From b99361fd7109f0a057b4bd938e8a6f2fb552dbad Mon Sep 17 00:00:00 2001 From: Fae Charlton Date: Tue, 14 Sep 2021 08:09:00 -0400 Subject: [PATCH 01/12] fix the kafka container's health check (#27905) --- testing/environments/docker/kafka/Dockerfile | 8 ++++++-- testing/environments/docker/kafka/healthcheck.sh | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/testing/environments/docker/kafka/Dockerfile b/testing/environments/docker/kafka/Dockerfile index 484b294c39a..ff38db49e39 100644 --- a/testing/environments/docker/kafka/Dockerfile +++ b/testing/environments/docker/kafka/Dockerfile @@ -22,7 +22,11 @@ ADD healthcheck.sh /healthcheck.sh EXPOSE 9092 EXPOSE 2181 -# Healthcheck creates an empty topic foo. As soon as a topic is created, it assumes broke is available -HEALTHCHECK --interval=1s --retries=600 CMD /healthcheck.sh +# healthcheck.sh tries to create and delete an empty kafka topic (the topic +# string is based on the timestamp), and reports healthy if topic creation +# was successful. +# With these parameters, Docker will consider the container unhealthy if the +# Kafka server is unresponsive for 3 minutes. +HEALTHCHECK --start-period=10s --interval=5s --timeout=5s --retries=36 CMD /healthcheck.sh ENTRYPOINT ["/run.sh"] diff --git a/testing/environments/docker/kafka/healthcheck.sh b/testing/environments/docker/kafka/healthcheck.sh index feebbb8786d..99e533c4634 100755 --- a/testing/environments/docker/kafka/healthcheck.sh +++ b/testing/environments/docker/kafka/healthcheck.sh @@ -8,5 +8,5 @@ if [[ $rc != 0 ]]; then exit $rc fi -${KAFKA_HOME}/bin/kafka-topic.sh --zookeeper=127.0.0.1:2181 --delete --topic "${TOPIC}" +${KAFKA_HOME}/bin/kafka-topics.sh --zookeeper=127.0.0.1:2181 --delete --topic "${TOPIC}" exit 0 From 5bc8572a6f194ba46dab2fd1ad914bfd90433134 Mon Sep 17 00:00:00 2001 From: Alex Resnick Date: Tue, 14 Sep 2021 08:43:37 -0500 Subject: [PATCH 02/12] [Filebeat] ASA Ingest Pipeline fixes (#26879) * #26869: ASA Ingest Pipeline fixes * Update changelog * Update 106023 & 302016 grok patterns * Update addtional grok patterns per comments * Fix per comment * update fields from master * Updated via last comment * Update pipeline * update pipeline to address #27137 --- CHANGELOG.next.asciidoc | 2 +- filebeat/docs/fields.asciidoc | 30 + .../module/cisco/asa/_meta/fields.yml | 12 + .../cisco/asa/test/additional_messages.log | 9 +- .../additional_messages.log-expected.json | 509 +++++++- .../cisco/asa/test/asa-fix.log-expected.json | 21 +- .../cisco/asa/test/asa.log-expected.json | 268 +++- .../cisco/asa/test/filtered.log-expected.json | 1 + .../asa/test/hostnames.log-expected.json | 1 + .../cisco/asa/test/not-ip.log-expected.json | 2 + .../filebeat/module/cisco/asa/test/sample.log | 15 + .../cisco/asa/test/sample.log-expected.json | 1151 ++++++++++++++++- x-pack/filebeat/module/cisco/fields.go | 2 +- .../module/cisco/ftd/_meta/fields.yml | 6 + .../cisco/ftd/test/asa-fix.log-expected.json | 16 +- .../cisco/ftd/test/asa.log-expected.json | 268 +++- .../cisco/ftd/test/dns.log-expected.json | 21 + .../ftd/test/intrusion.log-expected.json | 4 + .../cisco/ftd/test/not-ip.log-expected.json | 2 + .../cisco/ftd/test/sample.log-expected.json | 66 +- .../security-connection.log-expected.json | 10 + .../security-file-malware.log-expected.json | 10 + .../security-malware-site.log-expected.json | 1 + .../cisco/shared/ingest/asa-ftd-pipeline.yml | 125 +- 24 files changed, 2481 insertions(+), 71 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 200399b6b4f..69ac4ec1732 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -753,7 +753,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add `join` and `sprintf` functions to `httpjson` input. {pull}27735[27735] - Improve memory usage of line reader of `log` and `filestream` input. {pull}27782[27782] - Add `ignore_empty_value` flag to `httpjson` `split` processor. {pull}27880[27880] - +- Update Cisco ASA/FTD ingest pipeline grok/dissect patterns for multiple message IDs. {issue}26869[26869] {pull}26879[26879] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 6e40ec0107f..5d95c482caa 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -21809,6 +21809,26 @@ type: keyword The WebVPN group name the user belongs to +type: keyword + +-- + +*`cisco.asa.termination_initiator`*:: ++ +-- +Interface name of the side that initiated the teardown + + +type: keyword + +-- + +*`cisco.asa.tunnel_type`*:: ++ +-- +SA type (remote access or L2L) + + type: keyword -- @@ -22047,6 +22067,16 @@ type: keyword The WebVPN group name the user belongs to +type: keyword + +-- + +*`cisco.ftd.termination_initiator`*:: ++ +-- +Interface name of the side that initiated the teardown + + type: keyword -- diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index f41b0383a11..e321a6cf3a2 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -187,3 +187,15 @@ default_field: false description: > The WebVPN group name the user belongs to + + - name: termination_initiator + type: keyword + default_field: false + description: > + Interface name of the side that initiated the teardown + + - name: tunnel_type + type: keyword + default_field: false + description: > + SA type (remote access or L2L) diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log index 0c3aef67223..e1666f72432 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log @@ -17,7 +17,7 @@ May 5 18:29:32 dev01: %ASA-6-302020: Built inbound ICMP connection for faddr 10 May 5 18:29:32 dev01: %ASA-6-302020: Built outbound ICMP connection for faddr 10.10.10.10/0 gaddr 8.8.8.8/0 laddr 192.168.2.2/0 type 3 code 3 May 5 18:29:32 dev01: %ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I May 5 18:29:32 dev01: %ASA-6-302013: Built outbound TCP connection 1588662 for intfacename:192.168.2.2/80 (8.8.8.8/80) to net:10.10.10.10/54839 (8.8.8.8/54839) -May 5 18:29:32 dev01: %ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 +May 5 18:29:32 dev01: %ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00 May 5 18:40:50 dev01: %ASA-4-313004: Denied ICMP type=0, from laddr 10.10.10.10 on interface fw502 to 192.168.2.2: no matching session May 5 18:40:50 dev01: %ASA-6-305011: Built dynamic TCP translation from fw111:10.10.10.10/57006 to out111:192.168.2.2/57006 May 5 18:40:50 dev01: %ASA-2-106001: Inbound TCP connection denied from 192.168.2.2/43803 to 10.10.10.10/14322 flags SYN on interface out111 @@ -83,3 +83,10 @@ Apr 27 2020 02:03:03 dev01: %ASA-6-713904: All IPSec SA proposals found unaccept Apr 27 2020 02:03:03 dev01: %ASA-6-713903: IP = 192.128.1.1, All IPSec SA proposals found unacceptable! Apr 27 2020 02:03:03 dev01: %ASA-6-713902: Group = 100.60.140.10, All IPSec SA proposals found unacceptable! Apr 27 2020 02:03:03 dev01: %ASA-6-713901: Group = 100.60.140.10, IP = 192.128.1.1, All IPSec SA proposals found unacceptable! +Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group "inbound" +Apr 27 2020 02:03:03 dev01: %ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group "OUTSIDE_in" +Apr 27 2020 02:03:03 dev01: %ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944 +May 5 19:02:25 dev01: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269 +May 5 19:02:25 dev01: %ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018 +May 5 19:02:25 dev01: %ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466 +May 5 19:02:25 dev01: %ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054 diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index cbe5e2b82eb..8866c2baa1b 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -31,6 +31,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "network.community_id": "1:Fw2gM6G3TtQ3pHWsZKBU6LW96pQ=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", @@ -91,6 +92,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 162, + "network.community_id": "1:IVpSg0ysDmubwwgwjXBIZ47C7h0=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -338,7 +340,9 @@ "input.type": "log", "log.level": "informational", "log.offset": 770, - "network.transport": "tcp flow", + "network.community_id": "1:fZKugXq2jG4PzddJfuy6XDBSNb4=", + "network.iana_number": 6, + "network.transport": "tcp", "observer.egress.interface.name": "fw111", "observer.hostname": "dev01", "observer.ingress.interface.name": "fw111", @@ -395,6 +399,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 932, + "network.community_id": "1:RAjPAJDWj8kCZQnmEJzqMl9E6h8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw109", @@ -446,6 +451,7 @@ "input.type": "log", "log.level": "debug", "log.offset": 1119, + "network.community_id": "1:7GE6gaRtd6w4KEJWhDLHwfgp1Do=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "fw111", @@ -619,6 +625,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1722, + "network.community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "dev01", @@ -860,6 +867,7 @@ "log.level": "informational", "log.offset": 2298, "network.bytes": 0, + "network.community_id": "1:4wndP8OTPk0tlCwv5mj9vURDLQ0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", @@ -916,6 +924,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2462, + "network.community_id": "1:N0ZlFq5yxkndvN9h3uigv6XgVms=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -945,7 +954,7 @@ }, { "cisco.asa.destination_interface": "out111", - "cisco.asa.message_id": "302012", + "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "fw111", "destination.address": "192.168.2.2", "destination.ip": "192.168.2.2", @@ -954,13 +963,13 @@ "event.category": [ "network" ], - "event.code": 302012, + "event.code": 305012, "event.dataset": "cisco.asa", "event.duration": 0, "event.end": "2021-05-05T18:29:32.000-02:00", "event.kind": "event", "event.module": "cisco", - "event.original": "%ASA-6-302012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", + "event.original": "%ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00", "event.severity": 6, "event.start": "2021-05-05T20:29:32.000Z", "event.timezone": "-02:00", @@ -973,6 +982,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2623, + "network.community_id": "1:PyQWTuzAdzYav2//+TQFcJTt2os=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "out111", @@ -1024,6 +1034,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 2768, + "network.community_id": "1:adLbp2MSbpgtKlYEN938sSARKPs=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "dev01", @@ -1072,6 +1083,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2904, + "network.community_id": "1:hoENwaIuofrQAf7gW+y4f0XXbxc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -1123,6 +1135,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3029, + "network.community_id": "1:+xI89PlchTpu6dxTMHpkmkd99Ns=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1189,6 +1202,7 @@ "log.level": "critical", "log.offset": 3172, "network.bytes": 64585, + "network.community_id": "1:eOIoJBMMmanddR7cRZ0I9vTVI7o=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "net", @@ -1245,6 +1259,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3328, + "network.community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1305,6 +1320,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3491, + "network.community_id": "1:QsMj86uzy+H1c1pPwrevpSOTh6Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1362,6 +1378,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 3654, + "network.community_id": "1:mPK7q/c5ZVhrh2fX6Uqp5314u3M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -1461,6 +1478,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 3935, + "network.community_id": "1:CQXm0MA6TgkTzvcatvgQvikqqes=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1512,6 +1530,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4053, + "network.community_id": "1:CctaOB5wLrJrIATPwYjXODlSpRk=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", @@ -1562,6 +1581,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4197, + "network.community_id": "1:ghA7Jv5D0sCP4HhHb948hjqh3H4=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", @@ -1612,6 +1632,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4337, + "network.community_id": "1:daEI7UiyuAFNVP1xsUsb/AHJ/1I=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "dev01", @@ -1661,6 +1682,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4472, + "network.community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1711,6 +1733,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4631, + "network.community_id": "1:1Rjth0DOphFZyLUBP572S4VdEu0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1816,6 +1839,7 @@ "log.level": "informational", "log.offset": 4949, "network.bytes": 0, + "network.community_id": "1:A692g/lxHLbLsT0d0M1RFfiHIs0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "net", @@ -1871,6 +1895,7 @@ "log.level": "informational", "log.offset": 5142, "network.bytes": 0, + "network.community_id": "1:pcILvYGm5J7rxuqU5/TRGZGGe3E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "unknown", @@ -2002,6 +2027,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5571, + "network.community_id": "1:XgYjYk8hbPPlEnBcHqCD172wQQE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", @@ -2055,6 +2081,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5743, + "network.community_id": "1:a99mceIcFv0NTz6Aw/+bwE1TnPA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "fw111", @@ -2174,6 +2201,7 @@ "input.type": "log", "log.level": "debug", "log.offset": 6256, + "network.community_id": "1:pXZbIlTv2J4XdRhqORC4IQqpKKg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "net", @@ -2292,6 +2320,7 @@ "input.type": "log", "log.level": "error", "log.offset": 6722, + "network.community_id": "1:4MHSMLtBw+4q7Wke3ztBRVwtgt0=", "network.direction": "inbound", "network.iana_number": 1, "network.transport": "icmp", @@ -2384,6 +2413,7 @@ "input.type": "log", "log.level": "error", "log.offset": 7071, + "network.community_id": "1:frDwW4LN1XFwCsYClx5AmXSlEBE=", "network.direction": "inbound", "network.transport": "sctp", "observer.egress.interface.name": "fw111", @@ -2433,6 +2463,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 7178, + "network.community_id": "1:gZP3lWRSgL55d5cZvFu18yXen5M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "out111", @@ -2688,6 +2719,7 @@ "log.level": "informational", "log.offset": 7808, "network.bytes": 245, + "network.community_id": "1:GUlUhGicslkTpg27XLqbp4L0H68=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "server.deflan", @@ -2749,6 +2781,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 8003, + "network.community_id": "1:B0rqhFg9+Gx1GmU4JRhiyO3+xmE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "srv", @@ -3437,6 +3470,7 @@ "input.type": "log", "log.level": "error", "log.offset": 9934, + "network.community_id": "1:9NRUY+1nxDxjlLBwQoakpBYA9sc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3704,6 +3738,122 @@ "forwarded" ] }, + { + "cisco.asa.message_id": "602303", + "cisco.asa.tunnel_type": "LAN-to-LAN", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "created", + "event.code": 602303, + "event.dataset": "cisco.asa", + "event.module": "cisco", + "event.original": "%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been created.", + "event.outcome": "success", + "event.severity": 6, + "event.timezone": "-02:00", + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 10775, + "network.direction": "outbound", + "network.type": "ipsec", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "91.240.17.178" + ], + "related.user": [ + "admin" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "admin" + }, + { + "cisco.asa.message_id": "602304", + "cisco.asa.tunnel_type": "LAN-to-LAN", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "event.action": "deleted", + "event.category": [ + "network" + ], + "event.code": 602304, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xF81283) between 91.240.17.178 and 192.168.2.2 (user= admin) has been deleted.", + "event.outcome": "success", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "deletion", + "info", + "user" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "informational", + "log.offset": 10937, + "network.direction": "outbound", + "network.type": "ipsec", + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "192.168.2.2", + "91.240.17.178" + ], + "related.user": [ + "admin" + ], + "service.type": "cisco", + "source.address": "91.240.17.178", + "source.as.number": 201126, + "source.as.organization.name": "CDW Ltd", + "source.geo.city_name": "London", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.5888, + "source.geo.location.lon": -0.0247, + "source.geo.region_iso_code": "GB-ENG", + "source.geo.region_name": "England", + "source.ip": "91.240.17.178", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "admin" + }, { "cisco.asa.message_id": "750002", "destination.address": "192.168.2.2", @@ -4117,5 +4267,356 @@ "cisco-asa", "forwarded" ] + }, + { + "cisco.asa.destination_interface": "inside", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "inbound", + "cisco.asa.source_interface": "outside", + "destination.address": "172.31.98.44", + "destination.ip": "172.31.98.44", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny protocol 47 src outside:100.66.124.24 dst inside:172.31.98.44 by access-group \"inbound\"", + "event.outcome": "failure", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "denied", + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12205, + "network.community_id": "1:Uo11LCySQ1S0c9jtHZVIb4Pm/2k=", + "network.iana_number": 47, + "observer.egress.interface.name": "inside", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "outside", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "100.66.124.24", + "172.31.98.44" + ], + "service.type": "cisco", + "source.address": "100.66.124.24", + "source.ip": "100.66.124.24", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "106023", + "cisco.asa.rule_name": "OUTSIDE_in", + "cisco.asa.source_interface": "OUTSIDE", + "destination.address": "fe00:afa0::1", + "destination.ip": "fe00:afa0::1", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 106023, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-106023: Deny icmp src OUTSIDE:2a05:d016:add:4002:91f2:a9b2:e09a:6fc6 dst OUTSIDE:fe00:afa0::1 (type 128, code 0) by access-group \"OUTSIDE_in\"", + "event.outcome": "failure", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "denied", + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12341, + "network.community_id": "1:VA3lwFPBuRus2kxMs1BexFp+gp4=", + "network.iana_number": 1, + "network.transport": "icmp", + "observer.egress.interface.name": "OUTSIDE", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "fe00:afa0::1" + ], + "service.type": "cisco", + "source.address": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "source.as.number": 16509, + "source.as.organization.name": "Amazon.com, Inc.", + "source.geo.city_name": "Stockholm", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "SE", + "source.geo.country_name": "Sweden", + "source.geo.location.lat": 59.3333, + "source.geo.location.lon": 18.05, + "source.geo.region_iso_code": "SE-AB", + "source.geo.region_name": "Stockholm", + "source.ip": "2a05:d016:add:4002:91f2:a9b2:e09a:6fc6", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.connection_id": "123364823", + "cisco.asa.destination_interface": "identity", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "OUTSIDE", + "destination.address": "85.0.0.1", + "destination.as.number": 3303, + "destination.as.organization.name": "Bluewin", + "destination.geo.city_name": "Kolliken", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", + "destination.geo.location.lat": 47.3388, + "destination.geo.location.lon": 8.0264, + "destination.geo.region_iso_code": "CH-AG", + "destination.geo.region_name": "Aargau", + "destination.ip": "85.0.0.1", + "destination.port": 500, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 332660000000000, + "event.end": "2020-04-27T02:03:03.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-302016: Teardown UDP connection 123364823 for OUTSIDE:82.0.0.1/500 to identity:85.0.0.1/500 duration 92:24:20 bytes 4671944", + "event.severity": 4, + "event.start": "2020-04-23T07:38:43.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12518, + "network.bytes": 4671944, + "network.community_id": "1:rwM9yFUsWh6N2utKviU7S94dS9U=", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "identity", + "observer.hostname": "dev01", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "related.ip": [ + "82.0.0.1", + "85.0.0.1" + ], + "service.type": "cisco", + "source.address": "82.0.0.1", + "source.as.number": 5089, + "source.as.organization.name": "Virgin Media Limited", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", + "source.geo.location.lat": 51.4964, + "source.geo.location.lon": -0.1224, + "source.ip": "82.0.0.1", + "source.port": 500, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "5", + "cisco.asa.burst.configured_avg_rate": "4", + "cisco.asa.burst.configured_rate": "8", + "cisco.asa.burst.cumulative_count": "19269", + "cisco.asa.burst.current_rate": "0", + "cisco.asa.burst.id": "rate-2", + "cisco.asa.burst.object": "Scanning", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 0 per second, max configured rate is 8; Current average rate is 5 per second, max configured rate is 4; Cumulative total count is 19269", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12677, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "5", + "cisco.asa.burst.configured_avg_rate": "5", + "cisco.asa.burst.configured_rate": "10", + "cisco.asa.burst.cumulative_count": "6018", + "cisco.asa.burst.current_rate": "0", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "192.168.0.1", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [ 192.168.0.1] drop rate-1 exceeded. Current burst rate is 0 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 6018", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 12907, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "20", + "cisco.asa.burst.configured_avg_rate": "5", + "cisco.asa.burst.configured_rate": "10", + "cisco.asa.burst.cumulative_count": "12466", + "cisco.asa.burst.current_rate": "8", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "Port-5432 5432", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [ Port-5432 5432] drop rate-1 exceeded. Current burst rate is 8 per second, max configured rate is 10; Current average rate is 20 per second, max configured rate is 5; Cumulative total count is 12466", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 13142, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "cisco.asa.burst.avg_rate": "5", + "cisco.asa.burst.configured_avg_rate": "5", + "cisco.asa.burst.configured_rate": "10", + "cisco.asa.burst.cumulative_count": "3054", + "cisco.asa.burst.current_rate": "63", + "cisco.asa.burst.id": "rate-1", + "cisco.asa.burst.object": "RDP 3389", + "cisco.asa.message_id": "733100", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 733100, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-4-733100: [ RDP 3389] drop rate-1 exceeded. Current burst rate is 63 per second, max configured rate is 10; Current average rate is 5 per second, max configured rate is 5; Cumulative total count is 3054", + "event.severity": 4, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "host.hostname": "dev01", + "input.type": "log", + "log.level": "warning", + "log.offset": 13384, + "observer.hostname": "dev01", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "dev01" + ], + "service.type": "cisco", + "tags": [ + "cisco-asa", + "forwarded" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 39e67069061..9335237a31b 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -4,7 +4,7 @@ "cisco.asa.destination_interface": "Inside", "cisco.asa.message_id": "302016", "cisco.asa.source_interface": "Outside", - "cisco.asa.source_username": "(LOCAL\\Elastic)", + "cisco.asa.source_username": "LOCAL\\Elastic", "cisco.asa.termination_user": "zzzzzz", "destination.address": "10.233.123.123", "destination.ip": "10.233.123.123", @@ -33,6 +33,7 @@ "log.level": "informational", "log.offset": 0, "network.bytes": 148, + "network.community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "Inside", @@ -48,10 +49,14 @@ "10.123.123.123", "10.233.123.123" ], + "related.user": [ + "Elastic" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "source.port": 53723, + "source.user.name": "Elastic", "tags": [ "cisco-asa", "forwarded" @@ -85,6 +90,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 200, + "network.community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "Outside", @@ -135,6 +141,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 381, + "network.community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -159,7 +166,7 @@ "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "Inside_access_in", "cisco.asa.source_interface": "Inside", - "cisco.asa.source_username": "(LOCAL\\Elastic)", + "cisco.asa.source_username": "LOCAL\\Elastic", "destination.address": "10.123.123.123", "destination.ip": "10.123.123.123", "destination.port": 57621, @@ -184,6 +191,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 545, + "network.community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "Outside", @@ -198,10 +206,14 @@ "related.ip": [ "10.123.123.123" ], + "related.user": [ + "Elastic" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "source.port": 57621, + "source.user.name": "Elastic", "tags": [ "cisco-asa", "forwarded" @@ -329,6 +341,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 989, + "network.community_id": "1:/zjqku0IM1BTHL37aH0DvJSecYY=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "identity", @@ -377,6 +390,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1171, + "network.community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -425,6 +439,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1334, + "network.community_id": "1:F0lY+M777B6QL2SDSKa9RfuUJ7s=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -474,6 +489,7 @@ "input.type": "log", "log.level": "error", "log.offset": 1514, + "network.community_id": "1:kRCfRJ9T/IeRNAhAhzOsF6EjIV4=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -533,6 +549,7 @@ "input.type": "log", "log.level": "alert", "log.offset": 1723, + "network.community_id": "1:cJpy7sqGDQbchRUXDtR8k10HinM=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "outside", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 59fdb927a87..81c80ebf991 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -27,6 +27,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 0, + "network.community_id": "1:ygCOhTlTMVGn+PXlTgyzRveBJ9g=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -86,6 +87,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 150, + "network.community_id": "1:aH+Rcp4nenimMGZQ733uys/x0js=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -148,6 +150,7 @@ "log.level": "informational", "log.offset": 345, "network.bytes": 38110, + "network.community_id": "1:nawleoAMDhKg7pshv6H5enEaKV8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -209,6 +212,7 @@ "log.level": "informational", "log.offset": 535, "network.bytes": 44010, + "network.community_id": "1:XqwLVHNEt7Z1fB2ZZXj1piBH4PM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -270,6 +274,7 @@ "log.level": "informational", "log.offset": 725, "network.bytes": 7652, + "network.community_id": "1:Q18EvtK0EmoGK6hViBJu2B9syjc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -331,6 +336,7 @@ "log.level": "informational", "log.offset": 913, "network.bytes": 7062, + "network.community_id": "1:k3K4xSa45aJwCWLM9eIJsqCydLQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -392,6 +398,7 @@ "log.level": "informational", "log.offset": 1101, "network.bytes": 5738, + "network.community_id": "1:Qq/qwMDt7lmCdvQnPYJ86wHp5mY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -453,6 +460,7 @@ "log.level": "informational", "log.offset": 1290, "network.bytes": 4176, + "network.community_id": "1:ezm9yQGN1cdh1QEJ2nw19295QfU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -514,6 +522,7 @@ "log.level": "informational", "log.offset": 1478, "network.bytes": 1715, + "network.community_id": "1:dV1ILqqOHNIkUwdYUt2iodkCTIg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -575,6 +584,7 @@ "log.level": "informational", "log.offset": 1666, "network.bytes": 45595, + "network.community_id": "1:M9jSkRNBaw+CV8aYYGLeh+1c4LQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -636,6 +646,7 @@ "log.level": "informational", "log.offset": 1853, "network.bytes": 27359, + "network.community_id": "1:kcIahkhuYMj1cJNDgmYdpgb8b5o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -697,6 +708,7 @@ "log.level": "informational", "log.offset": 2043, "network.bytes": 4457, + "network.community_id": "1:Oll9UOQVtF14Vb1gAqDgbQ8GVN0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -758,6 +770,7 @@ "log.level": "informational", "log.offset": 2231, "network.bytes": 26709, + "network.community_id": "1:SRok/PbYRZCXwEJ9MQDvhiR0OZc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -819,6 +832,7 @@ "log.level": "informational", "log.offset": 2420, "network.bytes": 22097, + "network.community_id": "1:agnIkBJhbPXkAM0Ai6Q8vvm22FM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -880,6 +894,7 @@ "log.level": "informational", "log.offset": 2609, "network.bytes": 2209, + "network.community_id": "1:dyOBaLTo8f2aK6FSqmPQ8iEKQCM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -941,6 +956,7 @@ "log.level": "informational", "log.offset": 2798, "network.bytes": 10404, + "network.community_id": "1:JG3x+PLXI8vDNUP0xc2b7cGmtO8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1002,6 +1018,7 @@ "log.level": "informational", "log.offset": 2987, "network.bytes": 123694, + "network.community_id": "1:aVhOiCMAQUL3DYMg+b1hd6++Tsw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1063,6 +1080,7 @@ "log.level": "informational", "log.offset": 3177, "network.bytes": 35835, + "network.community_id": "1:yvanaru1i/rrH9fF3MeSmHfJVH0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1124,6 +1142,7 @@ "log.level": "informational", "log.offset": 3367, "network.bytes": 0, + "network.community_id": "1:h36yIuCF0zHqn+9q0Z5lLEIz2FE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1178,6 +1197,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3552, + "network.community_id": "1:tCQw5Th130a6dZONq7h6PjILJZY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -1237,6 +1257,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 3703, + "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1298,6 +1319,7 @@ "log.level": "informational", "log.offset": 3896, "network.bytes": 148, + "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1357,6 +1379,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4071, + "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1418,6 +1441,7 @@ "log.level": "informational", "log.offset": 4264, "network.bytes": 164, + "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1472,6 +1496,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4439, + "network.community_id": "1:IqCv9QrYpJkgySoRM91LE2Ao1Ug=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1531,6 +1556,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4589, + "network.community_id": "1:sxPO5rXtxG30Oh+QP2ncQZ0N1U8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1586,6 +1612,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4784, + "network.community_id": "1:MZcBg2aQ/SdpVmPXf2Ze+Ng4g9Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1645,6 +1672,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 4934, + "network.community_id": "1:G5HU7oEz3i/eGfSUoq5HuDVo7u4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1705,6 +1733,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5129, + "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1765,6 +1794,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5326, + "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1826,6 +1856,7 @@ "log.level": "informational", "log.offset": 5519, "network.bytes": 111, + "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1886,6 +1917,7 @@ "log.level": "informational", "log.offset": 5696, "network.bytes": 237, + "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1940,6 +1972,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 5871, + "network.community_id": "1:/KJCwT2FUqlgb+8c7f4b8fvqWFE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1999,6 +2032,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6021, + "network.community_id": "1:gFO9U+lgj3sty9R349zScds2rBg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2054,6 +2088,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6218, + "network.community_id": "1:kpfWE+K4tPLbC1LWM9M8v5zQqyk=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2113,6 +2148,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6369, + "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2173,6 +2209,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 6566, + "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2234,6 +2271,7 @@ "log.level": "informational", "log.offset": 6759, "network.bytes": 87, + "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2294,6 +2332,7 @@ "log.level": "informational", "log.offset": 6935, "network.bytes": 221, + "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2348,6 +2387,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7110, + "network.community_id": "1:J8j4D9Hm6tPmF+enIkcOgaYzEg4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2407,6 +2447,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7260, + "network.community_id": "1:2VKYvyM6qODR0XAXnVUFrYSP/IU=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2467,6 +2508,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7455, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2527,6 +2569,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 7652, + "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2588,6 +2631,7 @@ "log.level": "informational", "log.offset": 7849, "network.bytes": 101, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2648,6 +2692,7 @@ "log.level": "informational", "log.offset": 8026, "network.bytes": 126, + "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2702,6 +2747,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8203, + "network.community_id": "1:TO0ui5exOUfDCukU8mR9bJIjkLY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2761,6 +2807,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8353, + "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2823,6 +2870,7 @@ "log.level": "informational", "log.offset": 8548, "network.bytes": 862, + "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -2882,6 +2930,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 8733, + "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2943,6 +2992,7 @@ "log.level": "informational", "log.offset": 8930, "network.bytes": 104, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3003,6 +3053,7 @@ "log.level": "informational", "log.offset": 9107, "network.bytes": 176, + "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3057,6 +3108,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9284, + "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3116,6 +3168,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9434, + "network.community_id": "1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3171,6 +3224,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9625, + "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3230,6 +3284,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9775, + "network.community_id": "1:XheyUG03AcgRSOyMnpafZQNi3wY=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3285,6 +3340,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 9966, + "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3344,6 +3400,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10116, + "network.community_id": "1:cKgOVwHWv3CzYQlpMkVbynKHE30=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3404,6 +3461,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10307, + "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3465,6 +3523,7 @@ "log.level": "informational", "log.offset": 10500, "network.bytes": 104, + "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3519,6 +3578,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10675, + "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3578,6 +3638,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 10825, + "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3633,6 +3694,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11018, + "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3692,6 +3754,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11168, + "network.community_id": "1:wH3OQfGQv6qlex3KDY6fleRZ3W4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3752,6 +3815,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11361, + "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3814,6 +3878,7 @@ "log.level": "informational", "log.offset": 11554, "network.bytes": 593, + "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3868,6 +3933,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11738, + "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3927,6 +3993,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 11888, + "network.community_id": "1:9aaIbdVfxtctEtHtisDVEKYc8wI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3988,6 +4055,7 @@ "log.level": "informational", "log.offset": 12081, "network.bytes": 375, + "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -4042,6 +4110,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12256, + "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4101,6 +4170,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12406, + "network.community_id": "1:CUxMKGQ8Da35o4Z5ZJ3cqjyBcjE=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4130,20 +4200,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4151,7 +4230,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12599, + "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4160,7 +4244,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-asa", "forwarded" @@ -4194,6 +4285,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12769, + "network.community_id": "1:24J8khLuXWoetlU/J6WYj+4RnIU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4253,6 +4345,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 12920, + "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4282,20 +4375,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4303,7 +4405,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13115, + "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4312,7 +4419,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-asa", "forwarded" @@ -4320,20 +4434,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4341,7 +4464,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13285, + "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4350,7 +4478,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-asa", "forwarded" @@ -4358,20 +4493,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4379,7 +4523,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13455, + "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4388,7 +4537,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-asa", "forwarded" @@ -4396,20 +4552,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4417,7 +4582,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13625, + "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4426,7 +4596,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-asa", "forwarded" @@ -4434,20 +4611,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4455,7 +4641,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13795, + "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4464,7 +4655,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-asa", "forwarded" @@ -4472,20 +4670,29 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", - "event.action": "firewall-rule", + "cisco.asa.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.asa", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "asa", "host.hostname": "localhost", @@ -4493,7 +4700,12 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 13965, + "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4502,7 +4714,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-asa", "forwarded" @@ -4543,6 +4762,7 @@ "log.level": "informational", "log.offset": 14135, "network.bytes": 575, + "network.community_id": "1:pux42VCSy7BX42P3cpyd4c/X1M8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4604,6 +4824,7 @@ "log.level": "informational", "log.offset": 14320, "network.bytes": 5391, + "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4658,6 +4879,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14509, + "network.community_id": "1:mWEQuMzgDppOFGfUpnRU2SOVLC4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4717,6 +4939,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 14660, + "network.community_id": "1:WPQ7PgW0xK/OsH/dwOA4osO4W+M=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4775,6 +4998,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 14855, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4832,6 +5056,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15020, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4889,6 +5114,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15185, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4946,6 +5172,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15350, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5003,6 +5230,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15515, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5060,6 +5288,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15680, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5117,6 +5346,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 15845, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5174,6 +5404,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16010, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5231,6 +5462,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16175, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5288,6 +5520,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16340, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5345,6 +5578,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16505, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5402,6 +5636,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16670, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5459,6 +5694,7 @@ "log.file.path": "asa.log", "log.level": "warning", "log.offset": 16835, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5513,6 +5749,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17000, + "network.community_id": "1:ZuhnndzENnR8d8NKvStxJffM+XM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -5572,6 +5809,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17150, + "network.community_id": "1:7t0ua2FV3S8YYwDwaXzw5Tm8M80=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -5627,6 +5865,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17343, + "network.community_id": "1:ZhyIop0bR8c1qT9K7cSplqrW0ew=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -5686,6 +5925,7 @@ "log.file.path": "asa.log", "log.level": "informational", "log.offset": 17494, + "network.community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 5b15b5338d8..1ae3aa1f563 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -62,6 +62,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 174, + "network.community_id": "1:bEmZObpc4rxeHLkGwSyEBNS+Sxg=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index adfb513bdb9..e959ed69145 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -76,6 +76,7 @@ "log.file.path": "hostnames.log", "log.level": "informational", "log.offset": 169, + "network.community_id": "1:TIG5OyXflKDSW/Fgd/O5r5A7Zk4=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "MYHOSTNAME", diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index bf0c3a439e7..09357b0121b 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -79,6 +79,7 @@ "log.file.path": "not-ip.log", "log.level": "informational", "log.offset": 201, + "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "localhost", @@ -138,6 +139,7 @@ "log.file.path": "not-ip.log", "log.level": "warning", "log.offset": 360, + "network.community_id": "1:d9RGgqBro5rzu16MqJQFehDRaKY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "wan", diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log index 73ea89341b0..6553ffa18ef 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log @@ -70,3 +70,18 @@ Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username) +Jan 13 2021 19:12:37: %ASA-5-304001: USER001@192.168.0.1(LOCAL\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html +Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001) +Jan 13 2021 19:12:37: %ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld) +Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3 +Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3 +Jan 13 2021 19:12:37: %ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3 +Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00 +Jan 15 2021 19:12:37: %ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0 +Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com) +Jan 15 2021 19:12:37: %ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05 +Jan 15 2021 19:12:37: %ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\USER001) +Jan 15 2021 19:12:37: %ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\USER001) +Jan 15 2021 19:12:37: %ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\domain\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\USER001) +Jan 15 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\domain\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\USER001) +Jul 29 2021 08:35:29: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted. diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 33522a3339c..50e7be1889e 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -29,6 +29,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 0, + "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -79,6 +80,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 139, + "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -130,6 +132,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 294, + "network.community_id": "1:/AVpSqNe7QhujyFPgKMbMS9Ct44=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -181,6 +184,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 465, + "network.community_id": "1:462QRxMFThXYxhSyvR50cIDJegg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -236,6 +240,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 632, + "network.community_id": "1:c8hH08+kxqP8+dYZZFCsPYYf0oo=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -287,6 +292,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 812, + "network.community_id": "1:oGT+RQ2PYVsSEX/LuKvEW6O6Jiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -340,6 +346,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 938, + "network.community_id": "1:4NJbCZhuyrAJcj7S647C7IIhAM8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -388,6 +395,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1106, + "network.community_id": "1:ay9S7HyVcpV47ArwMPDsxLg6wBU=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -441,6 +449,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1233, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -491,6 +500,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1401, + "network.community_id": "1:fZibb4nXPyoJv3pk+hIlafmMMMY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -545,6 +555,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 1527, + "network.community_id": "1:KAOD4KM9MUK44UkzQPDM20+aGPI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -600,6 +611,7 @@ "log.level": "informational", "log.offset": 1692, "network.bytes": 140, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -631,6 +643,7 @@ "destination.address": "10.123.1.35", "destination.ip": "10.123.1.35", "destination.port": 52925, + "destination.user.name": "user2", "event.action": "flow-expiration", "event.category": [ "network" @@ -655,6 +668,7 @@ "log.level": "informational", "log.offset": 1844, "network.bytes": 9999999, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -666,14 +680,20 @@ "10.123.1.35", "192.0.2.222" ], + "related.user": [ + "user1", + "user2" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 53, + "source.user.name": "user1", "tags": [ "cisco-asa", "forwarded" - ] + ], + "user.name": "user2" }, { "@timestamp": "2011-06-04T21:59:52.000-02:00", @@ -702,6 +722,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2008, + "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "FJSG2NRFW01", @@ -750,6 +771,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2163, + "network.community_id": "1:EsAlPGwbpvnOIWG+1RbOLtWOWaI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -804,6 +826,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 2289, + "network.community_id": "1:m/dSB7tetihSecuyjm6x4Rl/8I8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -853,6 +876,7 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 2454, + "network.community_id": "1:cjsjwTI1K/FNwJ9mwZX971rPjfo=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -903,6 +927,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2563, + "network.community_id": "1:Zboag8BrI6OW/Oo2vWMZ2CJe4tM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -953,6 +978,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2722, + "network.community_id": "1:Ne/QE55iCFiCg5J75DhSp3KZzQI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1003,6 +1029,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 2883, + "network.community_id": "1:nVqNkC3HBTw1Le7RJD28aYfCDTg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1053,6 +1080,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3044, + "network.community_id": "1:c82bgYlFS2zsrs3He7w3jq7x6jY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1103,6 +1131,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3205, + "network.community_id": "1:iQJvtLpa8CzCZimwacqAWJp9sZg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1153,6 +1182,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3366, + "network.community_id": "1:CHFAR3iwADiL0sMiLhocbg8YF4o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1203,6 +1233,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3527, + "network.community_id": "1:fW9fDNL4osH5ogPXIzh5huGyJLU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1253,6 +1284,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3688, + "network.community_id": "1:VqbI7AJvRLmCOZAb2tHFFBTeRZ8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1303,6 +1335,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 3847, + "network.community_id": "1:TUJhCk7pGNvVhgiAnf4YJJaoCpo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -1353,6 +1386,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4004, + "network.community_id": "1:EItD1g2bG+b/iorMXbZ/3Bvjam8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1401,6 +1435,7 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 4163, + "network.community_id": "1:a6VFmKsjwlqdlhQIeSm95/lkWlY=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1448,6 +1483,7 @@ "log.file.path": "sample.log", "log.level": "critical", "log.offset": 4274, + "network.community_id": "1:96NZ3spb6QBXPZwoL7NadaqTMac=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -1498,6 +1534,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4383, + "network.community_id": "1:DbXtTF7Tt+LJ0/omdap4K0RmodY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1548,6 +1585,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4542, + "network.community_id": "1:8enMIE4IqhVXWyyRuJRvdyDxiBA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1598,6 +1636,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4703, + "network.community_id": "1:3vGj3wfvZB2f5kZmDflH/qfkWYE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1648,6 +1687,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 4862, + "network.community_id": "1:Wjdn68t3gwpMPxbO1bBTBvMkQKE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1698,6 +1738,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5018, + "network.community_id": "1:OHPCPPOkvDP3KMLJodW8pdmntUw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1748,6 +1789,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 5174, + "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1798,6 +1840,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 5321, + "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1848,6 +1891,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5468, + "network.community_id": "1:IOafOGWxFLefP+hvoAc06Z1pBj8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1898,6 +1942,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5631, + "network.community_id": "1:89qba0kw6T/uGNWcSzTTYvNoLeY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1949,6 +1994,7 @@ "log.file.path": "sample.log", "log.level": "notification", "log.offset": 5792, + "network.community_id": "1:3EQcjAJCGY7yJRip464V5VZ2h00=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2001,6 +2047,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 5963, + "network.community_id": "1:xQpx+K3UkeF1wQfNjT+9cuVvkHo=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2053,6 +2100,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 6138, + "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2104,6 +2152,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 6288, + "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2271,6 +2320,7 @@ "log.level": "informational", "log.offset": 6778, "network.bytes": 14804, + "network.community_id": "1:tVS/eeyng4tH7pSAcq77I2cbedw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2326,6 +2376,7 @@ "log.level": "informational", "log.offset": 6943, "network.bytes": 134781, + "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2381,6 +2432,7 @@ "log.level": "informational", "log.offset": 7109, "network.bytes": 134781, + "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2430,6 +2482,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7275, + "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.ingress.interface.name": "outside", @@ -2478,6 +2531,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7417, + "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.ingress.interface.name": "outside", @@ -2528,6 +2582,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 7559, + "network.community_id": "1:BouUIZD+TqJZdYklL1aMrJfnbQ0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2581,6 +2636,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7710, + "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2635,6 +2691,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 7884, + "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2691,6 +2748,7 @@ "log.level": "informational", "log.offset": 8058, "network.bytes": 11420, + "network.community_id": "1:kugTIYv6tVeitQAN8XRNgUPvZiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2745,6 +2803,7 @@ "log.level": "informational", "log.offset": 8223, "network.bytes": 1416, + "network.community_id": "1:n1IQHcbrWLb1u8dflqz8hfEElA0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3180,6 +3239,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 9335, + "network.community_id": "1:buRYH8vRkdq5apZqKHNDfmztnUo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3281,6 +3341,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 9599, + "network.community_id": "1:XKWgpeop6LmXORBjS+D+pjammJ4=", "network.iana_number": 1, "network.transport": "icmp", "observer.ingress.interface.name": "inside", @@ -3334,6 +3395,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 9735, + "network.community_id": "1:ZWjuP5bJeA+f0NH342ubXOWI+Lc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3396,6 +3458,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 9986, + "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outsidet", @@ -3454,6 +3517,7 @@ "log.file.path": "sample.log", "log.level": "warning", "log.offset": 10285, + "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outsidet", @@ -3623,6 +3687,7 @@ "cisco.asa.message_id": "302013", "cisco.asa.source_interface": "internet", "cisco.asa.source_username": "LOCAL\\username", + "cisco.asa.termination_user": "username", "destination.address": "1.2.3.4", "destination.geo.city_name": "Moscow", "destination.geo.continent_name": "Europe", @@ -3634,7 +3699,6 @@ "destination.geo.region_name": "Moscow", "destination.ip": "1.2.3.4", "destination.port": 80, - "destination.user.name": "username", "event.action": "firewall-rule", "event.category": [ "network" @@ -3654,6 +3718,7 @@ "log.file.path": "sample.log", "log.level": "informational", "log.offset": 10899, + "network.community_id": "1:iwVZPCmO/50L3MVqIW0tC5ED+bg=", "network.direction": "inbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3674,10 +3739,1090 @@ "source.ip": "10.2.3.4", "source.nat.ip": "1.2.3.4", "source.port": 49926, + "source.user.name": "username", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.message_id": "304001", + "destination.address": "172.17.6.211", + "destination.ip": "172.17.6.211", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 304001, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-304001: USER001@192.168.0.1(LOCAL\\USER001) Accessed URL 172.17.6.211:http://testingserver.com/somewebpage.html", + "event.outcome": "success", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11080, + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "172.17.6.211", + "192.168.