diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2cca08ee1ce..447c8146f4d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -38,6 +38,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910] - Improve ECS categorization field mappings for nginx module. http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844] - Improve ECS field mappings in santa module. move hash.sha256 to process.hash.sha256 & move certificate fields to santa.certificate . {issue}16180[16180] {pull}17982[17982] +- With the default configuration the following modules will no longer send the `host` + field. You can revert this change by configuring tags for the module and omitting + `forwarded` from the list. {issue}13920[13920] +* Cisco {pull}18753[18753] - Preserve case of http.request.method. ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359] *Heartbeat* diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index 03ec85cae7f..939928fd3db 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc @@ -104,6 +104,12 @@ Set to 0.0.0.0 to bind to all available interfaces. The UDP port to listen for syslog traffic. Defaults to 9001. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cisco-asa, forwarded]`. + :has-dashboards!: :fileset_ex!: 
@@ -246,6 +252,12 @@ Set to 0.0.0.0 to bind to all available interfaces. The UDP port to listen for syslog traffic. Defaults to 9003. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cisco-ftd, forwarded]`. + :has-dashboards!: :fileset_ex!: @@ -277,6 +289,12 @@ Set to 0.0.0.0 to bind to all available interfaces. The UDP port to listen for syslog traffic. Defaults to 9002. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cisco-ios, forwarded]`. + include::../include/timezone-support.asciidoc[] :has-dashboards!: @@ -287,10 +305,10 @@ include::../include/timezone-support.asciidoc[] [[dynamic-script-compilations]] === Dynamic Script Compilations -The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and -make extensive use of script processors and painless conditions. This can cause +The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and +make extensive use of script processors and painless conditions. This can cause the pipelines to fail loading the first time the module is used, due to exceeding -the maximum script compilation limits. It is recommended to tune the following +the maximum script compilation limits. It is recommended to tune the following parameters on your Elasticsearch cluster: - {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc index 6c58bc43397..7cc6a1996f0 100644 --- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc 
@@ -99,6 +99,12 @@ Set to 0.0.0.0 to bind to all available interfaces. The UDP port to listen for syslog traffic. Defaults to 9001. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cisco-asa, forwarded]`. + :has-dashboards!: :fileset_ex!: @@ -241,6 +247,12 @@ Set to 0.0.0.0 to bind to all available interfaces. The UDP port to listen for syslog traffic. Defaults to 9003. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cisco-ftd, forwarded]`. + :has-dashboards!: :fileset_ex!: @@ -272,6 +284,12 @@ Set to 0.0.0.0 to bind to all available interfaces. The UDP port to listen for syslog traffic. Defaults to 9002. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cisco-ios, forwarded]`. + include::../include/timezone-support.asciidoc[] :has-dashboards!: 
@@ -282,10 +300,10 @@ include::../include/timezone-support.asciidoc[] [[dynamic-script-compilations]] === Dynamic Script Compilations -The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and -make extensive use of script processors and painless conditions. This can cause +The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and +make extensive use of script processors and painless conditions. This can cause the pipelines to fail loading the first time the module is used, due to exceeding -the maximum script compilation limits. It is recommended to tune the following +the maximum script compilation limits. It is recommended to tune the following parameters on your Elasticsearch cluster: - {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]: diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 36678692964..0cffa76a01f 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -15,7 +15,8 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_locale: ~ diff --git a/x-pack/filebeat/module/cisco/asa/manifest.yml b/x-pack/filebeat/module/cisco/asa/manifest.yml index 9a87696d023..58b1bed572a 100644 --- a/x-pack/filebeat/module/cisco/asa/manifest.yml +++ b/x-pack/filebeat/module/cisco/asa/manifest.yml @@ -5,7 +5,7 @@ var: default: - /var/log/cisco-asa.log - name: tags - default: [cisco-asa] + default: [cisco-asa, forwarded] - name: syslog_host default: localhost - name: syslog_port diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 46b614d3c3a..09cce4899fc 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json 
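Review bot: The added `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in `x-pack/filebeat/module/cisco/asa/config/input.yml` carries no comment explaining why `host.name` is being suppressed, and the reason is not obvious from the line itself: for syslog received over the network, `host.name` would identify the Filebeat collector rather than the firewall that produced the event, as the `var.tags` docs added in this commit spell out. I would put that on the line, e.g. `# host.name would name this collector, not the device; suppressed unless "forwarded" is removed from var.tags`, since `inList` is an exact match on the user-supplied tag list and a misspelled or dropped `forwarded` quietly re-enables the field. The same line is added to `x-pack/filebeat/module/cisco/ftd/config/input.yml` later in this diff and the note applies there too. The docs hunks also document a `[cisco-ios, forwarded]` default for the ios fileset, but no change to the ios fileset's `input.yml` or `manifest.yml` is visible in this part of the diff; if it is not elsewhere in the commit, the ios documentation and the changelog entry overstate what the change does.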
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -26,7 +26,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -56,7 +57,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -106,7 +108,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -156,7 +159,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -206,7 +210,8 @@ "source.ip": "100.66.185.90", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -256,7 +261,8 @@ "source.ip": "100.66.185.90", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -306,7 +312,8 @@ "source.ip": "100.66.160.197", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -356,7 +363,8 @@ "source.ip": "100.66.205.14", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -406,7 +414,8 @@ "source.ip": "100.66.124.33", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -456,7 +465,8 @@ "source.ip": "100.66.35.9", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -506,7 +516,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -556,7 +567,8 @@ "source.ip": "100.66.218.21", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -606,7 +618,8 @@ "source.ip": "100.66.198.27", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -656,7 +669,8 @@ "source.ip": "100.66.198.27", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -706,7 +720,8 @@ "source.ip": "100.66.202.211", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -756,7 +771,8 @@ "source.ip": "100.66.124.15", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -806,7 +822,8 @@ "source.ip": "100.66.124.15", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -856,7 +873,8 @@ "source.ip": "100.66.209.247", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -906,7 +924,8 @@ "source.ip": "100.66.35.162", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -936,7 +955,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -966,7 +986,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1016,7 +1037,8 @@ "source.ip": "100.66.80.32", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1046,7 +1068,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1096,7 +1119,8 @@ "source.ip": "100.66.252.6", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1126,7 +1150,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1156,7 +1181,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1186,7 +1212,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1216,7 +1243,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1246,7 +1274,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1276,7 +1305,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1326,7 +1356,8 @@ "source.ip": "100.66.238.126", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1376,7 +1407,8 @@ "source.ip": "100.66.93.51", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1406,7 +1438,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1436,7 +1469,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1466,7 +1500,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1496,7 +1531,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1526,7 +1562,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1576,7 +1613,8 @@ "source.ip": "100.66.240.126", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1626,7 +1664,8 @@ "source.ip": "100.66.44.45", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1656,7 +1695,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1686,7 +1726,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1716,7 +1757,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1746,7 +1788,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1796,7 +1839,8 @@ "source.ip": "100.66.157.232", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1846,7 +1890,8 @@ "source.ip": "100.66.178.133", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1876,7 +1921,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1906,7 +1952,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1956,7 +2003,8 @@ "source.ip": "100.66.133.112", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1986,7 +2034,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2036,7 +2085,8 @@ "source.ip": "100.66.157.232", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2086,7 +2136,8 @@ "source.ip": "100.66.204.197", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2116,7 +2167,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2146,7 +2198,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2176,7 +2229,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2206,7 +2260,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2236,7 +2291,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2266,7 +2322,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2296,7 +2353,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2346,7 +2404,8 @@ "source.ip": "100.66.100.4", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2376,7 +2435,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -2406,7 +2466,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2436,7 +2497,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2466,7 +2528,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2496,7 +2559,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2546,7 +2610,8 @@ "source.ip": "100.66.198.40", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2576,7 +2641,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2606,7 +2672,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2656,7 +2723,8 @@ "source.ip": "100.66.1.107", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2686,7 +2754,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2716,7 +2785,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2746,7 +2816,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2776,7 +2847,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2806,7 +2878,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2836,7 +2909,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2866,7 +2940,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -2896,7 +2971,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2926,7 +3002,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2956,7 +3033,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2986,7 +3064,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3036,7 +3115,8 @@ "source.ip": "100.66.115.46", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3086,7 +3166,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3116,7 +3197,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3146,7 +3228,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3193,7 +3276,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3240,7 +3324,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3287,7 +3372,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3334,7 +3420,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3381,7 +3468,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3428,7 +3516,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3475,7 +3564,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -3522,7 +3612,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3569,7 +3660,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3616,7 +3708,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3663,7 +3756,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3710,7 +3804,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3757,7 +3852,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3787,7 +3883,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3817,7 +3914,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3847,7 +3945,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -3877,7 +3976,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index e006b92f418..cff051f89ae 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -38,7 +38,8 @@ "source.geo.region_name": "Moscow", "source.ip": "1.2.3.4", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ], "user.email": "firsname.lastname@domain.net" } 
diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index d72bda89a9a..0cdbce9fc70 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -24,7 +24,8 @@ "process.pid": 1234, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -68,7 +69,8 @@ "source.ip": "10.13.12.11", "source.port": 45321, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 9e998757735..5af2ac66dca 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -31,7 +31,8 @@ "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -72,7 +73,8 @@ "source.address": "192.0.2.134", "source.ip": "192.0.2.134", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index dcb44cd1565..8747c17b868 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -40,7 +40,8 @@ "source.port": 27218, "syslog.facility": 165, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -80,7 +81,8 @@ "source.address": "192.168.132.46", "source.ip": "192.168.132.46", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -135,7 +137,8 @@ "source.nat.port": "11234", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index dda06bb5f40..ce31629c9fc 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -40,7 +40,8 @@ "source.ip": "10.1.2.30", "source.port": 63016, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -84,7 +85,8 @@ "source.ip": "10.1.2.30", "source.port": 63016, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -129,7 +131,8 @@ "source.ip": "10.1.2.16", "source.port": 2241, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -174,7 +177,8 @@ "source.ip": "172.29.2.101", "source.port": 1039, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -219,7 +223,8 @@ "source.ip": "172.29.2.3", "source.port": 1065, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -246,7 +251,8 @@ "log.offset": 812, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -273,7 +279,8 @@ "log.offset": 938, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -300,7 +307,8 @@ "log.offset": 1110, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -327,7 +335,8 @@ "log.offset": 1237, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -354,7 +363,8 @@ "log.offset": 1405, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -381,7 +391,8 @@ "log.offset": 1531, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -428,7 +439,8 @@ "source.ip": "192.0.2.222", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -477,7 +489,8 @@ "source.ip": "192.0.2.222", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -517,7 +530,8 @@ "source.address": "192.168.132.46", "source.ip": "192.168.132.46", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -544,7 +558,8 @@ "log.offset": 2167, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -571,7 +586,8 @@ "log.offset": 2293, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -614,7 +630,8 @@ "source.ip": "192.0.0.66", "source.port": 12981, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -658,7 +675,8 @@ "source.ip": "10.0.0.16", "source.port": 2006, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -702,7 +720,8 @@ "source.ip": "10.0.0.46", "source.port": 49734, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -746,7 +765,8 @@ "source.ip": "10.0.0.46", "source.port": 49735, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -790,7 +810,8 @@ "source.ip": "10.0.0.46", "source.port": 49736, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -834,7 +855,8 @@ "source.ip": "10.0.0.46", "source.port": 49737, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -878,7 +900,8 @@ "source.ip": "10.0.0.46", "source.port": 49738, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -922,7 +945,8 @@ "source.ip": "10.0.0.46", "source.port": 49746, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -966,7 +990,8 @@ "source.ip": "10.0.0.16", "source.port": 2007, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1010,7 +1035,8 @@ "source.ip": "10.0.0.13", "source.port": 43013, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1054,7 +1080,8 @@ "source.ip": "10.0.0.16", "source.port": 2008, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1097,7 +1124,8 @@ "source.ip": "192.0.2.66", "source.port": 137, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1140,7 +1168,8 @@ "source.ip": "192.0.2.66", "source.port": 12981, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1184,7 +1213,8 @@ "source.ip": "10.0.0.16", "source.port": 2009, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1228,7 +1258,8 @@ "source.ip": "10.0.0.46", "source.port": 49776, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1272,7 +1303,8 @@ "source.ip": "10.0.0.16", "source.port": 2010, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1316,7 +1348,8 @@ "source.ip": "10.0.0.16", "source.port": 2011, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1360,7 +1393,8 @@ "source.ip": "10.0.0.16", "source.port": 2012, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1404,7 +1438,8 @@ "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1448,7 +1483,8 @@ "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1492,7 +1528,8 @@ "source.ip": "10.0.0.46", "source.port": 49840, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1536,7 +1573,8 @@ "source.ip": "10.0.0.16", "source.port": 2013, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1581,7 +1619,8 @@ "source.ip": "10.0.0.16", "source.port": 2241, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1609,7 +1648,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1637,7 +1677,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1682,7 +1723,8 @@ "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1727,7 +1769,8 @@ "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1755,7 +1798,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1783,7 +1827,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1831,7 +1876,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1879,7 +1925,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1927,7 +1974,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1970,7 +2018,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2013,7 +2062,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2058,7 +2108,8 @@ "source.ip": "192.168.1.34", "source.port": 5679, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2086,7 +2137,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2114,7 +2166,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2162,7 +2215,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2209,7 +2263,8 @@ "source.ip": "10.44.4.4", "source.port": 500, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2248,7 +2303,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2287,7 +2343,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2326,7 +2383,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -2365,7 +2423,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2404,7 +2463,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2443,7 +2503,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2482,7 +2543,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2521,7 +2583,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2566,7 +2629,8 @@ "source.ip": "192.0.2.95", "source.port": 24069, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2606,7 +2670,8 @@ "source.address": "10.2.3.5", "source.ip": "10.2.3.5", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2647,7 +2712,8 @@ "source.address": "172.16.30.2", "source.ip": "172.16.30.2", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2699,7 +2765,8 @@ "source.nat.port": "7890", "source.port": 6798, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2750,7 +2817,8 @@ "source.nat.port": "33340", "source.port": 33340, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2802,7 +2870,8 @@ "source.nat.port": "33340", "source.port": 33340, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2839,7 +2908,8 @@ "source.address": "10.30.30.30", "source.ip": "10.30.30.30", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ], "url.original": "/app" }, @@ -2877,7 +2947,8 @@ "source.address": "10.5.111.32", "source.ip": "10.5.111.32", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ], "url.original": "http://example.com" }, 
@@ -2916,7 +2987,8 @@
 "source.address": "10.69.6.39",
 "source.ip": "10.69.6.39",
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ],
 "url.original": "http://www.example.net/images/favicon.ico"
 }
diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml
index b5fd241282f..a505d3030eb 100644
--- a/x-pack/filebeat/module/cisco/ftd/config/input.yml
+++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml
@@ -14,7 +14,8 @@ exclude_files: [".gz$"]
 {{ end }}
-tags: {{.tags}}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 processors:
 - add_locale: ~
diff --git a/x-pack/filebeat/module/cisco/ftd/manifest.yml b/x-pack/filebeat/module/cisco/ftd/manifest.yml
index dfcd093ac86..e18956c1dc8 100644
--- a/x-pack/filebeat/module/cisco/ftd/manifest.yml
+++ b/x-pack/filebeat/module/cisco/ftd/manifest.yml
@@ -5,7 +5,7 @@ var:
 default:
 - /var/log/cisco-ftd.log
 - name: tags
- default: [cisco-ftd]
+ default: [cisco-ftd, forwarded]
 - name: syslog_host
 default: localhost
 - name: syslog_port
diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
index e1c713385bf..37b0b3de1b6 100644
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json
@@ -25,7 +25,8 @@
 "process.pid": 999,
 "service.type": "cisco",
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 },
 {
@@ -54,7 +55,8 @@
 "process.pid": 999,
 "service.type": "cisco",
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 },
 {
@@ -103,7 +105,8 @@
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 },
 {
@@ -152,7 +155,8 @@
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
- "cisco-ftd"
+ "cisco-ftd",
+ "forwarded"
 ]
 },
 {
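Review bot: `publisher_pipeline.disable_host` in the input.yml hunk is keyed on the literal `forwarded` tag inside the same `tags` list that users are documented to override, so a deployment that sets `var.tags` to its own labels and leaves out `forwarded` silently starts adding `host.name` again to syslog that is still forwarded, and nothing in the template says so. A comment above the new line would make that coupling visible to a maintainer reading input.yml without the module docs, e.g. `# host.name is added only when "forwarded" is absent from var.tags; syslog received here did not originate on this host`. The same coupling applies to the manifest.yml hunk below, where the default now carries `forwarded`. Since `host.name` is no longer set on these events by default, saved searches, dashboards or detection rules that filter Cisco FTD events by `host.name` will need to move to another field once this ships; the changelog entry describes the field removal but not that downstream impact.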
@@ -201,7 +205,8 @@ "source.ip": "100.66.185.90", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -250,7 +255,8 @@ "source.ip": "100.66.185.90", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -299,7 +305,8 @@ "source.ip": "100.66.160.197", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -348,7 +355,8 @@ "source.ip": "100.66.205.14", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -397,7 +405,8 @@ "source.ip": "100.66.124.33", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -446,7 +455,8 @@ "source.ip": "100.66.35.9", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -495,7 +505,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -544,7 +555,8 @@ "source.ip": "100.66.218.21", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -593,7 +605,8 @@ "source.ip": "100.66.198.27", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -642,7 +655,8 @@ "source.ip": "100.66.198.27", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -691,7 +705,8 @@ "source.ip": "100.66.202.211", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -740,7 +755,8 @@ "source.ip": "100.66.124.15", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -789,7 +805,8 @@ "source.ip": "100.66.124.15", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -838,7 +855,8 @@ "source.ip": "100.66.209.247", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -887,7 +905,8 @@ "source.ip": "100.66.35.162", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -916,7 +935,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -945,7 +965,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -994,7 +1015,8 @@ "source.ip": "100.66.80.32", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1023,7 +1045,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1072,7 +1095,8 @@ "source.ip": "100.66.252.6", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1101,7 +1125,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1130,7 +1155,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1159,7 +1185,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1188,7 +1215,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1217,7 +1245,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1246,7 +1275,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1295,7 +1325,8 @@ "source.ip": "100.66.238.126", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1344,7 +1375,8 @@ "source.ip": "100.66.93.51", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1373,7 +1405,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1402,7 +1435,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1431,7 +1465,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1460,7 +1495,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1489,7 +1525,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1538,7 +1575,8 @@ "source.ip": "100.66.240.126", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1587,7 +1625,8 @@ "source.ip": "100.66.44.45", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1616,7 +1655,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1645,7 +1685,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1674,7 +1715,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1703,7 +1745,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1752,7 +1795,8 @@ "source.ip": "100.66.157.232", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1801,7 +1845,8 @@ "source.ip": "100.66.178.133", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1830,7 +1875,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1859,7 +1905,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1908,7 +1955,8 @@ "source.ip": "100.66.133.112", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1937,7 +1985,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1986,7 +2035,8 @@ "source.ip": "100.66.157.232", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2035,7 +2085,8 @@ "source.ip": "100.66.204.197", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2064,7 +2115,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2093,7 +2145,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2122,7 +2175,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2151,7 +2205,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2180,7 +2235,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2209,7 +2265,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2238,7 +2295,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2287,7 +2345,8 @@ "source.ip": "100.66.100.4", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2316,7 +2375,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2345,7 +2405,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2374,7 +2435,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2403,7 +2465,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2432,7 +2495,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -2481,7 +2545,8 @@ "source.ip": "100.66.198.40", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2510,7 +2575,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2539,7 +2605,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2588,7 +2655,8 @@ "source.ip": "100.66.1.107", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2617,7 +2685,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2646,7 +2715,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2675,7 +2745,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2704,7 +2775,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2733,7 +2805,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2762,7 +2835,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2791,7 +2865,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2820,7 +2895,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2849,7 +2925,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2878,7 +2955,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2907,7 +2985,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -2956,7 +3035,8 @@ "source.ip": "100.66.115.46", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3005,7 +3085,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3034,7 +3115,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3063,7 +3145,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3109,7 +3192,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3155,7 +3239,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3201,7 +3286,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3247,7 +3333,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3293,7 +3380,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3339,7 +3427,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3385,7 +3474,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3431,7 +3521,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3477,7 +3568,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3523,7 +3615,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3569,7 +3662,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -3615,7 +3709,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3661,7 +3756,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3690,7 +3786,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3719,7 +3816,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3748,7 +3846,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -3777,7 +3876,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index 568eb22518c..b18307a7571 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -90,7 +90,8 @@ "source.packets": 1, "source.port": 57379, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -188,7 +189,8 @@ "source.packets": 1, "source.port": 51389, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -284,7 +286,8 @@ "source.packets": 1, "source.port": 53033, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -382,7 +385,8 @@ "source.packets": 1, "source.port": 55371, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" 
@@ -479,7 +483,8 @@ "source.packets": 1, "source.port": 60441, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -575,7 +580,8 @@ "source.packets": 1, "source.port": 59714, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -674,7 +680,8 @@ "source.packets": 1, "source.port": 55105, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -770,7 +777,8 @@ "source.packets": 1, "source.port": 57141, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -867,7 +875,8 @@ "source.packets": 1, "source.port": 47260, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -965,7 +974,8 @@ "source.packets": 1, "source.port": 58082, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1064,7 +1074,8 @@ "source.packets": 1, "source.port": 33973, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1156,7 +1167,8 @@ "source.packets": 6, "source.port": 39541, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1253,7 +1265,8 @@ "source.packets": 1, "source.port": 41672, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" 
@@ -1349,7 +1362,8 @@ "source.packets": 1, "source.port": 59577, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1446,7 +1460,8 @@ "source.packets": 1, "source.port": 35998, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1544,7 +1559,8 @@ "source.packets": 1, "source.port": 55105, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1640,7 +1656,8 @@ "source.packets": 1, "source.port": 47260, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1736,7 +1753,8 @@ "source.packets": 1, "source.port": 53033, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1832,7 +1850,8 @@ "source.packets": 1, "source.port": 57141, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1926,7 +1945,8 @@ "source.packets": 1, "source.port": 46093, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -2024,7 +2044,8 @@ "source.packets": 1, "source.port": 58082, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index 85785d1bcbb..4397eb76e17 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json 
@@ -25,7 +25,8 @@ "process.pid": 1234, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json index 8e55a34e1a4..465bbd1ea32 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json @@ -14,7 +14,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -32,7 +33,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -50,7 +52,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -68,7 +71,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -86,7 +90,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -104,7 +109,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -122,7 +128,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -140,7 +147,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -158,7 +166,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -176,7 +185,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -194,7 +204,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -212,7 +223,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -230,7 +242,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -248,7 +261,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -266,7 +280,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -284,7 +299,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -302,7 +318,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -320,7 +337,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -338,7 +356,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -356,7 +375,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -374,7 +394,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -392,7 +413,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -410,7 +432,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -428,7 +451,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -446,7 +470,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -464,7 +489,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -482,7 +508,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -500,7 +527,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -518,7 +546,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -536,7 +565,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -554,7 +584,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -572,7 +603,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -590,7 +622,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -609,7 +642,8 @@ "syslog.facility": 14, "syslog.priority": 2, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 4330b36cfad..ba0bb71f417 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -69,7 +69,8 @@ "source.ip": "10.0.1.20", "source.port": 55644, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -144,7 +145,8 @@ "source.ip": "10.0.1.20", "source.port": 55868, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -215,7 +217,8 @@ "source.ip": "10.0.100.30", "source.port": 21, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" 
@@ -286,7 +289,8 @@ "source.ip": "10.0.100.30", "source.port": 21, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index 2aec48c9f5b..2b46be5b166 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json @@ -41,7 +41,8 @@ "source.address": "10.1.123.45", "source.ip": "10.1.123.45", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -74,7 +75,8 @@ "process.pid": 1234, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -108,7 +110,8 @@ "process.pid": 1234, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -161,7 +164,8 @@ "source.ip": "127.0.0.1", "source.port": 512, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index b5e22670221..36a494d8f89 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -39,7 +39,8 @@ "source.port": 27218, "syslog.facility": 165, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -78,7 +79,8 @@ "source.address": "192.168.132.46", "source.ip": "192.168.132.46", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -132,7 +134,8 @@ "source.nat.port": "11234", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 66dd7e0e6d7..05fc4af2cbc 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -39,7 +39,8 @@ "source.ip": "10.1.2.30", "source.port": 63016, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -82,7 +83,8 @@ "source.ip": "10.1.2.30", "source.port": 63016, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -126,7 +128,8 @@ "source.ip": "10.1.2.16", "source.port": 2241, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -170,7 +173,8 @@ "source.ip": "172.29.2.101", "source.port": 1039, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -214,7 +218,8 @@ "source.ip": "172.29.2.3", "source.port": 1065, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -240,7 +245,8 @@ "log.offset": 812, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -266,7 +272,8 @@ "log.offset": 938, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -292,7 +299,8 @@ "log.offset": 1110, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -318,7 +326,8 @@ "log.offset": 1237, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -344,7 +353,8 @@ "log.offset": 1405, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -370,7 +380,8 @@ "log.offset": 1531, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -416,7 +427,8 @@ "source.ip": "192.0.2.222", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -464,7 +476,8 @@ "source.ip": "192.0.2.222", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -503,7 +516,8 @@ "source.address": "192.168.132.46", "source.ip": "192.168.132.46", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -529,7 +543,8 @@ "log.offset": 2167, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -555,7 +570,8 @@ "log.offset": 2293, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -597,7 +613,8 @@ "source.ip": "192.0.0.66", "source.port": 12981, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -640,7 +657,8 @@ "source.ip": "10.0.0.16", "source.port": 2006, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -683,7 +701,8 @@ "source.ip": "10.0.0.46", "source.port": 49734, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -726,7 +745,8 @@ "source.ip": "10.0.0.46", "source.port": 49735, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -769,7 +789,8 @@ "source.ip": "10.0.0.46", "source.port": 49736, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -812,7 +833,8 @@ "source.ip": "10.0.0.46", "source.port": 49737, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -855,7 +877,8 @@ "source.ip": "10.0.0.46", "source.port": 49738, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -898,7 +921,8 @@ "source.ip": "10.0.0.46", "source.port": 49746, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -941,7 +965,8 @@ "source.ip": "10.0.0.16", "source.port": 2007, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -984,7 +1009,8 @@ "source.ip": "10.0.0.13", "source.port": 43013, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1027,7 +1053,8 @@ "source.ip": "10.0.0.16", "source.port": 2008, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1069,7 +1096,8 @@ "source.ip": "192.0.2.66", "source.port": 137, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1111,7 +1139,8 @@ "source.ip": "192.0.2.66", "source.port": 12981, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1154,7 +1183,8 @@ "source.ip": "10.0.0.16", "source.port": 2009, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1197,7 +1227,8 @@ "source.ip": "10.0.0.46", "source.port": 49776, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1240,7 +1271,8 @@ "source.ip": "10.0.0.16", "source.port": 2010, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1283,7 +1315,8 @@ "source.ip": "10.0.0.16", "source.port": 2011, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1326,7 +1359,8 @@ "source.ip": "10.0.0.16", "source.port": 2012, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1369,7 +1403,8 @@ "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1412,7 +1447,8 @@ "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1455,7 +1491,8 @@ "source.ip": "10.0.0.46", "source.port": 49840, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1498,7 +1535,8 @@ "source.ip": "10.0.0.16", "source.port": 2013, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1542,7 +1580,8 @@ "source.ip": "10.0.0.16", "source.port": 2241, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1569,7 +1608,8 @@ "log.offset": 5967, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1596,7 +1636,8 @@ "log.offset": 6147, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1640,7 +1681,8 @@ "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1684,7 +1726,8 @@ "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1711,7 +1754,8 @@ "log.offset": 6642, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1738,7 +1782,8 @@ "log.offset": 6817, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1785,7 +1830,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1832,7 +1878,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1879,7 +1926,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1921,7 +1969,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1963,7 +2012,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2007,7 +2057,8 @@ "source.ip": "192.168.1.34", "source.port": 5679, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2034,7 +2085,8 @@ "log.offset": 7954, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2061,7 +2113,8 @@ "log.offset": 8133, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2108,7 +2161,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2154,7 +2208,8 @@ "source.ip": "10.44.4.4", "source.port": 500, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2192,7 +2247,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2230,7 +2286,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2268,7 +2325,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -2306,7 +2364,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2344,7 +2403,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2382,7 +2442,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2420,7 +2481,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2458,7 +2520,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2502,7 +2565,8 @@ "source.ip": "192.0.2.95", "source.port": 24069, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2541,7 +2605,8 @@ "source.address": "10.2.3.5", "source.ip": "10.2.3.5", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2581,7 +2646,8 @@ "source.address": "172.16.30.2", "source.ip": "172.16.30.2", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2632,7 +2698,8 @@ "source.nat.port": "7890", "source.port": 6798, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2684,7 +2751,8 @@ "source.nat.port": "33340", "source.port": 33340, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2737,7 +2805,8 @@ "source.nat.port": "33340", "source.port": 33340, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2773,7 +2842,8 @@ "source.address": "10.30.30.30", "source.ip": "10.30.30.30", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "/app" }, @@ -2810,7 +2880,8 @@ "source.address": "10.5.111.32", "source.ip": "10.5.111.32", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://example.com" }, 
@@ -2848,7 +2919,8 @@ "source.address": "10.69.6.39", "source.ip": "10.69.6.39", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://www.example.net/images/favicon.ico" } diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 37339bb71a8..51da7aa889f 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -72,7 +72,8 @@ "source.ip": "10.0.100.30", "source.packets": 1, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -154,7 +155,8 @@ "source.ip": "10.0.100.30", "source.packets": 1, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -245,7 +247,8 @@ "source.packets": 1, "source.port": 50074, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -342,7 +345,8 @@ "source.packets": 2, "source.port": 49264, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -427,7 +431,8 @@ "source.packets": 2, "source.port": 43228, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -530,7 +535,8 @@ "source.packets": 1359, "source.port": 43228, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.domain": "eu-central-1.ec2.archive.ubuntu.com", "url.original": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", 
@@ -618,7 +624,8 @@ "source.packets": 2, "source.port": 46000, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -717,7 +724,8 @@ "source.packets": 6, "source.port": 46000, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.domain": "www.eicar.org", "url.original": "http://www.eicar.org/download/eicar_com.zip", @@ -794,7 +802,8 @@ "source.ip": "10.0.100.30", "source.packets": 0, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -886,7 +895,8 @@ "source.packets": 4, "source.port": 41544, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.domain": "10.0.100.30:8000", "url.original": "http://10.0.100.30:8000/eicar_com.zip", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index dd7237971cd..2d02ecd67d3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -59,7 +59,8 @@ "source.ip": "10.0.1.20", "source.port": 41522, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/exploit.exe", "user.id": "No Authentication Required", @@ -125,7 +126,8 @@ "source.ip": "10.0.1.20", "source.port": 41526, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/exploit.exe", "user.id": "No Authentication Required", @@ -191,7 +193,8 @@ "source.ip": "10.0.1.20", "source.port": 41530, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar.com", "user.id": "No Authentication Required", 
@@ -257,7 +260,8 @@ "source.ip": "10.0.1.20", "source.port": 41534, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar.com.txt", "user.id": "No Authentication Required", @@ -332,7 +336,8 @@ "source.ip": "10.0.1.20", "source.port": 41540, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar_com.zip", "user.id": "No Authentication Required", @@ -407,7 +412,8 @@ "source.ip": "10.0.1.20", "source.port": 41542, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar_com.zip", "user.id": "No Authentication Required", @@ -486,7 +492,8 @@ "source.ip": "10.0.1.20", "source.port": 41544, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar_com.zip", "user.id": "No Authentication Required", @@ -573,7 +580,8 @@ "source.ip": "10.0.1.20", "source.port": 46004, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://www.eicar.org/download/eicar_com.zip", "user.id": "No Authentication Required", @@ -651,7 +659,8 @@ "source.ip": "10.0.1.20", "source.port": 55378, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "user.id": "No Authentication Required", @@ -739,7 +748,8 @@ "source.ip": "10.0.1.20", "source.port": 47926, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "user.id": "No Authentication Required", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 3b9a518bff7..e9a6b15f242 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json 
@@ -101,7 +101,8 @@ "source.packets": 4, "source.port": 65090, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.domain": "eyedropper-color-pick.info", "url.original": "http://bad-malwaresite-grr.info/favicon.ico", diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index 828fa0e6c0f..2ed8ae959c2 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml @@ -15,7 +15,8 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_locale: ~ diff --git a/x-pack/filebeat/module/cisco/ios/manifest.yml b/x-pack/filebeat/module/cisco/ios/manifest.yml index d429cd994b1..e67f5c2f729 100644 --- a/x-pack/filebeat/module/cisco/ios/manifest.yml +++ b/x-pack/filebeat/module/cisco/ios/manifest.yml @@ -5,7 +5,7 @@ var: default: - /var/log/cisco-ios.log - name: tags - default: [cisco-ios] + default: [cisco-ios, forwarded] - name: syslog_host default: localhost - name: syslog_port diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json index e6e720e71c8..3485b3ff583 100644 --- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json +++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json @@ -40,7 +40,8 @@ "source.ip": "198.51.100.197", "source.packets": 1, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -85,7 +86,8 @@ "source.ip": "198.51.100.2", "source.packets": 1, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -129,7 +131,8 @@ "source.ip": "198.51.100.1", "source.packets": 1, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -175,7 +178,8 @@ "source.packets": 9, "source.port": 1027, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { 
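Review bot: The new `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in input.yml ties a user-visible change (no `host.*` on cisco-ios events) to one exact tag string, but nothing in the template says why, so a maintainer who later renames or drops the `forwarded` default in the manifest.yml hunk that follows would silently reattach the collector's `host.*` to syslog that came from the device. I would add a comment above it: `# Events tagged "forwarded" were produced by the remote Cisco device, not this host; drop host.* so the collector is not mistaken for the event source (remove the tag from var.tags to restore it).` As far as I can tell `inList` is an exact, case-sensitive comparison, so `Forwarded` or a tag with surrounding whitespace would re-enable `host.*` — worth stating in that comment once confirmed. The switch to `{{.tags | tojson}}` looks necessary for the same default: with two elements a plain `{{.tags}}` render would presumably not produce a valid YAML flow list, and a one-line comment `# tojson: render the list as valid YAML` would make that intent explicit.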
@@ -221,7 +225,8 @@ "source.packets": 1, "source.port": 55250, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -267,7 +272,8 @@ "source.ip": "198.51.100.1", "source.packets": 1, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -313,7 +319,8 @@ "source.packets": 1, "source.port": 60677, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -365,7 +372,8 @@ "source.packets": 1, "source.port": 59825, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -411,7 +419,8 @@ "source.packets": 1, "source.port": 56723, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -457,7 +466,8 @@ "source.packets": 1, "source.port": 54473, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -503,7 +513,8 @@ "source.packets": 1, "source.port": 33568, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -549,7 +560,8 @@ "source.packets": 1, "source.port": 35207, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -595,7 +607,8 @@ "source.packets": 1, "source.port": 37063, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -641,7 +654,8 @@ "source.packets": 1, "source.port": 54309, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -661,7 +675,8 @@ "message": "access-list logging rate-limited or missed 18 packets", "service.type": "cisco", "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -707,7 +722,8 @@ "source.packets": 1, "source.port": 43989, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -753,7 +769,8 @@ "source.packets": 1, "source.port": 53432, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -799,7 +816,8 @@ "source.packets": 1, "source.port": 58674, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -851,7 +869,8 @@ "source.packets": 1, "source.port": 59830, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { 
@@ -897,7 +916,8 @@ "source.packets": 1, "source.port": 52377, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -943,7 +963,8 @@ "source.packets": 1, "source.port": 42695, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -989,7 +1010,8 @@ "source.packets": 1, "source.port": 58393, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1041,7 +1063,8 @@ "source.packets": 1, "source.port": 59832, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1087,7 +1110,8 @@ "source.packets": 1, "source.port": 60908, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1139,7 +1163,8 @@ "source.packets": 1, "source.port": 59415, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1191,7 +1216,8 @@ "source.packets": 1, "source.port": 53, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1211,7 +1237,8 @@ "message": "access-list logging rate-limited or missed 23 packets", "service.type": "cisco", "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1257,7 +1284,8 @@ "source.ip": "198.51.100.12", "source.packets": 32, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1309,7 +1337,8 @@ "source.packets": 1, "source.port": 59834, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1355,7 +1384,8 @@ "source.packets": 1, "source.port": 54532, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1401,7 +1431,8 @@ "source.packets": 1, "source.port": 57831, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1447,7 +1478,8 @@ "source.packets": 1, "source.port": 138, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1493,7 +1525,8 @@ "source.packets": 1, "source.port": 42988, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1545,7 +1578,8 @@ "source.packets": 1, "source.port": 59836, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] } ] \ No newline at end of file