From 392f7f2701e849c8054aac821a51681bc315e093 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Tue, 5 Feb 2019 19:53:11 +0100
Subject: [PATCH] Suricata: Rename event.type to suricata.eve.event_type (#10575)

`event.type` is reserved for future use in ECS. Fallback to the original Suricata field. This undoes a previous aliasing to `event.type` in 7.0. Also sets `event.kind` to `event`.
---
 CHANGELOG.next.asciidoc | 1 +
 dev-tools/ecs-migration.yml | 11 ++--
 filebeat/docs/fields.asciidoc | 4 +-
 .../Filebeat-Suricata-Alert-Overview.json | 4 +-
 .../dashboard/Filebeat-Suricata-Overview.json | 14 ++---
 .../module/suricata/eve/_meta/fields.yml | 3 +-
 .../module/suricata/eve/ingest/pipeline.json | 8 ++-
 .../eve/test/eve-alerts.log-expected.json | 60 ++++++++++++-------
 .../eve/test/eve-small.log-expected.json | 24 +++++---
 x-pack/filebeat/module/suricata/fields.go | 2 +-
 10 files changed, 81 insertions(+), 50 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index a47837da860..de7d0d3608b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -84,6 +84,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
   still used for matcher. {issue}10505[10505] {pull}10506[10506]
 - Change type of haproxy.source from text to keyword. {pull}10506[10506]
 - Populate more ECS fields in the Suricata module. {pull}10006[10006]
+- Rename `event.type` to `suricata.eve.event_type` in Suricata module because event.type is reserved for future use by ECS. {pull}10575[10575]
 
 *Heartbeat*
 
diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
index e9f38345fb8..ce2b1c79228 100644
--- a/dev-tools/ecs-migration.yml
+++ b/dev-tools/ecs-migration.yml
@@ -349,11 +349,6 @@
   alias: true
   beat: filebeat
 
-- from: suricata.eve.event_type
-  to: event.type
-  alias: true
-  beat: filebeat
-
 - from: suricata.eve.fileinfo.filename
   to: file.path
   alias: true
@@ -444,6 +439,12 @@
   alias: true
   beat: filebeat
 
+- from: event.type
+  to: suricata.eve.event_type
+  alias: false
+  beat: auditbeat
+  comment: event.type is reserved for future use by ECS.
+
 ## System module
 
 - from: system.syslog.hostname
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 54d0e13f01b..61f290e26f6 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -11324,9 +11324,7 @@ Fields exported by the EVE JSON logs
 *`suricata.eve.event_type`*::
 +
 --
-type: alias
-
-alias to: event.type
+type: keyword
 
 --
 
diff --git a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json
index 26be4f57616..e8d82f4dc4a 100644
--- a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json
+++ b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Alert-Overview.json
@@ -246,7 +246,7 @@
 "alias": null,
 "disabled": false,
 "index": "filebeat-*",
-"key": "event.type",
+"key": "suricata.eve.event_type",
 "negate": false,
 "params": {
 "query": "alert",
@@ -257,7 +257,7 @@
 },
 "query": {
 "match": {
-"event.type": {
+"suricata.eve.event_type": {
 "query": "alert",
 "type": "phrase"
 }
diff --git a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json
index 92a7047df8a..6170c3a1a8d 100644
--- a/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json
+++ b/x-pack/filebeat/module/suricata/_meta/kibana/7/dashboard/Filebeat-Suricata-Overview.json
@@ -42,7 +42,7 @@
 "enabled": true,
 "id": "3",
 "params": {
-"field": "event.type",
+"field": "suricata.eve.event_type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
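Review bot: The new migration entry is tagged `beat: auditbeat`, but it describes the Suricata module, which lives under `x-pack/filebeat`, and the `suricata.eve.event_type` → `event.type` alias entry this commit removes in the previous hunk was tagged `beat: filebeat`; anything that filters ecs-migration.yml by beat will file this rename under the wrong product and Filebeat users will not see it. Change the line to `beat: filebeat`. The `alias: false` setting looks correct, since re-creating `event.type` as an alias would repopulate the very field ECS has reserved.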
@@ -161,7 +161,7 @@
 "enabled": true,
 "id": "2",
 "params": {
-"field": "event.type",
+"field": "suricata.eve.event_type",
 "missingBucket": false,
 "missingBucketLabel": "Missing",
 "order": "desc",
@@ -396,7 +396,7 @@
 "attributes": {
 "columns": [
 "host.name",
-"event.type",
+"suricata.eve.event_type",
 "suricata.eve.flow_id",
 "network.transport",
 "source.ip",
@@ -419,7 +419,7 @@
 "alias": null,
 "disabled": false,
 "index": "filebeat-*",
-"key": "event.type",
+"key": "suricata.eve.event_type",
 "negate": true,
 "params": {
 "query": "stats",
@@ -430,7 +430,7 @@
 },
 "query": {
 "match": {
-"event.type": {
+"suricata.eve.event_type": {
 "query": "stats",
 "type": "phrase"
 }
@@ -691,7 +691,7 @@
 "alias": null,
 "disabled": false,
 "index": "filebeat-*",
-"key": "event.type",
+"key": "suricata.eve.event_type",
 "negate": false,
 "params": {
 "query": "stats",
@@ -702,7 +702,7 @@
 },
 "query": {
 "match": {
-"event.type": {
+"suricata.eve.event_type": {
 "query": "stats",
 "type": "phrase"
 }
diff --git a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
index eb2971b3888..7529cba1b52 100644
--- a/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
+++ b/x-pack/filebeat/module/suricata/eve/_meta/fields.yml
@@ -4,8 +4,7 @@
     Fields exported by the EVE JSON logs
   fields:
     - name: event_type
-      type: alias
-      path: event.type
+      type: keyword
 
     - name: app_proto_orig
       type: keyword
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
index 0983321a2f0..67ec81b85a5 100644
--- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.json
@@ -124,7 +124,6 @@
 {
 "lowercase": {
 "field": "suricata.eve.event_type",
-"target_field": "event.type",
 "ignore_missing": true
 }
 },
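Review bot: `event_type` becomes a concrete `keyword` field with no `description:`, so the generated docs for `suricata.eve.event_type` in this commit carry only the type, even though the two dashboards now filter and aggregate on it. Add under `type: keyword` something like `description: Suricata EVE record type, lowercased by the ingest pipeline (alert, flow, http, dns, tls, ssh, fileinfo, stats in the test fixtures).` The listed values are the ones present in the expected-output fixtures updated by this commit, and the lowercasing is the `lowercase` processor in the pipeline.json hunk of the same commit.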
@@ -244,7 +243,6 @@
 "remove": {
 "field": [
 "suricata.eve.app_proto",
-"suricata.eve.event_type",
 "suricata.eve.flow.end",
 "suricata.eve.flow.start",
 "suricata.eve.http.http_method",
@@ -254,6 +252,12 @@
 ],
 "ignore_missing": true
 }
+},
+{
+"set": {
+"field": "event.kind",
+"value": "event"
+}
 }
 ],
 "on_failure": [
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
index 48533546e48..346691a4a2c 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
@@ -17,11 +17,11 @@
 "event.dataset": "suricata.eve",
 "event.duration": 223000000,
 "event.end": "2018-10-03T14:42:44.836Z",
+"event.kind": "event",
 "event.module": "suricata",
 "event.outcome": "allowed",
 "event.severity": 2,
 "event.start": "2018-10-03T14:42:44.613Z",
-"event.type": "alert",
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1121,
@@ -43,6 +43,7 @@
 "suricata.eve.alert.rev": 4,
 "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound",
 "suricata.eve.alert.signature_id": 2013028,
+"suricata.eve.event_type": "alert",
 "suricata.eve.flow_id": 2191386088856669,
 "suricata.eve.http.http_content_type": "text/html",
 "suricata.eve.http.protocol": "HTTP/1.1",
@@ -77,11 +78,11 @@
 "event.dataset": "suricata.eve",
 "event.duration": 244000000,
 "event.end": "2018-10-03T16:16:26.711Z",
+"event.kind": "event",
 "event.module": "suricata",
 "event.outcome": "allowed",
 "event.severity": 2,
 "event.start": "2018-10-03T16:16:26.467Z",
-"event.type": "alert",
 "fileset.name": "eve",
 "http.request.method": "get",
 "http.response.body.bytes": 1121,
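Review bot: The added `set` processor assigns `event.kind: event` to every record unconditionally, so Suricata `alert` records end up with the same kind as plain `flow`/`http`/`dns` logs (the updated fixtures show `event.kind: event` next to `suricata.eve.event_type: alert`), which leaves detection rules and the alert dashboard with no ECS-level field that separates IDS alerts from traffic records. If the targeted ECS version (the fixtures carry `ecs.version: 1.0.0-beta2`) admits an alert-style kind and the target Elasticsearch supports processor `if` conditions, set that first and keep the generic value as a fallback: `{"set": {"field": "event.kind", "value": "alert", "if": "ctx.suricata?.eve?.event_type == 'alert'"}},` followed by `{"set": {"field": "event.kind", "value": "event", "override": false}}`. By the same reasoning the `stats` records would be better described as a metric kind if that value is available in the ECS version in use.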
@@ -103,6 +104,7 @@ "suricata.eve.alert.rev": 4, "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 678269478904081, "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", @@ -137,11 +139,11 @@ "event.dataset": "suricata.eve", "event.duration": 233000000, "event.end": "2018-10-03T16:44:50.813Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T16:44:50.580Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1126, @@ -163,6 +165,7 @@ "suricata.eve.alert.rev": 4, "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 1170030461115650, "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", @@ -197,11 +200,11 @@ "event.dataset": "suricata.eve", "event.duration": 231000000, "event.end": "2018-10-03T16:45:09.267Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T16:45:09.036Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1121, @@ -223,6 +226,7 @@ "suricata.eve.alert.rev": 4, "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 49628113637132, "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", 
@@ -257,11 +261,11 @@ "event.dataset": "suricata.eve", "event.duration": 229000000, "event.end": "2018-10-03T16:45:34.481Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T16:45:34.252Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1121, @@ -283,6 +287,7 @@ "suricata.eve.alert.rev": 4, "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 116307482565223, "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", @@ -317,11 +322,11 @@ "event.dataset": "suricata.eve", "event.duration": 301000000, "event.end": "2018-10-03T17:02:38.900Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 2, "event.start": "2018-10-03T17:02:38.599Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1126, @@ -343,6 +348,7 @@ "suricata.eve.alert.rev": 4, "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 1205867738178946, "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", @@ -377,11 +383,11 @@ "event.dataset": "suricata.eve", "event.duration": 85000000, "event.end": "2018-10-04T09:34:59.009Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1138, 
@@ -403,6 +409,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 764842923400056, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -437,11 +444,11 @@ "event.dataset": "suricata.eve", "event.duration": 242000000, "event.end": "2018-10-04T09:34:59.168Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 0, @@ -463,6 +470,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -497,11 +505,11 @@ "event.dataset": "suricata.eve", "event.duration": 362000000, "event.end": "2018-10-04T09:34:59.288Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2601, @@ -523,6 +531,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", 
@@ -557,11 +566,11 @@ "event.dataset": "suricata.eve", "event.duration": 365000000, "event.end": "2018-10-04T09:34:59.289Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1241, @@ -583,6 +592,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 764842923400056, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -617,11 +627,11 @@ "event.dataset": "suricata.eve", "event.duration": 432000000, "event.end": "2018-10-04T09:34:59.356Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2687, @@ -643,6 +653,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 764842923400056, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -677,11 +688,11 @@ "event.dataset": "suricata.eve", "event.duration": 532000000, "event.end": "2018-10-04T09:34:59.456Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.924Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2688, 
@@ -703,6 +714,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 764842923400056, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -737,11 +749,11 @@ "event.dataset": "suricata.eve", "event.duration": 821000000, "event.end": "2018-10-04T09:34:59.747Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2601, @@ -763,6 +775,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -797,11 +810,11 @@ "event.dataset": "suricata.eve", "event.duration": 1027000000, "event.end": "2018-10-04T09:34:59.953Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2687, @@ -823,6 +836,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", 
@@ -857,11 +871,11 @@ "event.dataset": "suricata.eve", "event.duration": 1324000000, "event.end": "2018-10-04T09:35:00.250Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2688, @@ -883,6 +897,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -917,11 +932,11 @@ "event.dataset": "suricata.eve", "event.duration": 1475000000, "event.end": "2018-10-04T09:35:00.401Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2687, @@ -943,6 +958,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -977,11 +993,11 @@ "event.dataset": "suricata.eve", "event.duration": 1850000000, "event.end": "2018-10-04T09:35:00.776Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2691, 
@@ -1003,6 +1019,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -1037,11 +1054,11 @@ "event.dataset": "suricata.eve", "event.duration": 1971000000, "event.end": "2018-10-04T09:35:00.897Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 2687, @@ -1063,6 +1080,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -1097,11 +1115,11 @@ "event.dataset": "suricata.eve", "event.duration": 2436000000, "event.end": "2018-10-04T09:35:01.362Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 0, @@ -1122,6 +1140,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", 
@@ -1156,11 +1175,11 @@ "event.dataset": "suricata.eve", "event.duration": 2649000000, "event.end": "2018-10-04T09:35:01.575Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 3, "event.start": "2018-10-04T09:34:58.926Z", - "event.type": "alert", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 0, @@ -1181,6 +1200,7 @@ "suricata.eve.alert.rev": 5, "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 112424506237238, "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 96807730840..f7aa462b334 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -6,8 +6,8 @@ "ecs.version": "1.0.0-beta2", "event.dataset": "suricata.eve", "event.end": "2018-07-05T19:01:09.820Z", + "event.kind": "event", "event.module": "suricata", - "event.type": "ssh", "fileset.name": "eve", "input.type": "log", "log.offset": 0, @@ -15,6 +15,7 @@ "service.type": "suricata", "source.ip": "192.168.86.85", "source.port": 55406, + "suricata.eve.event_type": "ssh", "suricata.eve.flow_id": 298824096901438, "suricata.eve.in_iface": "en0", "suricata.eve.ssh.client.proto_version": "2.0", @@ -35,11 +36,11 @@ "event.dataset": "suricata.eve", "event.duration": 1251000000, "event.end": "2018-07-05T19:07:20.910Z", + "event.kind": "event", "event.module": "suricata", "event.outcome": "allowed", "event.severity": 1, "event.start": "2018-07-05T19:07:19.659Z", - "event.type": "alert", "fileset.name": "eve", "input.type": "log", "log.offset": 350, 
@@ -58,6 +59,7 @@ "suricata.eve.alert.rev": 3, "suricata.eve.alert.signature": "ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)", "suricata.eve.alert.signature_id": 2024833, + "suricata.eve.event_type": "alert", "suricata.eve.flow_id": 904992230150281, "suricata.eve.in_iface": "en0", "suricata.eve.tls.session_resumed": true, @@ -76,8 +78,8 @@ "ecs.version": "1.0.0-beta2", "event.dataset": "suricata.eve", "event.end": "2018-07-05T19:43:47.690Z", + "event.kind": "event", "event.module": "suricata", - "event.type": "http", "fileset.name": "eve", "http.request.method": "get", "http.response.body.bytes": 1155, @@ -88,6 +90,7 @@ "service.type": "suricata", "source.ip": "192.168.86.85", "source.port": 56119, + "suricata.eve.event_type": "http", "suricata.eve.flow_id": 2115002772430095, "suricata.eve.http.http_content_type": "text/xml", "suricata.eve.http.protocol": "HTTP/1.1", @@ -115,8 +118,8 @@ "ecs.version": "1.0.0-beta2", "event.dataset": "suricata.eve", "event.end": "2018-07-05T19:44:33.222Z", + "event.kind": "event", "event.module": "suricata", - "event.type": "fileinfo", "file.path": "/ssdp/device-desc.xml", "file.size": 1071, "fileset.name": "eve", @@ -130,6 +133,7 @@ "service.type": "suricata", "source.ip": "192.168.86.28", "source.port": 8008, + "suricata.eve.event_type": "fileinfo", "suricata.eve.fileinfo.gaps": false, "suricata.eve.fileinfo.md5": "427b7337ff37eeb24d74f47d8e04cf21", "suricata.eve.fileinfo.sha1": "313573490192c685e9e53abef25453ed0d5e2aee", @@ -162,8 +166,8 @@ "ecs.version": "1.0.0-beta2", "event.dataset": "suricata.eve", "event.end": "2018-07-05T19:51:20.213Z", + "event.kind": "event", "event.module": "suricata", - "event.type": "dns", "fileset.name": "eve", "input.type": "log", "log.offset": 2347, @@ -178,6 +182,7 @@ "suricata.eve.dns.rrtype": "A", "suricata.eve.dns.ttl": 299, "suricata.eve.dns.type": "answer", + "suricata.eve.event_type": "dns", "suricata.eve.flow_id": 1684780223079543, "suricata.eve.in_iface": "en0", "tags": [ 
@@ -189,12 +194,13 @@ "ecs.version": "1.0.0-beta2", "event.dataset": "suricata.eve", "event.end": "2018-07-05T19:51:23.009Z", + "event.kind": "event", "event.module": "suricata", - "event.type": "stats", "fileset.name": "eve", "input.type": "log", "log.offset": 2687, "service.type": "suricata", + "suricata.eve.event_type": "stats", "suricata.eve.stats.app_layer.flow.dcerpc_tcp": 0, "suricata.eve.stats.app_layer.flow.dcerpc_udp": 0, "suricata.eve.stats.app_layer.flow.dns_tcp": 0, @@ -326,8 +332,8 @@ "ecs.version": "1.0.0-beta2", "event.dataset": "suricata.eve", "event.end": "2018-07-05T19:51:50.666Z", + "event.kind": "event", "event.module": "suricata", - "event.type": "tls", "fileset.name": "eve", "input.type": "log", "log.offset": 4683, @@ -335,6 +341,7 @@ "service.type": "suricata", "source.ip": "192.168.86.85", "source.port": 56187, + "suricata.eve.event_type": "tls", "suricata.eve.flow_id": 89751777876473, "suricata.eve.in_iface": "en0", "suricata.eve.tls.fingerprint": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", @@ -359,9 +366,9 @@ "event.dataset": "suricata.eve", "event.duration": 30548000000, "event.end": "2018-07-05T19:51:54.001Z", + "event.kind": "event", "event.module": "suricata", "event.start": "2018-07-05T19:51:23.453Z", - "event.type": "flow", "fileset.name": "eve", "input.type": "log", "log.offset": 5308, @@ -374,6 +381,7 @@ "source.ip": "fe80:0000:0000:0000:fada:0cff:fedc:87f1", "source.packets": 1, "source.port": 546, + "suricata.eve.event_type": "flow", "suricata.eve.flow.age": 0, "suricata.eve.flow.alerted": false, "suricata.eve.flow.reason": "timeout", diff --git a/x-pack/filebeat/module/suricata/fields.go b/x-pack/filebeat/module/suricata/fields.go index 66e8b7e5c75..4d1c0de9a8c 100644 --- a/x-pack/filebeat/module/suricata/fields.go +++ b/x-pack/filebeat/module/suricata/fields.go 
@@ -19,5 +19,5 @@ func init() {
 // AssetSuricata returns asset data.
 // This is the base64 encoded gzipped contents of module/suricata.
 func AssetSuricata() string {
-	return "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"
+	return "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"
 }