {pull}18967[18967] +- Agent now runs the GRPC server and spawned application connect by to Agent {pull}18973[18973] +- Rename input.type logs to logfile {pull}19360[19360] +- Agent now installs/uninstalls Elastic Endpoint {pull}19248[19248] +- Agent now downloads Elastic Endpoint {pull}19503[19503] +- Refuse invalid stream values in configuration {pull}19587[19587] +- Agent now load balances across multiple Kibana instances {pull}19628[19628] +- Configuration cleanup {pull}19848[19848] +- Agent now sends its own logs to elasticsearch {pull}19811[19811] +- Add --insecure option to enroll command {pull}19900[19900] +- Will retry to enroll if the server return a 429. 
{pull}19918[19811] +- Add --staging option to enroll command {pull}20026[20026] +- Add `event.dataset` to all events {pull}20076[20076] +- Send datastreams fields {pull}20416[20416] + +[[release-notes-7.8.0]] +=== Elastic Agent version 7.8.0 + +==== Breaking changes +- Rename agent to elastic-agent {pull}17391[17391] + +==== Bugfixes + - Fixed tests on windows {pull}16922[16922] - Fixed installers for SNAPSHOTs and windows {pull}17077[17077] - Fixed merge of config {pull}17399[17399] @@ -41,23 +79,11 @@ - Enable more granular control of monitoring {pull}18346[18346] - Fix jq: command not found {pull}18408[18408] - Avoid Chown on windows {pull}18512[18512] -- Remove fleet admin from setup script {pull}18611[18611] - Clean action store after enrolling to new configuration {pull}18656[18656] - Avoid watching monitor logs {pull}18723[18723] - Correctly report platform and family. {issue}18665[18665] - Guard against empty stream.datasource and namespace {pull}18769[18769] - Fix install service script for windows {pull}18814[18814] -- Properly stops subprocess on shutdown {pull}19567[19567] -- Forward revision number of the configuration to the endpoint. {pull}19759[19759] -- Remove support for logs type and use logfile {pull}19761[19761] -- Avoid comparing uncomparable types on enroll {issue}19976[19976] -- Fix issues with merging of elastic-agent.yml and fleet.yml {pull}20026[20026] -- Unzip failures on Windows 8/Windows server 2012 {pull}20088[20088] -- Fix failing unit tests on windows {pull}20127[20127] -- Prevent closing closed reader {pull}20214[20214] -- Improve GRPC stop to be more relaxed {pull}20118[20118] -- Fix Windows service installation script {pull}20203[20203] -- Fix timeout issue stopping service applications {pull}20256[20256] ==== New features 
@@ -79,24 +105,7 @@ - Do not require unnecessary configuration {pull}18003[18003] - Use nested objects so fleet can handle metadata correctly {pull}18234[18234] - Enable debug log level for Metricbeat and Filebeat when run under the Elastic Agent. {pull}17935[17935] -- More clear output of inspect command {pull}18405[18405] - Pick up version from libbeat {pull}18350[18350] -- Use shorter hash for application differentiator {pull}18770[18770] +- More clear output of inspect command {pull}18405[18405] - When not port are specified and the https is used fallback to 443 {pull}18844[18844] -- Change monitoring defaults for agent {pull}18927[18927] -- Agent verifies packages before using them {pull}18876[18876] -- Change stream.* to dataset.* fields {pull}18967[18967] -- Agent now runs the GRPC server and spawned application connect by to Agent {pull}18973[18973] -- Rename input.type logs to logfile {pull}19360[19360] -- Agent now installs/uninstalls Elastic Endpoint {pull}19248[19248] -- Agent now downloads Elastic Endpoint {pull}19503[19503] -- Refuse invalid stream values in configuration {pull}19587[19587] -- Agent now load balances across multiple Kibana instances {pull}19628[19628] -- Configuration cleanup {pull}19848[19848] -- Agent now sends its own logs to elasticsearch {pull}19811[19811] -- Add --insecure option to enroll command {pull}19900[19900] -- Will retry to enroll if the server return a 429. {pull}19918[19811] -- Add --staging option to enroll command {pull}20026[20026] -- Add `event.dataset` to all events {pull}20076[20076] -- Send datastreams fields {pull}20416[20416] -- Users of the Docker image can now pass `FLEET_ENROLL_INSECURE=1` to include the `--insecure` flag with the `elastic-agent enroll` command {issue}20312[20312] {pull}20713[20713] + diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc new file mode 100644 index 00000000000..ac0dbf64147 --- /dev/null 
+++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc @@ -0,0 +1,14 @@ +// Use these for links to issue and pulls. Note issues and pulls redirect one to +// each other on Github, so don't worry too much on using the right prefix. +:issue: https://github.com/elastic/beats/issues/ +:pull: https://github.com/elastic/beats/pull/ + +=== Elastic Agent version HEAD + +==== Breaking changes + +==== Bugfixes + +==== New features + +- Users of the Docker image can now pass `FLEET_ENROLL_INSECURE=1` to include the `--insecure` flag with the `elastic-agent enroll` command {issue}20312[20312] {pull}20713[20713] From 7eed2ffbfc31896c00b6e165636b38c88fc51324 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Thu, 27 Aug 2020 18:08:45 +0200 Subject: [PATCH 08/36] Add missing country_name geo field in add host metadata (#20811) (#20817) Add `country_name` to the list of geo fields that can be added with `add_host_metadata` and `add_observer_metadata`. (cherry picked from commit 795c86f8a5331815e8a6cb76cc78c6b150931b6f) --- CHANGELOG.next.asciidoc | 1 + libbeat/processors/add_host_metadata/add_host_metadata_test.go | 1 + .../add_observer_metadata/add_observer_metadata_test.go | 1 + libbeat/processors/util/geo.go | 2 ++ 4 files changed, 5 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 846ddbde2b4..4cb75155e56 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -52,6 +52,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix `setup.dashboards.index` setting not working. {pull}17749[17749]
 - Fix Elasticsearch license endpoint URL referenced in error message. {issue}17880[17880] {pull}18030[18030]
 - Change `decode_json_fields` processor, to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958]
+- Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811]
 *Auditbeat*
diff --git a/libbeat/processors/add_host_metadata/add_host_metadata_test.go b/libbeat/processors/add_host_metadata/add_host_metadata_test.go
index 500fc4ba9d8..a9227112577 100644
--- a/libbeat/processors/add_host_metadata/add_host_metadata_test.go
+++ b/libbeat/processors/add_host_metadata/add_host_metadata_test.go
@@ -153,6 +153,7 @@ func TestConfigGeoEnabled(t *testing.T) {
 "geo.name": "yerevan-am",
 "geo.location": "40.177200, 44.503490",
 "geo.continent_name": "Asia",
+ "geo.country_name": "Armenia",
 "geo.country_iso_code": "AM",
 "geo.region_name": "Erevan",
 "geo.region_iso_code": "AM-ER",
diff --git a/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go b/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go
index 69de476b7fd..3932d193d78 100644
--- a/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go
+++ b/libbeat/processors/add_observer_metadata/add_observer_metadata_test.go
@@ -120,6 +120,7 @@ func TestConfigGeoEnabled(t *testing.T) {
 "geo.name": "yerevan-am",
 "geo.location": "40.177200, 44.503490",
 "geo.continent_name": "Asia",
+ "geo.country_name": "Armenia",
 "geo.country_iso_code": "AM",
 "geo.region_name": "Erevan",
 "geo.region_iso_code": "AM-ER",
diff --git a/libbeat/processors/util/geo.go b/libbeat/processors/util/geo.go
index 48d39780d22..f37a4b7bc97 100644
--- a/libbeat/processors/util/geo.go
+++ b/libbeat/processors/util/geo.go
@@ -29,6 +29,7 @@ type GeoConfig struct {
 Name string `config:"name"`
 Location string `config:"location"`
 ContinentName string `config:"continent_name"`
+ CountryName string `config:"country_name"`
 CountryISOCode string `config:"country_iso_code"`
 RegionName string `config:"region_name"`
 RegionISOCode string `config:"region_iso_code"`
@@ -59,6 +60,7 @@ func GeoConfigToMap(config GeoConfig) (common.MapStr, error) {
 "name": config.Name,
 "location": config.Location,
 "continent_name": config.ContinentName,
+ "country_name": config.CountryName,
 "country_iso_code": config.CountryISOCode,
 "region_name": config.RegionName,
 "region_iso_code": config.RegionISOCode,
From 6f527c6bc295b44501c2fbf478a038db65bacd47 Mon Sep 17 00:00:00 2001
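Review bot: The new `CountryName` field lands without a doc comment, and the diffstat for this patch lists no change to the processor reference docs, so the option is only discoverable from its struct tag; add `// CountryName is the free-form country name emitted as geo.country_name; CountryISOCode carries the ISO code.` above the field and, if the add_host_metadata/add_observer_metadata docs enumerate the `geo.*` settings, list `country_name` there too. Whether an empty `country_name` is dropped from the event rather than emitted as `""` is decided by code outside this hunk, presumably after `GeoConfigToMap` builds the map, so confirm the existing empty-value handling covers the new key the same way it covers the others. Both `GeoConfig` and `GeoConfigToMap` begin before the hunk.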
From: Marc Guasch Date: Thu, 27 Aug 2020 22:05:32 +0200 Subject: [PATCH 09/36] [Filebeat][Cisco Module] Adding various smaller hotfixes related to github issues (#20565) (#20770) * applying fixes to existing message_ids, adding support for new message_ids, fixing nat mapping and a few more * adding the last missing fields * updating changelog * mage fmt update * Updating test data to be a bit more realistic instead of just localhost (cherry picked from commit 3f025e1df0fe45a2bcdc1e5ea44ed3c24a9f899a) Co-authored-by: Marius Iversen --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 110 + .../module/cisco/asa/_meta/fields.yml | 66 + .../cisco/asa/test/additional_messages.log | 69 + .../additional_messages.log-expected.json | 2953 +++++++++++++++++ .../cisco/asa/test/asa-fix.log-expected.json | 57 + .../cisco/asa/test/asa.log-expected.json | 1412 ++++++++ .../asa/test/dap_records.log-expected.json | 3 + .../cisco/asa/test/filtered.log-expected.json | 9 + .../asa/test/hostnames.log-expected.json | 8 + .../cisco/asa/test/not-ip.log-expected.json | 16 +- .../cisco/asa/test/sample.log-expected.json | 630 +++- x-pack/filebeat/module/cisco/fields.go | 2 +- .../cisco/ftd/test/asa-fix.log-expected.json | 27 + .../cisco/ftd/test/asa.log-expected.json | 1412 ++++++++ .../cisco/ftd/test/dns.log-expected.json | 126 + .../cisco/ftd/test/filtered.log-expected.json | 4 + .../firepower-management.log-expected.json | 102 + .../ftd/test/intrusion.log-expected.json | 24 + .../ftd/test/no-type-id.log-expected.json | 16 + .../cisco/ftd/test/not-ip.log-expected.json | 16 +- .../cisco/ftd/test/sample.log-expected.json | 645 +++- .../security-connection.log-expected.json | 60 + .../security-file-malware.log-expected.json | 40 + .../security-malware-site.log-expected.json | 6 + .../cisco/shared/ingest/asa-ftd-pipeline.yml | 178 +- 26 files changed, 7896 insertions(+), 96 deletions(-) create mode 100644 x-pack/filebeat/module/cisco/asa/test/additional_messages.log create mode 
100644 x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 4cb75155e56..1328c6db1ce 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -128,6 +128,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update documentation for system.process.memory fields to include clarification on Windows os's. {pull}17268[17268] - When using the `decode_json_fields` processor, decoded fields are now deep-merged into existing event. {pull}17958[17958] - Add keystore support for autodiscover static configurations. {pull]16306[16306] +- Added support for more message types for Cisco ASA and FTD. {pull}20565[20565] *Auditbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 96becc1120f..19a3bcb4604 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc 
@@ -20675,6 +20675,116 @@ type: keyword The assigned DAP records +type: keyword + +-- + +*`cisco.asa.command_line_arguments`*:: ++ +-- +The command line arguments logged by the local audit log + + +type: keyword + +-- + +*`cisco.asa.assigned_ip`*:: ++ +-- +The IP address assigned to a VPN client successfully connecting + + +type: ip + +-- + +*`cisco.asa.privilege.old`*:: ++ +-- +When a users privilege is changed this is the old value + + +type: keyword + +-- + +*`cisco.asa.privilege.new`*:: ++ +-- +When a users privilege is changed this is the new value + + +type: keyword + +-- + +*`cisco.asa.burst.object`*:: ++ +-- +The related object for burst warnings + + +type: keyword + +-- + +*`cisco.asa.burst.id`*:: ++ +-- +The related rate ID for burst warnings + + +type: keyword + +-- + +*`cisco.asa.burst.current_rate`*:: ++ +-- +The current burst rate seen + + +type: keyword + +-- + +*`cisco.asa.burst.configured_rate`*:: ++ +-- +The current configured burst rate + + +type: keyword + +-- + +*`cisco.asa.burst.avg_rate`*:: ++ +-- +The current average burst rate seen + + +type: keyword + +-- + +*`cisco.asa.burst.configured_avg_rate`*:: ++ +-- +The current configured average burst rate allowed + + +type: keyword + +-- + +*`cisco.asa.burst.cumulative_count`*:: ++ +-- +The total count of burst rate hits since the object was created or cleared + + type: keyword -- diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 678615265fa..b3bb3b5eb1d 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml 
@@ -109,3 +109,69 @@
 type: keyword
 description: >
 The assigned DAP records
+
+ - name: command_line_arguments
+ default_field: false
+ type: keyword
+ description: >
+ The command line arguments logged by the local audit log
+
+ - name: assigned_ip
+ default_field: false
+ type: ip
+ description: >
+ The IP address assigned to a VPN client successfully connecting
+
+ - name: privilege.old
+ default_field: false
+ type: keyword
+ description: >
+ When a users privilege is changed this is the old value
+
+ - name: privilege.new
+ default_field: false
+ type: keyword
+ description: >
+ When a users privilege is changed this is the new value
+
+ - name: burst.object
+ default_field: false
+ type: keyword
+ description: >
+ The related object for burst warnings
+
+ - name: burst.id
+ default_field: false
+ type: keyword
+ description: >
+ The related rate ID for burst warnings
+
+ - name: burst.current_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current burst rate seen
+
+ - name: burst.configured_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current configured burst rate
+
+ - name: burst.avg_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current average burst rate seen
+
+ - name: burst.configured_avg_rate
+ default_field: false
+ type: keyword
+ description: >
+ The current configured average burst rate allowed
+
+ - name: burst.cumulative_count
+ default_field: false
+ type: keyword
+ description: >
+ The total count of burst rate hits since the object was created or cleared
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
new file mode 100644
index 00000000000..f9ba86b8d0c
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log
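Review bot: `burst.current_rate`, `burst.configured_rate`, `burst.avg_rate`, `burst.configured_avg_rate` and `burst.cumulative_count` are declared `type: keyword`, yet the 733100 sample added in this same patch carries integers for them (`Current burst rate is 0 per second, max configured rate is -4; ... Cumulative total count is 9063`), so range queries and threshold alerts on rate-limit drops cannot be written against these fields. Declare them `type: long` (signed, since the sample shows `-4`) and have the ingest pipeline convert the captured strings; the asa-ftd-pipeline.yml change in this patch is outside this chunk, so I cannot tell whether it already does. `privilege.old`/`privilege.new` are numeric in the 502103 sample (`From: 1 To: 15`) and would benefit from the same treatment, though keyword is tolerable there. Minor wording in both privilege descriptions: `When a users privilege is changed` should read `When a user's privilege is changed`.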
@@ -0,0 +1,69 @@
+May 5 17:51:17 dev01: %FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 17:51:17 dev01: %FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00
+May 5 17:51:17 dev01: %FTD-7-609001: Built local-host net:192.168.2.2
+May 5 17:51:17 dev01: %FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1
+May 5 17:51:17 dev01: %FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)
+May 5 17:51:17 dev01: %FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)
+May 5 17:51:17 dev01: %FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67
+May 5 17:51:17 dev01: %FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log
+May 5 17:51:17 dev01: %FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4
+May 5 17:51:17 dev01: %FTD-4-313005: No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.
+May 5 18:16:21 dev01: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0
+May 5 18:22:35 dev01: %ASA-7-609001: Built local-host net:10.10.10.10
+May 5 18:24:31 dev01: %ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00
+May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0
+May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3
+May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I
+May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)
+May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00
+May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session
+May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006
+May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111
+May 5 18:40:50 dev01: %ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)
+May 5 18:40:50 dev01: %ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group "out1111_access_out" [0x47e21ef4, 0x47e21ef4]
+May 5 18:40:50 dev01: %ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111
+May 5 19:02:58 dev01: %ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111
+May 5 19:02:58 dev01: %ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111
+May 5 19:02:58 dev01: %ASA-6-302022: Built director stub TCP connection for fw1111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built forwarder stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.168.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302022: Built backup stub TCP connection for fw111:10.10.10.10/38540 (8.8.8.5/38540) to net:192.1682.2.2/10051 (8.8.8.8/10051)
+May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner
+May 5 19:02:58 dev01: %ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow
+May 5 19:03:27 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief
+May 5 19:02:26 dev01: %ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief
+May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]
+May 5 19:02:26 dev01: %ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]
+May 5 19:02:26 dev01: %ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner
+May 5 19:02:26 dev01: %ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)
+May 5 19:02:26 dev01: %ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985
+May 5 19:02:26 dev01: %ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout
+May 5 19:02:26 dev01: %ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)
+May 5 19:02:26 dev01: %ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)
+May 5 19:02:25 dev01: %ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063
+May 5 19:02:25 dev01: %ASA-3-106010: Deny inbound sctp src fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2
+May 5 19:02:25 dev01: %ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]
+Apr 27 17:54:52 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23
+Apr 27 04:18:49 dev01: %ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/
+Apr 27 04:12:23 dev01: %ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout
+Apr 27 02:02:02 dev01: %ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group "global_access_1"
+Oct 20 2019 15:15:15 dev01: %ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]
+Apr 27 02:03:03 dev01: %ASA-5-111004: console end configuration: OK
+Apr 27 02:03:03 dev01: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'
+Apr 27 02:03:03 dev01: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
+Apr 27 02:03:03 dev01: %ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user "*****"
+Apr 27 02:03:03 dev01: %ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin
+Apr 27 02:03:03 dev01: %ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user "admin"
+Apr 27 02:03:03 dev01: %ASA-6-611101: User authentication succeeded: IP address: 10.10.0.87, Uname: admin
+Apr 27 02:03:03 dev01: %ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d
+Apr 27 02:03:03 dev01: %ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested
+Apr 27 02:03:03 dev01: %ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session
+Apr 27 02:03:03 dev01: %ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.
+Apr 27 02:03:03 dev01: %ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
new file mode 100644
index 00000000000..8d8b28fe30f
--- /dev/null
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
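Review bot: Two lines read as typos rather than deliberate malformed-input cases: the backup-stub 302022 line has `net:192.1682.2.2/10051` and the 302024 line has `(8.8.8.5(19051)`, and because the expected JSON next to this file is regenerated from whatever the fixture contains, a typo here gets frozen into the expected output as though it were the intended parse. If they are intentional robustness cases, say so in the PR description or a sibling README; otherwise correct them to `net:192.168.2.2/10051` and `(8.8.8.5/19051)`. Separately, the 713049/113019/106100/710003 lines carry real routable addresses (`91.240.17.178`, `195.122.12.242`, `104.46.88.19`, `195.74.114.34`) and the 722051 line uses Google's `2001:4860:4860::8888`; fixtures shipped in a public repo should use the RFC 5737 (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and RFC 3849 (`2001:db8::/32`) documentation ranges so they never name a third party's infrastructure, which is also what the PR's own "more realistic instead of just localhost" goal allows.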
@@ -0,0 +1,2953 @@ +[ + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 53500, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 53500, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "net", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 53500, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302013: Built inbound TCP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 0, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 53500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 53500, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 53500, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "net", + "destination.address": 
"192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 53500, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302015: Built inbound UDP connection 111111111 for net:10.10.10.10/53500 (8.8.8.8/53500) to fw111:192.168.2.2/53500 (8.8.5.4/53500)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 162, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 53500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 324, + "network.direction": "inbound", + "network.protocol": 
"icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609002", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609002, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T17:51:17.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00", + "event.severity": 7, + "event.start": "2020-05-05T19:51:17.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 466, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609001", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-609001: Built local-host net:192.168.2.2", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 557, + "observer.egress.interface.name": "net", + 
"observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 1", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 628, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "111111111", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.mapped_destination_ip": "8.8.5.4", + "cisco.asa.mapped_destination_port": 111, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 111, + "cisco.asa.message_id": "805001", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.5.4", + "destination.port": 111, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 
805001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-805001: Offloaded TCP Flow for connection 111111111 from fw111:10.10.10.10/111 (8.8.8.8/111) to fw111:192.168.2.2/111 (8.8.5.4/111)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 770, + "network.transport": "tcp flow", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "source.port": 111, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "941243214", + "cisco.asa.destination_interface": "fw109", + "cisco.asa.mapped_destination_ip": "10.192.70.66", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "10.192.18.4", + "cisco.asa.mapped_source_port": 51261, + "cisco.asa.message_id": "805002", + "cisco.asa.source_interface": "net", + "destination.address": "10.192.70.66", + "destination.ip": "10.192.70.66", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 805002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-805002: TCP Flow is no longer offloaded for connection 941243214 from net:10.192.18.4/51261 (10.192.18.4/51261) to fw109:10.192.70.66/443 (10.192.70.66/443)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 
932, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw109", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.192.18.4", + "10.192.70.66" + ], + "service.type": "cisco", + "source.address": "10.192.18.4", + "source.ip": "10.192.18.4", + "source.port": 51261, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "710005", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 67, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-710005: UDP request discarded from 192.168.2.2/68 to fw111:10.10.10.10/67", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1119, + "network.iana_number": 17, + "network.transport": "udp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 68, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "303002", + "cisco.asa.source_interface": "net", + "client.user.name": "testuser", + "destination.address": "10.192.18.4", + "destination.ip": "10.192.18.4", + "destination.port": 21, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 303002, + "event.dataset": 
"cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-6-303002: FTP connection from net:192.168.2.2/63656 to fw111:10.192.18.4/21, user testuser Stored file /export/home/sysm/ftproot/sdsdsds/tmp.log", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "file.path": "/export/home/sysm/ftproot/sdsdsds/tmp.log", + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 1223, + "network.protocol": "ftp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.192.18.4" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 63656, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "710006", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710006, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-7-710006: VRRP request discarded from 192.168.2.2 to fw111:192.18.4", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1396, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "313005", + "cisco.asa.source_interface": "fw111", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%FTD-4-313005: 
No matching connection for ICMP error message: icmp src fw111:10.192.33.100 dst fw111:192.18.4 (type 3, code 3) on fw111 interface. Original IP payload: udp src 192.18.4/53 dst 8.8.8.8/10872.", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 1492, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302021", + "cisco.asa.source_username": "type", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.2/0 gaddr 8.8.8.8/2 laddr 10.10.10.10/2 type 8 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 1722, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609001", + "cisco.asa.source_interface": "net", + "event.action": "flow-expiration", + "event.category": 
[ + "network" + ], + "event.code": 609001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-609001: Built local-host net:10.10.10.10", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1859, + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "609002", + "cisco.asa.source_interface": "identity", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 609002, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:24:31.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00", + "event.severity": 7, + "event.start": "2020-05-05T20:24:31.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 1930, + "observer.egress.interface.name": "identity", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": 
"flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built inbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 10.192.46.90/0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2026, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.192.46.90", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.192.46.90", + "source.ip": "10.192.46.90", + "source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.message_id": "302020", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2155, + "network.direction": "outbound", + "network.protocol": "icmp", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + 
"source.nat.ip": "8.8.8.8", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "2960892904", + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "out111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 55225, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302014, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:29:32.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I", + "event.severity": 6, + "event.start": "2020-05-05T20:29:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2298, + "network.bytes": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 443, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1588662", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 54839, + "cisco.asa.mapped_source_ip": "8.8.8.8", + "cisco.asa.mapped_source_port": 80, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "intfacename", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + 
"destination.nat.ip": "8.8.8.8", + "destination.port": 54839, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2462, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.nat.ip": "8.8.8.8", + "source.port": 80, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "302012", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 54230, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302012, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-05-05T18:29:32.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "event.severity": 6, + "event.start": "2020-05-05T20:29:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": 
"dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2623, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 54230, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.icmp_type": 0, + "cisco.asa.message_id": "313004", + "cisco.asa.source_interface": "fw502", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 313004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 2768, + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "fw502", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 57006, + 
"event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 305011, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 2904, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 57006, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106001", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 14322, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3029, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": 
"firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 43803, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1671727", + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.186.2.2", + "destination.as.number": 395776, + "destination.as.organization.name": "FEDERAL ONLINE GROUP LLC", + "destination.geo.city_name": "Thousand Oaks", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.location.lat": 34.197, + "destination.geo.location.lon": -118.8199, + "destination.geo.region_iso_code": "US-CA", + "destination.geo.region_name": "California", + "destination.ip": "192.186.2.2", + "destination.port": 53356, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 124000000000, + "event.end": "2020-05-05T18:40:50.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585", + "event.severity": 2, + "event.start": "2020-05-05T20:38:46.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3172, + "network.bytes": 64585, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + 
"192.186.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1743372", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 22638, + "cisco.asa.mapped_source_ip": "8.8.8.4", + "cisco.asa.mapped_source_port": 161, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.8.8", + "destination.port": 22638, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3328, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.4", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "1743372", + "cisco.asa.destination_interface": "net", + "cisco.asa.mapped_destination_ip": "8.8.8.8", + "cisco.asa.mapped_destination_port": 22638, + "cisco.asa.mapped_source_ip": 
"8.8.8.4", + "cisco.asa.mapped_source_port": 161, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "intfacename", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.nat.ip": "8.8.8.8", + "destination.port": 22638, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-302015: Built outbound UDP connection 1743372 for intfacename:10.10.10.10/161 (8.8.8.4/161) to net:192.168.2.2/22638 (8.8.8.8/22638)", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3491, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "intfacename", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.nat.ip": "8.8.8.4", + "source.port": 161, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "out1111_access_out", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src fw111:10.10.10.10/64388 dst out111:192.168.2.2/443 by access-group \"out1111_access_out\" [0x47e21ef4, 
0x47e21ef4]", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 3654, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 64388, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106021", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106021: Deny TCP reverse path check from 192.168.2.2 to 10.10.10.10 on interface fw111", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 3818, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106006", + "cisco.asa.source_interface": "fw111", + "destination.address": 
"10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 65020, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106006, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-2-106006: Deny inbound UDP from 192.168.2.2/65020 to 10.10.10.10/65020 on interface fw111", + "event.outcome": "deny", + "event.severity": 2, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "critical", + "log.offset": 3935, + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 65020, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/53089 to 10.10.10.10/443 flags FIN PSH ACK on interface out111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4053, + "network.transport": "(no", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + 
"observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 53089, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "out111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/17127 to 10.10.10.10/443 flags PSH ACK on interface out111", + "event.outcome": "tcp", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4197, + "network.transport": "(no", + "observer.egress.interface.name": "out111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 17127, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "106015", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.168.2.2/24223 to 10.10.10.10/443 flags RST on interface fw111", + "event.outcome": "tcp", + "event.severity": 6, + 
"event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4337, + "network.transport": "(no", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 24223, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302023", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 4949, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302023", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + 
"host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5142, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "show access-list fw211111_access_out brief", + "cisco.asa.message_id": "111009", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list fw211111_access_out brief", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "aaaa", + "input.type": "log", + "log.level": "debug", + "log.offset": 5369, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "show access-list aaa_out brief", + "cisco.asa.message_id": "111009", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111009, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-111009: User 'aaaa' executed cmd: show access-list aaa_out brief", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "aaaa", + "input.type": "log", + "log.level": "debug", + "log.offset": 5476, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + 
"cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "fw111_out", + "cisco.asa.source_interface": "ptaaac", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 3452, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp ptaaac/192.168.2.2(62157) -> fw111/10.10.10.10(3452) hit-cnt 1 first hit [0x38ff326b, 0x00000000]", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5571, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "ptaaac", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 62157, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "fw111_out", + "cisco.asa.source_interface": "net", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 6007, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-106100: access-list fw111_out permitted tcp net/192.168.2.2(49033) -> fw111/10.10.10.10(6007) hit-cnt 2 300-second interval [0x38ff326b, 0x00000000]", + 
"event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5743, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.2.2", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "192.168.2.2", + "source.ip": "192.168.2.2", + "source.port": 49033, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302027", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302027, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302027: Teardown stub ICMP connection for fw1111:10.10.10.10/6426 to net:192.168.2.2/0 duration 1:00:04 forwarded bytes 56 Cluster flow with CLU closed on owner", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 5922, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302026", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302026, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302026: Built director stub ICMP connection for fw111:10.10.10.10/32004 (8.8.8.5) to net:192.168.2.2/0 (8.8.8.8)", + "event.severity": 6, + "event.timezone": "-02:00", + 
"event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6113, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "net", + "cisco.asa.message_id": "710005", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 1985, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-7-710005: UDP request discarded from 10.10.10.10/1985 to net:192.168.2.2/1985", + "event.severity": 7, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "debug", + "log.offset": 6256, + "network.iana_number": 17, + "network.transport": "udp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 1985, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302025", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302025, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302025: Teardown stub UDP connection for net:192.168.2.2/123 to unknown:10.10.10.10/123 duration 0:01:00 forwarded bytes 48 Cluster flow with CLU removed from due to idle timeout", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + 
], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6362, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "302024", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302024, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302024: Built backup stub UDP connection for net:192.168.2.2/9051 (8.8.8.5(19051) to fw111:10.10.10.10/123 (8.8.8.8/123)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 6571, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106014", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10(type", + "destination.ip": "10.10.10.10", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106014, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-106014: Deny inbound icmp src fw111:10.10.10.10 dst fw111:10.10.10.10(type 8, code 0)", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 6722, + "network.direction": "inbound", + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": 
"fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "7", + "cisco.asa.burst.configured_avg_rate": "-4", + "cisco.asa.burst.configured_rate": "-4", + "cisco.asa.burst.cumulative_count": "9063", + "cisco.asa.burst.current_rate": "0", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "192.168.2.2", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [192.168.2.2] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is -4; Current average rate is 7 per second, max configured rate is -4; Cumulative total count is 9063", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 6838, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "fw111", + "cisco.asa.message_id": "106010", + "cisco.asa.source_interface": "fw111", + "destination.address": "10.10.10.10", + "destination.ip": "10.10.10.10", + "destination.port": 2, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106010, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-106010: Deny inbound sctp src 
fw111:10.10.10.10/5114 dst fw111:10.10.10.10/2", + "event.outcome": "deny", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 7071, + "network.direction": "inbound", + "network.transport": "sctp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "fw111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "10.10.10.10" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 5114, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "out111", + "cisco.asa.message_id": "507003", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 80, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 507003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-507003: tcp flow from fw111:10.10.10.10/49574 to out111:192.168.2.2/80 terminated by inspection engine, reason - disconnected, dropped packet.", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 7178, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "out111", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": 
"10.10.10.10", + "source.port": 49574, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL 10.20.30.40:http://10.20.30.40/", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7351, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed URL someuser@10.20.30.40:http://10.20.30.40/IOFUHSIU98[0]", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7446, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": 
"10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/IOFUHSIU98[0]" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL 10.20.30.40:http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7563, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/some/longer/url-asd-er9789870[0]_=23" + }, + { + "cisco.asa.message_id": "304001", + "destination.address": "10.20.30.40", + "destination.ip": "10.20.30.40", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: 10.20.30.40 Accessed JAVA URL someuser@10.20.30.40:http://10.20.30.40/", + "event.outcome": "allow", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 7699, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + 
"observer.vendor": "Cisco", + "related.ip": [ + "10.20.30.40", + "10.20.30.40" + ], + "service.type": "cisco", + "source.address": "10.20.30.40", + "source.ip": "10.20.30.40", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.original": "http://10.20.30.40/" + }, + { + "cisco.asa.connection_id": "2751765169", + "cisco.asa.destination_interface": "server.deflan", + "cisco.asa.message_id": "302304", + "cisco.asa.source_interface": "server.deflan", + "destination.address": "2.3.4.5", + "destination.as.number": 3215, + "destination.as.organization.name": "Orange", + "destination.geo.city_name": "Clermont-Ferrand", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "FR", + "destination.geo.location.lat": 45.7838, + "destination.geo.location.lon": 3.0966, + "destination.geo.region_iso_code": "FR-63", + "destination.geo.region_name": "Puy-de-D\u00f4me", + "destination.ip": "2.3.4.5", + "destination.port": 9101, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302304, + "event.dataset": "cisco.asa", + "event.duration": 3602000000000, + "event.end": "2020-04-27T04:12:23.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:1.2.3.4/54242 to server.deflan:2.3.4.5/9101 duration 1:00:02 bytes 245 Connection timeout", + "event.severity": 6, + "event.start": "2020-04-27T05:12:21.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 7808, + "network.bytes": 245, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "server.deflan", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "server.deflan", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": 
"Cisco", + "related.ip": [ + "1.2.3.4", + "2.3.4.5" + ], + "service.type": "cisco", + "source.address": "1.2.3.4", + "source.geo.city_name": "Moscow", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "RU", + "source.geo.location.lat": 55.7527, + "source.geo.location.lon": 37.6172, + "source.geo.region_iso_code": "RU-MOW", + "source.geo.region_name": "Moscow", + "source.ip": "1.2.3.4", + "source.port": 54242, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "srv", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "global_access_1", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 51635, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny tcp src outside:10.10.10.2/56444 dst srv:192.168.2.2/51635(testhostname.domain) by access-group \"global_access_1\"", + "event.outcome": "deny", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 8003, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "srv", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.10.2", + "192.168.2.2" + ], + "service.type": "cisco", + "source.address": "10.10.10.2", + "source.ip": "10.10.10.2", + "source.port": 56444, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "106100", + "cisco.asa.rule_name": "testrulename", + 
"cisco.asa.source_interface": "insideintf", + "destination.address": "195.122.12.242", + "destination.as.number": 12578, + "destination.as.organization.name": "SIA Tet", + "destination.geo.city_name": "Riga", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "LV", + "destination.geo.location.lat": 56.9496, + "destination.geo.location.lon": 24.0978, + "destination.geo.region_iso_code": "LV-RIX", + "destination.geo.region_name": "Riga", + "destination.ip": "195.122.12.242", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-106100: access-list testrulename denied tcp insideintf/somedomainname.local(27218) -> OUTSIDE/195.122.12.242(53) hit-cnt 1 first hit [0x16847359, 0x00000000]", + "event.outcome": "deny", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 8160, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "insideintf", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "195.122.12.242" + ], + "service.type": "cisco", + "source.address": "somedomainname.local", + "source.domain": "somedomainname.local", + "source.port": 27218, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "111004", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-111004: console end configuration: OK", + "event.outcome": "success", + 
"event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 8353, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "source.address": "console", + "source.domain": "console", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.command_line_arguments": "'clear'", + "cisco.asa.message_id": "111010", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 111010, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.10.0.87, executed 'clear'", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "enable_15", + "input.type": "log", + "log.level": "notification", + "log.offset": 8421, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "502103", + "cisco.asa.privilege.new": "15", + "cisco.asa.privilege.old": "1", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 502103, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-502103: User priv level changed: Uname: enable_15 
From: 1 To: 15", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "enable_15", + "input.type": "log", + "log.level": "notification", + "log.offset": 8528, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "FCD-FS-LAN", + "cisco.asa.message_id": "605004", + "destination.address": "10.10.1.254", + "destination.ip": "10.10.1.254", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 605004, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-605004: Login denied from 10.10.1.212/51923 to FCD-FS-LAN:10.10.1.254/https for user \"*****\"", + "event.outcome": "deny", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "denied" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 8623, + "network.protocol": "https", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "FCD-FS-LAN", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.1.212", + "10.10.1.254" + ], + "service.type": "cisco", + "source.address": "10.10.1.212", + "source.ip": "10.10.1.212", + "source.port": 51923, + "source.user.name": "*****", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "611102", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 611102, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-611102: User authentication failed: IP address: 10.10.0.87, Uname: admin", + "event.outcome": 
"failed", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "admin", + "input.type": "log", + "log.level": "informational", + "log.offset": 8746, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "FCD-FS-LAN", + "cisco.asa.message_id": "605005", + "destination.address": "10.10.1.254", + "destination.ip": "10.10.1.254", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 605005, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-605005: Login permitted from 10.10.0.87/6651 to FCD-FS-LAN:10.10.1.254/ssh for user \"admin\"", + "event.outcome": "allow", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info", + "allowed" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 8849, + "network.protocol": "ssh", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "FCD-FS-LAN", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87", + "10.10.1.254" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "source.port": 6651, + "source.user.name": "admin", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "611101", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 611101, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-611101: User 
authentication succeeded: IP address: 10.10.0.87, Uname: admin", + "event.outcome": "succeeded", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "host.user.name": "admin", + "input.type": "log", + "log.level": "informational", + "log.offset": 8971, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.10.0.87" + ], + "service.type": "cisco", + "source.address": "10.10.0.87", + "source.ip": "10.10.0.87", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "713049", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 713049, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-713049: Group = 91.240.17.178, IP = 91.240.17.178, Security negotiation complete for LAN-to-LAN Group (91.240.17.178) Responder, Inbound SPI = 0x276b1da2, Outbound SPI = 0x0e1a581d", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "notification", + "log.offset": 9077, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "113019", + 
"destination.address": "91.240.17.178", + "destination.as.number": 201126, + "destination.as.organization.name": "CDW Ltd", + "destination.bytes": 1216163, + "destination.geo.city_name": "London", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5888, + "destination.geo.location.lon": -0.0247, + "destination.geo.region_iso_code": "GB-ENG", + "destination.geo.region_name": "England", + "destination.ip": "91.240.17.178", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 113019, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2020-04-27T02:03:03.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-113019: Group = 91.240.17.178, Username = 91.240.17.178, IP = 91.240.17.178, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested", + "event.severity": 4, + "event.start": "2020-04-27T04:03:03.000Z", + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9288, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "91.240.17.178" + ], + "service.type": "cisco", + "source.bytes": 297103, + "source.user.name": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.assigned_ip": "8.8.4.4", + "cisco.asa.message_id": "722051", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 722051, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-722051: Group some-policy User testuser IP 8.8.8.8 IPv4 Address 8.8.4.4 IPv6 address 2001:4860:4860::8888 assigned to session", + "event.severity": 4, + 
"event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 9527, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "8.8.8.8", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.user.name": "testuser", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.message_id": "716002", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 716002, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-716002: Group another-policy User testuser IP 8.8.8.8 WebVPN session terminated: User Requested.", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 9683, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "8.8.8.8" + ], + "service.type": "cisco", + "source.address": "8.8.8.8", + "source.as.number": 15169, + "source.as.organization.name": "Google LLC", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "8.8.8.8", + "source.user.name": "testuser", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "outside", + "cisco.asa.message_id": "710003", + "destination.address": 
"195.74.114.34", + "destination.as.number": 8468, + "destination.as.organization.name": "Entanet", + "destination.geo.city_name": "Stoke Newington", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "GB", + "destination.geo.location.lat": 51.5638, + "destination.geo.location.lon": -0.0765, + "destination.geo.region_iso_code": "GB-HCK", + "destination.geo.region_name": "Hackney", + "destination.ip": "195.74.114.34", + "destination.port": 23, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 710003, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-3-710003: TCP access denied by ACL from 104.46.88.19/6370 to outside:195.74.114.34/23", + "event.severity": 3, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "error", + "log.offset": 9810, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "104.46.88.19", + "195.74.114.34" + ], + "service.type": "cisco", + "source.address": "104.46.88.19", + "source.as.number": 8075, + "source.as.organization.name": "Microsoft Corporation", + "source.geo.city_name": "Dublin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "IE", + "source.geo.location.lat": 53.3338, + "source.geo.location.lon": -6.2488, + "source.geo.region_iso_code": "IE-L", + "source.geo.region_name": "Leinster", + "source.ip": "104.46.88.19", + "source.port": 6370, + "tags": [ + "cisco-asa", + "forwarded" + ] + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 75f12d9b6b1..90ec4ed3a8f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -34,6 +34,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -77,6 +83,12 @@ "log.offset": 200, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -119,6 +131,11 @@ "log.offset": 381, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -164,6 +181,12 @@ "log.offset": 545, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" 
@@ -202,6 +225,10 @@ "input.type": "log", "log.level": "critical", "log.offset": 734, + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -242,6 +269,11 @@ "log.offset": 853, "network.iana_number": 58, "network.transport": "ipv6-icmp", + "observer.egress.interface.name": "ISP1", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "fe80::1ff:fe23:4567:890a" ], @@ -287,6 +319,11 @@ "log.offset": 989, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.ingress.interface.name": "identity", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.255.0.206", "10.12.31.51" @@ -330,6 +367,11 @@ "log.offset": 1171, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz2", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "127.2.3.4", "127.3.4.5" @@ -373,6 +415,11 @@ "log.offset": 1334, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz2", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "127.2.3.4", "127.3.4.5" @@ -417,6 +464,11 @@ "log.offset": 1514, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.20", "10.223.223.40" 
@@ -470,6 +522,11 @@ "log.offset": 1723, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.3", "1.2.33.40" diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 09cce4899fc..18ea450c55f 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -1,7 +1,12 @@ [ { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8256, "event.action": "firewall-rule", "event.category": [ "network" @@ -22,9 +27,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1772, "tags": [ "cisco-asa", "forwarded" 
@@ -32,7 +52,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11757", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1772, + "cisco.asa.mapped_source_ip": "100.66.205.104", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1772, "event.action": "firewall-rule", "event.category": [ "network" @@ -53,9 +83,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.104", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.104", + "source.ip": "100.66.205.104", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -97,6 +143,12 @@ "network.bytes": 38110, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -148,6 +200,12 @@ "network.bytes": 44010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -199,6 +257,12 @@ "network.bytes": 7652, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -250,6 +314,12 @@ "network.bytes": 7062, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -301,6 +371,12 @@ "network.bytes": 5738, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -352,6 +428,12 @@ "network.bytes": 4176, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -403,6 +485,12 @@ "network.bytes": 1715, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -454,6 +542,12 @@ "network.bytes": 45595, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -505,6 +599,12 @@ "network.bytes": 27359, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -556,6 +656,12 @@ "network.bytes": 4457, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -607,6 +713,12 @@ "network.bytes": 26709, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -658,6 +770,12 @@ "network.bytes": 22097, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -709,6 +827,12 @@ "network.bytes": 2209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -760,6 +884,12 @@ "network.bytes": 10404, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -811,6 +941,12 @@ "network.bytes": 123694, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -862,6 +998,12 @@ "network.bytes": 35835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -913,6 +1055,12 @@ "network.bytes": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -930,7 +1078,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1188, "event.action": "firewall-rule", "event.category": [ "network" @@ -951,9 +1104,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3552, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" @@ -961,7 +1129,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11758", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.80.32", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -982,9 +1160,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3703, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.80.32", + "source.ip": "100.66.80.32", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1026,6 +1220,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1043,7 +1243,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11759", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.252.6", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1064,9 +1274,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4071, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.6", + "source.ip": "100.66.252.6", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1108,6 +1334,12 @@ "network.bytes": 164, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1125,7 +1357,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8257, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1146,9 +1383,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4439, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1773, "tags": [ "cisco-asa", "forwarded" @@ -1156,7 +1408,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11760", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1773, + "cisco.asa.mapped_source_ip": "100.66.252.226", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1773, "event.action": "firewall-rule", "event.category": [ "network" @@ -1177,9 +1439,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4589, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -1187,7 +1465,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8258, "event.action": "firewall-rule", "event.category": [ "network" @@ -1208,9 +1491,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4784, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1774, "tags": [ "cisco-asa", "forwarded" @@ -1218,7 +1516,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11761", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1774, + "cisco.asa.mapped_source_ip": "100.66.252.226", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1774, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1239,9 +1547,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4934, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -1249,7 +1573,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11762", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.238.126", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1270,9 +1604,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5129, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.238.126", + "source.ip": "100.66.238.126", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -1280,7 +1630,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11763", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.93.51", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1301,9 +1661,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5326, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.93.51", + "source.ip": "100.66.93.51", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1345,6 +1721,12 @@ "network.bytes": 111, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -1396,6 +1778,12 @@ "network.bytes": 237, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1413,7 +1801,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8259, "event.action": "firewall-rule", "event.category": [ "network" @@ -1434,9 +1827,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5871, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1775, "tags": [ "cisco-asa", "forwarded" @@ -1444,7 +1852,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11764", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1775, + "cisco.asa.mapped_source_ip": "100.66.225.103", + "cisco.asa.mapped_source_port": 443, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1775, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1465,9 +1883,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6021, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.225.103", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.225.103", + "source.ip": "100.66.225.103", + "source.port": 443, "tags": [ "cisco-asa", "forwarded" @@ -1475,7 +1909,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1189, "event.action": "firewall-rule", "event.category": [ "network" @@ -1496,9 +1935,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6218, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" 
@@ -1506,7 +1960,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11772", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.240.126", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1527,9 +1991,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6369, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.240.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.240.126", + "source.ip": "100.66.240.126", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1537,7 +2017,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11773", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.44.45", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1558,9 +2048,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6566, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.44.45", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.44.45", + "source.ip": "100.66.44.45", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1602,6 +2108,12 @@ "network.bytes": 87, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1653,6 +2165,12 @@ "network.bytes": 221, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1670,7 +2188,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8265, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1691,9 +2214,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7110, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1452, "tags": [ "cisco-asa", "forwarded" @@ -1701,7 +2239,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11774", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1452, + "cisco.asa.mapped_source_ip": "100.66.179.219", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1452, "event.action": "firewall-rule", "event.category": [ "network" @@ -1722,9 +2270,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7260, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.179.219", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.179.219", + "source.ip": "100.66.179.219", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -1732,7 +2296,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11775", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.157.232", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1753,9 +2327,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7455, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.157.232", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.157.232", + "source.ip": "100.66.157.232", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1763,7 +2353,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11776", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.178.133", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1784,9 +2384,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7652, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.178.133", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.178.133", + "source.ip": "100.66.178.133", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -1828,6 +2444,12 @@ "network.bytes": 101, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1879,6 +2501,12 @@ "network.bytes": 126, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1896,7 +2524,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8266, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1917,9 +2550,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8203, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1453, "tags": [ "cisco-asa", "forwarded" @@ -1927,7 +2575,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11777", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1453, + "cisco.asa.mapped_source_ip": "100.66.133.112", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1453, "event.action": "firewall-rule", "event.category": [ "network" @@ -1948,9 +2606,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8353, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.133.112", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.133.112", + "source.ip": "100.66.133.112", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -1992,6 +2666,12 @@ "network.bytes": 862, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2009,7 +2689,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11779", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.204.197", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2030,9 +2720,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8733, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.204.197", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.204.197", + "source.ip": "100.66.204.197", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -2074,6 +2780,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2125,6 +2837,12 @@ "network.bytes": 176, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2142,7 +2860,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, "event.action": "firewall-rule", "event.category": [ "network" @@ -2163,9 +2886,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9284, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-asa", "forwarded" 
@@ -2173,7 +2911,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11780", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1454, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1454, "event.action": "firewall-rule", "event.category": [ "network" @@ -2194,9 +2942,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9434, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2204,7 +2968,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2225,9 +2994,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9625, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-asa", "forwarded" @@ -2235,7 +3019,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11781", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1455, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1455, "event.action": "firewall-rule", "event.category": [ "network" @@ -2256,9 +3050,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9775, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -2266,7 +3076,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, "event.action": "firewall-rule", "event.category": [ "network" @@ -2287,9 +3102,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9966, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-asa", "forwarded" @@ -2297,7 +3127,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11782", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1456, + "cisco.asa.mapped_source_ip": "100.66.128.3", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1456, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2318,9 +3158,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10116, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.128.3", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.128.3", + "source.ip": "100.66.128.3", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2328,7 +3184,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11783", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.100.4", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -2349,9 +3215,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10307, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.100.4", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.100.4", + "source.ip": "100.66.100.4", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" 
@@ -2393,6 +3275,12 @@ "network.bytes": 104, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2410,7 +3298,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, "event.action": "firewall-rule", "event.category": [ "network" @@ -2431,9 +3324,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10675, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-asa", "forwarded" @@ -2441,7 +3349,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11784", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1457, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1457, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2462,9 +3380,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10825, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2472,7 +3406,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, "event.action": "firewall-rule", "event.category": [ "network" @@ -2493,9 +3432,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11018, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-asa", "forwarded" 
@@ -2503,7 +3457,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11785", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1458, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1458, "event.action": "firewall-rule", "event.category": [ "network" @@ -2524,9 +3488,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11168, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2534,7 +3514,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11786", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.1.107", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2555,9 +3545,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11361, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.1.107", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.1.107", + "source.ip": "100.66.1.107", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -2599,6 +3605,12 @@ "network.bytes": 593, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2616,7 +3628,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2637,9 +3654,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11738, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-asa", "forwarded" @@ -2647,7 +3679,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11787", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1459, + "cisco.asa.mapped_source_ip": "100.66.198.40", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1459, "event.action": "firewall-rule", "event.category": [ "network" @@ -2668,9 +3710,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11888, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.198.40", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.198.40", + "source.ip": "100.66.198.40", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" 
@@ -2712,6 +3770,12 @@ "network.bytes": 375, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -2729,7 +3793,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, "event.action": "firewall-rule", "event.category": [ "network" @@ -2750,9 +3819,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12256, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-asa", "forwarded" @@ -2760,7 +3844,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11788", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1460, + "cisco.asa.mapped_source_ip": "100.66.192.44", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1460, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2781,9 +3875,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12406, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.192.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.192.44", + "source.ip": "100.66.192.44", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2812,6 +3922,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12599, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2822,7 +3936,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8277, "event.action": "firewall-rule", "event.category": [ "network" @@ -2843,9 +3962,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12769, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1385, "tags": [ "cisco-asa", "forwarded" 
@@ -2853,7 +3987,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11797", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.156.80", + "cisco.asa.mapped_destination_port": 1385, + "cisco.asa.mapped_source_ip": "100.66.19.254", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1385, "event.action": "firewall-rule", "event.category": [ "network" @@ -2874,9 +4018,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12920, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.19.254", + "source.ip": "100.66.19.254", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -2905,6 +4065,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13115, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2936,6 +4100,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13285, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", 
@@ -2967,6 +4135,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13455, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2998,6 +4170,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13625, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3029,6 +4205,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13795, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3060,6 +4240,10 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13965, + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3104,6 +4288,12 @@ "network.bytes": 575, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3155,6 +4345,12 @@ "network.bytes": 5391, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3172,7 +4368,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8278, "event.action": "firewall-rule", "event.category": [ "network" @@ -3193,9 +4394,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14509, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1386, "tags": [ "cisco-asa", "forwarded" @@ -3203,7 +4419,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11798", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.156.80", + "cisco.asa.mapped_destination_port": 1386, + "cisco.asa.mapped_source_ip": "100.66.115.46", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1386, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3224,9 +4450,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14660, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.115.46", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.115.46", + "source.ip": "100.66.115.46", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -3265,6 +4507,12 @@ "log.offset": 14855, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3313,6 +4561,12 @@ "log.offset": 15020, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3361,6 +4615,12 @@ "log.offset": 15185, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3409,6 +4669,12 @@ "log.offset": 15350, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3457,6 +4723,12 @@ "log.offset": 15515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3505,6 +4777,12 @@ "log.offset": 15680, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3553,6 +4831,12 @@ "log.offset": 15845, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3601,6 +4885,12 @@ "log.offset": 16010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3649,6 +4939,12 @@ "log.offset": 16175, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3697,6 +4993,12 @@ "log.offset": 16340, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3745,6 +5047,12 @@ "log.offset": 16505, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3793,6 +5101,12 @@ "log.offset": 16670, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3841,6 +5155,12 @@ "log.offset": 16835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3858,7 +5178,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8279, "event.action": "firewall-rule", "event.category": [ "network" @@ -3879,9 +5204,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17000, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1275, "tags": [ "cisco-asa", "forwarded" @@ -3889,7 +5229,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11799", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 1275, + "cisco.asa.mapped_source_ip": "100.66.205.99", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1275, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3910,9 +5260,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.99", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.99", + "source.ip": "100.66.205.99", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -3920,7 +5286,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1190, "event.action": "firewall-rule", "event.category": [ "network" @@ -3941,9 +5312,24 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17343, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-asa", "forwarded" 
@@ -3951,7 +5337,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.connection_id": "11800", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "172.31.98.44", + "cisco.asa.mapped_destination_port": 56132, + "cisco.asa.mapped_source_ip": "100.66.14.30", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -3972,9 +5368,25 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17494, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.14.30", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.14.30", + "source.ip": "100.66.14.30", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index cff051f89ae..bb691462f78 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -24,6 +24,9 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "1.2.3.4" ], diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 0cdbce9fc70..e0c78694ae9 100644 
--- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -20,6 +20,10 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.hostname": "beats", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, "service.type": "cisco", @@ -58,6 +62,11 @@ "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "beats", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 5af2ac66dca..7d010afe62c 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -27,6 +27,10 @@ "log.offset": 0, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "service.type": "cisco", "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", @@ -65,6 +69,10 @@ "log.offset": 169, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "MYHOSTNAME", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.134", "192.0.2.15" diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 8747c17b868..74097780ab2 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json 
@@ -31,6 +31,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "LB-DMZ", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "203.0.113.42" ], @@ -73,6 +78,10 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -100,7 +109,6 @@ "destination.address": "172.24.177.3", "destination.domain": "example.org", "destination.ip": "172.24.177.3", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -126,6 +134,12 @@ "log.offset": 360, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "wan", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index ce31629c9fc..d27f89ab5b9 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -31,6 +31,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" 
@@ -76,6 +81,11 @@ "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -122,6 +132,11 @@ "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.16", "192.0.0.89" @@ -168,6 +183,12 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -214,6 +235,12 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -229,7 +256,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 12834, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -249,7 +281,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 812, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4952, "tags": [ "cisco-asa", "forwarded" @@ -257,7 +303,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743274", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.3.42", + "cisco.asa.mapped_destination_port": 12834, + "cisco.asa.mapped_source_ip": "192.0.2.43", + "cisco.asa.mapped_source_port": 443, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.port": "12834", + "destination.port": 4952, "event.action": "firewall-rule", "event.category": [ "network" @@ -277,7 +334,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 938, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.43", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.43", + "source.ip": "192.0.2.43", + "source.port": 443, "tags": [ "cisco-asa", "forwarded" 
@@ -285,7 +357,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 25882, "event.action": "firewall-rule", "event.category": [ "network" @@ -305,7 +382,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1110, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.1.35", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.1.35", + "source.ip": "10.123.1.35", + "source.port": 52925, "tags": [ "cisco-asa", "forwarded" @@ -313,7 +404,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743275", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.1.35", + "cisco.asa.mapped_destination_port": 25882, + "cisco.asa.mapped_source_ip": "192.0.2.43", + "cisco.asa.mapped_source_port": 53, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.1.35", + "destination.ip": "10.123.1.35", + "destination.nat.port": "25882", + "destination.port": 52925, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -333,7 +435,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1237, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.nat.ip": "192.0.2.43", + "source.port": 53, "tags": [ "cisco-asa", "forwarded" @@ -341,7 +459,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 45392, "event.action": "firewall-rule", "event.category": [ "network" @@ -361,7 +484,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1405, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4953, "tags": [ "cisco-asa", "forwarded" 
@@ -369,7 +506,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743276", + "cisco.asa.destination_interface": "outside", + "cisco.asa.mapped_destination_ip": "10.123.3.130", + "cisco.asa.mapped_destination_port": 45392, + "cisco.asa.mapped_source_ip": "192.0.2.1", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.ip": "10.123.3.130", + "destination.nat.port": "45392", + "destination.port": 4953, "event.action": "firewall-rule", "event.category": [ "network" @@ -389,7 +538,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1531, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.1", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.1", + "source.ip": "192.0.2.1", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -430,6 +594,11 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -480,6 +649,11 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" 
@@ -522,6 +696,10 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "FJSG2NRFW01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -536,7 +714,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", + "cisco.asa.source_interface": "inside", + "destination.address": "192.0.0.130", + "destination.ip": "192.0.0.130", + "destination.port": 10879, "event.action": "firewall-rule", "event.category": [ "network" @@ -556,7 +739,21 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2167, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.3.42", + "192.0.0.130" + ], "service.type": "cisco", + "source.address": "192.168.3.42", + "source.ip": "192.168.3.42", + "source.port": 4954, "tags": [ "cisco-asa", "forwarded" @@ -564,7 +761,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.asa.connection_id": "89743277", + "cisco.asa.destination_interface": "inside", + "cisco.asa.mapped_destination_ip": "10.0.0.130", + "cisco.asa.mapped_destination_port": 10879, + "cisco.asa.mapped_source_ip": "192.0.0.17", + "cisco.asa.mapped_source_port": 80, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.3.42", + "destination.ip": "192.168.3.42", + "destination.nat.ip": "10.0.0.130", + "destination.nat.port": "10879", + "destination.port": 4954, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -584,7 +793,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2293, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.0.17", + "192.168.3.42" + ], "service.type": "cisco", + "source.address": "192.0.0.17", + "source.ip": "192.0.0.17", + "source.port": 80, "tags": [ "cisco-asa", "forwarded" @@ -621,6 +845,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.0.66", "10.1.2.60" @@ -666,6 +893,11 @@ "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -711,6 +943,11 @@ "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -756,6 +993,11 @@ "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" 
@@ -801,6 +1043,11 @@ "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -846,6 +1093,11 @@ "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -891,6 +1143,11 @@ "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -936,6 +1193,11 @@ "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -981,6 +1243,11 @@ "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1026,6 +1293,11 @@ "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.13", "192.168.33.31" 
@@ -1071,6 +1343,11 @@ "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1115,6 +1392,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.2.42" @@ -1159,6 +1440,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.5.60" @@ -1204,6 +1488,11 @@ "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1249,6 +1538,11 @@ "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1294,6 +1588,11 @@ "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" 
@@ -1339,6 +1638,11 @@ "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1384,6 +1688,11 @@ "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1429,6 +1738,11 @@ "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1474,6 +1788,11 @@ "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1519,6 +1838,11 @@ "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1564,6 +1888,11 @@ "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" 
@@ -1610,6 +1939,11 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.99" @@ -1625,7 +1959,17 @@ }, { "@timestamp": "2018-12-11T08:01:24.000-02:00", + "cisco.asa.connection_id": "447235", + "cisco.asa.destination_interface": "identity", + "cisco.asa.mapped_destination_ip": "10.0.13.13", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "192.168.77.12", + "cisco.asa.mapped_source_port": 11180, "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "outside", + "destination.address": "10.0.13.13", + "destination.ip": "10.0.13.13", + "destination.port": 80, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1645,37 +1989,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 5967, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "identity", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", - "service.type": "cisco", - "tags": [ - "cisco-asa", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-11T08:01:24.000-02:00", - "cisco.asa.message_id": "302015", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302015, - "event.dataset": "cisco.asa", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" + "related.ip": [ + "192.168.77.12", + "10.0.13.13" ], - "fileset.name": "asa", - "input.type": "log", - "log.file.path": "sample.log", - "log.level": "informational", - "log.offset": 6142, - "process.name": "", "service.type": "cisco", + "source.address": "192.168.77.12", + "source.ip": "192.168.77.12", + "source.port": 11180, "tags": [ "cisco-asa", "forwarded" @@ -1713,6 +2043,11 @@ "log.offset": 6322, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.33", 
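Review bot: The `@@ -1645,37 +1989,23 @@` hunk removes an entire expected document (the second `302015` event at `log.offset` 6142) rather than only enriching the one at offset 5967, so one input line now yields no document at all. If sample.log did not lose that line in the same change, the pipeline is silently dropping a Built-connection event and the golden file now hides it; the number of expected documents should be checked against the number of sample lines. The removed event carried `"event.original": "%ASA-6-302015: Built outbound UDP connection 447235 ... to identity:10.0.13.13/80port> (10.0.13.13/80)"`, whose `80port>` looks like malformed input, so the drop may be intentional, but a line the pipeline cannot parse is normally expected to surface as an error document rather than vanish from the output.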
@@ -1759,6 +2094,11 @@ "log.offset": 6472, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.33", @@ -1775,7 +2115,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_host": "OCSP_Server", + "cisco.asa.mapped_destination_port": 5678, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1795,8 +2145,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 6622, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" 
@@ -1804,7 +2168,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.asa.connection_id": "447236", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_host": "OCSP_Server", + "cisco.asa.mapped_destination_port": 5678, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1824,8 +2198,22 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 6792, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -1866,6 +2254,11 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1915,6 +2308,11 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", 
@@ -1964,6 +2362,11 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -1994,20 +2397,22 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7459, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2038,20 +2443,22 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "asa", "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7601, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", 
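Review bot: The `@@ -1994,20 +2397,22 @@` and `@@ -2038,20 +2443,22 @@` hunks codify a parsing regression for `%ASA-6-106015: Deny TCP (no connection) ...`: `event.outcome` changes from `deny` to `tcp`, `denied` is dropped from `event.type`, `network.iana_number` disappears, and `network.transport` becomes `(no`, which is the opening parenthesis of "(no connection)" rather than a protocol name. Accepting this in the golden file means the test no longer catches the mis-parse, and any detection rule or dashboard filtering on `event.outcome: deny` or `event.type: denied` would silently stop seeing these firewall denies. The pattern for message 106015 lives in the ingest pipeline outside this diff, so the fix belongs there; the expected lines should remain `"event.outcome": "deny"`, `"network.iana_number": 6` and `"network.transport": "tcp"` with `"denied"` kept in `event.type`.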
@@ -2098,6 +2505,11 @@ "log.offset": 7743, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.168.1.34", @@ -2114,7 +2526,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_ip": "192.168.1.34", + "cisco.asa.mapped_destination_port": 65000, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2134,8 +2556,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7894, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" 
@@ -2143,7 +2580,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.asa.connection_id": "447237", + "cisco.asa.destination_interface": "dmz", + "cisco.asa.mapped_destination_ip": "192.168.1.34", + "cisco.asa.mapped_destination_port": 65000, + "cisco.asa.mapped_source_ip": "192.0.2.222", + "cisco.asa.mapped_source_port": 1234, "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2163,8 +2610,23 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 8068, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-asa", "forwarded" @@ -2205,6 +2667,11 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "dmz", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "", "related.ip": [ "192.0.2.222", @@ -2254,6 +2721,11 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.44.4.4", "10.44.2.2" 
@@ -2295,6 +2767,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8549, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2335,6 +2812,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8670, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2375,6 +2857,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8791, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2415,6 +2902,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 8912, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2455,6 +2947,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9033, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2495,6 +2992,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9154, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" 
@@ -2535,6 +3037,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9275, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2575,6 +3082,11 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 9397, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2620,6 +3132,12 @@ "log.offset": 9519, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "GIFRCHN01", + "observer.ingress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -2663,6 +3181,11 @@ "log.offset": 9673, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "GIFRCHN01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.2.3.5" ], @@ -2704,6 +3227,10 @@ "log.offset": 9783, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.16.30.2", "172.16.1.10" @@ -2753,6 +3280,11 @@ "log.offset": 9919, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.45", "192.88.99.129" 
@@ -2806,6 +3338,11 @@ "log.offset": 10170, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2814,7 +3351,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa", @@ -2859,6 +3395,11 @@ "log.offset": 10469, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2867,7 +3408,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-asa", @@ -2900,6 +3440,9 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10766, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.30.30.30", "192.0.2.1" @@ -2939,6 +3482,9 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10843, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.5.111.32", "192.0.2.32" @@ -2979,6 +3525,10 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 10935, + "observer.egress.interface.name": "inside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.69.6.39", "192.0.0.19" diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index 695aec368e4..79f0ee61a35 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "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" + return "eJzsvW1zIzeSJ/5+PgX+jvifux0y224/7I1vdi+0knqsm37QtrrbexcTUQFWJUlYKKAaQJGiP/0FEqhisQpFShRAqffsFw5bJBM/JIBEZiIfviU3sP6F5Ezn8i+EGGY4/ELO/P8WoHPFKsOk+IX8218IIeSNLGoOZCYVWVBRcCbm7utEgFlJdUMKWLIcCJdzPfkLITMGvNC//AV/bf/5lghagh9zQjVtPyHErCv4hcyVrKvOXwMwmn9eIXWE41CcXp+SV0zBinI+6Xy1gbH5S4OjBK3pHDJWbFF2UG5gvZJq+5MdcAj5sIAOEk+bsAKEYTMGaoMpAEXXsxm7vSMMuKVlZVdLg9ZMirtjfId/p9yPR+jMgCL/vwV8V6CyVjlkTBhQM5pDDM5dI03S0sRFNQsgMy5XRCoCSxBmJ6wCtGGCWvpxsZ1vCD8IoKo5ZPY/Y4B6S0sgcoYQTvMctCZnUhglOXnNtMHBiFlQQ0pq8gUUxCyYvgNKv7q1BpUCq6XrcDGNf3DjeXbeCWF3oY8GszPofbCWtKqgyJojUwVw9v64V8AYRYXm1EDR8O7yitCiUKD1PbAspDZ35tqM1txkKEZ/ITPKNTwUsx3+HmgrqUJouRTzhyKxpO+CZEu+RF7I7u6632p2UT3WknbR33Vdu7hTLG4X094VNgsF1GQclsDj6AGWHkF6KC1KyldUAXlBptIIMBbpbMbyCXknUOYsQa2/5XJ1Quy/euRKWYCiBk7Igs0X9rLBr9v/ucu0cmpgLtU6xszOPK32+huf2St7KTZqypKpWp/47/TnZ5T8nYoTAibfOZ9cCgG5O4BR9LWPgn2uuwoaTovinb4TCcvLKrODBlDoRX8778RwefbmCn+5f8BcFrEGtKTuyuuReaYRK5+u3nbGJltjh3QBWmUKcqkKfT8gD9DwqdZsLqAg56dXpD94kJVlSUWRcSYgo2pelyDM8eD64YkdnrTDWxNtDgWZrvEYc5lTTmhdMGM/2TWdZvr9S/COc7jvLbm5DjeMN5JQt1M4A2GIrlEDntWcr9vdI3bOolJsyTjMYSL5PffwgWvx2wIEoahZ6s3wVr/MF1TMGw3d65uSF2RJeb1z928mIWD1BCchYLV/EtNaaTOR098h70uxdIdCgVMT3LAo9hEHWVElmJjvPNAOMTvOtumitUoAuTw/CG5eKwXCZJbG8WSPG9SDRfgaQNwBrRQzNq8VFI8DeDN+B/t+2HQ5fxy8dAmKzuFBjH408B1mB+ZBOZcrKO6yw8uaU8OWkOWyFscTJkYaygmOaXX5DvYFM5poJnJwQt1JmxXVJLequRVAiuQcqOpMcNtHOjNdNA/3kb5iCiq5AtVYKecwA6HhiThOX304/7Icpxbwn47TPx2nfzpOv2jHKfmogVycXfuPJoKaCav+9Kce6E8NsfMJO1pbuJ3P77EF/nTC7se0vS36fP7TRfuni/ZPF+3WgHtdtBryWjET2jRBb8pmwN5w7+nKa/rI3GtPl1zYW3r3K9QX7iZOCXGnm3jbxmNSR7XxLt9dtyE4zT/jphxFLTjj7B4X1x21QXvFOh3bUt+5k2Y0Zzy8m3facdcXZ/dbl2YgYiRZLVi+cELS25wKZqA0eTbbiMYTcv32zdUJuf7f1yeECqvo9MjOpDKL5xNyuiGeU0GmQChZUFWg+HWhUSeEkkpJI3PJTwiKstJFVclZX+ZaJX+tDZREy5mxRCbk0pAChDSwZQR4SZ/TWre8dz/t31NumpPBRvQBXJPWTpv0
rAO5BLVSzNhLS9Uw2K/DRdpzhHYsVHcLNZFlGwNytQDl/Cn+IiMLqskUQBA51aCWUAznp7ZCzfZNZnj4dk5l/GwhakG3VZbx0cfGDw3R0eb0vLfMu0bYdap6q/LB2mo3sLa2XK3dw0tOK1N7/iu6ag8O2ny5LEHbSUv7eY80Ia/lnJyDvdhUeCKOFuuDOnQ6DV00N622m0cm7AEn5r5nuTvxuRQGH/DkjDChDRWmgaGDGA0rDwFY9D3BIXTexrdDEGq8OKWNb825Pyl5C+Y3ZoS9BvzqTwZbo52sXsiaF0TAEpSVoM2+q6jSQN6AoRYaJTMly85Qz17LuX5xRfMbMPr5gPw5U5Abvj5p36coeQ9OWLgdLjowJ0FGDm2Pu3FyYEL1OHkOlYIcDSaLpIAZs2qDFBxhGTrlVomvwqhKPe+r2nF3oF/jN/6cX55/7970vJenUczdt+CW5viC7NZLDRYCZ8dQaXO7Bb9nl6OiyrC85lTh7/3CTkZ3xoD0QTsltDMGlMd3yuiSLI+7Ji//XJPda2JHTbMgDzu+cvp7hhPpL8uTQbekhwi95NAUON33KWKzbEt1/h+GTBtqoITe4+gTAYfhR1nOae8MPxF4IEzPQ/dEgC0GXqcnAoyJw4Cl1ZgayfF0d1oB9BDpkZZtM3AvBrFsqBG9JmRndr7YuAUsmoEeMlASHmZF9PSQAfU9VsQ4FwcPr0fhouh4VYLsc+waTDMS+0iAg/dmX34MtboevDk08/d/Wm8btWdS5PZyoEY+dct2RNwsWVpx2OXumR2GzVhOu+f5tZy794YmoqUWBSh0loIXVIOpz9gtFEQDRl1t/Xh7DD1usDSLMKD9YIOlXYQB6XstytATGN+/dNjGHMzrHjy5Hw8GT+pJ9uWvUpuuiOT9HalBFEzMmw91aNt0fEhfDn/ZIRts8KNRxl5eLX9sY/jHjnufuYPZG/mlMnf5c2r2/vz/LnsHr85JZENfLjhHWtdbVhBK5mwJonWSfbmKgGXRYf6LtBZI8RSVvy/jRWPUoSGrdabgc4K17j4e4gLjvH2+2YUbmlzhQTrx3mxDyYd1BSSnQwkyBQLMLECRj5fCfP8zkYq84pKaH16SKdW4i5oHMswmQNVvz7wPUXe/4HnjM2g64zOCfyEYCHcU67gZ+Yt3MEi1omqQnRlN6+hItM60u5y8vPq0pe9RzF/rLylpYlvcJephY7g9uJ2qHfMwcUaxOcPcC/ebbW1lDx9S6V87AiMurz79HGBBOCaHRGBBi2jI5Ri3z2ajDhXHQ2+fBdAC1FHern/Focjl+UNeSR3e7mMpkjnsrfRJO9l4niX3s9FG0brcKFp4UKzpciY5h9xI9SUKYMu9R4i5sXuOaZI71kFhkW4pqq9lX20hOxj9BC2+Mp8+FVW1lBqD3UopyHQ9WDRCFHyuQWMSlGZlxdd+neyXMVAXaL4gmhVAnn1HzELV5OVPPz3H1FANINpRdnDiSSivd+CErqTQkI4V+RezK1yKcONTqMupE3r2KOsgBfKMTuUSOsxgIhhZ2Yg3bRTQcvT85F/MtnlkVkHB6r6eFoNRX4U0x9axwGaEmX/WL7/7/q/aifQXFQrQBvQ/B7P5p7UHX9M1KPKSXIicVhqT4KVAk/Jecj1E/YGPH4HYytAoP7wk/2qne0J++IH8K8mlwpIXuExu0BPy37j5H/aLTJNtpnwVXEIhi0DS8BOxdcUKspxyPqX5TVoN2IFrEgaocXaFZSKIopJMmKa6SBAobo4MlJKJ4tM2+qCuIGeUI2JEqo1UVrMWa6d12A+WlLPCbYwQKEJmshaFvWE4IHgm5l452hu8uH0iBpRjvAX647Dj2WhkFdZc0uKp3HMeDtHsDyAlGMXygNXhTeHul9EWdtd9I4TttU/NRqOVs2bZJuRXubJLM7Q5mSBSWWPMSHIDUO1h2pO48b4QpimJyWBLVmRFqlfXi0byzEFg1qzGtKra2dHeLlwyZWrKrdG+5XsXARcH
K5k1u/GtHJnhZuGP+uU5UVZaa3SoINOomoNpv7aXE1olCnp6dE40Ofu7OKGSPAUNBf/leeN7fQ+lNECu/X5vauVM12OCkmC1EfcQ8wU8vPiRMl1xljKy4Umb85oN1P4noZtZmZtwv+Ops3dAk6bpd11jtfgr5L/GC6MTLzPGH+GN3o5qjaOrs9Mrr/v6pFxWVlL1NV6CV+QXFwZRPw33hy/TgIb4sPgaca7UbVO+3vxkY7A7PQct8wl5+dPPZIV8L4EKQjkP+wrQqY9q0sZ/RFagXA08gmU+qDZEil66yDYTH11N/LKZGDirKZ5tPe9+k6pAxmFUE+QLIbmcr/sPcTOmBlosIT+RfEEVzY1joj3Ua8SPTnNBauFjeviWz3w0ozZ2Qrd7qE/5iLDj7RItitIqmVI0zwiKrkZlGkrWnlpJc9RY3RuF8D4HmedY4xEpakNFQVVBhFQl5eyPUHyvVGWQP4WPcjiYRbKeDq6kezFpg7oF84KzGeCMAwa+hlyKYkTB3ix3pk1KP8uOCTGRy7LiYIIbYNSJSlGBN4r1xGAn30yZR9rI13bs4HYe28rbO3N0+5VSmEWkZdrkp8aKedlEORWPxPgLUaRguyX5hxSpqy3sEIt29EbFdOG1H/ocHoioZCf6lBi4Nf7wkSUo3UmnKHbFgQXW96GbbQ001jQ3aXq5VAUU6e5BH2TjryndjtjoGE2kTfvF7vv68LZSspwg1RqT8nUOgiomnVpf1tywbw0DRWhV8Sb7ZVPLpqSCzkOpuYRwfN7ZKuvTFJQizHytiVwJ9zJmaFn1PYMeMdbfVHIYfMSMJvmCWetGFqAn5E2tDZpJXaL2VFIzEpdLDRy4SDsF2GxmcS/hGJoQLnIzoOMdloICkbsNQa1qXbAlK6xmg/shLMiuG0H2oce88CRvK6aONsPNerq3oFu7E5nh66bulZGor1lQrjjjTt9oxEUfdeGcWGncyrPJYMg2nEzWsSVQOVDkHkqx5X/so4Ia5Oca6qNtJbu73S7ayMcV1QRBFCP7BsF9H5upEZWCLYYmkGnz0iS4fedlCqxVlgBqlaXQnquYomib6MvoVBPoSp1b5HFMyJ75GLxjBtflve6cQ8XmPrl2yGPB5oLoVUOI7Qii+UCJj6FY65qnfnYasaJkbXJZwguHoTVeMCp7UACT2H3hWLBlQI5sEFjCoBzu0SbWjO6TADsvO7tcPmmTFwe1A90t3Wa6WGr47lRBzmZsY/iEtVtfyn1kT3ldOX00U2ABWhcjKzYJE42LqvCPLEHc3mw+1iJ82rbSu5agVOTdtQ+NZboJCOj71YivC9troEC2siR1JTWLKDjutLfQnBaFqzCFofzN2R2twlNzMyyY/ViiSNQlKJbfVxYF53aELLYdE+tmsrUnw4kld74HU1uCKKTyAbM7Zyanvz9C9ZrmaTdQ1rwLLH0u+IDdVoLuBuYkfcpadV8ND6TP+vdixnu5FrSNLRbSEIptIizIcAAtl/OsCVR5FKHebMR7C/Vj1EzZkn1/x3ArrFq93e6wi6qSnOXr1Kdnh1y4QgC+uLbg6xG5HGy2lJiB72sOCCwsTqUwcJtaY20BXQrnr9vUQ6VFoe2/8FLFVm8IKFQAZs/l7LpkZv12nQlkwdjDZdOSs60VQo1RbFob6EiIYYy+b/BptfXu9RcWHbrqdxB7uNXiWr0e/+SgIdiPL/J9Zzv6W8C4xQwwy7Cm4KDexHypJagJuQa3KLUGNaFzwFLePtJ9JlWDYUC7IeP09tw13XK/79StkIpMlVzZz5q/el3TmV2j9aQviyuqTGw3XUs4tkfFn6l+H9/jnam2V2/CIyUr8A+Kqe7iU0EoB2Xa6CK1GdT/zT1vefHRKQKAQUgBhbkgQopvFVSAlsyu6Ac0G4555TTNR1t7xbQNOl8w98LWPP8MZrZiZuGVZSfryTkOOMVsE0Gk+HYu7X/vuAlQSckCimPCedPOY+ALBGBByhmx0sEw0BNyvZEp/cYG
3cyqNIjPXDpfra0R41JGXbBN4cWvZzwlOa+1aTak/5/BMuFPmLYr6XOivX/DKr746bgKdHTtx52wsEXvyjKlU8q+3md4WZTniIJQrWXO0F9qVyNoT+KCvWY38AuhpFqsNcspJwXTNyekUtgTBVuJfR1WlKmih+Re3vOid3k2ipZgsJk51VjFS2MhB1eLoGmdL7ce7YepNVtd0cjwanL3wWNpfJ01THAxOfGdy7Kqh2cwwbJRsmKikCsfT5tLkUNlTtpIilFmDKY5qzlfk8815c75WciSMuGlhugMxOXI1dX1esZSl3ZM3aqEr5m4gcLnAjWB6FSjd8obKPaTr1poE1bsWjg+qAqRVNR1Ozs5t0QfQAPv3fVj4XpXec8ruR6W62kfnUGVrN/YKbWL1Y+JaN3+361p/xBZ054xnv6Mt1N+haO1x1hBUedAmpcjCLvbNChGeRa4TZNdItc4ZKM29+/HzgVob5hRvwDkN/qgkgMxPMZ+dHvRLahetCfUqoWBLMM6X7jI3ybHpk0zPGso9UqE2Ym0w0y0yrHxffP/w0xTYuW5IAxj7mqBLfLtn7AQ3gaaTyDcNMFziZ37Xx+c8KuHdZ6e9I2Vy3La9NOVs60Ly6eNqnvcXtjw9dievq42ggDGPX7HeSANHIkzN7qryTjuKXUWXHLXeMs+52W+PCdvnaR55gs3ENdtzyf9WmzPw3q1c0A/hi+/436+PEeW+pS3VkwMvQfbL3IuDNBNYeI2kZUFK6bDRupSr1PWst9+1fUJ2k5d2OnHHmmOnPjQnW065V6e79VkY/nn9miyFthLUWw02gk5c/mZvt4pdx/s1mYRoNr+xvdfeXfctDZt5qY07WVUCw7acUa6C2UlyZIqRqd8kAXoijIwQSpORwSBBqGT1kfZWtCuqupGnlhJZTWMJr+Q2XW+fnF51dehiS8Z6zwKY3nZBzYUvHMu5OalxYEkl8KQazYXFIXFyBatpEpZvPbrgfyym/Sq0d0kVnXE/7RAus2n7S4rZGDjvH33gTCR87oAK858I1vXCP/ZRdPA+Mo5RBxZlN6TsF8EX+aO/raJzqnN1RJGxvSNVbkPwHWPVLyOG/OtvxreM32z48nVKDafg0rXwi7Msk/dtwCPwbVoVqAXkhd29zhbfaTT6NbT+xE8C8O3dy+Vn713OsbzthjH5Xk4jeTOr/O5LKvsyHFXuCo+9grbuDr/nq6n31o4UmB+6sz15i7qfMxK82rpI0WNdZG30lIqrDxg5XqDb6RLnG9E/igK4LCq/gx7n7uLyE5ipDTyMytEKXlD86aecli5tSLoqHaMFN82CqraLYWcrRm9qbUCqqPHBmtDTR1LcW79UZTxRzM77OBTeUtY8WL8/rI3a30MhBbRx0HhY3cWLIrw0W3uscTd9wab/HzYd++Q64wJWcd64+zkkeh59DNlJWlMp8PAI/tjZMKpKzNubYlTzq3cI7rOc9B6VnNyYccnuSxA2y3RFPsNWxZMFHAbmQGcaXOY5vlA2YIDoymmGhBTUPi+WVLFOEbwBDx47v1dzAlFJn5rfxucmUiwD+XUFRd6JI3Yj06etfGcFShd+aRbJ2EGLPMqwiYgvqnw9HwkydC5uYb3ceqAEqd8tUFe3lflvm0/pExoUoChjAecDFNZm87vRqYm+dFjMxuPLW3j2BDH+EVqoKx4smieU1LAjPonIF/5snnD99GaViteguJ0jYlcRvrLlTwLnEj7AVrd/tcwa7LAna9eG2ZqLMxIghPb2AbDgk0PPa5RX7E6/p2cxkaaQFblsizteUqzjc4cdcI6wb6VkktWOP9ZU0WuBD0aCFXI/PCHxvt7y14xvtEa825cXlg1uK0w6OlxZH0zelpZ/7ucHuh3Onh6/0tO/QNM+HRVLF3h3HMMKHYrf311SS4HClUXRrKqtT67ZDeCiIldbTbsPKohfR9/mI+tDiv3TkRkU1mkzvgaZNz1lQ6PhVgsI+rRIn61BPdkcITM844L2KcO
uwDa9j2EzVnRPuWMOPHK2FbjIA08ws0fT8lr513VKa+pprv31UdXPad5iMJgjVvI664XwYV+TSGU3tpUYdoVuHEER0jQK15sO0Ta7Eq6pIzT4UMGaV3hBPMrZ6DUSKcFd4YO8fXHe3fzxkrpC0C5B9jBlHy4gWbzyYhEZGU2rYtiHd0/w8osah5Qh26t4bBC5zu9VPEpKiYjVjnopdhluj5GQgLT3ehVV3OV1gUzbWbdpi6aRxRqbLfJ2HCiZPO8sHuSLkosNgeXR7PKzz5dkGc+V+JTza2uPGUcEzgwDuzitpLafvM5+XboaBD9V5gbIVdiyxDSkNdYzGK5TX2k02ZOj+CC64eFnjVZ7m99atJrmNN8TT6OmmucTRV9jKR8P/AWi5kgJWVipmgJO8MxKqqwa2/6OglbyuUVDkveysIFR2/KAnaizgKgyB7tC0MFLCNSWUjbdePewor8Wgs0Jd/IAjh5xsRy8s0JYTI/IVP7L7D/ooLytWZ68k34fdHkVTbjdNA5P7YOta3hn10RHBR9XSgn103zKznbWajByKRI3V+nHmdTBkGDshs5CGhZxpW7PWSf3vxGFZAPLgD4m28+vfnt9P3FN9+4mNslVZSN7smVVDcxU5b3HrDfmgG7L2yjTjAqYisRPmcnbpWS9jqgub0u1glMmJlUIDTLYwqQjispAeIyvhck8D4Qi2i2omzYnPjB3gGsfR6bqD0+sVPUdT1NdCjMtNBGxc58x3ztZA6x7l0a7R5tcj7SOUkPTXbZNAYbqDQ+2WST9+LzXSyJGRt1NDVTTeaIPXSqwWpEgWn203vCQvngeoL3d1xY8F7/fz8cdaMyu85/j7LFio6P3gPZCfJRNkfzjrsLn5RHCNraWtmOXfrMtBHtTZQd1sl8jm63wc7d/zLdlKxmx3gPw6SvGWXc8rop5nLlZcbleTe3DStxWXPQwDxQwmA8qrCJuc6sinjAfA4JvMZwa599dCbLshZ9T9QAnTiscNND0b2FW/N3COvULTZ9mGb9UGzXVBT/LsOvZhtshhp2iGR4MLrhwFvgdK0rljMZLUr0WBY8ol9RJYaPDk8duhZllclUwvj67Zsr8s75UTdBqWEgn48aSnD9H6/J5xrUSO3WmotMQb9SZ9rgho5DdE3eN0lnwbCuVkvPI16kXaIydhsBS7Q6yHG0j6oJPI49mG4Rv0ED5VSVCVbLkk3gXqBVxATklmhdROtKu0UzbrWrLdIFNX2t8KF0pyDyRUlVrLSSlu66ooP2xQ9+faL5IJwqCs1sEX0v5DCLm0DVEp7NsdRSArJy+nsCqhWN3gnDVZyKvr3w0T1jsS8cX7mtBKt6RgctMppjY5T46SeWthYRjfcO4em8Wv4obs0i+v2eiyw3Kit01LrrHeqW8mEvT3cgvOQ0usQQGYg5ExGTIoekU8RGi2yW6RUzeXT5IbIZlytNy/ixK13awizTUU/w6pKLjImU4oSJClQ5XUcLeB/QrvKbNMSXlKfYK6zKKiWNzOI/SSH15Y8Zehzj0+bJziaX86xIwWxLOH78Wy6ykt5mxsRyG2wTtjuaQ4JLoWQiEWgm0oGuuM74lGexn0W3aH+XkHj0yuAd2rFrIXZpx87q7dL+KSHtnxPS/peEtP97Qtp/TUPbyIrTKaQQKS31+OaZyMqao/I9XSe4Jxvi1U0CvaSsOZuXVRrt22qZlM9jByF5yiyFUqLhcx7fNyIy7QISE6ygVnkaa9ISTmNN6rWuqwS9SHPRplUnMVWNNNb0gNsEIsRIYw2zVLTRrElCvBbsVlAhNeQJNuHyZ8uVRJfC8mdZmQXQIoFbTZZVlvMEPmxLOMEjCdJV07WJ7xa1lHUSylWdJXjTyBUzLKc8QQKRzugcRL6OGHXVpS0oX/8BxTQF7mWGZUCTUHblYNKgdoG1SahP59Xy5zQ+aJ1NmflrkkJjuc7i9orrEVYyuqjWSY45UoVcxc9y087HH63XVocwmIXz88d3jjjiqPYl
Ie6qycerINehPWMcUtgwOpulWEQ2i5mcvU04hW6gM1ZhkGKWRNSxavljoU01KOYfibZWeRLanM0ghRmj0dFcQsGiJYxu02YizS4pZVFz0LlMwW1PnM0TyCZZ6RU1UXv+d6iHIsijEFYwZ9ooGt8TsqGdQONTUKVitUrGa42VyFUi+eoi890WT0DdKKBlAkXSpQKlgp1OuV4tJNOZ6zAbn/qaKppkgxcjibAxKC9df/vYdJk2VETvc1xoM61VrGaBDVVwvYJSUK2jY42vRzc5ybHJYueGWfxm14dWGthFc06LIvYZYEXsZ9WmdFCCu4iVWa6kLJNUJbKEE5hprMzSBEf6ikcp2FzdRC/PVOn4JUtZpSvFIhPl1DBTR48+40xAvBI7G6o6akedli4m38Z3a3Hpqp5mMy6jX+ct8QQh/9bmjS51LNEEEsfa0AmgRo9N4HKeZOuKeZIDXEkVW4CV03qe4piVTOcpxEKpk2zYFH0gBBgsrhSdbnQZ7gpAx474c1Rjh+OJ1Sq2BZIko0y6BtDRLVEZXzOSis2zQD+uB9NdCVDx76wqc015o5ON2pl6Q9a1eE2yyRIkbvqeOLGFgScbWxpUmXMkRYdLtbYfZvkiVp7/gDTcViz6Q0AFqpwrKsyg5m4MyqskhONfva4S2cePvS6gEQgrOc+oriI2DOiSVjQ2VQWUp9DvFOTIB1d1NBHx+Ey2lOOWcO1QlqpIgDi+I1Mn8A1r5xtOEA+gIXYggGt4nMA40fA5/gYIFWiNRjWBKaXZPIHg1VVsL5tWeYpzoPIiuiKtVR6qihuBsInXYqtLs9bRq2oucxE7USLYLfahRF2RztjTN3MTf1s5ovFf9NqenrHprqvo1VrrYpokDr1WPMFdWGtQWcFiZ70naVvRvAylYIPJtaFlbG/wMmNCGzpLoBksmTIp1PBlJRKUbjJS1SKmmzVUFi1QUfS0NpK8rwUZDN1GjyRslveJclaQMwUFM+SMqsJXM9RY/j0Mx3XOSsilsQ6hSAab6BOsb5BLTkKpOm08BBPpOHdRVlyuYdBYcC//ZrKOVtT7jnvM8tD5jLDfmYI53JKS9gstbN5ixbzuNwNJDpIzjc0ZmtH90mMBJaLrqpLKkGHhUUJWC2oIM6RSMBvbCg8Iy71PE4oQ473V0UIgTPjK7iN1oTkTqTvyd6Da0bo4NTFyDmYBarL5vl7IenCjESJgCaptR2QkqajSQN6AodgR3J1V2rLg2Ws51y+uXNrrc3LuW3ydELMIdCnCYsDvwbc+RtiCvAXzGzMCdHidh5s6CfNm2LK7PUU4uJusBqryxYQJFsSHPXePUF+7Jz6xFwYGQ7zgtBbY63deYx/Xpoh7uIB7r177jjmlL8fdzqktwu37F48Y+3Yhsog5TXervIrDkg9wa/BUjLkLjtGNekQgbRrXvcUO1YKPdLzE6rkJ24Fj/VwNhij4XIM2O4p2Hx6tfP9a+U5lwLY8blQnsfseqTbudNudsguTQ4RvY1t/xwrt+pfgzGP2/t/f39AOdnneCAUcO7w30GqIF8R7zy1sL5cp1UBcuHaLhgxOVbtK/hePg1e0reBb5FK58vVBNhJCNdEA2O6M7u5XpajQND9Ce99BhWk3tEC1d7Np8lphB7RdoCtQJXPqxrFAb4Z0jTnYknGYA+GwBE6o1mwu3MJt+vWHtz6WZH5E+Y3j79jp00fp9GyR1YJ9rqHfJpGGD18H72EVEw/rgtJoNKxwBzKXQgDGVpAVM4sxQUFIIDOk1dgVHJRedG/TwrIT5Ul7RXE5ZznlxCIYMX0QxeOiw6FG2jQ+Hu+qxVqH4XXC2VayF9Ua+4KnnFGdLWRym8AZca25hr1UNk2NrFTstuAJ1wMg7tBYtHin+UYsOQeqJqdcS2uIb523c3wsJ7/6X0zIqVi3/zegbtCW18IQWkxyWVa1ARUWw0nc+HZi6cyzr/prgT0WtxaEmX/WL7/7/q/W9j3vLEfDsa+CsP0+zeK+mN3V
cUPXoMi/tD45/cLDQHDhUx87/yf9nhcbzFu7fud6HBi8vE+2fd1vmGLHmZC37z5c2LmDAuc8QX9pwXSuoKIiX1ut0qtnvB8LQpBDJ+TDm1/IpTA/vDwhl2/PL/7zF/LxUpiffyTPVos1EcDMAhTJF1L7VmlSKcgNfuv7n//n//f86yBHwCwSyrg+P1CmTkoabsejE+++ex7za7cXLxtQ4SNePC3QXdm0B/mBBePufMGH8PYU04118okpU1NOXp++DYL9QwpI58s6bGf8HylgEuathfvFiFCcyH7hiUvwFO/gHeswpwZW9BFapOPuviKnRaHQT+t2eQhOe/XmZXXoO+dD30Iuz95cuVtp9HmspPqIrx9bTiWnqfq7m1xeWSgj3i/LwwM7QUThoR17nIeNJpa57lrHFRAduLQomP0y5ZsH204v//A9d8QNYE1CPODSn/Dz7S0wgLKJtU6i1931SqPkrUd4JZVpRfJA6Bb4wIYLwMx6v+TVR+a9mw8T8+Yyaab1ZozxAkJ247G8uB4dWr5Ua5kzq3I6v9FAxyFWLisq5jBpTadcihmb1woKMl0jTRAFRg2F5Ux1YOmBQdLoiLYcHHSWoN4Bj6j7d1O4ojsAFJTSQOYju+PHGcVnbSF0RjMXip+AdGVUGuKzBFtiliBbmKc4Dqnqn1QJmEqLrPHEpVPL+xa8ncekP1rXmfAIGuyFWYASYMiHdQUn5GNzjb1GB9gP5KpxgA1ugndjmlrTqucIysSIadyA9n7xE0I5DyoT1eaLGOBGFQbmLUHZO5AJI4k2eJkzQT5ejgqUHANkk8mr6CLbEpVVgrZvlrACHTui15JNkOLibsTYoejob0+A1rVWyDiIefROkYjZKh8JtdARDdSpPJR3HmAEyTGcYEYoeSXViqpi2KebkNM5BnspQu2Jv8VYuimYFYAIq56Rqybe941bGsq7T3UODMGS8RgZMZghEz7OFcMSSmasWPItNsJTXHIqjvGOfwcHZRMg0nFRDia47bLcvKQsrQU7RwN2++aJ/VIJOVYhWMarB3e3F3uqDMtrThXBetGkAfHs4vaX13IuZ7Nw93fIM7OA5Mu7BfaDHdCdxg7uC4vbwj2tzQKE8cHio7B1HbNywt0CetyQ49A/alCjgGVtcnlcTvshxwFf13kOWo9gxsrjhxVHOyzwBHERq+LOpVqTQGLCANsxhNMWRuhhtFIJH/h0JYW9V6zcCimH7Q/JQFHantUyXj26kXuTEle1FHMGOIOinY/3w/T0YSaIZqYOyE+CyQXgRbSnuqCa0EJW9nYxC2CKyJXYLJljnKG3UshyJK4We3Jo5krUH1eJsMo9E4WVP1LplgGUvGIcyKkHNhmw4S7OXtFOzJ3J0YDxdv6PEq4wyoJrH7UQlwuhOQYYETPf/QGMcPF61z5fIzYnxgNCpzJl9kBg8lNY0CWTNWqXuSwrJUs2EqEIxwZ3IeiUYxLZjJztxsbEshU7CUH2EW5pnSQIYAth1OYyBwAMjN/iS726nVt2c95Gt90mzbIWpp/OFlujLzANPMsPMevvpAXhfTwHAYrlzZSQIRjo1w8tYGaBV22otxvxYCf59xNt1PjjZzOnQ8puPdqcXu6ek1cv3FgJ5xU0TVsj3LAStJXrTttTUMHoI5JfhWhFIfYuBBYefOAyqDturUNqdz/a1vrhbnP6PtPRmpzeeWreYbxvhoO54Yw3AuEOwuDLnd3LvbNTR107d9CizE3tX7lotVSPI0D2yPFWgHy52/GH/UsWq7XBcZbsbvJRHVWCxDxjd5AfR92OMec22IytUo8paD0/dfTMndosshLMQj7CKwnd8iQTB8N/bXTBsZaSkkm9Tjtedd5L7v21FsiOfZnIE/Kfk5+++448e31+evWcnDNtmJjXTC+gwFT4IBYu5zJ5XaBdL2EYLTtzOPwy4xdHIsaUTOxV3JX/aVc1hKA9MeiRj9b0+T7HJcew/zbvt+P4Q0yhN1MqQmXSN5FilMeq
TtebyHtasFq7EYhURLOScaqceLJi056hHO/1cHoVnnPNimNWGulGyn+0G6HxIvbqYm4Oebo8i1Ox66zjs4bPNOz4f72TCD8Z7AXvuIFOWkYRdmVKlTIwYPBkg6yWak4F+2NHVLVItxXuyuwDON3dUyPsnjEVzCVNVPXnlR0ObwtX4svVLtqKav4VKDeLnCoglYJClkzQYMJdRzxdUcNAGL03PJ7TY872NX3UybrSj1Al2rj26HxtBVdFlcFiSJup7harRyx25IXNXSTqDApQ1ECRRQsq27E/rPB51YzYPp5dKblkRVs8zH+PVhX3mupgY/jiP/Za29ZpwwrOZpKsONIs2yF9rT+zHplmsHkoRk4umXs9X/QV95EScK3SGbMp+H01T7hFnanzo04m9DwwUaejosZKNdFGKifxLbUSDMXRvsZvTey3vg7PvmRFweF4Uu4NjndXORdY3o7cO0jONe0xjjPdKz9ap8KQWDevsyek4tQumb2fpSIgcrWuxrz8GAp5BHvyDhF0qrUtf5XakDc0XzAxYtIVNJHk+KrP648CI/0rBVZ8WP3IFTnTE/K6oBX5hP/j9KNCCpd3+s/h5UkWdAlWc+JAFflcg1oTrEGoKyk0NBpVODnVzjfD3xxHXvoaeLmlrFhTBVK46bu6fOM4mykdAepmA733xVHvihS7PKV1mPX3eFNaequIkbUN/cXLNFG1EEE7Vp+0N497eXZlpEZy7DzFzFuY6ReCkhUThVxpoivI2Yzl9pOTUJ6gj5MdHhA7PYd3E3NDnmFFWBD55hrCp8vnHW6RWuA9/hrmNF+Tj3q78G37Alv2E2mjR9faEY5gsI/c9l1TC6FgrhpuMnsjDjje1gEIZP9vZZpiOs+QfdvTTq9Qj1Xndep1YMY4w+BG8785YLLHiesdm6qP8PWu90bWXeDUx6uADmdzHIdd+2CwvTabgEy3DIMVChek2J/8jGkDMVsCjma44ZQLmDHhffUonLCqX0mrkaKDiO6gRLFE2DYOmJ76F1swtj7b1HP3tZRGalO2PmxjaL4oj1wCfzMqMpwMrKPuciRp8jJlIl4Hsahnw04ZkwrTXp4BIdVN28FlcWW0N+n9ga6dA9Rp7749qCuqmj1l/3yymcpqwQal1Ik9HdaWdcHvd5qeid6zxJW1kGqdbsH/pisq/m1vxZgGyHYV9UY9D11Nli1/e4HU98zt0VSiwayaeuu7ZzW6CzIQRsnqENFRyHo6cC7caY/7Ma21DXvSERCjy+447jk8k2VFxbo9j3jssJ2+s1eWoOw1lDExk2GlgOqb1DlCe+RHz4pskK0gbVX02edUMQKvas7X5D9qytmMQUHOMe/ZOQeDUFYwzXIpb9gjPbr/BlPixt/Yz5SPafPRq81unsOr2qDKfWAL0/1n/X07hO+y493Rzic/IR/WlZv6xnNgmeNWcHzxFMyyqMVke7AtBueIUF/rUNnaPphjuOpa5XIbnfMsVlI13n58Yn7/emTJO7VyIm+nhhdV2j5EO1hhR97ruW9gKikTaSLboOw4dj1IRU3YNZmLjOqYr/0dwsqn00emXCsecZk7VCOuSmuMZrWK5Q3p0NSgMjqPZ1NuSEe/nrZJRw1/3Cbtd30CwQK3BgSqVvGNE0s/2m5uFb2Fgl6oTGyNyg1xjFzCLZn7AYdF9eqF/+8zD+GF/w8f1xRy+1MOKhyd56fziK/nbjLdx3P0uHZarQ2mU/iGaNakYmIGSo28uw7nfZR5dRX/vawPumePALKpSzzrLEPgSOGztkx6pAJDHG37Xbh3e7vtPmAEser+6R8wDNAab/jJqgWo4/gjrM7uI56enWHrx+fkDMcPQwNljlQsZYTPZ6B880/YisLcUZwXkj4ddxjZWXA76Ne6Uyl650qzPw71St6/NEp4tck1+yPsrWE3iWTK5T8uiIC5NMwtYLWgeqQDlM6PXVaos5Ru8PHmgnapk3WAGgS49PZYUzi9yb8JB6RoNj9GRsV2faO2
6+GH0UbLVpowrevoSidSxmCpdN66h72hIEJQKqkPdLAoXel5YQcn1/g4vUs6HSVCoq0M7l+Rn11jaOfuy6gjPQ8DeX/puQPjuAjVmmfLlDd6/0nVO7KDYIrMbj1aRy/TqFMRZjfgLepExQ2+2rQr6V5IKFt/JBrf66Qil9en/3hzRa7sPUXeiZHuKxu0iTKpD0H7YSXDaFEM5QvIb/RBTuS7CeG0NchCTefaep1tiTAMA/UtCDdScIeWC4oNikI+gpLrcLRVQUaNBsRsqKmP1uGzi3JJOSvcRgyA6AvCo1W13iUIkWM3sNZ9sR1p5zcBpJFpL4ypdMawB20S0riUKRiS0ydwmthcNJkvUjGz3nOiclmWSevE3RG3w+EdQuEU/BVTwPuWZmwXy4pTkWn9WA1v7chOhv/mZ9vkaAXRulTjrJLsGGHVIcAOAUEECCpsDSBb8wUVYlA4I3W5KT8qAhl5sz1S2eb2YvE9D397ffrW33svesO3F4qRqu/7j16zjembbCl5nYoBp00fZ+H73LSdsZt2vrVgRpNnDoR+jtU6MLG36ajbI08QdHA2vE4kzV57rB8FMz5cYLKddLAEhZECs5qTXIocKmMN5Wu3hiPlFVarlNLXMd4a7E0LbQu0ksoQafn767+fhkJwg2yPve+kmh8/wLKfYLDlYp1SV+wkWCjm7xfvri6vyBt6WzJRtG29w8tq53b0MMytJooj0/LTGMxu17Ra9Smcshg9PNtlOWaz4yVsPnYSfjPl5GrHlrPMS+XLc1+l16PYiZAfb1EeuVZAM+Pyv3zecJuYI4qhJhn7dKO/xJrQjxTd6NtVoxXfPuqWLrn3hOg6EKJONfmbNkqK+b9NOc1vONMGir+98H87aT9lYgZ5+KMZU7CiPKjI0Cnv/IZQURAtyci2VDBn2qi1teyPKSwqaha+WH+LgfQxDECiU+pYMF0itMvXyqXqVCFv9ckWOQij1n/5vwEAAP//HijnmA==" } diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 94cd0b8b7bd..21dc57d3315 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -35,6 +35,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.233.123.123" 
@@ -79,6 +85,12 @@ "log.offset": 200, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -122,6 +134,11 @@ "log.offset": 381, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -168,6 +185,12 @@ "log.offset": 545, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "Inside", + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.ingress.interface.name": "Outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -207,6 +230,10 @@ "input.type": "log", "log.level": "critical", "log.offset": 734, + "observer.hostname": "SNL-ASA-VPN-A01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.123.123.123", "10.123.123.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 37b0b3de1b6..b1b3a633ad1 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json 
@@ -1,7 +1,12 @@ [ { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8256, "event.action": "firewall-rule", "event.category": [ "network" @@ -21,9 +26,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1772, "tags": [ "cisco-ftd", "forwarded" @@ -31,7 +51,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11757", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1772, + "cisco.ftd.mapped_source_ip": "100.66.205.104", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1772, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -51,9 +81,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.104", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.104", + "source.ip": "100.66.205.104", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -94,6 +140,12 @@ "network.bytes": 38110, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -144,6 +196,12 @@ "network.bytes": 44010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -194,6 +252,12 @@ "network.bytes": 7652, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -244,6 +308,12 @@ "network.bytes": 7062, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -294,6 +364,12 @@ "network.bytes": 5738, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -344,6 +420,12 @@ "network.bytes": 4176, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -394,6 +476,12 @@ "network.bytes": 1715, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -444,6 +532,12 @@ "network.bytes": 45595, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -494,6 +588,12 @@ "network.bytes": 27359, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -544,6 +644,12 @@ "network.bytes": 4457, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -594,6 +700,12 @@ "network.bytes": 26709, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -644,6 +756,12 @@ "network.bytes": 22097, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -694,6 +812,12 @@ "network.bytes": 2209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -744,6 +868,12 @@ "network.bytes": 10404, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -794,6 +924,12 @@ "network.bytes": 123694, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -844,6 +980,12 @@ "network.bytes": 35835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -894,6 +1036,12 @@ "network.bytes": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -911,7 +1059,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1188, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -931,9 +1084,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 3552, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" @@ -941,7 +1109,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11758", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.80.32", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -961,9 +1139,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 3703, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.80.32", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.80.32", + "source.ip": "100.66.80.32", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -1004,6 +1198,12 @@ "network.bytes": 148, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1021,7 +1221,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11759", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.252.6", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1041,9 +1251,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 4071, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.6", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.6", + "source.ip": "100.66.252.6", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -1084,6 +1310,12 @@ "network.bytes": 164, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1101,7 +1333,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8257, "event.action": "firewall-rule", "event.category": [ "network" @@ -1121,9 +1358,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 4439, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1773, "tags": [ "cisco-ftd", "forwarded" @@ -1131,7 +1383,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11760", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1773, + "cisco.ftd.mapped_source_ip": "100.66.252.226", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1773, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1151,9 +1413,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 4589, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1161,7 +1439,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8258, "event.action": "firewall-rule", "event.category": [ "network" @@ -1181,9 +1464,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 4784, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1774, "tags": [ "cisco-ftd", "forwarded" 
@@ -1191,7 +1489,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11761", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1774, + "cisco.ftd.mapped_source_ip": "100.66.252.226", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1774, "event.action": "firewall-rule", "event.category": [ "network" @@ -1211,9 +1519,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 4934, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.252.226", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.252.226", + "source.ip": "100.66.252.226", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -1221,7 +1545,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11762", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.238.126", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1241,9 +1575,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 5129, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.238.126", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.238.126", + "source.ip": "100.66.238.126", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" @@ -1251,7 +1601,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11763", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.93.51", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" @@ -1271,9 +1631,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 5326, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.93.51", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.93.51", + "source.ip": "100.66.93.51", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -1314,6 +1690,12 @@ "network.bytes": 111, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1364,6 +1746,12 @@ "network.bytes": 237, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -1381,7 +1769,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8259, "event.action": "firewall-rule", "event.category": [ "network" @@ -1401,9 +1794,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 5871, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1775, "tags": [ "cisco-ftd", "forwarded" 
@@ -1411,7 +1819,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11764", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1775, + "cisco.ftd.mapped_source_ip": "100.66.225.103", + "cisco.ftd.mapped_source_port": 443, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1775, "event.action": "firewall-rule", "event.category": [ "network" @@ -1431,9 +1849,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 6021, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.225.103", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.225.103", + "source.ip": "100.66.225.103", + "source.port": 443, "tags": [ "cisco-ftd", "forwarded" @@ -1441,7 +1875,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1189, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -1461,9 +1900,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6218,
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 56132,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1471,7 +1925,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11772",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.240.126",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1491,9 +1955,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6369,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.240.126",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.240.126",
+ "source.ip": "100.66.240.126",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1501,7 +1981,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11773",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.44.45",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1521,9 +2011,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 6566,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.44.45",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.44.45",
+ "source.ip": "100.66.44.45",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1564,6 +2070,12 @@
 "network.bytes": 87,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1614,6 +2126,12 @@
 "network.bytes": 221,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1631,7 +2149,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8265,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1651,9 +2174,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7110,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1452,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1661,7 +2199,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11774",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1452,
+ "cisco.ftd.mapped_source_ip": "100.66.179.219",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1452,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1681,9 +2229,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7260,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.179.219",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.179.219",
+ "source.ip": "100.66.179.219",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1691,7 +2255,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11775",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.157.232",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1711,9 +2285,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7455,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.157.232",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.157.232",
+ "source.ip": "100.66.157.232",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1721,7 +2311,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11776",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.178.133",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1741,9 +2341,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 7652,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.178.133",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.178.133",
+ "source.ip": "100.66.178.133",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1784,6 +2400,12 @@
 "network.bytes": 101,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1834,6 +2456,12 @@
 "network.bytes": 126,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1851,7 +2479,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8266,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1871,9 +2504,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8203,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1453,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1881,7 +2529,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11777",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1453,
+ "cisco.ftd.mapped_source_ip": "100.66.133.112",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1453,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1901,9 +2559,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8353,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.133.112",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.133.112",
+ "source.ip": "100.66.133.112",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -1944,6 +2618,12 @@
 "network.bytes": 862,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -1961,7 +2641,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11779",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.204.197",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -1981,9 +2671,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 8733,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.204.197",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.204.197",
+ "source.ip": "100.66.204.197",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2024,6 +2730,12 @@
 "network.bytes": 104,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -2074,6 +2786,12 @@
 "network.bytes": 176,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -2091,7 +2809,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8267,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2111,9 +2834,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9284,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1454,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2121,7 +2859,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11780",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1454,
+ "cisco.ftd.mapped_source_ip": "100.66.128.3",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1454,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2141,9 +2889,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9434,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.128.3",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.128.3",
+ "source.ip": "100.66.128.3",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2151,7 +2915,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8268,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2171,9 +2940,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9625,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1455,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2181,7 +2965,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11781",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1455,
+ "cisco.ftd.mapped_source_ip": "100.66.128.3",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1455,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2201,9 +2995,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9775,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.128.3",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.128.3",
+ "source.ip": "100.66.128.3",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2211,7 +3021,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8269,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2231,9 +3046,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 9966,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1456,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2241,7 +3071,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11782",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1456,
+ "cisco.ftd.mapped_source_ip": "100.66.128.3",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1456,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2261,9 +3101,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10116,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.128.3",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.128.3",
+ "source.ip": "100.66.128.3",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2271,7 +3127,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11783",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.100.4",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2291,9 +3157,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10307,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.100.4",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.100.4",
+ "source.ip": "100.66.100.4",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2334,6 +3216,12 @@
 "network.bytes": 104,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -2351,7 +3239,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8270,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2371,9 +3264,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10675,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1457,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2381,7 +3289,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11784",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1457,
+ "cisco.ftd.mapped_source_ip": "100.66.198.40",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1457,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2401,9 +3319,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 10825,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.198.40",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.198.40",
+ "source.ip": "100.66.198.40",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2411,7 +3345,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8271,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2431,9 +3370,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11018,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1458,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2441,7 +3395,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11785",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1458,
+ "cisco.ftd.mapped_source_ip": "100.66.198.40",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1458,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2461,9 +3425,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11168,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.198.40",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.198.40",
+ "source.ip": "100.66.198.40",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2471,7 +3451,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11786",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 56132,
+ "cisco.ftd.mapped_source_ip": "100.66.1.107",
+ "cisco.ftd.mapped_source_port": 53,
 "cisco.ftd.message_id": "302015",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 56132,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2491,9 +3481,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11361,
+ "network.direction": "outbound",
+ "network.iana_number": 17,
+ "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.1.107",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.1.107",
+ "source.ip": "100.66.1.107",
+ "source.port": 53,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2534,6 +3540,12 @@
 "network.bytes": 593,
 "network.iana_number": 6,
 "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -2551,7 +3563,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8272,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2571,9 +3588,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11738,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1459,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2581,7 +3613,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11787",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1459,
+ "cisco.ftd.mapped_source_ip": "100.66.198.40",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1459,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2601,9 +3643,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 11888,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.198.40",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.198.40",
+ "source.ip": "100.66.198.40",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2644,6 +3702,12 @@
 "network.bytes": 375,
 "network.iana_number": 17,
 "network.transport": "udp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
 "related.ip": [
@@ -2661,7 +3725,12 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.destination_interface": "outside",
 "cisco.ftd.message_id": "305011",
+ "cisco.ftd.source_interface": "inside",
+ "destination.address": "100.66.98.44",
+ "destination.ip": "100.66.98.44",
+ "destination.port": 8273,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2681,9 +3750,24 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12256,
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "inside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "outside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "172.31.98.44",
+ "100.66.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "172.31.98.44",
+ "source.ip": "172.31.98.44",
+ "source.port": 1460,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2691,7 +3775,17 @@
 },
 {
 "@timestamp": "2018-10-10T12:34:56.000-02:00",
+ "cisco.ftd.connection_id": "11788",
+ "cisco.ftd.destination_interface": "inside",
+ "cisco.ftd.mapped_destination_ip": "172.31.98.44",
+ "cisco.ftd.mapped_destination_port": 1460,
+ "cisco.ftd.mapped_source_ip": "100.66.192.44",
+ "cisco.ftd.mapped_source_port": 80,
 "cisco.ftd.message_id": "302013",
+ "cisco.ftd.source_interface": "outside",
+ "destination.address": "172.31.98.44",
+ "destination.ip": "172.31.98.44",
+ "destination.port": 1460,
 "event.action": "firewall-rule",
 "event.category": [
 "network"
@@ -2711,9 +3805,25 @@
 "input.type": "log",
 "log.level": "informational",
 "log.offset": 12406,
+ "network.direction": "outbound",
+ "network.iana_number": 6,
+ "network.transport": "tcp",
+ "observer.egress.interface.name": "outside",
+ "observer.hostname": "localhost",
+ "observer.ingress.interface.name": "inside",
+ "observer.product": "ftd",
+ "observer.type": "firewall",
+ "observer.vendor": "Cisco",
 "process.name": "CiscoASA",
 "process.pid": 999,
+ "related.ip": [
+ "100.66.192.44",
+ "172.31.98.44"
+ ],
 "service.type": "cisco",
+ "source.address": "100.66.192.44",
+ "source.ip": "100.66.192.44",
+ "source.port": 80,
 "tags": [
 "cisco-ftd",
 "forwarded"
@@ -2741,6 +3851,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 12599, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2751,7 +3865,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8277, "event.action": "firewall-rule", "event.category": [ "network" @@ -2771,9 +3890,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 12769, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1385, "tags": [ "cisco-ftd", "forwarded" @@ -2781,7 +3915,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11797", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.156.80", + "cisco.ftd.mapped_destination_port": 1385, + "cisco.ftd.mapped_source_ip": "100.66.19.254", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1385, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -2801,9 +3945,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 12920, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.19.254", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.19.254", + "source.ip": "100.66.19.254", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -2831,6 +3991,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13115, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2861,6 +4025,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13285, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2891,6 +4059,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13455, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2921,6 +4093,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13625, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", 
@@ -2951,6 +4127,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13795, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -2981,6 +4161,10 @@ "input.type": "log", "log.level": "informational", "log.offset": 13965, + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "service.type": "cisco", @@ -3024,6 +4208,12 @@ "network.bytes": 575, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3074,6 +4264,12 @@ "network.bytes": 5391, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3091,7 +4287,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8278, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3111,9 +4312,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 14509, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.156.80", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.156.80", + "source.ip": "172.31.156.80", + "source.port": 1386, "tags": [ "cisco-ftd", "forwarded" @@ -3121,7 +4337,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11798", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.156.80", + "cisco.ftd.mapped_destination_port": 1386, + "cisco.ftd.mapped_source_ip": "100.66.115.46", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.156.80", + "destination.ip": "172.31.156.80", + "destination.port": 1386, "event.action": "firewall-rule", "event.category": [ "network" @@ -3141,9 +4367,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 14660, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.115.46", + "172.31.156.80" + ], "service.type": "cisco", + "source.address": "100.66.115.46", + "source.ip": "100.66.115.46", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -3181,6 +4423,12 @@ "log.offset": 14855, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3228,6 +4476,12 @@ "log.offset": 15020, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3275,6 +4529,12 @@ "log.offset": 15185, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3322,6 +4582,12 @@ "log.offset": 15350, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3369,6 +4635,12 @@ "log.offset": 15515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3416,6 +4688,12 @@ "log.offset": 15680, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3463,6 +4741,12 @@ "log.offset": 15845, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3510,6 +4794,12 @@ "log.offset": 16010, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3557,6 +4847,12 @@ "log.offset": 16175, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3604,6 +4900,12 @@ "log.offset": 16340, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ 
@@ -3651,6 +4953,12 @@ "log.offset": 16505, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3698,6 +5006,12 @@ "log.offset": 16670, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3745,6 +5059,12 @@ "log.offset": 16835, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, "related.ip": [ @@ -3762,7 +5082,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8279, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3782,9 +5107,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 17000, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1275, "tags": [ "cisco-ftd", "forwarded" @@ -3792,7 +5132,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11799", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 1275, + "cisco.ftd.mapped_source_ip": "100.66.205.99", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 1275, "event.action": "firewall-rule", "event.category": [ "network" @@ -3812,9 +5162,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 17150, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.205.99", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.205.99", + "source.ip": "100.66.205.99", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -3822,7 +5188,12 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 1190, "event.action": "firewall-rule", "event.category": [ "network" @@ -3842,9 +5213,24 @@ "input.type": "log", "log.level": "informational", "log.offset": 17343, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "172.31.98.44", + "100.66.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 56132, "tags": [ "cisco-ftd", "forwarded" @@ -3852,7 +5238,17 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.connection_id": "11800", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "172.31.98.44", + "cisco.ftd.mapped_destination_port": 56132, + "cisco.ftd.mapped_source_ip": "100.66.14.30", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "destination.port": 56132, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -3872,9 +5268,25 @@ "input.type": "log", "log.level": "informational", "log.offset": 17494, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.ip": [ + "100.66.14.30", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "100.66.14.30", + "source.ip": "100.66.14.30", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index b18307a7571..ae2b729ada8 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -76,6 +76,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -175,6 +181,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -272,6 +284,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -371,6 +389,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -469,6 +493,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -566,6 +596,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -666,6 +702,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -763,6 +805,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -861,6 +909,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -960,6 +1014,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1060,6 +1120,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "205.251.196.144" @@ -1153,6 +1219,12 @@ "network.iana_number": 6, "network.protocol": "dns", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -1251,6 +1323,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1348,6 +1426,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1446,6 +1530,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1545,6 +1635,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1642,6 +1738,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -1739,6 +1841,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1836,6 +1944,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1931,6 +2045,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2030,6 +2150,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index 4397eb76e17..2364b5ed1a1 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json 
@@ -21,6 +21,10 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json index 3540a3f6a15..605eba1e2a7 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json @@ -11,6 +11,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 0, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -31,6 +34,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 194, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -51,6 +57,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 386, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ChangeReconciliation.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -71,6 +80,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 568, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -91,6 +103,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 774, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "lights_out_mgmt.cgi", "service.type": "cisco", "syslog.facility": 14, 
@@ -111,6 +126,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 943, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -131,6 +149,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1072, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -151,6 +172,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1191, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -171,6 +195,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1316, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -191,6 +218,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1440, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -211,6 +241,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1575, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -231,6 +264,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1721, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, 
@@ -251,6 +287,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1867, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -271,6 +310,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 1984, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -291,6 +333,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2128, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -311,6 +356,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2285, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -331,6 +379,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2436, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -351,6 +402,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2580, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -371,6 +425,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2737, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -391,6 +448,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 2888, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, 
@@ -411,6 +471,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3032, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -431,6 +494,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3143, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -451,6 +517,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3267, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -471,6 +540,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3440, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -491,6 +563,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3564, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ActionQueueScrape.pl", "service.type": "cisco", "syslog.facility": 14, @@ -511,6 +586,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3739, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -531,6 +609,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 3874, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, 
@@ -551,6 +632,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4002, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "sfdccsm", "service.type": "cisco", "syslog.facility": 14, @@ -571,6 +655,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4113, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -591,6 +678,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4238, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "index.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -611,6 +701,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4357, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "mojo_server.pl", "service.type": "cisco", "syslog.facility": 14, @@ -631,6 +724,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4492, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -651,6 +747,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4686, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, @@ -671,6 +770,9 @@ "input.type": "log", "log.level": "debug", "log.offset": 4870, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "platformSettingEdit.cgi", "service.type": "cisco", "syslog.facility": 14, diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index ba0bb71f417..83616ceec8b 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -56,6 +56,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -132,6 +138,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -204,6 +216,12 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -276,6 +294,12 @@ "message": "APP-DETECT failed FTP login attempt", "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index 2b46be5b166..e2939392ef5 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json 
@@ -31,6 +31,10 @@ "message": "Intrusion attempt", "network.application": "webserver", "network.protocol": "http", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "related.ip": [ @@ -71,6 +75,10 @@ "log.level": "debug", "log.offset": 150, "message": "Some message here (1:36330:2).", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "service.type": "cisco", @@ -106,6 +114,10 @@ "log.level": "debug", "log.offset": 247, "message": "Some message here (1:36330:2)", + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "service.type": "cisco", @@ -153,6 +165,10 @@ "This one has a type id", "And two messages" ], + "observer.hostname": "beats", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 36a494d8f89..90fd65d46cd 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -30,6 +30,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "LB-DMZ", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "203.0.113.42" ], 
@@ -71,6 +76,10 @@ "log.offset": 201, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "localhost", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -98,7 +107,6 @@ "destination.address": "172.24.177.3", "destination.domain": "example.org", "destination.ip": "172.24.177.3", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -123,6 +131,12 @@ "log.offset": 360, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "eth0", + "observer.hostname": "localhost", + "observer.ingress.interface.name": "wan", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 05fc4af2cbc..371218e511b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -30,6 +30,11 @@ "log.offset": 0, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" @@ -74,6 +79,11 @@ "log.offset": 139, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "dmz", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.30", "192.0.0.8" 
@@ -119,6 +129,11 @@ "log.offset": 294, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.2.16", "192.0.0.89" @@ -164,6 +179,12 @@ "log.offset": 465, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -209,6 +230,12 @@ "log.offset": 632, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "INT-FW01", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -224,7 +251,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 12834, "event.action": "firewall-rule", "event.category": [ "network" @@ -243,7 +275,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 812, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4952, "tags": [ "cisco-ftd", "forwarded" 
@@ -251,7 +297,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743274", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.3.42", + "cisco.ftd.mapped_destination_port": 12834, + "cisco.ftd.mapped_source_ip": "192.0.2.43", + "cisco.ftd.mapped_source_port": 443, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.port": "12834", + "destination.port": 4952, "event.action": "firewall-rule", "event.category": [ "network" @@ -270,7 +327,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 938, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.43", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.43", + "source.ip": "192.0.2.43", + "source.port": 443, "tags": [ "cisco-ftd", "forwarded" @@ -278,7 +350,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 25882, "event.action": "firewall-rule", "event.category": [ "network" 
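Review bot: In hunk `@@ -251,7 +297,18 @@` the new `"destination.nat.port": "12834"` is a quoted string while the neighbouring `"destination.port": 4952` and `"cisco.ftd.mapped_destination_port": 12834` are numbers; ECS defines `destination.nat.port` as `long`, so the string form relies on Elasticsearch coercing numeric strings on index and is inconsistent with every other port field this commit emits. The same string-typed value recurs in the later hunks as `"45392"`, `"25882"` and `"10879"`. The conversion belongs in the pipeline that sets the field (outside this diff); once it is made, the expected line should read `"destination.nat.port": 12834,`.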
@@ -297,7 +374,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 1110, + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.1.35", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.1.35", + "source.ip": "10.123.1.35", + "source.port": 52925, "tags": [ "cisco-ftd", "forwarded" @@ -305,7 +396,18 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743275", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.1.35", + "cisco.ftd.mapped_destination_port": 25882, + "cisco.ftd.mapped_source_ip": "192.0.2.43", + "cisco.ftd.mapped_source_port": 53, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.1.35", + "destination.ip": "10.123.1.35", + "destination.nat.port": "25882", + "destination.port": 52925, "event.action": "firewall-rule", "event.category": [ "network" @@ -324,7 +426,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 1237, + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "10.123.1.35" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.nat.ip": "192.0.2.43", + "source.port": 53, "tags": [ "cisco-ftd", "forwarded" 
@@ -332,7 +450,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.0.2.130", + "destination.ip": "192.0.2.130", + "destination.port": 45392, "event.action": "firewall-rule", "event.category": [ "network" @@ -351,7 +474,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 1405, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.123.3.42", + "192.0.2.130" + ], "service.type": "cisco", + "source.address": "10.123.3.42", + "source.ip": "10.123.3.42", + "source.port": 4953, "tags": [ "cisco-ftd", "forwarded" @@ -359,7 +496,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743276", + "cisco.ftd.destination_interface": "outside", + "cisco.ftd.mapped_destination_ip": "10.123.3.130", + "cisco.ftd.mapped_destination_port": 45392, + "cisco.ftd.mapped_source_ip": "192.0.2.1", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.123.3.42", + "destination.ip": "10.123.3.42", + "destination.nat.ip": "10.123.3.130", + "destination.nat.port": "45392", + "destination.port": 4953, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -378,7 +527,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 1531, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.1", + "10.123.3.42" + ], "service.type": "cisco", + "source.address": "192.0.2.1", + "source.ip": "192.0.2.1", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" @@ -418,6 +582,11 @@ "network.bytes": 140, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -467,6 +636,11 @@ "network.bytes": 9999999, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.123.1.35" @@ -508,6 +682,10 @@ "log.offset": 2012, "network.iana_number": 1, "network.transport": "icmp", + "observer.hostname": "FJSG2NRFW01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -522,7 +700,12 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305011", + "cisco.ftd.source_interface": "inside", + "destination.address": "192.0.0.130", + "destination.ip": "192.0.0.130", + "destination.port": 10879, "event.action": "firewall-rule", "event.category": [ "network" 
@@ -541,7 +724,21 @@ "input.type": "log", "log.level": "informational", "log.offset": 2167, + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.3.42", + "192.0.0.130" + ], "service.type": "cisco", + "source.address": "192.168.3.42", + "source.ip": "192.168.3.42", + "source.port": 4954, "tags": [ "cisco-ftd", "forwarded" @@ -549,7 +746,19 @@ }, { "@timestamp": "2013-04-29T12:59:50.000-02:00", + "cisco.ftd.connection_id": "89743277", + "cisco.ftd.destination_interface": "inside", + "cisco.ftd.mapped_destination_ip": "10.0.0.130", + "cisco.ftd.mapped_destination_port": 10879, + "cisco.ftd.mapped_source_ip": "192.0.0.17", + "cisco.ftd.mapped_source_port": 80, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.3.42", + "destination.ip": "192.168.3.42", + "destination.nat.ip": "10.0.0.130", + "destination.nat.port": "10879", + "destination.port": 4954, "event.action": "firewall-rule", "event.category": [ "network" @@ -568,7 +777,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 2293, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.0.17", + "192.168.3.42" + ], "service.type": "cisco", + "source.address": "192.0.0.17", + "source.ip": "192.0.0.17", + "source.port": 80, "tags": [ "cisco-ftd", "forwarded" 
@@ -604,6 +828,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.0.66", "10.1.2.60" @@ -648,6 +875,11 @@ "log.offset": 2567, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -692,6 +924,11 @@ "log.offset": 2726, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -736,6 +973,11 @@ "log.offset": 2887, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -780,6 +1022,11 @@ "log.offset": 3048, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -824,6 +1071,11 @@ "log.offset": 3209, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" 
@@ -868,6 +1120,11 @@ "log.offset": 3370, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -912,6 +1169,11 @@ "log.offset": 3531, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -956,6 +1218,11 @@ "log.offset": 3692, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1000,6 +1267,11 @@ "log.offset": 3851, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.13", "192.168.33.31" @@ -1044,6 +1316,11 @@ "log.offset": 4008, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1087,6 +1364,10 @@ "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.2.42" 
@@ -1130,6 +1411,9 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.66", "10.1.5.60" @@ -1174,6 +1458,11 @@ "log.offset": 4387, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1218,6 +1507,11 @@ "log.offset": 4546, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1262,6 +1556,11 @@ "log.offset": 4707, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1306,6 +1605,11 @@ "log.offset": 4866, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1350,6 +1654,11 @@ "log.offset": 5022, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" 
@@ -1394,6 +1703,11 @@ "log.offset": 5178, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1438,6 +1752,11 @@ "log.offset": 5325, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.126", "10.0.0.132" @@ -1482,6 +1801,11 @@ "log.offset": 5472, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.46", "192.0.0.88" @@ -1526,6 +1850,11 @@ "log.offset": 5635, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.89" @@ -1571,6 +1900,11 @@ "log.offset": 5796, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.0.16", "192.0.0.99" 
@@ -1586,7 +1920,17 @@ }, { "@timestamp": "2018-12-11T08:01:24.000-02:00", + "cisco.ftd.connection_id": "447235", + "cisco.ftd.destination_interface": "identity", + "cisco.ftd.mapped_destination_ip": "10.0.13.13", + "cisco.ftd.mapped_destination_port": 80, + "cisco.ftd.mapped_source_ip": "192.168.77.12", + "cisco.ftd.mapped_source_port": 11180, "cisco.ftd.message_id": "302015", + "cisco.ftd.source_interface": "outside", + "destination.address": "10.0.13.13", + "destination.ip": "10.0.13.13", + "destination.port": 80, "event.action": "firewall-rule", "event.category": [ "network" @@ -1606,35 +1950,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 5967, - "service.type": "cisco", - "tags": [ - "cisco-ftd", - "forwarded" - ] - }, - { - "@timestamp": "2018-12-11T08:01:24.000-02:00", - "cisco.ftd.message_id": "302015", - "event.action": "firewall-rule", - "event.category": [ - "network" - ], - "event.code": 302015, - "event.dataset": "cisco.ftd", - "event.kind": "event", - "event.module": "cisco", - "event.original": "%FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80)", - "event.severity": 6, - "event.timezone": "-02:00", - "event.type": [ - "info" + "network.direction": "outbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "identity", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.77.12", + "10.0.13.13" ], - "fileset.name": "ftd", - "host.hostname": "127.0.0.1", - "input.type": "log", - "log.level": "informational", - "log.offset": 6147, "service.type": "cisco", + "source.address": "192.168.77.12", + "source.ip": "192.168.77.12", + "source.port": 11180, "tags": [ "cisco-ftd", "forwarded" 
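Review bot: In hunk `@@ -1606,35 +1950,23 @@` the removed lines include the whole event at `"log.offset": 6147` (the one whose `event.original` ends in `identity:10.0.13.13/80port> (10.0.13.13/80)`), and no replacement for it appears on the new side, so as far as this hunk shows the malformed line now yields no event at all. If the pipeline drops it rather than emitting the event with an `error.message`, that is a silent loss of a firewall log line, which an audit trail should not have. It is not visible here whether the event moved elsewhere in the regenerated file; if it did, a sentence in the PR description saying so would settle it, otherwise the pipeline's failure handling for this message should be checked before the golden file is accepted.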
@@ -1672,6 +2004,12 @@ "log.offset": 6332, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -1717,6 +2055,12 @@ "log.offset": 6487, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -1732,7 +2076,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_host": "OCSP_Server", + "cisco.ftd.mapped_destination_port": 5678, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1752,7 +2106,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 6642, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" 
@@ -1760,7 +2129,17 @@ }, { "@timestamp": "2018-12-11T08:01:31.000-02:00", + "cisco.ftd.connection_id": "447236", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_host": "OCSP_Server", + "cisco.ftd.mapped_destination_port": 5678, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "OCSP_Server", + "destination.domain": "OCSP_Server", + "destination.port": 5678, "event.action": "firewall-rule", "event.category": [ "network" @@ -1780,7 +2159,22 @@ "input.type": "log", "log.level": "informational", "log.offset": 6817, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -1821,6 +2215,12 @@ "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -1869,6 +2269,12 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.35" 
@@ -1917,6 +2323,12 @@ "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -1946,20 +2358,23 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", "log.offset": 7504, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -1989,20 +2404,23 @@ "event.kind": "event", "event.module": "cisco", "event.original": "%FTD-6-106015: Deny TCP (no connection) from 192.0.2.222/1234 to 192.168.1.34/5679 flags RST on interface outside", - "event.outcome": "deny", + "event.outcome": "tcp", "event.severity": 6, "event.timezone": "-02:00", "event.type": [ - "info", - "denied" + "info" ], "fileset.name": "ftd", "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", "log.offset": 7651, - "network.iana_number": 6, - "network.transport": "tcp", + "network.transport": "(no", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "192.168.1.34" 
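Review bot: The new expected output for the two `106015` events (hunks `@@ -1946,20 +2358,23 @@` and `@@ -1989,20 +2404,23 @@`) records a parser regression rather than a fix: `event.outcome` changes from `"deny"` to `"tcp"`, `"denied"` is dropped from `event.type`, `network.iana_number` disappears, and `network.transport` becomes `"(no"`, a fragment of the text `Deny TCP (no connection)` visible in `event.original` on the same hunk. A detection rule keyed on `event.outcome: deny` or `event.type: denied` would no longer see these blocked connections. The pattern for message 106015 in the pipeline (outside this diff) apparently tokenises on whitespace and assigns the protocol word to the outcome field; it should treat `(no connection)` as a literal so the previous values `"event.outcome": "deny",`, `"network.iana_number": 6,` and `"network.transport": "tcp",` are preserved, and the golden file should be regenerated after that fix rather than committed with the broken values.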
@@ -2048,6 +2466,12 @@ "log.offset": 7798, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "dmz", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.168.1.34", "192.0.0.12" @@ -2063,7 +2487,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_ip": "192.168.1.34", + "cisco.ftd.mapped_destination_port": 65000, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2083,7 +2517,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 7954, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" 
@@ -2091,7 +2541,17 @@ }, { "@timestamp": "2018-12-11T08:01:53.000-02:00", + "cisco.ftd.connection_id": "447237", + "cisco.ftd.destination_interface": "dmz", + "cisco.ftd.mapped_destination_ip": "192.168.1.34", + "cisco.ftd.mapped_destination_port": 65000, + "cisco.ftd.mapped_source_ip": "192.0.2.222", + "cisco.ftd.mapped_source_port": 1234, "cisco.ftd.message_id": "302013", + "cisco.ftd.source_interface": "outside", + "destination.address": "192.168.1.34", + "destination.ip": "192.168.1.34", + "destination.port": 65000, "event.action": "firewall-rule", "event.category": [ "network" @@ -2111,7 +2571,23 @@ "input.type": "log", "log.level": "informational", "log.offset": 8133, + "network.direction": "outbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.0.2.222", + "192.168.1.34" + ], "service.type": "cisco", + "source.address": "192.0.2.222", + "source.ip": "192.0.2.222", + "source.port": 1234, "tags": [ "cisco-ftd", "forwarded" @@ -2152,6 +2628,12 @@ "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "127.0.0.1", + "observer.ingress.interface.name": "dmz", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.222", "10.10.10.10" @@ -2199,6 +2681,11 @@ "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", + "observer.egress.interface.name": "outside", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.44.4.4", "10.44.2.2" 
@@ -2239,6 +2726,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8624, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2278,6 +2770,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8745, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2317,6 +2814,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8866, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2356,6 +2858,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 8987, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2395,6 +2902,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9108, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2434,6 +2946,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9229, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.88.99.57" 
@@ -2473,6 +2990,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9350, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2512,6 +3034,11 @@ "input.type": "log", "log.level": "critical", "log.offset": 9472, + "observer.egress.interface.name": "Mobile_Traffic", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -2556,6 +3083,12 @@ "log.offset": 9594, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "outside", + "observer.hostname": "GIFRCHN01", + "observer.ingress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -2598,6 +3131,11 @@ "log.offset": 9748, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "Outside", + "observer.hostname": "GIFRCHN01", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.2.3.5" ], @@ -2638,6 +3176,10 @@ "log.offset": 9858, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "172.16.30.2", "172.16.1.10" @@ -2686,6 +3228,11 @@ "log.offset": 9994, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.45", "192.88.99.129" 
@@ -2717,7 +3264,6 @@ "destination.address": "192.0.2.223", "destination.ip": "192.0.2.223", "destination.nat.ip": "192.0.2.225", - "destination.nat.port": "80", "destination.port": 80, "event.action": "firewall-rule", "event.category": [ @@ -2740,6 +3286,11 @@ "log.offset": 10245, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2748,7 +3299,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-ftd", @@ -2769,7 +3319,6 @@ "cisco.ftd.threat_level": "very-high", "destination.address": "192.0.2.223", "destination.ip": "192.0.2.223", - "destination.nat.ip": "192.0.2.223", "destination.nat.port": "8080", "destination.port": 80, "event.action": "firewall-rule", @@ -2794,6 +3343,11 @@ "log.offset": 10544, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.ingress.interface.name": "outsidet", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.1.1.1", "192.0.2.223" @@ -2802,7 +3356,6 @@ "source.address": "10.1.1.1", "source.ip": "10.1.1.1", "source.nat.ip": "10.2.1.1", - "source.nat.port": "33340", "source.port": 33340, "tags": [ "cisco-ftd", @@ -2834,6 +3387,9 @@ "input.type": "log", "log.level": "notification", "log.offset": 10843, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.30.30.30", "192.0.2.1" @@ -2872,6 +3428,9 @@ "input.type": "log", "log.level": "notification", "log.offset": 10920, + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.5.111.32", "192.0.2.32" 
@@ -2911,6 +3470,10 @@ "input.type": "log", "log.level": "notification", "log.offset": 11012, + "observer.egress.interface.name": "inside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.69.6.39", "192.0.0.19" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 89bd797ebff..7d48283bdaa 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -59,6 +59,12 @@ "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -142,6 +148,12 @@ "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -233,6 +245,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -331,6 +349,12 @@ "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -417,6 +441,12 @@ "log.offset": 2515, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -521,6 +551,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -610,6 +646,12 @@ "log.offset": 3919, "network.iana_number": 6, "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -710,6 +752,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "inside", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "outside", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "213.211.198.62" 
@@ -789,6 +837,12 @@ "log.offset": 5177, "network.iana_number": 1, "network.transport": "icmp", + "observer.egress.interface.name": "output", + "observer.hostname": "firepower", + "observer.ingress.interface.name": "input", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -881,6 +935,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "input", + "observer.hostname": "siem-ftd", + "observer.ingress.interface.name": "output", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 2d02ecd67d3..c9105b957ab 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -47,6 +47,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -114,6 +118,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -181,6 +189,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" 
@@ -248,6 +260,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -321,6 +337,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], @@ -397,6 +417,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], @@ -477,6 +501,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "siem-ftd", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], @@ -565,6 +593,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "firepower", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], @@ -644,6 +676,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "firepower", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], 
@@ -733,6 +769,10 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.hostname": "firepower", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index e9a6b15f242..2fe9194946a 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -79,6 +79,12 @@ "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", + "observer.egress.interface.name": "s1p1", + "observer.hostname": "CISCO-SENSOR-3D", + "observer.ingress.interface.name": "s1p2", + "observer.product": "ftd", + "observer.type": "firewall", + "observer.vendor": "Cisco", "process.name": "Alerts", "related.ip": [ "3.3.3.3", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 1d5d0d86ade..74764882cd3 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -193,10 +193,11 @@ processors:
 if: "ctx._temp_.cisco.message_id == '106007'"
 field: "message"
 pattern: "%{event.outcome} %{network.direction} %{network.transport} from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} due to %{network.protocol} %{}"
- - dissect:
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106010'"
 field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} %{} dst %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} %{}"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address}/%{POSINT:source.port} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{POSINT:destination.port}(%{GREEDYDATA})?"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '106013'"
 field: "message"
@@ -209,14 +210,16 @@ processors:
 if: "ctx._temp_.cisco.message_id == '106013'"
 field: "network.direction"
 value: inbound
- - dissect:
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106014'"
 field: "message"
- pattern: "%{event.outcome} %{network.direction} %{network.transport} src %{_temp_.cisco.source_interface}:%{source.address} %{}dst %{_temp_.cisco.destination_interface}:%{destination.address} %{}"
- - dissect:
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{NOTSPACE:source.address} (%{DATA})?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}(%{GREEDYDATA})?"
+ - grok:
 if: "ctx._temp_.cisco.message_id == '106015'"
 field: "message"
- pattern: "%{event.outcome} %{network.transport} (no connection) from %{source.address}/%{source.port} to %{destination.address}/%{destination.port} flags %{} on interface %{_temp_.cisco.source_interface}"
+ patterns:
+ - "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} %{NOTSPACE} from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"
 - dissect:
 if: "ctx._temp_.cisco.message_id == '106016'"
 field: "message"
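Review bot: The new 106015 grok regresses the outcome fields: `%{NOTSPACE} from` is meant to consume `(no connection)`, but that is two tokens, so the unanchored match slides one word to the right and yields `event.outcome: tcp` and `network.transport: (no` — which is exactly what the expected-output fixture earlier in this patch now asserts (`"event.outcome": "tcp"`, `"network.transport": "(no"`, with `network.iana_number` and the `denied` event.type dropped). Denied no-connection packets therefore lose `event.type: denied`, the value detections on blocked traffic key on. Match the literal instead, `- "%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} \\(no connection\\) from %{IP:source.address}/%{POSINT:source.port} to %{IP:destination.address}/%{POSINT:destination.port} flags %{DATA} on interface %{NOTSPACE:_temp_.cisco.source_interface}"`, and regenerate the fixtures so they return to `deny`/`tcp`.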
@@ -259,9 +262,64 @@ processors: field: "message" pattern: "access-list %{_temp_.cisco.list_id} %{event.outcome} %{network.transport} for user %{user.name} %{_temp_.cisco.source_interface}/%{source.address}(%{source.port})%{}-> %{_temp_.cisco.destination_interface}/%{destination.address}(%{destination.port})%{}" - dissect: + if: "ctx._temp_.cisco.message_id == '111004'" + field: "message" + pattern: "%{source.address} end configuration: %{_temp_.cisco.cli_outcome}" + - set: + field: event.outcome + value: "success" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'OK'" + - set: + field: event.outcome + value: "failure" + if: "ctx._temp_.cisco.message_id == '111004' && ctx?._temp_?.cisco?.cli_outcome == 'FAILED'" + - remove: + field: _temp_.cisco.cli_outcome + ignore_missing: true + - append: + field: event.type + value: "change" + if: "ctx._temp_.cisco.message_id == '111004'" + - grok: + if: "ctx._temp_.cisco.message_id == '111009'" + field: "message" + patterns: + - "^%{NOTSPACE} '%{NOTSPACE:host.user.name}' executed %{NOTSPACE} %{GREEDYDATA:_temp_.cisco.command_line_arguments}" + - grok: + if: "ctx._temp_.cisco.message_id == '111010'" + field: "message" + patterns: + - "User '%{NOTSPACE:host.user.name}', running %{QUOTEDSTRING} from IP %{IP:source.address}, executed %{QUOTEDSTRING:_temp_.cisco.command_line_arguments}" + - dissect: + if: "ctx._temp_.cisco.message_id == '113019'" + field: "message" + pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. 
Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}" + - dissect: + if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '303002'" + field: "message" + pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" + - dissect: + if: "ctx._temp_.cisco.message_id == '302012'" + field: "message" + pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + - grok: + if: "ctx._temp_.cisco.message_id == '302020'" + field: "message" + patterns: + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr %{IP:destination.address}/%{NUMBER} (%{DATA})?gaddr %{IP:_temp_.natsrcip}/%{NUMBER} laddr %{IP:source.address}/%{NUMBER}(%{GREEDYDATA})?" 
+ - dissect: + if: "ctx._temp_.cisco.message_id == '302022'" + field: "message" + pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - grok: if: "ctx._temp_.cisco.message_id == '304001'" field: "message" - pattern: "%{source.address} %{}ccessed URL %{destination.address}:%{url.original}" + patterns: + - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" @@ -270,6 +328,10 @@ processors: if: "ctx._temp_.cisco.message_id == '304002'" field: "message" pattern: "Access %{event.outcome} URL %{url.original} SRC %{source.address} %{}EST %{destination.address} on interface %{_temp_.cisco.source_interface}" + - dissect: + if: "ctx._temp_.cisco.message_id == '305011'" + field: "message" + pattern: "Built %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" - dissect: if: "ctx._temp_.cisco.message_id == '313001'" field: "message" @@ -432,10 +494,76 @@ processors: field: "server.port" value: "{{source.port}}" ignore_empty_value: true + - dissect: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "message" + pattern: "User priv level changed: Uname: %{host.user.name} 
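Review bot: The 113019 dissect ends with `Reason: %{message}`, which writes its capture back into the field it is parsing, so after this processor `message` holds only the reason text rather than the full syslog line; the 507003 dissect added in the next hunk (`reason - %{message}`) does the same. The fixtures show `event.original` still carrying the raw text, but anything that searches or alerts on `message` will see only the fragment. Capture into a dedicated field instead, e.g. `Reason: %{_temp_.cisco.reason}` (and the ECS `event.reason` field once the module's ECS version provides it), and leave `message` intact. This hunk also spans the 111009/111010 command-audit groks, which put the administrator account in `host.user.name` while the rest of this pipeline uses `user.name`/`source.user.name`; worth a comment on why the host.user namespace was chosen.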
From: %{_temp_.cisco.privilege.old} To: %{_temp_.cisco.privilege.new}" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.type" + value: + - "group" + - "change" + - append: + if: "ctx._temp_.cisco.message_id == '502103'" + field: "event.category" + value: "iam" + - dissect: + if: "ctx._temp_.cisco.message_id == '507003'" + field: "message" + pattern: "%{network.transport} flow from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} terminated by inspection engine, reason - %{message}" + - dissect: + if: '["605004", "605005"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: 'Login %{event.outcome} from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{network.protocol} for user "%{source.user.name}"' + - dissect: + if: "ctx._temp_.cisco.message_id == '609001'" + field: "message" + pattern: "Built local-host %{_temp_.cisco.source_interface}:%{source.address}" + - dissect: + if: "ctx._temp_.cisco.message_id == '609002'" + field: "message" + pattern: "Teardown local-host %{_temp_.cisco.source_interface}:%{source.address} duration %{_temp_.duration_hms}" + - dissect: + if: '["611102", "611101"].contains(ctx._temp_.cisco.message_id)' + field: "message" + pattern: 'User authentication %{event.outcome}: IP address: %{source.address}, Uname: %{host.user.name}' + - dissect: + if: "ctx._temp_.cisco.message_id == '710003'" + field: "message" + pattern: "%{network.transport} access denied by ACL from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: "ctx._temp_.cisco.message_id == '710005'" + field: "message" + pattern: "%{network.transport} request discarded from %{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}" + - dissect: + if: 
"ctx._temp_.cisco.message_id == '713049'" + field: "message" + pattern: "Group = %{}, IP = %{source.address}, Security negotiation complete for LAN-to-LAN Group (%{}) %{}, Inbound SPI = %{}, Outbound SPI = %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '716002'" + field: "message" + pattern: "Group %{} User %{source.user.name} IP %{source.address} WebVPN session terminated: User Requested." + - dissect: + if: "ctx._temp_.cisco.message_id == '722051'" + field: "message" + pattern: "Group %{} User %{source.user.name} IP %{source.address} IPv4 Address %{_temp_.cisco.assigned_ip} %{}" + - dissect: + if: "ctx._temp_.cisco.message_id == '733100'" + field: "message" + pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" pattern: "DAP: User %{user.email}, Addr %{source.address}, Connection %{_temp_.cisco.connection_type}: The following DAP records were selected for this connection: %{_temp_.cisco.dap_records->}" + - dissect: + if: "ctx._temp_.cisco.message_id == '805001'" + field: "message" + pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + - dissect: + if: "ctx._temp_.cisco.message_id == '805002'" + field: "message" + pattern: "%{network.transport} Flow is no longer offloaded for connection %{_temp_.cisco.connection_id} from 
%{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - split: field: "_temp_.cisco.dap_records" separator: ",\\s+" @@ -445,7 +573,7 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' + if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - grok: 
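Review bot: The 605004/605005 and 611101/611102 dissects put the raw verb from the log (`permitted`/`denied`, `succeeded`/`failed`) straight into `event.outcome`, where ECS expects `success`/`failure`/`unknown`; unless a processor outside this hunk normalises them, an authentication-failure rule on `event.outcome:failure` will not match ASA/FTD login failures. The 111004 block earlier in this patch shows the pattern to follow: dissect into a `_temp_.cisco.*` field and `set` the ECS value under a condition. The 502103 privilege-change dissect captures `_temp_.cisco.privilege.old`/`.new` and tags the event `iam`/`group`/`change`, which is good, but it gets no `event.outcome` either. The enclosing `processors` list continues on both sides of this hunk.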
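Review bot: Adding `302020` and `609001` to the `flow-expiration` list mislabels connection setup as teardown: the 302020 grok and the 609001 dissect introduced in this patch both parse `Built ...` messages, the counterpart of the teardown events this `set` is for (`302012` and `609002` are genuine teardowns). Keep the build messages out of this list, `if: '["302012", "302014", "302016", "302018", "302021", "302036", "302304", "302306", "609002"].contains(ctx._temp_.cisco.message_id)'`, and give 302020/609001 the same `event.action` the other `Built` messages (302013/302015) receive elsewhere in the pipeline.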
@@ -1242,22 +1370,22 @@ processors:
 - set:
 field: source.nat.ip
 value: "{{_temp_.cisco.mapped_source_ip}}"
- if: "(ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip || ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port)"
+ if: "ctx?._temp_?.cisco?.mapped_source_ip != ctx?.source?.ip"
 ignore_empty_value: true
 - set:
 field: source.nat.port
 value: "{{_temp_.cisco.mapped_source_port}}"
- if: "(ctx?._temp_?.cisco.mapped_source_ip != ctx?.source?.ip || ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port)"
+ if: "ctx?._temp_?.cisco?.mapped_source_port != ctx?.source?.port"
 ignore_empty_value: true
 - set:
 field: destination.nat.ip
 value: "{{_temp_.cisco.mapped_destination_ip}}"
- if: "(ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip || ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port)"
+ if: "ctx?._temp_?.cisco.mapped_destination_ip != ctx?.destination?.ip"
 ignore_empty_value: true
 - set:
 field: destination.nat.port
 value: "{{_temp_.cisco.mapped_destination_port}}"
- if: "(ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip || ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port)"
+ if: "ctx?._temp_?.cisco?.mapped_destination_port != ctx?.destination?.port"
 ignore_empty_value: true
 #
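Review bot: The new condition for `destination.nat.ip` reads `ctx?._temp_?.cisco.mapped_destination_ip` — the null-safe operator after `cisco` is missing, unlike the three sibling conditions rewritten in the same hunk. It is carried over from the old line, but for a message where `_temp_.cisco` was never created this access may throw in Painless instead of evaluating to null, so fix it while the block is touched: `if: "ctx?._temp_?.cisco?.mapped_destination_ip != ctx?.destination?.ip"`. Splitting the ip and port conditions is the right fix for the spurious `*.nat.port` values the fixtures drop; a one-line comment above the four `set`s saying that nat fields are only emitted when they differ from the real address would save the next reader re-deriving that.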
@@ -1374,6 +1502,32 @@ processors:
 ctx.event.type.add('denied');
 }
 }
+
+ # Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
+ - set:
+ field: observer.hostname
+ value: "{{ host.hostname }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.vendor
+ value: "Cisco"
+ ignore_empty_value: true
+ - set:
+ field: observer.type
+ value: "firewall"
+ ignore_empty_value: true
+ - set:
+ field: observer.product
+ value: "{< .internal_prefix >}"
+ ignore_empty_value: true
+ - set:
+ field: observer.egress.interface.name
+ value: "{{ cisco.{< .internal_prefix >}.source_interface }}"
+ ignore_empty_value: true
+ - set:
+ field: observer.ingress.interface.name
+ value: "{{ cisco.{< .internal_prefix >}.destination_interface }}"
+ ignore_empty_value: true
 - append:
 field: related.ip
 value: "{{source.ip}}"
From f0fe53ab0a606243f387f4faa3b32984e2a23ddc Mon Sep 17 00:00:00 2001
From: Mariana Dima
Date: Mon, 31 Aug 2020 11:13:18 +0200
Subject: [PATCH 10/36] windows/perfmon fix for `There is more data to return than will fit in the supplied buffer` (#20630) (#20818) * mofidy doc * fix * changelog (cherry picked from commit 49e8024953a4edb0c55a06f751bc9deca1b9638a)
---
 CHANGELOG.next.asciidoc | 1 +
 metricbeat/helper/windows/pdh/pdh_query_windows.go | 6 ++++++
 metricbeat/module/windows/perfmon/perfmon.go | 2 +-
 metricbeat/module/windows/perfmon/reader.go | 9 ++++++++-
 4 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1328c6db1ce..8f71b7eb445 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
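Review bot: The observer interface mapping looks inverted: `observer.egress.interface.name` is filled from `cisco.<prefix>.source_interface` and `observer.ingress.interface.name` from `destination_interface`, while the dissects earlier in this patch take `source_interface` from the `from <iface>:<addr>` side of the message, i.e. the interface the packet arrived on, which is what ECS calls ingress. If that reading is right the two `value:` lines should be swapped and the fixtures (which now show `egress: outside` / `ingress: dmz` for an `outside -> dmz` connection) regenerated; please confirm against the module's intended semantics before changing it, since every observer-based zone rule downstream depends on it. The `ignore_empty_value: true` on the constant `observer.vendor`/`observer.type` sets is a no-op and can be dropped.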
@@ -105,6 +105,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add required option for `metrics` in app_insights. {pull}20406[20406]
 - Groups same timestamp metric values to one event in the app_insights metricset. {pull}20403[20403]
 - Updates vm_compute metricset with more info on guest metrics. {pull}20448[20448]
+- Add fallback for PdhExpandWildCardPathW failing in perfmon metricset. {issue}20139[20139] {pull}20630[20630]
 - Fix resource tags in aws cloudwatch metricset {issue}20326[20326] {pull}20385[20385]
 *Packetbeat*
diff --git a/metricbeat/helper/windows/pdh/pdh_query_windows.go b/metricbeat/helper/windows/pdh/pdh_query_windows.go
index 65ad0372fcb..3c51df5073a 100644
--- a/metricbeat/helper/windows/pdh/pdh_query_windows.go
+++ b/metricbeat/helper/windows/pdh/pdh_query_windows.go
@@ -212,6 +212,12 @@ func (q *Query) ExpandWildCardPath(wildCardPath string) ([]string, error) {
 expdPaths, err = PdhExpandCounterPath(utfPath)
 } else {
 expdPaths, err = PdhExpandWildCardPath(utfPath)
+ // rarely the PdhExpandWildCardPathW will not retrieve the expanded buffer size initially so the next call will encounter the PDH_MORE_DATA error since the specified size on the input is still less than
+ // the required size. If this is the case we will fallback on the PdhExpandCounterPathW api since it looks to act in a more stable manner. The PdhExpandCounterPathW api does come with some limitations but will
+ // satisfy most cases and return valid paths.
+ if err == PDH_MORE_DATA {
+ expdPaths, err = PdhExpandCounterPath(utfPath)
+ }
 }
 if err != nil {
 return nil, err
diff --git a/metricbeat/module/windows/perfmon/perfmon.go b/metricbeat/module/windows/perfmon/perfmon.go
index 7f4712a5f3b..52865a28107 100644
--- a/metricbeat/module/windows/perfmon/perfmon.go
+++ b/metricbeat/module/windows/perfmon/perfmon.go
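Review bot: The fallback at `if err == PDH_MORE_DATA {` is silent, so when PdhExpandCounterPathW later yields a different (per the comment, more limited) set of paths than the wildcard expansion would have, nothing in the logs explains why instances are missing. No logger is visible in this hunk; if the Query has one, a debug line at the fallback naming the path would make that diagnosable. The three comment lines added above it also run far past the width of the surrounding code; wrapping them at the usual column would help. ExpandWildCardPath begins and ends outside the hunk.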
@@ -61,7 +61,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 func (m *MetricSet) Fetch(report mb.ReporterV2) error {
 // if the ignore_non_existent_counters flag is set and no valid counter paths are found the Read func will still execute, a check is done before
 if len(m.reader.query.Counters) == 0 {
- return errors.New("no counters to read")
+ m.log.Error("no counter paths were found")
 }
 // refresh performance counter list
diff --git a/metricbeat/module/windows/perfmon/reader.go b/metricbeat/module/windows/perfmon/reader.go
index c65c4a8118a..6f90b18e348 100644
--- a/metricbeat/module/windows/perfmon/reader.go
+++ b/metricbeat/module/windows/perfmon/reader.go
@@ -38,6 +38,7 @@ const (
 defaultInstanceField = "instance"
 defaultObjectField = "object"
 replaceUpperCaseRegex = `(?:[^A-Z_\W])([A-Z])[^A-Z]`
+ collectFailedMsg = "failed collecting counter values"
 )
 // Reader will contain the config options
@@ -152,7 +153,13 @@ func (re *Reader) Read() ([]mb.Event, error) {
 // Some counters, such as rate counters, require two counter values in order to compute a displayable value. In this case we must call PdhCollectQueryData twice before calling PdhGetFormattedCounterValue.
 // For more information, see Collecting Performance Data (https://docs.microsoft.com/en-us/windows/desktop/PerfCtrs/collecting-performance-data).
 if err := re.query.CollectData(); err != nil {
- return nil, errors.Wrap(err, "failed querying counter values")
+ // users can encounter the case no counters are found (services/processes stopped), this should not generate an event with the error message,
+ //could be the case the specific services are started after and picked up by the next RefreshCounterPaths func
+ if err == pdh.PDH_NO_COUNTERS {
+ re.log.Warnf("%s %v", collectFailedMsg, err)
+ } else {
+ return nil, errors.Wrap(err, collectFailedMsg)
+ }
 }
 // Get the values.
From ce013580b66a6881672bb870a64768475283cd85 Mon Sep 17 00:00:00 2001
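Review bot: `m.log.Error("no counter paths were found")` now fires on every Fetch interval for as long as no counters resolve, which the comment above it describes as an expected state when ignore_non_existent_counters is set, so a configuration choice becomes a steady stream of error-level log lines. The `re.log.Warnf` added to Read in the reader.go hunk of this commit has the same per-interval behaviour. Lower it to `m.log.Warn("no counter paths were found")` for consistency with Read, or log once until the counter list changes. Fetch continues outside the hunk.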
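Review bot: The new branch in Read puts the error return in the `else`, leaving the unexpected-error path indented under the expected one; invert it so the failure returns first, `if err != pdh.PDH_NO_COUNTERS { return nil, errors.Wrap(err, collectFailedMsg) }` followed by `re.log.Warnf("%s %v", collectFailedMsg, err)`. The comment line `//could be the case ...` is also missing the space after `//` that the neighbouring comments have. After the warning, Read continues into value retrieval with no counters registered; if that path cannot produce events, an early `return nil, nil` would make the intent explicit — the rest of Read is outside the hunk.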
From: Mariana Dima Date: Mon, 31 Aug 2020 12:33:31 +0200 Subject: [PATCH 11/36] Cherry-pick #20689 to 7.9: Rename cloud.provider to `azure` instead of `az` in add_cloud_metadata processor (#20823) * Rename cloud.provider to `azure` instead of `az` in add_cloud_metadata processor (#20689) * mofidy doc * rename azure provider in cloud data * changelo (cherry picked from commit d34d1b654b17a3e87069f8f8354c0d3390a44bd9) * changelog --- CHANGELOG.next.asciidoc | 1 + .../add_cloud_metadata/docs/add_cloud_metadata.asciidoc | 2 +- libbeat/processors/add_cloud_metadata/provider_azure_vm.go | 2 +- libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 8f71b7eb445..ffb111bd9b1 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -52,6 +52,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix `setup.dashboards.index` setting not working. {pull}17749[17749] - Fix Elasticsearch license endpoint URL referenced in error message. {issue}17880[17880] {pull}18030[18030] - Change `decode_json_fields` processor, to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958] +- Rename cloud.provider `az` value to `azure` inside the add_cloud_metadata processor. {pull}20689[20689] - Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811] *Auditbeat* diff --git a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc index 9a5fcfcbf91..41c0dd6d9f3 100644 --- a/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc +++ b/libbeat/processors/add_cloud_metadata/docs/add_cloud_metadata.asciidoc 
@@ -143,7 +143,7 @@ _Azure Virtual Machine_ ------------------------------------------------------------------------------- { "cloud": { - "provider": "az", + "provider": "azure", "instance.id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e", "instance.name": "test-az-vm", "machine.type": "Standard_D3_v2", diff --git a/libbeat/processors/add_cloud_metadata/provider_azure_vm.go b/libbeat/processors/add_cloud_metadata/provider_azure_vm.go index 077e9b610dd..9cd3eba55b8 100644 --- a/libbeat/processors/add_cloud_metadata/provider_azure_vm.go +++ b/libbeat/processors/add_cloud_metadata/provider_azure_vm.go @@ -46,7 +46,7 @@ var azureVMMetadataFetcher = provider{ return out } - fetcher, err := newMetadataFetcher(config, "az", azHeaders, metadataHost, azSchema, azMetadataURI) + fetcher, err := newMetadataFetcher(config, "azure", azHeaders, metadataHost, azSchema, azMetadataURI) return fetcher, err }, } diff --git a/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go b/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go index 57f26c8ecd5..307ac60abad 100644 --- a/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go +++ b/libbeat/processors/add_cloud_metadata/provider_azure_vm_test.go @@ -79,7 +79,7 @@ func TestRetrieveAzureMetadata(t *testing.T) { expected := common.MapStr{ "cloud": common.MapStr{ - "provider": "az", + "provider": "azure", "instance": common.MapStr{ "id": "04ab04c3-63de-4709-a9f9-9ab8c0411d5e", "name": "test-az-vm", From feeed7276e0f9ccd387639c2da114b3e456b4591 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Mon, 31 Aug 2020 13:36:22 +0200 Subject: [PATCH 12/36] Fix path in hits docs (#20447) (#20854) (cherry picked from commit f2956098ef62b0fec1ae02e7cb9659dd6b9e6fe9) --- filebeat/docs/autodiscover-hints.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/filebeat/docs/autodiscover-hints.asciidoc b/filebeat/docs/autodiscover-hints.asciidoc index 9c1893c8367..de678011763 100644 
--- a/filebeat/docs/autodiscover-hints.asciidoc +++ b/filebeat/docs/autodiscover-hints.asciidoc @@ -112,7 +112,7 @@ filebeat.autodiscover: hints.default_config: type: container paths: - - /var/log/container/*-${container.id}.log # CRI path + - /var/log/containers/*-${data.container.id}.log # CRI path ----- You can also disable default settings entirely, so only Pods annotated like `co.elastic.logs/enabled: true` @@ -215,7 +215,7 @@ filebeat.autodiscover: hints.default_config: type: container paths: - - /var/log/container/*-${container.id}.log # CRI path + - /var/log/containers/*-${data.container.id}.log # CRI path ----- You can also disable default settings entirely, so only containers labeled with `co.elastic.logs/enabled: true` From 80db33af1a324ff6db9a623d719bec004777860a Mon Sep 17 00:00:00 2001 From: kaiyan-sheng Date: Mon, 31 Aug 2020 07:29:46 -0600 Subject: [PATCH 13/36] Cherry-pick #20736 to 7.9: Fill cloud.account.name with accountID if account alias doesn't exist (#20835) * Fill cloud.account.name with accountID if account alias doesn't exist (#20736) * Fill cloud.account.name with accountID if account alias doesn't exist (cherry picked from commit d2a09994435272f55a96499fa54bcea672bb665e) --- CHANGELOG.next.asciidoc | 1 + x-pack/metricbeat/module/aws/aws.go | 13 +++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index ffb111bd9b1..6daae9f746f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -108,6 +108,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Updates vm_compute metricset with more info on guest metrics. {pull}20448[20448]
 - Add fallback for PdhExpandWildCardPathW failing in perfmon metricset. {issue}20139[20139] {pull}20630[20630]
 - Fix resource tags in aws cloudwatch metricset {issue}20326[20326] {pull}20385[20385]
+- Fill cloud.account.name with accountID if account alias doesn't exist. {pull}20736[20736]
 *Packetbeat*
diff --git a/x-pack/metricbeat/module/aws/aws.go b/x-pack/metricbeat/module/aws/aws.go
index 983d44ee47b..1d7b059a2df 100644
--- a/x-pack/metricbeat/module/aws/aws.go
+++ b/x-pack/metricbeat/module/aws/aws.go
@@ -103,19 +103,24 @@ func NewMetricSet(base mb.BaseMetricSet) (*MetricSet, error) {
 default:
 awsConfig.Region = "us-east-1"
 }
+
 svcIam := iam.New(awscommon.EnrichAWSConfigWithEndpoint(
 config.AWSConfig.Endpoint, "iam", "", awsConfig))
 req := svcIam.ListAccountAliasesRequest(&iam.ListAccountAliasesInput{})
 output, err := req.Send(context.TODO())
 if err != nil {
 base.Logger().Warn("failed to list account aliases, please check permission setting: ", err)
+ metricSet.AccountName = metricSet.AccountID
 } else {
+ // When there is no account alias, account ID will be used as cloud.account.name
+ if len(output.AccountAliases) == 0 {
+ metricSet.AccountName = metricSet.AccountID
+ }
+
 // There can be more than one aliases for each account, for now we are only
 // collecting the first one.
- if output.AccountAliases != nil {
- metricSet.AccountName = output.AccountAliases[0]
- base.Logger().Debug("AWS Credentials belong to account name: ", metricSet.AccountName)
- }
+ metricSet.AccountName = output.AccountAliases[0]
+ base.Logger().Debug("AWS Credentials belong to account name: ", metricSet.AccountName)
 }
 // Get IAM account id
From 575f5ed409ab0af3269f0bc754d212f6f860cce0 Mon Sep 17 00:00:00 2001
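Review bot: `metricSet.AccountName = output.AccountAliases[0]` is executed even after the new `len(output.AccountAliases) == 0` check has fired, so an account with no alias now panics with an index-out-of-range in NewMetricSet instead of getting the fallback this commit intends; the removed `!= nil` guard was what prevented that before. The index and debug log belong in the `else` of the length check. The trailing `// Get IAM account id` comment suggests `metricSet.AccountID` is only populated after this block; if so, both fallbacks copy an empty value and need to move below that lookup. NewMetricSet continues outside the hunk.
```go
	} else {
		// When there is no account alias, account ID will be used as cloud.account.name
		if len(output.AccountAliases) == 0 {
			metricSet.AccountName = metricSet.AccountID
		} else {
			// There can be more than one aliases for each account, for now we are only
			// collecting the first one.
			metricSet.AccountName = output.AccountAliases[0]
			base.Logger().Debug("AWS Credentials belong to account name: ", metricSet.AccountName)
		}
	}
	// … unchanged: IAM account id lookup that follows …
```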
From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Mon, 31 Aug 2020 16:06:04 +0200 Subject: [PATCH 14/36] Add Known issues section with an issue about Functionbeat (#20859) --- CHANGELOG.asciidoc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index f1c4db82e8c..58d0850a0f9 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -229,6 +229,12 @@ field. You can revert this change by configuring tags for the module and omittin - Deprecate tags config parameter in cloudwatch metricset. {pull}16733[16733] - Deprecate tags.resource_type_filter config parameter and replace with resource_type. {pull}19688[19688] +==== Known Issues + +*Functionbeat* + +- Functionbeat cannot be deployed on Google Cloud Platform. {issue}20830[20830] + [[release-notes-7.8.1]] === Beats version 7.8.1 https://github.com/elastic/beats/compare/v7.8.0...v7.8.1[View commits] From ad823eca4cc74439d1a44351c596c12ab51054f5 Mon Sep 17 00:00:00 2001 From: Mariana Dima Date: Mon, 31 Aug 2020 16:51:59 +0200 Subject: [PATCH 15/36] Update filebeat azure module documentation (#20815) (#20862) * mofidy doc * fix doc * changelog (cherry picked from commit 7fbbdca91b5cdfcb943ff7f7b7312219ae9986c0) --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/modules/azure.asciidoc | 8 ++++---- x-pack/filebeat/module/azure/_meta/docs.asciidoc | 8 ++++---- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6daae9f746f..4570781a08f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -75,6 +75,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fixed typo in log message. {pull}17897[17897] - Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] - Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] +- Update documentation in the azure module filebeat. {pull}20815[20815] *Heartbeat* 
diff --git a/filebeat/docs/modules/azure.asciidoc b/filebeat/docs/modules/azure.asciidoc index b194b7c320c..853fba43756 100644 --- a/filebeat/docs/modules/azure.asciidoc +++ b/filebeat/docs/modules/azure.asciidoc @@ -58,7 +58,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi signinlogs: enabled: false var: - eventhub: ["insights-logs-signinlogs"] + eventhub: "insights-logs-signinlogs" consumer_group: "$Default" connection_string: "" storage_account: "" @@ -69,9 +69,9 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi `eventhub` :: - _[]string_ -Is a fully managed, real-time data ingestion service. -Default value `insights-operational-logs` + _string_ +Is the fully managed, real-time data ingestion service. +Default value `insights-operational-logs`. `consumer_group` :: _string_ diff --git a/x-pack/filebeat/module/azure/_meta/docs.asciidoc b/x-pack/filebeat/module/azure/_meta/docs.asciidoc index eea82995532..aa5c854b457 100644 --- a/x-pack/filebeat/module/azure/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/azure/_meta/docs.asciidoc @@ -53,7 +53,7 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi signinlogs: enabled: false var: - eventhub: ["insights-logs-signinlogs"] + eventhub: "insights-logs-signinlogs" consumer_group: "$Default" connection_string: "" storage_account: "" @@ -64,9 +64,9 @@ Will retrieve azure Active Directory audit logs. The audit logs provide traceabi `eventhub` :: - _[]string_ -Is a fully managed, real-time data ingestion service. -Default value `insights-operational-logs` + _string_ +Is the fully managed, real-time data ingestion service. +Default value `insights-operational-logs`. `consumer_group` :: _string_ From 5329bf26fe6cb075bed5dc96e13526607a0347be Mon Sep 17 00:00:00 2001 
From: Ivan Fernandez Calvo Date: Tue, 1 Sep 2020 10:51:19 +0200 Subject: [PATCH 16/36] fix: update test environment (#20857) --- testing/environments/latest.yml | 6 +++--- testing/environments/snapshot-oss.yml | 6 +++--- testing/environments/snapshot.yml | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/testing/environments/latest.yml b/testing/environments/latest.yml index f6efeea73f5..be1061d65c1 100644 --- a/testing/environments/latest.yml +++ b/testing/environments/latest.yml @@ -3,7 +3,7 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.6.2 + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.0 healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9200"] retries: 300 @@ -16,7 +16,7 @@ services: - "xpack.security.enabled=false" logstash: - image: docker.elastic.co/logstash/logstash:7.6.2 + image: docker.elastic.co/logstash/logstash:7.9.0 healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9600/_node/stats"] retries: 300 @@ -26,7 +26,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana:7.6.2 + image: docker.elastic.co/kibana/kibana:7.9.0 healthcheck: test: ["CMD", "curl", "-f", "http://localhost:5601"] retries: 300 diff --git a/testing/environments/snapshot-oss.yml b/testing/environments/snapshot-oss.yml index 1d1a5b58a6e..81eaa476a4e 100644 --- a/testing/environments/snapshot-oss.yml +++ b/testing/environments/snapshot-oss.yml @@ -3,7 +3,7 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.9.0-SNAPSHOT + image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.9.1-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9200"] retries: 300 
@@ -15,7 +15,7 @@ services: - "http.host=0.0.0.0" logstash: - image: docker.elastic.co/logstash/logstash-oss:7.9.0-SNAPSHOT + image: docker.elastic.co/logstash/logstash-oss:7.9.1-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9600/_node/stats"] retries: 600 @@ -25,7 +25,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana-oss:7.9.0-SNAPSHOT + image: docker.elastic.co/kibana/kibana-oss:7.9.1-SNAPSHOT healthcheck: test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] retries: 600 diff --git a/testing/environments/snapshot.yml b/testing/environments/snapshot.yml index f093ad7bf54..5f09cc0e8c3 100644 --- a/testing/environments/snapshot.yml +++ b/testing/environments/snapshot.yml @@ -3,7 +3,7 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.9.0-SNAPSHOT + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.1-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9200"] retries: 300 @@ -16,7 +16,7 @@ services: - "xpack.security.enabled=false" logstash: - image: docker.elastic.co/logstash/logstash:7.9.0-SNAPSHOT + image: docker.elastic.co/logstash/logstash:7.9.1-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9600/_node/stats"] retries: 600 @@ -26,7 +26,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana:7.9.0-SNAPSHOT + image: docker.elastic.co/kibana/kibana:7.9.1-SNAPSHOT healthcheck: test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] retries: 600 From f74a98f56a8b71d76b4cfb54c51bc6f11187ac41 Mon Sep 17 00:00:00 2001 
From: Brandon Morelli Date: Tue, 1 Sep 2020 12:29:48 -0700 Subject: [PATCH 17/36] docs: update cipher suites (#20697) (#20879) --- libbeat/docs/shared-ssl-config.asciidoc | 54 ++++++++++++++----------- 1 file changed, 30 insertions(+), 24 deletions(-) diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index e578c2d60f8..f850aeedd68 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc 
@@ -155,34 +155,39 @@ The default is `full`. ==== `cipher_suites` The list of cipher suites to use. The first entry has the highest priority. -If this option is omitted, the Go crypto library's default -suites are used (recommended). Note that TLS 1.3 cipher suites are not +If this option is omitted, the Go crypto library's https://golang.org/pkg/crypto/tls/[default suites] +are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list. +// tag::cipher_suites[] The following cipher suites are available: -* ECDHE-ECDSA-AES-128-CBC-SHA -* ECDHE-ECDSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* ECDHE-ECDSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* ECDHE-ECDSA-AES-256-CBC-SHA -* ECDHE-ECDSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* ECDHE-ECDSA-CHACHA20-POLY1305 (TLS 1.2 only) -* ECDHE-ECDSA-RC4-128-SHA (disabled by default - RC4 not recommended) -* ECDHE-RSA-3DES-CBC3-SHA -* ECDHE-RSA-AES-128-CBC-SHA -* ECDHE-RSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* ECDHE-RSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* ECDHE-RSA-AES-256-CBC-SHA -* ECDHE-RSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* ECDHE-RSA-CHACHA20-POLY1205 (TLS 1.2 only) -* ECDHE-RSA-RC4-128-SHA (disabled by default- RC4 not recommended) -* RSA-3DES-CBC3-SHA -* RSA-AES-128-CBC-SHA -* RSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default) -* RSA-AES-128-GCM-SHA256 (TLS 1.2 only) -* RSA-AES-256-CBC-SHA -* RSA-AES-256-GCM-SHA384 (TLS 1.2 only) -* RSA-RC4-128-SHA (disabled by default - RC4 not recommended) +[options="header"] +|=== +| Cypher | Notes +| ECDHE-ECDSA-AES-128-CBC-SHA | +| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| ECDHE-ECDSA-AES-256-CBC-SHA | +| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. +| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. 
+| ECDHE-RSA-3DES-CBC3-SHA | +| ECDHE-RSA-AES-128-CBC-SHA | +| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| ECDHE-RSA-AES-256-CBC-SHA | +| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. +| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +| RSA-3DES-CBC3-SHA | +| RSA-AES-128-CBC-SHA | +| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| RSA-AES-256-CBC-SHA | +| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +|=== Here is a list of acronyms used in defining the cipher suites: @@ -212,6 +217,7 @@ Here is a list of acronyms used in defining the cipher suites: * SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384. +// end::cipher_suites[] [float] ==== `curve_types` From f96ce60d1f1468e98817886a39e7c1a9c34e04eb Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Tue, 1 Sep 2020 12:30:28 -0700 Subject: [PATCH 18/36] docs: Add `processor.event` info to Logstash output (#20721) (#20882) --- .../outputs/logstash/docs/logstash.asciidoc | 113 ++++++++++-------- 1 file changed, 62 insertions(+), 51 deletions(-) diff --git a/libbeat/outputs/logstash/docs/logstash.asciidoc b/libbeat/outputs/logstash/docs/logstash.asciidoc index e0cfdd0e4e0..8371b53083a 100644 --- a/libbeat/outputs/logstash/docs/logstash.asciidoc +++ b/libbeat/outputs/logstash/docs/logstash.asciidoc @@ -5,8 +5,8 @@ Logstash ++++ -The Logstash output sends events directly to Logstash by using the lumberjack -protocol, which runs over TCP. Logstash allows for additional processing and routing of +The {ls} output sends events directly to {ls} by using the lumberjack +protocol, which runs over TCP. {ls} allows for additional processing and routing of generated events. // tag::shared-logstash-config[] 
@@ -26,11 +26,10 @@ If you want to use {ls} to perform additional processing on the data collected b To do this, you edit the {beatname_uc} configuration file to disable the {es} output by commenting it out and enable the {ls} output by uncommenting the -logstash section: +{ls} section: [source,yaml] ------------------------------------------------------------------------------ -#----------------------------- Logstash output -------------------------------- output.logstash: hosts: ["127.0.0.1:5044"] ------------------------------------------------------------------------------ @@ -51,8 +50,8 @@ endif::[] ==== Accessing metadata fields -Every event sent to Logstash contains the following metadata fields that you can -use in Logstash for indexing and filtering: +Every event sent to {ls} contains the following metadata fields that you can +use in {ls} for indexing and filtering: ifndef::apm-server[] ["source","json",subs="attributes"] @@ -65,12 +64,15 @@ ifndef::apm-server[] } } ------------------------------------------------------------------------------ -<1> {beatname_uc} uses the `@metadata` field to send metadata to Logstash. See the -{logstash-ref}/event-dependent-configuration.html#metadata[Logstash documentation] +<1> {beatname_uc} uses the `@metadata` field to send metadata to {ls}. See the +{logstash-ref}/event-dependent-configuration.html#metadata[{ls} documentation] for more about the `@metadata` field. <2> The default is {beat_default_index_prefix}. To change this value, set the <> option in the {beatname_uc} config file. <3> The current version of {beatname_uc}. + +You can access this metadata from within the {ls} config file to set values +dynamically based on the contents of the metadata. endif::[] ifdef::apm-server[] 
@@ -85,24 +87,24 @@ ifdef::apm-server[] } } ------------------------------------------------------------------------------ -<1> {beatname_uc} uses the `@metadata` field to send metadata to Logstash. See the -{logstash-ref}/event-dependent-configuration.html#metadata[Logstash documentation] +<1> {beatname_uc} uses the `@metadata` field to send metadata to {ls}. See the +{logstash-ref}/event-dependent-configuration.html#metadata[{ls} documentation] for more about the `@metadata` field. <2> The default is {beat_default_index_prefix}. To change this value, set the <> option in the {beatname_uc} config file. <3> The default pipeline configuration: `apm`. Additional pipelines can be enabled -with a {logstash-ref}/use-ingest-pipelines.html[Logstash pipeline config]. +with a {logstash-ref}/use-ingest-pipelines.html[{ls} pipeline config]. <4> The current version of {beatname_uc}. -endif::[] -You can access this metadata from within the Logstash config file to set values -dynamically based on the contents of the metadata. - -For example, the following Logstash configuration file tells -Logstash to use the index reported by {beatname_uc} for indexing events -into Elasticsearch: +In addition to metadata, {beatname_uc} provides the `processor.event` field, which +can be used to separate {apm-overview-ref-v}/apm-data-model.html[event types] into different indices. +endif::[] ifndef::apm-server[] +For example, the following {ls} configuration file tells +{ls} to use the index reported by {beatname_uc} for indexing events +into {es}: + [source,logstash] ------------------------------------------------------------------------------ @@ -126,6 +128,10 @@ the Beat's version. For example: endif::[] ifdef::apm-server[] +For example, the following {ls} configuration file tells +{ls} to use the index and event types reported by {beatname_uc} for indexing events +into {es}: + [source,logstash] ------ input { 
@@ -156,26 +162,26 @@ output { } ------ <1> Creates a new field named `@metadata.index`. -`%{[@metadata][beat]}` sets the first part of the index name to the value of the `beat` metadata field. +`%{[@metadata][beat]}` sets the first part of the index name to the value of the `metadata.beat` field. `%{[@metadata][version]}` sets the second part to {beatname_uc}'s version. `%{[processor][event]}` sets the final part based on the APM event type. For example: +{beat_default_index_prefix}-{version}-sourcemap+. -<2> In addition to the above rules, this pattern appends a date to the `index` name so Logstash creates a new index each day. +<2> In addition to the above rules, this pattern appends a date to the `index` name so {ls} creates a new index each day. For example: +{beat_default_index_prefix}-{version}-transaction-{sample_date_0}+. endif::[] -Events indexed into Elasticsearch with the Logstash configuration shown here -will be similar to events directly indexed by {beatname_uc} into Elasticsearch. +Events indexed into {es} with the {ls} configuration shown here +will be similar to events directly indexed by {beatname_uc} into {es}. ifndef::apm-server[] -NOTE: If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so Logstash creates an index per day, based on the `@timestamp` value of the events coming from Beats. +NOTE: If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so {ls} creates an index per day, based on the `@timestamp` value of the events coming from Beats. endif::[] ifdef::apm-server[] -==== Logstash and ILM +==== {ls} and ILM -When used with {apm-server-ref}/manual-ilm-setup.html[Index lifecycle management], Logstash does not need to create a new index each day. 
-Here's a sample Logstash configuration file that would accomplish this: +When used with {apm-server-ref}/ilm.html[Index lifecycle management], {ls} does not need to create a new index each day. +Here's a sample {ls} configuration file that would accomplish this: [source,logstash] ------ @@ -188,15 +194,20 @@ input { output { elasticsearch { hosts => ["http://localhost:9200"] - index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{[processor][event]}" + index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{[processor][event]}" <1> } } ------ +<1> Outputs documents to an index: +`%{[@metadata][beat]}` sets the first part of the index name to the value of the `metadata.beat` field. +`%{[@metadata][version]}` sets the second part to {beatname_uc}'s version. +`%{[processor][event]}` sets the final part based on the APM event type. +For example: +{beat_default_index_prefix}-{version}-sourcemap+. endif::[] ==== Compatibility -This output works with all compatible versions of Logstash. See the +This output works with all compatible versions of {ls}. See the https://www.elastic.co/support/matrix#matrix_compatibility[Elastic Support Matrix]. 
@@ -215,18 +226,18 @@ The default value is `true`. [[hosts]] ===== `hosts` -The list of known Logstash servers to connect to. If load balancing is disabled, but +The list of known {ls} servers to connect to. If load balancing is disabled, but multiple hosts are configured, one host is selected randomly (there is no precedence). If one host becomes unreachable, another one is selected randomly. -All entries in this list can contain a port number. The default port number 5044 will be used, if no number is given. +All entries in this list can contain a port number. The default port number 5044 will be used if no number is given. ===== `compression_level` The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression). -Increasing the compression level will reduce the network usage but will increase the cpu usage. +Increasing the compression level will reduce the network usage but will increase the CPU usage. The default value is 3. @@ -238,15 +249,15 @@ The default value is `false`. ===== `worker` -The number of workers per configured host publishing events to Logstash. This +The number of workers per configured host publishing events to {ls}. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host). [[loadbalance]] ===== `loadbalance` -If set to true and multiple Logstash hosts are configured, the output plugin -load balances published events onto all Logstash hosts. If set to false, +If set to true and multiple {ls} hosts are configured, the output plugin +load balances published events onto all {ls} hosts. If set to false, the output plugin sends all events to only one host (determined at random) and will switch to another host if the selected one becomes unresponsive. The default value is false. 
@@ -260,28 +271,28 @@ output.logstash: ===== `ttl` -Time to live for a connection to Logstash after which the connection will be re-established. -Useful when Logstash hosts represent load balancers. Since the connections to Logstash hosts +Time to live for a connection to {ls} after which the connection will be re-established. +Useful when {ls} hosts represent load balancers. Since the connections to {ls} hosts are sticky, operating behind load balancers can lead to uneven load distribution between the instances. Specifying a TTL on the connection allows to achieve equal connection distribution between the instances. Specifying a TTL of 0 will disable this feature. The default value is 0. -NOTE: The "ttl" option is not yet supported on an async Logstash client (one with the "pipelining" option set). +NOTE: The "ttl" option is not yet supported on an async {ls} client (one with the "pipelining" option set). ===== `pipelining` -Configures number of batches to be sent asynchronously to logstash while waiting -for ACK from logstash. Output only becomes blocking once number of `pipelining` +Configures the number of batches to be sent asynchronously to {ls} while waiting +for ACK from {ls}. Output only becomes blocking once number of `pipelining` batches have been written. Pipelining is disabled if a value of 0 is configured. The default value is 2. ===== `proxy_url` -The URL of the SOCKS5 proxy to use when connecting to the Logstash servers. The +The URL of the SOCKS5 proxy to use when connecting to the {ls} servers. The value must be a URL with a scheme of `socks5://`. The protocol used to -communicate to Logstash is not based on HTTP so a web-proxy cannot be used. +communicate to {ls} is not based on HTTP so a web-proxy cannot be used. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL as shown in the example. 
@@ -300,8 +311,8 @@ output.logstash: [[logstash-proxy-use-local-resolver]] ===== `proxy_use_local_resolver` -The `proxy_use_local_resolver` option determines if Logstash hostnames are -resolved locally when using a proxy. The default value is false which means +The `proxy_use_local_resolver` option determines if {ls} hostnames are +resolved locally when using a proxy. The default value is false, which means that when a proxy is used the name resolution occurs on the proxy server. [[logstash-index]] @@ -312,17 +323,17 @@ example +"{beat_default_index_prefix}"+ generates +"[{beat_default_index_prefix} indices (for example, +"{beat_default_index_prefix}-{version}-2017.04.26"+). NOTE: This parameter's value will be assigned to the `metadata.beat` field. It -can then be accessed in Logstash's output section as `%{[@metadata][beat]}`. +can then be accessed in {ls}'s output section as `%{[@metadata][beat]}`. ===== `ssl` -Configuration options for SSL parameters like the root CA for Logstash connections. See +Configuration options for SSL parameters like the root CA for {ls} connections. See <> for more information. To use SSL, you must also configure the https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html[Beats input plugin for Logstash] to use SSL/TLS. ===== `timeout` -The number of seconds to wait for responses from the Logstash server before timing out. The default is 30 (seconds). +The number of seconds to wait for responses from the {ls} server before timing out. The default is 30 (seconds). ===== `max_retries` @@ -341,7 +352,7 @@ endif::[] ===== `bulk_max_size` -The maximum number of events to bulk in a single Logstash request. The default is 2048. +The maximum number of events to bulk in a single {ls} request. The default is 2048. If the Beat sends single events, the events are collected into batches. If the Beat publishes a large batch of events (larger than the value specified by `bulk_max_size`), the batch is 
@@ -359,15 +370,15 @@ number of events to be contained in a batch. ===== `slow_start` -If enabled only a subset of events in a batch of events is transferred per transaction. +If enabled, only a subset of events in a batch of events is transferred per transaction. The number of events to be sent increases up to `bulk_max_size` if no error is encountered. -On error the number of events per transaction is reduced again. +On error, the number of events per transaction is reduced again. The default is `false`. ===== `backoff.init` -The number of seconds to wait before trying to reconnect to Logstash after +The number of seconds to wait before trying to reconnect to {ls} after a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The @@ -376,4 +387,4 @@ default is 1s. ===== `backoff.max` The maximum number of seconds to wait before attempting to connect to -Logstash after a network error. The default is 60s. +{ls} after a network error. The default is 60s. From 7745b9bde616b4d82d0eea178d512331635d7a27 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Wed, 2 Sep 2020 15:35:30 +0200 Subject: [PATCH 19/36] Include python docs in devguide index (#20917) (#20922) Python docs were not included on any page, and thus not generated in the final docs. (cherry picked from commit 13d20fed1a97b05229693182c6325456c1f52848) --- docs/devguide/index.asciidoc | 2 ++ docs/devguide/python.asciidoc | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/devguide/index.asciidoc b/docs/devguide/index.asciidoc index 213dc7cccaf..6cc701592f0 100644 --- a/docs/devguide/index.asciidoc +++ b/docs/devguide/index.asciidoc 
@@ -27,6 +27,8 @@ include::./fields-yml.asciidoc[] include::./event-conventions.asciidoc[] +include::./python.asciidoc[] + include::./newdashboards.asciidoc[] include::./new_protocol.asciidoc[] diff --git a/docs/devguide/python.asciidoc b/docs/devguide/python.asciidoc index 4f9902af205..3e21b4ae1af 100644 --- a/docs/devguide/python.asciidoc +++ b/docs/devguide/python.asciidoc @@ -1,5 +1,5 @@ [[python-beats]] -== Python in Beats +=== Python in Beats Python is used for Beats development, it is the language used to implement system tests and some other tools. Python dependencies are managed by the use of @@ -9,7 +9,7 @@ https://docs.python.org/3/library/venv.html[venv]. Beats development requires Python >= {python}. [[installing-python]] -=== Installing Python and venv +==== Installing Python and venv Python uses to be installed in many operating systems. If it is not installed in your system you can follow the instructions available in https://www.python.org/downloads/ @@ -32,7 +32,7 @@ sudo apt-get install python3.7 python3.7-venv It is recommended to use Python >= {python}. [[python-virtual-environments]] -=== Working with virtual environments +==== Working with virtual environments All `make` and `mage` targets manage their own virtual environments in a transparent way, so for the most common operations required when contributing to beats, @@ -65,7 +65,7 @@ To recreate a virtual environment, remove its directory. All virtual environments are also removed with `make clean`. [[python-older-versions]] -=== Working with older versions +==== Working with older versions Older versions of Beats were not compatible with Python 3, if you need to temporary work on one of these versions of Beats, and you don't want to remove From 4bc088b6d5b7a5c74a0022d15a2d4df39019d504 Mon Sep 17 00:00:00 2001 
From: Pier-Hugues Pellerin Date: Wed, 2 Sep 2020 09:59:13 -0400 Subject: [PATCH 20/36] Cherry-pick #20827 to 7.9: [Build] Make mage-linux-amd64 statically compiled. (#20838) * [Build] Make mage-linux-amd64 statically compiled. (#20827) * [Build] Make mage-linux-amd64 statically compiled. When I've upgraded my arch system, they have upgraded the libc library, that libary is much newer than the library used in the crossbuild docker images. This made building beats impossible because the mage-linux-amd64 is compiled dynamically and used in all our docker build. This PR make the mage binary to be statically compiled so it doesn't rely on any installed libraries. (cherry picked from commit 273ecae934b916e0344c59932aca650d0c0d72f5) * changelog quirks --- CHANGELOG-developer.next.asciidoc | 1 + dev-tools/mage/crossbuild.go | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 8b473f0d68b..c1723e24364 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc @@ -92,3 +92,4 @@ The list below covers the major changes between 7.0.0-rc2 and master only. - Added SQL helper that can be used from any Metricbeat module {pull}18955[18955] - Update Go version to 1.14.4. {pull}19753[19753] - Update Go version to 1.14.7. {pull}20508[20508] +- Make the mage binary used by the build process in the docker container to be statically compiled. {pull}20827[20827] diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go index 6a11f7666cd..22b0ae574df 100644 --- a/dev-tools/mage/crossbuild.go +++ b/dev-tools/mage/crossbuild.go 
@@ -173,7 +173,7 @@ func CrossBuildXPack(options ...CrossBuildOption) error {
 // values for Docker. It has the benefit of speeding up the build because the
 // mage -compile is done only once rather than in each Docker container.
 func buildMage() error {
- return sh.Run("mage", "-f", "-goos=linux", "-goarch=amd64",
+ return sh.RunWith(map[string]string{"CGO_ENABLED": "0"}, "mage", "-f", "-goos=linux", "-goarch=amd64",
 "-compile", CreateDir(filepath.Join("build", "mage-linux-amd64")))
 }
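Review bot: The header comment above `buildMage` still only explains the one-shot compile benefit, and nothing in the function says why `CGO_ENABLED=0` is now forced, so a later maintainer may treat the env override as noise and drop it. Suggest extending the comment with `// CGO_ENABLED=0 makes the mage binary statically linked, so it runs inside every crossbuild image regardless of that image's libc version.` The override only pins CGO; any other build-affecting variables from the host environment (GOFLAGS, GOOS overrides) still flow through `sh.RunWith`, which is presumably intended for a dev-tools helper but worth stating in the same comment.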
@@ -242,6 +242,18 @@ def publishPackages(baseDir){
 )
 }
 
+/**
+* There is a specific folder structure in https://staging.elastic.co/ and https://artifacts.elastic.co/downloads/
+* therefore the storage bucket in GCP should follow the same folder structure.
+* This is required by https://github.com/elastic/beats-tester
+* e.g.
+* baseDir=name -> return name
+* baseDir=name1/name2/name3-> return name2
+*/
+def getBeatsName(baseDir) {
+ return basedir.replace('x-pack/', '')
+}
+
 def withBeatsEnv(Closure body) {
 withMageEnv(){
 withEnv([
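Review bot: The doc comment's second example, `baseDir=name1/name2/name3-> return name2`, does not describe what `getBeatsName` does: `replace('x-pack/', '')` only removes an `x-pack/` segment, so `name1/name2/name3` comes back unchanged while `x-pack/metricbeat` becomes `metricbeat`. Suggest replacing the two examples with `baseDir=metricbeat -> metricbeat` and `baseDir=x-pack/metricbeat -> metricbeat`. The body also reads `basedir` while the parameter is `baseDir`, which Groovy resolves as a missing property at run time; the following patch in this series corrects the spelling. Since the return value is spliced into the GCS upload path as `${bucketUri}/${beatsFolderName}`, the function implicitly assumes `baseDir` is a single relative directory with no `..` or absolute components — acceptable for CI-controlled input, but worth a one-line note in the comment.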
+++ b/deploy/kubernetes/auditbeat-kubernetes.yaml @@ -109,7 +109,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: auditbeat - image: docker.elastic.co/beats/auditbeat:7.9.0 + image: docker.elastic.co/beats/auditbeat:7.9.1 args: [ "-c", "/etc/auditbeat.yml", "-e", diff --git a/deploy/kubernetes/filebeat-kubernetes.yaml b/deploy/kubernetes/filebeat-kubernetes.yaml index 1fc3d7d996d..95e22235b13 100644 --- a/deploy/kubernetes/filebeat-kubernetes.yaml +++ b/deploy/kubernetes/filebeat-kubernetes.yaml @@ -64,7 +64,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: filebeat - image: docker.elastic.co/beats/filebeat:7.9.0 + image: docker.elastic.co/beats/filebeat:7.9.1 args: [ "-c", "/etc/filebeat.yml", "-e", diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index 84ab9ef7927..caf597b1070 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -114,7 +114,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: metricbeat - image: docker.elastic.co/beats/metricbeat:7.9.0 + image: docker.elastic.co/beats/metricbeat:7.9.1 args: [ "-c", "/etc/metricbeat.yml", "-e", @@ -270,7 +270,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: metricbeat - image: docker.elastic.co/beats/metricbeat:7.9.0 + image: docker.elastic.co/beats/metricbeat:7.9.1 args: [ "-c", "/etc/metricbeat.yml", "-e", diff --git a/metricbeat/docker-compose.yml b/metricbeat/docker-compose.yml index b8c10f95c18..bb39912eefb 100644 --- a/metricbeat/docker-compose.yml +++ b/metricbeat/docker-compose.yml 
@@ -15,11 +15,11 @@ services: # Used by base tests elasticsearch: - image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.9.0}-1 build: context: ./module/elasticsearch/_meta args: - ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.7.0} + ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.9.0} environment: - "ES_JAVA_OPTS=-Xms256m -Xmx256m" - "network.host=" @@ -37,11 +37,11 @@ services: # Used by base tests kibana: - image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.9.0}-1 build: context: ./module/kibana/_meta args: - KIBANA_VERSION: ${KIBANA_VERSION:-7.7.0} + KIBANA_VERSION: ${KIBANA_VERSION:-7.9.0} depends_on: - elasticsearch ports: @@ -49,11 +49,11 @@ services: # Used by base tests metricbeat: - image: docker.elastic.co/integrations-ci/beats-metricbeat:${BEAT_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-metricbeat:${BEAT_VERSION:-7.9.0}-1 build: context: ./module/beat/_meta args: - BEAT_VERSION: ${BEAT_VERSION:-7.7.0} + BEAT_VERSION: ${BEAT_VERSION:-7.9.0} command: '-e' ports: - 5066 diff --git a/metricbeat/module/logstash/docker-compose.yml b/metricbeat/module/logstash/docker-compose.yml index f717242a21c..a776d6d4b66 100644 --- a/metricbeat/module/logstash/docker-compose.yml +++ b/metricbeat/module/logstash/docker-compose.yml 
@@ -2,22 +2,22 @@ version: '2.3' services: logstash: - image: docker.elastic.co/integrations-ci/beats-logstash:${LOGSTASH_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-logstash:${LOGSTASH_VERSION:-7.9.0}-1 build: context: ./_meta args: - LOGSTASH_VERSION: ${LOGSTASH_VERSION:-7.7.0} + LOGSTASH_VERSION: ${LOGSTASH_VERSION:-7.9.0} ports: - 9600 depends_on: - elasticsearch elasticsearch: - image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-elasticsearch:${ELASTICSEARCH_VERSION:-7.9.0}-1 build: context: ../elasticsearch/_meta args: - ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.7.0} + ELASTICSEARCH_VERSION: ${ELASTICSEARCH_VERSION:-7.9.0} environment: - "network.host=" - "transport.host=127.0.0.1" diff --git a/x-pack/metricbeat/docker-compose.yml b/x-pack/metricbeat/docker-compose.yml index b5e752886d6..ad95961aada 100644 --- a/x-pack/metricbeat/docker-compose.yml +++ b/x-pack/metricbeat/docker-compose.yml @@ -24,11 +24,11 @@ services: kibana: # Copied configuration from OSS metricbeat because services with depends_on # cannot be extended with extends - image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.7.0}-1 + image: docker.elastic.co/integrations-ci/beats-kibana:${KIBANA_VERSION:-7.9.0}-1 build: context: ../../metricbeat/module/kibana/_meta args: - KIBANA_VERSION: ${KIBANA_VERSION:-7.7.0} + KIBANA_VERSION: ${KIBANA_VERSION:-7.9.0} depends_on: - elasticsearch ports: From 69d50611c00584b26ba981b4fe8375cedb2e9252 Mon Sep 17 00:00:00 2001 From: Ivan Fernandez Calvo Date: Wed, 2 Sep 2020 19:50:29 +0200 Subject: [PATCH 24/36] fix: make update revert some changes (#20940) --- deploy/kubernetes/auditbeat-kubernetes.yaml | 2 +- deploy/kubernetes/filebeat-kubernetes.yaml | 2 +- deploy/kubernetes/metricbeat-kubernetes.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/deploy/kubernetes/auditbeat-kubernetes.yaml b/deploy/kubernetes/auditbeat-kubernetes.yaml index c47632c43fd..2c72ffad202 100644 --- a/deploy/kubernetes/auditbeat-kubernetes.yaml +++ b/deploy/kubernetes/auditbeat-kubernetes.yaml @@ -109,7 +109,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: auditbeat - image: docker.elastic.co/beats/auditbeat:7.9.1 + image: docker.elastic.co/beats/auditbeat:7.9.0 args: [ "-c", "/etc/auditbeat.yml", "-e", diff --git a/deploy/kubernetes/filebeat-kubernetes.yaml b/deploy/kubernetes/filebeat-kubernetes.yaml index 95e22235b13..1fc3d7d996d 100644 --- a/deploy/kubernetes/filebeat-kubernetes.yaml +++ b/deploy/kubernetes/filebeat-kubernetes.yaml @@ -64,7 +64,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: filebeat - image: docker.elastic.co/beats/filebeat:7.9.1 + image: docker.elastic.co/beats/filebeat:7.9.0 args: [ "-c", "/etc/filebeat.yml", "-e", diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index caf597b1070..84ab9ef7927 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -114,7 +114,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: metricbeat - image: docker.elastic.co/beats/metricbeat:7.9.1 + image: docker.elastic.co/beats/metricbeat:7.9.0 args: [ "-c", "/etc/metricbeat.yml", "-e", @@ -270,7 +270,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: metricbeat - image: docker.elastic.co/beats/metricbeat:7.9.1 + image: docker.elastic.co/beats/metricbeat:7.9.0 args: [ "-c", "/etc/metricbeat.yml", "-e", From e0c4b52275826b1de4f1c659d88dd710ad9f1a7a Mon Sep 17 00:00:00 2001 
From: DeDe Morton Date: Wed, 2 Sep 2020 11:11:18 -0700 Subject: [PATCH 25/36] Document how to set the ES host and Kibana URLs in Ingest Manager (#20874) (#20909) * Document how to set the ES host and Kibana URLs in Ingest Manager * Change wording about setting URL to include port --- x-pack/elastic-agent/docs/run-elastic-agent.asciidoc | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc index 34613ae9696..7c48084b8fb 100644 --- a/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc @@ -22,9 +22,15 @@ To enroll an {agent} to {fleet}: . Stop {agent}, if it's already running. -. In {ingest-manager}, select **{fleet}**, then click **Add agent** to -get an enrollment token. See <> for -detailed steps. +. In {ingest-manager}, click **Settings** and change the defaults, if necessary. +For self-managed installations, set the URLs for {es} and {kib}, including +the http ports, then save your changes. ++ +[role="screenshot"] +image::images/kibana-ingest-manager-settings.png[{ingest-manager} settings] + +. Select **{fleet}**, then click **Add agent** to get an enrollment token. See +<> for detailed steps. . Change to the directory where {agent} is installed, and enroll the agent to {fleet}: From dcf7528c1a9deadd5f57aff52d43715a32fc8dc0 Mon Sep 17 00:00:00 2001 From: Ivan Fernandez Calvo Date: Thu, 3 Sep 2020 09:56:30 +0200 Subject: [PATCH 26/36] Close changelog for 7.9.1 --- CHANGELOG.asciidoc | 46 +++++++++++++++++++++++++++++++++++ CHANGELOG.next.asciidoc | 18 -------------- libbeat/docs/release.asciidoc | 1 + 3 files changed, 47 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 58d0850a0f9..3266d989697 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc 
@@ -3,6 +3,52 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-7.9.1]] +=== Beats version 7.9.1 +https://github.com/elastic/beats/compare/v7.9.0...v7.9.1[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706] + +==== Bugfixes + +*Affecting all Beats* + +- Update replicaset group to apps/v1 {pull}15854[15854] +- Rename cloud.provider `az` value to `azure` inside the add_cloud_metadata processor. {pull}20689[20689] +- Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811] + +*Filebeat* + +- Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] +- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] +- Update documentation in the azure module filebeat. {pull}20815[20815] + +*Heartbeat* + +- Stop rescheduling tasks of stopped monitors. {pull}20570[20570] + +*Metricbeat* + +- Updates vm_compute metricset with more info on guest metrics. {pull}20448[20448] +- Add fallback for PdhExpandWildCardPathW failing in perfmon metricset. {issue}20139[20139] {pull}20630[20630] +- Fix resource tags in aws cloudwatch metricset {issue}20326[20326] {pull}20385[20385] +- Fill cloud.account.name with accountID if account alias doesn't exist. {pull}20736[20736] + +*Winlogbeat* + +- Fix duplicated field error when exporting index-pattern with migration.6_to_7.enabled. {issue}20521[20521] {pull}20540[20540] +- Fix `event.outcome` in the security module for non-English languages. {issue}20079[20079] {pull}20564[20564] + +==== Added + +*Affecting all Beats* + +- Added support for more message types for Cisco ASA and FTD. {pull}20565[20565] + [[release-notes-7.9.0]] === Beats version 7.9.0 https://github.com/elastic/beats/compare/v7.8.1...v7.9.0[View commits] 
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 4570781a08f..1a368be63c3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -19,7 +19,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Filebeat* - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547] -- Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706] *Heartbeat* @@ -46,14 +45,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix a race condition with the Kafka pipeline client, it is possible that `Close()` get called before `Connect()` . {issue}11945[11945] - Allow users to configure only `cluster_uuid` setting under `monitoring` namespace. {pull}14338[14338] -- Update replicaset group to apps/v1 {pull}15854[15854] - Fix missing output in dockerlogbeat {pull}15719[15719] - Do not rotate log files on startup when interval is configured and rotateonstartup is disabled. {pull}17613[17613] - Fix `setup.dashboards.index` setting not working. {pull}17749[17749] - Fix Elasticsearch license endpoint URL referenced in error message. {issue}17880[17880] {pull}18030[18030] - Change `decode_json_fields` processor, to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958] -- Rename cloud.provider `az` value to `azure` inside the add_cloud_metadata processor. {pull}20689[20689] -- Add missing country_name geo field in `add_host_metadata` and `add_observer_metadata` processors. {issue}20796[20796] {pull}20811[20811] *Auditbeat* 
@@ -73,13 +69,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fixed `cloudfoundry.access` to have the correct `cloudfoundry.app.id` contents. {pull}17847[17847] - Fixing `ingress_controller.` fields to be of type keyword instead of text. {issue}17834[17834] - Fixed typo in log message. {pull}17897[17897] -- Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] -- Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] -- Update documentation in the azure module filebeat. {pull}20815[20815] *Heartbeat* -- Stop rescheduling tasks of stopped monitors. {pull}20570[20570] *Journalbeat* @@ -103,21 +95,12 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix storage metricset to allow config without region/zone. {issue}17623[17623] {pull}17624[17624] - Fix overflow on Prometheus rates when new buckets are added on the go. {pull}17753[17753] - Add a switch to the driver definition on SQL module to use pretty names {pull}17378[17378] -- Modify doc for app_insights metricset to contain example of config. {pull}20185[20185] -- Add required option for `metrics` in app_insights. {pull}20406[20406] -- Groups same timestamp metric values to one event in the app_insights metricset. {pull}20403[20403] -- Updates vm_compute metricset with more info on guest metrics. {pull}20448[20448] -- Add fallback for PdhExpandWildCardPathW failing in perfmon metricset. {issue}20139[20139] {pull}20630[20630] -- Fix resource tags in aws cloudwatch metricset {issue}20326[20326] {pull}20385[20385] -- Fill cloud.account.name with accountID if account alias doesn't exist. {pull}20736[20736] *Packetbeat* *Winlogbeat* -- Fix duplicated field error when exporting index-pattern with migration.6_to_7.enabled. {issue}20521[20521] {pull}20540[20540] -- Fix `event.outcome` in the security module for non-English languages. {issue}20079[20079] {pull}20564[20564] *Functionbeat* 
@@ -132,7 +115,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update documentation for system.process.memory fields to include clarification on Windows os's. {pull}17268[17268] - When using the `decode_json_fields` processor, decoded fields are now deep-merged into existing event. {pull}17958[17958] - Add keystore support for autodiscover static configurations. {pull]16306[16306] -- Added support for more message types for Cisco ASA and FTD. {pull}20565[20565] *Auditbeat* diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index e86253e63fe..4215186d430 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -8,6 +8,7 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> * <> * <> * <> From e8714688b5a32b647393d993243e402602032641 Mon Sep 17 00:00:00 2001 From: Ivan Fernandez Calvo Date: Thu, 3 Sep 2020 14:51:22 +0200 Subject: [PATCH 27/36] docs: update docs versions 7.9.1 (#20873) * fix: update docs * fix: make check * fix: make check --- deploy/kubernetes/auditbeat-kubernetes.yaml | 2 +- deploy/kubernetes/filebeat-kubernetes.yaml | 2 +- deploy/kubernetes/heartbeat-kubernetes.yaml | 2 +- deploy/kubernetes/metricbeat-kubernetes.yaml | 4 ++-- libbeat/docs/version.asciidoc | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/kubernetes/auditbeat-kubernetes.yaml b/deploy/kubernetes/auditbeat-kubernetes.yaml index 2c72ffad202..c47632c43fd 100644 --- a/deploy/kubernetes/auditbeat-kubernetes.yaml +++ b/deploy/kubernetes/auditbeat-kubernetes.yaml @@ -109,7 +109,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: auditbeat - image: docker.elastic.co/beats/auditbeat:7.9.0 + image: docker.elastic.co/beats/auditbeat:7.9.1 args: [ "-c", "/etc/auditbeat.yml", "-e", 
diff --git a/deploy/kubernetes/filebeat-kubernetes.yaml b/deploy/kubernetes/filebeat-kubernetes.yaml index 1fc3d7d996d..95e22235b13 100644 --- a/deploy/kubernetes/filebeat-kubernetes.yaml +++ b/deploy/kubernetes/filebeat-kubernetes.yaml @@ -64,7 +64,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: filebeat - image: docker.elastic.co/beats/filebeat:7.9.0 + image: docker.elastic.co/beats/filebeat:7.9.1 args: [ "-c", "/etc/filebeat.yml", "-e", diff --git a/deploy/kubernetes/heartbeat-kubernetes.yaml b/deploy/kubernetes/heartbeat-kubernetes.yaml index 8938124bf17..bb56fe998e7 100644 --- a/deploy/kubernetes/heartbeat-kubernetes.yaml +++ b/deploy/kubernetes/heartbeat-kubernetes.yaml @@ -74,7 +74,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: heartbeat - image: docker.elastic.co/beats/heartbeat:7.9.0 + image: docker.elastic.co/beats/heartbeat:7.9.1 args: [ "-c", "/etc/heartbeat.yml", "-e", diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index 84ab9ef7927..caf597b1070 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -114,7 +114,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: metricbeat - image: docker.elastic.co/beats/metricbeat:7.9.0 + image: docker.elastic.co/beats/metricbeat:7.9.1 args: [ "-c", "/etc/metricbeat.yml", "-e", @@ -270,7 +270,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: metricbeat - image: docker.elastic.co/beats/metricbeat:7.9.0 + image: docker.elastic.co/beats/metricbeat:7.9.1 args: [ "-c", "/etc/metricbeat.yml", "-e", diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index d13656d04b6..ee50cf4ec0c 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,4 +1,4 @@ -:stack-version: 7.9.0 +:stack-version: 7.9.1 :doc-branch: 7.9 :go-version: 1.14.7 :release-state: released 
From ad73faff7c77a81d8e7e78f96741e606d3048835 Mon Sep 17 00:00:00 2001 From: Ivan Fernandez Calvo Date: Thu, 3 Sep 2020 17:40:45 +0200 Subject: [PATCH 28/36] docs: Update docs to 7.9.2 (#20871) * fix: update docs * fix: make update --- deploy/kubernetes/auditbeat-kubernetes.yaml | 2 +- deploy/kubernetes/filebeat-kubernetes.yaml | 2 +- deploy/kubernetes/heartbeat-kubernetes.yaml | 2 +- deploy/kubernetes/metricbeat-kubernetes.yaml | 4 ++-- libbeat/docs/version.asciidoc | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy/kubernetes/auditbeat-kubernetes.yaml b/deploy/kubernetes/auditbeat-kubernetes.yaml index c47632c43fd..3171889a72d 100644 --- a/deploy/kubernetes/auditbeat-kubernetes.yaml +++ b/deploy/kubernetes/auditbeat-kubernetes.yaml @@ -109,7 +109,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: auditbeat - image: docker.elastic.co/beats/auditbeat:7.9.1 + image: docker.elastic.co/beats/auditbeat:7.9.2 args: [ "-c", "/etc/auditbeat.yml", "-e", diff --git a/deploy/kubernetes/filebeat-kubernetes.yaml b/deploy/kubernetes/filebeat-kubernetes.yaml index 95e22235b13..5ee62a2cb03 100644 --- a/deploy/kubernetes/filebeat-kubernetes.yaml +++ b/deploy/kubernetes/filebeat-kubernetes.yaml @@ -64,7 +64,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: filebeat - image: docker.elastic.co/beats/filebeat:7.9.1 + image: docker.elastic.co/beats/filebeat:7.9.2 args: [ "-c", "/etc/filebeat.yml", "-e", diff --git a/deploy/kubernetes/heartbeat-kubernetes.yaml b/deploy/kubernetes/heartbeat-kubernetes.yaml index bb56fe998e7..e95bcabd168 100644 --- a/deploy/kubernetes/heartbeat-kubernetes.yaml +++ b/deploy/kubernetes/heartbeat-kubernetes.yaml @@ -74,7 +74,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: heartbeat - image: docker.elastic.co/beats/heartbeat:7.9.1 + image: docker.elastic.co/beats/heartbeat:7.9.2 args: [ "-c", "/etc/heartbeat.yml", "-e", 
diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index caf597b1070..06ebca728be 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -114,7 +114,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: metricbeat - image: docker.elastic.co/beats/metricbeat:7.9.1 + image: docker.elastic.co/beats/metricbeat:7.9.2 args: [ "-c", "/etc/metricbeat.yml", "-e", @@ -270,7 +270,7 @@ spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: metricbeat - image: docker.elastic.co/beats/metricbeat:7.9.1 + image: docker.elastic.co/beats/metricbeat:7.9.2 args: [ "-c", "/etc/metricbeat.yml", "-e", diff --git a/libbeat/docs/version.asciidoc b/libbeat/docs/version.asciidoc index ee50cf4ec0c..55e315a126e 100644 --- a/libbeat/docs/version.asciidoc +++ b/libbeat/docs/version.asciidoc @@ -1,4 +1,4 @@ -:stack-version: 7.9.1 +:stack-version: 7.9.2 :doc-branch: 7.9 :go-version: 1.14.7 :release-state: released From 3ecdddc81a1a3e91bf852fb9aaecb6c3c4b368c9 Mon Sep 17 00:00:00 2001 From: Ivan Fernandez Calvo Date: Thu, 3 Sep 2020 18:26:48 +0200 Subject: [PATCH 29/36] fix: update version (#20869) --- libbeat/version/version.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libbeat/version/version.go b/libbeat/version/version.go index 8f65127047e..19041afc13f 100644 --- a/libbeat/version/version.go +++ b/libbeat/version/version.go @@ -18,4 +18,4 @@ // Code generated by dev-tools/set_version package version -const defaultBeatVersion = "7.9.1" +const defaultBeatVersion = "7.9.2" From 343fa9aa6db524db00f2770a9ab485c9a2aa78db Mon Sep 17 00:00:00 2001 
From: Ivan Fernandez Calvo Date: Fri, 4 Sep 2020 11:14:15 +0200 Subject: [PATCH 30/36] feat: Update test environments 7.9.2 (#20870) * fix: update test enviroments * fix: make update --- testing/environments/snapshot-oss.yml | 6 +++--- testing/environments/snapshot.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/testing/environments/snapshot-oss.yml b/testing/environments/snapshot-oss.yml index 81eaa476a4e..feb8c3e9f0c 100644 --- a/testing/environments/snapshot-oss.yml +++ b/testing/environments/snapshot-oss.yml @@ -3,7 +3,7 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.9.1-SNAPSHOT + image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.9.2-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9200"] retries: 300 @@ -15,7 +15,7 @@ services: - "http.host=0.0.0.0" logstash: - image: docker.elastic.co/logstash/logstash-oss:7.9.1-SNAPSHOT + image: docker.elastic.co/logstash/logstash-oss:7.9.2-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9600/_node/stats"] retries: 600 @@ -25,7 +25,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana-oss:7.9.1-SNAPSHOT + image: docker.elastic.co/kibana/kibana-oss:7.9.2-SNAPSHOT healthcheck: test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] retries: 600 diff --git a/testing/environments/snapshot.yml b/testing/environments/snapshot.yml index 5f09cc0e8c3..1dd87f4d413 100644 --- a/testing/environments/snapshot.yml +++ b/testing/environments/snapshot.yml 
@@ -3,7 +3,7 @@ version: '2.3' services: elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:7.9.1-SNAPSHOT + image: docker.elastic.co/elasticsearch/elasticsearch:7.9.2-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9200"] retries: 300 @@ -16,7 +16,7 @@ services: - "xpack.security.enabled=false" logstash: - image: docker.elastic.co/logstash/logstash:7.9.1-SNAPSHOT + image: docker.elastic.co/logstash/logstash:7.9.2-SNAPSHOT healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9600/_node/stats"] retries: 600 @@ -26,7 +26,7 @@ services: - ./docker/logstash/pki:/etc/pki:ro kibana: - image: docker.elastic.co/kibana/kibana:7.9.1-SNAPSHOT + image: docker.elastic.co/kibana/kibana:7.9.2-SNAPSHOT healthcheck: test: ["CMD-SHELL", 'python -c ''import urllib, json; response = urllib.urlopen("http://localhost:5601/api/status"); data = json.loads(response.read()); exit(1) if data["status"]["overall"]["state"] != "green" else exit(0);'''] retries: 600 From 5be9bcdb453e3b8f61e68078caf000ab2c2d986b Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Fri, 4 Sep 2020 11:45:50 +0200 Subject: [PATCH 31/36] Cherry-pick #20898 to 7.9: Avoid generating incomplete configurations in autodiscover (#20920) Handle errors when configuration unpacking fails. In principle this can only happen when some variable is missing, because configuration has been previously parsed as YAML. Errors on unpacking were previously ignored. When a variable is missing, this is clearly logged at the debug level. This changes the behaviour, previously an incomplete configuration was generated on this case. (cherry picked from commit 99fd545d87df4c66a9f876a7813e3f3c761de18d) --- CHANGELOG.next.asciidoc | 2 ++ libbeat/autodiscover/template/config.go | 16 ++++++++-- libbeat/autodiscover/template/config_test.go | 31 ++++++++++++++++++++ 3 files changed, 47 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1a368be63c3..87b46bdb789 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -12,6 +12,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update to Golang 1.12.1. {pull}11330[11330] - Disable Alibaba Cloud and Tencent Cloud metadata providers by default. {pull}13812[12812] +- Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] *Auditbeat* @@ -50,6 +51,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix `setup.dashboards.index` setting not working. {pull}17749[17749] - Fix Elasticsearch license endpoint URL referenced in error message. {issue}17880[17880] {pull}18030[18030] - Change `decode_json_fields` processor, to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958] +- Explicitly detect missing variables in autodiscover configuration, log them at the debug level. {issue}20568[20568] {pull}20898[20898] *Auditbeat* diff --git a/libbeat/autodiscover/template/config.go b/libbeat/autodiscover/template/config.go index a34cec10444..a1f87d2bcfc 100644 --- a/libbeat/autodiscover/template/config.go +++ b/libbeat/autodiscover/template/config.go @@ -18,7 +18,10 @@ package template import ( + "fmt" + "github.com/elastic/go-ucfg" + "github.com/elastic/go-ucfg/parse" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/bus" 
@@ -123,7 +126,16 @@ func ApplyConfigTemplate(event bus.Event, configs []*common.Config, options ...u if err != nil { logp.Err("Error building config: %v", err) } + opts := []ucfg.Option{ + // Catch-all resolve function to log fields not resolved in any other way, + // it needs to be the first resolver added, so it is executed the last one. + // Being the last one, its returned error will be the one returned by `Unpack`, + // this is important to give better feedback in case of failure. + ucfg.Resolve(func(name string) (string, parse.Config, error) { + return "", parse.Config{}, fmt.Errorf("field '%s' not available in event or environment", name) + }), + ucfg.PathSep("."), ucfg.Env(vars), ucfg.ResolveEnv, @@ -139,9 +151,9 @@ func ApplyConfigTemplate(event bus.Event, configs []*common.Config, options ...u } // Unpack config to process any vars in the template: var unpacked map[string]interface{} - c.Unpack(&unpacked, opts...) + err = c.Unpack(&unpacked, opts...) if err != nil { - logp.Err("Error unpacking config: %v", err) + logp.Debug("autodiscover", "Configuration template cannot be resolved: %v", err) continue } // Repack again: diff --git a/libbeat/autodiscover/template/config_test.go b/libbeat/autodiscover/template/config_test.go index 87e9ef5592a..7964ba24126 100644 --- a/libbeat/autodiscover/template/config_test.go +++ b/libbeat/autodiscover/template/config_test.go @@ -28,9 +28,12 @@ import ( "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/common/bus" "github.com/elastic/beats/v7/libbeat/keystore" + "github.com/elastic/beats/v7/libbeat/logp" ) func TestConfigsMapping(t *testing.T) { + logp.TestingSetup() + config, _ := common.NewConfigFrom(map[string]interface{}{ "correct": "config", }) 
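Review bot: In the `@@ -139` hunk the `continue` after `logp.Debug("autodiscover", "Configuration template cannot be resolved: %v", err)` means a template dropped for an unresolved variable leaves no trace at the default log level, so a misspelled field in a user's template now yields no configuration and no visible message, whereas the old incomplete config at least surfaced. Keeping Debug for the routine missing-variable case is reasonable, but logging once per template at Warn (or counting drops in a metric) would let operators notice a template that never resolves. In the `@@ -123` hunk, `fmt.Errorf("field '%s' not available in event or environment", name)` would read better as `fmt.Errorf("field %q not available in event or environment", name)`, which quotes and escapes the name consistently with the rest of the codebase's `%q` usage. `ApplyConfigTemplate` starts and ends outside both hunks.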
@@ -40,6 +43,13 @@ func TestConfigsMapping(t *testing.T) { "hosts": [1]string{"1.2.3.4:8080"}, }) + const envValue = "valuefromenv" + configFromEnv, _ := common.NewConfigFrom(map[string]interface{}{ + "correct": envValue, + }) + + os.Setenv("CONFIGS_MAPPING_TESTENV", envValue) + tests := []struct { mapping string event bus.Event @@ -79,6 +89,16 @@ func TestConfigsMapping(t *testing.T) { }, expected: []*common.Config{config}, }, + // No condition, value from environment + { + mapping: ` +- config: + - correct: ${CONFIGS_MAPPING_TESTENV}`, + event: bus.Event{ + "foo": 3, + }, + expected: []*common.Config{configFromEnv}, + }, // Match config and replace data.host and data.ports. properly { mapping: ` @@ -111,6 +131,17 @@ func TestConfigsMapping(t *testing.T) { }, expected: []*common.Config{configPorts}, }, + // Missing variable, config is not generated + { + mapping: ` +- config: + - module: something + hosts: ["${not.exists.host}"]`, + event: bus.Event{ + "host": "1.2.3.4", + }, + expected: nil, + }, } for _, test := range tests { From 3e64b90018c5a43c705b4c866c10bf3321206ecf Mon Sep 17 00:00:00 2001 
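Review bot: `os.Setenv("CONFIGS_MAPPING_TESTENV", envValue)` in the `@@ -40` hunk is never undone and its error is dropped, so the variable leaks into every later test in the package and a failed set would only show up as a confusing mismatch later. Pair it with cleanup and a check: `if err := os.Setenv("CONFIGS_MAPPING_TESTENV", envValue); err != nil { t.Fatal(err) }` followed by `defer os.Unsetenv("CONFIGS_MAPPING_TESTENV")` (this series' docs pin Go 1.14, so `t.Setenv` is presumably not available). `TestConfigsMapping` starts and ends outside this hunk.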
From: Shaunak Kashyap Date: Mon, 7 Sep 2020 20:05:52 -0400 Subject: [PATCH 32/36] Cherry-pick to 7.9: Only request wildcard expansion for hidden indices if supported (#20938) (#20962) * Only request wildcard expansion for hidden indices if supported (#20938) * Refactoring: inverting logic to make room for another case * Expand hidden indices wildcards if monitored ES supports that option * Adding CHANGELOG entry * Fixing formatting * Avoid unnecessary setting * Removing unnecessary suffix existence checks * Fixing feature version * Add test cases to unit test * Updating test # Conflicts: # metricbeat/module/elasticsearch/index/index_test.go * Fixing CHANGELOG --- CHANGELOG.next.asciidoc | 1 + .../module/elasticsearch/elasticsearch.go | 22 +++++++++++------- .../module/elasticsearch/index/index.go | 23 ++++++++++--------- .../module/elasticsearch/index/index_test.go | 22 ++++++++++++++---- 4 files changed, 45 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 87b46bdb789..6f218bba321 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -97,6 +97,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix storage metricset to allow config without region/zone. {issue}17623[17623] {pull}17624[17624] - Fix overflow on Prometheus rates when new buckets are added on the go. {pull}17753[17753] - Add a switch to the driver definition on SQL module to use pretty names {pull}17378[17378] +- The `elasticsearch/index` metricset only requests wildcard expansion for hidden indices if the monitored Elasticsearch cluster supports it. {pull}20938[20938] *Packetbeat* diff --git a/metricbeat/module/elasticsearch/elasticsearch.go b/metricbeat/module/elasticsearch/elasticsearch.go index ff0e6e7e456..c93e7ebd511 100644 --- a/metricbeat/module/elasticsearch/elasticsearch.go +++ b/metricbeat/module/elasticsearch/elasticsearch.go 
@@ -60,17 +60,23 @@ func NewModule(base mb.BaseModule) (mb.Module, error) { return elastic.NewModule(&base, xpackEnabledMetricSets, logp.NewLogger(ModuleName)) } -// CCRStatsAPIAvailableVersion is the version of Elasticsearch since when the CCR stats API is available. -var CCRStatsAPIAvailableVersion = common.MustNewVersion("6.5.0") +var ( + // CCRStatsAPIAvailableVersion is the version of Elasticsearch since when the CCR stats API is available. + CCRStatsAPIAvailableVersion = common.MustNewVersion("6.5.0") + + // EnrichStatsAPIAvailableVersion is the version of Elasticsearch since when the Enrich stats API is available. + EnrichStatsAPIAvailableVersion = common.MustNewVersion("7.5.0") -// EnrichStatsAPIAvailableVersion is the version of Elasticsearch since when the Enrich stats API is available. -var EnrichStatsAPIAvailableVersion = common.MustNewVersion("7.5.0") + // BulkStatsAvailableVersion is the version since when bulk indexing stats are available + BulkStatsAvailableVersion = common.MustNewVersion("8.0.0") -// BulkStatsAvailableVersion is the version since when bulk indexing stats are available -var BulkStatsAvailableVersion = common.MustNewVersion("8.0.0") + //ExpandWildcardsHiddenAvailableVersion is the version since when the "expand_wildcards" query parameter to + // the Indices Stats API can accept "hidden" as a value. + ExpandWildcardsHiddenAvailableVersion = common.MustNewVersion("7.7.0") -// Global clusterIdCache. Assumption is that the same node id never can belong to a different cluster id. -var clusterIDCache = map[string]string{} + // Global clusterIdCache. Assumption is that the same node id never can belong to a different cluster id. + clusterIDCache = map[string]string{} +) // ModuleName is the name of this module. const ModuleName = "elasticsearch" diff --git a/metricbeat/module/elasticsearch/index/index.go b/metricbeat/module/elasticsearch/index/index.go index 372f9a2dc82..96cfc437323 100644 
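Review bot: The new doc comment `//ExpandWildcardsHiddenAvailableVersion is the version since when ...` lacks the space after `//` that every other comment in the block has and that golint expects; it should read `// ExpandWildcardsHiddenAvailableVersion is the version since when the "expand_wildcards" query parameter to`. Moving the version sentinels into one `var (` block is an improvement, but `clusterIDCache` — a package-level map that is presumably written at runtime — now sits in the same block as values that never change after init, which hides that it is mutable shared state; a separate block or a one-line comment such as `// clusterIDCache is mutable shared state; see the accessor for its locking.` would keep the distinction visible (confirm how access is guarded, it is not shown here).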
--- a/metricbeat/module/elasticsearch/index/index.go
+++ b/metricbeat/module/elasticsearch/index/index.go
@@ -38,8 +38,12 @@ func init() {
 }

 const (
- statsMetrics = "docs,fielddata,indexing,merge,search,segments,store,refresh,query_cache,request_cache"
- statsPath = "/_stats/" + statsMetrics + "?filter_path=indices&expand_wildcards=open,hidden"
+ statsMetrics = "docs,fielddata,indexing,merge,search,segments,store,refresh,query_cache,request_cache"
+ expandWildcards = "expand_wildcards=open"
+ statsPath = "/_stats/" + statsMetrics + "?filter_path=indices&" + expandWildcards
+
+ bulkSuffix = ",bulk"
+ hiddenSuffix = ",hidden"
 )

 // MetricSet type defines all fields of the MetricSet
@@ -118,21 +122,18 @@ func (m *MetricSet) updateServicePath(esVersion common.Version) error {
 func getServicePath(esVersion common.Version) (string, error) {
 currPath := statsPath

- if esVersion.LessThan(elasticsearch.BulkStatsAvailableVersion) {
- // Can't request bulk stats so don't change service URI
- return currPath, nil
- }
-
 u, err := url.Parse(currPath)
 if err != nil {
 return "", err
 }

- if strings.HasSuffix(u.Path, ",bulk") {
- // Bulk stats already being requested so don't change service URI
- return currPath, nil
+ if !esVersion.LessThan(elasticsearch.BulkStatsAvailableVersion) {
+ u.Path += bulkSuffix
+ }
+
+ if !esVersion.LessThan(elasticsearch.ExpandWildcardsHiddenAvailableVersion) {
+ u.RawQuery = strings.Replace(u.RawQuery, expandWildcards, expandWildcards+hiddenSuffix, 1)
 }

- u.Path += ",bulk"
 return u.String(), nil
 }
diff --git a/metricbeat/module/elasticsearch/index/index_test.go b/metricbeat/module/elasticsearch/index/index_test.go
index 3f6119180ae..fe44dca6ba9 100644
--- a/metricbeat/module/elasticsearch/index/index_test.go
+++ b/metricbeat/module/elasticsearch/index/index_test.go
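Review bot: In `getServicePath`, `currPath` is now a single-use alias of `statsPath` — the two removed `return currPath, nil` branches were its only other readers — so `u, err := url.Parse(statsPath)` with the `currPath := statsPath` line dropped reads more directly. The new `strings.Replace(u.RawQuery, expandWildcards, expandWildcards+hiddenSuffix, 1)` only works while `statsPath` literally embeds `expandWildcards`; if someone later edits the query string the replacement becomes a silent no-op, so a comment next to the constants, `// statsPath must embed expandWildcards verbatim: getServicePath rewrites it in place for ES >= 7.7.`, ties the two together. Building the query via `url.Values` would be more robust, but `Encode` percent-encodes the comma and would change the URL the tests pin, so the comment is the cheaper fix.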
@@ -27,18 +27,29 @@ import ( "github.com/stretchr/testify/require" ) -func TestGetServiceURI(t *testing.T) { +func TestGetServiceURIExpectedPath(t *testing.T) { + path770 := strings.Replace(statsPath, expandWildcards, expandWildcards+hiddenSuffix, 1) + path800 := strings.Replace(path770, statsMetrics, statsMetrics+bulkSuffix, 1) + tests := map[string]struct { esVersion *common.Version expectedPath string }{ "bulk_stats_unavailable": { - esVersion: common.MustNewVersion("7.7.0"), + esVersion: common.MustNewVersion("7.6.0"), expectedPath: statsPath, }, "bulk_stats_available": { esVersion: common.MustNewVersion("8.0.0"), - expectedPath: strings.Replace(statsPath, statsMetrics, statsMetrics+",bulk", 1), + expectedPath: path800, + }, + "expand_wildcards_hidden_unavailable": { + esVersion: common.MustNewVersion("7.6.0"), + expectedPath: statsPath, + }, + "expand_wildcards_hidden_available": { + esVersion: common.MustNewVersion("7.7.0"), + expectedPath: path770, }, } @@ -52,6 +63,9 @@ func TestGetServiceURI(t *testing.T) { } func TestGetServiceURIMultipleCalls(t *testing.T) { + path := strings.Replace(statsPath, expandWildcards, expandWildcards+hiddenSuffix, 1) + path = strings.Replace(path, statsMetrics, statsMetrics+bulkSuffix, 1) + err := quick.Check(func(r uint) bool { numCalls := 2 + (r % 10) // between 2 and 11 @@ -64,7 +78,7 @@ func TestGetServiceURIMultipleCalls(t *testing.T) { } } - return err == nil && uri == strings.Replace(statsPath, statsMetrics, statsMetrics+",bulk", 1) + return err == nil && uri == path }, nil) require.NoError(t, err) } From ecee52a42510702d01b736c60f573e0b954d8d62 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Tue, 8 Sep 2020 15:47:43 -0700 Subject: [PATCH 33/36] Adding cborbeat to community beats (#20884) (#20904) --- libbeat/docs/communitybeats.asciidoc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
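Review bot: After this change `"bulk_stats_unavailable"` and `"expand_wildcards_hidden_unavailable"` are the same case (`7.6.0` → `statsPath`), so the first no longer checks the interesting boundary where hidden expansion is supported but bulk stats are not. Pointing it at `esVersion: common.MustNewVersion("7.7.0")` with `expectedPath: path770` would make it assert that `bulkSuffix` is absent while `hiddenSuffix` is present, and it would then differ from the `expand_wildcards_hidden_available` case only in intent, which the name already conveys. `TestGetServiceURIMultipleCalls` continues outside this hunk.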
diff --git a/libbeat/docs/communitybeats.asciidoc b/libbeat/docs/communitybeats.asciidoc index 371ba0886c2..b5821aa72fe 100644 --- a/libbeat/docs/communitybeats.asciidoc +++ b/libbeat/docs/communitybeats.asciidoc @@ -23,11 +23,11 @@ endif::[] NOTE: Elastic provides no warranty or support for community-sourced Beats. [horizontal] -https://github.com/visasimbu/IIBBeat[IIBBeat]:: Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch. https://github.com/awormuth/amazonbeat[amazonbeat]:: Reads data from a specified Amazon product. https://github.com/radoondas/apachebeat[apachebeat]:: Reads status from Apache HTTPD server-status. https://github.com/verticle-io/apexbeat[apexbeat]:: Extracts configurable contextual data and metrics from Java applications via the http://toolkits.verticle.io[APEX] toolkit. -https://github.com/hsngerami/hsnburrowbeat[hsnburrowbeat]:: Monitors Kafka consumer lag for Burrow V1.0.0(API V3). +https://github.com/MelonSmasher/browserbeat[browserbeat]:: Reads and ships browser history (Chrome, Firefox, & Safari) to an Elastic output. +https://github.com/toravir/cborbeat[cborbeat]:: Reads from cbor encoded files (specifically log files). More: https://cbor.io[CBOR Encoding] https://github.com/toravir/csd[Decoder] https://github.com/hartfordfive/cloudflarebeat[cloudflarebeat]:: Indexes log entries from the Cloudflare Enterprise Log Share API. https://github.com/jarl-tornroos/cloudfrontbeat[cloudfrontbeat]:: Reads log events from Amazon Web Services https://aws.amazon.com/cloudfront/[CloudFront]. https://github.com/aidan-/cloudtrailbeat[cloudtrailbeat]:: Reads events from Amazon Web Services' https://aws.amazon.com/cloudtrail/[CloudTrail]. 
@@ -59,8 +59,10 @@ https://github.com/ullaakut/hackerbeat[hackerbeat]:: Indexes the top stories of https://github.com/YaSuenag/hsbeat[hsbeat]:: Reads all performance counters in Java HotSpot VM. https://github.com/christiangalsterer/httpbeat[httpbeat]:: Polls multiple HTTP(S) endpoints and sends the data to Logstash or Elasticsearch. Supports all HTTP methods and proxies. +https://github.com/hsngerami/hsnburrowbeat[hsnburrowbeat]:: Monitors Kafka consumer lag for Burrow V1.0.0(API V3). https://github.com/jasperla/hwsensorsbeat[hwsensorsbeat]:: Reads sensors information from OpenBSD. https://github.com/icinga/icingabeat[icingabeat]:: Icingabeat ships events and states from Icinga 2 to Elasticsearch or Logstash. +https://github.com/visasimbu/IIBBeat[IIBBeat]:: Periodically executes shell commands or batch commands to collect IBM Integration node, Integration server, app status, bar file deployment time and bar file location to Logstash or Elasticsearch. https://github.com/devopsmakers/iobeat[iobeat]:: Reads IO stats from /proc/diskstats on Linux. https://github.com/radoondas/jmxproxybeat[jmxproxybeat]:: Reads Tomcat JMX metrics exposed over 'JMX Proxy Servlet' to HTTP. https://github.com/mheese/journalbeat[journalbeat]:: Used for log shipping from systemd/journald based Linux systems. From 0f9fe4f418c49b19c0374a385efc80fcaf6731f2 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Tue, 8 Sep 2020 15:47:57 -0700 Subject: [PATCH 34/36] docs: Update beats for APM (#20881) (#20906) --- libbeat/docs/howto/load-index-templates.asciidoc | 7 ++++--- libbeat/docs/shared/configuring-intro.asciidoc | 8 +++++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/libbeat/docs/howto/load-index-templates.asciidoc b/libbeat/docs/howto/load-index-templates.asciidoc index 0cdd4ed80fb..bd5e249b90c 100644 --- a/libbeat/docs/howto/load-index-templates.asciidoc +++ b/libbeat/docs/howto/load-index-templates.asciidoc 
@@ -4,7 +4,7 @@ {es} uses {ref}/indices-templates.html[index templates] to define: * Settings that control the behavior of your indices. The settings include the -lifecycle policy used to manage indices as they grow and age. +lifecycle policy used to manage indices as they grow and age. * Mappings that determine how fields are analyzed. Each mapping sets the {ref}/mapping-types.html[{es} datatype] to use for a specific data field. @@ -17,7 +17,7 @@ it's not overwritten unless you configure {beatname_uc} to do so. ifndef::no-output-logstash[] NOTE: A connection to {es} is required to load the index template. If the output is not {es} (or {ess}), you must -<>. +<>. endif::[] This page shows how to change the default template loading behavior to: @@ -83,9 +83,10 @@ The examples here assume that Logstash output is enabled. endif::[] You can omit the `-E` flags if {es} output is already enabled. - +ifndef::apm-server[] If you are connecting to a secured {es} cluster, make sure you've configured credentials as described in the <<{beatname_lc}-installation-configuration>>. +endif::[] If the host running {beatname_uc} does not have direct connectivity to {es}, see <>. diff --git a/libbeat/docs/shared/configuring-intro.asciidoc b/libbeat/docs/shared/configuring-intro.asciidoc index e7be5e4f24c..82812c34bd1 100644 --- a/libbeat/docs/shared/configuring-intro.asciidoc +++ b/libbeat/docs/shared/configuring-intro.asciidoc 
@@ -1,12 +1,14 @@ +ifndef::apm-server[] TIP: To get started quickly, read <<{beatname_lc}-installation-configuration>>. +endif::[] To configure {beatname_uc}, edit the configuration file. The default configuration file is called +{beatname_lc}.yml+. The location of the file -varies by platform. To locate the file, see <>. +varies by platform. To locate the file, see <>. -ifeval::["{beatname_lc}"!="apm-server"] -There’s also a full example configuration file called +{beatname_lc}.reference.yml+ +ifndef::apm-server[] +There’s also a full example configuration file called +{beatname_lc}.reference.yml+ that shows all non-deprecated options. endif::[] From 768dfc9068f227b29625eba23af99660f21bfd76 Mon Sep 17 00:00:00 2001 From: Chris Mark Date: Wed, 9 Sep 2020 13:34:24 +0300 Subject: [PATCH 35/36] Cherry-pick #20984 to 7.9: Add container ECS fields in kubernetes metadata (#21034) --- CHANGELOG.next.asciidoc | 1 + go.mod | 2 +- .../autodiscover/providers/kubernetes/pod.go | 24 +++++-- .../providers/kubernetes/pod_test.go | 72 ++++++++++++++----- .../add_kubernetes_metadata/indexers.go | 31 ++++++-- .../add_kubernetes_metadata/indexers_test.go | 24 +++++-- .../add_kubernetes_metadata/kubernetes.go | 19 ++++- 7 files changed, 136 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6f218bba321..58d4d4efab8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -118,6 +118,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update documentation for system.process.memory fields to include clarification on Windows os's. {pull}17268[17268] - When using the `decode_json_fields` processor, decoded fields are now deep-merged into existing event. {pull}17958[17958] - Add keystore support for autodiscover static configurations. {pull]16306[16306] +- Add container ECS fields in kubernetes metadata. {pull}20984[20984] *Auditbeat* 
diff --git a/go.mod b/go.mod index 8cc1a36c361..32766dfa309 100644 --- a/go.mod +++ b/go.mod @@ -166,7 +166,7 @@ require ( golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 golang.org/x/text v0.3.2 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 - golang.org/x/tools v0.0.0-20200701041122-1837592efa10 + golang.org/x/tools v0.0.0-20200904185747-39188db58858 google.golang.org/api v0.15.0 google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb google.golang.org/grpc v1.29.1 diff --git a/libbeat/autodiscover/providers/kubernetes/pod.go b/libbeat/autodiscover/providers/kubernetes/pod.go index 033146a84d4..b8679f59ef9 100644 --- a/libbeat/autodiscover/providers/kubernetes/pod.go +++ b/libbeat/autodiscover/providers/kubernetes/pod.go @@ -335,19 +335,29 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet // so it works also on `stop` if containers have been already deleted. eventID := fmt.Sprintf("%s.%s", pod.GetObjectMeta().GetUID(), c.Name) + meta := p.metagen.Generate( + pod, + metadata.WithFields("container.name", c.Name), + metadata.WithFields("container.image", c.Image), + ) + cmeta := common.MapStr{ - "id": cid, - "name": c.Name, - "image": c.Image, + "id": cid, + "image": common.MapStr{ + "name": c.Image, + }, "runtime": runtimes[c.Name], } - meta := p.metagen.Generate(pod, metadata.WithFields("container.name", c.Name), - metadata.WithFields("container.image", c.Image)) // Information that can be used in discovering a workload kubemeta := meta.Clone() - kubemeta["container"] = cmeta kubemeta["annotations"] = annotations + kubemeta["container"] = common.MapStr{ + "id": cid, + "name": c.Name, + "image": c.Image, + "runtime": runtimes[c.Name], + } if len(nsAnn) != 0 { kubemeta["namespace_annotations"] = nsAnn } 
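Review bot: In the `pod.go` `@@ -335` hunk, `cmeta` and the literal assigned to `kubemeta["container"]` are built from the same four values (`cid`, `c.Name`, `c.Image`, `runtimes[c.Name]`) in two shapes, and the updated expectations in the `pod_test.go` hunks show `"id": ""` and `"runtime": ""` being emitted whenever no container status is known. Empty ECS `container.id` / `container.runtime` fields are noise for consumers that filter or aggregate on them; guarding with `if cid != "" { cmeta["id"] = cid }` and the same for `runtime` would keep the event clean. The `@@ -364` and `@@ -380` hunks attach that same `cmeta` and share the concern. `emitEvents` starts and ends outside this hunk.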
@@ -364,6 +374,7 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet "kubernetes": kubemeta, "meta": common.MapStr{ "kubernetes": meta, + "container": cmeta, }, } events = append(events, event) @@ -380,6 +391,7 @@ func (p *pod) emitEvents(pod *kubernetes.Pod, flag string, containers []kubernet "kubernetes": kubemeta, "meta": common.MapStr{ "kubernetes": meta, + "container": cmeta, }, } events = append(events, event) diff --git a/libbeat/autodiscover/providers/kubernetes/pod_test.go b/libbeat/autodiscover/providers/kubernetes/pod_test.go index f22bfc64cea..5456781d883 100644 --- a/libbeat/autodiscover/providers/kubernetes/pod_test.go +++ b/libbeat/autodiscover/providers/kubernetes/pod_test.go @@ -446,15 +446,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "foobar", + "runtime": "docker", }, }, "config": []*common.Config{}, 
@@ -565,15 +571,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "docker", + "id": "foobar", }, }, "config": []*common.Config{}, @@ -604,15 +616,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "foobar", + "runtime": "docker", }, }, "config": []*common.Config{}, @@ -769,15 +787,21 @@ func TestEmitEvent(t *testing.T) { "meta": common.MapStr{ "kubernetes": common.MapStr{ "namespace": "default", - "container": common.MapStr{ - "name": "filebeat", - "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, + "container": common.MapStr{ + "name": "filebeat", + "image": "elastic/filebeat:6.3.0", + }, + }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "", + "id": "", }, }, "config": []*common.Config{}, 
@@ -874,13 +898,19 @@ func TestEmitEvent(t *testing.T) { "container": common.MapStr{ "name": "filebeat", "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + }, + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "id": "", + "runtime": "", + }, }, "config": []*common.Config{}, }, @@ -976,13 +1006,19 @@ func TestEmitEvent(t *testing.T) { "container": common.MapStr{ "name": "filebeat", "image": "elastic/filebeat:6.3.0", - }, "pod": common.MapStr{ + }, + "pod": common.MapStr{ "name": "filebeat", "uid": "005f3b90-4b9d-12f8-acf0-31020a840133", }, "node": common.MapStr{ "name": "node", }, }, + "container": common.MapStr{ + "image": common.MapStr{"name": "elastic/filebeat:6.3.0"}, + "runtime": "", + "id": "", + }, }, "config": []*common.Config{}, }, diff --git a/libbeat/processors/add_kubernetes_metadata/indexers.go b/libbeat/processors/add_kubernetes_metadata/indexers.go index 76c9c002c11..017913771fc 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers.go 
@@ -183,14 +183,19 @@ func NewContainerIndexer(_ common.Config, metaGen metadata.MetaGen) (Indexer, er func (c *ContainerIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex { var m []MetadataIndex for _, status := range append(pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses...) { - cID := kubernetes.ContainerID(status) + cID, runtime := kubernetes.ContainerIDWithRuntime(status) if cID == "" { continue } m = append(m, MetadataIndex{ Index: cID, - Data: c.metaGen.Generate(pod, metadata.WithFields("container.name", status.Name), - metadata.WithFields("container.image", status.Image)), + Data: c.metaGen.Generate( + pod, + metadata.WithFields("container.name", status.Name), + metadata.WithFields("container.image", status.Image), + metadata.WithFields("container.id", cID), + metadata.WithFields("container.runtime", runtime), + ), }) } @@ -234,14 +239,30 @@ func (h *IPPortIndexer) GetMetadata(pod *kubernetes.Pod) []MetadataIndex { Data: h.metaGen.Generate(pod), }) + cIDs := make(map[string]string) + runtimes := make(map[string]string) + for _, status := range append(pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses...) { + cID, runtime := kubernetes.ContainerIDWithRuntime(status) + if cID == "" { + continue + } + cIDs[status.Name] = cID + runtimes[status.Name] = runtime + } + for _, container := range pod.Spec.Containers { for _, port := range container.Ports { if port.ContainerPort != 0 { m = append(m, MetadataIndex{ Index: fmt.Sprintf("%s:%d", pod.Status.PodIP, port.ContainerPort), - Data: h.metaGen.Generate(pod, metadata.WithFields("container.name", container.Name), - metadata.WithFields("container.image", container.Image)), + Data: h.metaGen.Generate( + pod, + metadata.WithFields("container.name", container.Name), + metadata.WithFields("container.image", container.Image), + metadata.WithFields("container.id", cIDs[container.Name]), + metadata.WithFields("container.runtime", runtimes[container.Name]), + ), }) } } 
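Review bot: The new loop in `IPPortIndexer.GetMetadata` ranges over `append(pod.Status.ContainerStatuses, pod.Status.InitContainerStatuses...)`, which writes the init-container statuses into any spare capacity of the pod's own `ContainerStatuses` backing array; when the pod comes from a shared cache that is a hidden mutation of an object other readers hold (the same idiom already exists as context in the `ContainerIndexer` hunk, so a small shared helper would fix both). Copying into a fresh slice first keeps the cached object untouched, and hoisting the helper also removes the now-duplicated `ContainerIDWithRuntime` loop. The semantics of `kubernetes.ContainerIDWithRuntime` are not shown here, so the empty-ID `continue` is assumed to be the intended skip.

```go
	// Copy into a fresh slice so the pod's cached status slices are never written to.
	statuses := make([]kubernetes.PodContainerStatus, 0, len(pod.Status.ContainerStatuses)+len(pod.Status.InitContainerStatuses))
	statuses = append(statuses, pod.Status.ContainerStatuses...)
	statuses = append(statuses, pod.Status.InitContainerStatuses...)
	for _, status := range statuses {
		// … unchanged: cID/runtime lookup and cIDs/runtimes population …
	}
```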
diff --git a/libbeat/processors/add_kubernetes_metadata/indexers_test.go b/libbeat/processors/add_kubernetes_metadata/indexers_test.go index 5eca3050fae..6d584c395cb 100644 --- a/libbeat/processors/add_kubernetes_metadata/indexers_test.go +++ b/libbeat/processors/add_kubernetes_metadata/indexers_test.go @@ -211,14 +211,18 @@ func TestContainerIndexer(t *testing.T) { assert.Equal(t, indices[1], "fghij") expected["container"] = common.MapStr{ - "name": container, - "image": containerImage, + "name": container, + "image": containerImage, + "id": "abcde", + "runtime": "docker", } assert.Equal(t, expected.String(), indexers[0].Data.String()) expected["container"] = common.MapStr{ - "name": initContainer, - "image": initContainerImage, + "name": initContainer, + "image": initContainerImage, + "id": "fghij", + "runtime": "docker", } assert.Equal(t, expected.String(), indexers[1].Data.String()) } @@ -372,7 +376,8 @@ func TestIpPortIndexer(t *testing.T) { }, Status: v1.PodStatus{ - PodIP: ip, + PodIP: ip, + ContainerStatuses: make([]kubernetes.PodContainerStatus, 0), }, } @@ -414,6 +419,13 @@ func TestIpPortIndexer(t *testing.T) { }, }, } + pod.Status.ContainerStatuses = []kubernetes.PodContainerStatus{ + { + Name: container, + Image: containerImage, + ContainerID: "docker://foobar", + }, + } nodeName := "testnode" pod.Spec.NodeName = nodeName @@ -429,6 +441,6 @@ func TestIpPortIndexer(t *testing.T) { assert.Equal(t, fmt.Sprintf("%s:%d", ip, port), indices[1]) assert.Equal(t, expected.String(), indexers[0].Data.String()) - expected["container"] = common.MapStr{"name": container, "image": containerImage} + expected["container"] = common.MapStr{"name": container, "image": containerImage, "id": "foobar", "runtime": "docker"} assert.Equal(t, expected.String(), indexers[1].Data.String()) } diff --git a/libbeat/processors/add_kubernetes_metadata/kubernetes.go b/libbeat/processors/add_kubernetes_metadata/kubernetes.go index 94bc3739145..2a5f4d2faed 100644 
--- a/libbeat/processors/add_kubernetes_metadata/kubernetes.go +++ b/libbeat/processors/add_kubernetes_metadata/kubernetes.go @@ -218,8 +218,25 @@ func (k *kubernetesAnnotator) Run(event *beat.Event) (*beat.Event, error) { return event, nil } + metaClone := metadata.Clone() + metaClone.Delete("container.name") + containerImage, err := metadata.GetValue("container.image") + if err == nil { + metaClone.Delete("container.image") + metaClone.Put("container.image.name", containerImage) + } + cmeta, err := metaClone.Clone().GetValue("container") + if err == nil { + event.Fields.DeepUpdate(common.MapStr{ + "container": cmeta, + }) + } + + kubeMeta := metadata.Clone() + kubeMeta.Delete("container.id") + kubeMeta.Delete("container.runtime") event.Fields.DeepUpdate(common.MapStr{ - "kubernetes": metadata.Clone(), + "kubernetes": kubeMeta, }) return event, nil From 100f8ec0ce88abab47fdf1e44e59de851f4d23d2 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Wed, 9 Sep 2020 23:25:53 -0700 Subject: [PATCH 36/36] Update api-keys.asciidoc - API key prerequisites (#21026) (#21028) * Update api-keys.asciidoc - API key prerequisites Add references to required privileges within the API key examples * Update libbeat/docs/security/api-keys.asciidoc Co-authored-by: DeDe Morton Co-authored-by: DeDe Morton Co-authored-by: Rob Waight <43173714+rwaight@users.noreply.github.com> --- libbeat/docs/security/api-keys.asciidoc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libbeat/docs/security/api-keys.asciidoc b/libbeat/docs/security/api-keys.asciidoc index 403fd011122..aa397ff5fee 100644 --- a/libbeat/docs/security/api-keys.asciidoc +++ b/libbeat/docs/security/api-keys.asciidoc 
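Review bot: `Run` now deep-copies `metadata` three times per event — `metadata.Clone()` for `metaClone`, `metaClone.Clone()` before `GetValue("container")`, and `metadata.Clone()` again for `kubeMeta` — and this processor sits on the per-event path, so the extra copies are paid for every event. The middle one looks redundant: `metaClone` is not used after `GetValue`, so `cmeta, err := metaClone.GetValue("container")` drops one full copy, assuming `Clone` is a deep copy that already detached the `container` submap from `metadata` (confirm against `common.MapStr`). The same reshape (drop `container.name`, move `container.image` under `image.name`, strip `id`/`runtime` from the kubernetes copy) is hand-written again in `pod.go`'s `emitEvents` in this commit; a shared helper would keep the two representations from drifting. The ignored results of the `Delete` calls are fine for best-effort removal but deserve a one-line comment saying so. `Run` starts outside this hunk.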
@@ -14,6 +14,8 @@ API key. For different clusters, you need to use an API key per cluster. NOTE: For security reasons, we recommend using a unique API key per {beatname_uc} instance. You can create as many API keys per user as necessary. +IMPORTANT: Review <> before creating API keys for {beatname_uc}. + [float] [[beats-api-key-publish]] === Create an API key for publishing @@ -41,6 +43,8 @@ POST /_security/api_key <1> Name of the API key <2> Granted privileges, see <> +NOTE: See <> for the list of privileges required to publish events. + The return value will look something like this: [source,console-result,subs="attributes,callouts"] @@ -89,6 +93,8 @@ POST /_security/api_key <1> Name of the API key <2> Granted privileges, see <> +NOTE: See <> for the list of privileges required to send monitoring data. + The return value will look something like this: [source,console-result,subs="attributes,callouts"]