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "192.168.0.1", + "source.ip": "192.168.0.1", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ], + "url.domain": "testingserver.com", + "url.extension": "html", + "url.original": "http://testingserver.com/somewebpage.html", + "url.path": "/somewebpage.html", + "url.scheme": "http" + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.connection_id": "195207391", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.mapped_destination_ip": "81.0.0.1", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "62.0.0.1", + "cisco.asa.mapped_source_port": 34534, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\USER001", + "cisco.asa.termination_user": "USER001", + "destination.address": "81.0.0.1", + "destination.as.number": 15704, + "destination.as.organization.name": "Xtra Telecom S.A.", + "destination.geo.city_name": "Madrid", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 40.4143, + "destination.geo.location.lon": -3.7016, + "destination.geo.region_iso_code": "ES-M", + "destination.geo.region_name": "Madrid", + "destination.ip": "81.0.0.1", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\USER001) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (USER001)", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11220, + "network.community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "62.0.0.1", + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "85.0.0.1", + "source.as.number": 3303, + "source.as.organization.name": "Bluewin", + "source.geo.city_name": "Kolliken", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "CH", + "source.geo.country_name": "Switzerland", + "source.geo.location.lat": 47.3388, + "source.geo.location.lon": 8.0264, + "source.geo.region_iso_code": "CH-AG", + "source.geo.region_name": "Aargau", + "source.ip": "85.0.0.1", + "source.nat.ip": "62.0.0.1", + "source.nat.port": "34534", + "source.port": 12312, + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.connection_id": "195207391", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.mapped_destination_ip": "81.0.0.1", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "62.0.0.1", + "cisco.asa.mapped_source_port": 34534, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\user@domain.tld", + "cisco.asa.termination_user": "user@domain.tld", + "destination.address": "81.0.0.1", + "destination.as.number": 15704, + "destination.as.organization.name": "Xtra Telecom S.A.", + "destination.geo.city_name": "Madrid", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", + "destination.geo.location.lat": 40.4143, + "destination.geo.location.lon": -3.7016, + "destination.geo.region_iso_code": "ES-M", + "destination.geo.region_name": "Madrid", + "destination.ip": "81.0.0.1", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302013: Built inbound TCP connection 195207391 for OUTSIDE:85.0.0.1/12312 (62.0.0.1/34534)(LOCAL\\user@domain.tld) to OUTSIDE:81.0.0.1/443 (81.0.0.1/443) (user@domain.tld)", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11404, + "network.community_id": "1:80+NOqHrJ3D1YMNcnBpJC7S6Pkg=", + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain.tld" + ], + "related.ip": [ + "62.0.0.1", + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "user@domain.tld" + ], + "service.type": "cisco", + "source.address": "85.0.0.1", + "source.as.number": 3303, + "source.as.organization.name": "Bluewin", + "source.geo.city_name": "Kolliken", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "CH", + "source.geo.country_name": "Switzerland", + "source.geo.location.lat": 47.3388, + "source.geo.location.lon": 8.0264, + "source.geo.region_iso_code": "CH-AG", + "source.geo.region_name": "Aargau", + "source.ip": "85.0.0.1", + "source.nat.ip": "62.0.0.1", + "source.nat.port": "34534", + "source.port": 12312, + "source.user.domain": "domain.tld", + "source.user.name": "user@domain.tld", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.destination_username": "LOCAL\\USER001", + "cisco.asa.icmp_code": 3, + "cisco.asa.icmp_type": 3, + "cisco.asa.mapped_source_ip": "81.0.0.1", + "cisco.asa.message_id": "302020", + "cisco.asa.source_username": "USER001", + "destination.address": "85.0.0.1", + "destination.as.number": 3303, + "destination.as.organization.name": "Bluewin", + "destination.geo.city_name": "Kolliken", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", + "destination.geo.location.lat": 47.3388, + "destination.geo.location.lon": 8.0264, + "destination.geo.region_iso_code": "CH-AG", + "destination.geo.region_name": "Aargau", + "destination.ip": "85.0.0.1", + "destination.user.name": "USER001", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\USER001) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER001) type 3 code 3", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11604, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "USER001" + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.destination_username": "LOCAL\\user@domain.tld", + "cisco.asa.icmp_code": 3, + "cisco.asa.icmp_type": 3, + "cisco.asa.mapped_source_ip": "81.0.0.1", + "cisco.asa.message_id": "302020", + "cisco.asa.source_username": "user@domain.tld", + "destination.address": "85.0.0.1", + "destination.as.number": 3303, + "destination.as.organization.name": "Bluewin", + "destination.geo.city_name": "Kolliken", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", + "destination.geo.location.lat": 47.3388, + "destination.geo.location.lon": 8.0264, + "destination.geo.region_iso_code": "CH-AG", + "destination.geo.region_name": "Aargau", + "destination.ip": "85.0.0.1", + "destination.user.domain": "domain.tld", + "destination.user.name": "user@domain.tld", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(LOCAL\\user@domain.tld) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (user@domain.tld) type 3 code 3", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11765, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain.tld" + ], + "related.ip": [ + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "user@domain.tld" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.user.domain": "domain.tld", + "source.user.name": "user@domain.tld", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "user@domain.tld" + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.destination_username": "AD\\USER002", + "cisco.asa.icmp_code": 3, + "cisco.asa.icmp_type": 3, + "cisco.asa.mapped_source_ip": "81.0.0.1", + "cisco.asa.message_id": "302020", + "cisco.asa.source_username": "USER002", + "destination.address": "85.0.0.1", + "destination.as.number": 3303, + "destination.as.organization.name": "Bluewin", + "destination.geo.city_name": "Kolliken", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", + "destination.geo.location.lat": 47.3388, + "destination.geo.location.lon": 8.0264, + "destination.geo.region_iso_code": "CH-AG", + "destination.geo.region_name": "Aargau", + "destination.ip": "85.0.0.1", + "destination.user.domain": "AD", + "destination.user.name": "USER002", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302020, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-5-302020: Built inbound ICMP connection for faddr 85.0.0.1/0(AD\\USER002) gaddr 81.0.0.1/0 laddr 81.0.0.1/0 (USER002) type 3 code 3", + "event.severity": 5, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "notification", + "log.offset": 11942, + "network.direction": "inbound", + "network.protocol": "icmp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "AD" + ], + "related.ip": [ + "81.0.0.1", + "85.0.0.1" + ], + "related.user": [ + "USER002" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.user.name": "USER002", + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "USER002" + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "305012", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\USER001", + "destination.address": "75.0.0.1", + "destination.as.number": 7018, + "destination.as.organization.name": "AT&T Services, Inc.", + "destination.geo.city_name": "Carson City", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 39.1507, + "destination.geo.location.lon": -119.7459, + "destination.geo.region_iso_code": "US-NV", + "destination.geo.region_name": "Nevada", + "destination.ip": "75.0.0.1", + "destination.port": 18449, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 305012, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2021-01-15T19:12:37.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:192.168.0.1/59677(LOCAL\\USER001) to OUTSIDE:75.0.0.1/18449 duration 0:00:00", + "event.severity": 6, + "event.start": "2021-01-15T21:12:37.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12100, + "network.community_id": "1:kOYfvYjW0lZrPxD+ArQ6vDYnS7g=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "192.168.0.1", + "75.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "192.168.0.1", + "source.ip": "192.168.0.1", + "source.port": 59677, + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.icmp_code": 0, + "cisco.asa.icmp_type": 134, + "cisco.asa.mapped_source_ip": "fe80::2205:baff:fe9d:f637", + "cisco.asa.message_id": "302021", + "destination.address": "ff02::1", + "destination.ip": "ff02::1", + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302021, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::2205:baff:fe9d:f637/0 laddr fe80::2205:baff:fe9d:f637/0 type 134 code 0", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12259, + "network.community_id": "1:bHWN9qumWIGMl/MbjgS2bQi/Jsw=", + "network.iana_number": 1, + "network.transport": "icmp", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "fe80::2205:baff:fe9d:f637", + "ff02::1" + ], + "service.type": "cisco", + "source.address": "fe80::2205:baff:fe9d:f637", + "source.ip": "fe80::2205:baff:fe9d:f637", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "251933191", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.mapped_destination_ip": "2a03:2880:f253:cb:face:b00c:0:43fe", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "fe00::fede:bbe1", + "cisco.asa.mapped_source_port": 62477, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.termination_user": "soc@danskecommodities.com", + "destination.address": "2a03:2880:f253:cb:face:b00c:0:43fe", + "destination.as.number": 32934, + "destination.as.organization.name": "Facebook, Inc.", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IE", + "destination.geo.country_name": "Ireland", + "destination.geo.location.lat": 53.0, + "destination.geo.location.lon": -8.0, + "destination.ip": "2a03:2880:f253:cb:face:b00c:0:43fe", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built inbound TCP connection 251933191 for OUTSIDE:fe00::fede:bbe1/62477 (fe00::fede:bbe1/62477) to OUTSIDE:2a03:2880:f253:cb:face:b00c:0:43fe/443 (2a03:2880:f253:cb:face:b00c:0:43fe/443) (soc@danskecommodities.com)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12425, + "network.community_id": "1:lOTrEnVpsUc4jukAUBxF/BkD8jE=", + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "2a03:2880:f253:cb:face:b00c:0:43fe", + "fe00::fede:bbe1" + ], + "service.type": "cisco", + "source.address": "fe00::fede:bbe1", + "source.ip": "fe00::fede:bbe1", + "source.port": 62477, + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "305012", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "destination.address": "181.0.0.1", + "destination.as.number": 7303, + "destination.as.organization.name": "Telecom Argentina S.A.", + "destination.geo.continent_name": "South America", + "destination.geo.country_iso_code": "AR", + "destination.geo.country_name": "Argentina", + "destination.geo.location.lat": -34.6033, + "destination.geo.location.lon": -58.3817, + "destination.ip": "181.0.0.1", + "destination.port": 50120, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 305012, + "event.dataset": "cisco.asa", + "event.duration": 125000000000, + "event.end": "2021-01-15T19:12:37.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:181.0.0.1/50120 duration 0:02:05", + "event.severity": 6, + "event.start": "2021-01-15T21:10:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12678, + "network.community_id": "1:R7zADbxzUGXOH0O/Hzma4ba6iHU=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "181.0.0.1", + "81.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.port": 50120, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "261246338", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.message_id": "302014", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "cisco.asa.termination_initiator": "OUTSIDE", + "cisco.asa.termination_user": "domain\\USER001", + "destination.address": "40.0.0.1", + "destination.as.number": 4249, + "destination.as.organization.name": "Eli Lilly and Company", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "40.0.0.1", + "destination.port": 443, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302014, + "event.dataset": "cisco.asa", + "event.duration": 125000000000, + "event.end": "2021-01-15T19:12:37.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302014: Teardown TCP connection 261246338 for OUTSIDE:81.0.0.1/50120(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 duration 0:02:05 bytes 9610 TCP FINs from OUTSIDE (domain\\USER001)", + "event.reason": "TCP FINs", + "event.severity": 6, + "event.start": "2021-01-15T21:10:32.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 12842, + "network.bytes": 9610, + "network.community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "40.0.0.1", + "81.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.port": 50120, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "261311655", + "cisco.asa.destination_interface": "INSIDE", + "cisco.asa.mapped_destination_ip": "192.168.0.1", + "cisco.asa.mapped_destination_port": 53, + "cisco.asa.mapped_source_ip": "82.0.0.1", + "cisco.asa.mapped_source_port": 63790, + "cisco.asa.message_id": "302015", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "cisco.asa.termination_user": "domain\\USER001", + "destination.address": "192.168.0.1", + "destination.ip": "192.168.0.1", + "destination.port": 53, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302015, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302015: Built inbound UDP connection 261311655 for OUTSIDE:81.0.0.1/63790 (82.0.0.1/63790)(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 (192.168.0.1/53) (domain\\USER001)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 13053, + "network.community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=", + "network.direction": "inbound", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "INSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "192.168.0.1", + "81.0.0.1", + "82.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.nat.ip": "82.0.0.1", + "source.port": 63790, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "261311655", + "cisco.asa.destination_interface": "INSIDE", + "cisco.asa.message_id": "302016", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "cisco.asa.termination_user": "domain\\USER001", + "destination.address": "192.168.0.1", + "destination.ip": "192.168.0.1", + "destination.port": 53, + "event.action": "flow-expiration", + "event.category": [ + "network" + ], + "event.code": 302016, + "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2021-01-15T19:12:37.000-02:00", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302016: Teardown UDP connection 261311655 for OUTSIDE:81.0.0.1/63790(LOCAL\\domain\\USER001) to INSIDE:192.168.0.1/53 duration 0:00:00 bytes 139 (domain\\USER001)", + "event.severity": 6, + "event.start": "2021-01-15T21:12:37.000Z", + "event.timezone": "-02:00", + "event.type": [ + "connection", + "end" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 13254, + "network.bytes": 139, + "network.community_id": "1:BIxqdLncXeXXZrNudh3yrj2zmZc=", + "network.iana_number": 17, + "network.transport": "udp", + "observer.egress.interface.name": "INSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "192.168.0.1", + "81.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.port": 63790, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-01-15T19:12:37.000-02:00", + "cisco.asa.connection_id": "261246338", + "cisco.asa.destination_interface": "OUTSIDE", + "cisco.asa.mapped_destination_ip": "40.0.0.1", + "cisco.asa.mapped_destination_port": 443, + "cisco.asa.mapped_source_ip": "82.0.0.1", + "cisco.asa.mapped_source_port": 50120, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "OUTSIDE", + "cisco.asa.source_username": "LOCAL\\domain\\USER001", + "cisco.asa.termination_user": "domain\\USER001", + "destination.address": "40.0.0.1", + "destination.as.number": 4249, + "destination.as.organization.name": "Eli Lilly and Company", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "40.0.0.1", + "destination.port": 443, + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built inbound TCP connection 261246338 for OUTSIDE:81.0.0.1/50120 (82.0.0.1/50120)(LOCAL\\domain\\USER001) to OUTSIDE:40.0.0.1/443 (40.0.0.1/443) (domain\\USER001)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 13443, + "network.community_id": "1:Wki7xXtyiCACPfXpHuQV+NLf33o=", + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "OUTSIDE", + "observer.ingress.interface.name": "OUTSIDE", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.hosts": [ + "domain" + ], + "related.ip": [ + "40.0.0.1", + "81.0.0.1", + "82.0.0.1" + ], + "related.user": [ + "USER001" + ], + "service.type": "cisco", + "source.address": "81.0.0.1", + "source.as.number": 15704, + "source.as.organization.name": "Xtra Telecom S.A.", + "source.geo.city_name": "Madrid", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", + "source.geo.location.lat": 40.4143, + "source.geo.location.lon": -3.7016, + "source.geo.region_iso_code": "ES-M", + "source.geo.region_name": "Madrid", + "source.ip": "81.0.0.1", + "source.nat.ip": "82.0.0.1", + "source.port": 50120, + "source.user.domain": "domain", + "source.user.name": "USER001", + "tags": [ + "cisco-asa", + "forwarded" + ] + }, + { + "@timestamp": "2021-07-29T08:35:29.000-02:00", + "cisco.asa.message_id": "602304", + "cisco.asa.tunnel_type": "LAN-to-LAN", + "destination.address": "12.12.12.12", + "destination.as.number": 32328, + "destination.as.organization.name": "Alascom, Inc.", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 37.751, + "destination.geo.location.lon": -97.822, + "destination.ip": "12.12.12.12", + "event.action": "deleted", + "event.category": [ + "network" + ], + "event.code": 602304, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0xABCXYZ) between 12.12.12.12 and 12.12.12.12 (user= 12.12.12.12) has been deleted.", + "event.outcome": "success", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "allowed", + "deletion", + "info", + "user" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 13641, + "network.direction": "outbound", + "network.type": "ipsec", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "12.12.12.12" + ], + "related.user": [ + "12.12.12.12" + ], + "service.type": "cisco", + "source.address": "12.12.12.12", + "source.as.number": 32328, + "source.as.organization.name": "Alascom, Inc.", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", + "source.geo.location.lat": 37.751, + "source.geo.location.lon": -97.822, + "source.ip": "12.12.12.12", "tags": [ "cisco-asa", "forwarded" ], - "user.name": "username" + "user.name": "12.12.12.12" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index b7ffbc2b460..a1e5fe24bef 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded zlib format compressed contents of module/cisco. func AssetCisco() string { - return "eJzs/W1zGzmSII6/30+B64j/2e5Q09Pubu9N3+5eaCX1tG5st9ay3fu/mIgKEAWSGKOAMoAixf70v0AC9cAqFElRQEneHb9w2BKZyEwAiXzO79Bnuv0ZEaaJ/CeEDDOc/owu/H9zqolipWFS/Iz+7Z8QQuitzCtO0UIqtMIi50ws3ceRoGYj1WeU0zUjFHG51LN/QmjBKM/1z/8E37Z/vkMCF9SvOcNF2fwGIbMt6c9oqWTV/aminGJNf0ZzanDn5zld4IqbDJb4GS0w13Tn1wPs6z8dKkqsdEvE+dubBvP6T01BF0BNhGEF1QYXZSawkJoSKXK988maqBwb2vvFHgTtnw8r2sJHTKCrUpIV6izUYhlEjq6pMJldPmN5EKnPdLuRqv+7A3idI13N0fUlkgtkVtQtc4ZyWlKRW1ZK4X4GixzAMaeGErtSPPws3yzwGr8C8w1W1C9F82Mxiso0i1TLsmaNA7gQKQQlRqpsWcXG5i8fW3yadZD2e8jEQqoCWwDIwL04gCpcWkAzfP5PO2oCYaXw1uIJCwDWt1YiYENzi1kk9NcVF1ThOePMMBomYcGxMVTQBxBRI95briakwJwRJivtLtABnDXBYtZZPB7fL9tfW6xxfaE7fMewPJpTx25mmP3NGchUeoeLklMgSZeUsAUjKGcK9mgL2B9DGuEUh4maSxn43QGi/t19Ca0xryhiC0+CoDlaME7RBmsESyKpkJBHcd8DyCyA8KHhUizvh+eFrISxbAegDY5MINwy8T7IlUoSqnV8BBvADZK7B4SJJafunBx9nhuksVlFRzhniwVV9iTXjGRRkW/ub9ZI+Og0tDLCnQ+pUC5JVVBhdPPGPYwWIouyMlTNJn9/zpBmBeNYgUSUJeJ0TXnvHTxD88qgSrAv7h4XFTfMypvmYxrZB5+JteTrgw9+Qy29M1QJzDNWBkkd/PgIKmuY6PqmJrbempXUR28EJoat+/rjA2Thted7peA2UJGXkgmDmEZuqeNkYIOfV/4znOdqXNSc+oBy3lgXTBiqFpjQnSfevvL346y9O7Oc6VJqFvftvMCGLqVif+D6+bRr7T6M37ytL/E3ltHfXNgd/OYAyjWPLeFToY4bxgcUgBR0iUUxc7I5uk1QH/YGPJpjTXN7eLSsFKEIi9wCMkw4Blwf0ho9O2YFJmmUXsx5w/O35xeouV9HIkZGhMajIUa4rPKMSTKJ4toVCte/XcBZbRRS+wM41RotlCyOMBJa5PVKKpMlIeHWgu5+KAEhO1euxPZaTCdRavzjCQ1PAcupMMxsZ0X+UzwS3l7+hFZYrwLb8BAc9Qp/H/HQ/Hr+fXQsF4Dlq59eR8Xz1U+vT8QU3mysyIqtvck13aEFC9GvneQVDBA3zXmu13Qk9jwr93NI7KMh8XmfjorU9yE6JcZg8tkapJhxPcNlyRnB8dWrDmDnfu2gfnVXcskMulGANqs9xIe0hSAB8F+aZwU48eMRcYPNquYzvaOkMnjOwRDKOUdmhQ24iOr1vbbo7e35NkDkCdRZlbS2ouLuj4WMClpIta21tf7pop6CIz3lIfx1pUvvAhn3iT1Y+6zxdh6QzYoKhIXfGWvDPnxbplWKSgymSYRnhCol1WRO4dptAKseJZIcfvB3RmQe8fqCtwXwsHD9p+dMLHe0jOMxNStFsclWlTBMLGearqliZhtR9nuISFFdcVPLf7cususiRZdMG6rGHwB0AU549EZuvrtQzDCC+f0IY4LA85YpWlqjJq2nr5E4LZV2i9zaJyJufzAR2kysqTZs6SNLCpPPEP/QujoU0hjDHmLuETG34Gq060X6gr7HfXD5WfXmNAp0VRRYxbwZDmBNhawMkQWtvXxxkVe0oDmLrA+9p0QWBRU5wIXwnqJa8rWLiXWjf1sEIh/eqONcl2OUxD7/LB+efn+c7DMVfyuoyDPDivBluH/+xO9WLehL1AUTmLM/aG7ZTrjUB7Wc0VNvsDLJ8bUaZxNdPUEfYyK3SrlUUT3yl00crYEPALVTkwtsyAr+M9Qpd3WcNiD39vrD+ytk7BEih8yC3pb4L8Uk8A3TpnZz7mDWl6SdK1GJex4lQ8kKglipUW/WeRj2XwubC2YUzfahe5oBEvJ9w1oea3R9+Uwf4OHXteWek/uRjs7Merkj+GmfWSzyjDNBZ1gtXRg87jt48eYaNaD77LzgssrRByexr3+78JqsMz0hp/AAi+dlluOdtEb00ONw1UZzJXeaaidY+k8DHrpETN3FIZyIuWfdXyBJEmS7z6S8PUe/MEU3mPP92ZTNYaNa4+UgV3F89/ayAXauwcTDRt6xzagKbkuTzFEtFuzuSDT8W/Yz0lTrvhq5F8ff4OeY+/UQXhiq0P/PInwsohC4zJqoeAzO3bpgaBtpr7W9BZcbtNd6bnMomyBqXNwuO9HZhyCoKk4z+88YSL3rJJueE0K1RhdSGCW5k8x2sa5iZK1fts+D29vdSlOVAlcL1+HFnK7mw+COnUdh2N3oydDshujvgWuBy5LmWX1lygCevR8eFDBGYaHde+B5d31TO1fvgYs1+o7m2t6c95NwHrU5w9ja9y2A7SCl7QRMRp1APUx25EvkjdxNALnPbnaxeqwt7WJ/7L528U6xuV2cDu6wt5Eg7y+OHgCqmcsjtNKiLgd4iebSCGosposFIzP0mwCZs6Zq+x2XmzNk/+qBK2ROFTb0DK3YcmUfG/i4/c8xZBHn+t/GoMyHEbbN8zdO2S+tyf0zWjNV6TP/mT59Rsm/Y3GGqCF76fGploEyiROp+ejTORu9B8jC8KbvxYSRooQilwAWkKZzPA7XF29vxotWdhYcxC5OX9CCOpbXI3SmESufbt511kY7a4d0AVxmihKpehUgBxF5gIaPtWZLQXN0eX6D+osHWdnai1nYXkyJrl8e2eU7NiWXy6WzGO015pJgjnCVM2N/s4+cmvz+I3gkDfd9JdvnsGU85MDASeGMCoN0BRrwouJ825wesZeKUrE143RJZ5Lf8wyfuBfgasWgWep2eatfkhUWy1pD9/qm5LkrGjmOCEE3T5AIQTeHiZhXSpuZnP+dkr4US3cpao+KWxbEPuCBNlgJJpZ7L7TDmE1zbLrYWiUAXV+ehK7PRM5UP0aQVPb49GeHLKCvKRVHYCvFgi0rRfPHQbhdv4P7YbTxevk4+OI1VXhJH8ToR0O+w+wAHZhzuem4I/ec8KLi2LA1zYisxHTCxEiDOSJ1sVQH9xUzGmkmiIvBemkDRX9WNa8jghSr/QQaqoquy2MS0s7Pz5uaZvCHKPqlArNq2UVoH94bOl+XYubqdO/lp3moHvk7nVsFwRXwAhWNW2dOrWWpkZH/1MfXuaUXpovNw93SvzBFS7mhqjYML+mCCk2fiK/6lw+XX5ev2iL8D1/1P3zV//BVf9W+avRRU3R1cet/NRPYzFj5Dxf2iS7sEDufsG+7Qbfz+3scgX/4vQ/jtHss+nz+h1f8H17xf3jFdxY86BXXlFSDhHy3XtCB1S7YW+493nhNH5h76+Giq/EKpf8invmUKN7XM7/XrE6F6H9bs5pJHdWsvv7t9oi+eU3YAgyPjLN76ApHKuBWq3FmjYW+9/IuMIEE/PuazrdXF/fbqHohZCTarBhZuXfJm/mKLqjS6HknLfoM3b57e3OGbv//t2dQZqhlD+xCKrN6MUPnLXDXjQthtMIq9w3v1ozQM4RRqaSRRPIzBK+Hq5xEctF/5qxdtdWGFkjLhbFAZujaoJwKaeiO3eUfV4Ir3fDefbWvGjgyZ4OD6OvOZ41pPOvdHrmmaqOYscJBVXRwXoebdHpDyO4RGraa2ayocrfL6w5ohTWaUyqQnGuqdnoMNWb7TkLlIWKGl28vKeN3C7AWeFdLHF99bP39bS8L3e9etW+Fe2TgfrDm8We6teZzpV14keDSVJ7/Cm+aiwNmNpEF1ZZoSMftgUbojVyiS2p1CRUmxMEalM6cSs5u601LWmTAHuHE3Pcs13VzLgNharlATGiDhanR0EEcAzUxxyB4qGLmQyeaaZdA2Hhximt3pnPyY/SOmt+ZEfYZ8Ls/GxyNhli9khXPkaBreDmbc1dipSl6Sw22qGHXW6Vd6vkbudQvbzD5TI1+MQB/CV2G+PasicJi9J46YeFOuOigOQsycmjuHcfJQ93lLmmpKAEb1WKS0wUT0AiJA1qu7r3AZRirQi+HtWYxT6Df47f+nl9ffu97NjrHWm0L1fVFmECehNsvNdgIoA4quP1pgc/Z7SixMoxUHCv4vt/Y2ejJGIA+6aSETsYA8vhJGd2S9bR78uofe7J/TwJVHZE25GHXV87/ngEh/W15Mtit8SlCLzlqijrd9yniZtmW6v4/DDNtsKEF7aUAPBHkIMkuIxwPmq08CfSoMIOy+ieB2CrQuuNJIMbEaYil1ZhqyfF0T1pO8SnSIy3bFtQFaWLZUCN6TcjODLRftNgM9JCBkvAwK6KnhwygH7Aixrk4cExOwkXR8aoE2efYNSAzEvtQgIP3Zh+ZQq2uBmGemv66E+OuUXshBbGPAzbyqVu2I+JmzdKKwy53L+wybFE3p/MH8o1cuhBPnURUiZwqcJZSL6gGpC/YHc2RppBbuPPl3TX0uMFSb8IA9oMNlmYTBqDvtSlDT2B8/9JpB3NA1z14cj8eDLIYkpzLX6U2XRHJ+yeynmbif6lDx6bjQ/p6+DvopH8Md/e33+8y9vpm/WNTqTJ23fvMHVBv5NfK3HW/Q2l09r7+78veQaA/iWzoywXnSOt6y3KE0ZKtqWicZF+vImCCM8oe3wLJn6Ly93VENEYdGrLcZop+SbDX3eAhbDDQ7asqr9zS6AYu0pn3ZhuMPmxLishggApYIZSZFVXo47Uw379GUqFfuMTmh1ft5AgfIIOamWETwSHdp6i7XzHdEAZNZ3xG8C8Ecw8nsY7rlb96B4NUG6wGNcjRtI6OROuQ3eXk9c2nHX0PQ5Vmf0tRndviHlGPNlQ40J35GVAeptiSQbmL+86utnKAD6n0rz2JEdc3n14HWBDOyUERWNBgNORyjNenPahDxfHU12dFcU7VJLHrX2EpdH35kCipw7cbLAUwp8VKn7STjZMsuZ8N14rWdatowUWxpsuF5Bwmx32NAthy7xFybuyZYxoRx7p6QmVHUX0j+2oL2sPoJ2jxFWT+VFTVQmpIdiukQPPtYNNQnblsAWpWlHzr98l+2LXcxWSFNMspev4nZFaqQq9++ukFFEBr6jsPF32/1y4nnoTyegQndCmFpulYQb6aU+EK4WufQlXMndCDseJBCOg5nss17TCDiWBmZS3etFEUF6P3h3w1x+aRWUVzVvX1tBiM+iakOTaOBbZAzPytevWn7/+snUh/WYIArZH+24Cav1l78A3eUoVeoStBcKkr32XWmpT3kush6A8MfgRyK0Or/PAK/asl9wz98AP6V0SkgsYusE1u0TP0P7n53/aDTKNdpnwT3EIh80Cd9hOxdcWGZgRzPsfkc1oN2CFXFwxg4yeHMt2Oi/E9dIKIwuHIYExLan0QBihiDhgDptpIZTVrsXVah/3FGnPmxjigEFLI9dG2LwyngDwMQjgueXH3Rgwgx4gF+uuwJ2w0sgtbLnH+VN45jw7S7A+KCmrUsLE7gpHP/Q+DLeye+1oI22cfm1ajdeOX7LbN0K9yY7dmaHMygaSyxpiR6DOl5QGmPYkX7ythmpshn61ZnuWpoq5NR/QlFVCorKGsqnJ2tLcL10yZCnNrtO/43kXAxeGHlLvau3YSvr/q15dIWWmtwaECTMNqSU3zsYOc0CpR0tOjc6Juk7CPEypJKGgo+Nv5Tu9pIQ1Ft/681x2h5tsxQYmgwYsLxHwFgRe/UqZLzlJmNjxpc16zgdr/JHQzK3MTnne4dfYNqMs0/amrrRb/hPzXiDA68bJgg5FqE8ToYWCrVOjm4vzG676+KJcVbihI4In86tIgqqfh/vCdMcAQH7YYRM6VumvKV+1XWoPd6Tlgmc/Qq59eow3wvaBYwGyaoK8AnPqgJrX+I7ShynV6RNBZBWuDpOiVi+wy8dHVxK+biYG7miJs63n3u1Q5MM41hyArIblcbvuBuAVTAy0WoZ8QWWGFiXFMtJd6C/iD01ygSvicHr7jMx+tqI1d0O0C9SmDCHtil2BRFG42bx1GUHgzKtNAsvbUSkxAY3UxCj9dGklCoJMpQNQGixyrHAmpCjcDMGDLqyLIn9xnOZzMIlnNB0/SvZjUYt0g85KzBQWKAwa+pkSKfETBbrc70yaln2UPQUwQWZScmuABGHWiYlDgjWI9MdipN1PmkQ7yrV07eJzHjvLuyRw9foUUZhVpm9r61Fg5L22WU/5IjL8SeQq2W5B/SJG628IesWhXr1VMl177oc/hgYhKdqPPkaF3xl8+tKZKd8op8n15YIH9fehh21Ici8y2TI9IldPgENo4p9gn2fhnSjcr1jpGnWnTfLAbXx++VkoWM4BaQVG+JlRgxaRT64uKG/adYVQhXJa8rn5pe9kUWOBlqDQXIQ7hnZ22PnUPL8TMM43kRrjImMFF2fcMeoyh5amSw+QjZjQiK2atG5lTPUNvK23ATOoCdQMLR/JysaEnbtJeAbZYWLzXdApNCDa5XtDxDlpBUUHcgcACpuuuWW41GzgPYUF2WwuyDz3mhYm8K5majMJ2P10s6M6eRGb4tu57ZSToaxYp1w9zr2804qaPunDOrDRu5NlssGSTTiar2BKoGChyD4XY8D/2VQEN8ktFq8mOkj3d7hS18nGDNQIk8pFzA8h9H5upEZWCHYYmkGnLwiR4fZdFClxhFG58oCm05zKmKNoF+io61AS6UucVeRwTsmc+Bt+YwXN5rzfnVLF5SK6dEixoH4heN4TYjiBMBkp8DMVaVzx12GnEipKVIbKgLx0OjfECWdmDBpjIngvHgh0DcuSA0DUddCCejLB6dV8E2Ins7HP5pC1eHPQOdK90U+lioUHcqaSELVhr+IS1W989f+RMeV05fTZTYAMaFyPL24KJ2kWV+yBLEG9vNk+1CZ92rfSuJSgV+u3Wp8YyXScE9P1qyPeF7c2sQDtVkrqUmkUUHEedLTCnRe46TEEqf313R7vwVNwMe5Q/ligSVUEVI/eVRUHaJqhi20NYt5KtuRlOLLn7PSBtTUUulU+Y3UuZnP/9EbrX1KHdQCf5LmLpa8EH7LYSdD9iTtKn7FX3zfBC+qp/L2a8l2uFm9xiIQ3CMJnDIhlOoOVymdWJKo8i1OuDeG+hPkXPlB3Z9xdIt4Ku1btDPbtYlZIzsk19e/bIhRtAwDfXFnw7IpeD860SM/B9xSkgFhanUhh6l1pjbRC6Fs5f1/ZDxXmu7V/wqMJAQ0Ao1ADmwOPsZsFm/aG0CWTBWOCyHjzb9ArBxig2rwztSIhhjr4fY2u19e7zFxYduuwPbXu41eIGGk9/c8AQ7OcX+enKHf0tYNw2syvqhoO6zflSa6pm6Ja2UyJmeEmhlbfPdF9IVeMwgF2DcXo7cVMm3Pc7fSukQnMlN/Z39U+9runMrtF+0tf5DVYmtpuuARzbo+LvVH9a9XR3qplInfBKyZL6gGKqt/hcIMypMk12kWoX9T9z4S0vPjpNACAJKaAw50hI8Z2iJQVLZl/2A5gNUz459Yjdxl4xzRjal8xF2Orwz4CyDTMrryw7WY8uYcE5VJsIJMV3S2n/veclcCNqAopjQrpxJxj4EhCwSMoFstLBMKpn6LaVKf3BBt3KqjQYX7hyvkpbI8aVjLpkm9yLX894jAivtKkPpP/PYJvgK0zbnfQ10d6/YRVf+O24CjS59uNuWNiid22Z0illzw4ZXhbLS8ACYa0lYeAvtbsRtCdhw96wz/RnhFG52mpGMEc505/PUKlgJgpMb3sWVpSxwqfUXt7zoXd1NgoX1MDIfqyhi5eGRg6uFwGRRWGlmNwJ2g9La3YG0aHh0+Teg8fS+Dp7mOBhcuKbyKKshncwwbZhtGEilxufT0ukILQ0Z00mxSgzBmQuKs636EuFuXN+5rLATHipIToLcTnydHW9nrHUpT2kW5XwDROfae5rgepEdKzBO+UNFPubbxrUZizft3F80BUiqajrTnZybok+AjV6v90+Fl6/ld7zim6H7XqaoLObR5doNMKIi9WvCdi6879f0/4hsqa9YDz9HW9I/gVWa66xonlFKKojRzTsbtNUMcyzwGua7BG5hSVrtbn/PnYeQPvCjPoFKPmsT2o5EMNj7Fe3D90K61VzQ61aGKgyrMjKZf7WNTZNmeFFDanXIswS0iwz04rYbzX/H1aaIivPBWKQc1cJwilW9kfQCK9FzRcQtkPwXGHn4eiDE36DyZZP/MUispjXI4zlYufB8mWj6h6vF8zYndrT19VGAIFxj980AdLAlbhwq7uejOOeUmfBJXeNN+xzXubrS/TOSZrnvnEDctP2OqNHX4T1aueAfgxffsf9fH0JLPUlb42YGHoPdiNyLg3QkTBzh8jKgg3TYSN1rbcpe9nvRnV9gbZTF/b6sUfmUSe+dBftcOLry4OabCz/3AFN1iL2SuStRjtDF64+0/c75e4X+7VZQFDtfuL7b7w7bl6ZpnJTmuYxqgSn2nFGugdlI9EaK4bnfFAF6JoyMIFKjkcEgaZCJ+2PsrOhXVXVrTyzkspqGHV9IbP7fPvy+qavQyPfMtZ5FMbqsk8cKHh0LWQbaXFIomth0C1bCgzCYuSIllKlbF77bCC/7CG9qXU3CV0d4Z8Wke68b3vKchk4OO9++4CYILzKqRVnfpCt/foMPb+qBxjfOIeIAwvSexb2i0BkbvLYJjin2qcljBnTn63KfQJe9yjF67gx3/mn4T3Tn/eEXI1iyyVV6UbYhVn2qRsL8Di4Ec2K6pXkuT09zlYfmTS6E3qfwLMwjL17qfz8vdMxXjTNOK4vw2UkR0fniSzKbOK8K9gVn3sFY1ydf09X8+8sOlJAferCzebOKzJmpXm19JGyxrqYN9JSKug8YOV6jd/IlDg/iPxRFMBhV/0FzD53D5ElYqQ18nMrRDF6i0ndTzms3FoRNKkdI8V3tYKq9kshZ2tGH2qtKNbRc4O1waaKpTg3/ijM+KOZHXbxubxDLH85/n7Zl7WaAkOL0cdB42N3FywW4atbv2OJp+8NDvnlcO7eKc8ZE7KKFePs1JHoZfQ7ZSVpTKfDwCP7Y2TAqTsz7hyJc86t3EO6IoRqvag4urLrIyJzqu2RqJv9hi0LJnJ6F5kBnGlzmub5QNkCC4Mppmok5lRBfLPAinHI4Al48Fz8XSwRBiZ+Z78bpEwkOIdy7poLPZJG7FdHz5t8zpIqXfqiWydhBizzKkKbEF93eHoxUmTo3FzD9zh1QolTvpokL++rcp+2v8RMaJRTgxkPOBnmsjKd742QJvnkuZm1xxY3eWyAx/hDamhR8mTZPOcopwvsQ0C+82Udw/fZmlYrXlPF8RYKuYz0jyt6HriR9hdgdftv00VdBe589dowU0FjRhQkrLUNhg2bHnpdo0axOv4dgmNjmkBWEVkU9j6lOUYXDjpinWTfUsk1y53/rO4iV1A9mgiVS3J6oPH+3rJfGG+1RtLNywurBnclJD09jqyvV08r6/8u5yf6nU4m7//KuQ/AhG9XydI1zr2EhGK387c31+h6oFB10UjWtdZXl+zHIGJhV1MNu4xqSN/HH+Zzq8PKvRMR2VzmqSu+BhV3faXD44IsLiPq0Sp+twQXMpig8rzjAvalwy6BtomHsCXLm1DOiBOviG01DsrAI7z88ZS8hu6ySvlM1dO9bz667jl1IAqSNe4oqbpeBJf6Naeh8ta6C9O+xI0JHCFBr3i+6xBpqivxGjOOh4EM1LjCEdRXLqhSI5MW3B06xdcfL+7mjZXCN4ByAdgBST7dQLPlbEQisiKbV3m+je6fYUUWtQ6oA7fS9LRG53u9VPEhKiYjdjnoldhlupqiIIHpbvaq67mKq5yZprKu7YvmMQoNtmsrNpwoacML+4l0WWKxObiezCq/+HSFnvtaiU8Vt7rynHEo4IA8sKu7Umr7yRfou6GjQfSjMJ+F3IgdQ0hTUkEzi/Uu9JFJmwRP4ILrp4Ve1FXu73xp0hu6xGSLPo6aa5zNFX6Mony/8A6LmUAFZmKhcEH3pmOUWMHU3vR9EnaUyxtYFr2TuUuObtsCdrLOAkihA9oXpApYRqSykHb7xr2jG/RrJcCUfCtzytFzJtazb88Qk+QMze1f1P6FBeZbzfTs23B80ZAyW3A8mJwfW4fa1fAvbhAsCr4ukJPbeviVXOxt1GBkUkzdT+cez7oNgqbKHuQgQusirtztYfbp7e9YUfTBJQB/++2nt7+fv7/69luXc7vGCrPRM7mR6nPMkuWDF+z3esFuhG3UCYZFbCXC1+zE7VLSPAeY2Odim8CEWUhFhWYkpgDpuJISYFzE94IE4gOxgGYbzIbDiR/sHYDe57GB2usTu0RdV/NEl8LMc21U7Mp3qNdO5hDrvqXR3tG65iOdk/TUYpd2MNhApfHFJm3di693sSAWbNTRVJOazBF7KqnBbkQBMvvlPWGhfHI/wfs7LizyXv9/P1y1VZnd5L9HOWJ5x0fvEdmL5KMcjjqOuw8/KSdI2trZ2Y5d+tw0Ge11lh30yXwBbrfByT0cma5bVrMp4mFQ9LXAjFte181cbrzMuL7s1rZBJy5rDhq6DLQwGM8qrHOuM6sinkDPKYnXkG7tq48uZFFUou+JGmAnTmvc9FDs3tE78xca1qkb3PRpmvVDcbvFIv93GY6atbgZbNgpkuHB2A0X3kFOV7pkhMloWaJTWfCA/QYrMQw6PHXUtSjKTKYSxrfv3t6g35wftU1KDSPyZdJUgtv/eIO+VFSN9G6tuMgU7XfqTJvc0HGIbtH7uugsmNbVaOkk4kPaBSpjjxGwQMuTHEeHoJpAcOzBcPP4Axowx6pIsFsWbAL3Ai4jFiA3QKs82lTaHZhxu13tgM6x6WuFD4U7p4KsCqxilZU0cLclHowvfnD0CZNBOlUUmNkq+lkgdBG3gKoBvFhCq6UEYOX87wmgljj6JAzXcSr68YKge8ZiPzi+c1tBreoZHWmRYQKDUeKXn1jYWkQ03juA58ty/aO4M6vo7zsRGTEqy3XUvusd6BbyaZGnIwCvOY4uMURGxZKJiEWRQ9ApcqNFtsj0hhkSXX6IbMHlRuMifu5KF7Yw63TQE0RdiMiYSClOmCipKubbaAnvA9gl+ZwG+BrzFGeFlVmppJFZ/JAUQF//mIHHMT5snuxucrnM8hTMtoDj578RkRX4LjMmlttgF7A90ZwmeBQKJhIhzUQ6pEuuMz7nWeyw6A7sPyUEHr0zeAd27F6IXdixq3q7sH9KCPt1Qtj/nBD2/0oI+89pYBtZcjynKURKAz2+eSayouKgfM+3Cd7JGnj5OYFeUlScLYsyjfZttUzMl7GTkDxklkIp0fQLie8bEZl2CYkJdlArksaatIDTWJN6q6sywSxSIpqy6iSmqpHGmh70LoEIMdJYwywVbDBrkgCvBLsTWEhNSYJDuH5tuZLoUVi/lqVZUZwncKvJoswIT+DDtoATBEkArppvTXy3qIWsk0AuqyxBTIMoZhjBPEEBkc7wkgqyjZh11YUtMN/+QfN5CrzXGbQBTQLZtYNJg7VLrE0Cfb4s16/T+KB1Nmfmz0kajRGdxZ0V1wOsZHRRrZNcc4BKiYpf5aadjz/arK0OYGpWzs8f3znigIPalwS46yYfr4NcB/aCcZrChtHZIsUmskXM4uxdwCl0A52xEpIUsySijpXrH3NtykEz/0iwtSJJYHO2oCnMGA2O5oLmLFrB6C5sJtKckkLmFaeayBTc9sDZMoFskqXeYBN15n8HeiiDPApgRZdMG4Xje0Ja2Ak0PkXLVKxWyXitoRO5SiRfXWa+O+IJoBtFcZFAkXSlQKnQTqdcb1aS6cxNmI0PfYsVTnLA85FC2BiQ126+fWy4TBssos85zrWZVyrWsMAaKnWzglJAraLjGl+PrmuSY4OFyQ2L+MOuT+00sA/mEud57DvA8thh1bp1UIK3iBUZUVIWSboSWcAJzDRWZGmSI33HoxRsLj9Hb89U6vgtS1mpS8UiA+XYMFNFzz7jTNB4LXZaqDrqRJ0GLhTfxndrcem6nmYLLqM/5w3wBCn/1uaNLnUs0AQSx9rQCVCNnpvA5TLJ0RXLJBe4lCq2ACvm1TLFNSuYJinEQqGTHNgUcyAENdBcKTrc6DLcNYCOnfHnoMZOxxObTWwLJElFmXQDoKNbojK+ZiQVW2aBeVwPhrsRVMV/s8rMDeWNDjbqZOoWrBvxmuSQJSjc9DNxYgsDDza2NCgz50iKji7W2v4yI6tYdf4D0PSuZNEDASVVxVJhYQY9d2NA3iQBHP/pdZ3IPn7sTQGNAFjJZYZ1GXFgQBe0wrGhKop5Cv1OUQJ8cF1HEwGPz2QLOW4L1w5kqfIEGMd3ZOoEvmHtfMMJ8gE0jZ0I4AYeJzBONP0S/wCEGrRGg5rAlNJsmUDw6jK2l00rkuIeKJJHV6S1IqGuuBEAm3gjtrowKx29q+aaiNiFEsFpsQ8F6pp0xibfLE38Y+WAxo/oNTM9Y8PdltG7tVb5PEkeeqV4grew0lRlOYtd9Z5kbEUdGUrBBkO0wUVsb/A6Y0IbvEigGayZMinU8HUpErRuMlJVIqabNdQWLdBR9LwyEr2vBBos3WSPJByW9wlzlqMLRXNm0AVWue9mqKH9exgdNzkrIZfGJoQCGBiij6C/AZEchUp1mnwIJtJx7qooudzSwWDBg/xbyCpaU+8jz5jlofMZwbwzRZf0DhW432ihjcWKZdUfBpIcSc40DGeoV/dbDw2UkK7KUiqDho1HEdqssEHMoFLRxdhReEBa7n2GUIQY762OBgXEhO/sPtIXmjOReiJ/B1W7WhdPjYxcUrOiatZ+Xq9kNXjREBJ0TVUzjshIVGKlKXpLDYaJ4O6u4oYFz9/IpX5548peX6BLP+LrDJlVYEoRNAN+T/3oY0BboHfU/M6MoDq8z8NDnYR5CxjZ3dwiWNwRqylWZDVjggXxg5m7E/TX7olPmIUByRAvOa4EzPpdVjDHtW7iHm7g3uvXvoem9O24G5qaJtx+fvGIsW83IotY03Rc51VYFn2gdwZuxZi7YIpp1CMCqR1c9w4mVAs+MvESuucmHAcO/XM1NUjRLxXVZk/T7tOzle/fK9+pDDCWx63qJHbfI9Xkne66U/bh5DCC2NjOz6FDu/45SHnM2f+H5xvaxa4va6EAa4fPBlgN8ZJ473mE7eMyx5oil67dYIMGt6rZJf+Nx8FXNKPgG8ylcu3rg2xECGukKYVxZ3j/vCqFhcZkgvG+gw7TbmkBam97aEilYALaPqRLqgrm1I2pkG6XdIM52JpxuqSI0zXlCGvNlsJtXDuvP3z0oSXzI8pvWH/PSZ8/yqRni1kl2JeK9sck4vDl6+B7WsfE06ag1BoNy92FJFIICrkVaMPMakxQIBSoDGk0dkVPKi+6t2lh2QnypHmiuFwygjmyGIyYPoDF42IHS42MaXw83pWrrQ6j10ln28heVmvsBx5zhnW2ksltAmfENeYazFJphxpZqdgdwRPuB4DcpbHYwpvmB7EQTrGanXMtrSG+c98uIViOfvXfmKFzsW3+N4BuwJbXwiCcz4gsyspQFRbDSdz4lrB05tk3/b2AGYs7G8LM36pXf/r+z9b2vexsR82xb4Jo+3OaxY2YHeu4wVuq0D83Pjn90qMByIVvfez6n/RnXrQ475z6vftxYvLyIdn2rD8wxa4zQ+9++3BlaaeKOucJ+EtzpomiJRZka7VKr57xfi4IAg6doQ9vf0bXwvzw6gxdv7u8+s+f0cdrYV7/iJ5vVlskKDMrqhBZSe1HpUmlKDHwqe9f/5//8eJZkCPUrBLKuD4/QKbOChwex6MTn757XvNbdxava6TCVzx/Wkh3ZdMBzE9sGHf0Ax/Ct6eYttbJJ6ZMhTl6c/4uiOwfUtB0vqzTTsb/k4LOwry16H41IhQIOSw8YQue4hu8Zx+W2NANfoQR6XC6b9B5nivw07pTHkKneXpJUZ4a53xoLOT64u2Ne5VGw2MF1hNGP3acSk5T9W83ur6xqIx4vywPT5wEEYWHdu1xHtaaWOama00rIDro4jxn9sOYtwHbziz/8Ds34QGwJiFccOlv+OXuERig0uZaJ9Hrjn3SMHrnMbyRyjQieSB0cwiwwQYwsz0sefXEvHf0MLGsH5OarLdjjBc0ZDdO5cX12IHli7WWhFmV0/mNBjoOsnJZYbGks8Z0IlIs2LJSNEfzLcCkIoesobCcKU9sPTAoGh3RloOLLhL0O+ARdf9uCVd0B4CihTQ085nd8fOM4rM2FzrDmUvFTwC6NCoN8EWCI7FIUC3MU1yHVP1PygRMxXlWe+LSqeV9C97SMeuv1nUmPIIGe2VWVAlq0IdtSc/Qx/oZewMOsB/QTe0AG7wEv41pavWongmUiRHTuEba+8XPEOY8qEyU7QchwQ0rSMxbU2XfQCaMRNrAY84E+ng9KlAIJMgmk1fRRbYFKssEY98sYEV17IxeCzZBiYt7EWOnooO/PQG2brRCxqlYRp8UCThb5SOhFjqigTqVB/NOAEYgAukEC4TRL1JtsMqHc7oROl9CspdC2N74O8ilm1OzoVSEVc/IXRPvG+OWBvNuqM4hg6BlPGRGDChkwue5QlpCwYwVS37ERpjENcdiijj+EQ7KOkGk46IcELjrsmwjKWtrwS7BgN19eWJHKimBLgTreP3gjovYY2UYqThWCPpFoxqJ51d3P7+RS7lYhKe/U5KZFU2+vTvIfrALutvYwfvK4m3RPa/Migrjk8VH0dZVzM4JxyX0uCXHUf+oqRpFWFaGyGk57ZccR/i2IoRqPYIzdB4/rTnaaYkngBeyKu5Sqi0KFCYMcJtCOO3gSHs4WqkEAT5dSmHfFSu3Qsph80U0UJR2qVrH60c38m5i5LqWQs0AZzRv6PF+mJ4+zATSzFQB+YmguIB6Ee2hrrBGOJelfV3MijKF5Ea0W+YYZ/CdFLIYyauFmRyauRb10yoRVrlnIrfyRyrdMACjXxin6NwjNhuw4Rhnr2gIc3dyNGG8of9R0hVGWXDrsxbiciFEY4ARMevdH8AIl6936+s1YnNiPCF0LlNWDwSIn9MVXjNZgXZJZFEqWbCRDEU6NXJXAs85FJEt0MV+3JhYN2InIZJ9DHe0ThREYAfDqMNlTkAwsH6DX+rd7byy7X0bPXZtmWUlTL+cLbZGn0MZeEZOMeuP0oLgPV5SQRUjNUnAEEj066cWMLOCpzY02w15ZGfk+5k2ajz4WdN0StutR6Pp1X6avHrh1kpIV9A0bYxwwwqqrVx32p6iJR0NIvldiNYU4uBGQOPBB26DOvJondK7+9GO1g/H0fR9pqMNOT2aNO8wPkThgDaguBUIRwiDr5e6VwepU5PunbtoUWhTh3cuWi/VaQTIATneCJCv9zj+cHjLYo02mGbLjpOPalIJEvOOHSE/Jj2OMWkbHMZGqYcStJ6fOnrlTmVWWUHNSj5ClATveJKRQ8N/bHTDoZeSkkm9TnuiOu8l9/5ai8iec5nIE/Kfs5/+9Cf0/M3l+c0LdMm0YWJZMb2iOZTCB3HhcimT9wXaFwmDbNmFw8NvM3xwJGNMycRexX31n3ZXQxg0NwY88tGGPt/nuhBI+2/qfjuOP8ApFDPFItQmvc0UwzxWd7oeIe9xzirtVkBSIc0KxrFy4smKTXuHCLzr4fIquOea5VN2Gulmyn+0B6H2Ivb6YraXPF2dxbnYd9chrOErDTv+X+8kgt8MzoJ33NBOWUYedmVKlTIxYBCyAVZLtcSC/bEnq1qkOwrHMvsETnfP1Ai7F0wFa0kTdf35xS4Hr4Vr8eV6F+1kNf9KMTcrghVFpaK5LJjAwYK7jni6wYZRYfTB9HiOp6T2DX5UYl3rR1omOrj26jyzgqvEykAzpJbU/WJ1wmZHXtgcI1EXNKcKG5pn0ZLK9pwPK3x+qVdsgmc3Sq5Z3jQP85/DZcm9pjo4GL75j33WdnXasILTEsnyiahslvS9/sx2hMzg8FDInFwzFz1f9RX3kRZwjdIZcyj4fTVPegc6U+dLnUroZYBQp6OCxoo10kYqJ/EttIIaDKs9g0/N7KeehakvWJ5zOp2UewvrHSvnAtvbkXsnybl6PMY05N741TodhsS2js6eoZJju2X2fZYKUUHUthzz8kMq5AT25BEZdKqxLX+V2qC3mKyYGDHpcpxIcnzT5/VHAZn+paJWfFj9yDU50zP0Jscl+gT/cfpRLoWrO/3b8PFEK7ymVnPiFCv0paJqi6AHoS6l0LTWqMLFqZbeDL4zjbz0PfCIhaxY3QVSOPJdX75xPGuSJkC1PUDvfXPUYzGFKU9pHWb9M163lt5pYmRtQ//wMo1UJUTQjtVnzcvjIs+ujdRIjZ2HmHkLM/1GYLRhIpcbjXRJCVswYn9zFqoT9HmywwtiyXP4tjk36Dl0hKWCtM8QhC5fdLiFKgHv+Bu6xGSLPurdxrdNBLboF9JGz661K0xgsI+89l1TC1CBWjU4ZPZFHHC86QMQqP7fqTSFcp4h+3bJTq9Qj3Xndep1gGKgMHjQ/HdOIHaavN4xUn2Gr3e917LuCkgf7wI6pGYah10TMNjdmzYh023DYIfCDSkOFz9D2UDMkYCjFW5Ack4XTHhfPQgn6OpX4HKk6SBgd1KhWCLcWgdMT/2LLRgbn21q2n0vpZHelI0P2xhMVsXELfDbVYHhaGAddbcjyZCXORPxJohFvRuWZCgqTPt4BoRUt2wHtsW10W7L+wNTOwdYp337DmBdYlWfKfvjs5aUzYoNWqkjezusLeuS348iz0SfWeLaWki1Tbfh/6JLLP7tYMeYGpHdLuq1eh56mixb/uUlQD9A26OpRAOq6n7r+6kaPQUZFUbJ8hTRkctqPnAuHHXG/ZrW2qYHyhEAR1fdMe09vJBFicW2uY9w7WCcvrNX1lTZZyhjYiHDSgHWn1PXCB2QHz0rssZsQ9N2RV98SZUj8EvF+Rb9R4U5WzCao0uoe3bOwSAqGzrPiJSf2SMF3X+nc+TWb+1nzMe0+ejdZttweFkZULlPHGF6+K6/b5bwU3a8O9r55Gfow7Z0pLeeA8sct4Pjm6foIovaTLaHtsXBOSLUMx1qW9tHZgpXXaNc7mLnPIulVLW3H0LM79+MbHmnV07k41Tzokw7h2gPK+zKBz33NZpKykSayC5Sdh27H6jEJuyaJCLDOma0vwNY+XL6yJArxSNucwdqxF1pjNGsUrG8IR2YmqoML+PZlC3o6M/TLuio6Y+7oP2pTyBY6J2hAlSr+MaJhR/tNDeK3krRXqpMbI3KLTFFLeGOzP0Ay4J69dL/+8Kj8NL/w+c1hdz+mFMVzs7z5Dxi9NwR0w2eg8e1M2ptQE7uB6JZk4qJBVVqJO46pHsSurqK/0HWB92zEyBZ9yVedLYhcKUgrC2TXqnAEpMdvysXt7fH7gNkEKvuj/5Khwla4wM/Wbmiahp/hNXZfcbT8wsY/fgCXcD6YdSoMhM1Sxnh8wVVfvgn3cnC3NOclyYNHXcY2dlwu+gz3ekUvXen2R+neiXv3xolvNvolv0R9tawz4lkyvVfr5CgS2mY28ByhfXIBChNpm4r1NlKt/j4cEG71ckmQA0SXHpnrG6cXtffhBNSNFtOUVGx29+omXr4YXTQspUmTOsqutIJkCFZKp237mExFMCQKpXUBzrYlK70vLKLo1sITu+TTpNkSDSdwX0U+fktpHbuf4w60vM0JO8vPffgOC5CtebZOuWL3g+pekd2EJk8s0cPV9HbNOpUgNln6i3qRM0NvmnHlXQfJJCtPyIN8Tqp0PXt+V/f3qAb+06h38TI9JUW20SV1Kdg+2Ejw9iCGCIrSj7rk5zIxwnhtD3IQkPnmn6dTYswSAP1IwhbKbhHy6WKDZpCPoKS6/BouoKMGg2As8GmmmzCZxfLNeYsdwcxgERfEE7W1XqfIASOfaZb3RfbkU5+nUAaGfbKmFJnDGbQJgENW5mCIQQ/gdvElqKufJGKme2BG0VkUSTtE3ck3g4P7xAKl+BvmKK8b2nGdrFsOBaZ1o818Nau7GT4757aukYriK0rNc5KyaZIqw4h7DBAgAEgFbYGgK1khYUYNM5I3W7KrwqIjMRsJ2rb3Dwsfubh72/O3/l372Vv+eZBMVL1ff/Re7Yx/TlbS16lYsB5PcdZ+Dk3zWTsepxvJZjR6LlDQr+Abh1Q2FtP1O2BR4B0kBpeJZJmbzyuHwUzPl1gtlt0sKYKMgUWFUdECkJLYw3lW7eHI+0VNpuU0tcx3hrs9Qhti2gplUHS8vfXfz8PpeAG2R773Em1nD7Bsl9gsONinWPX7CTYKOYvV7/dXN+gt/iuYCJvxnqHt9XSNnka5s4QxRGyPBkD6vaR1ahP4ZLF6OnZrsoxW0xXsPnYRfg1ycnVjh1nmZfK15e+S6/HYi+GfLpNeeReATXFxX/5uuGmMEfkQ00y9u0Gf4k1oR8pu9GPqwYrvgnqFq649wzpKpCijjX6F22UFMt/m3NMPnOmDc3/5aX/2VnzWyYWlIR/tWCKbjAPKjJ4zjvfQVjkSEs0ciwVXTJt1NZa9lMKixKblW/W3+CA+jgMkASn1FRoukJoV69FpOp0IW/0yQZzKkwnJ6XG2w9knDXT1Ga9yz+O+xjeOV3gipsM7sTPaIH5TinyDkm7GfzvOskR9aTIdmR8W7ZmFF4sGIFBAnNKBZJz6BvRaejV7IvG9yCmf7EPkDK89Y3L2GItEquThU7dJmlEoii8QQXVGi99XyIirfyGAWYhRfKNXKJLSmQ+EvbxsKL7qFzP54gJTD2Ep5RGUIRpXzS5QExog4Wp0Qjb+Iad9Ijnw3cqqIrDPWTWujWuzqkdT4BW1raFCbu/MyOo1vXuH56CIOiaqm6DihIrTdFbajBo6r7mtlnq+Ru51C9vXFLtiwH4S58O1qoVGL2nTli4Ey46aI50kqHrJC6ch0WbC71Mqzz7PX7r7/n15fc+4OLavrXWNfQEuMPEIC6Xbr+GfW2AOphk7U8LfE7vzh2y3/cbOxs9GQPQJ52U0MkYQB4/KaNbsp52T179Y0/274ldNc2GPOz6yvnfs2CvqyeD3TpVqPRhqCmaMiv24WxLdf8fhhnYfukK7h+GHK5yZjLoR/0U0ds1nJ4QYquIE3WjIsbEaYil1ZhqyfF0T1pOTxoWm5ZtC0rz1EUg42GLbttE10iS5gM9ZKAkPMyK6OkhA+gHrIhxLk5fZ94fjBtkn2PXgMxI7EMBDt6bfWQKtdpHBxo1WjX0+x9td43aCymIfRywkU/dsh0RN9CkLqE47HL3wi7jkl869/mNXPqxrr6KAXrJWRNEUS+oBqQv2B3NkaYwaXfny7tr6HGDpd6EAewHGyzNJgxA32tThp7A+P6l0w7mgK578OR+PIjYYmHPufy1ziv1J5L3T6Smouk8zOVSh45Nx4f09fCXnXLABl8aZez1zfrHth/gyHXvM3dAvZFfK3PXr1Oz9/V/X/Ymrn3yPO7LBedI63rLcoTRkq2paJxkX68iYFl0mv8irQWSP0Xl7+uIaIw6NGS5zRT9kmCvu8FD2GCg2zfzu/I9xW7gIp15b7bBrsKa4KEEmdM6efTjtTDfv0ZSoV+4xOaHV7tpXkSKBVtWajy/paX7FHX3K6YbwqBPtWwSLOMJemaMZcfU1URfu4NBqg1WeTKlbv+keqeQfNrR9zBSlONhapprreofUY+2b4YJJ1W3XT6kYksmMK+/s6utHOBDKv1rT2LE9c2n1wEWoGA3WRSBBQ1GQy7HeH3agzpUHE99fVYU5wnL63dMO1gKXV8+JErq8O0GSwHMabHSJ+1k4yRL7mfDTQ5uq2jBRbGmy4XkHPqmfo0C2HLvEXJu7JljGhHHuno8XEdRfSOH4yzGGf0ELb6CzJ+KqlpIberCvfl2sGnNJC4LULOi5Fu/T/bDkMxMMVkhzXKKnv8JmZWq0KuffnqBNtiPEqpX2cOJJ6G8HsEJP1cnGSvIV3Mq3FCV2qfQ9F21V1kHIaDneC7XtMMMFi7RqcWbNoriYvT+kK/m2Dwyq2jOTmqacIhR34Q0x8axwBaImbrvD4j0l65NaI30cJzV3xDUi2ypQq/QlSC41BXHTbOye8n1EPQHBj8CuZWhVX54hf7VknuGfvgB/SsiUll92fUcqIep/U9u/rf9INNolynh9hdC5vTJ2rpiQzOCOZ9j8jl96VNOhTT1aDSwKywT65oXME3GptLB4UjezAiODDTcxhwwdnPsjVRWsxZbp3XYX3SaUYSQQmghK5HbF4bDQAYNHQGOS17cvREDyDFigf467AkbjezClkucP5V3zqODNPsDhlEqRgJWhzeFux8GW9g997UQts8+Nq1GKxf1ts3Qr3Jjt2ZoczKBpLLGmJHoM6XlAaY9iRfvK2GaG0yRrVMOPL+qJQ+MpXLzqQVM4u/YhWumYGTq9eWu710EXBzdme7ADEeFv+rXl0hZaa3BoTKcLTI6/b/hRLJ65kfnxO48kpF8uSShoKHgb5tfvYdu+M2MZqIo9oOARgSl/VMHYr6CwItfKdMlZ6m7lzxZc16zVIWwD0yRPq1p1LHnHW6dfQPqiUD+1NVWi39C/mtEGJ14GYwLmiRGDyOApEI3F+c3XvclWFj2sKKUqq/xIngiv7o0iOppuD8+uqcKDPHQqFs0NOWr9iutwe70HLDMZ+jVT6/RBvheUCwQ5jzsK6irnxeo9R+hDVXUgcUGcYq1QVL0ykV2mfjoauLXzcTAXU0RtvW8+12qHBgHWU2UrITkcrntB+IWTA20WIR+QmSFFSbGMZFC+yKLhZvgjirhc3r4js98tKI2dkG3C9SnDCLsm7ZgLYrCKplS1GEEhTejMg0ka0+txAQ0VhejEN7nIAmpVA1RGyxyrHIkpCowZ3+E8nulKoL8yX2Ww8ksOm4W3h4mtVg3yLzkbEGB4oCBrymRIh9RsNvtzrSZoKF9iCAmiCxKTk3wAIw6UTEo8OONprXByjzSQb61aweP89hR3j2Zo8evkCJ6J+R8kCDx4KYHIn8kxl+JPAXbLcg/pHik7jn16rWK6dJrP/Q5PBBRyW70OYJh3H4EuW+HW2OX78sDC+zvQw/btj8K/OEgFSVS5TRP9w76JBv/TOlmxVrHqDNtmg924+vD10rJYgZQKyjK14QKrJh0an1RccO+M4wqhMuS19UvbS+bAgu8DJXmIsQhvFPbiw4ph6tGzDzTSG6Ei4wZXJR9z6DHuJ6aNLx9RiOyYta6kTnVM/S20gbMpC5Q1z1rJC8XG3riJu0VYIuFxXtNp9CEYJPrBR3v3NA0QdyBwFa1ztma5VazgfMQFmS3tSD70GNemMi7kqnJKGz308WC7uxJZIZvHbHaCj2rr1mk4IDu941G3PQD3b5reTYbLNl2V6tiS6Ai+ijOhv+xrwpokF8qWk12lOzpdqeolY8bDGNPq24Dri6aJSAXa9RDw9SISsEOQxPItGVhEry+yyIFrmWWANUyS6E9lzFF0S7QWKM+WqgJdKXOK/I4JmTPfAy+MYPn8l5vzqli85BcOyVY0D4QvW4IsR1BmAyU+BiKta74IzXNl5UhsqAvHQ6N8eIHuAxOCBaeBTsG5MgBoWuqmEndGnSs+7Rf3RcBjo0m7bl8Jh7c5l7pptLFQoO4kxt13xo+Ye3WBXPGeqp4XTl9NlNgAxoXI8sHk2GbSbBBvENTZBJuwqddK71rCUqFfrv1qbFM1wkBfb8arF/v0FiVpC6lZhEFx1FnC8xpkbfdhZu7O9qFp+ImS9e66J6iSFQFVYzcVxYFaZto8vMRlWzNzXBiyd3vAWlrKnKYk3xQbsn53x+he00d2pXD6bRdxNLXgg/YDfOA9yLmJH3KXnXfjE6C9WLGe7lWuMktFtIg3ExSCyfQcrnM6kSVRxHq9UG8t1CfomfKjuz7C6RbQdfqYdvvRvGXnJHtFNN2RuTCDSDgm2sLvh2RyxVPmTcdZuD7yjf/D4tTKQy9S62xNghdt6MC6uqqPNf2L3hUMa8RCjWAOfA4kxUWS5oJukktC8YCl3TTCfWDEmKMYvPK0I6EGOboa4e61da7z9/IUOISRxN2Def4YELHJDcHDMF+fpFDpqu/BYxbqACzDKsbDuo250utqZqhW+o2pdJUzfCSQitvn+m+kKrGYQC7BuP0dgLfR+77nb4VUqG5khv7u/qnpJ7jaM2u0X7S1/kNVia2m64BHNuj4u+UHFSHTnWnJM/bGaSJrpQsqQ8opnqLzwXCnCrTZBepdlH/Mxfe8uKj0wQAkpACCnOOhBTfKVpSsGT2ZT9MMRdlt49+aBqK0+NeMhdhq8M/A8r8UI1W1qNLWHAO1SYCSfHdUtp/73kJQEnJAopjQrpxJxj4EhCwSMoFggnzjOoZum1lSn+wQbeyKg3GF66cr9LWiHEloy7ZJvfit5lmQnilTX0g/X8G2wRfYdrupK+J9v4Nq/jCb8dVoMm1H3fDwha9a8uUTil7dsjwslheAhYIay0JA3+p3Y2gPQkb9oZ9pj93BhnC4MIzVCqYiXKGqCHPwooyVjjWwOoDQSxYihqqNCqxhi5eGho5+GnSsiisFJM7QfthaQ01ZK+6596Dx9L4OnuY4GFy4pvIoqyGdzDBtmG0YSKXG59P66dNnjWZFKPMGJC5qDjfoi8V5s75mcsCMz+IF+iuF+Jy5Onqej0TDbAfjIZj4jPNfS1QnYiONXinvIFif/NNg9qM5fs2jg+6QiQVdd3JTs4t0UegRu+328fC67fSe17R7bBdTxN0pqpg/cFOqV2sfs3OmLz9mvYPkTXtBePp73hD8i+wWnONFc0rQlEdOaJhd5ubqZ8FXtNkj8jtzhj//vvYeQDtCzPqF6Dksz6p5UAMj7Ff3T50K6xXzQ21amGgyrAiK5f5W9fYNGWGFzWkXoswS0izzEwrYr/V/H9YaYqsPBeIQc5dJQinWNkfQSO8FjVfQFhPfq0LOw9HH5zwq4Z9np70i0VkMW/G9y52HixfNqru8Xqtmar01J6+rjYCCIx7/KYJkAauxIVb3fVkHPeUOgtuusG1zst8felHcKPnvnFDPZvSFf1a3F6E9WrngH6sAf/e/Xx92Z3v2oiJofdgNyLn0gAdCTN3iKws2DAdNlLXepuyl/1uVNcXaDt1Ya8fWzjje+JxxxfNwuj68qAmG8s/d0CTtYi9Enmr0c7QhavP9P1OufvFfm0WEFS7n/j+G++Om1emqdyUpnmMKsGpdpyR7kHZSLTGiuE5H1QBuqYMTKCS4xFBoKnQSfuj7GxoV1V1K8+spLIaRl1fyOw+3768vunr0Mi3jHUehbG67BMHCh5dC9lGWhyS6FoYdMuWAoOwGDmipVQpm9c+G8gve0hvat1NQldH+KdFpHOX4ZTlMnBw3v32ATFBeJVTK878IFv79Rl6fnWHi5LTn9GNc4g4sCC9Z2G/CETmJo9tgnOqfVrCmDH92arcJ+B1j1K8jhvznX8a3jP9eU/I1Si2XFKVboRdmGWfurEAjwNopytF9Ury3J4eZ6uPTBrdCb1P4FkYxt69VH7+3ukYL5pmHNeX4TKSo6PzRBZlNnHeFeyKz72CMa7Ov6er+XcWHSmgPnUB42ZkXpExK82rpY+UNdbFvJGWUkHnASvXa/xGpsRhlW+wepwMvWFXfStdsX+ILBEjrZGfWyGK0VtM6n7KYeXWiqBJ7RgpvqsVVLVfCjlbM/pQa0Wxjp4brA02VSzFufFHYcYfzeywi8/lHWL5y/H3y76s1RQYWow+Dhofu7tgsQhf3fodSzx9b3DIL4dz9055zpiQVawYZ6eORC+j3ykrSWM6HQYe2R8jA07dmXHnSJxzbuUe0hUhVOtFxdGVXR8RmVNtj0Td7DdsWTCR07vIDOBMm9M0zwfKFlgYTDFVIzGnCuKbBVaMQwZPwIPn4u9iiTAw8Tv73SBlIsE5lHPXXOiRNGK/Onre5HOWVOnSF906CTNgmVcR2oT4usPTi5EiQ+fmGr7HqRNKnPLVJHl5X5X7tP0lZkKjnBrMeMDJMJeV6XxvhDTJJ8/NrD22uMljAzzGH1JDi5Iny+Y5RzldYB8C8p0v6xi+z9a0WvGaKo63UMhlpH9c0fPAjbS/AKvbf5su6ipw56vXhpkKGjOiIGGtbTBs2PTQ6xo1itXx7xAcG9MEsorIorD3Kc0xunDQEesk+5ZKrlnu/Gd1F7mC6tFEqFyS0wON9/eW/cJ4qzWSbl5eWDW4KyHp6XFkfb16Wln/dzk/0e90Mnn/V859ACZ8u0qWrnHuJSQUu52/vblG1wOFqotGsq61vrpkPwYRC7uaathlVEP6Pv4wn1sdVu6diMjmMk9d8TWouOsrHR4XZHEZUY9W8bsluJDBBJXnHRewLx12CbRNPIQtWd6EckaceEVsq3FQBh7h5Y+n5DV0l1XKZ6qe7n3z0XXPqQNRkKxxR0nV9SK41K85DZW31l2Y9iVuTOAICXrF812HSFNdideYcTwMZKDGFY6gvnJBlRqZtODu0Cm+/nhxN2+sFL4BlAvADkjy6QaaLWcjEpEV2bzK8210/wwrsqh1QB24laanNTrf66WKD1ExGbHLQa/ELtPVFAUJTHezV13PVVzlzDSVdW1fNI9RaLBdW7HhREkbXthPpMsSi83B9WRW+cWnK/Tc10p8qrjVleeMQwEH5IFd3ZVS20++QN8NHQ2iH4X5LORG7BhCmpIKmlmsd6GPTNokeAIXXD8t9KKucn/nS5Pe0CUmW/Rx1FzjbK7wYxTl+4V3WMwEKjATC4ULujcdo8QKpvam75Owo1zewLLoncxdcnTbFrCTdRZACh3QviBVwDIilYW02zfuHd2gXysBpuRbmVOOnjOxnn17hpgkZ2hu/6L2Lyww32qmZ9+G44uGlNmC48Hk/Ng61K6Gf3GDYFHwdYGc3NbDr+Rib6MGI5Ni6n4693jWbRA0VfYgBxFaF3Hlbg+zT29/x4qiDy4B+NtvP739/fz91bffupzbNVaYjZ7JjVSfY5YsH7xgv9cLdiNso04wLGIrEb5mJ26XkuY5wMQ+F9sEJsxCKio0IzEFSMeVlADjIr4XJBAfiAU022A2HE78YO8A9D6PDdRen9gl6rqaJ7oUZp5ro2JXvkO9djKHWPctjfaO1jUf6Zykpxa7tIPBBiqNLzZp6158vYsFsWCjjqaa1GSO2FNJDXYjCpDZL+8JC+WT+wne33Fhkff6//vhqq3K7Cb/PcoRyzs+eo/IXiQf5XDUcdx9+Ek5QdLWzs527NLnpslor7PsoE/mC3C7DU7u4ch03bKaTREPg6KvBWbc8rpu5nLjZcb1Zbe2DTpxWXPQ0GWghcF4VmGdc51ZFfEEek5JvIZ0a199dCGLohJ9T9QAO3Fa46aHYveO3pm/0LBO3eCmT9OsH4rbLRb5v8tw1KzFzWDDTpEMD8ZuuPAOcrrSJSNMRssSncqCB+w3WIlh0OGpo65FUWYylTC+fff2Bv3m/KhtUmoYkS+TphLc/scb9KWiaqR3a8VFpmi/U2fa5IaOQ3SL3tdFZ8G0rkZLJxEf0i5QGXuMgAVanuQ4OgTVBIJjD4abxx/QgDlWRYLdsmATuBdwGbEAuQFa5dGm0u7AjNvtagd0jk1fK3wo3DkVZFVgFauspIG7LfFgfPGDo0+YDNKposDMVtHPAqGLuAVUDeDFElotJQAr539PALXE0SdhuI5T0Y8XBN0zFvvB8Z3bCmpVz+hIiwwTGIwSv/zEwtYiovHeATxflusfxZ1ZRX/ficiIUVmuo/Zd70C3kE+LPB0BeM1xdIkhMiqWTEQsihyCTpEbLbJFpjfMkOjyQ2QLLjcaF/FzV7qwhVmng54g6kJExkRKccJESVUx30ZLeB/ALsnnNMDXmKc4K6zMSiWNzOKHpAD6+scMPI7xYfNkd5PLZZanYLYFHD//jYiswHeZMbHcBruA7YnmNMGjUDCRCGkm0iFdcp3xOc9ih0V3YP8pIfDoncE7sGP3QuzCjl3V24X9U0LYrxPC/ueEsP9XQth/TgPbyJLjOU0hUhro8c0zkRUVB+V7vk3wTtbAy88J9JKi4mxZlGm0b6tlYr6MnYTkIbMUSommX0h834jItEtITLCDWpE01qQFnMaa1FtdlQlmkRLRlFUnMVWNNNb0oHcJRIiRxhpmqWCDWZMEeCXYncBCakoSHML1a8uVRI/C+rUszYriPIFbTRZlRngCH7YFnCBIAnDVfGviu0UtZJ0EclllCWIaRDHDCOYJCoh0hpdUkG3ErKsubIH59g+az1Pgvc6gDWgSyK4dTBqsXWJtEujzZbl+ncYHrbM5M39O0miM6CzurLgeYCWji2qd5JoDVEpU/Co37Xz80WZtdQBTs3J+/vjOEQcc1L4kwF03+Xgd5DqwF4zTFDaMzhYpNpEtYhZn7wJOoRvojJWQpJglEXWsXP+Ya1MOmvlHgq0VSQKbswVNYcZocDQXNGfRCkZ3YTOR5pQUMq841USm4LYHzpYJZJMs9QabqDP/O9BDGeRRACu6ZNooHN8T0sJOoPEpWqZitUrGaw2dyFUi+eoy890RTwDdKIqLBIqkKwVKhXY65XqzkkxnbsJsfOhbrHCSA56PFMLGgLx28+1jw2XaYBF9znGuzbxSsYYF1lCpmxWUAmoVHdf4enRdkxwbLExuWMQfdn1qp4F9MJc4z2PfAZbHDqvWrYMSvEWsyIiSskjSlcgCTmCmsSJLkxzpOx6lYHP5OXp7plLHb1nKSl0qFhkox4aZKnr2GWeCxmux00LVUSfqNHCh+Da+W4tL1/U0W3AZ/TlvgCdI+bc2b3SpY4EmkDjWhk6AavTcBC6XSY6uWCa5wKVUsQVYMa+WKa5ZwTRJIRYKneTAppgDIaiB5krR4UaX4a4BdOyMPwc1djqe2GxiWyBJKsqkGwAd3RKV8TUjqdgyC8zjejDcjaAq/ptVZm4ob3SwUSdTt2DdiNckhyxB4aafiRNbGHiwsaVBmTlHUnR0sdb2lxlZxarzH4CmdyWLHggoqSqWCgsz6LkbA/ImCeD4T6/rRPbxY28KaATASi4zrMuIAwO6oBWODVVRzFPod4oS4IPrOpoIeHwmW8hxW7h2IEuVJ8A4viNTJ/ANa+cbTpAPoGnsRAA38DiBcaLpl/gHINSgNRrUBKaUZssEgleXsb1sWpEU90CRPLoirRUJdcWNANjEG7HVhVnp6F0110TELpQITot9KFDXpDM2+WZp4h8rBzR+RK+Z6Rkb7raM3q21yudJ8tArxRO8hZWmKstZ7Kr3JGMr6shQCjYYog0uYnuD1xkT2uBFAs1gzZRJoYavS5GgdZORqhIx3ayhtmiBjqLnlZHofSXQYOkmeyThsLxPmLMcXSiaM4MusMp9N0MN7d/D6LjJWQm5NDYhFMDAEH0E/Q2I5ChUqtPkQzCRjnNXRcnllg4GCx7k30JW0Zp6H3nGLA+dzwjmnSm6pHeowP1GC20sViyr/jCQ5EhypmE4Q72633pooIR0VZZSGTRsPIrQZoUNYgaVii7GjsID0nLvM4QixHhvdTQoICZ8Z/eRvtCcidQT+Tuo2tW6eGpk5JKaFVWz9vN6JavBi4aQoGuqmnFERqISK03RW2owTAR3dxU3LHj+Ri71yxtX9voCXfoRX2fIrAJTiqAZ8HvqRx8D2gK9o+Z3ZgTV4X0eHuokzFvAyO7mFsHijlhNsSKrGRMsiB/M3J2gv3ZPfMIsDEiGeMlxJWDW77KCOa51E/dwA/dev/Y9NKVvx93Q1DTh9vOLR4x9uxFZxJqm4zqvwrLoA70zcCvG3AVTTKMeEUjt4Lp3MKFa8JGJl9A9N+E4cOifq6lBin6pqDZ7mnafnq18/175TmWAsTxuVSex+x6pJu90152yDyeHEcTGdn4OHdr1z0HKY87+Pzzf0C52fVkLBVg7fDbAaoiXxHvPI2wflznWFLl07QYbNLhVzS75bzwOvqIZBd9gLpVrXx9kI0JYI00pjDvD++dVKSw0JhOM9x10mHZLC1B720NDKgUT0PYhXVJVMKduTIV0u6QbzMHWjNMlRZyuKUdYa7YUbuPaef3how8tmR9RfsP6e076/FEmPVvMKsG+VLQ/JhGHL18H39M6Jp42BaXWaFjuLiSRQlDIrUAbZlZjggKhQGVIo7ErelJ50b1NC8tOkCfNE8XlkhHMkcVgxPQBLB4XO1hqZEzj4/GuXG11GL1OOttG9rJaYz/wmDOss5VMbhM4I64x12CWSjvUyErF7giecD8A5C6NxRbeND+IhXCK1eyca2kN8Z37dgnBcvSr/8YMnYtt878BdAO2vBYG4XxGZFFWhqqwGE7ixreEpTPPvunvBcxY3NkQZv5WvfrT93+2tu9lZztqjn0TRNuf0yxuxOxYxw3eUoX+ufHJ6ZceDUAufOtj1/+kP/OixXnn1O/djxOTlw/Jtmf9gSl2nRl699uHK0s7VdQ5T8BfmjNNFC2xIFurVXr1jPdzQRBw6Ax9ePszuhbmh1dn6Prd5dV//ow+Xgvz+kf0fLPaIkGZWVGFyEpqPypNKkWJgU99//r//I8Xz4IcoWaVUMb1+QEydVbg8Dgenfj03fOa37qzeF0jFb7i+dNCuiubDmB+YsO4ox/4EL49xbS1Tj4xZSrM0Zvzd0Fk/5CCpvNlnXYy/p8UdBbmrUX3qxGhQMhh4Qlb8BTf4D37sMSGbvAjjEiH032DzvNcgZ/WnfIQOs3TS4ry1DjnQ2Mh1xdvb9yrNBoeK7CeMPqx41Rymqp/u9H1jUVlxPtleXjiJIgoPLRrj/Ow1sQyN11rWgHRQRfnObMfxrwN2HZm+YffuQkPgDUJ4YJLf8Mvd4/AAJU21zqJXnfsk4bRO4/hjVSmEckDoZtDgA02gJntYcmrJ+a9o4eJZf2Y1GS9HWO8oCG7cSovrscOLF+stSTMqpzObzTQcZCVywqLJZ01phORYsGWlaI5mm8BJhU5ZA2F5Ux5YuuBQdHoiLYcXHSRoN8Bj6j7d0u4ojsAFC2koZnP7I6fZxSftbnQGc5cKn4C0KVRaYAvEhyJRYJqYZ7iOqTqf1ImYCrOs9oTl04t71vwlo5Zf7WuM+ERNNgrs6JKUIM+bEt6hj7Wz9gbcID9gG5qB9jgJfhtTFOrR/VMoEyMmMY10t4vfoYw50Flomw/CAluWEFi3poq+wYyYSTSBh5zJtDH61GBQiBBNpm8ii6yLVBZJhj7ZgErqmNn9FqwCUpc3IsYOxUd/O0JsHWjFTJOxTL6pEjA2SofCbXQEQ3UqTyYdwIwAhFIJ1ggjH6RaoNVPpzTjdD5EpK9FML2xt9BLt2cmg2lIqx6Ru6aeN8YtzSYd0N1DhkELeMhM2JAIRM+zxXSEgpmrFjyIzbCJK45FlPE8Y9wUNYJIh0X5YDAXZdlG0lZWwt2CQbs7ssTO1JJCXQhWMfrB3dcxB4rw0jFsULQLxrVSDy/uvv5jVzKxSI8/Z2SzKxo8u3dQfaDXdDdxg7eVxZvi+55ZVZUGJ8sPoq2rmJ2TjguocctOY76R03VKMKyMkROy2m/5DjCtxUhVOsRnKHz+GnN0U5LPAG8kFVxl1JtUaAwYYDbFMJpB0faw9FKJQjw6VIK+65YuRVSDpsvooGitEvVOl4/upF3EyPXtRRqBjijeUOP98P09GEmkGamCshPBMUF1ItoD3WFNcK5LO3rYlaUKSQ3ot0yxziD76SQxUheLczk0My1qJ9WibDKPRO5lT9S6YYBGP3COEXnHrHZgA3HOHtFQ5i7k6MJ4w39j5KuMMqCW5+1EJcLIRoDjIhZ7/4ARrh8vVtfrxGbE+MJoXOZsnogQPycrvCayQq0SyKLUsmCjWQo0qmRuxJ4zqGIbIEu9uPGxLoROwmR7GO4o3WiIAI7GEYdLnMCgoH1G/xS727nlW3v2+ixa8ssK2H65WyxNfocysAzcopZf5QWBO/xkgqqGKlJAoZAol8/tYCZFTy1odluyCM7I9/PtFHjwc+aplPabj0aTa/20+TVC7dWQrqCpmljhBtWUG3lutP2FC3paBDJ70K0phAHNwIaDz5wG9SRR+uU3t2PdrR+OI6m7zMdbcjp0aR5h/EhCge0AcWtQDhCGHy91L06SJ2adO/cRYtCmzq8c9F6qU4jQA7I8UaAfL3H8YfDWxZrtME0W3acfFSTSpCYd+wI+THpcYxJ2+AwNko9lKD1/NTRK3cqs8oKalbyEaIkeMeTjBwa/mOjGw69lJRM6nXaE9V5L7n311pE9pzLRJ6Q/5z99Kc/oedvLs9vXqBLpg0Ty4rpFc2hFD6IC5dLmbwv0L5IGGTLLhwefpvhgyMZY0om9iruq/+0uxrCoLkx4JGPNvT5PteFQNp/U/fbcfwBTqGYKRahNultphjmsbrT9Qh5j3NWabcCkgppVjCOlRNPVmzaO0TgXQ+XV8E91yyfstNIN1P+oz0ItRex1xezveTp6izOxb67DmENX2nY8f96JxH8ZnAWvOOGdsoy8rArU6qUiQGDkA2wWqolFuyPPVnVIt1ROJbZJ3C6e6ZG2L1gKlhLmqjrzy92OXgtXIsv17toJ6v5V4q5WRGsKCoVzWXBBA4W3HXE0w02jAqjD6bHczwltW/woxLrWj/SMtHBtVfnmRVcJVYGmiG1pO4XqxM2O/LC5hiJuqA5VdjQPIuWVLbnfFjh80u9YhM8u1FyzfKmeZj/HC5L7jXVwcHwzX/ss7ar04YVnJZIlk9EZbOk7/VntiNkBoeHQubkmrno+aqvuI+0gGuUzphDwe+redI70Jk6X+pUQi8DhDodFTRWrJE2UjmJb6EV1GBY7Rl8amY/9SxMfcHynNPppNxbWO9YORfY3o7cO0nO1eMxpiH3xq/W6TAktnV09gyVHNsts++zVIgKorblmJcfUiEnsCePyKBTjW35q9QGvcVkxcSISZfjRJLjmz6vPwrI9C8VteLD6keuyZmeoTc5LtEn+I/Tj3IpXN3p34aPJ1rhNbWaE6dYoS8VVVsEPQh1KYWmtUYVLk619GbwnWnkpe+BRyxkxeoukMKR7/ryjeNZkzQBqu0Beu+box6LKUx5Susw65/xurX0ThMjaxv6h5dppCohgnasPmteHhd5dm2kRmrsPMTMW5jpNwKjDRO53GikS0rYghH7m7NQnaDPkx1eEEuew7fNuUHPoSMsFaR9hiB0+aLDLVQJeMff0CUmW/RR7za+bSKwRb+QNnp2rV1hAoN95LXvmlqACtSqwSGzL+KA400fgED1/06lKZTzDNm3S3Z6hXqsO69TrwMUA4XBg+a/cwKx0+T1jpHqM3y9672WdVdA+ngX0CE10zjsmoDB7t60CZluGwY7FG5Icbj4GcoGYo4EHK1wA5JzumDC++pBOEFXvwKXI00HAbuTCsUS4dY6YHrqX2zB2PhsU9PueymN9KZsfNjGYLIqJm6B364KDEcD66i7HUmGvMyZiDdBLOrdsCRDUWHaxzMgpLplO7Atro12W94fmNo5wDrt23cA6xKr+kzZH5+1pGxWbNBKHdnbYW1Zl/x+FHkm+swS19ZCqm26Df8XXWLxbwc7xtSI7HZRr9Xz0NNk2fIvLwH6AdoeTSUaUFX3W99P1egpyKgwSpaniI5cVvOBc+GoM+7XtNY2PVCOADi66o5p7+GFLEosts19hGsH4/SdvbKmyj5DGRMLGVYKsP6cukbogPzoWZE1Zhuativ64kuqHIFfKs636D8qzNmC0RxdQt2zcw4GUdnQeUak/MweKej+O50jt35rP2M+ps1H7zbbhsPLyoDKfeII08N3/X2zhJ+y493Rzic/Qx+2pSO99RxY5rgdHN88RRdZ1GayPbQtDs4RoZ7pUNvaPjJTuOoa5XIXO+dZLKWqvf0QYn7/ZmTLO71yIh+nmhdl2jlEe1hhVz7oua/RVFIm0kR2kbLr2P1AJTZh1yQRGdYxo/0dwMqX00eGXCkecZs7UCPuSmOMZpWK5Q3pwNRUZXgZz6ZsQUd/nnZBR01/3AXtT30CwULvDBWgWsU3Tiz8aKe5UfRWivZSZWJrVG6JKWoJd2TuB1gW1KuX/t8XHoWX/h8+rynk9secqnB2nifnEaPnjphu8Bw8rp1RawNycj8QzZpUTCyoUiNx1yHdk9DVVfwPsj7onp0Aybov8aKzDYErBWFtmfRKBZaY7Phdubi9PXYfIINYdX/0VzpM0Bof+MnKFVXT+COszu4znp5fwOjHF+gC1g+jRpWZqFnKCJ8vqPLDP+lOFuae5rw0aei4w8jOhttFn+lOp+i9O83+ONUref/WKOHdRrfsj7C3hn1OJFOu/3qFBF1Kw9wGliusRyZAaTJ1W6HOVrrFx4cL2q1ONgFqkODSO2N14/S6/iackKLZcoqKit3+Rs3Uww+jg5atNGFaV9GVToAMyVLpvHUPi6EAhlSppD7QwaZ0peeVXRzdQnB6n3SaJEOi6Qzuo8jPbyG1c/9j1JGepyF5f+m5B8dxEao1z9YpX/R+SNU7soPI5Jk9eriK3qZRpwLMPlNvUSdqbvBNO66k+yCBbP0RaYjXSYWub8//+vYG3dh3Cv0mRqavtNgmqqQ+BdsPGxnGFsQQWVHyWZ/kRD5OCKftQRYaOtf062xahEEaqB9B2ErBPVouVWzQFPIRlFyHR9MVZNRoAJz/P+6upbdxGwjf+yt4TAA3Afq6dFHAzXa7ATat0TbYozCmaJswRQokZTn/vuDwYT1ot2hkpdhrAlMfZ4bDITnfjAXbzNbhs4vyAIKX3hAzIIaOcLaq1pccIUpsz17M0G1PZPkxgXTisXfW1qbg2IP2KkOjKq8hEAr/g9XEtzIyX5Tm9uUfVhRVVXXVOnH/ErfHES6E8hT8lmsmhifNqa9YWgGyMOatGt66L3sf/jnMNnK0smg91bioFZ8jrToH2CMgiABB5U8DKFa6AylHhTOuXW4qfBWBnHmznalsc9pYQs/Dz5+Wv4V9737w+bShWKWHd/+T12zjZl8clGiuJYBl7OMsQ5+b1Bk7tvNtJLeG3HgQ5hardSCxN3bUHQxPEHR2NqK5kjf7FLA+S25DusBdn3RwYBozBTaNIFRJymrrDsp/eh2eKa/Qttf0vl7w7sAeW2g7oLXSlign348/L3MpuFmxT213Sm/nT7AcEgx6V6xr8MVOsoVifv3l99XjijzBseKyTG2982p1c5s9DbPXRPHMtMI0RrO7NK0UPuUpi5OnZ3uWY7GZj7D51iT8OOWrhx29y7LglR/fhyq9AcVFhGI+pbxxrYA44+qL5w0nYo4sx5Hk1Ksb70vcEfqNshtDu2o8xadH3cqTexfENJkUdTDknbFaye1PawF0L7ixrHx3H/62SP/lcsNo/l8brlkLIhvIwFp0fkNAlsQocsYsNdtyY/WLO9nP6SxqsLtQrD9hIEMMI5B4KTUXTE+E9nwtqnSnCnmKJxNyJm0nJ+V0426oumuqtWZCdE/zeUvv4emn33/AJYAr9sENSp7DoN2NdbxOBuXm+ODEcl44F6AQspQEtIaUf1/yDdJYbec7RDOBbz1Bx8hrzUUB4cJxImh/YfYKbfxVhfbsulPLCB657MO4rQJLd8xkg1clOH0p4ovh+GHwFVCxOFB6jPSVKTyUVGKQm1iB5I4sD8AFvpOdsu/Jt7jCYa0O2Sirh3syGdtQ9e0E3Um1gjIUO4iIPyhN2BGqWrAF+UNBxeUWeQWNxbJQsaNqDvlaKLpnZTG9hQytQSO9/kTC7lrGmjnIAcsZFXx3WQXBCCe1nKiAFrPrcfyF+2NIMLfsaO93thI5PGYHhdnBN9//MAWaj+xISr5lxkZ/0K/6kF/2cChKZn3338n0mkYMVwOUKt3pCkNAWn7gujGEyS2XpwYryGzh0tT+51k30MA0zpO4/R4v5YQgtXIC4p4UIFuQzgo71YjIzep5eRsM1KTnmlqrI3cRnMMNzkPYRssOrS9N1FCQst++N6mgqouSm1oZPopaX+N+8T2jyzo0CS/GIogIofqtbFkeAEsgPIFoXfC90irq8Wb5tLp1M6xBJ/uKe59vCvOY1EY2DDMofiQU3MIlD4KBXLhxOeWqwb38We6larMqdgKpPIbx/d1/lMjj5vT5xaiVWvha31KXT6tz6AxVejIXgoMNkWAOqEPgAyIMKRI33ce6kb/ilNlyIZyk1wJk1omXYIGyUVuAV8Duyi9ZwnuwQB7wO96lBzJg4IE2humvka/vYxINmw2nOby+g+Hw5PwKuOFUnDbK9BTte3XbRkom7r76OwAA//8VqLns" + return "eJzsvW1zGzmSIPx9fwWuI56z3aGmp93d3pu+3b3QSupp3dhurWW797mYiAoQBZIYo4AygCLF/vUXSKBeWIUiKQooyXvjDw5bIhOZCSCR7/kd+ky3PyPCNJH/hJBhhtOf0YX/b041Uaw0TIqf0b/9E0IIvZV5xSlaSIVWWOSciaX7OBLUbKT6jHK6ZoQiLpd69k8ILRjluf75n+Db9s93SOCC+jVnuCib3yBktiX9GS2VrLo/VZRTrOnPaE4N7vw8pwtccZPBEj+jBeaa7vx6gH39p0NFiZVuiTh/e9NgXv+pKegCqIkwrKDa4KLMBBZSUyJFrnc+WROVY0N7v9iDoP3zYUVb+IgJdFVKskKdhVosg8jRNRUms8tnLA8i9ZluN1L1f3cAr3Okqzm6vkRygcyKumXOUE5LKnLLSincz2CRAzjm1FBiV4qHn+WbBV7jV2C+wYr6pWh+LEZRmWaRalnWrHEAFyKFoMRIlS2r2Nj85WOLT7MO0n4PmVhIVWALABm4FwdQhUsLaIbP/2lHTSCsFN5aPGEBwPrWSgRsaG4xi4T+uuKCKjxnnBlGwyQsODaGCvoAImrEe8vVhBSYM8Jkpd0FOoCzJljMOovH4/tl+2uLNa4vdIfvGJZHc+rYzQyzvzkDmUrvcFFyCiTpkhK2YATlTMEebQH7Y0gjnOIwUXMpA787QNS/uy+hNeYVRWzhSRA0RwvGKdpgjWBJJBUS8ijuewCZBRA+NFyK5f3wvJCVMJbtALTBkQmEWybeB7lSSUK1jo9gA7hBcveAMLHk1J2To89zgzQ2q+gI52yxoMqe5JqRLCryzf3NGgkfnYZWRrjzIRXKJakKKoxu3riH0UJkUVaGqtnk788Z0qxgHCuQiLJEnK4p772DZ2heGVQJ9sXd46Lihll503xMI/vgM7GWfH3wwW+opXeGKoF5xsogqYMfH0FlDRNd39TE1luzkvrojcDEsHVff3yALLz2fK8U3AYq8lIyYRDTyC11nAxs8PPKf4bzXI2LmlMfUM4b64IJQ9UCE7rzxNtX/n6ctXdnljNdSs3ivp0X2NClVOwPXD+fdq3dh/Gbt/Ul/sYy+psLu4PfHEC55rElfCrUccP4gAKQgi6xKGZONke3CerD3oBHc6xpbg+PlpUiFGGRW0CGCceA60Nao2fHrMAkjdKLOW94/vb8AjX360jEyIjQeDTECJdVnjFJJlFcu0Lh+rcLOKuNQmp/AKdao4WSxRFGQou8XkllsiQk3FrQ3Q8lIGTnypXYXovpJEqNfzyh4SlgORWGme2syH+KR8Lby5/QCutVYBsegqNe4e8jHppfz7+PjuUCsHz10+uoeL766fWJmMKbjRVZsbU3uaY7tGAh+rWTvIIB4qY5z/WajsSeZ+V+Dol9NCQ+79NRkfo+RKfEGEw+W4MUM65nuCw5Izi+etUB7NyvHdSv7koumUE3CtBmtYf4kLYQJAD+S/OsACd+PCJusFnVfKZ3lFQGzzkYQjnnyKywARdRvb7XFr29Pd8GiDyBOquS1lZU3P2xkFFBC6m2tbbWP13UU3CkpzyEv6506V0g4z6xB2ufNd7OA7JZUYGw8DtjbdiHb8u0SlGJwTSJ8IxQpaSazClcuw1g1aNEksMP/s6IzCNeX/C2AB4Wrv/0nInljpZxPKZmpSg22aoShonlTNM1VcxsI8p+DxEpqituavnv1kV2XaTokmlD1fgDgC7ACY/eyM13F4oZRjC/H2FMEHjeMkVLa9Sk9fQ1Eqel0m6RW/tExO0PJkKbiTXVhi19ZElh8hniH1pXh0IaY9hDzD0i5hZcjXa9SF/Q97gPLj+r3pxGga6KAquYN8MBrKmQlSGyoLWXLy7yihY0Z5H1ofeUyKKgIge4EN5TVEu+djGxbvRvi0Dkwxt1nOtyjJLY55/lw9Pvj5N9puJvBRV5ZlgRvgz3z5/43aoFfYm6YAJz9gfNLdsJl/qgljN66g1WJjm+VuNsoqsn6GNM5FYplyqqR/6yiaM18AGgdmpygQ1ZwX+GOuWujtMG5N5ef3h/hYw9QuSQWdDbEv+lmAS+YdrUbs4dzPqStHMlKnHPo2QoWUEQKzXqzToPw/5rYXPBjKLZPnRPM0BCvm9Yy2ONri+f6QM8/Lq23HNyP9LRmVkvdwQ/7TOLRZ5xJugMq6ULg8d9By/eXKMGdJ+dF1xWOfrgJPb1bxdek3WmJ+QUHmDxvMxyvJPWiB56HK7aaK7kTlPtBEv/acBDl4ipuziEEzH3rPsLJEmCbPeZlLfn6Bem6AZzvj+bsjlsVGu8HOQqju/eXjbAzjWYeNjIO7YZVcFtaZI5qsWC3R2Jhn/Lfkaaat1XI/fi+Bv8HHO/HsILQxX6/yzCxyIKgcusiYrH4NytC4a2kfZa21twuUF7rec2h7IJosbF7bITnX0IgqriNLP/jIHUu06y6TkhVGt0IYVRkjvJbBfrKkbW+mX7PLi93a00VSlwtXAdXszpaj4M7th5FIbdjZ4MzW6I/h64FrgsaZ7VV6YM4Nn74UEBYxQW2r0HnnfXN7Vz9R64WKPvaK7tzXk/CedRmzOMrX3fAtgOUtpOwGTUCdTDZEe+RN7I3QSQ++xmF6vH2tIu9sfuaxfvFJvbxengDnsbCfL+4ugBoJq5PEIrLepygJdoLo2gxmK6WDAyQ78JkDlrqrbfcbk5Q/avHrhC5lRhQ8/Qii1X9rGBj9v/HEMWca7/bQzKfBhh2zx/45T90prcP6M1U5U+85/p02eU/DsWZ4gaspcen2oZKJM4kZqPPp2z0XuALAxv+l5MGClKKHIJYAFpOsfjcH3x9ma8aGVnwUHs4vQFLahjeT1CZxqx8unmXWdttLN2SBfAZaYokapXAXIQkQdo+FhrthQ0R5fnN6i/eJCVrb2Yhe3FlOj65ZFdvmNTcrlcOovRXmMuCeYIVzkz9jf7yKnJ7z+CR9Jw31eyfQ5bxkMODJwUzqgwSFegAS8qzrfN6RF7qSgVWzNOl3Qm+T3P8Il7Aa5WDJqlbpe3+iVZYbGsNXSvb0qeu6KR44gQdPMEiRB0c5iIeaW0mcn53ynpS7F0l6L2qLhlQewDHmiDlWBiufdCO4zZNMemi61VAtD15Uno+kzkTPVjBEllj09/dsgC+ppScQS2UizYslI0fxyE2/U7uB9GG6+Xj4MvXlOFl/RBjH405DvMDtCBOZebjjtyzwkvKo4NW9OMyEpMJ0yMNJgjUhdLdXBfMaORZoK4GKyXNlD0Z1XzOiJIsdpPoKGq6Lo8JiHt/Py8qWkGf4iiXyowq5ZdhPbhvaHzdSlmrk73Xn6ah+qRv9O5VRBcAS9Q0bh15tRalhoZeSzLfTBUqknQv258jN2Kcs1y79BrQrMucEuxyuVm7zaYSgjKp1Pkb88BNHquaCHtFXYOSqnQm1dvXvxTHz0XDFiYLgoPDwb8whQt5Yaq2hy/pAsqNH0iEYJfPlx+XRECi/A/IgT/iBD8I0LwVUcI0EdN0dXFrf/VTGAzY+U/AgcnBg5C7HzCEYUG3c7v73EE/hFtOIzT7rHo8/kfsYh/xCL+EYvYWfBgLEJTUg3KINx6Qbdhu2Bvufd44zV9YO6th4uuxuvC/ovEQ1KieN94yF5nRipE/+HM+CqdGbsuAia7p/rhLoLr326P6LzYBL7AiMo4u4fec6QxYTU0Z6JZ6HsF0QITKOE4EoXm1bu9urjfoasXQkaizYqRlXtjvctC0QVVGj3vJNafodt3b2/O0O3/f3sGhapa9sAupDKrFzN03gJ3/dwQRiusct8ycc0IPUMYlUoaSSQ/Q/ASutpbJBf9J9seqK02tEBaLowFMkPXBuVUSEN3bEivKBBc6fYswlf7ao4jczY4iL5zwawx82c9SSDXVG0UM/bWqYoOzutwk05vKdo9QsNmRZsVVU5SeD0IrbBGc0oFknNN1U6XqsYFsZOSe4iY4eXbS8r43QKsBd7VeMdXH1t/f+PUQvf7n+1b4R453B+sqf+ZbhHTVipDgJrg0lSe/wpvmosDUo/IgmpLNCR090Aj9EYu0SW1epEKE+JgDYqvTiVnt3mrJS0yYI9wYu57luu6vZuBRAe5QExog4Wp0dBBHANVVccgeKjm6kMnHm6XQNh4cYpr16wLE2H0jprfmRH2GfC7PxscjYZYvZIVz5Gga9ACmnNXYqUpeksNtqhh152nXer5G7nUL28w+UyNfjEAfwl9qvj2rInjY/SeOmHhTrjooDkLMnJouh7HyUP9CS9pqSgBXcFiktMFE9BKiwNarnNCgcswVoVeDqsVY55Av8dv/T2/vvzed/10ek5t19UVaphApo3bLzXYCKAOegD40wKfs9tRYmUYqThW8H2/sbPRkzEAfdJJCZ2MAeTxkzK6Jetp9+TVP/Zk/54E6oIibcjDrq+c/z0DQvrb8mSwW+NThF5y1BR1uu9TxM2yLdX9fxhm2mBDC9pLInkiyEGaZkY4HrTreRLoUWEGjRmeBGKrQPOXJ4EYE6chllZjqiXH0z1pOcWnSI+0bFtQF3CKZUON6DUhOzPQwNNiM9BDBkrCw6yInh4ygH7Aihjn4sDJOgkXu47KIPscuwZkRmIfCnDw3uwjU6jV1SBkVdNf9/LcNWovpCD2ccBGPnXLdkTcrFlacdjl7oVdhi3q9ob+QL6RSxeuqhOiKpFTBc5S6gXVgPQFu6M50hSyU3e+vLuGHjdY6k0YwH6wwdJswgD0vTZl6AmM71867WAO6LoHT+7Hg0FGRpJz+avUpisief9E1vNw/C916Nh0fEhfD38HsxiO4e7+AQ5dxl7frH9sap3GrnufuQPqjfxambvu97iNzt7X/++yd5C0kEQ29OWCc6R1vWU5wmjJ1lQ0TrKvVxEwwSl3j2+B5E9R+fs6IhqjDg1ZbjNFvyTY627wEDYY6PZ1uVduaXQDF+nMe7MNRh+2JUVkMIIHrBDKzIoq9PFamO9fI6nQL1xi88OrdvaID5BB1dWwDeWQ7lPU3a+YbgiDpjM+I/gXgnmUk1jH9cpfvYNBqg1Wgyr2aFpHR6J1yO5y8vrm046+h6HOt7+lqM5tcY+oR9vnS3UnsECBoWJLBqU77ju72soBPqTSv/YkRlzffHodYEE4JwdFYEGD0ZDLMV6f9qAOFcdTX58VxTlVk8Suf4Wl0PXlQ6KkDt9usBTAnBYrfdJONk6y5H42XCta162iBRfFmi4XknOYPfg1CmDLvUfIubFnjmlEHOvqGacdRfWN7KstaA+jn6DFV5D5U1FVC6kh2a2QAs23g01DdRa2BahZUfKt3yf7Yde0GZOVSxd+/idkVqpCr3766QWU0Gvqe1cXfb/XLieehPJ6BCd0KYWm6VhBvppT4Vop1D6Fqpg7oQeD6YMQ0HM8l2vaYQYTwczKWrxpoyguRu8P+WqOzSOziuas6utpMRj1TUhzbBwLbIGY+Vv16k/f/1k7kf6yBAFaI/23ATV/g+4DeEsVeoWuBMGlrnyfYmtS3kuuh6A/MPgRyK0MrfLDK/Svltwz9MMP6F8RkQpaA8E2uUXP0H/n5n/aDzKNdpnyTXALhcwDNedPxNYVG5oRzPkck89pNWCHXF0wgI2fPct0O3DId2EKIgqHI4NBP6n1QRjBiTlgDJhqI5XVrMXWaR32F2vMmRsEgkJIIdeJ3b4wnALyMErjuOTF3RsxgBwjFuivw56w0cgubLnE+VN55zw6SLM/KCqoUcPRAAiGhvc/DLawe+5rIWyffWxajdYN8LLbNkO/yo3dmqHNyQSSyhpjRqLPlJYHmPYkXryvhGlKQjHYmuVZnirq2vTUX1IBRdcayqoqZ0d7u3DNlKkwt0b7ju9dBFwcfsy9qyO0zHBU+Kt+fYmUldYaHCrANKyW1DQfO8gJrRIlPT06J+qWD/s4oZKEgoaCv50Q9t61V7r1573uKTbfjglKBM1qXCDmKwi8+JUyXXKWMrPhSZvzmg3U/iehm1mZm/C8uzLhP9oyTX/qaqvFPyH/NSKMTrws2GAo3wQxehj5KxW6uTi/8bqvL8plhRsrE3giv7o0iOppuD98lw8wxIdNKpFzpe6a8lX7ldZgd3oOWOYz9Oqn12gDfC8oFjDdKOgrAKc+qEmt/whtqHK9QhF0icHaICl65SK7THx0NfHrZmLgrqYI23re/S5VDoxzjS7ISkgul9t+IG7B1ECLRegnRFZYYWIcE+2l3gL+4DQXqBI+p4fv+MxHK2pjF3S7QH3KIMKe2CVYFIWb7lyHERTejMo0kKw9tRIT0FhdjMLPJ0eSEOiFCxC1wSLHKkdCqsJNkQzY8qoI8if3WQ4ns0hW88GTdC8mtVg3yLzkbEGB4oCBrymRIh9RsNvtzrRJ6WfZQxATRBYlpyZ4AEadqBgUeKNYTwx26s2UeaSDfGvXDh7nsaO8ezJHj18hhVlF2qa2PjVWzkub5ZQ/EuOvRJ6C7RbkH1Kk7rawRyza1WsV06XXfuhzeCCikt3oc2TonfGXD62p0p1yinxfHlhgfx962LYUxyKzLdMjUuU0OMY4zin2STb+mdLNirWOUWfaNB/sxteHr5WSxQygVlCUrwkVWDHp1Pqi4oZ9ZxhVCJclr6tf2l42BRZ4GSrNRYhDeGenrU/djwwx80wjuREuMmZwUfY9gx5jaN+q5DD5iBmNyIpZ60bmVM/Q20obMJO6QN3Iy5G8XGzoiZu0V4AtFhbvNZ1CE4JNrhd0vINWUFQQdyCwgPnMa5ZbzQbOQ1iQ3daC7EOPeWEi70qmJqOw3U8XC7qzJ5EZvq37XhkJ+ppFyvX23Osbjbjpoy6cMyuNG3k2GyzZpJPJKrYEKgaK3EMhNvyPfVVAg/xS0Wqyo2RPtztFrXzcYI0AiXzk3ABy38dmakSlYIehCWTasjAJXt9lkQJXGKYcH2gK7bmMKYp2gb6KDjWBrtR5RR7HhOyZj8E3ZvBc3uvNOVVsHpJrpwQL2gei1w0htiMIk4ESH0Ox1hVPHXYasaJkZYgs6EuHQ2O8QFb2oAEmsufCsWDHgBw5IHRNB92UJyOsXt0XAXYiO/tcPmmLFwe9A90r3VS6WGgQdyopYQvWGj5h7dZPAhg5U15XTp/NFNiAxsXI8rZgonZR5T7IEsTbm81TbcKnXSu9awlKhX679amxTNcJAX2/GvJ9YXvzN9BOlaQupWYRBcdRZwvMaZG7DlOQyl/f3dEuPBU3w37rjyWKRFVQxch9ZVGQtgmq2PYQ1q1ka26GE0vufg9IW1ORS+UTZvdSJud/f4TuNXVoN9AVv4tY+lrwAbutBN2PmJP0KXvVfTO8kL7q34sZ7+Va4Sa3WEiDMEwZsUiGE2i5XGZ1osqjCPX6IN5bqE/RM2VH9v0F0q2ga/XuWNguVqXkjGxT3549cuEGEPDNtQXfjsjl4KyuxAx8X3EKiIXFqRSG3qXWWBuEroXz17X9UHGea/sXPKowEhMQCjWAOfA4u2nCWX+scQJZMBa4rEcXN71CsDGKzStDOxJimKPvByFbbb37/IVFhy77A+gebrW4kdjT3xwwBPv5RX4+d0d/Cxi3zRyOuuGgbnO+1JqqGbql7cSLGV5SaOXtM90XUtU4DGDXYJzeTtzEDPf9Tt8KqdBcyY39Xf1Tr2s6s2u0n/R1foOVie2mawDH9qj4O9Wfdz7dnWpmmie8UrKkPqCY6i0+FwhzqkyTXaTaRf3PXHjLi49OEwBIQgoozDkSUnynaEnBktmX/QBmw5RPTj2kubFXTDPI+CVzEbY6/DOgbMPMyivLTtajS1hwDtUmAknx3VLaf+95Cdy4nYDimJBu3AkGvgQELJJygax0MIzqGbptZUp/sEG3sioNxheunK/S1ohxJaMu2Sb34tczHiPCK23qA+n/M9gm+ArTdid9TbT3b1jFF347rgJNrv24Gxa26F1bpnRK2bNDhpfF8hKwQFhrSdxkI7sbQXsSNuwN+0x/RhiVq61mBHOUM/35DJUKZqLAJLpnYUUZK3xK7eU9H3pXZ6NwQQ1VGpVYQxcvDY0cXC8CIovCSjG5E7QfltbsDNVDw6fJvQePpfF19jDBw+TEN5FFWQ3vYIJtw2jDRC43Pp+WSEFoac6aTIpRZgzIXFScb9GXCnPn/MxlgZnwUkN0FuJy5Onqej1jqUt7SLcq4RsmPtPc1wLViehYg3fKGyj2N980qM1Yvm/j+KArRFJR153s5NwSfQRq9H67fSy8fiu95xXdDtv1NEFnN3ku0WiEERerXxOwded/v6b9Q2RNe8F4+jvekPwLrNZcY0XzilBUR45o2N2mqWKYZ4HXNNkjcgtL1mpz/33sPID2hRn1C1DyWZ/UciCGx9ivbh+6Fdar5oZatTBQZViRlcv8rWtsmjLDixpSr0WYJaRZZqYVsd9q/j+sNEVWngvEIOeuEoRTrOyPoBFei5ovIGyH4LnCzsPRByf8BlM6n/iLRWQxr8cxy8XOg+XLRtU9Xi+YFzy1p6+rjQAC4x6/aQKkgStx4VZ3PRnHPaXOgkvuGm/Y57zM15fonZM0z33jBuSm7XXGqL4I69XOAf0YvvyO+/n6EljqS94aMTH0HuxG5FwaoCNh5g6RlQUbpsNG6lpvU/ay343q+gJtpy7s9WOPzNZOfOku2kHL15cHNdlY/rkDmqxF7JXIW412hi5cfabvd8rdL/Zrs4Cg2v3E9994d9y8Mk3lpjTNY1QJTrXjjHQPykaiNVYMz/mgCtA1ZWAClRyPCAJNhU7aH2VnQ7uqqlt5ZiWV1TDq+kJm9/n25fVNX4dGvmWs8yiM1WWfOFDw6FrINtLikETXwqBbthQYhMXIES2lStm89tlAftlDelPrbhK6OsI/LSLd2eX2lOUycHDe/fYBMUF4lVMrzvwgW/v1GXp+VQ8wvnEOEQcWpPcs7BeByNzksU1wTrVPSxgzpj9blfsEvO5RitdxY77zT8N7pj/vCbkaxZZLqtKNsAuz7FM3FuBxcCOaFdUryXN7epytPjJpdCf0PoFnYRh791L5+XunY7xomnFcX4bLSI6OzhNZlNnEeVewKz73Csa4Ov+erubfWXSkgPrUhZvNnVdkzErzaukjZY11MW+kpVTQecDK9Rq/kSlxfhD5oyiAw676C5h97h4iS8RIa+TnVohi9BaTup9yWLm1ImhSO0aK72oFVe2XQs7WjD7UWlGso+cGa4NNFUtxbvxRmPFHMzvs4nN5h1j+cvz9si9rNQWGFqOPg8bH7i5YLMJXt37HEk/fGxzyy+HcvVOeMyZkFSvG2akj0cvod8pK0phOh4FH9sfIgFN3Ztw5EuecW7mHdEUI1XpRcXRl10dE5lTbI1E3+w1bFkzk9C4yAzjT5jTN84GyBRYGU0zVSMypgvhmgRXjkMET8OC5+LtYIgxM/M5+N0iZSHAO5dw1F3okjdivjp43+ZwlVbr0RbdOwgxY5lWENiG+7vD0YqTI0Lm5hu9x6oQSp3w1SV7eV+U+bX+JmdAopwYzHnAyzGVlOt8bIU3yyXMza48tbvLYAI/xh9TQouTJsnnOUU4X2IeAfOfLOobvszWtVrymiuMtFHIZ6R9X9DxwI+0vwOr236aLugrc+eq1YaaCxowoSFhrGwwbNj30ukaNYnX8OwTHxjSBrCKyKOx9SnOMLhx0xDrJvqWSa5Y7/1ndRa6gejQRKpfk9EDj/b1lvzDeao2km5cXVg3uSkh6ehxZX6+eVtb/Xc5P9DudTN7/lnMfgAnfrpKla5x7CQnFbudvb67R9UCh6qKRrGutry7Zj0HEwq6mGnYZ1ZC+jz/M51aHlXsnIrK5zFNXfA0q7vpKh8cFWVxG1KNV/G4JLmQwQeV5xwXsS4ddAm0TD2FLljehnBEnXhHbahyUgUd4+eMpeQ3dZZXymaqne998dN1z6kAUJGvcUVJ1vQgu9WtOQ+WtdRemfYkbEzhCgl7xfNch0lRX4jVmHA8DGahxhSOor1xQpUYmLbg7dIqvP17czRsrhW8A5QKwA5J8uoFmy9mIRGRFNq/yfBvdP8OKLGodUAdupelpjc73eqniQ1RMRuxy0Cuxy3Q1RUEC093sVddzFVc5M01lXdsXzWMUGmzXVmw4UdKGF/YT6bLEYnNwPZlVfvHpCj33tRKfKm515TnjUMABeWBXd6XU9pMv0HdDR4PoR2E+C7kRO4aQpqSCZhbrXegjkzYJnsAF108Lvair3N/50qQ3dInJFn0cNdc4myv8GEX5fuEdFjOBCszEQuGC7k3HKLGCqb3p+yTsKJc3sCx6J3OXHN22BexknQWQQge0L0gVsIxIZSHt9o17Rzfo10qAKflW5pSj50ysZ9+eISbJGZrbv6j9CwvMt5rp2bfh+KIhZbbgeDA5P7YOtavhX9wgWBR8XSAnt/XwK7nY26jByKSYup/OPZ51GwRNlT3IQYTWRVy528Ps09vfsaLog0sA/vbbT29/P39/9e23Lud2jRVmo2dyI9XnmCXLBy/Y7/WC3QjbqBMMi9hKhK/ZidulpHkOMLHPxTaBCbOQigrNSEwB0nElJcC4iO8FCcQHYgHNNpgNhxM/2DsAvc9jA7XXJ3aJuq7miS6FmefaqNiV71Cvncwh1n1Lo72jdc1HOifpqcUu7WCwgUrji03auhdf72JBLNioo6kmNZkj9lRSg92IAmT2y3vCQvnkfoL3d1xY5L3+/364aqsyu8l/j3LE8o6P3iOyF8lHORx1HHcfflJOkLS1s7Mdu/S5aTLa6yw76JP5Atxug5N7ODJdt6xmU8TDoOhrgRm3vK6budx4mXF92a1tg05c1hw0dBloYTCeVVjnXGdWRTyBnlMSryHd2lcfXciiqETfEzXATpzWuOmh2L2jd+YvNKxTN7jp0zTrh+J2i0X+7zIcNWtxM9iwUyTDg7EbLryDnK50yQiT0bJEp7LgAfsNVmIYdHjqqGtRlJlMJYxv3729Qb85P2qblBpG5MukqQS3//EGfamoGundWnGRKdrv1Jk2uaHjEN2i93XRWTCtq9HSScSHtAtUxh4jYIGWJzmODkE1geDYg+Hm8Qc0YI5VkWC3LNgE7gVcRixAboBWebSptDsw43a72gGdY9PXCh8Kd04FWRVYxSoraeBuSzwYX/zg6BMmg3SqKDCzVfSzQOgibgFVA3ixhFZLCcDK+d8TQC1x9EkYruNU9OMFQfeMxX5wfOe2glrVMzrSIsMEBqPELz+xsLWIaLx3AM+X5fpHcWdW0d93IjJiVJbrqH3XO9At5NMiT0cAXnMcXWKIjIolExGLIoegU+RGi2yR6Q0zJLr8ENmCy43GRfzclS5sYdbpoCeIuhCRMZFSnDBRUlXMt9ES3gewS/I5DfA15inOCiuzUkkjs/ghKYC+/jEDj2N82DzZ3eRymeUpmG0Bx89/IyIr8F1mTCy3wS5ge6I5TfAoFEwkQpqJdEiXXGd8zrPYYdEd2H9KCDx6Z/AO7Ni9ELuwY1f1dmH/lBD264Sw/zkh7P+REPaf08A2suR4TlOIlAZ6fPNMZEXFQfmebxO8kzXw8nMCvaSoOFsWZRrt22qZmC9jJyF5yCyFUqLpFxLfNyIy7RISE+ygViSNNWkBp7Em9VZXZYJZpEQ0ZdVJTFUjjTU96F0CEWKksYZZKthg1iQBXgl2J7CQmpIEh3D92nIl0aOwfi1Ls6I4T+BWk0WZEZ7Ah20BJwiSAFw135r4blELWSeBXFZZgpgGUcwwgnmCAiKd4SUVZBsx66oLW2C+/YPm8xR4rzNoA5oEsmsHkwZrl1ibBPp8Wa5fp/FB62zOzJ+TNBojOos7K64HWMnoolonueYAlRIVv8pNOx9/tFlbHcDUrJyfP75zxAEHtS8JcNdNPl4HuQ7sBeM0hQ2js0WKTWSLmMXZu4BT6AY6YyUkKWZJRB0r1z/m2pSDZv6RYGtFksDmbEFTmDEaHM0FzVm0gtFd2EykOSWFzCtONZEpuO2Bs2UC2SRLvcEm6sz/DvRQBnkUwIoumTYKx/eEtLATaHyKlqlYrZLxWkMncpVIvrrMfHfEE0A3iuIigSLpSoFSoZ1Oud6sJNOZmzAbH/oWK5zkgOcjhbAxIK/dfPvYcJk2WESfc5xrM69UrGGBNVTqZgWlgFpFxzW+Hl3XJMcGC5MbFvGHXZ/aaWAfzCXO89h3gOWxw6p166AEbxErMqKkLJJ0JbKAE5hprMjSJEf6jkcp2Fx+jt6eqdTxW5ayUpeKRQbKsWGmip59xpmg8VrstFB11Ik6DVwovo3v1uLSdT3NFlxGf84b4AlS/q3NG13qWKAJJI61oROgGj03gctlkqMrlkkucClVbAFWzKtlimtWME1SiIVCJzmwKeZACGqguVJ0uNFluGsAHTvjz0GNnY4nNpvYFkiSijLpBkBHt0RlfM1IKrbMAvO4Hgx3I6iK/2aVmRvKGx1s1MnULVg34jXJIUtQuOln4sQWBh5sbGlQZs6RFB1drLX9ZUZWser8B6DpXcmiBwJKqoqlwsIMeu7GgLxJAjj+0+s6kX382JsCGgGwkssM6zLiwIAuaIVjQ1UU8xT6naIE+OC6jiYCHp/JFnLcFq4dyFLlCTCO78jUCXzD2vmGE+QDaBo7EcANPE5gnGj6Jf4BCDVojQY1gSml2TKB4NVlbC+bViTFPVAkj65Ia0VCXXEjADbxRmx1YVY6elfNNRGxCyWC02IfCtQ16YxNvlma+MfKAY0f0WtmesaGuy2jd2ut8nmSPPRK8QRvYaWpynIWu+o9ydiKOjKUgg2GaIOL2N7gdcaENniRQDNYM2VSqOHrUiRo3WSkqkRMN2uoLVqgo+h5ZSR6Xwk0WLrJHkk4LO8T5ixHF4rmzKALrHLfzVBD+/cwOm5yVkIujU0IBTAwRB9BfwMiOQqV6jT5EEyk49xVUXK5pYPBggf5t5BVtKbeR54xy0PnM4J5Z4ou6R0qcL/RQhuLFcuqPwwkOZKcaRjOUK/utx4aKCFdlaVUBg0bjyK0WWGDmEGloouxo/CAtNz7DKEIMd5bHQ0KiAnf2X2kLzRnIvVE/g6qdrUunhoZuaRmRdWs/bxeyWrwoiEk6JqqZhyRkajESlP0lhoME8HdXcUNC56/kUv98saVvb5Al37E1xkyq8CUImgG/J760ceAtkDvqPmdGUF1eJ+HhzoJ8xYwsru5RbC4I1ZTrMhqxgQL4gczdyfor90TnzALA5IhXnJcCZj1u6xgjmvdxD3cwL3Xr30PTenbcTc0NU24/fziEWPfbkQWsabpuM6rsCz6QO8M3Ioxd8EU06hHBFI7uO4dTKgWfGTiJXTPTTgOHPrnamqQol8qqs2ept2nZyvfv1e+UxlgLI9b1UnsvkeqyTvddafsw8lhBLGxnZ9Dh3b9c5DymLP/D883tItdX9ZCAdYOnw2wGuIl8d7zCNvHZY41RS5du8EGDW5Vs0v+G4+Dr2hGwTeYS+Xa1wfZiBDWSFMK487w/nlVCguNyQTjfQcdpt3SAtTe9tCQSsEEtH1Il1QVzKkbUyHdLukGc7A143RJEadryhHWmi2F27h2Xn/46ENL5keU37D+npM+f5RJzxazSrAvFe2PScThy9fB97SOiadNQak1Gpa7C0mkEBRyK9CGmdWYoEAoUBnSaOyKnlRedG/TwrIT5EnzRHG5ZARzZDEYMX0Ai8fFDpYaGdP4eLwrV1sdRq+TzraRvazW2A885gzrbCWT2wTOiGvMNZil0g41slKxO4In3A8AuUtjsYU3zQ9iIZxiNTvnWlpDfOe+XUKwHP3qvzFD52Lb/G8A3YAtr4VBOJ8RWZSVoSoshpO48S1h6cyzb/p7ATMWdzaEmb9Vr/70/Z+t7XvZ2Y6aY98E0fbnNIsbMTvWcYO3VKF/bnxy+qVHA5AL3/rY9T/pz7xocd459Xv348Tk5UOy7Vl/YIpdZ4be/fbhytJOFXXOE/CX5kwTRUssyNZqlV494/1cEAQcOkMf3v6MroX54dUZun53efWfP6OP18K8/hE936y2SFBmVlQhspLaj0qTSlFi4FPfv/5f/+3FsyBHqFkllHF9foBMnRU4PI5HJz5997zmt+4sXtdIha94/rSQ7sqmA5if2DDu6Ac+hG9PMW2tk09MmQpz9Ob8XRDZP6Sg6XxZp52M/yMFnYV5a9H9akQoEHJYeMIWPMU3eM8+LLGhG/wII9LhdN+g8zxX4Kd1pzyETvP0kqI8Nc750FjI9cXbG/cqjYbHCqwnjH7sOJWcpurfbnR9Y1EZ8X5ZHp44CSIKD+3a4zysNbHMTdeaVkB00MV5zuyHMW8Dtp1Z/uF3bsIDYE1CuODS3/DL3SMwQKXNtU6i1x37pGH0zmN4I5VpRPJA6OYQYIMNYGZ7WPLqiXnv6GFiWT8mNVlvxxgvaMhunMqL67EDyxdrLQmzKqfzGw10HGTlssJiSWeN6USkWLBlpWiO5luASUUOWUNhOVOe2HpgUDQ6oi0HF10k6HfAI+r+3RKu6A4ARQtpaOYzu+PnGcVnbS50hjOXip8AdGlUGuCLBEdikaBamKe4Dqn6n5QJmIrzrPbEpVPL+xa8pWPWX63rTHgEDfbKrKgS1KAP25KeoY/1M/YGHGA/oJvaATZ4CX4b09TqUT0TKBMjpnGNtPeLnyHMeVCZKNsPQoIbVpCYt6bKvoFMGIm0gcecCfTxelSgEEiQTSavootsC1SWCca+WcCK6tgZvRZsghIX9yLGTkUHf3sCbN1ohYxTsYw+KRJwtspHQi10RAN1Kg/mnQCMQATSCRYIo1+k2mCVD+d0I3S+hGQvhbC98XeQSzenZkOpCKuekbsm3jfGLQ3m3VCdQwZBy3jIjBhQyITPc4W0hIIZK5b8iI0wiWuOxRRx/CMclHWCSMdFOSBw12XZRlLW1oJdggG7+/LEjlRSAl0I1vH6wR0XscfKMFJxrBD0i0Y1Es+v7n5+I5dysQhPf6ckMyuafHt3kP1gF3S3sYP3lcXbontemRUVxieLj6Ktq5idE45L6HFLjqP+UVM1irCsDJHTctovOY7wbUUI1XoEZ+g8flpztNMSTwAvZFXcpVRbFChMGOA2hXDawZH2cLRSCQJ8upTCvitWboWUw+aLaKAo7VK1jtePbuTdxMh1LYWaAc5o3tDj/TA9fZgJpJmpAvITQXEB9SLaQ11hjXAuS/u6mBVlCsmNaLfMMc7gOylkMZJXCzM5NHMt6qdVIqxyz0Ru5Y9UumEARr8wTtG5R2w2YMMxzl7REObu5GjCeEP/o6QrjLLg1mctxOVCiMYAI2LWuz+AES5f79bXa8TmxHhC6FymrB4IED+nK7xmsgLtksiiVLJgIxmKdGrkrgSecygiW6CL/bgxsW7ETkIk+xjuaJ0oiMAOhlGHy5yAYGD9Br/Uu9t5Zdv7Nnrs2jLLSph+OVtsjT6HMvCMnGLWH6UFwXu8pIIqRmqSgCGQ6NdPLWBmBU9taLYb8sjOyPczbdR48LOm6ZS2W49G06v9NHn1wq2VkK6gadoY4YYVVFu57rQ9RUs6GkTyuxCtKcTBjYDGgw/cBnXk0Tqld/ejHa0fjqPp+0xHG3J6NGneYXyIwgFtQHErEI4QBl8vda8OUqcm3Tt30aLQpg7vXLReqtMIkANyvBEgX+9x/OHwlsUabTDNlh0nH9WkEiTmHTtCfkx6HGPSNjiMjVIPJWg9P3X0yp3KrLKCmpV8hCgJ3vEkI4eG/9johkMvJSWTep32RHXeS+79tRaRPecykSfkP2c//elP6Pmby/ObF+iSacPEsmJ6RXMohQ/iwuVSJu8LtC8SBtmyC4eH32b44EjGmJKJvYr76j/troYwaG4MeOSjDX2+z3UhkPbf1P12HH+AUyhmikWoTXqbKYZ5rO50PULe45xV2q2ApEKaFYxj5cSTFZv2DhF418PlVXDPNcun7DTSzZT/aA9C7UXs9cVsL3m6Ootzse+uQ1jDVxp2/L/eSQS/GZwF77ihnbKMPOzKlCplYsAgZAOslmqJBftjT1a1SHcUjmX2CZzunqkRdi+YCtaSJur684tdDl4L1+LL9S7ayWr+lWJuVgQrikpFc1kwgYMFdx3xdIMNo8Log+nxHE9J7Rv8qMS61o+0THRw7dV5ZgVXiZWBZkgtqfvF6oTNjrywOUaiLmhOFTY0z6Ille05H1b4/FKv2ATPbpRcs7xpHuY/h8uSe011cDB88x/7rO3qtGEFpyWS5RNR2Szpe/2Z7QiZweGhkDm5Zi56vuor7iMt4BqlM+ZQ8PtqnvQOdKbOlzqV0MsAoU5HBY0Va6SNVE7iW2gFNRhWewafmtlPPQtTX7A853Q6KfcW1jtWzgW2tyP3TpJz9XiMaci98at1OgyJbR2dPUMlx3bL7PssFaKCqG055uWHVMgJ7MkjMuhUY1v+KrVBbzFZMTFi0uU4keT4ps/rjwIy/UtFrfiw+pFrcqZn6E2OS/QJ/uP0o1wKV3f6t+HjiVZ4Ta3mxClW6EtF1RZBD0JdSqFprVGFi1MtvRl8Zxp56XvgEQtZsboLpHDku75843jWJE2AanuA3vvmqMdiClOe0jrM+me8bi2908TI2ob+4WUaqUqIoB2rz5qXx0WeXRupkRo7DzHzFmb6jcBow0QuNxrpkhK2YMT+5ixUJ+jzZIcXxJLn8G1zbtBz6AhLBWmfIQhdvuhwC1UC3vE3dInJFn3Uu41vmwhs0S+kjZ5da1eYwGAfee27phagArVqcMjsizjgeNMHIFD9v1NpCuU8Q/btkp1eoR7rzuvU6wDFQGHwoPnvnEDsNHm9Y6T6DF/veq9l3RWQPt4FdEjNNA67JmCwuzdtQqbbhsEOhRtSHC5+hrKBmCMBRyvcgOScLpjwvnoQTtDVr8DlSNNBwO6kQrFEuLUOmJ76F1swNj7b1LT7XkojvSkbH7YxmKyKiVvgt6sCw9HAOupuR5IhL3Mm4k0Qi3o3LMlQVJj28QwIqW7ZDmyLa6PdlvcHpnYOsE779h3AusSqPlP2x2ctKZsVG7RSR/Z2WFvWJb8fRZ6JPrPEtbWQaptuw/9Fl1j828GOMTUiu13Ua/U89DRZtvzLS4B+gLZHU4kGVNX91vdTNXoKMiqMkuUpoiOX1XzgXDjqjPs1rbVND5QjAI6uumPae3ghixKLbXMf4drBOH1nr6ypss9QxsRChpUCrD+nrhE6ID96VmSN2Yam7Yq++JIqR+CXivMt+o8Kc7ZgNEeXUPfsnINBVDZ0nhEpP7NHCrr/TufIrd/az5iPafPRu8224fCyMqBynzjC9PBdf98s4afseHe088nP0Idt6UhvPQeWOW4HxzdP0UUWtZlsD22Lg3NEqGc61La2j8wUrrpGudzFznkWS6lqbz+EmN+/GdnyTq+cyMep5kWZdg7RHlbYlQ967ms0lZSJNJFdpOw6dj9QiU3YNUlEhnXMaH8HsPLl9JEhV4pH3OYO1Ii70hijWaVieUM6MDVVGV7Gsylb0NGfp13QUdMfd0H7U59AsNA7QwWoVvGNEws/2mluFL2Vor1UmdgalVtiilrCHZn7AZYF9eql//eFR+Gl/4fPawq5/TGnKpyd58l5xOi5I6YbPAePa2fU2oCc3A9EsyYVEwuq1EjcdUj3JHR1Ff+DrA+6ZydAsu5LvOhsQ+BKQVhbJr1SgSUmO35XLm5vj90HyCBW3R/9lQ4TtMYHfrJyRdU0/girs/uMp+cXMPrxBbqA9cOoUWUmapYywucLqvzwT7qThbmnOS9NGjruMLKz4XbRZ7rTKXrvTrM/TvVK3r81Sni30S37I+ytYZ8TyZTrv14hQZfSMLeB5QrrkQlQmkzdVqizlW7x8eGCdquTTYAaJLj0zljdOL2uvwknpGi2nKKiYre/UTP18MPooGUrTZjWVXSlEyBDslQ6b93DYiiAIVUqqQ90sCld6XllF0e3EJzeJ50myZBoOoP7KPLzW0jt3P8YdaTnaUjeX3ruwXFchGrNs3XKF70fUvWO7CAyeWaPHq6it2nUqQCzz9Rb1ImaG3zTjivpPkggW39EGuJ1UqHr2/O/vr1BN/adQr+JkekrLbaJKqlPwfbDRoaxBTFEVpR81ic5kY8Twml7kIWGzjX9OpsWYZAG6kcQtlJwj5ZLFRs0hXwEJdfh0XQFGTUaAGeDTTXZhM8ulmvMWe4OYgCJviCcrKv1PkEIHPtMt7ovtiOd/DqBNDLslTGlzhjMoE0CGrYyBUMIfgK3iS1FXfkiFTPbAzeKyKJI2ifuSLwdHt4hFC7B3zBFed/SjO1i2XAsMq0fa+CtXdnJ8N89tXWNVhBbV2qclZJNkVYdQthhgAADQCpsDQBbyQoLMWickbrdlF8VEBmJ2U7Utrl5WPzMw9/fnL/z797L3vLNg2Kk6vv+o/dsY/pztpa8SsWA83qOs/BzbprJ2PU430owo9Fzh4R+Ad06oLC3nqjbA48A6SA1vEokzd54XD8KZny6wGy36GBNFWQKLCqOiBSElsYayrduD0faK2w2KaWvY7w12OsR2hbRUiqDpOXvr/9+HkrBDbI99rmTajl9gmW/wGDHxTrHrtlJsFHMX65+u7m+QW/xXcFE3oz1Dm+rpW3yNMydIYojZHkyBtTtI6tRn8Ili9HTs12VY7aYrmDzsYvwa5KTqx07zjIvla8vfZdej8VeDPl0m/LIvQJqiov/8nXDTWGOyIeaZOzbDf4Sa0I/UnajH1cNVnwT1C1cce8Z0lUgRR1r9C/aKCmW/zbnmHzmTBua/8tL/7Oz5rdMLCgJ/2rBFN1gHlRk8Jx3voOwyJGWaORYKrpk2qitteynFBYlNivfrL/BAfVxGCAJTqmp0HSF0K5ei0jV6ULe6JMN5lSYTk5KjbcfyDhrpqnNepd/HPcxvHO6wBU3GdyJn9EC851S5B2SdjP433WSI+pJke3I+LZszSi8WDACgwTmlAok59A3otPQq9kXje9BTP9iHyBleOsbl7HFWiRWJwuduk3SiERReIMKqjVe+r5ERFr5DQPMQorkG7lEl5TIfCTs42FF91G5ns8RE5h6CE8pjaAI075ocoGY0AYLU6MRtvENO+kRz4fvVFAVh3vIrHVrXJ1TO54AraxtCxN2f2dGUK3r3T88BUHQNVXdBhUlVpqit9Rg0NR9zW2z1PM3cqlf3rik2hcD8Jc+HaxVKzB6T52wcCdcdNAc6SRD10lcOA+LNhd6mVZ59nv81t/z68vvfcDFtX1rrWvoCXCHiUFcLt1+DfvaAHUwydqfFvic3p07ZL/vN3Y2ejIGoE86KaGTMYA8flJGt2Q97Z68+see7N8Tu2qaDXnY9ZXzv2fBXldPBrt1qlDpw1BTNGVW7MPZlur+PwwzsP3SFdw/DDlc5cxk0I/6KaK3azg9IcRWESfqRkWMidMQS6sx1ZLj6Z60nJ40LDYt2xaU5qmLQMbDFt22ia6RJM0HeshASXiYFdHTQwbQD1gR41ycvs68Pxg3yD7HrgGZkdiHAhy8N/vIFGq1jw40arRq6Pc/2u4atRdSEPs4YCOfumU7Im6gSV1Ccdjl7oVdxiW/dO7zG7n0Y119FQP0krMmiKJeUA1IX7A7miNNYdLuzpd319DjBku9CQPYDzZYmk0YgL7Xpgw9gfH9S6cdzAFd9+DJ/XgQscXCnnP5a51X6k8k759ITUXTeZjLpQ4dm44P6evhLzvlgA2+NMrY65v1j20/wJHr3mfugHojv1bmrl+nZu/r/3fZm7j2yfO4LxecI63rLcsRRku2pqJxkn29ioBl0Wn+i7QWSP4Ulb+vI6Ix6tCQ5TZT9EuCve4GD2GDgW7fzO/K9xS7gYt05r3ZBrsKa4KHEmRO6+TRj9fCfP8aSYV+4RKbH17tpnkRKRZsWanx/JaW7lPU3a+YbgiDPtWySbCMJ+iZMZYdU1cTfe0OBqk2WOXJlLr9k+qdQvJpR9/DSFGOh6lprrWqf0Q92r4ZJpxU3Xb5kIotmcC8/s6utnKAD6n0rz2JEdc3n14HWICC3WRRBBY0GA25HOP1aQ/qUHE89fVZUZwnLK/fMe1gKXR9+ZAoqcO3GywFMKfFSp+0k42TLLmfDTc5uK2iBRfFmi4XknPom/o1CmDLvUfIubFnjmlEHOvq8XAdRfWNHI6zGGf0E7T4CjJ/KqpqIbWpC/fm28GmNZO4LEDNipJv/T7ZD0MyM8VkhTTLKXr+J2RWqkKvfvrpBdpgP0qoXmUPJ56E8noEJ/xcnWSsIF/NqXBDVWqfQtN31V5lHYSAnuO5XNMOM1i4RKcWb9ooiovR+0O+mmPzyKyiOTupacIhRn0T0hwbxwJbIGbqvj8g0l+6NqE10sNxVn9DUC+ypQq9QleC4FJXHDfNyu4l10PQHxj8CORWhlb54RX6V0vuGfrhB/SviEhl9WXXc6Aepvbfufmf9oNMo12mhNtfCJnTJ2vrig3NCOZ8jsnn9KVPORXS1KPRwK6wTKxrXsA0GZtKB4cjeTMjODLQcBtzwNjNsTdSWc1abJ3WYX/RaUYRQgqhhaxEbl8YDgMZNHQEOC55cfdGDCDHiAX667AnbDSyC1sucf5U3jmPDtLsDxhGqRgJWB3eFO5+GGxh99zXQtg++9i0Gq1c1Ns2Q7/Kjd2aoc3JBJLKGmNGos+UlgeY9iRevK+EaW4wRbZOOfD8qpY8MJbKzacWMIm/YxeumYKRqdeXu753EXBxdGe6AzMcFf6qX18iZaW1BofKcLbI6PT/hhPJ6pkfnRO780hG8uWShIKGgr9tfvUeuuE3M5qJotgPAhoRlPZPHYj5CgIvfqVMl5yl7l7yZM15zVIVwj4wRfq0plHHnne4dfYNqCcC+VNXWy3+CfmvEWF04mUwLmiSGD2MAJIK3Vyc33jdl2Bh2cOKUqq+xovgifzq0iCqp+H++OieKjDEQ6Nu0dCUr9qvtAa703PAMp+hVz+9Rhvge0GxQJjzsK+grn5eoNZ/hDZUUQcWG8Qp1gZJ0SsX2WXio6uJXzcTA3c1RdjW8+53qXJgHGQ1UbISksvlth+IWzA10GIR+gmRFVaYGMdECu2LLBZugjuqhM/p4Ts+89GK2tgF3S5QnzKIsG/agrUoCqtkSlGHERTejMo0kKw9tRIT0FhdjEJ4n4MkpFI1RG2wyLHKkZCqwJz9EcrvlaoI8if3WQ4ns+i4WXh7mNRi3SDzkrMFBYoDBr6mRIp8RMFutzvTZoKG9iGCmCCyKDk1wQMw6kTFoMCPN5rWBivzSAf51q4dPM5jR3n3ZI4ev0KK6J2Q80GCxIObHoj8kRh/JfIUbLcg/5Dikbrn1KvXKqZLr/3Q5/BARCW70ecIhnH7EeS+HW6NXb4vDyywvw89bNv+KPCHg1SUSJXTPN076JNs/DOlmxVrHaPOtGk+2I2vD18rJYsZQK2gKF8TKrBi0qn1RcUN+84wqhAuS15Xv7S9bAos8DJUmosQh/BObS86pByuGjHzTCO5ES4yZnBR9j2DHuN6atLw9hmNyIpZ60bmVM/Q20obMJO6QF33rJG8XGzoiZu0V4AtFhbvNZ1CE4JNrhd0vHND0wRxBwJb1Tpna5ZbzQbOQ1iQ3daC7EOPeWEi70qmJqOw3U8XC7qzJ5EZvnXEaiv0rL5mkYIDut83GnHTD3T7ruXZbLBk212tii2BiuijOBv+x74qoEF+qWg12VGyp9udolY+bjCMPa26Dbi6aJaAXKxRDw1TIyoFOwxNINOWhUnw+i6LFLiWWQJUyyyF9lzGFEW7QGON+mihJtCVOq/I45iQPfMx+MYMnst7vTmnis1Dcu2UYEH7QPS6IcR2BGEyUOJjKNa64o/UNF9WhsiCvnQ4NMaLH+AyOCFYeBbsGJAjB4SuqWImdWvQse7TfnVfBDg2mrTn8pl4cJt7pZtKFwsN4k5u1H1r+IS1WxfMGeup4nXl9NlMgQ1oXIwsH0yGbSbBBvEOTZFJuAmfdq30riUoFfrt1qfGMl0nBPT9arB+vUNjVZK6lJpFFBxHnS0wp0Xedhdu7u5oF56Kmyxd66J7iiJRFVQxcl9ZFKRtosnPR1SyNTfDiSV3vwekranIYU7yQbkl539/hO41dWhXDqfTdhFLXws+YDfMA96LmJP0KXvVfTM6CdaLGe/lWuEmt1hIg3AzSS2cQMvlMqsTVR5FqNcH8d5CfYqeKTuy7y+QbgVdq4dtvxvFX3JGtlNM2xmRCzeAgG+uLfh2RC5XPGXedJiB7yvf/D8sTqUw9C61xtogdN2OCqirq/Jc27/gUcW8RijUAObA40xWWCxpJugmtSwYC1zSTSfUD0qIMYrNK0M7EmKYo68d6lZb7z5/I0OJSxxN2DWc44MJHZPcHDAE+/lFDpmu/hYwbqECzDKsbjio25wvtaZqhm6p25RKUzXDSwqtvH2m+0KqGocB7BqM09sJfB+573f6VkiF5kpu7O/qn5J6jqM1u0b7SV/nN1iZ2G66BnBsj4q/U3JQHTrVnZI8b2eQJrpSsqQ+oJjqLT4XCHOqTJNdpNpF/c9ceMuLj04TAEhCCijMORJSfKdoScGS2Zf9MMVclN0++qFpKE6Pe8lchK0O/wwo80M1WlmPLmHBOVSbCCTFd0tp/73nJQAlJQsojgnpxp1g4EtAwCIpFwgmzDOqZ+i2lSn9wQbdyqo0GF+4cr5KWyPGlYy6ZJvci99mmgnhlTb1gfT/GWwTfIVpu5O+Jtr7N6ziC78dV4Em137cDQtb9K4tUzql7Nkhw8tieQlYIKy1JAz8pXY3gvYkbNgb9pn+3BlkCIMLz1CpYCbKGaKGPAsryljhWAOrDwSxYClqqNKoxBq6eGlo5OCnScuisFJM7gTth6U11JC96p57Dx5L4+vsYYKHyYlvIouyGt7BBNuG0YaJXG58Pq2fNnnWZFKMMmNA5qLifIu+VJg752cuC8z8IF6gu16Iy5Gnq+v1TDTAfjAajonPNPe1QHUiOtbgnfIGiv3NNw1qM5bv2zg+6AqRVNR1Jzs5t0QfgRq9324fC6/fSu95RbfDdj1N0JmqgvUHO6V2sfo1O2Py9mvaP0TWtBeMp7/jDcm/wGrNNVY0rwhFdeSIht1tbqZ+FnhNkz0itztj/PvvY+cBtC/MqF+Aks/6pJYDMTzGfnX70K2wXjU31KqFgSrDiqxc5m9dY9OUGV7UkHotwiwhzTIzrYj9VvP/YaUpsvJcIAY5d5UgnGJlfwSN8FrUfAFhPfm1Luw8HH1wwq8a9nl60i8WkcW8Gd+72HmwfNmousfrtWaq0lN7+rraCCAw7vGbJkAauBIXbnXXk3HcU+osuOkG1zov8/WlH8GNnvvGDfVsSlf0a3F7EdarnQP6sQb8e/fz9WV3vmsjJobeg92InEsDdCTM3CGysmDDdNhIXettyl72u1FdX6Dt1IW9fmzhjO+Jxx1fNAuj68uDmmws/9wBTdYi9krkrUY7QxeuPtP3O+XuF/u1WUBQ7X7i+2+8O25emaZyU5rmMaoEp9pxRroHZSPRGiuG53xQBeiaMjCBSo5HBIGmQiftj7KzoV1V1a08s5LKahh1fSGz+3z78vqmr0Mj3zLWeRTG6rJPHCh4dC1kG2lxSKJrYdAtWwoMwmLkiJZSpWxe+2wgv+whval1NwldHeGfFpHOXYZTlsvAwXn32wfEBOFVTq0484Ns7ddn6PnVHS5KTn9GN84h4sCC9J6F/SIQmZs8tgnOqfZpCWPG9Gercp+A1z1K8TpuzHf+aXjP9Oc9IVej2HJJVboRdmGWferGAjwOoJ2uFNUryXN7epytPjJpdCf0PoFnYRh791L5+XunY7xomnFcX4bLSI6OzhNZlNnEeVewKz73Csa4Ov+erubfWXSkgPrUBYybkXlFxqw0r5Y+UtZYF/NGWkoFnQesXK/xG5kSh1W+wepxMvSGXfWtdMX+IbJEjLRGfm6FKEZvMan7KYeVWyuCJrVjpPiuVlDVfinkbM3oQ60VxTp6brA22FSxFOfGH4UZfzSzwy4+l3eI5S/H3y/7slZTYGgx+jhofOzugsUifHXrdyzx9L3BIb8czt075TljQlaxYpydOhK9jH6nrCSN6XQYeGR/jAw4dWfGnSNxzrmVe0hXhFCtFxVHV3Z9RGROtT0SdbPfsGXBRE7vIjOAM21O0zwfKFtgYTDFVI3EnCqIbxZYMQ4ZPAEPnou/iyXCwMTv7HeDlIkE51DOXXOhR9KI/eroeZPPWVKlS1906yTMgGVeRWgT4usOTy9Gigydm2v4HqdOKHHKV5Pk5X1V7tP2l5gJjXJqMOMBJ8NcVqbzvRHSJJ88N7P22OImjw3wGH9IDS1Kniyb5xzldIF9CMh3vqxj+D5b02rFa6o43kIhl5H+cUXPAzfS/gKsbv9tuqirwJ2vXhtmKmjMiIKEtbbBsGHTQ69r1ChWx79DcGxME8gqIovC3qc0x+jCQUesk+xbKrlmufOf1V3kCqpHE6FySU4PNN7fW/YL463WSLp5eWHV4K6EpKfHkfX16mll/d/l/ES/08nk/W859wGY8O0qWbrGuZeQUOx2/vbmGl0PFKouGsm61vrqkv0YRCzsaqphl1EN6fv4w3xudVi5dyIim8s8dcXXoOKur3R4XJDFZUQ9WsXvluBCBhNUnndcwL502CXQNvEQtmR5E8oZceIVsa3GQRl4hJc/npLX0F1WKZ+perr3zUfXPacOREGyxh0lVdeL4FK/5jRU3lp3YdqXuDGBIyToFc93HSJNdSVeY8bxMJCBGlc4gvrKBVVqZNKCu0On+Prjxd28sVL4BlAuADsgyacbaLacjUhEVmTzKs+30f0zrMii1gF14FaantbofK+XKj5ExWTELge9ErtMV1MUJDDdzV51PVdxlTPTVNa1fdE8RqHBdm3FhhMlbXhhP5EuSyw2B9eTWeUXn67Qc18r8aniVleeMw4FHJAHdnVXSm0/+QJ9N3Q0iH4U5rOQG7FjCGlKKmhmsd6FPjJpk+AJXHD9tNCLusr9nS9NekOXmGzRx1FzjbO5wo9RlO8X3mExE6jATCwULujedIwSK5jam75Pwo5yeQPLoncyd8nRbVvATtZZACl0QPuCVAHLiFQW0m7fuHd0g36tBJiSb2VOOXrOxHr27Rlikpyhuf2L2r+wwHyrmZ59G44vGlJmC44Hk/Nj61C7Gv7FDYJFwdcFcnJbD7+Si72NGoxMiqn76dzjWbdB0FTZgxxEaF3Elbs9zD69/R0rij64BOBvv/309vfz91fffutybtdYYTZ6JjdSfY5Zsnzwgv1eL9iNsI06wbCIrUT4mp24XUqa5wAT+1xsE5gwC6mo0IzEFCAdV1ICjIv4XpBAfCAW0GyD2XA48YO9A9D7PDZQe31il6jrap7oUph5ro2KXfkO9drJHGLdtzTaO1rXfKRzkp5a7NIOBhuoNL7YpK178fUuFsSCjTqaalKTOWJPJTXYjShAZr+8JyyUT+4neH/HhUXe6//vh6u2KrOb/PcoRyzv+Og9InuRfJTDUcdx9+En5QRJWzs727FLn5smo73OsoM+mS/A7TY4uYcj03XLajZFPAyKvhaYccvrupnLjZcZ15fd2jboxGXNQUOXgRYG41mFdc51ZlXEE+g5JfEa0q199dGFLIpK9D1RA+zEaY2bHordO3pn/kLDOnWDmz5Ns34obrdY5P8uw1GzFjeDDTtFMjwYu+HCO8jpSpeMMBktS3QqCx6w32AlhkGHp466FkWZyVTC+Pbd2xv0m/OjtkmpYUS+TJpKcPsfb9CXiqqR3q0VF5mi/U6daZMbOg7RLXpfF50F07oaLZ1EfEi7QGXsMQIWaHmS4+gQVBMIjj0Ybh5/QAPmWBUJdsuCTeBewGXEAuQGaJVHm0q7AzNut6sd0Dk2fa3woXDnVJBVgVWsspIG7rbEg/HFD44+YTJIp4oCM1tFPwuELuIWUDWAF0totZQArJz/PQHUEkefhOE6TkU/XhB0z1jsB8d3biuoVT2jIy0yTGAwSvzyEwtbi4jGewfwfFmufxR3ZhX9fSciI0ZluY7ad70D3UI+LfJ0BOA1x9ElhsioWDIRsShyCDpFbrTIFpneMEOiyw+RLbjcaFzEz13pwhZmnQ56gqgLERkTKcUJEyVVxXwbLeF9ALskn9MAX2Oe4qywMiuVNDKLH5IC6OsfM/A4xofNk91NLpdZnoLZFnD8/DcisgLfZcbEchvsArYnmtMEj0LBRCKkmUiHdMl1xuc8ix0W3YH9p4TAo3cG78CO3QuxCzt2VW8X9k8JYb9OCPufE8L+Hwlh/zkNbCNLjuc0hUhpoMc3z0RWVByU7/k2wTtZAy8/J9BLioqzZVGm0b6tlon5MnYSkofMUiglmn4h8X0jItMuITHBDmpF0liTFnAaa1JvdVUmmEVKRFNWncRUNdJY04PeJRAhRhprmKWCDWZNEuCVYHcCC6kpSXAI168tVxI9CuvXsjQrivMEbjVZlBnhCXzYFnCCIAnAVfOtie8WtZB1EshllSWIaRDFDCOYJygg0hleUkG2EbOuurAF5ts/aD5Pgfc6gzagSSC7djBpsHaJtUmgz5fl+nUaH7TO5sz8OUmjMaKzuLPieoCVjC6qdZJrDlApUfGr3LTz8UebtdUBTM3K+fnjO0cccFD7kgB33eTjdZDrwF4wTlPYMDpbpNhEtohZnL0LOIVuoDNWQpJilkTUsXL9Y65NOWjmHwm2ViQJbM4WNIUZo8HRXNCcRSsY3YXNRJpTUsi84lQTmYLbHjhbJpBNstQbbKLO/O9AD2WQRwGs6JJpo3B8T0gLO4HGp2iZitUqGa81dCJXieSry8x3RzwBdKMoLhIokq4UKBXa6ZTrzUoynbkJs/Ghb7HCSQ54PlIIGwPy2s23jw2XaYNF9DnHuTbzSsUaFlhDpW5WUAqoVXRc4+vRdU1ybLAwuWERf9j1qZ0G9sFc4jyPfQdYHjusWrcOSvAWsSIjSsoiSVciCziBmcaKLE1ypO94lILN5efo7ZlKHb9lKSt1qVhkoBwbZqro2WecCRqvxU4LVUedqNPAheLb+G4tLl3X02zBZfTnvAGeIOXf2rzRpY4FmkDiWBs6AarRcxO4XCY5umKZ5AKXUsUWYMW8Wqa4ZgXTJIVYKHSSA5tiDoSgBporRYcbXYa7BtCxM/4c1NjpeGKziW2BJKkok24AdHRLVMbXjKRiyywwj+vBcDeCqvhvVpm5obzRwUadTN2CdSNekxyyBIWbfiZObGHgwcaWBmXmHEnR0cVa219mZBWrzn8Amt6VLHogoKSqWCoszKDnbgzImySA4z+9rhPZx4+9KaARACu5zLAuIw4M6IJWODZURTFPod8pSoAPrutoIuDxmWwhx23h2oEsVZ4A4/iOTJ3AN6ydbzhBPoCmsRMB3MDjBMaJpl/iH4BQg9ZoUBOYUpotEwheXcb2smlFUtwDRfLoirRWJNQVNwJgE2/EVhdmpaN31VwTEbtQIjgt9qFAXZPO2OSbpYl/rBzQ+BG9ZqZnbLjbMnq31iqfJ8lDrxRP8BZWmqosZ7Gr3pOMragjQynYYIg2uIjtDV5nTGiDFwk0gzVTJoUavi5FgtZNRqpKxHSzhtqiBTqKnldGoveVQIOlm+yRhMPyPmHOcnShaM4MusAq990MNbR/D6PjJmcl5NLYhFAAA0P0EfQ3IJKjUKlOkw/BRDrOXRUll1s6GCx4kH8LWUVr6n3kGbM8dD4jmHem6JLeoQL3Gy20sVixrPrDQJIjyZmG4Qz16n7roYES0lVZSmXQsPEoQpsVNogZVCq6GDsKD0jLvc8QihDjvdXRoICY8J3dR/pCcyZST+TvoGpX6+KpkZFLalZUzdrP65WsBi8aQoKuqWrGERmJSqw0RW+pwTAR3N1V3LDg+Ru51C9vXNnrC3TpR3ydIbMKTCmCZsDvqR99DGgL9I6a35kRVIf3eXiokzBvASO7m1sEiztiNcWKrGZMsCB+MHN3gv7aPfEJszAgGeIlx5WAWb/LCua41k3cww3ce/3a99CUvh13Q1PThNvPLx4x9u1GZBFrmo7rvArLog/0zsCtGHMXTDGNekQgtYPr3sGEasFHJl5C99yE48Chf66mBin6paLa7GnafXq28v175TuVAcbyuFWdxO57pJq80113yj6cHEYQG9v5OXRo1z8HKY85+//wfEO72PVlLRRg7fDZAKshXhLvPY+wfVzmWFPk0rUbbNDgVjW75L/xOPiKZhR8g7lUrn19kI0IYY00pTDuDO+fV6Ww0JhMMN530GHaLS1A7W0PDakUTEDbh3RJVcGcujEV0u2SbjAHWzNOlxRxuqYcYa3ZUriNa+f1h48+tGR+RPkN6+856fNHmfRsMasE+1LR/phEHL58HXxP65h42hSUWqNhubuQRApBIbcCbZhZjQkKhAKVIY3GruhJ5UX3Ni0sO0GeNE8Ul0tGMEcWgxHTB7B4XOxgqZExjY/Hu3K11WH0OulsG9nLao39wGPOsM5WMrlN4Iy4xlyDWSrtUCMrFbsjeML9AJC7NBZbeNP8IBbCKVazc66lNcR37tslBMvRr/4bM3Quts3/BtAN2PJaGITzGZFFWRmqwmI4iRvfEpbOPPumvxcwY3FnQ5j5W/XqT9//2dq+l53tqDn2TRBtf06zuBGzYx03eEsV+ufGJ6dfejQAufCtj13/k/7MixbnnVO/dz9OTF4+JNue9Qem2HVm6N1vH64s7VRR5zwBf2nONFG0xIJsrVbp1TPezwVBwKEz9OHtz+hamB9enaHrd5dX//kz+ngtzOsf0fPNaosEZWZFFSIrqf2oNKkUJQY+9f3r//XfXjwLcoSaVUIZ1+cHyNRZgcPjeHTi03fPa37rzuJ1jVT4iudPC+mubDqA+YkN445+4EP49hTT1jr5xJSpMEdvzt8Fkf1DCprOl3Xayfg/UtBZmLcW3a9GhAIhh4UnbMFTfIP37MMSG7rBjzAiHU73DTrPcwV+WnfKQ+g0Ty8pylPjnA+NhVxfvL1xr9JoeKzAesLox45TyWmq/u1G1zcWlRHvl+XhiZMgovDQrj3Ow1oTy9x0rWkFRAddnOfMfhjzNmDbmeUffucmPADWJIQLLv0Nv9w9AgNU2lzrJHrdsU8aRu88hjdSmUYkD4RuDgE22ABmtoclr56Y944eJpb1Y1KT9XaM8YKG7MapvLgeO7B8sdaSMKtyOr/RQMdBVi4rLJZ01phORIoFW1aK5mi+BZhU5JA1FJYz5YmtBwZFoyPacnDRRYJ+Bzyi7t8t4YruAFC0kIZmPrM7fp5RfNbmQmc4c6n4CUCXRqUBvkhwJBYJqoV5iuuQqv9JmYCpOM9qT1w6tbxvwVs6Zv3Vus6ER9Bgr8yKKkEN+rAt6Rn6WD9jb8AB9gO6qR1gg5fgtzFNrR7VM4EyMWIa10h7v/gZwpwHlYmy/SAkuGEFiXlrquwbyISRSBt4zJlAH69HBQqBBNlk8iq6yLZAZZlg7JsFrKiOndFrwSYocXEvYuxUdPC3J8DWjVbIOBXL6JMiAWerfCTUQkc0UKfyYN4JwAhEIJ1ggTD6RaoNVvlwTjdC50tI9lII2xt/B7l0c2o2lIqw6hm5a+J9Y9zSYN4N1TlkELSMh8yIAYVM+DxXSEsomLFiyY/YCJO45lhMEcc/wkFZJ4h0XJQDAnddlm0kZW0t2CUYsLsvT+xIJSXQhWAdrx/ccRF7rAwjFccKQb9oVCPx/Oru5zdyKReL8PR3SjKzosm3dwfZD3ZBdxs7eF9ZvC2655VZUWF8svgo2rqK2TnhuIQet+Q46h81VaMIy8oQOS2n/ZLjCN9WhFCtR3CGzuOnNUc7LfEE8EJWxV1KtUWBwoQBblMIpx0caQ9HK5UgwKdLKey7YuVWSDlsvogGitIuVet4/ehG3k2MXNdSqBngjOYNPd4P09OHmUCamSogPxEUF1Avoj3UFdYI57K0r4tZUaaQ3Ih2yxzjDL6TQhYjebUwk0Mz16J+WiXCKvdM5Fb+SKUbBmD0C+MUnXvEZgM2HOPsFQ1h7k6OJow39D9KusIoC2591kJcLoRoDDAiZr37Axjh8vVufb1GbE6MJ4TOZcrqgQDxc7rCayYr0C6JLEolCzaSoUinRu5K4DmHIrIFutiPGxPrRuwkRLKP4Y7WiYII7GAYdbjMCQgG1m/wS727nVe2vW+jx64ts6yE6ZezxdbocygDz8gpZv1RWhC8x0sqqGKkJgkYAol+/dQCZlbw1IZmuyGP7Ix8P9NGjQc/a5pOabv1aDS92k+TVy/cWgnpCpqmjRFuWEG1letO21O0pKNBJL8L0ZpCHNwIaDz4wG1QRx6tU3p3P9rR+uE4mr7PdLQhp0eT5h3Ghygc0AYUtwLhCGHw9VL36iB1atK9cxctCm3q8M5F66U6jQA5IMcbAfL1HscfDm9ZrNEG02zZcfJRTSpBYt6xI+THpMcxJm2Dw9go9VCC1vNTR6/cqcwqK6hZyUeIkuAdTzJyaPiPjW449FJSMqnXaU9U573k3l9rEdlzLhN5Qv5z9tOf/oSev7k8v3mBLpk2TCwrplc0h1L4IC5cLmXyvkD7ImGQLbtwePhthg+OZIwpmdiruK/+0+5qCIPmxoBHPtrQ5/tcFwJp/03db8fxBziFYqZYhNqkt5limMfqTtcj5D3OWaXdCkgqpFnBOFZOPFmxae8QgXc9XF4F91yzfMpOI91M+Y/2INRexF5fzPaSp6uzOBf77jqENXylYcf/651E8JvBWfCOG9opy8jDrkypUiYGDEI2wGqplliwP/ZkVYt0R+FYZp/A6e6ZGmH3gqlgLWmirj+/2OXgtXAtvlzvop2s5l8p5mZFsKKoVDSXBRM4WHDXEU832DAqjD6YHs/xlNS+wY9KrGv9SMtEB9denWdWcJVYGWiG1JK6X6xO2OzIC5tjJOqC5lRhQ/MsWlLZnvNhhc8v9YpN8OxGyTXLm+Zh/nO4LLnXVAcHwzf/sc/ark4bVnBaIlk+EZXNkr7Xn9mOkBkcHgqZk2vmouervuI+0gKuUTpjDgW/r+ZJ70Bn6nypUwm9DBDqdFTQWLFG2kjlJL6FVlCDYbVn8KmZ/dSzMPUFy3NOp5Nyb2G9Y+VcYHs7cu8kOVePx5iG3Bu/WqfDkNjW0dkzVHJst8y+z1IhKojalmNefkiFnMCePCKDTjW25a9SG/QWkxUTIyZdjhNJjm/6vP4oINO/VNSKD6sfuSZneobe5LhEn+A/Tj/KpXB1p38bPp5ohdfUak6cYoW+VFRtEfQg1KUUmtYaVbg41dKbwXemkZe+Bx6xkBWru0AKR77ryzeOZ03SBKi2B+i9b456LKYw5Smtw6x/xuvW0jtNjKxt6B9eppGqhAjasfqseXlc5Nm1kRqpsfMQM29hpt8IjDZM5HKjkS4pYQtG7G/OQnWCPk92eEEseQ7fNucGPYeOsFSQ9hmC0OWLDrdQJeAdf0OXmGzRR73b+LaJwBb9Qtro2bV2hQkM9pHXvmtqASpQqwaHzL6IA443fQAC1f87laZQzjNk3y7Z6RXqse68Tr0OUAwUBg+a/84JxE6T1ztGqs/w9a73WtZdAenjXUCH1EzjsGsCBrt70yZkum0Y7FC4IcXh4mcoG4g5EnC0wg1IzumCCe+rB+EEXf0KXI40HQTsTioUS4Rb64DpqX+xBWPjs01Nu++lNNKbsvFhG4PJqpi4BX67KjAcDayj7nYkGfIyZyLeBLGod8OSDEWFaR/PgJDqlu3Atrg22m15f2Bq5wDrtG/fAaxLrOozZX981pKyWbFBK3Vkb4e1ZV3y+1HkmegzS1xbC6m26Tb8X3SJxb8d7BhTI7LbRb1Wz0NPk2XLv7wE6AdoezSVaEBV3W99P1WjpyCjwihZniI6clnNB86Fo864X9Na2/RAOQLg6Ko7pr2HF7Iosdg29xGuHYzTd/bKmir7DGVMLGRYKcD6c+oaoQPyo2dF1phtaNqu6IsvqXIEfqk436L/qDBnC0ZzdAl1z845GERlQ+cZkfIze6Sg++90jtz6rf2M+Zg2H73bbBsOLysDKveJI0wP3/X3zRJ+yo53Rzuf/Ax92JaO9NZzYJnjdnB88xRdZFGbyfbQtjg4R4R6pkNta/vITOGqa5TLXeycZ7GUqvb2Q4j5/ZuRLe/0yol8nGpelGnnEO1hhV35oOe+RlNJmUgT2UXKrmP3A5XYhF2TRGRYx4z2dwArX04fGXKleMRt7kCNuCuNMZpVKpY3pANTU5XhZTybsgUd/XnaBR01/XEXtD/1CQQLvTNUgGoV3zix8KOd5kbRWynaS5WJrVG5JaaoJdyRuR9gWVCvXvp/X3gUXvp/+LymkNsfc6rC2XmenEeMnjtiusFz8Lh2Rq0NyMn9QDRrUjGxoEqNxF2HdE9CV1fxP8j6oHt2AiTrvsSLzjYErhSEtWXSKxVYYrLjd+Xi9vbYfYAMYtX90V/pMEFrfOAnK1dUTeOPsDq7z3h6fgGjH1+gC1g/jBpVZqJmKSN8vqDKD/+kO1mYe5rz0qSh4w4jOxtuF32mO52i9+40++NUr+T9W6OEdxvdsj/C3hr2OZFMuf7rFRJ0KQ1zG1iusB6ZAKXJ1G2FOlvpFh8fLmi3OtkEqEGCS++M1Y3T6/qbcEKKZsspKip2+xs1Uw8/jA5attKEaV1FVzoBMiRLpfPWPSyGAhhSpZL6QAeb0pWeV3ZxdAvB6X3SaZIMiaYzuI8iP7+F1M79j1FHep6G5P2l5x4cx0Wo1jxbp3zR+yFV78gOIpNn9ujhKnqbRp0KMPtMvUWdqLnBN+24ku6DBLL1R6QhXicVur49/+v/5e7qehs5ufD9+yu4TCS/idSvm64qudluN9Kma7Ub7eXomME2MgMjYDzOv684MHg+sLtKZsZVbxOZeYDD4QDnec7TiqzcPkU+yzPVV05oJ2JSvwbtl1ql0aIbojtG9+ZVl8jf5oSn1SBLFZ2Lep1RIgzTQEMJwpMXvBDlMs0HopBXCHI9jqgKcvbQgJgt2Gq2Cp9tlAcQPPeGmADRd4SzqVpfcoQ4Ynv2YvpueyTLbxJIR257Z21pMo41aCdpGqdyigGh8C9YTXwrG+aL0ty+/MOKoqooJtWJ+0bcHke4EEpT8GuumeifNMe+YqkFyMyYaxW8dV/2Pvxr6G3D0Uqi9VTjrFR8jrTqFGCPgCACBJU+DeCw0h1IORDOmFpuKnwVgZx5s51JtjluLKHm4ddPyz/Cvnff+3zcUKzS/bv/0TXbuNlnByWqqQZg2dRxlqHOTayM3ZTzrSS3htx4EOYW1TqQ2NtU1O01TxB0sjeimsibfQpYnyW3IV3grks6ODCNmQKbShCqJGWldQflv/wcnpFXqOspva8feHdgb0poO6Cl0pYoN74ff12mUnCTwz623Sm9nT/Bsk8w6FyxrsGLnSSFYn7/7fPqcUWe4Fhwmcey3ulpdX2bPQ2zU0TxTLdCNwa9u9StGD6lKYujp2d7lmO2mY+weW0SftPlycOOzmVZ8MqP74NKb0BxEaGYb1KurBXQ9Lj4z/OGIzFH5sNIcuzVjfcl7gh9pezGUK4aT/HxUbfw5N4FMVUiRR0MeWesVnL7y1oA3QtuLMvf3Ye/LeJ/udwwmv7XhmtWg0gGMrAWrd8QkDkxipwxS8223Fj94k72czqLEuwuiPVHDKSPYQASL6XmgumJ0J6vRZVuqZDHeDIiZ9K2clJON+6GqruqWGsmRPs0n7b0Dp5u+v0HXAK4Yh9co+Q5NNreWIfrpCc3x3snlvODcwEKIUtJQGuI+fc53yCN1ba+QzQT+NYT5hh5rakoIFw4jgTtC2av0MpfVWjPrjuVjOANl70ftxVg6Y6ZZPCqBKcvWfNiOHwYfANUFAeKj5FemcJDiRKD3DQKJHdkeQAu8J3slH1PvscVDmt1SEZZHdyjjbENqm8n6G5UC8iD2EGD+IPShB2hKAVbkD8VFFxukVdQWZSFaiqqppCvhaJ7lmfjW0jfGjTS608k7LZlrJmDHLCcmYIfLk9BMMJRLaeZgBqz67H9hftjSDC37Gjvd7YQKTxmB5nZwXc//jQGmo/sSHK+ZcY2/qCr+pBe9nDIcmZ99d/R5jW2GK4GKFW6VRWGgLT8wHVlCJNbLk8FVpDZwqUp/c+TbqCCcZwncfs9XsoJQUrlBoh7UoCsQTorbKkRkZvV8/I2GKiJzzWlVkfuIjiHG5yHsJWWLVpf7KihIGW3fG+cgqLMcm5KZfggan2L+8X3jDbr0ES8GIsgIoTqt7JlfgCUQHgCUbvge6VVM483y6fVrethCTraV7P3+aIwj3HayIZhBsXPhIJbuORBMJAL1y6nXFW4lz/LvVR1cordgBQew/D+7pUj8rg5fX4xKKUWvta11OXT6hw6Q5UezYVgY30kmAPqEPiACEOKyE33sW7DX3GTWXMh3EivBcikE8/BAmWDsgBvgN0ev2gJ78ECecDveJceyICBB1oZpv+PfH0fk2jYbDhN4fUVDPsn5zfADafiuFHGp2hfq9tWUjJx97+/AwAA//8ypVmA" } diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml index 88f1d922df1..5e9678f9adb 100644 --- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml @@ -126,3 +126,9 @@ default_field: false description: > The WebVPN group name the user belongs to + + - name: termination_initiator + type: keyword + default_field: false + description: > + Interface name of the side that initiated the teardown diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 9f144579c5e..5b4432fe41b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -5,7 +5,7 @@ "cisco.ftd.destination_interface": "Inside", "cisco.ftd.message_id": "302016", "cisco.ftd.source_interface": "Outside", - "cisco.ftd.source_username": "(LOCAL\\Elastic)", + "cisco.ftd.source_username": "LOCAL\\Elastic", "cisco.ftd.termination_user": "zzzzzz", "destination.address": "10.233.123.123", "destination.ip": "10.233.123.123", @@ -34,6 +34,7 @@ "log.level": "informational", "log.offset": 0, "network.bytes": 148, + "network.community_id": "1:9aBQ+NznvYals1agEGRVJm37dvQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "Inside", @@ -49,10 +50,14 @@ "10.123.123.123", "10.233.123.123" ], + "related.user": [ + "Elastic" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "source.port": 53723, + "source.user.name": "Elastic", "tags": [ "cisco-ftd", "forwarded" @@ -87,6 +92,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 200, + "network.community_id": "1:kV/6Jt4iMhVyUT1AW+UO0itOhqU=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "Outside", @@ -138,6 +144,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 381, + "network.community_id": "1:7nrIUULEgk5A+nhbh4kNmEkwL3o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -163,7 +170,7 @@ "cisco.ftd.message_id": "106023", "cisco.ftd.rule_name": "Inside_access_in", "cisco.ftd.source_interface": "Inside", - "cisco.ftd.source_username": "(LOCAL\\Elastic)", + "cisco.ftd.source_username": "LOCAL\\Elastic", "destination.address": "10.123.123.123", "destination.ip": "10.123.123.123", "destination.port": 57621, @@ -188,6 +195,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 545, + "network.community_id": "1:LM0R4Wi8tEf+1pe2ukofXQKxfMc=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "Outside", @@ -202,10 +210,14 @@ "related.ip": [ "10.123.123.123" ], + "related.user": [ + "Elastic" + ], "service.type": "cisco", "source.address": "10.123.123.123", "source.ip": "10.123.123.123", "source.port": 57621, + "source.user.name": "Elastic", "tags": [ "cisco-ftd", "forwarded" diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 21e4da22dbc..4aa3fad3d8b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json @@ -26,6 +26,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 0, + "network.community_id": "1:ygCOhTlTMVGn+PXlTgyzRveBJ9g=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -84,6 +85,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 150, + "network.community_id": "1:aH+Rcp4nenimMGZQ733uys/x0js=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -145,6 +147,7 @@ "log.level": "informational", "log.offset": 345, "network.bytes": 38110, + "network.community_id": "1:nawleoAMDhKg7pshv6H5enEaKV8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -205,6 +208,7 @@ "log.level": "informational", "log.offset": 535, "network.bytes": 44010, + "network.community_id": "1:XqwLVHNEt7Z1fB2ZZXj1piBH4PM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -265,6 +269,7 @@ "log.level": "informational", "log.offset": 725, "network.bytes": 7652, + "network.community_id": "1:Q18EvtK0EmoGK6hViBJu2B9syjc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -325,6 +330,7 @@ "log.level": "informational", "log.offset": 913, "network.bytes": 7062, + "network.community_id": "1:k3K4xSa45aJwCWLM9eIJsqCydLQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -385,6 +391,7 @@ "log.level": "informational", "log.offset": 1101, "network.bytes": 5738, + "network.community_id": "1:Qq/qwMDt7lmCdvQnPYJ86wHp5mY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -445,6 +452,7 @@ "log.level": "informational", "log.offset": 1290, "network.bytes": 4176, + "network.community_id": "1:ezm9yQGN1cdh1QEJ2nw19295QfU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -505,6 +513,7 @@ "log.level": "informational", "log.offset": 1478, "network.bytes": 1715, + "network.community_id": "1:dV1ILqqOHNIkUwdYUt2iodkCTIg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -565,6 +574,7 @@ "log.level": "informational", "log.offset": 1666, "network.bytes": 45595, + "network.community_id": "1:M9jSkRNBaw+CV8aYYGLeh+1c4LQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -625,6 +635,7 @@ "log.level": "informational", "log.offset": 1853, "network.bytes": 27359, + "network.community_id": "1:kcIahkhuYMj1cJNDgmYdpgb8b5o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -685,6 +696,7 @@ "log.level": "informational", "log.offset": 2043, "network.bytes": 4457, + "network.community_id": "1:Oll9UOQVtF14Vb1gAqDgbQ8GVN0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -745,6 +757,7 @@ "log.level": "informational", "log.offset": 2231, "network.bytes": 26709, + "network.community_id": "1:SRok/PbYRZCXwEJ9MQDvhiR0OZc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -805,6 +818,7 @@ "log.level": "informational", "log.offset": 2420, "network.bytes": 22097, + "network.community_id": "1:agnIkBJhbPXkAM0Ai6Q8vvm22FM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -865,6 +879,7 @@ "log.level": "informational", "log.offset": 2609, "network.bytes": 2209, + "network.community_id": "1:dyOBaLTo8f2aK6FSqmPQ8iEKQCM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -925,6 +940,7 @@ "log.level": "informational", "log.offset": 2798, "network.bytes": 10404, + "network.community_id": "1:JG3x+PLXI8vDNUP0xc2b7cGmtO8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -985,6 +1001,7 @@ "log.level": "informational", "log.offset": 2987, "network.bytes": 123694, + "network.community_id": "1:aVhOiCMAQUL3DYMg+b1hd6++Tsw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1045,6 +1062,7 @@ "log.level": "informational", "log.offset": 3177, "network.bytes": 35835, + "network.community_id": "1:yvanaru1i/rrH9fF3MeSmHfJVH0=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1105,6 +1123,7 @@ "log.level": "informational", "log.offset": 3367, "network.bytes": 0, + "network.community_id": "1:h36yIuCF0zHqn+9q0Z5lLEIz2FE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1158,6 +1177,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 3552, + "network.community_id": "1:tCQw5Th130a6dZONq7h6PjILJZY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -1216,6 +1236,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 3703, + "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1276,6 +1297,7 @@ "log.level": "informational", "log.offset": 3896, "network.bytes": 148, + "network.community_id": "1:kcCQj9lygM48oLeBgvoRv3KlTuA=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1334,6 +1356,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4071, + "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1394,6 +1417,7 @@ "log.level": "informational", "log.offset": 4264, "network.bytes": 164, + "network.community_id": "1:bp0GOEdY1zkuA4pQN1jtkfjom00=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1447,6 +1471,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4439, + "network.community_id": "1:IqCv9QrYpJkgySoRM91LE2Ao1Ug=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1505,6 +1530,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4589, + "network.community_id": "1:sxPO5rXtxG30Oh+QP2ncQZ0N1U8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1559,6 +1585,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4784, + "network.community_id": "1:MZcBg2aQ/SdpVmPXf2Ze+Ng4g9Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1617,6 +1644,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 4934, + "network.community_id": "1:G5HU7oEz3i/eGfSUoq5HuDVo7u4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -1676,6 +1704,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5129, + "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1735,6 +1764,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5326, + "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -1795,6 +1825,7 @@ "log.level": "informational", "log.offset": 5519, "network.bytes": 111, + "network.community_id": "1:H8tgP5tPUaaz9Npdxb+q+3ZYoN0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1854,6 +1885,7 @@ "log.level": "informational", "log.offset": 5696, "network.bytes": 237, + "network.community_id": "1:Sj4w7IG06WsDGSPRXBX9NS6LDEY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -1907,6 +1939,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5871, + "network.community_id": "1:/KJCwT2FUqlgb+8c7f4b8fvqWFE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1965,6 +1998,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 6021, + "network.community_id": "1:gFO9U+lgj3sty9R349zScds2rBg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2019,6 +2053,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 6218, + "network.community_id": "1:kpfWE+K4tPLbC1LWM9M8v5zQqyk=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2077,6 +2112,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 6369, + "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2136,6 +2172,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 6566, + "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2196,6 +2233,7 @@ "log.level": "informational", "log.offset": 6759, "network.bytes": 87, + "network.community_id": "1:PmwiqFgdpl13iRx/dI+XAUpFScQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2255,6 +2293,7 @@ "log.level": "informational", "log.offset": 6935, "network.bytes": 221, + "network.community_id": "1:HgVBFZOMW/jvKdEmq/wc0JyLnZQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2308,6 +2347,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7110, + "network.community_id": "1:J8j4D9Hm6tPmF+enIkcOgaYzEg4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2366,6 +2406,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7260, + "network.community_id": "1:2VKYvyM6qODR0XAXnVUFrYSP/IU=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2425,6 +2466,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7455, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2484,6 +2526,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7652, + "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2544,6 +2587,7 @@ "log.level": "informational", "log.offset": 7849, "network.bytes": 101, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2603,6 +2647,7 @@ "log.level": "informational", "log.offset": 8026, "network.bytes": 126, + "network.community_id": "1:xuWnph7S4x01QQURwZz62YrNdQQ=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2656,6 +2701,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 8203, + "network.community_id": "1:TO0ui5exOUfDCukU8mR9bJIjkLY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -2714,6 +2760,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 8353, + "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2775,6 +2822,7 @@ "log.level": "informational", "log.offset": 8548, "network.bytes": 862, + "network.community_id": "1:/NBLcipqeKvQyDqtEziGtIMUQTs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -2833,6 +2881,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 8733, + "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2893,6 +2942,7 @@ "log.level": "informational", "log.offset": 8930, "network.bytes": 104, + "network.community_id": "1:26iZkkyLxmu1X9KqcswJINmTCPM=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -2952,6 +3002,7 @@ "log.level": "informational", "log.offset": 9107, "network.bytes": 176, + "network.community_id": "1:Aq1WnukJ+GNVqeRryOc0YYsSDos=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3005,6 +3056,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9284, + "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3063,6 +3115,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9434, + "network.community_id": "1:2YT6PqWSIyoyRYVbl2cIXiGcMsw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3117,6 +3170,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9625, + "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3175,6 +3229,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9775, + "network.community_id": "1:XheyUG03AcgRSOyMnpafZQNi3wY=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3229,6 +3284,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 9966, + "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3287,6 +3343,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 10116, + "network.community_id": "1:cKgOVwHWv3CzYQlpMkVbynKHE30=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3346,6 +3403,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 10307, + "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3406,6 +3464,7 @@ "log.level": "informational", "log.offset": 10500, "network.bytes": 104, + "network.community_id": "1:+QNGALKBnl7iYd1+qg3bg2IJyho=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3459,6 +3518,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 10675, + "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3517,6 +3577,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 10825, + "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3571,6 +3632,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11018, + "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3629,6 +3691,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11168, + "network.community_id": "1:wH3OQfGQv6qlex3KDY6fleRZ3W4=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3688,6 +3751,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11361, + "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -3749,6 +3813,7 @@ "log.level": "informational", "log.offset": 11554, "network.bytes": 593, + "network.community_id": "1:YysjQgUCP64UYIQdnFMFxvopBMw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3802,6 +3867,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11738, + "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3860,6 +3926,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 11888, + "network.community_id": "1:9aaIbdVfxtctEtHtisDVEKYc8wI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -3920,6 +3987,7 @@ "log.level": "informational", "log.offset": 12081, "network.bytes": 375, + "network.community_id": "1:+y5eZK0soO9pFOh5l07R/VVpE0Q=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3973,6 +4041,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 12256, + "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4031,6 +4100,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 12406, + "network.community_id": "1:CUxMKGQ8Da35o4Z5ZJ3cqjyBcjE=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4060,27 +4130,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8267, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1454 to outside:100.66.98.44/8267 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 12599, + "network.community_id": "1:Aj/XpM3jpqRdnliZ41V6x4P43+E=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4089,7 +4173,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1454, "tags": [ "cisco-ftd", "forwarded" @@ -4122,6 +4213,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 12769, + "network.community_id": "1:24J8khLuXWoetlU/J6WYj+4RnIU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4180,6 +4272,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 12920, + "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4209,27 +4302,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8268, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1455 to outside:100.66.98.44/8268 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13115, + "network.community_id": "1:92e0i/+rET9QRb4OJPjo8ombnho=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4238,7 +4345,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1455, "tags": [ "cisco-ftd", "forwarded" @@ -4246,27 +4360,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8269, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1456 to outside:100.66.98.44/8269 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13285, + "network.community_id": "1:zO9YefYViVlpEmjk0y/xJ+kBVQM=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4275,7 +4403,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1456, "tags": [ "cisco-ftd", "forwarded" @@ -4283,27 +4418,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8270, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1457 to outside:100.66.98.44/8270 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13455, + "network.community_id": "1:04tYx55j9tCWtjlaXaCxE2U8b8M=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4312,7 +4461,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1457, "tags": [ "cisco-ftd", "forwarded" @@ -4320,27 +4476,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8271, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1458 to outside:100.66.98.44/8271 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13625, + "network.community_id": "1:1MUBdAvjCABqDQE9IfLWai42OhA=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4349,7 +4519,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1458, "tags": [ "cisco-ftd", "forwarded" @@ -4357,27 +4534,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8272, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1459 to outside:100.66.98.44/8272 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13795, + "network.community_id": "1:Q4mw5/UOrraSXyucLYyaom31Os4=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4386,7 +4577,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1459, "tags": [ "cisco-ftd", "forwarded" @@ -4394,27 +4592,41 @@ }, { "@timestamp": "2018-10-10T12:34:56.000-02:00", + "cisco.ftd.destination_interface": "outside", "cisco.ftd.message_id": "305012", - "event.action": "firewall-rule", + "cisco.ftd.source_interface": "inside", + "destination.address": "100.66.98.44", + "destination.ip": "100.66.98.44", + "destination.port": 8273, + "event.action": "flow-expiration", "event.category": [ "network" ], "event.code": 305012, "event.dataset": "cisco.ftd", + "event.duration": 30000000000, + "event.end": "2018-10-10T12:34:56.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-305012: Teardown dynamic TCP translation from inside:172.31.98.44/1460 to outside:100.66.98.44/8273 duration 0:00:30", "event.severity": 6, + "event.start": "2018-10-10T14:34:26.000Z", "event.timezone": "-02:00", "event.type": [ - "info" + "connection", + "end" ], "fileset.name": "ftd", "host.hostname": "localhost", "input.type": "log", "log.level": "informational", "log.offset": 13965, + "network.community_id": "1:4DSy4gkfywR/vYGwMX8ni9L8xNA=", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "outside", "observer.hostname": "localhost", + "observer.ingress.interface.name": "inside", "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -4423,7 +4635,14 @@ "related.hosts": [ "localhost" ], + "related.ip": [ + "100.66.98.44", + "172.31.98.44" + ], "service.type": "cisco", + "source.address": "172.31.98.44", + "source.ip": "172.31.98.44", + "source.port": 1460, "tags": [ "cisco-ftd", "forwarded" @@ -4463,6 +4682,7 @@ "log.level": "informational", "log.offset": 14135, "network.bytes": 575, + "network.community_id": "1:pux42VCSy7BX42P3cpyd4c/X1M8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4523,6 +4743,7 @@ "log.level": "informational", "log.offset": 14320, "network.bytes": 5391, + "network.community_id": "1:gufBCDdtvRqSstVTarndQuv0AHg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4576,6 +4797,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 14509, + "network.community_id": "1:mWEQuMzgDppOFGfUpnRU2SOVLC4=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -4634,6 +4856,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 14660, + "network.community_id": "1:WPQ7PgW0xK/OsH/dwOA4osO4W+M=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -4691,6 +4914,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 14855, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4747,6 +4971,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15020, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4803,6 +5028,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15185, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4859,6 +5085,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15350, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4915,6 +5142,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15515, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -4971,6 +5199,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15680, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5027,6 +5256,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 15845, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5083,6 +5313,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16010, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5139,6 +5370,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16175, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5195,6 +5427,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16340, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5251,6 +5484,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16505, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5307,6 +5541,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16670, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5363,6 +5598,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 16835, + "network.community_id": "1:m3G8lpFOBxFE7qCGywbpUdjPFfY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -5416,6 +5652,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 17000, + "network.community_id": "1:ZuhnndzENnR8d8NKvStxJffM+XM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -5474,6 +5711,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 17150, + "network.community_id": "1:7t0ua2FV3S8YYwDwaXzw5Tm8M80=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -5528,6 +5766,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 17343, + "network.community_id": "1:ZhyIop0bR8c1qT9K7cSplqrW0ew=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -5586,6 +5825,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 17494, + "network.community_id": "1:vvawE2mM1hKl2WU/GmHBmMoI3G8=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index ab324760e70..900923811c3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -74,6 +74,7 @@ "log.level": "alert", "log.offset": 0, "network.application": "dns client", + "network.community_id": "1:yuD3M7UhwRSNitDpAnWcqzEC85c=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -185,6 +186,7 @@ "log.level": "alert", "log.offset": 658, "network.application": "dns client", + "network.community_id": "1:eDcIGG/W1UcwGWzaTgv5mgr2RDw=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -294,6 +296,7 @@ "log.level": "alert", "log.offset": 1371, "network.application": "dns