From 047a35bd78e2671719ba3a64e0471c0c7f203536 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Mon, 1 Jun 2020 09:28:43 -0400 Subject: [PATCH] Disable host.* fields by default for Cisco module (#18753) For the Cisco module, when data is forwarded to Filebeat from another host/device (this is most of the time), you don't want Filebeat to add `host`. So by default this module adds a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: #13920 --- CHANGELOG.next.asciidoc | 10 + filebeat/docs/modules/cisco.asciidoc | 24 +- .../filebeat/module/cisco/_meta/docs.asciidoc | 24 +- .../module/cisco/asa/config/input.yml | 3 +- x-pack/filebeat/module/cisco/asa/manifest.yml | 2 +- .../cisco/asa/test/asa-fix.log-expected.json | 15 +- .../cisco/asa/test/asa.log-expected.json | 300 ++++++++++++------ .../asa/test/dap_records.log-expected.json | 3 +- .../cisco/asa/test/filtered.log-expected.json | 6 +- .../asa/test/hostnames.log-expected.json | 6 +- .../cisco/asa/test/not-ip.log-expected.json | 9 +- .../cisco/asa/test/sample.log-expected.json | 216 ++++++++----- .../module/cisco/ftd/config/input.yml | 3 +- x-pack/filebeat/module/cisco/ftd/manifest.yml | 2 +- .../cisco/ftd/test/asa-fix.log-expected.json | 15 +- .../cisco/ftd/test/asa.log-expected.json | 300 ++++++++++++------ .../cisco/ftd/test/dns.log-expected.json | 63 ++-- .../cisco/ftd/test/filtered.log-expected.json | 3 +- .../firepower-management.log-expected.json | 102 ++++-- .../ftd/test/intrusion.log-expected.json | 12 +- .../ftd/test/no-type-id.log-expected.json | 12 +- .../cisco/ftd/test/not-ip.log-expected.json | 9 +- .../cisco/ftd/test/sample.log-expected.json | 216 ++++++++----- .../security-connection.log-expected.json | 30 +- .../security-file-malware.log-expected.json | 30 +- .../security-malware-site.log-expected.json | 3 +- .../module/cisco/ios/config/input.yml | 3 +- x-pack/filebeat/module/cisco/ios/manifest.yml | 2 +- .../test/cisco-ios-syslog.log-expected.json | 102 
++++--
29 files changed, 1029 insertions(+), 496 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index aa856ec96cb..df5101043cd 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -23,10 +23,20 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]
 
 *Filebeat*
+
 - Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910]
 - Improve ECS categorization field mappings for nginx module. http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844]
 - Improve ECS field mappings in santa module. move hash.sha256 to process.hash.sha256 & move certificate fields to santa.certificate . {issue}16180[16180] {pull}17982[17982]
 - With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta)
+ will no longer send the `host` field that contains information about the host Filebeat is
+ running on. This is because the `host` field specifies the host on which the event
+ happened. {issue}13920[13920] {pull}18223[18223]
+- With the default configuration the following modules will no longer send the `host`
+ field. You can revert this change by configuring tags for the module and omitting
+ `forwarded` from the list. {issue}13920[13920]
+* CEF {pull}18223[18223]
+* PANW {pull}18223[18223]
+* Cisco {pull}18753[18753]
 will no longer send the `host` field that contains information about the host Filebeat is
 running on. This is because the `host` field specifies the host on which the event
 happened. {issue}13920[13920] {pull}18223[18223]
diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc
index e252aacbf68..ec13e658c7f 100644
--- a/filebeat/docs/modules/cisco.asciidoc
+++ b/filebeat/docs/modules/cisco.asciidoc
@@ -102,6 +102,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9001.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-asa, forwarded]`.
+
 :has-dashboards!:
 :fileset_ex!:
 
@@ -244,6 +250,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9003.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-ftd, forwarded]`.
+
 :has-dashboards!:
 :fileset_ex!:
 
@@ -275,6 +287,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9002.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-ios, forwarded]`.
+
 include::../include/timezone-support.asciidoc[]
 :has-dashboards!:
 
@@ -285,10 +303,10 @@ include::../include/timezone-support.asciidoc[]
 [[dynamic-script-compilations]]
 === Dynamic Script Compilations
 
-The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and
-make extensive use of script processors and painless conditions. This can cause
+The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and
+make extensive use of script processors and painless conditions. This can cause
 the pipelines to fail loading the first time the module is used, due to exceeding
-the maximum script compilation limits. It is recommended to tune the following
+the maximum script compilation limits. It is recommended to tune the following
 parameters on your Elasticsearch cluster:
 
 - {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]:
diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
index b72070d4918..477bc2f86a1 100644
--- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
@@ -97,6 +97,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9001.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-asa, forwarded]`.
+
 :has-dashboards!:
 :fileset_ex!:
 
@@ -239,6 +245,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9003.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-ftd, forwarded]`.
+
 :has-dashboards!:
 :fileset_ex!:
 
@@ -270,6 +282,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9002.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-ios, forwarded]`.
+
 include::../include/timezone-support.asciidoc[]
 :has-dashboards!:
 
@@ -280,10 +298,10 @@ include::../include/timezone-support.asciidoc[]
 [[dynamic-script-compilations]]
 === Dynamic Script Compilations
 
-The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and
-make extensive use of script processors and painless conditions. This can cause
+The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and
+make extensive use of script processors and painless conditions. This can cause
 the pipelines to fail loading the first time the module is used, due to exceeding
-the maximum script compilation limits. It is recommended to tune the following
+the maximum script compilation limits. It is recommended to tune the following
 parameters on your Elasticsearch cluster:
 
 - {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]:
diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml
index 68e985ae544..d1eee3cd1a6 100644
--- a/x-pack/filebeat/module/cisco/asa/config/input.yml
+++ b/x-pack/filebeat/module/cisco/asa/config/input.yml
@@ -15,7 +15,8 @@ exclude_files: [".gz$"]
 
 {{ end }}
 
-tags: {{.tags}}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
 processors:
 - add_locale: ~
diff --git a/x-pack/filebeat/module/cisco/asa/manifest.yml b/x-pack/filebeat/module/cisco/asa/manifest.yml
index 9a87696d023..58b1bed572a 100644
--- a/x-pack/filebeat/module/cisco/asa/manifest.yml
+++ b/x-pack/filebeat/module/cisco/asa/manifest.yml
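Review bot: `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` in the asa input.yml hunk has no comment explaining why a tag value decides whether `host.*` is emitted, and the docs added in this same patch describe the effect narrowly as `host.name` not being added while the option name implies the whole `host.*` object is suppressed; a line above it such as `# Cisco events are normally forwarded from another device, so host.* (which would describe this Filebeat host) is suppressed unless "forwarded" is removed from var.tags.` would keep template and docs in step. As far as this hunk shows, `inList` is an exact string comparison, so a tag spelled `Forwarded` silently keeps `host.*` — presumably intended, but worth stating in the `var.tags` docs. Moving from `{{.tags}}` to `{{.tags | tojson}}` looks required for the new two-element default, since the bare Go slice rendering is not a valid YAML list, and JSON-encoding also quotes each element so tag values containing YAML-significant characters no longer reach the generated config unquoted. The diffstat lists the same change for the ftd and ios input.yml files, which fall outside this chunk, and the rest of the input.yml template lies outside the hunk.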
@@ -5,7 +5,7 @@ var:
 default:
 - /var/log/cisco-asa.log
 - name: tags
- default: [cisco-asa]
+ default: [cisco-asa, forwarded]
 - name: syslog_host
 default: localhost
 - name: syslog_port
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
index de470786f66..d5e641cfc9a 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json
@@ -31,7 +31,8 @@
 "source.ip": "10.123.123.123",
 "source.port": 53723,
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -60,7 +61,8 @@
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -90,7 +92,8 @@
 "source.ip": "10.123.123.123",
 "source.port": 6316,
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -122,7 +125,8 @@
 "source.ip": "10.123.123.123",
 "source.port": 57621,
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -146,7 +150,8 @@
 "source.address": "10.123.123.123",
 "source.ip": "10.123.123.123",
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
index bfd7eadebf8..a1c30ba9001 100644
--- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json
@@ -19,7 +19,8 @@
 "process.pid": 999,
 "service.type": "cisco",
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -42,7 +43,8 @@
 "process.pid": 999,
 "service.type": "cisco",
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -80,7 +82,8 @@
 "source.ip": "100.66.211.242",
 "source.port": 80,
 "tags": [
- "cisco-asa"
+ "cisco-asa",
+ "forwarded"
 ]
 },
 {
@@ -118,7 +121,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -156,7 +160,8 @@ "source.ip": "100.66.185.90", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -194,7 +199,8 @@ "source.ip": "100.66.185.90", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -232,7 +238,8 @@ "source.ip": "100.66.160.197", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -270,7 +277,8 @@ "source.ip": "100.66.205.14", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -308,7 +316,8 @@ "source.ip": "100.66.124.33", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -346,7 +355,8 @@ "source.ip": "100.66.35.9", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -384,7 +394,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -422,7 +433,8 @@ "source.ip": "100.66.218.21", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -460,7 +472,8 @@ "source.ip": "100.66.198.27", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -498,7 +511,8 @@ "source.ip": "100.66.198.27", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -536,7 +550,8 @@ "source.ip": "100.66.202.211", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -574,7 +589,8 @@ "source.ip": "100.66.124.15", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -612,7 +628,8 @@ "source.ip": "100.66.124.15", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -650,7 +667,8 @@ "source.ip": "100.66.209.247", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -688,7 +706,8 @@ "source.ip": "100.66.35.162", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -711,7 +730,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -734,7 +754,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -772,7 +793,8 @@ "source.ip": "100.66.80.32", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -795,7 +817,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -833,7 +856,8 @@ "source.ip": "100.66.252.6", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -856,7 +880,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -879,7 +904,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -902,7 +928,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -925,7 +952,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -948,7 +976,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -971,7 +1000,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1009,7 +1039,8 @@ "source.ip": "100.66.238.126", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1047,7 +1078,8 @@ "source.ip": "100.66.93.51", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1070,7 +1102,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1093,7 +1126,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1116,7 +1150,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1139,7 +1174,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1162,7 +1198,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1200,7 +1237,8 @@ "source.ip": "100.66.240.126", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1238,7 +1276,8 @@ "source.ip": "100.66.44.45", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1261,7 +1300,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1284,7 +1324,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1307,7 +1348,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1330,7 +1372,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1368,7 +1411,8 @@ "source.ip": "100.66.157.232", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1406,7 +1450,8 @@ "source.ip": "100.66.178.133", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1429,7 +1474,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1452,7 +1498,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1490,7 +1537,8 @@ "source.ip": "100.66.133.112", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1513,7 +1561,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1551,7 +1600,8 @@ "source.ip": "100.66.157.232", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1589,7 +1639,8 @@ "source.ip": "100.66.204.197", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1612,7 +1663,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1635,7 +1687,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1658,7 +1711,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1681,7 +1735,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1704,7 +1759,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1727,7 +1783,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1750,7 +1807,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1788,7 +1846,8 @@ "source.ip": "100.66.100.4", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1811,7 +1870,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1834,7 +1894,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1857,7 +1918,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1880,7 +1942,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1903,7 +1966,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1941,7 +2005,8 @@ "source.ip": "100.66.198.40", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1964,7 +2029,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1987,7 +2053,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2025,7 +2092,8 @@ "source.ip": "100.66.1.107", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2048,7 +2116,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2071,7 +2140,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2094,7 +2164,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2117,7 +2188,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2140,7 +2212,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2163,7 +2236,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2186,7 +2260,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2209,7 +2284,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2232,7 +2308,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2255,7 +2332,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -2278,7 +2356,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2316,7 +2395,8 @@ "source.ip": "100.66.115.46", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2354,7 +2434,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2377,7 +2458,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2400,7 +2482,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2435,7 +2518,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2470,7 +2554,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2505,7 +2590,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2540,7 +2626,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2575,7 +2662,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2610,7 +2698,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2645,7 +2734,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2680,7 +2770,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2715,7 +2806,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2750,7 +2842,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -2785,7 +2878,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2820,7 +2914,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2855,7 +2950,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2878,7 +2974,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2901,7 +2998,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2924,7 +3022,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2947,7 +3046,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index 998044932f0..095a1a09764 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -28,7 +28,8 @@ "source.geo.region_name": "Moscow", "source.ip": "1.2.3.4", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ], "user.email": "firsname.lastname@domain.net" } diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index dbf8c27dc95..918c899a47d 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -17,7 +17,8 @@ "process.pid": 1234, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -49,7 +50,8 @@ "source.ip": "10.13.12.11", "source.port": 45321, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 10d495a94d6..5264b5568b5 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -23,7 +23,8 @@ "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -52,7 +53,8 @@ "source.address": "192.0.2.134", "source.ip": "192.0.2.134", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 3ffb837b3ae..753a5e6e160 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -29,7 +29,8 @@ "source.port": 27218, "syslog.facility": 165, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -57,7 +58,8 @@ "source.address": "192.168.132.46", "source.ip": "192.168.132.46", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -100,7 +102,8 @@ "source.nat.port": "11234", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 67f16d4674f..123c3949203 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -28,7 +28,8 @@ "source.ip": "10.1.2.30", "source.port": 63016, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -60,7 +61,8 @@ "source.ip": "10.1.2.30", "source.port": 63016, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -93,7 +95,8 @@ "source.ip": "10.1.2.16", "source.port": 2241, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -126,7 +129,8 @@ "source.ip": "172.29.2.101", "source.port": 1039, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -159,7 +163,8 @@ "source.ip": "172.29.2.3", "source.port": 1065, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -179,7 +184,8 @@ "log.offset": 812, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -199,7 +205,8 @@ "log.offset": 938, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -219,7 +226,8 @@ "log.offset": 1110, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -239,7 +247,8 @@ "log.offset": 1237, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -259,7 +268,8 @@ "log.offset": 1405, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -279,7 +289,8 @@ "log.offset": 1531, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -314,7 +325,8 @@ "source.ip": "192.0.2.222", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -351,7 +363,8 @@ "source.ip": "192.0.2.222", "source.port": 53, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -379,7 +392,8 @@ "source.address": "192.168.132.46", "source.ip": "192.168.132.46", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -399,7 +413,8 @@ "log.offset": 2167, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -419,7 +434,8 @@ "log.offset": 2293, "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -450,7 +466,8 @@ "source.ip": "192.0.0.66", "source.port": 12981, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -482,7 +499,8 @@ "source.ip": "10.0.0.16", "source.port": 2006, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -514,7 +532,8 @@ "source.ip": "10.0.0.46", "source.port": 49734, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -546,7 +565,8 @@ "source.ip": "10.0.0.46", "source.port": 49735, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -578,7 +598,8 @@ "source.ip": "10.0.0.46", "source.port": 49736, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -610,7 +631,8 @@ "source.ip": "10.0.0.46", "source.port": 49737, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -642,7 +664,8 @@ "source.ip": "10.0.0.46", "source.port": 49738, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -674,7 +697,8 @@ "source.ip": "10.0.0.46", "source.port": 49746, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -706,7 +730,8 @@ "source.ip": "10.0.0.16", "source.port": 2007, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -738,7 +763,8 @@ "source.ip": "10.0.0.13", "source.port": 43013, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -770,7 +796,8 @@ "source.ip": "10.0.0.16", "source.port": 2008, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -801,7 +828,8 @@ "source.ip": "192.0.2.66", "source.port": 137, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -832,7 +860,8 @@ "source.ip": "192.0.2.66", "source.port": 12981, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -864,7 +893,8 @@ "source.ip": "10.0.0.16", "source.port": 2009, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -896,7 +926,8 @@ "source.ip": "10.0.0.46", "source.port": 49776, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -928,7 +959,8 @@ "source.ip": "10.0.0.16", "source.port": 2010, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -960,7 +992,8 @@ "source.ip": "10.0.0.16", "source.port": 2011, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -992,7 +1025,8 @@ "source.ip": "10.0.0.16", "source.port": 2012, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1024,7 +1058,8 @@ "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1056,7 +1091,8 @@ "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1088,7 +1124,8 @@ "source.ip": "10.0.0.46", "source.port": 49840, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1120,7 +1157,8 @@ "source.ip": "10.0.0.16", "source.port": 2013, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1153,7 +1191,8 @@ "source.ip": "10.0.0.16", "source.port": 2241, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1174,7 +1213,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1195,7 +1235,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1228,7 +1269,8 @@ "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1261,7 +1303,8 @@ "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1282,7 +1325,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1303,7 +1347,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1339,7 +1384,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1375,7 +1421,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1411,7 +1458,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1442,7 +1490,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1473,7 +1522,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1506,7 +1556,8 @@ "source.ip": "192.168.1.34", "source.port": 5679, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1527,7 +1578,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1548,7 +1600,8 @@ "process.name": "", "service.type": "cisco", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1584,7 +1637,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1619,7 +1673,8 @@ "source.ip": "10.44.4.4", "source.port": 500, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1646,7 +1701,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1673,7 +1729,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1700,7 +1757,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1727,7 +1785,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1754,7 +1813,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1781,7 +1841,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { 
@@ -1808,7 +1869,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1835,7 +1897,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1868,7 +1931,8 @@ "source.ip": "192.0.2.95", "source.port": 24069, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1897,7 +1961,8 @@ "source.address": "10.2.3.5", "source.ip": "10.2.3.5", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1926,7 +1991,8 @@ "source.address": "172.16.30.2", "source.ip": "172.16.30.2", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -1966,7 +2032,8 @@ "source.nat.port": "7890", "source.port": 6798, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2006,7 +2073,8 @@ "source.nat.port": "33340", "source.port": 33340, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2046,7 +2114,8 @@ "source.nat.port": "33340", "source.port": 33340, "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ] }, { @@ -2071,7 +2140,8 @@ "source.address": "10.30.30.30", "source.ip": "10.30.30.30", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ], "url.original": "/app" }, @@ -2097,7 +2167,8 @@ "source.address": "10.5.111.32", "source.ip": "10.5.111.32", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ], "url.original": "http://example.com" }, @@ -2124,7 +2195,8 @@ "source.address": "10.69.6.39", "source.ip": "10.69.6.39", "tags": [ - "cisco-asa" + "cisco-asa", + "forwarded" ], "url.original": "http://www.example.net/images/favicon.ico" } diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index 9d23b77f2e4..f4dd703f40a 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml 
@@ -14,7 +14,8 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_locale: ~ diff --git a/x-pack/filebeat/module/cisco/ftd/manifest.yml b/x-pack/filebeat/module/cisco/ftd/manifest.yml index dfcd093ac86..e18956c1dc8 100644 --- a/x-pack/filebeat/module/cisco/ftd/manifest.yml +++ b/x-pack/filebeat/module/cisco/ftd/manifest.yml @@ -5,7 +5,7 @@ var: default: - /var/log/cisco-ftd.log - name: tags - default: [cisco-ftd] + default: [cisco-ftd, forwarded] - name: syslog_host default: localhost - name: syslog_port diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index bf6c6b521da..7d4e7865cef 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -32,7 +32,8 @@ "source.ip": "10.123.123.123", "source.port": 53723, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -62,7 +63,8 @@ "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -93,7 +95,8 @@ "source.ip": "10.123.123.123", "source.port": 6316, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -126,7 +129,8 @@ "source.ip": "10.123.123.123", "source.port": 57621, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -151,7 +155,8 @@ "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 297696b3a01..6d92b864cda 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json 
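Review bot: The new `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in `ftd/config/input.yml` is the one non-obvious line in this template and carries no comment, so someone who later edits `var.tags` will not see that dropping the default tag silently turns the `host.*` fields back on. Suggest a comment directly above it: `# Events normally arrive from another device, so host.* would describe the Filebeat collector, not the Cisco source; it is suppressed unless the user removes the default "forwarded" tag via var.tags.`. The `inList` lookup presumably matches the tag string exactly, so a near-miss such as `Forwarded` would re-enable `host.*` without any warning; that behaviour is worth stating in the module docs next to the `var.tags` example. The `manifest.yml` default change in the same hunk group is consistent with this and needs no change.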
@@ -18,7 +18,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -40,7 +41,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -77,7 +79,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -114,7 +117,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -151,7 +155,8 @@ "source.ip": "100.66.185.90", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -188,7 +193,8 @@ "source.ip": "100.66.185.90", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -225,7 +231,8 @@ "source.ip": "100.66.160.197", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -262,7 +269,8 @@ "source.ip": "100.66.205.14", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -299,7 +307,8 @@ "source.ip": "100.66.124.33", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -336,7 +345,8 @@ "source.ip": "100.66.35.9", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -373,7 +383,8 @@ "source.ip": "100.66.211.242", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -410,7 +421,8 @@ "source.ip": "100.66.218.21", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -447,7 +459,8 @@ "source.ip": "100.66.198.27", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -484,7 +497,8 @@ "source.ip": "100.66.198.27", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -521,7 +535,8 @@ "source.ip": "100.66.202.211", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -558,7 +573,8 @@ "source.ip": "100.66.124.15", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -595,7 +611,8 @@ "source.ip": "100.66.124.15", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -632,7 +649,8 @@ "source.ip": "100.66.209.247", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -669,7 +687,8 @@ "source.ip": "100.66.35.162", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -691,7 +710,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -713,7 +733,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -750,7 +771,8 @@ "source.ip": "100.66.80.32", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -772,7 +794,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -809,7 +832,8 @@ "source.ip": "100.66.252.6", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -831,7 +855,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -853,7 +878,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -875,7 +901,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -897,7 +924,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -919,7 +947,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -941,7 +970,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -978,7 +1008,8 @@ "source.ip": "100.66.238.126", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1015,7 +1046,8 @@ "source.ip": "100.66.93.51", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1037,7 +1069,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1059,7 +1092,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1081,7 +1115,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1103,7 +1138,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1125,7 +1161,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1162,7 +1199,8 @@ "source.ip": "100.66.240.126", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1199,7 +1237,8 @@ "source.ip": "100.66.44.45", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1221,7 +1260,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1243,7 +1283,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1265,7 +1306,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1287,7 +1329,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1324,7 +1367,8 @@ "source.ip": "100.66.157.232", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1361,7 +1405,8 @@ "source.ip": "100.66.178.133", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1383,7 +1428,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1405,7 +1451,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1442,7 +1489,8 @@ "source.ip": "100.66.133.112", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1464,7 +1512,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1501,7 +1550,8 @@ "source.ip": "100.66.157.232", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1538,7 +1588,8 @@ "source.ip": "100.66.204.197", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1560,7 +1611,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1582,7 +1634,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1604,7 +1657,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1626,7 +1680,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1648,7 +1703,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1670,7 +1726,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1692,7 +1749,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1729,7 +1787,8 @@ "source.ip": "100.66.100.4", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1751,7 +1810,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1773,7 +1833,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1795,7 +1856,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1817,7 +1879,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1839,7 +1902,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1876,7 +1940,8 @@ "source.ip": "100.66.198.40", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1898,7 +1963,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1920,7 +1986,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1957,7 +2024,8 @@ "source.ip": "100.66.1.107", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1979,7 +2047,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2001,7 +2070,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2023,7 +2093,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2045,7 +2116,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2067,7 +2139,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2089,7 +2162,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2111,7 +2185,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -2133,7 +2208,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2155,7 +2231,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2177,7 +2254,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2199,7 +2277,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2236,7 +2315,8 @@ "source.ip": "100.66.115.46", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2273,7 +2353,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2295,7 +2376,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2317,7 +2399,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2351,7 +2434,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2385,7 +2469,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2419,7 +2504,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2453,7 +2539,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2487,7 +2574,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2521,7 +2609,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2555,7 +2644,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -2589,7 +2679,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2623,7 +2714,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2657,7 +2749,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2691,7 +2784,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2725,7 +2819,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2759,7 +2854,8 @@ "source.ip": "100.66.19.254", "source.port": 80, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2781,7 +2877,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2803,7 +2900,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2825,7 +2923,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2847,7 +2946,8 @@ "process.pid": 999, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index ea8c71eeabd..66cd5472c56 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -74,7 +74,8 @@ "source.packets": 1, "source.port": 57379, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" 
@@ -156,7 +157,8 @@ "source.packets": 1, "source.port": 51389, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -236,7 +238,8 @@ "source.packets": 1, "source.port": 53033, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -318,7 +321,8 @@ "source.packets": 1, "source.port": 55371, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -399,7 +403,8 @@ "source.packets": 1, "source.port": 60441, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -479,7 +484,8 @@ "source.packets": 1, "source.port": 59714, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -562,7 +568,8 @@ "source.packets": 1, "source.port": 55105, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -642,7 +649,8 @@ "source.packets": 1, "source.port": 57141, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -723,7 +731,8 @@ "source.packets": 1, "source.port": 47260, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -805,7 +814,8 @@ "source.packets": 1, "source.port": 58082, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" 
@@ -888,7 +898,8 @@ "source.packets": 1, "source.port": 33973, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -964,7 +975,8 @@ "source.packets": 6, "source.port": 39541, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1045,7 +1057,8 @@ "source.packets": 1, "source.port": 41672, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1125,7 +1138,8 @@ "source.packets": 1, "source.port": 59577, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1206,7 +1220,8 @@ "source.packets": 1, "source.port": 35998, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1288,7 +1303,8 @@ "source.packets": 1, "source.port": 55105, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1368,7 +1384,8 @@ "source.packets": 1, "source.port": 47260, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1448,7 +1465,8 @@ "source.packets": 1, "source.port": 53033, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1528,7 +1546,8 @@ "source.packets": 1, "source.port": 57141, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" 
@@ -1606,7 +1625,8 @@ "source.packets": 1, "source.port": 46093, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -1688,7 +1708,8 @@ "source.packets": 1, "source.port": 58082, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index d7c81ec581d..1bb063843cb 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json @@ -18,7 +18,8 @@ "process.pid": 1234, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json index 8e55a34e1a4..465bbd1ea32 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/firepower-management.log-expected.json @@ -14,7 +14,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -32,7 +33,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -50,7 +52,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -68,7 +71,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -86,7 +90,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -104,7 +109,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -122,7 +128,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -140,7 +147,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -158,7 +166,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -176,7 +185,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -194,7 +204,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -212,7 +223,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -230,7 +242,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -248,7 +261,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -266,7 +280,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -284,7 +299,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -302,7 +318,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -320,7 +337,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -338,7 +356,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -356,7 +375,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -374,7 +394,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -392,7 +413,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -410,7 +432,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -428,7 +451,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -446,7 +470,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -464,7 +489,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -482,7 +508,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -500,7 +527,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -518,7 +546,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -536,7 +565,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -554,7 +584,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -572,7 +603,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -590,7 +622,8 @@ "service.type": "cisco", "syslog.facility": 14, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -609,7 +642,8 @@ "syslog.facility": 14, "syslog.priority": 2, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 0f75bd8cea8..c5b8b35aa11 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -55,7 +55,8 @@ "source.ip": "10.0.1.20", "source.port": 55644, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -116,7 +117,8 @@ "source.ip": "10.0.1.20", "source.port": 55868, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -173,7 +175,8 @@ "source.ip": "10.0.100.30", "source.port": 21, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -230,7 +233,8 @@ "source.ip": "10.0.100.30", "source.port": 21, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index 6355040fe6d..6d31cf04199 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json @@ -30,7 +30,8 @@ "source.address": "10.1.123.45", "source.ip": "10.1.123.45", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -56,7 +57,8 @@ "process.pid": 1234, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -82,7 +84,8 @@ "process.pid": 1234, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -124,7 +127,8 @@ "source.ip": "127.0.0.1", "source.port": 512, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index c5a4c9a8bf9..13b6f867d86 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -28,7 +28,8 @@ "source.port": 27218, "syslog.facility": 165, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -55,7 +56,8 @@ "source.address": "192.168.132.46", "source.ip": "192.168.132.46", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -97,7 +99,8 @@ "source.nat.port": "11234", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index ca93c4fea91..8dc33e7527d 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -27,7 +27,8 @@ "source.ip": "10.1.2.30", "source.port": 63016, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -58,7 +59,8 @@ "source.ip": "10.1.2.30", "source.port": 63016, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -90,7 +92,8 @@ "source.ip": "10.1.2.16", "source.port": 2241, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -122,7 +125,8 @@ "source.ip": "172.29.2.101", "source.port": 1039, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -154,7 +158,8 @@ "source.ip": "172.29.2.3", "source.port": 1065, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -173,7 +178,8 @@ "log.offset": 812, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -192,7 +198,8 @@ "log.offset": 938, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -211,7 +218,8 @@ "log.offset": 1110, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -230,7 +238,8 @@ "log.offset": 1237, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -249,7 +258,8 @@ "log.offset": 1405, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -268,7 +278,8 @@ "log.offset": 1531, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -302,7 +313,8 @@ "source.ip": "192.0.2.222", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -338,7 +350,8 @@ "source.ip": "192.0.2.222", "source.port": 53, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -365,7 +378,8 @@ "source.address": "192.168.132.46", "source.ip": "192.168.132.46", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -384,7 +398,8 @@ "log.offset": 2167, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -403,7 +418,8 @@ "log.offset": 2293, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -433,7 +449,8 @@ "source.ip": "192.0.0.66", "source.port": 12981, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -464,7 +481,8 @@ "source.ip": "10.0.0.16", "source.port": 2006, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -495,7 +513,8 @@ "source.ip": "10.0.0.46", "source.port": 49734, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -526,7 +545,8 @@ "source.ip": "10.0.0.46", "source.port": 49735, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -557,7 +577,8 @@ "source.ip": "10.0.0.46", "source.port": 49736, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -588,7 +609,8 @@ "source.ip": "10.0.0.46", "source.port": 49737, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -619,7 +641,8 @@ "source.ip": "10.0.0.46", "source.port": 49738, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -650,7 +673,8 @@ "source.ip": "10.0.0.46", "source.port": 49746, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -681,7 +705,8 @@ "source.ip": "10.0.0.16", "source.port": 2007, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -712,7 +737,8 @@ "source.ip": "10.0.0.13", "source.port": 43013, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -743,7 +769,8 @@ "source.ip": "10.0.0.16", "source.port": 2008, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -773,7 +800,8 @@ "source.ip": "192.0.2.66", "source.port": 137, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -803,7 +831,8 @@ "source.ip": "192.0.2.66", "source.port": 12981, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -834,7 +863,8 @@ "source.ip": "10.0.0.16", "source.port": 2009, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -865,7 +895,8 @@ "source.ip": "10.0.0.46", "source.port": 49776, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -896,7 +927,8 @@ "source.ip": "10.0.0.16", "source.port": 2010, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -927,7 +959,8 @@ "source.ip": "10.0.0.16", "source.port": 2011, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -958,7 +991,8 @@ "source.ip": "10.0.0.16", "source.port": 2012, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -989,7 +1023,8 @@ "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1020,7 +1055,8 @@ "source.ip": "192.0.2.126", "source.port": 53638, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1051,7 +1087,8 @@ "source.ip": "10.0.0.46", "source.port": 49840, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1082,7 +1119,8 @@ "source.ip": "10.0.0.16", "source.port": 2013, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1114,7 +1152,8 @@ "source.ip": "10.0.0.16", "source.port": 2241, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1134,7 +1173,8 @@ "log.offset": 5967, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1154,7 +1194,8 @@ "log.offset": 6147, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1186,7 +1227,8 @@ "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1218,7 +1260,8 @@ "source.ip": "192.168.1.33", "source.port": 5555, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1238,7 +1281,8 @@ "log.offset": 6642, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1258,7 +1302,8 @@ "log.offset": 6817, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1293,7 +1338,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1328,7 +1374,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1363,7 +1410,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1393,7 +1441,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1423,7 +1472,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1455,7 +1505,8 @@ "source.ip": "192.168.1.34", "source.port": 5679, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1475,7 +1526,8 @@ "log.offset": 7954, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1495,7 +1547,8 @@ "log.offset": 8133, "service.type": "cisco", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1530,7 +1583,8 @@ "source.ip": "192.0.2.222", "source.port": 1234, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1564,7 +1618,8 @@ "source.ip": "10.44.4.4", "source.port": 500, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1590,7 +1645,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1616,7 +1672,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1642,7 +1699,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1668,7 +1726,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1694,7 +1753,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1720,7 +1780,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1746,7 +1807,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1772,7 +1834,8 @@ "source.address": "0.0.0.0", "source.ip": "0.0.0.0", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1804,7 +1867,8 @@ "source.ip": "192.0.2.95", "source.port": 24069, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1832,7 +1896,8 @@ "source.address": "10.2.3.5", "source.ip": "10.2.3.5", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { 
@@ -1860,7 +1925,8 @@ "source.address": "172.16.30.2", "source.ip": "172.16.30.2", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1899,7 +1965,8 @@ "source.nat.port": "7890", "source.port": 6798, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1940,7 +2007,8 @@ "source.nat.port": "33340", "source.port": 33340, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -1981,7 +2049,8 @@ "source.nat.port": "33340", "source.port": 33340, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ] }, { @@ -2005,7 +2074,8 @@ "source.address": "10.30.30.30", "source.ip": "10.30.30.30", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "/app" }, @@ -2030,7 +2100,8 @@ "source.address": "10.5.111.32", "source.ip": "10.5.111.32", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://example.com" }, @@ -2056,7 +2127,8 @@ "source.address": "10.69.6.39", "source.ip": "10.69.6.39", "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://www.example.net/images/favicon.ico" } diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 810c9574832..0ca5801a669 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -56,7 +56,8 @@ "source.ip": "10.0.100.30", "source.packets": 1, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -122,7 +123,8 @@ "source.ip": "10.0.100.30", "source.packets": 1, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" 
@@ -197,7 +199,8 @@ "source.packets": 1, "source.port": 50074, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -278,7 +281,8 @@ "source.packets": 2, "source.port": 49264, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -347,7 +351,8 @@ "source.packets": 2, "source.port": 43228, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -434,7 +439,8 @@ "source.packets": 1359, "source.port": 43228, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.domain": "eu-central-1.ec2.archive.ubuntu.com", "url.original": "http://eu-central-1.ec2.archive.ubuntu.com/ubuntu/pool/main/m/manpages/manpages-dev_4.15-1_all.deb", @@ -506,7 +512,8 @@ "source.packets": 2, "source.port": 46000, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -589,7 +596,8 @@ "source.packets": 6, "source.port": 46000, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.domain": "www.eicar.org", "url.original": "http://www.eicar.org/download/eicar_com.zip", @@ -650,7 +658,8 @@ "source.ip": "10.0.100.30", "source.packets": 0, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "user.id": "No Authentication Required", "user.name": "No Authentication Required" @@ -726,7 +735,8 @@ "source.packets": 4, "source.port": 41544, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.domain": "10.0.100.30:8000", "url.original": "http://10.0.100.30:8000/eicar_com.zip", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index da2bd878525..dbba62884a4 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -45,7 +45,8 @@ "source.ip": "10.0.1.20", "source.port": 41522, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/exploit.exe", "user.id": "No Authentication Required", @@ -97,7 +98,8 @@ "source.ip": "10.0.1.20", "source.port": 41526, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/exploit.exe", "user.id": "No Authentication Required", @@ -149,7 +151,8 @@ "source.ip": "10.0.1.20", "source.port": 41530, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar.com", "user.id": "No Authentication Required", @@ -201,7 +204,8 @@ "source.ip": "10.0.1.20", "source.port": 41534, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar.com.txt", "user.id": "No Authentication Required", @@ -259,7 +263,8 @@ "source.ip": "10.0.1.20", "source.port": 41540, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar_com.zip", "user.id": "No Authentication Required", @@ -317,7 +322,8 @@ "source.ip": "10.0.1.20", "source.port": 41542, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar_com.zip", "user.id": "No Authentication Required", @@ -379,7 +385,8 @@ "source.ip": "10.0.1.20", "source.port": 41544, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30:8000/eicar_com.zip", "user.id": "No Authentication Required", @@ -449,7 +456,8 @@ "source.ip": "10.0.1.20", "source.port": 46004, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://www.eicar.org/download/eicar_com.zip", "user.id": "No Authentication Required", 
@@ -510,7 +518,8 @@ "source.ip": "10.0.1.20", "source.port": 55378, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://10.0.100.30/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "user.id": "No Authentication Required", @@ -581,7 +590,8 @@ "source.ip": "10.0.1.20", "source.port": 47926, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.original": "http://18.197.225.123/public/infected/dd3dee576d0cb4abfed00f97f0c71c1d", "user.id": "No Authentication Required", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 9be3704d462..ea330b35b27 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -85,7 +85,8 @@ "source.packets": 4, "source.port": 65090, "tags": [ - "cisco-ftd" + "cisco-ftd", + "forwarded" ], "url.domain": "eyedropper-color-pick.info", "url.original": "http://bad-malwaresite-grr.info/favicon.ico", diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index eea92c15693..a2f1396fdc4 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml @@ -15,7 +15,8 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_locale: ~ diff --git a/x-pack/filebeat/module/cisco/ios/manifest.yml b/x-pack/filebeat/module/cisco/ios/manifest.yml index d429cd994b1..e67f5c2f729 100644 --- a/x-pack/filebeat/module/cisco/ios/manifest.yml +++ b/x-pack/filebeat/module/cisco/ios/manifest.yml @@ -5,7 +5,7 @@ var: default: - /var/log/cisco-ios.log - name: tags - default: [cisco-ios] + default: [cisco-ios, forwarded] - name: syslog_host default: localhost - name: syslog_port 
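Review bot: The new `publisher_pipeline.disable_host` line in the ios input.yml hunk carries no comment tying it to the `forwarded` tag, so a reader of the rendered config will not see why dropping that tag from `var.tags` makes `host.*` reappear on events. Suggest a comment directly above it: `# host.* would describe this Filebeat host, not the device that emitted the event; suppress it when events carry the "forwarded" tag (the module default).` Assuming `inList` is an exact string match, the trigger is the literal tag `forwarded` — a user who keeps a differently spelled tag silently gets `host.*` back, and since the manifest default now applies to the file input as well as the syslog input, a locally read log also loses `host.*` unless the tag is removed. None of the fixture hunks in this commit show `host.*` being absent or present, only the added tag, so a test that asserts `host.name` is missing under the default tags and present with `var.tags: [my_tag]` would pin the behaviour the commit message describes.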
diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json index 50f8ddcd825..2b2fb9ff840 100644 --- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json +++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json @@ -33,7 +33,8 @@ "source.ip": "198.51.100.197", "source.packets": 1, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -71,7 +72,8 @@ "source.ip": "198.51.100.2", "source.packets": 1, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -108,7 +110,8 @@ "source.ip": "198.51.100.1", "source.packets": 1, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -147,7 +150,8 @@ "source.packets": 9, "source.port": 1027, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -186,7 +190,8 @@ "source.packets": 1, "source.port": 55250, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -225,7 +230,8 @@ "source.ip": "198.51.100.1", "source.packets": 1, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -264,7 +270,8 @@ "source.packets": 1, "source.port": 60677, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -309,7 +316,8 @@ "source.packets": 1, "source.port": 59825, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -348,7 +356,8 @@ "source.packets": 1, "source.port": 56723, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -387,7 +396,8 @@ "source.packets": 1, "source.port": 54473, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -426,7 +436,8 @@ "source.packets": 1, "source.port": 33568, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -465,7 +476,8 @@ "source.packets": 1, "source.port": 35207, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -504,7 +516,8 @@ "source.packets": 1, "source.port": 37063, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { 
@@ -543,7 +556,8 @@ "source.packets": 1, "source.port": 54309, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -563,7 +577,8 @@ "message": "access-list logging rate-limited or missed 18 packets", "service.type": "cisco", "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -602,7 +617,8 @@ "source.packets": 1, "source.port": 43989, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -641,7 +657,8 @@ "source.packets": 1, "source.port": 53432, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -680,7 +697,8 @@ "source.packets": 1, "source.port": 58674, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -725,7 +743,8 @@ "source.packets": 1, "source.port": 59830, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -764,7 +783,8 @@ "source.packets": 1, "source.port": 52377, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -803,7 +823,8 @@ "source.packets": 1, "source.port": 42695, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -842,7 +863,8 @@ "source.packets": 1, "source.port": 58393, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -887,7 +909,8 @@ "source.packets": 1, "source.port": 59832, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -926,7 +949,8 @@ "source.packets": 1, "source.port": 60908, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -971,7 +995,8 @@ "source.packets": 1, "source.port": 59415, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1016,7 +1041,8 @@ "source.packets": 1, "source.port": 53, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1036,7 +1062,8 @@ "message": "access-list logging rate-limited or missed 23 packets", "service.type": "cisco", "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1075,7 +1102,8 @@ "source.ip": "198.51.100.12", "source.packets": 32, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { 
@@ -1120,7 +1148,8 @@ "source.packets": 1, "source.port": 59834, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1159,7 +1188,8 @@ "source.packets": 1, "source.port": 54532, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1198,7 +1228,8 @@ "source.packets": 1, "source.port": 57831, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1237,7 +1268,8 @@ "source.packets": 1, "source.port": 138, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1276,7 +1308,8 @@ "source.packets": 1, "source.port": 42988, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] }, { @@ -1321,7 +1354,8 @@ "source.packets": 1, "source.port": 59836, "tags": [ - "cisco-ios" + "cisco-ios", + "forwarded" ] } ] \ No newline at end of file