From 59918e149bb100053217340ac02f7aae6494c8d7 Mon Sep 17 00:00:00 2001
From: Alex Resnick
Date: Mon, 12 Apr 2021 13:21:24 -0500
Subject: [PATCH] [Filebeat] Fix IPtables pipeline (#24928)

* #24878: Fix IPtables pipeline

- fix dashboards
- populate additional event.actions
- move community_id processor to ingest node
- set observer.name

(cherry picked from commit ddcf8f1aa3ce91619b13c38c78ab2ca03fbc241d)
---
 CHANGELOG.next.asciidoc | 1 +
 ...t-Iptables-Ubiquiti-Firewall-Overview.json | 4 +-
 .../module/iptables/log/config/input.yml | 32 -----------------
 .../module/iptables/log/ingest/pipeline.yml | 34 +++++++++++++++----
 .../filebeat/module/iptables/log/manifest.yml | 2 --
 .../iptables/log/test/geo.log-expected.json | 1 +
 .../iptables/log/test/icmp.log-expected.json | 2 ++
 .../log/test/iptables.log-expected.json | 30 ++++++++++++++++
 .../iptables/log/test/ipv6.log-expected.json | 11 ++++++
 .../log/test/ubiquiti.log-expected.json | 5 +++
 10 files changed, 79 insertions(+), 43 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index dfc720bc33eb..095ef60f9cc7 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -239,6 +239,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve PanOS parsing and ingest pipeline. {issue}22413[22413] {issue}22748[22748] {pull}24799[24799]
 - Fix S3 input validation for non amazonaws.com domains. {issue}24420[24420] {pull}24861[24861]
 - Fix google_workspace and okta modules pagination when next page template is empty. {pull}24967[24967]
+- Fix IPtables Pipeline and Ubiquiti dashboard. {issue}24878[24878] {pull}24928[24928]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/iptables/_meta/kibana/7/dashboard/Filebeat-Iptables-Ubiquiti-Firewall-Overview.json b/x-pack/filebeat/module/iptables/_meta/kibana/7/dashboard/Filebeat-Iptables-Ubiquiti-Firewall-Overview.json
index 94b0e96fab8f..16233a61341c 100644
--- a/x-pack/filebeat/module/iptables/_meta/kibana/7/dashboard/Filebeat-Iptables-Ubiquiti-Firewall-Overview.json
+++ b/x-pack/filebeat/module/iptables/_meta/kibana/7/dashboard/Filebeat-Iptables-Ubiquiti-Firewall-Overview.json
@@ -628,7 +628,7 @@
 "index": "filebeat-*",
 "query": {
 "language": "kuery",
- "query": "iptables.ubiquiti.rule_set :* and event.outcome : \"deny\""
+ "query": "iptables.ubiquiti.rule_set :* and event.action : \"drop\""
 },
 "version": true
 }
@@ -659,7 +659,7 @@
 "index": "filebeat-*",
 "query": {
 "language": "kuery",
- "query": "iptables.ubiquiti.rule_set :* and event.outcome : \"allow\""
+ "query": "iptables.ubiquiti.rule_set :* and event.action : \"accept\""
 },
 "version": true
 }
diff --git a/x-pack/filebeat/module/iptables/log/config/input.yml b/x-pack/filebeat/module/iptables/log/config/input.yml
index 7c605fbde941..792ce917fd37 100644
--- a/x-pack/filebeat/module/iptables/log/config/input.yml
+++ b/x-pack/filebeat/module/iptables/log/config/input.yml
@@ -19,38 +19,6 @@
 tags: {{.tags}}
 processors:
 - add_locale: ~
-{{ if .community_id }}
- - dissect:
- tokenizer: "%{} SRC=%{source.ip} DST=%{destination.ip} "
- field: "message"
- target_prefix: ""
- - dissect:
- tokenizer: "%{} PROTO=%{network.transport} "
- field: "message"
- target_prefix: ""
- - if:
- or:
- - equals.network.transport: TCP
- - equals.network.transport: UDP
- - equals.network.transport: SCTP
- then:
- dissect:
- tokenizer: "%{} SPT=%{source.port} DPT=%{destination.port} "
- field: "message"
- target_prefix: ""
- else:
- dissect:
- when:or:
- - equals.network.transport: ICMP
- - equals.network.transport: ICMPv6
- tokenizer: "%{} TYPE=%{iptables.icmp.type} CODE=%{iptables.icmp.code} "
- field: "message"
- target_prefix: ""
- - community_id:
- fields:
- icmp_type: iptables.icmp.type
- icmp_code: iptables.icmp.code
-{{ end}}
 - add_fields:
 target: ''
 fields:
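Review bot: The two panel queries now filter on the raw `event.action` values `drop` and `accept`, while the same commit normalizes every mapped action into `event.type` (in pipeline.yml hunk @@ -156,6 `drop`, `deny` and `drop_input` all become `denied`). Filtering on `event.type : "denied"` and `event.type : "allowed"` would keep the panels consistent with any action added to that map later, without another dashboard edit. Because the queries also require `iptables.ubiquiti.rule_set`, only the Ubiquiti d/a mapping reaches them today, so this is a robustness point rather than a visible regression.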
diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml
index ecaa40ce67c6..3afa3d818863 100644
--- a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml
@@ -6,11 +6,13 @@ processors:
 - grok:
 field: message
 patterns:
- '%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}'
- '%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}%{IPTABLES}%{SPACE}'
+ - '%{SYSLOGTIMESTAMP:iptables.raw_date}%{SPACE}%{IPTABLES_HOSTNAME}%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}'
+ - '%{SYSLOGTIMESTAMP:iptables.raw_date}%{SPACE}%{IPTABLES_ACTION}%{GREEDYDATA}%{IPTABLES}%{SPACE}'
 - '%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}'
 - '%{GREEDYDATA}%{IPTABLES}%{SPACE}'
 pattern_definitions:
+ IPTABLES_HOSTNAME: '%{HOSTNAME:observer.name}%{SPACE}kernel:'
+ IPTABLES_ACTION: '(:?%{WORD:event.action}:|%{IPTABLES_HOSTNAME}%{SPACE}iptables%{SPACE}%{WORD:event.action}|%{IPTABLES_HOSTNAME})'
 UNSIGNED_INT: '[0-9]+'
 ETHTYPE: (?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2})
 ETHTYPE_DISCARD: (?::[A-Fa-f0-9]{2})*
@@ -59,7 +61,7 @@ processors:
 pattern_definitions:
 UBIQUITI_FIELD: '[^-]*'
 - date:
- if: ctx.event.timezone == null
+ if: ctx?.iptables?.raw_date != null && ctx.event.timezone == null
 field: iptables.raw_date
 formats:
 - MMM d HH:mm:ss
@@ -69,7 +71,7 @@ processors:
 field: error.message
 value: '{{ _ingest.on_failure_message }}'
 - date:
- if: ctx.event.timezone != null
+ if: ctx?.iptables?.raw_date != null && ctx.event.timezone != null
 field: iptables.raw_date
 formats:
 - MMM d HH:mm:ss
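Review bot: `IPTABLES_ACTION` opens with `(:?` rather than the non-capturing group `(?:`, so the group captures and its first alternative becomes an optional literal colon followed by `%{WORD:event.action}:`; the intended definition is `IPTABLES_ACTION: '(?:%{WORD:event.action}:|%{IPTABLES_HOSTNAME}%{SPACE}iptables%{SPACE}%{WORD:event.action}|%{IPTABLES_HOSTNAME})'`. That first alternative also accepts any word followed by a colon right after the timestamp, so a line whose hostname is omitted would presumably land `kernel` in event.action; a test log covering that shape would pin the behaviour. Since the captured value is whatever operators put in the kernel log prefix, a comment above `pattern_definitions` stating that event.action is free-form and only the values listed in the later event.type map are normalized would help the next maintainer.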
@@ -82,9 +84,22 @@ processors:
 - remove:
 field: iptables.raw_date
 ignore_missing: true
+- set:
+ field: observer.name
+ value: "{{hostname}}"
+ ignore_empty_value: true
+ if: ctx?.observer?.name == null
+- set:
+ field: observer.hostname
+ value: "{{hostname}}"
+ ignore_empty_value: true
+ if: ctx?.observer?.name == null
 - lowercase:
 field: network.transport
 ignore_missing: true
+- lowercase:
+ field: event.action
+ ignore_missing: true
 - geoip:
 field: source.ip
 target_field: source.geo
@@ -145,8 +160,8 @@ processors:
 object: event
 key: action
 map:
- D: drop
- A: accept
+ d: drop
+ a: accept
 - source:
 object: event
 key: action
@@ -156,6 +171,8 @@ processors:
 map:
 drop: denied
 accept: allowed
+ deny: denied
+ drop_input: denied
 - source:
 object: network
 key: transport
@@ -181,7 +198,10 @@ processors:
 }
 }
 }
-
+- community_id:
+ ignore_missing: true
+ icmp_type: iptables.icmp.type
+ icmp_code: iptables.icmp.code
 - script:
 lang: painless
 params:
diff --git a/x-pack/filebeat/module/iptables/log/manifest.yml b/x-pack/filebeat/module/iptables/log/manifest.yml
index b93377397b9f..b0a56bafede1 100644
--- a/x-pack/filebeat/module/iptables/log/manifest.yml
+++ b/x-pack/filebeat/module/iptables/log/manifest.yml
@@ -12,8 +12,6 @@ var:
 default: 9001
 - name: input
 default: syslog
- - name: community_id
- default: true
 
 ingest_pipeline: ingest/pipeline.yml
 input: config/input.yml
diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
index 5ceaaa02e3a6..e42e0bc7929f 100644
--- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
@@ -44,6 +44,7 @@
 "network.type": "ipv4",
 "observer.egress.zone": "lan",
 "observer.ingress.zone": "wan",
+ "observer.name": "Hostname",
 "related.ip": [
 "158.109.0.1",
 "10.4.0.5"
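Review bot: The second `set` processor (observer.hostname) is guarded by `if: ctx?.observer?.name == null`, but by that point observer.name has been filled either by the grok `IPTABLES_HOSTNAME` capture or by the preceding `set` from `{{hostname}}`, and when `hostname` is empty `ignore_empty_value` skips the write anyway, so observer.hostname is never populated. If both fields are meant to be set, the guard should read `if: ctx?.observer?.hostname == null`. The `{{hostname}}` template reads a top-level `hostname` field that does not appear in this patch; presumably the input configuration adds it, and a one-line comment above the first `set` naming its source would save the next reader a search. The `processors` list continues on both sides of the hunk.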
diff --git a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json index fc5e515461cb..e986c450d85b 100644 --- a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json @@ -2,6 +2,7 @@ { "destination.ip": "192.0.2.83", "destination.mac": "90:10:28:5f:62:24", + "event.action": "deny", "event.category": [ "network" ], @@ -10,6 +11,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", diff --git a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json index 5589e8dc6027..a18c274ec632 100644 --- a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json @@ -3,6 +3,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.action": "drop_input", "event.category": [ "network" ], @@ -11,6 +12,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", @@ -36,6 +38,7 @@ "network.community_id": "1:VD3aeZ6cGYX6uwOAUQ9NuxbobMI=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "203.0.113.36", "172.16.54.114" @@ -52,6 +55,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 1433, + "event.action": "drop_input", "event.category": [ "network" ], @@ -60,6 +64,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", 
@@ -82,6 +87,7 @@ "network.community_id": "1:r9MnuXFtcWUKzbVQ2vXn7XSQ2Fg=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "198.51.100.198", "172.16.54.114" @@ -98,6 +104,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.action": "drop_input", "event.category": [ "network" ], @@ -106,6 +113,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", @@ -131,6 +139,7 @@ "network.community_id": "1:vgBSpDUKSSgxOm6Y52jw6tCgiN8=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "203.0.113.201", "172.16.54.114" @@ -147,6 +156,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 80, + "event.action": "drop_input", "event.category": [ "network" ], @@ -155,6 +165,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", @@ -180,6 +191,7 @@ "network.community_id": "1:PCNGbo6CtVQoE5Hch+6oMfbeTP4=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "203.0.113.246", "172.16.54.114" @@ -196,6 +208,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.action": "drop_input", "event.category": [ "network" ], @@ -204,6 +217,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", @@ -229,6 +243,7 @@ "network.community_id": "1:Wb/3DTwtWE8C20/hm2JpmBAhsro=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "203.0.113.208", "172.16.54.114" 
@@ -245,6 +260,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.action": "drop_input", "event.category": [ "network" ], @@ -253,6 +269,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", @@ -275,6 +292,7 @@ "network.community_id": "1:+s7vkEgPnzTAoksA2Q0gAzgymfI=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "198.51.100.160", "172.16.54.114" @@ -291,6 +309,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.action": "drop_input", "event.category": [ "network" ], @@ -299,6 +318,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", @@ -324,6 +344,7 @@ "network.community_id": "1:6Pvyzf2+vqgsRxWx+eU9MXEhAFE=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "198.51.100.115", "172.16.54.114" @@ -340,6 +361,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.action": "drop_input", "event.category": [ "network" ], @@ -348,6 +370,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", @@ -373,6 +396,7 @@ "network.community_id": "1:g+bRFDuqViJEc5vzlOapz2LPhFo=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "198.51.100.167", "172.16.54.114" @@ -389,6 +413,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 139, + "event.action": "drop_input", "event.category": [ "network" ], @@ -397,6 +422,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", 
@@ -419,6 +445,7 @@ "network.community_id": "1:a/4LVq88msR/LgVGzZeIkmlNXz4=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "198.51.100.19", "172.16.54.114" @@ -435,6 +462,7 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 8088, + "event.action": "drop_input", "event.category": [ "network" ], @@ -443,6 +471,7 @@ "event.module": "iptables", "event.timezone": "-02:00", "event.type": [ + "denied", "connection" ], "fileset.name": "log", @@ -465,6 +494,7 @@ "network.community_id": "1:1l65fWlqrJCJB7vBaqSgHnJoMbQ=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "example-host", "related.ip": [ "198.51.100.68", "172.16.54.114" diff --git a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json index 8bed25072d70..403b6c69e204 100644 --- a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json @@ -27,6 +27,7 @@ "log.original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" 
@@ -65,6 +66,7 @@ "log.original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459695] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=1 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" @@ -103,6 +105,7 @@ "log.original": "Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482458] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=2 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" @@ -141,6 +144,7 @@ "log.original": "Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482476] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=2 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" 
@@ -179,6 +183,7 @@ "log.original": "Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506336] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=3 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" @@ -217,6 +222,7 @@ "log.original": "Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506356] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=3 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" @@ -255,6 +261,7 @@ "log.original": "Jan 22 09:05:08 ubuntu-bionic kernel: [16574.533989] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=4 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" 
@@ -293,6 +300,7 @@ "log.original": "Jan 22 09:05:08 ubuntu-bionic kernel: [16574.534007] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=4 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" @@ -331,6 +339,7 @@ "log.original": "Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553704] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=5 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" @@ -369,6 +378,7 @@ "log.original": "Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553722] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=5 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "observer.name": "ubuntu-bionic", "related.ip": [ "2001:0db8:0000:0000:0000:0000:0000:0001", "2001:0db8:0000:0000:0000:0000:0000:0002" @@ -408,6 +418,7 @@ "network.community_id": "1:XZrSeKYMvsI3xGPWG5JqrtsD87U=", "network.transport": "ipv6-icmp", "network.type": "ipv6", + "observer.name": "ubuntu-bionic", "related.ip": [ "fe80:0000:0000:0000:0084:88ff:feae:790a", "ff02:0000:0000:0000:0000:0000:0000:0016" diff --git a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json index 486a34c850f9..af2bb0c1ff60 100644 
--- a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json @@ -33,6 +33,7 @@ "network.community_id": "1:3qoibVBmc9hsnHpP4Ms5HO6ls7Q=", "network.transport": "udp", "network.type": "ipv4", + "observer.name": "MainFirewall", "related.ip": [ "192.168.48.137", "255.55.174.225" @@ -89,6 +90,7 @@ "network.community_id": "1:7bPQdYPL4yePwQJZt0I1dvVXLHc=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "MainFirewall", "related.ip": [ "192.168.134.158", "192.0.2.25" @@ -148,6 +150,7 @@ "network.type": "ipv4", "observer.egress.zone": "dest", "observer.ingress.zone": "source", + "observer.name": "MainFirewall", "related.ip": [ "192.168.110.116", "192.0.2.25" @@ -203,6 +206,7 @@ "network.community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "MainFirewall", "related.ip": [ "192.168.110.116", "192.0.2.25" @@ -258,6 +262,7 @@ "network.community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=", "network.transport": "tcp", "network.type": "ipv4", + "observer.name": "MainFirewall", "related.ip": [ "192.168.110.116", "192.0.2.25"