From 4fb188cb29fce44555da22e1dfa503be9cdf4a8b Mon Sep 17 00:00:00 2001
From: Niels Hofmans <hello@ironpeak.be>
Date: Tue, 26 May 2020 12:52:43 +0200
Subject: [PATCH] fix: use type:tcp

---
 x-pack/filebeat/filebeat.reference.yml        | 681 +++++++++++++++++-
 .../checkpoint}/checkpoint/_meta/config.yml   |   0
 .../checkpoint/_meta/docs.asciidoc            |   0
 .../checkpoint}/checkpoint/_meta/fields.yml   |   0
 .../module/checkpoint}/checkpoint/fields.go   |   0
 .../checkpoint/firewall/_meta/fields.yml      |   0
 .../checkpoint/firewall/config/firewall.yml   |  25 +-
 .../checkpoint/firewall/ingest/pipeline.json  |   0
 .../checkpoint/firewall/manifest.yml          |   0
 .../checkpoint/firewall/test/checkpoint.log   |   0
 .../test/checkpoint.log-expected.json         |   0
 .../module/checkpoint}/checkpoint/module.yml  |   0
 .../checkpoint/firewall/config/firewall.yml   |  25 +-
 .../modules.d/checkpoint.yml.disabled         |   8 +-
 14 files changed, 702 insertions(+), 37 deletions(-)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/_meta/config.yml (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/_meta/docs.asciidoc (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/_meta/fields.yml (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/fields.go (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/_meta/fields.yml (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/config/firewall.yml (55%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/ingest/pipeline.json (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/manifest.yml (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/test/checkpoint.log (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/firewall/test/checkpoint.log-expected.json (100%)
 rename {filebeat/module => x-pack/filebeat/module/checkpoint}/checkpoint/module.yml (100%)

diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index f18b1247838..3ca1b4b6ccf 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -37,6 +37,24 @@ filebeat.modules:
     # can be added under this section.
     #input:
 
+#------------------------------- Activemq Module -------------------------------
+- module: activemq
+  # Audit logs
+  audit:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+  # Application logs
+  log:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #------------------------------- ActiveMQ Module -------------------------------
 - module: activemq
   # Audit logs
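Review bot: The added `Activemq Module` block at L42-L58 is a second copy of the `ActiveMQ Module` block that immediately follows it, and the same doubling recurs in the later hunks of this file (AWS, Azure, CEF, Cisco, Crowdstrike, Google Cloud, Okta, NetFlow and the others), so the reference config would list most modules twice, each with its own `enabled:` value. This file is generated from the modules' `_meta/config.yml` files, and the pattern looks like the generator was run against a tree that contained each module twice (the commit also creates a nested `x-pack/filebeat/module/checkpoint/checkpoint/` copy), so the fix is to sort out the module tree and regenerate rather than hand-edit the duplicates away. The new blocks also introduce trailing whitespace at L417, L426, L444, L583, L686 and L775, which is harmless to the parser but fails yamllint's `trailing-spaces` rule and will keep reappearing until the source `_meta/config.yml` files are cleaned. Only the first hunk of the file is noted here; the others carry the same problem.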
@@ -300,6 +318,212 @@ filebeat.modules:
     # AWS IAM Role to assume
     #var.role_arn: arn:aws:iam::123456789012:role/test-mb
 
+#--------------------------------- AWS Module ---------------------------------
+- module: aws
+  cloudtrail:
+    enabled: false
+
+    # AWS SQS queue url
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+
+    # Filename of AWS credential file
+    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
+    # "%UserProfile%\.aws\credentials" is used on Windows
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+
+    # Profile name for aws credential
+    # If not set the default profile is used
+    #var.credential_profile_name: fb-aws
+
+    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+
+    # The duration that the received messages are hidden from ReceiveMessage request
+    # Default to be 300s
+    #var.visibility_timeout: 300s
+
+    # Maximum duration before AWS API request will be interrupted
+    # Default to be 120s
+    #var.api_timeout: 120s
+
+    # Custom endpoint used to access AWS APIs
+    #var.endpoint: amazonaws.com
+
+    # AWS IAM Role to assume
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+
+  cloudwatch:
+    enabled: false
+
+    # AWS SQS queue url
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+
+    # Filename of AWS credential file
+    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
+    # "%UserProfile%\.aws\credentials" is used on Windows
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+
+    # Profile name for aws credential
+    # If not set the default profile is used
+    #var.credential_profile_name: fb-aws
+
+    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+
+    # The duration that the received messages are hidden from ReceiveMessage request
+    # Default to be 300s
+    #var.visibility_timeout: 300s
+
+    # Maximum duration before AWS API request will be interrupted
+    # Default to be 120s
+    #var.api_timeout: 120s
+
+    # Custom endpoint used to access AWS APIs
+    #var.endpoint: amazonaws.com
+
+    # AWS IAM Role to assume
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+
+  ec2:
+    enabled: false
+
+    # AWS SQS queue url
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+
+    # Filename of AWS credential file
+    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
+    # "%UserProfile%\.aws\credentials" is used on Windows
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+
+    # Profile name for aws credential
+    # If not set the default profile is used
+    #var.credential_profile_name: fb-aws
+
+    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+
+    # The duration that the received messages are hidden from ReceiveMessage request
+    # Default to be 300s
+    #var.visibility_timeout: 300s
+
+    # Maximum duration before AWS API request will be interrupted
+    # Default to be 120s
+    #var.api_timeout: 120s
+
+    # Custom endpoint used to access AWS APIs
+    #var.endpoint: amazonaws.com
+
+    # AWS IAM Role to assume
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+
+  elb:
+    enabled: false
+
+    # AWS SQS queue url
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+
+    # Filename of AWS credential file
+    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
+    # "%UserProfile%\.aws\credentials" is used on Windows
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+
+    # Profile name for aws credential
+    # If not set the default profile is used
+    #var.credential_profile_name: fb-aws
+
+    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+
+    # The duration that the received messages are hidden from ReceiveMessage request
+    # Default to be 300s
+    #var.visibility_timeout: 300s
+
+    # Maximum duration before AWS API request will be interrupted
+    # Default to be 120s
+    #var.api_timeout: 120s
+
+    # Custom endpoint used to access AWS APIs
+    #var.endpoint: amazonaws.com
+
+    # AWS IAM Role to assume
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+
+  s3access:
+    enabled: false
+
+    # AWS SQS queue url
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+
+    # Filename of AWS credential file
+    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
+    # "%UserProfile%\.aws\credentials" is used on Windows
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+
+    # Profile name for aws credential
+    # If not set the default profile is used
+    #var.credential_profile_name: fb-aws
+
+    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+
+    # The duration that the received messages are hidden from ReceiveMessage request
+    # Default to be 300s
+    #var.visibility_timeout: 300s
+
+    # Maximum duration before AWS API request will be interrupted
+    # Default to be 120s
+    #var.api_timeout: 120s
+
+    # Custom endpoint used to access AWS APIs
+    #var.endpoint: amazonaws.com
+
+    # AWS IAM Role to assume
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+
+  vpcflow:
+    enabled: false
+
+    # AWS SQS queue url
+    #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue
+
+    # Filename of AWS credential file
+    # If not set "$HOME/.aws/credentials" is used on Linux/Mac
+    # "%UserProfile%\.aws\credentials" is used on Windows
+    #var.shared_credential_file: /etc/filebeat/aws_credentials
+
+    # Profile name for aws credential
+    # If not set the default profile is used
+    #var.credential_profile_name: fb-aws
+
+    # Use access_key_id, secret_access_key and/or session_token instead of shared credential file
+    #var.access_key_id: access_key_id
+    #var.secret_access_key: secret_access_key
+    #var.session_token: session_token
+
+    # The duration that the received messages are hidden from ReceiveMessage request
+    # Default to be 300s
+    #var.visibility_timeout: 300s
+
+    # Maximum duration before AWS API request will be interrupted
+    # Default to be 120s
+    #var.api_timeout: 120s
+
+    # Custom endpoint used to access AWS APIs
+    #var.endpoint: amazonaws.com
+
+    # AWS IAM Role to assume
+    #var.role_arn: arn:aws:iam::123456789012:role/test-mb
+
 #-------------------------------- Azure Module --------------------------------
 - module: azure
   # All logs
@@ -334,6 +558,48 @@ filebeat.modules:
  #     storage_account: ""
  #     storage_account_key: ""
 
+#-------------------------------- Azure Module --------------------------------
+- module: azure
+  # All logs
+  activitylogs:
+    enabled: true
+    var:
+      # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub
+      eventhub: "insights-operational-logs"
+      # consumer group name that has access to the event hub, we advise creating a dedicated consumer group for the azure module
+      consumer_group: "$Default"
+      # the connection string required to communicate with Event Hubs, steps to generate one here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string
+      connection_string: ""
+      # the name of the storage account the state/offsets will be stored and updated
+      storage_account: ""
+      # the storage account key, this key will be used to authorize access to data in your storage account
+      storage_account_key: ""
+
+  auditlogs:
+    enabled: false
+ #   var:
+ #     eventhub: "insights-logs-auditlogs"
+ #     consumer_group: "$Default"
+ #     connection_string: ""
+ #     storage_account: ""
+ #     storage_account_key: ""
+  signinlogs:
+    enabled: false
+ #   var:
+ #     eventhub: "insights-logs-signinlogs"
+ #     consumer_group: "$Default"
+ #     connection_string: ""
+ #     storage_account: ""
+ #     storage_account_key: ""
+
+#--------------------------------- CEF Module ---------------------------------
+- module: cef
+  log:
+    enabled: true
+    var:
+      syslog_host: localhost
+      syslog_port: 9003
+
 #--------------------------------- CEF Module ---------------------------------
 - module: cef
   log:
@@ -357,6 +623,84 @@ filebeat.modules:
     # The UDP port to listen for syslog traffic. Defaults to 9001.
     #var.syslog_port: 9001
 
+    # Set the log level from 1 (alerts only) to 7 (include all messages).
+    # Messages with a log level higher than the specified will be dropped.
+    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
+    #var.log_level: 7
+#------------------------------ Checkpoint Module ------------------------------
+- module: checkpoint
+  firewall:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input: syslog
+
+    # The interface to listen to UDP based syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The UDP port to listen for syslog traffic. Defaults to 9001.
+    #var.syslog_port: 9001
+
+    # Set the log level from 1 (alerts only) to 7 (include all messages).
+    # Messages with a log level higher than the specified will be dropped.
+    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
+    #var.log_level: 7
+#-------------------------------- Cisco Module --------------------------------
+- module: cisco
+  asa:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input: syslog
+
+    # The interface to listen to UDP based syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The UDP port to listen for syslog traffic. Defaults to 9001.
+    #var.syslog_port: 9001
+
+    # Set the log level from 1 (alerts only) to 7 (include all messages).
+    # Messages with a log level higher than the specified will be dropped.
+    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
+    #var.log_level: 7
+
+  ftd:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input: syslog
+
+    # The interface to listen to UDP based syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The UDP port to listen for syslog traffic. Defaults to 9003.
+    #var.syslog_port: 9003
+
+    # Set the log level from 1 (alerts only) to 7 (include all messages).
+    # Messages with a log level higher than the specified will be dropped.
+    # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
+    #var.log_level: 7
+
+  ios:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input: syslog
+
+    # The interface to listen to UDP based syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The UDP port to listen for syslog traffic. Defaults to 9002.
+    #var.syslog_port: 9002
+
+    # Set custom paths for the log files when using file input. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #-------------------------------- Cisco Module --------------------------------
 - module: cisco
   asa:
@@ -422,6 +766,26 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#------------------------------- Coredns Module -------------------------------
+- module: coredns
+  # Fileset for native deployment
+  log: 
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
+#----------------------------- Crowdstrike Module -----------------------------
+- module: crowdstrike
+  
+  falcon:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #----------------------------- Crowdstrike Module -----------------------------
 - module: crowdstrike
   
@@ -476,20 +840,86 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#------------------------------ Envoyproxy Module ------------------------------
+- module: envoyproxy
+  # Fileset for native deployment
+  log: 
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #------------------------------- Fortinet Module -------------------------------
 - module: fortinet
   firewall:
     enabled: true
 
-    # Set which input to use between tcp, udp (default) or file.
-    #var.input: udp
+    # Set which input to use between tcp, udp (default) or file.
+    #var.input: udp
+
+    # The interface to listen to syslog traffic. Defaults to
+    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
+    #var.syslog_host: localhost
+
+    # The port to listen for syslog traffic. Defaults to 9004.
+    #var.syslog_port: 9004
+
+#----------------------------- Google Cloud Module -----------------------------
+- module: googlecloud
+  vpcflow:
+    enabled: true
+
+    # Google Cloud project ID.
+    var.project_id: my-gcp-project-id
+
+    # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
+    # configured to use this topic as a sink for VPC flow logs.
+    var.topic: googlecloud-vpc-flowlogs
+
+    # Google Pub/Sub subscription for the topic. Filebeat will create this
+    # subscription if it does not exist.
+    var.subscription_name: filebeat-googlecloud-vpc-flowlogs-sub
+
+    # Credentials file for the service account with authorization to read from
+    # the subscription.
+    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+
+  firewall:
+    enabled: true
+
+    # Google Cloud project ID.
+    var.project_id: my-gcp-project-id
+
+    # Google Pub/Sub topic containing firewall logs. Stackdriver must be
+    # configured to use this topic as a sink for firewall logs.
+    var.topic: googlecloud-vpc-firewall
+
+    # Google Pub/Sub subscription for the topic. Filebeat will create this
+    # subscription if it does not exist.
+    var.subscription_name: filebeat-googlecloud-firewall-sub
+
+    # Credentials file for the service account with authorization to read from
+    # the subscription.
+    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
+
+  audit:
+    enabled: true
+
+    # Google Cloud project ID.
+    var.project_id: my-gcp-project-id
 
-    # The interface to listen to syslog traffic. Defaults to
-    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
-    #var.syslog_host: localhost
+    # Google Pub/Sub topic containing firewall logs. Stackdriver must be
+    # configured to use this topic as a sink for firewall logs.
+    var.topic: googlecloud-vpc-audit
 
-    # The port to listen for syslog traffic. Defaults to 9004.
-    #var.syslog_port: 9004
+    # Google Pub/Sub subscription for the topic. Filebeat will create this
+    # subscription if it does not exist.
+    var.subscription_name: filebeat-googlecloud-audit
+
+    # Credentials file for the service account with authorization to read from
+    # the subscription.
+    var.credentials_file: ${path.config}/gcp-service-account-xyz.json
 
 #----------------------------- Google Cloud Module -----------------------------
 - module: googlecloud
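Review bot: The `audit` fileset comment at L515-L516 still describes the topic as containing firewall logs, copied from the `firewall` block above it, while the value on the next line is `googlecloud-vpc-audit`; it should read `# Google Pub/Sub topic containing audit logs. Stackdriver must be` / `# configured to use this topic as a sink for audit logs.`. The `var.subscription_name: filebeat-googlecloud-audit` in the same block drops the `-sub` suffix the two sibling blocks use, which is harmless but reads as a typo. Since this file is generated, the wording should presumably be fixed in the googlecloud module's `_meta/config.yml` rather than here. Lines L456-L466 delete and re-add the fortinet comments with identical text, which points to a whitespace or line-ending difference worth normalising before merge.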
@@ -570,6 +1000,16 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#-------------------------------- Ibmmq Module --------------------------------
+- module: ibmmq
+  # All logs
+  errorlog:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #-------------------------------- Icinga Module --------------------------------
 #- module: icinga
   # Main logs
@@ -646,6 +1086,18 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#------------------------------- Iptables Module -------------------------------
+- module: iptables
+  log:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input:
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #-------------------------------- Kafka Module --------------------------------
 - module: kafka
   # All logs
@@ -707,6 +1159,25 @@ filebeat.modules:
     #    verification_mode: none
     #  }
 
+#--------------------------------- MISP Module ---------------------------------
+- module: misp
+  threat:
+    enabled: true
+    # API key to access MISP
+    #var.api_key
+
+    # Array object in MISP response
+    #var.json_objects_array
+
+    # URL of the MISP REST API
+    #var.url
+   
+    # You can also pass SSL options. For example:
+    #var.ssl: |-
+    #  {
+    #    verification_mode: none
+    #  }
+
 #------------------------------- Mongodb Module -------------------------------
 #- module: mongodb
   # Logs
@@ -731,6 +1202,16 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#-------------------------------- Mssql Module --------------------------------
+- module: mssql
+  # Fileset for native deployment
+  log:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #-------------------------------- MySQL Module --------------------------------
 #- module: mysql
   # Error logs
@@ -775,6 +1256,14 @@ filebeat.modules:
       netflow_host: localhost
       netflow_port: 2055
 
+#------------------------------- NetFlow Module -------------------------------
+- module: netflow
+  log:
+    enabled: true
+    var:
+      netflow_host: localhost
+      netflow_port: 2055
+
 #-------------------------------- Nginx Module --------------------------------
 #- module: nginx
   # Access logs
@@ -856,6 +1345,69 @@ filebeat.modules:
     #   max_requests_per_minute: 2000
     #   poll_interval: 3m
 
+#------------------------------ Office 365 Module ------------------------------
+- module: o365
+  audit:
+    enabled: true
+
+    # Set the application_id (also known as client ID):
+    var.application_id: "<MyApplicationID>"
+
+    # Configure the tenants to monitor:
+    # Use the tenant ID (also known as directory ID) and the domain name.
+    # var.tenants:
+    #  - id: "tenant_id_1"
+    #    name: "mydomain.onmicrosoft.com"
+    #  - id: "tenant_id_2"
+    #    name: "mycompany.com"
+    var.tenants:
+     - id: "<MyTenantID>"
+       name: "mytenant.onmicrosoft.com"
+
+    # List of content-types to fetch. By default all known content-types
+    # are retrieved:
+    # var.content_type:
+    #  - "Audit.AzureActiveDirectory"
+    #  - "Audit.Exchange"
+    #  - "Audit.SharePoint"
+    #  - "Audit.General"
+    #  - "DLP.All"
+
+    # Use the following settings to enable certificate-based authentication:
+    # var.certificate: "/path/to/certificate.pem"
+    # var.key: "/path/to/private_key.pem"
+    # var.key_passphrase: "myPrivateKeyPassword"
+
+    # Client-secret based authentication:
+    # Comment the following line if using certificate authentication.
+    var.client_secret: "<YourClientSecretHere>"
+
+    # Advanced settings, use with care:
+    # var.api:
+    #   # Settings for custom endpoints:
+    #   authentication_endpoint: "https://login.microsoftonline.us/"
+    #   resource: "https://manage.office365.us"
+    #
+    #   max_retention: 7d
+    #   max_requests_per_minute: 2000
+    #   poll_interval: 3m
+
+#--------------------------------- Okta Module ---------------------------------
+- module: okta
+  system:
+    enabled: true
+    # API key to access Okta
+    #var.api_key
+
+    # URL of the Okta REST API
+    #var.url
+
+    # Disable SSL verification 
+    #var.ssl: |-
+    #  {
+    #    "verification_mode": "none"
+    #  }
+
 #--------------------------------- Okta Module ---------------------------------
 - module: okta
   system:
@@ -898,6 +1450,18 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#--------------------------------- Panw Module ---------------------------------
+- module: panw
+  panos:
+    enabled: true
+
+    # Set which input to use between syslog (default) or file.
+    #var.input:
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #------------------------------ PostgreSQL Module ------------------------------
 #- module: postgresql
   # Logs
@@ -922,6 +1486,16 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"]
 
+#------------------------------- RabbitMQ Module -------------------------------
+- module: rabbitmq
+  # All logs
+  log:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths: ["/var/log/rabbitmq/rabbit@localhost.log*"]
+
 #-------------------------------- Redis Module --------------------------------
 #- module: redis
   # Main logs
@@ -960,6 +1534,16 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#------------------------------- Suricata Module -------------------------------
+- module: suricata
+  # All logs
+  eve:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #------------------------------- Traefik Module -------------------------------
 #- module: traefik
   # Access logs
@@ -1057,6 +1641,89 @@ filebeat.modules:
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
 
+#--------------------------------- Zeek Module ---------------------------------
+- module: zeek
+  capture_loss:
+    enabled: true
+  connection:
+    enabled: true
+  dce_rpc:
+    enabled: true
+  dhcp:
+    enabled: true
+  dnp3:
+    enabled: true
+  dns:
+    enabled: true
+  dpd:
+    enabled: true
+  files:
+    enabled: true
+  ftp:
+    enabled: true
+  http:
+    enabled: true
+  intel:
+    enabled: true    
+  irc:
+    enabled: true
+  kerberos:
+    enabled: true
+  modbus:
+    enabled: true
+  mysql:
+    enabled: true
+  notice:
+    enabled: true
+  ntlm:
+    enabled: true
+  ocsp:
+    enabled: true
+  pe:
+    enabled: true
+  radius:
+    enabled: true
+  rdp:
+    enabled: true
+  rfb:
+    enabled: true
+  signatures:
+    enabled: true
+  sip:
+    enabled: true
+  smb_cmd:
+    enabled: true
+  smb_files:
+    enabled: true
+  smb_mapping:
+    enabled: true
+  smtp:
+    enabled: true
+  snmp:
+    enabled: true
+  socks:
+    enabled: true
+  ssh:
+    enabled: true
+  ssl:
+    enabled: true
+  stats:
+    enabled: true
+  syslog:
+    enabled: true
+  traceroute:
+    enabled: true
+  tunnel:
+    enabled: true
+  weird:
+    enabled: true
+  x509:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 
 
 #=========================== Filebeat inputs =============================
diff --git a/filebeat/module/checkpoint/_meta/config.yml b/x-pack/filebeat/module/checkpoint/checkpoint/_meta/config.yml
similarity index 100%
rename from filebeat/module/checkpoint/_meta/config.yml
rename to x-pack/filebeat/module/checkpoint/checkpoint/_meta/config.yml
diff --git a/filebeat/module/checkpoint/_meta/docs.asciidoc b/x-pack/filebeat/module/checkpoint/checkpoint/_meta/docs.asciidoc
similarity index 100%
rename from filebeat/module/checkpoint/_meta/docs.asciidoc
rename to x-pack/filebeat/module/checkpoint/checkpoint/_meta/docs.asciidoc
diff --git a/filebeat/module/checkpoint/_meta/fields.yml b/x-pack/filebeat/module/checkpoint/checkpoint/_meta/fields.yml
similarity index 100%
rename from filebeat/module/checkpoint/_meta/fields.yml
rename to x-pack/filebeat/module/checkpoint/checkpoint/_meta/fields.yml
diff --git a/filebeat/module/checkpoint/fields.go b/x-pack/filebeat/module/checkpoint/checkpoint/fields.go
similarity index 100%
rename from filebeat/module/checkpoint/fields.go
rename to x-pack/filebeat/module/checkpoint/checkpoint/fields.go
diff --git a/filebeat/module/checkpoint/firewall/_meta/fields.yml b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/_meta/fields.yml
similarity index 100%
rename from filebeat/module/checkpoint/firewall/_meta/fields.yml
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/_meta/fields.yml
diff --git a/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/config/firewall.yml
similarity index 55%
rename from filebeat/module/checkpoint/firewall/config/firewall.yml
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/config/firewall.yml
index 558bdab1644..5bb6a91d37a 100644
--- a/filebeat/module/checkpoint/firewall/config/firewall.yml
+++ b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/config/firewall.yml
@@ -6,19 +6,20 @@ protocol.udp:
   {{ if ne .pipeline "" }}
   pipeline: "{{.pipeline}}"
   {{ end }}
+
 {{ else if eq .input "tls" }}
-type: syslog
-protocol.tcp:
-  host: "{{.syslog_host}}:{{.syslog_port}}"
-  ssl:
-    enabled: true
-    certificate_authorities: ["{{.cafile}}"]
-    certificate: "{{.certfile}}"
-    key: "{{.keyfile}}"
-    client_authentication: "required"
-  {{ if ne .pipeline "" }}
-  pipeline: "{{.pipeline}}"
-  {{ end }}
+type: tcp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+ssl:
+  enabled: true
+  certificate_authorities: ["{{.cafile}}"]
+  certificate: "{{.certfile}}"
+  key: "{{.keyfile}}"
+  client_authentication: "required"
+{{ if ne .pipeline "" }}
+pipeline: "{{.pipeline}}"
+{{ end }}
+
 {{ else if eq .input "file" }}
 
 type: log
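Review bot: The rename target `x-pack/filebeat/module/checkpoint/checkpoint/firewall/config/firewall.yml` nests a second copy of the module inside the existing `x-pack/filebeat/module/checkpoint/` tree, whose own `firewall/config/firewall.yml` receives the identical change in the hunk at L922-L954, so after this commit two checkpoint modules exist side by side and one of them looks accidental. Within the hunk, the tls branch now emits raw lines through `type: tcp` while the udp branch at the top of the template appears to remain a syslog input (the hunk header shows `protocol.udp:`), so events from `var.input: tls` will only match those from the default input if the ingest pipeline, renamed here unchanged, parses the syslog header itself — worth confirming before documenting tls as equivalent. The `ssl` block keeps mutual TLS enforced through `client_authentication: "required"` and leaves `verification_mode` at its default, which is the right choice; a short comment such as `# tls input: cafile, certfile and keyfile are all mandatory; peers must present a certificate signed by cafile` above `ssl:` would spare operators reading the manifest to find that out. The enclosing template continues before and after this hunk.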
diff --git a/filebeat/module/checkpoint/firewall/ingest/pipeline.json b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/ingest/pipeline.json
similarity index 100%
rename from filebeat/module/checkpoint/firewall/ingest/pipeline.json
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/ingest/pipeline.json
diff --git a/filebeat/module/checkpoint/firewall/manifest.yml b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/manifest.yml
similarity index 100%
rename from filebeat/module/checkpoint/firewall/manifest.yml
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/manifest.yml
diff --git a/filebeat/module/checkpoint/firewall/test/checkpoint.log b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/test/checkpoint.log
similarity index 100%
rename from filebeat/module/checkpoint/firewall/test/checkpoint.log
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/test/checkpoint.log
diff --git a/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/checkpoint/firewall/test/checkpoint.log-expected.json
similarity index 100%
rename from filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json
rename to x-pack/filebeat/module/checkpoint/checkpoint/firewall/test/checkpoint.log-expected.json
diff --git a/filebeat/module/checkpoint/module.yml b/x-pack/filebeat/module/checkpoint/checkpoint/module.yml
similarity index 100%
rename from filebeat/module/checkpoint/module.yml
rename to x-pack/filebeat/module/checkpoint/checkpoint/module.yml
diff --git a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
index 0655a4a1e5e..5bb6a91d37a 100644
--- a/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
+++ b/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
@@ -6,19 +6,20 @@ protocol.udp:
   {{ if ne .pipeline "" }}
   pipeline: "{{.pipeline}}"
   {{ end }}
+
 {{ else if eq .input "tls" }}
-type: syslog
-protocol.tcp:
-  host: "{{.syslog_host}}:{{.syslog_port}}"
-  ssl:
-    enabled: true
-    certificate_authorities: ["{{.cafile}}"]
-    certificate: "{{.certfile}}"
-    key: "{{.keyfile}}"
-    client_authentication: "full"
-  {{ if ne .pipeline "" }}
-  pipeline: "{{.pipeline}}"
-  {{ end }}
+type: tcp
+host: "{{.syslog_host}}:{{.syslog_port}}"
+ssl:
+  enabled: true
+  certificate_authorities: ["{{.cafile}}"]
+  certificate: "{{.certfile}}"
+  key: "{{.keyfile}}"
+  client_authentication: "required"
+{{ if ne .pipeline "" }}
+pipeline: "{{.pipeline}}"
+{{ end }}
+
 {{ else if eq .input "file" }}
 
 type: log
diff --git a/x-pack/filebeat/modules.d/checkpoint.yml.disabled b/x-pack/filebeat/modules.d/checkpoint.yml.disabled
index ba2d98acfb0..9bb681447fb 100644
--- a/x-pack/filebeat/modules.d/checkpoint.yml.disabled
+++ b/x-pack/filebeat/modules.d/checkpoint.yml.disabled
@@ -5,8 +5,7 @@
   firewall:
     enabled: true
 
-    # Set which input to use between syslog (default), file or tls
-    # if you set tls, also set cafile, certfile and keyfile to their respective file paths
+    # Set which input to use between syslog (default) or file.
     #var.input: syslog
 
     # The interface to listen to UDP based syslog traffic. Defaults to
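Review bot: The removed comment at L963-L964 was the only place that told operators the `tls` input exists and that `cafile`, `certfile` and `keyfile` must be set for it, yet the firewall config template in this same commit keeps its `{{ else if eq .input "tls" }}` branch that reads those variables, so the feature is left undocumented rather than removed; the second hunk (L969-L978) likewise drops the `#var.pipeline: mypipeline` example while the template still honours `.pipeline`. If the tls input is meant to stay, keep `# Set which input to use between syslog (default), file or tls.` and `# For tls also set cafile, certfile and keyfile; connecting clients must present a certificate signed by cafile.` in place of the new one-line comment, and restore the pipeline lines. If it is meant to go, the template branch should be removed in the same commit so the config and its documentation agree. The enclosing `- module: checkpoint` mapping starts before this hunk.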
@@ -19,7 +18,4 @@
     # Set the log level from 1 (alerts only) to 7 (include all messages).
     # Messages with a log level higher than the specified will be dropped.
     # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
-    #var.log_level: 7
-    
-    # If using pipelines, specify the pipeline name
-    #var.pipeline: mypipeline
+    #var.log_level: 7
\ No newline at end of file
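Review bot: The new last line `#var.log_level: 7` is written without a trailing newline (the `\ No newline at end of file` marker follows the `+` line, whereas the old file ended with a newline after `#var.pipeline: mypipeline`), so every future edit to this file will show a spurious change on this line and yamllint's `new-line-at-end-of-file` rule will fail. Re-add the final newline; nothing else in the line needs to change.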