client", + "network.community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -405,6 +408,7 @@ "log.level": "alert", "log.offset": 2047, "network.application": "dns client", + "network.community_id": "1:F3IHQYMd3DO1p+rWBITDU1/XCgA=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -515,6 +519,7 @@ "log.level": "alert", "log.offset": 2766, "network.application": "dns client", + "network.community_id": "1:1SqTqSDG5492OiLhDUMOi+wnDYs=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -624,6 +629,7 @@ "log.level": "alert", "log.offset": 3449, "network.application": "dns client", + "network.community_id": "1:eXdHUOdHk5dGXusvMEGcWj9ywPM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -736,6 +742,7 @@ "log.level": "alert", "log.offset": 4125, "network.application": "dns client", + "network.community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -845,6 +852,7 @@ "log.level": "alert", "log.offset": 4878, "network.application": "dns client", + "network.community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -955,6 +963,7 @@ "log.level": "alert", "log.offset": 5553, "network.application": "dns client", + "network.community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1066,6 +1075,7 @@ "log.level": "alert", "log.offset": 6269, "network.application": "dns client", + "network.community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1178,6 +1188,7 @@ "log.level": "alert", "log.offset": 6983, "network.application": "dns client", + "network.community_id": "1:ZllIE5YNb+12oKtX/tP/gysnSuE=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1283,6 +1294,7 @@ "log.level": "alert", "log.offset": 7672, "network.application": "dns client", + "network.community_id": "1:oGBN4YWsAncmtqDJ1onnQNRAEnw=", "network.iana_number": 6, "network.protocol": "dns", "network.transport": "tcp", @@ -1393,6 +1405,7 @@ "log.level": "alert", "log.offset": 8298, "network.application": "dns client", + "network.community_id": "1:+1CCqUYePM8bXFUXWVeSSjL3g58=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1502,6 +1515,7 @@ "log.level": "alert", "log.offset": 9010, "network.application": "dns client", + "network.community_id": "1:f5P/ntfU9KchCtCfWHT0mYDOHOw=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1612,6 +1626,7 @@ "log.level": "alert", "log.offset": 9683, "network.application": "dns client", + "network.community_id": "1:wrAm7MmrJHlBQ+ikcQmSwf2JnJM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1723,6 +1738,7 @@ "log.level": "alert", "log.offset": 10403, "network.application": "dns client", + "network.community_id": "1:rjxS8IH4jqdHiflcG+1txqEFP1M=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1832,6 +1848,7 @@ "log.level": "alert", "log.offset": 11118, "network.application": "dns client", + "network.community_id": "1:0YJqKZXX7VN9W1Gx6txd8TFELHM=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -1941,6 +1958,7 @@ "log.level": "alert", "log.offset": 11801, "network.application": "dns client", + "network.community_id": "1:nTPeg7DUgB3rjeFwl+cm5VHEdXQ=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2050,6 +2068,7 @@ "log.level": "alert", "log.offset": 12477, "network.application": "dns client", + "network.community_id": "1:R1FcZHFFvO0mHFfeVXH/CwTGCmU=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2157,6 +2176,7 @@ "log.level": "alert", "log.offset": 13152, "network.application": "dns client", + "network.community_id": "1:k5kQaEfpetJ7SxFkG7Ytzzz5ik0=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -2268,6 +2288,7 @@ "log.level": "alert", "log.offset": 13795, "network.application": "dns client", + "network.community_id": "1:jVTdIEwjG0Eb77jGrcDygrNq9jg=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 8dcb7692215..709c0b6a9a2 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -53,6 +53,7 @@ "log.offset": 0, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network.application": "firefox", + "network.community_id": "1:aVBZLbVEijzexcqIhp/89fLm6Fw=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -140,6 +141,7 @@ "log.offset": 587, "message": "SERVER-WEBAPP Ipswitch WhatsUp Small Business directory traversal attempt", "network.application": "firefox", + "network.community_id": "1:T2FxxCvrJYccm7bcw2QZ9tWONIo=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -224,6 +226,7 @@ "log.level": "unknown", "log.offset": 1174, "message": "APP-DETECT failed FTP login attempt", + "network.community_id": "1:4Ze3PKactlddzol+s7PbEeCTTlk=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -307,6 +310,7 @@ "log.level": "unknown", "log.offset": 1662, "message": "APP-DETECT failed FTP login attempt", + "network.community_id": "1:yyUSZl65LfpqAPKtrjT9QRDUlfs=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index a1f9c037515..eb1a32afe4c 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -77,6 +77,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 201, + "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "localhost", @@ -135,6 +136,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 360, + "network.community_id": "1:d9RGgqBro5rzu16MqJQFehDRaKY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "wan", diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 454f0f3141e..4d979868847 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -28,6 +28,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 0, + "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -77,6 +78,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 139, + "network.community_id": "1:3NxcSu9jwJUYIYwJ2TO4TSNnPX8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -127,6 +129,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 294, + "network.community_id": "1:/AVpSqNe7QhujyFPgKMbMS9Ct44=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -177,6 +180,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 465, + "network.community_id": "1:462QRxMFThXYxhSyvR50cIDJegg=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -231,6 +235,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 632, + "network.community_id": "1:c8hH08+kxqP8+dYZZFCsPYYf0oo=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -281,6 +286,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 812, + "network.community_id": "1:oGT+RQ2PYVsSEX/LuKvEW6O6Jiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -333,6 +339,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 938, + "network.community_id": "1:4NJbCZhuyrAJcj7S647C7IIhAM8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -380,6 +387,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1106, + "network.community_id": "1:ay9S7HyVcpV47ArwMPDsxLg6wBU=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -432,6 +440,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1233, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -481,6 +490,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1401, + "network.community_id": "1:fZibb4nXPyoJv3pk+hIlafmMMMY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -534,6 +544,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 1527, + "network.community_id": "1:KAOD4KM9MUK44UkzQPDM20+aGPI=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -588,6 +599,7 @@ "log.level": "informational", "log.offset": 1692, "network.bytes": 140, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -619,6 +631,7 @@ "destination.address": "10.123.1.35", "destination.ip": "10.123.1.35", "destination.port": 52925, + "destination.user.name": "user2", "event.action": "flow-expiration", "event.category": [ "network" @@ -642,6 +655,7 @@ "log.level": "informational", "log.offset": 1844, "network.bytes": 9999999, + "network.community_id": "1:JpGltiZUmRdP7Yj0gpMkjYQzWJY=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -653,14 +667,20 @@ "10.123.1.35", "192.0.2.222" ], + "related.user": [ + "user1", + "user2" + ], "service.type": "cisco", "source.address": "192.0.2.222", "source.ip": "192.0.2.222", "source.port": 53, + "source.user.name": "user1", "tags": [ "cisco-ftd", "forwarded" - ] + ], + "user.name": "user2" }, { "@timestamp": "2011-06-04T21:59:52.000-02:00", @@ -688,6 +708,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2008, + "network.community_id": "1:tTzSWYTCd+HV5W2Q/cSW6AszABM=", "network.iana_number": 1, "network.transport": "icmp", "observer.hostname": "FJSG2NRFW01", @@ -735,6 +756,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2163, + "network.community_id": "1:EsAlPGwbpvnOIWG+1RbOLtWOWaI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -788,6 +810,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 2289, + "network.community_id": "1:m/dSB7tetihSecuyjm6x4Rl/8I8=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -836,6 +859,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 2454, + "network.community_id": "1:cjsjwTI1K/FNwJ9mwZX971rPjfo=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -885,6 +909,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2563, + "network.community_id": "1:Zboag8BrI6OW/Oo2vWMZ2CJe4tM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -934,6 +959,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2722, + "network.community_id": "1:Ne/QE55iCFiCg5J75DhSp3KZzQI=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -983,6 +1009,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 2883, + "network.community_id": "1:nVqNkC3HBTw1Le7RJD28aYfCDTg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1032,6 +1059,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3044, + "network.community_id": "1:c82bgYlFS2zsrs3He7w3jq7x6jY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1081,6 +1109,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3205, + "network.community_id": "1:iQJvtLpa8CzCZimwacqAWJp9sZg=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1130,6 +1159,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3366, + "network.community_id": "1:CHFAR3iwADiL0sMiLhocbg8YF4o=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1179,6 +1209,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3527, + "network.community_id": "1:fW9fDNL4osH5ogPXIzh5huGyJLU=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1228,6 +1259,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3688, + "network.community_id": "1:VqbI7AJvRLmCOZAb2tHFFBTeRZ8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1277,6 +1309,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 3847, + "network.community_id": "1:TUJhCk7pGNvVhgiAnf4YJJaoCpo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -1326,6 +1359,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4004, + "network.community_id": "1:EItD1g2bG+b/iorMXbZ/3Bvjam8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1373,6 +1407,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 4163, + "network.community_id": "1:a6VFmKsjwlqdlhQIeSm95/lkWlY=", "network.direction": "inbound", "network.iana_number": 17, "network.transport": "udp", @@ -1419,6 +1454,7 @@ "input.type": "log", "log.level": "critical", "log.offset": 4274, + "network.community_id": "1:96NZ3spb6QBXPZwoL7NadaqTMac=", "network.direction": "inbound", "network.iana_number": 17, "network.protocol": "dns", @@ -1468,6 +1504,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4383, + "network.community_id": "1:DbXtTF7Tt+LJ0/omdap4K0RmodY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1517,6 +1554,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4542, + "network.community_id": "1:8enMIE4IqhVXWyyRuJRvdyDxiBA=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1566,6 +1604,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4703, + "network.community_id": "1:3vGj3wfvZB2f5kZmDflH/qfkWYE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1615,6 +1654,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 4862, + "network.community_id": "1:Wjdn68t3gwpMPxbO1bBTBvMkQKE=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1664,6 +1704,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5018, + "network.community_id": "1:OHPCPPOkvDP3KMLJodW8pdmntUw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1713,6 +1754,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 5174, + "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1762,6 +1804,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 5321, + "network.community_id": "1:7ujfPje/XmaZUbijXhcBn7jzz8Y=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -1811,6 +1854,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5468, + "network.community_id": "1:IOafOGWxFLefP+hvoAc06Z1pBj8=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1860,6 +1904,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5631, + "network.community_id": "1:89qba0kw6T/uGNWcSzTTYvNoLeY=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1910,6 +1955,7 @@ "input.type": "log", "log.level": "notification", "log.offset": 5792, + "network.community_id": "1:3EQcjAJCGY7yJRip464V5VZ2h00=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -1962,6 +2008,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 5963, + "network.community_id": "1:xQpx+K3UkeF1wQfNjT+9cuVvkHo=", "network.direction": "outbound", "network.iana_number": 17, "network.transport": "udp", @@ -2017,6 +2064,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 6143, + "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2071,6 +2119,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 6298, + "network.community_id": "1:/lWsjFt8GNAqxtRiPYxbyU20/N8=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2243,6 +2292,7 @@ "log.level": "informational", "log.offset": 6803, "network.bytes": 14804, + "network.community_id": "1:tVS/eeyng4tH7pSAcq77I2cbedw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2301,6 +2351,7 @@ "log.level": "informational", "log.offset": 6973, "network.bytes": 134781, + "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2359,6 +2410,7 @@ "log.level": "informational", "log.offset": 7144, "network.bytes": 134781, + "network.community_id": "1:Tc+oC6fll4kTgOTp2hiirhpXAuQ=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2411,6 +2463,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7315, + "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "127.0.0.1", @@ -2462,6 +2515,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7462, + "network.community_id": "1:BX8uzuuLWZ5TLiZXPqdka12ZHOc=", "network.iana_number": 6, "network.transport": "tcp", "observer.hostname": "127.0.0.1", @@ -2515,6 +2569,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 7609, + "network.community_id": "1:BouUIZD+TqJZdYklL1aMrJfnbQ0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "outside", @@ -2571,6 +2626,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7765, + "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2628,6 +2684,7 @@ "input.type": "log", "log.level": "informational", "log.offset": 7944, + "network.community_id": "1:mUqH1e0FnddfDertRLbskQ9rX5Q=", "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2687,6 +2744,7 @@ "log.level": "informational", "log.offset": 8123, "network.bytes": 11420, + "network.community_id": "1:kugTIYv6tVeitQAN8XRNgUPvZiw=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "dmz", @@ -2743,6 +2801,7 @@ "log.level": "informational", "log.offset": 8293, "network.bytes": 1416, + "network.community_id": "1:n1IQHcbrWLb1u8dflqz8hfEElA0=", "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "inside", @@ -3169,6 +3228,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 9405, + "network.community_id": "1:buRYH8vRkdq5apZqKHNDfmztnUo=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3268,6 +3328,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 9669, + "network.community_id": "1:XKWgpeop6LmXORBjS+D+pjammJ4=", "network.iana_number": 1, "network.transport": "icmp", "observer.ingress.interface.name": "inside", @@ -3320,6 +3381,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 9805, + "network.community_id": "1:ZWjuP5bJeA+f0NH342ubXOWI+Lc=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3382,6 +3444,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 10056, + "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outsidet", @@ -3441,6 +3504,7 @@ "input.type": "log", "log.level": "warning", "log.offset": 10355, + "network.community_id": "1:iQUXct+pq5A5+rR869ELbDtnuek=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outsidet", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index fae2b463a49..f5c9eb57649 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -56,6 +56,7 @@ "log.level": "alert", "log.offset": 0, "network.application": "icmp client", + "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", @@ -150,6 +151,7 @@ "log.level": "alert", "log.offset": 579, "network.application": "icmp client", + "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "network.iana_number": 1, "network.protocol": "icmp", "network.transport": "icmp", @@ -253,6 +255,7 @@ "log.level": "alert", "log.offset": 1182, "network.application": "dns client", + "network.community_id": "1:LrHhMjRxI8XLokucnZO43cq3wJ0=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -363,6 +366,7 @@ "log.level": "alert", "log.offset": 1821, "network.application": "dns client", + "network.community_id": "1:/cLFaau3XcCC0NUtxHnt+rWlO6A=", "network.iana_number": 17, "network.protocol": "dns", "network.transport": "udp", @@ -462,6 +466,7 @@ "input.type": "log", "log.level": "alert", "log.offset": 2515, + "network.community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -577,6 +582,7 @@ "advanced packaging tool", "ubuntu" ], + "network.community_id": "1:L+Ul/KflTuC9qM1HyJ2hOk2/NSM=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -682,6 +688,7 @@ "input.type": "log", "log.level": "alert", "log.offset": 3919, + "network.community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=", "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -793,6 +800,7 @@ "log.level": "alert", "log.offset": 4442, "network.application": "curl", + "network.community_id": "1:TE/czajXLfyOntGRUMlWpOamN+I=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -887,6 +895,7 @@ "input.type": "log", "log.level": "alert", "log.offset": 5177, + "network.community_id": "1:Lc5Ybc+aBSwS/2nqgn+rGxqrgck=", "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "input", @@ -989,6 +998,7 @@ "log.level": "alert", "log.offset": 5719, "network.application": "curl", + "network.community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 367c559c2e6..3dcdb4f4219 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -44,6 +44,7 @@ "log.level": "alert", "log.offset": 0, "network.application": "curl", + "network.community_id": "1:ICpzATq4Q7ls9bAGqEmf+eAOtFc=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -123,6 +124,7 @@ "log.level": "alert", "log.offset": 450, "network.application": "curl", + "network.community_id": "1:1P/UJpeT0HuAQ0Zj36VUw3NWrms=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -202,6 +204,7 @@ "log.level": "alert", "log.offset": 900, "network.application": "curl", + "network.community_id": "1:k9jZpiIYklqnW5VrPKZ36zGCfpw=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -281,6 +284,7 @@ "log.level": "alert", "log.offset": 1348, "network.application": "curl", + "network.community_id": "1:1O6Tg+zlE975TFeaA0Qa6QBRfBs=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -366,6 +370,7 @@ "log.level": "alert", "log.offset": 1804, "network.application": "curl", + "network.community_id": "1:9k57JmGIU8Cd4FcndffJHSuGmHg=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -454,6 +459,7 @@ "log.level": "alert", "log.offset": 2372, "network.application": "curl", + "network.community_id": "1:eJqjWMIqoBPiagsWFCmeQAhxZaM=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -546,6 +552,7 @@ "log.level": "alert", "log.offset": 2940, "network.application": "curl", + "network.community_id": "1:EX7LDhHq0D9ez/OeVOOW5FWakkI=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -647,6 +654,7 @@ "log.level": "alert", "log.offset": 3639, "network.application": "curl", + "network.community_id": "1:idXjLwb9WD2+SkGKCxynJU8imAk=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -737,6 +745,7 @@ "log.level": "alert", "log.offset": 4397, "network.application": "curl", + "network.community_id": "1:nOd4Q0QVZ1CGu/nTE/uuQ/52Q3A=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", @@ -837,6 +846,7 @@ "log.level": "alert", "log.offset": 5211, "network.application": "curl", + "network.community_id": "1:NJVenFV6VTdZygfzWuC08PwZc84=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index a1146a75efc..eeb9024fdc4 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -77,6 +77,7 @@ "log.level": "unknown", "log.offset": 0, "network.application": "chrome", + "network.community_id": "1:IpM6MLWKXk42SgVki5Wy5/6cTfk=", "network.iana_number": 6, "network.protocol": "http", "network.transport": "tcp", diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 2c92b41648e..ee379156ce6 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -268,7 +268,10 @@ processors: field: "message" description: "106023" patterns: - - ^%{NOTSPACE:event.outcome} %{NOTSPACE:network.transport} src %{NOTSPACE:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(%{GREEDYDATA:_temp_.cisco.source_username} )?dst %{NOTSPACE:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access.group "%{NOTSPACE:_temp_.cisco.list_id}" + - ^%{NOTSPACE:event.outcome} ((protocol %{POSINT:network.iana_number})|%{NOTSPACE:network.transport}) src %{NOTCOLON:_temp_.cisco.source_interface}:%{IPORHOST:source.address}(/%{POSINT:source.port})?\s*(\(%{CISCO_USER:_temp_.cisco.source_username}\) )?dst %{NOTCOLON:_temp_.cisco.destination_interface}:%{IPORHOST:destination.address}(/%{POSINT:destination.port})?%{DATA}by access-group "%{NOTSPACE:_temp_.cisco.list_id}" + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '106027'" field: "message" @@ -329,28 +332,37 @@ processors: field: "message" description: "302013, 302015" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}" + - Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\)(\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\)(\(%{CISCO_USER:destination.user.name}\))?( \(%{CISCO_USER:_temp_.cisco.termination_user}\))?%{GREEDYDATA} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '303002'" field: "message" description: "303002" pattern: "%{network.protocol} connection from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}, user %{client.user.name} %{} file %{file.path}" - - dissect: - if: "ctx._temp_.cisco.message_id == '302012'" + - grok: + if: "ctx._temp_.cisco.message_id == '305012'" field: "message" - description: "302012" - pattern: "Teardown %{} %{network.transport} translation from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms}" + description: "305012" + patterns: + - Teardown %{DATA} %{NOTSPACE:network.transport} translation from %{NOTCOLON:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port}(\s*\(%{CISCO_USER:_temp_.cisco.source_username}\))? to %{NOTCOLON:_temp_.cisco.destination_interface}:%{IP:destination.address}/%{NUMBER:destination.port} duration %{DURATION:_temp_.duration_hms} + pattern_definitions: + NOTCOLON: "[^:]*" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" - grok: if: "ctx._temp_.cisco.message_id == '302020'" field: "message" description: "302020" patterns: - - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{NOTSPACE:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" + - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.protocol} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.destination_username}\\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\\s*(?:\\(%{CISCO_USER:_temp_.cisco.source_username}\\) )?(type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})?" pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) - dissect: if: "ctx._temp_.cisco.message_id == '302022'" field: "message" @@ -366,7 +378,7 @@ processors: field: "message" description: "304001" patterns: - - "%{IP:source.address} %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" + - "(%{NOTSPACE:source.user.name}@)?%{IP:source.address}(\\(%{DATA}\\))? %{DATA} (%{NOTSPACE}@)?%{IP:destination.address}:%{GREEDYDATA:url.original}" - set: if: "ctx._temp_.cisco.message_id == '304001'" field: "event.outcome" @@ -651,13 +663,14 @@ processors: field: "message" description: "722051" patterns: - - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" - - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" - - dissect: + - "Group <%{NOTSPACE:_temp_.cisco.webvpn.group_name}> User <%{NOTSPACE:source.user.name}> IP <%{IP:source.address}> IPv4 Address <%{IP:_temp_.cisco.assigned_ip}> %{GREEDYDATA}" + - "Group %{NOTSPACE:_temp_.cisco.webvpn.group_name} User %{NOTSPACE:source.user.name} IP %{IP:source.address} IPv4 Address %{IP:_temp_.cisco.assigned_ip} %{GREEDYDATA}" + - grok: if: "ctx._temp_.cisco.message_id == '733100'" field: "message" description: "733100" - pattern: "[%{_temp_.cisco.burst.object}] drop %{_temp_.cisco.burst.id} exceeded. Current burst rate is %{_temp_.cisco.burst.current_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_rate}; Current average rate is %{_temp_.cisco.burst.avg_rate} per second, max configured rate is %{_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{_temp_.cisco.burst.cumulative_count}" + patterns: + - \[(%{SPACE})?%{DATA:_temp_.cisco.burst.object}\] drop %{NOTSPACE:_temp_.cisco.burst.id} exceeded. Current burst rate is %{INT:_temp_.cisco.burst.current_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_rate}; Current average rate is %{INT:_temp_.cisco.burst.avg_rate} per second, max configured rate is %{INT:_temp_.cisco.burst.configured_avg_rate}; Cumulative total count is %{INT:_temp_.cisco.burst.cumulative_count} - dissect: if: "ctx._temp_.cisco.message_id == '734001'" field: "message" @@ -667,7 +680,7 @@ processors: if: "ctx._temp_.cisco.message_id == '805001'" field: "message" description: "805001" - pattern: "Offloaded %{network.transport} for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" + pattern: "Offloaded %{network.transport} Flow for connection %{_temp_.cisco.connection_id} from %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})" - dissect: if: "ctx._temp_.cisco.message_id == '805002'" field: "message" @@ -696,7 +709,7 @@ processors: - dissect: if: '["602303", "602304"].contains(ctx._temp_.cisco.message_id)' field: "message" - pattern: "%{network.type}: An %{network.direction} %{network.inner} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." + pattern: "%{network.type}: An %{network.direction} %{_temp_.cisco.tunnel_type} SA (SPI= %{}) between %{source.address} and %{destination.address} (user= %{user.name}) has been %{event.action}." - dissect: if: "ctx._temp_.cisco.message_id == '750002'" field: "message" @@ -762,27 +775,29 @@ processors: # Handle 302xxx messages (Flow expiration a.k.a "Teardown") # - set: - if: '["302012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' + if: '["305012", "302014", "302016", "302018", "302020", "302021", "302036", "302304", "302306", "609001", "609002"].contains(ctx._temp_.cisco.message_id)' field: "event.action" value: "flow-expiration" - description: "302012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" + description: "305012, 302014, 302016, 302018, 302020, 302021, 302036, 302304, 302306, 609001, 609002" - grok: field: "message" if: '["302014", "302016", "302018", "302021", "302036", "302304", "302306"].contains(ctx._temp_.cisco.message_id)' description: "302014, 302016, 302018, 302021, 302036, 302304, 302306" patterns: - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{NOTSPACE:_temp_.cisco.termination_user}\) - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} - - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.source_username} )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:%{NOTSPACE:_temp_.cisco.destination_username} )?duration (?:%{TIME:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) - - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.destination_username}\) )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{NOTSPACE:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} from %{NOTCOLON:_temp_.cisco.termination_initiator} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) \(%{CISCO_USER:_temp_.cisco.termination_user}\) + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) %{NOTCOLON:event.reason} + - ^Teardown %{NOTSPACE:network.transport} (?:state-bypass )?connection %{NOTSPACE:_temp_.cisco.connection_id} (?:for|from) %{NOTCOLON:_temp_.cisco.source_interface}:%{DATA:source.address}/%{NUMBER:source.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.source_username}\)? )?to %{NOTCOLON:_temp_.cisco.destination_interface}:%{DATA:destination.address}/%{NUMBER:destination.port:int}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?duration (?:%{DURATION:_temp_.duration_hms} bytes %{NUMBER:network.bytes}) + - ^Teardown %{NOTSPACE:network.transport} connection for faddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSDESTIPORHOST}/%{NUMBER}\s*(?:\(?%{CISCO_USER:_temp_.cisco.destination_username}\)? )?gaddr (?:%{NOTCOLON}:)?%{MAPPEDSRC}/%{NUMBER} laddr (?:%{NOTCOLON:_temp_.cisco.source_interface}:)?%{ECSSOURCEIPORHOST}/%{NUMBER}\s*(?:\(%{CISCO_USER:_temp_.cisco.source_username}\))?(\s*type %{NUMBER:_temp_.cisco.icmp_type} code %{NUMBER:_temp_.cisco.icmp_code})? pattern_definitions: NOTCOLON: "[^:]*" ECSSOURCEIPORHOST: "(?:%{IP:source.address}|%{HOSTNAME:source.domain})" ECSDESTIPORHOST: "(?:%{IP:destination.address}|%{HOSTNAME:destination.domain})" - MAPPEDSRC: "(?:%{DATA:_temp_.natsrcip}|%{HOSTNAME})" + MAPPEDSRC: "(?:%{IPORHOST:_temp_.natsrcip}|%{HOSTNAME})" + DURATION: "%{INT}:%{MINUTE}:%{SECOND}" + CISCO_USER: ((LOCAL\\)?(%{HOSTNAME}\\)?%{USERNAME}(@%{HOSTNAME})?) # # Decode FTD's Security Event Syslog Messages # @@ -1320,6 +1335,35 @@ processors: Instant.parse(end).minusNanos(nanos), ZoneOffset.UTC); # + # Parse Source/Dest Username/Domain + # + - set: + field: source.user.name + value: "{{{ _temp_.cisco.source_username }}}" + if: 'ctx?.source?.user?.name == null && ctx?._temp_?.cisco?.source_username != null' + - set: + field: destination.user.name + value: "{{{ _temp_.cisco.destination_username }}}" + if: 'ctx?.destination?.user?.name == null && ctx?._temp_?.cisco?.destination_username != null' + - grok: + field: "source.user.name" + if: 'ctx?.source?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:source.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:source.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:source.user.domain}\\)? + - grok: + field: "destination.user.name" + if: 'ctx?.destination?.user?.name != null' + ignore_failure: true + patterns: + - (%{CISCO_DOMAIN})?%{CISCO_USER:destination.user.name} + pattern_definitions: + CISCO_USER: "%{USERNAME}(@%{HOSTNAME:destination.user.domain})?" + CISCO_DOMAIN: (LOCAL\\)?(%{HOSTNAME:destination.user.domain}\\)? + # # Normalize protocol names # - lowercase: @@ -1428,50 +1472,62 @@ processors: field: "source.port" type: integer ignore_failure: true + ignore_missing: true - convert: field: "destination.port" type: integer ignore_failure: true + ignore_missing: true - convert: field: "source.bytes" type: long ignore_failure: true + ignore_missing: true - convert: field: "destination.bytes" type: long ignore_failure: true + ignore_missing: true - convert: field: "network.bytes" type: long ignore_failure: true + ignore_missing: true - convert: field: "source.packets" type: integer ignore_failure: true + ignore_missing: true - convert: field: "destination.packets" type: integer ignore_failure: true + ignore_missing: true - convert: field: "_temp_.cisco.mapped_source_port" type: integer ignore_failure: true + ignore_missing: true - convert: field: "_temp_.cisco.mapped_destination_port" type: integer ignore_failure: true + ignore_missing: true - convert: field: "_temp_.cisco.icmp_code" type: integer ignore_failure: true + ignore_missing: true - convert: field: "_temp_.cisco.icmp_type" type: integer ignore_failure: true + ignore_missing: true - convert: field: "network.iana_number" type: integer ignore_failure: true + ignore_missing: true # # Assign ECS .ip fields from .address is a valid IP address is found, # otherwise set .domain field. @@ -1856,22 +1912,22 @@ processors: allow_duplicates: false - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" if: ctx?.user?.name != null && ctx?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{host.user.name}}" + value: "{{{host.user.name}}}" if: ctx?.host?.user?.name != null && ctx?.host?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{source.user.name}}" + value: "{{{source.user.name}}}" if: ctx?.source?.user?.name != null && ctx?.source?.user?.name != '' allow_duplicates: false - append: field: related.user - value: "{{destination.user.name}}" + value: "{{{destination.user.name}}}" if: ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != '' allow_duplicates: false - append: @@ -1899,6 +1955,16 @@ processors: value: "{{source.domain}}" if: ctx.source?.domain != null && ctx.source?.domain != '' allow_duplicates: false + - append: + field: related.hosts + value: "{{source.user.domain}}" + if: ctx.source?.user?.domain != null && ctx.source?.user?.domain != '' + allow_duplicates: false + - append: + field: related.hosts + value: "{{destination.user.domain}}" + if: ctx.destination?.user?.domain != null && ctx.destination?.user?.domain != '' + allow_duplicates: false - script: lang: painless description: This script processor iterates over the whole document to remove fields with null values. @@ -1923,6 +1989,9 @@ processors: } } handleMap(ctx); + - community_id: + ignore_missing: true + ignore_failure: true on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help # with diagnosing the failure. From 0ee910f4df6653dc9557090946b392533621c2a3 Mon Sep 17 00:00:00 2001 From: Michel Laterman <82832767+michel-laterman@users.noreply.github.com> Date: Tue, 14 Sep 2021 14:09:35 -0700 Subject: [PATCH 03/12] Elastic-agent snapshot lookup will use proxy settings (#27904) Change the HTTP client from the standard library client to one built from the http settings supplied to the artifact downloader (`agent.download` in fleet.yml) so that proxy settings are used for the initial request to find the artifact location as well as the subsequent download. --- x-pack/elastic-agent/CHANGELOG.next.asciidoc | 1 + .../pkg/artifact/download/snapshot/downloader.go | 13 +++++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc index bb20b592edc..9bcda5fe195 100644 --- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc @@ -86,6 +86,7 @@ - Migrate state on upgrade {pull}27825[27825] - Add "_monitoring" suffix to monitoring instance names to remove ambiguity with the status command. {issue}25449[25449] - Ignore ErrNotExists when fixing permissions. {issue}27836[27836] {pull}27846[27846] +- Snapshot artifact lookup will use agent.download proxy settings. {issue}27903[27903] {pull}27904[27904] ==== New features diff --git a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go index acf6b32328f..a08295ba49b 100644 --- a/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go +++ b/x-pack/elastic-agent/pkg/artifact/download/snapshot/downloader.go @@ -7,9 +7,9 @@ package snapshot import ( "encoding/json" "fmt" - gohttp "net/http" "strings" + "github.com/elastic/beats/v7/libbeat/common/transport/httpcommon" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact/download/http" @@ -27,7 +27,7 @@ func NewDownloader(config *artifact.Config, versionOverride string) (download.Do } func snapshotConfig(config *artifact.Config, versionOverride string) (*artifact.Config, error) { - snapshotURI, err := snapshotURI(versionOverride) + snapshotURI, err := snapshotURI(versionOverride, config) if err != nil { return nil, fmt.Errorf("failed to detect remote snapshot repo, proceeding with configured: %v", err) } @@ -43,7 +43,7 @@ func snapshotConfig(config *artifact.Config, versionOverride string) (*artifact. }, nil } -func snapshotURI(versionOverride string) (string, error) { +func snapshotURI(versionOverride string, config *artifact.Config) (string, error) { version := release.Version() if versionOverride != "" { if strings.HasSuffix(versionOverride, "-SNAPSHOT") { @@ -52,8 +52,13 @@ func snapshotURI(versionOverride string) (string, error) { version = versionOverride } + client, err := config.HTTPTransportSettings.Client(httpcommon.WithAPMHTTPInstrumentation()) + if err != nil { + return "", err + } + artifactsURI := fmt.Sprintf("https://artifacts-api.elastic.co/v1/search/%s-SNAPSHOT/elastic-agent", version) - resp, err := gohttp.Get(artifactsURI) + resp, err := client.Get(artifactsURI) if err != nil { return "", err } From 23285488f49511e96f46fe354f774804d6e992fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?No=C3=A9mi=20V=C3=A1nyi?= Date: Wed, 15 Sep 2021 09:04:12 +0200 Subject: [PATCH 04/12] Beats dashboard should use custom index patterns when `setup.dashboards.index` is set (#27901) ## What does this PR do? This PR adds a new check to `make check` to make sure all dashboards can handle custom index names. It is the responsibility of the dashboard author to keep the dashboard useable if `setup.dashboards.index` is configured. The PR contains additional fixes to make sure existing dashboards can be used with custom index names. Also, the test coverage was increased as it is a quite big PR. The PR also decodes a few fields to make dashboards easier to review. ## Why is it important? The bug prevents users from setting custom index names and use our dashboards at the same time. Closes #21232 --- CHANGELOG.next.asciidoc | 1 + dev-tools/mage/check.go | 9 + libbeat/dashboards/decode.go | 46 +- libbeat/dashboards/modify_json.go | 202 +++++++-- libbeat/dashboards/modify_json_test.go | 29 +- .../0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json | 150 ++++++- .../513a3d70-4482-11ea-ad63-791a5dc86f10.json | 185 +++++++- .../dae24080-739a-11ea-a345-f985c61fe654.json | 144 ++++++- .../dashboard/Filebeat-cyberarkpas-audit.json | 398 +++++++++++++++++- .../a97de660-73a5-11ea-a345-f985c61fe654.json | 144 ++++++- .../dbae13c0-685c-11ea-8d6a-292ef5d68366.json | 158 ++++++- .../281ca660-67b1-11ea-a76f-bf44814e437d.json | 165 +++++++- .../63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json | 180 +++++++- .../ec5aa090-df42-11eb-8f2b-753caedf727d.json | 170 +++++++- 14 files changed, 1929 insertions(+), 52 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 69ac4ec1732..7cc705a8a8f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -210,6 +210,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix bug with cgroups hierarchy override path in cgroups {pull}27620[27620] - Beat `setup kibana` command may use the elasticsearch API key defined in `output.elasticsearch.api_key`. {issue}24015[24015] {pull}27540[27540] - Seperate namespaces for V1 and V2 controller paths {pull}27676[27676] +- Beats dashboards use custom index when `setup.dashboards.index` is set. {issue}21232[21232] {pull}27901[27901] *Auditbeat* diff --git a/dev-tools/mage/check.go b/dev-tools/mage/check.go index f61501b06eb..c34255420cd 100644 --- a/dev-tools/mage/check.go +++ b/dev-tools/mage/check.go @@ -36,6 +36,7 @@ import ( "github.com/pkg/errors" "github.com/elastic/beats/v7/dev-tools/mage/gotool" + "github.com/elastic/beats/v7/libbeat/dashboards" "github.com/elastic/beats/v7/libbeat/processors/dissect" ) @@ -260,6 +261,14 @@ func checkDashboardForErrors(file string, d []byte) bool { fmt.Println(" ", err) } + replaced := dashboards.ReplaceIndexInDashboardObject("my-test-index-*", d) + if bytes.Contains(replaced, []byte(BeatName+"-*")) { + hasErrors = true + fmt.Printf(">> Cannot modify all index pattern references in dashboard - %s\n", file) + fmt.Println("Please edit the dashboard override function named ReplaceIndexInDashboardObject in libbeat.") + fmt.Println(string(replaced)) + } + return hasErrors } diff --git a/libbeat/dashboards/decode.go b/libbeat/dashboards/decode.go index cd79bfead43..10c0a694898 100644 --- a/libbeat/dashboards/decode.go +++ b/libbeat/dashboards/decode.go @@ -30,11 +30,13 @@ import ( var ( responseToDecode = []string{ - "attributes.uiStateJSON", - "attributes.visState", + "attributes.kibanaSavedObjectMeta.searchSourceJSON", + "attributes.layerListJSON", + "attributes.mapStateJSON", "attributes.optionsJSON", "attributes.panelsJSON", - "attributes.kibanaSavedObjectMeta.searchSourceJSON", + "attributes.uiStateJSON", + "attributes.visState", } ) @@ -76,15 +78,51 @@ func decodeLine(line []byte) []byte { if err != nil { return line } + o = decodeObject(o) + o = decodeEmbeddableConfig(o) + + return []byte(o.String()) +} + +func decodeObject(o common.MapStr) common.MapStr { for _, key := range responseToDecode { // All fields are optional, so errors are not caught err := decodeValue(o, key) if err != nil { logger := logp.NewLogger("dashboards") logger.Debugf("Error while decoding dashboard objects: %+v", err) + continue } } - return []byte(o.String()) + + return o +} + +func decodeEmbeddableConfig(o common.MapStr) common.MapStr { + p, err := o.GetValue("attributes.panelsJSON") + if err != nil { + return o + } + + if panels, ok := p.([]interface{}); ok { + for i, pan := range panels { + if panel, ok := pan.(map[string]interface{}); ok { + panelObj := common.MapStr(panel) + embedded, err := panelObj.GetValue("embeddableConfig") + if err != nil { + continue + } + if embeddedConfig, ok := embedded.(map[string]interface{}); ok { + embeddedConfigObj := common.MapStr(embeddedConfig) + panelObj.Put("embeddableConfig", decodeObject(embeddedConfigObj)) + panels[i] = panelObj + } + } + } + o.Put("attributes.panelsJSON", panels) + } + + return o } func decodeValue(data common.MapStr, key string) error { diff --git a/libbeat/dashboards/modify_json.go b/libbeat/dashboards/modify_json.go index 3178d6b2382..daacccdbc3f 100644 --- a/libbeat/dashboards/modify_json.go +++ b/libbeat/dashboards/modify_json.go @@ -21,6 +21,7 @@ import ( "bytes" "encoding/json" "fmt" + "regexp" "github.com/pkg/errors" @@ -46,11 +47,6 @@ type JSONObject struct { Attributes JSONObjectAttribute `json:"attributes"` } -// JSONFormat contains a list of JSON object -type JSONFormat struct { - Objects []JSONObject `json:"objects"` -} - // ReplaceIndexInIndexPattern replaces an index in a dashboard content body func ReplaceIndexInIndexPattern(index string, content common.MapStr) (err error) { if index == "" { @@ -128,43 +124,62 @@ func ReplaceIndexInSavedObject(logger *logp.Logger, index string, kibanaSavedObj } kibanaSavedObject["searchSourceJSON"] = searchSourceJSON } - if visStateJSON, ok := kibanaSavedObject["visState"].(string); ok { - visStateJSON = ReplaceIndexInVisState(logger, index, visStateJSON) - kibanaSavedObject["visState"] = visStateJSON + if visState, ok := kibanaSavedObject["visState"].(map[string]interface{}); ok { + kibanaSavedObject["visState"] = ReplaceIndexInVisState(logger, index, visState) } return kibanaSavedObject } -// ReplaceIndexInVisState replaces index appearing in visState params objects -func ReplaceIndexInVisState(logger *logp.Logger, index string, visStateJSON string) string { - - var visState map[string]interface{} - err := json.Unmarshal([]byte(visStateJSON), &visState) - if err != nil { - logger.Errorf("Fail to unmarshal visState: %v", err) - return visStateJSON - } +var timeLionIdxRegexp = regexp.MustCompile(`index=\".*beat-\*\"`) +// ReplaceIndexInVisState replaces index appearing in visState params objects +func ReplaceIndexInVisState(logger *logp.Logger, index string, visState map[string]interface{}) map[string]interface{} { params, ok := visState["params"].(map[string]interface{}) if !ok { - return visStateJSON + return visState } // Don't set it if it was not set before - if pattern, ok := params["index_pattern"].(string); !ok || len(pattern) == 0 { - return visStateJSON + if pattern, ok := params["index_pattern"].(string); ok && len(pattern) != 0 { + params["index_pattern"] = index + } + + if s, ok := params["series"].([]interface{}); ok { + for i, ser := range s { + if series, ok := ser.(map[string]interface{}); ok { + if _, ok := series["series_index_pattern"]; !ok { + continue + } + series["series_index_pattern"] = index + s[i] = series + } + } + params["series"] = s } - params["index_pattern"] = index + if annotations, ok := params["annotations"].([]interface{}); ok { + for i, ann := range annotations { + annotation, ok := ann.(map[string]interface{}) + if !ok { + continue + } + if _, ok = annotation["index_pattern"]; !ok { + continue + } + annotation["index_pattern"] = index + annotations[i] = annotation + } + params["annotations"] = annotations + } - d, err := json.Marshal(visState) - if err != nil { - logger.Errorf("Fail to marshal visState: %v", err) - return visStateJSON + if expr, ok := params["expression"].(string); ok { + params["expression"] = timeLionIdxRegexp.ReplaceAllString(expr, `index="`+index+`"`) } - return string(d) + visState["params"] = replaceIndexInParamControls(logger, index, params) + + return visState } // ReplaceIndexInDashboardObject replaces references to the index pattern in dashboard objects @@ -195,10 +210,28 @@ func ReplaceIndexInDashboardObject(index string, content []byte) []byte { attributes["kibanaSavedObjectMeta"] = ReplaceIndexInSavedObject(logger, index, kibanaSavedObject) } - if visState, ok := attributes["visState"].(string); ok { + if visState, ok := attributes["visState"].(map[string]interface{}); ok { attributes["visState"] = ReplaceIndexInVisState(logger, index, visState) } + if layerListJSON, ok := attributes["layerListJSON"].([]interface{}); ok { + attributes["layerListJSON"] = replaceIndexInLayerListJSON(logger, index, layerListJSON) + } + + if mapStateJSON, ok := attributes["mapStateJSON"].(map[string]interface{}); ok { + attributes["mapStateJSON"] = replaceIndexInMapStateJSON(logger, index, mapStateJSON) + } + + if panelsJSON, ok := attributes["panelsJSON"].([]interface{}); ok { + attributes["panelsJSON"] = replaceIndexInPanelsJSON(logger, index, panelsJSON) + } + + objectMap["attributes"] = attributes + + if references, ok := objectMap["references"].([]interface{}); ok { + objectMap["references"] = replaceIndexInReferences(index, references) + } + b, err := json.Marshal(objectMap) if err != nil { logger.Error("Error marshaling modified dashboard: %+v", err) @@ -208,6 +241,121 @@ func ReplaceIndexInDashboardObject(index string, content []byte) []byte { return b } +func replaceIndexInLayerListJSON(logger *logp.Logger, index string, layerListJSON []interface{}) []interface{} { + for i, layerListElem := range layerListJSON { + elem, ok := layerListElem.(map[string]interface{}) + if !ok { + continue + } + + if joins, ok := elem["joins"].([]interface{}); ok { + for j, join := range joins { + if pos, ok := join.(map[string]interface{}); ok { + for key, val := range pos { + if joinElems, ok := val.(map[string]interface{}); ok { + if _, ok := joinElems["indexPatternTitle"]; ok { + joinElems["indexPatternTitle"] = index + pos[key] = joinElems + } + } + } + joins[j] = pos + } + } + elem["joins"] = joins + } + if descriptor, ok := elem["sourceDescriptor"].(map[string]interface{}); ok { + if _, ok := descriptor["indexPatternId"]; ok { + descriptor["indexPatternId"] = index + } + elem["sourceDescriptor"] = descriptor + } + + layerListJSON[i] = elem + } + return layerListJSON +} + +func replaceIndexInMapStateJSON(logger *logp.Logger, index string, mapState map[string]interface{}) map[string]interface{} { + if filters, ok := mapState["filters"].([]interface{}); ok { + for i, f := range filters { + if filter, ok := f.(map[string]interface{}); ok { + if meta, ok := filter["meta"].(map[string]interface{}); ok { + if _, ok := meta["index"]; !ok { + continue + } + meta["index"] = index + filter["meta"] = meta + } + filters[i] = filter + } + } + mapState["filters"] = filters + } + + return mapState +} + +func replaceIndexInPanelsJSON(logger *logp.Logger, index string, panelsJSON []interface{}) []interface{} { + for i, p := range panelsJSON { + if panel, ok := p.(map[string]interface{}); ok { + config, ok := panel["embeddableConfig"].(map[string]interface{}) + if !ok { + continue + } + if configAttr, ok := config["attributes"].(map[string]interface{}); ok { + if references, ok := configAttr["references"].([]interface{}); ok { + configAttr["references"] = replaceIndexInReferences(index, references) + } + if layerListJSON, ok := configAttr["layerListJSON"].([]interface{}); ok { + configAttr["layerListJSON"] = replaceIndexInLayerListJSON(logger, index, layerListJSON) + } + config["attributes"] = configAttr + } + + if savedVis, ok := config["savedVis"].(map[string]interface{}); ok { + if params, ok := savedVis["params"].(map[string]interface{}); ok { + savedVis["params"] = replaceIndexInParamControls(logger, index, params) + } + config["savedVis"] = savedVis + } + + panel["embeddableConfig"] = config + panelsJSON[i] = panel + } + } + return panelsJSON +} + +func replaceIndexInParamControls(logger *logp.Logger, index string, params map[string]interface{}) map[string]interface{} { + if controlsList, ok := params["controls"].([]interface{}); ok { + for i, ctrl := range controlsList { + if control, ok := ctrl.(map[string]interface{}); ok { + if _, ok := control["indexPattern"]; ok { + control["indexPattern"] = index + controlsList[i] = control + } + } + } + params["controls"] = controlsList + } + return params +} + +func replaceIndexInReferences(index string, references []interface{}) []interface{} { + for i, ref := range references { + if reference, ok := ref.(map[string]interface{}); ok { + if refType, ok := reference["type"].(string); ok { + if refType == "index-pattern" { + reference["id"] = index + } + } + references[i] = reference + } + } + return references +} + func EncodeJSONObjects(content []byte) []byte { logger := logp.NewLogger("dashboards") diff --git a/libbeat/dashboards/modify_json_test.go b/libbeat/dashboards/modify_json_test.go index 48f0fe972c9..389e8b416a7 100644 --- a/libbeat/dashboards/modify_json_test.go +++ b/libbeat/dashboards/modify_json_test.go @@ -77,9 +77,34 @@ func TestReplaceIndexInDashboardObject(t *testing.T) { []byte(`{"attributes":{"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"index\":\"otherindex-*\"}"}}}`), }, { - []byte(`{"attributes":{"kibanaSavedObjectMeta":{"visState":"{\"params\":{\"index_pattern\":\"metricbeat-*\"}}"}}}`), + []byte(`{"attributes":{"layerListJSON":[{"joins":[{"leftField":"iso2","right":{"indexPatternTitle":"filebeat-*"}}]}]}}`), "otherindex-*", - []byte(`{"attributes":{"kibanaSavedObjectMeta":{"visState":"{\"params\":{\"index_pattern\":\"otherindex-*\"}}"}}}`), + []byte(`{"attributes":{"layerListJSON":[{"joins":[{"leftField":"iso2","right":{"indexPatternTitle":"otherindex-*"}}]}]}}`), + }, + { + []byte(`{"attributes":{"panelsJSON":[{"embeddableConfig":{"attributes":{"references":[{"id":"filebeat-*","type":"index-pattern"}]}}}]}}`), + "otherindex-*", + []byte(`{"attributes":{"panelsJSON":[{"embeddableConfig":{"attributes":{"references":[{"id":"otherindex-*","type":"index-pattern"}]}}}]}}`), + }, + { + []byte(`{"attributes":{},"references":[{"id":"auditbeat-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}]}`), + "otherindex-*", + []byte(`{"attributes":{},"references":[{"id":"otherindex-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}]}`), + }, + { + []byte(`{"attributes":{"visState":{"params":{"index_pattern":"winlogbeat-*"}}}}`), + "otherindex-*", + []byte(`{"attributes":{"visState":{"params":{"index_pattern":"otherindex-*"}}}}`), + }, + { + []byte(`{"attributes":{"visState":{"params":{"series":[{"series_index_pattern":"filebeat-*"}]}}}}`), + "otherindex-*", + []byte(`{"attributes":{"visState":{"params":{"series":[{"series_index_pattern":"otherindex-*"}]}}}}`), + }, + { + []byte(`{"attributes":{"mapStateJSON":{"filters":[{"meta":{"index":"filebeat-*"}}]}}}`), + "otherindex-*", + []byte(`{"attributes":{"mapStateJSON":{"filters":[{"meta":{"index":"otherindex-*"}}]}}}`), }, } diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json index 5082eae2c9e..3f128a002ea 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/0edf0640-3e7e-11ea-bb0a-69c3ca1d410f.json @@ -1,8 +1,154 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"19047c4c-18d7-4aec-b0ce-98de2828244d\",\"label\":\"Hits\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"id\":\"1e82f50f-424a-4718-905b-ad45db14db62\",\"geoField\":\"source.geo.location\",\"requestType\":\"point\",\"resolution\":\"COARSE\",\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"applyGlobalQuery\":true},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"label\":\"count\",\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#167a6d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"label\":\"count\",\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":4,\"maxSize\":32,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"1d457cd4-01be-4f96-95fd-af4ac535ebea\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", - "mapStateJSON": "{\"zoom\":3.9,\"center\":{\"lon\":13.666,\"lat\":50.97903},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"filebeat-*\",\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"fileset.name\",\"value\":\"elb\",\"params\":{\"query\":\"elb\"}},\"query\":{\"match\":{\"fileset.name\":{\"query\":\"elb\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "19047c4c-18d7-4aec-b0ce-98de2828244d", + "label": "Hits", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "1d457cd4-01be-4f96-95fd-af4ac535ebea", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "geoField": "source.geo.location", + "id": "1e82f50f-424a-4718-905b-ad45db14db62", + "indexPatternRefName": "layer_1_source_index_pattern", + "requestType": "point", + "resolution": "COARSE", + "type": "ES_GEO_GRID" + }, + "style": { + "properties": { + "fillColor": { + "options": { + "color": "Blues", + "field": { + "label": "count", + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": false, + "sigma": 3 + } + }, + "type": "DYNAMIC" + }, + "icon": { + "options": { + "value": "airfield" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "field": { + "label": "count", + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": false, + "sigma": 3 + }, + "maxSize": 32, + "minSize": 4 + }, + "type": "DYNAMIC" + }, + "lineColor": { + "options": { + "color": "#167a6d" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 50.97903, + "lon": 13.666 + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "fileset.name", + "negate": false, + "params": { + "query": "elb" + }, + "type": "phrase", + "value": "elb" + }, + "query": { + "match": { + "fileset.name": { + "query": "elb", + "type": "phrase" + } + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-15m", + "to": "now" + }, + "zoom": 3.9 + }, "title": "ELB Requests Geolocation [Filebeat AWS] ECS", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json index 558f5987a06..94698371beb 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/513a3d70-4482-11ea-ad63-791a5dc86f10.json @@ -1,8 +1,189 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"842c201e-96d7-413d-8688-de5ee4f8a1e0\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"97903038-e08d-4451-bbd2-eb92c894bdf5\",\"type\":\"ES_SEARCH\",\"geoField\":\"destination.geo.location\",\"filterByMapBounds\":true,\"tooltipProperties\":[],\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#1EA593\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#167a6d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":5}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"401944dd-a371-4698-be17-bc4542e9a5d4\",\"label\":\"vpc flow action accept\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"aws.vpcflow.action : \\\"ACCEPT\\\" \",\"language\":\"kuery\"}},{\"sourceDescriptor\":{\"id\":\"9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb\",\"type\":\"ES_SEARCH\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"tooltipProperties\":[],\"topHitsSize\":1,\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#f00f0b\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#7a1a18\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":5}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}}},\"id\":\"b1d44a5c-3a04-4c80-8080-57585b02fd48\",\"label\":\"vpc flow action reject\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"aws.vpcflow.action : \\\"REJECT\\\" \",\"language\":\"kuery\"}}]", - "mapStateJSON": "{\"zoom\":0.47,\"center\":{\"lon\":-108.92402,\"lat\":0},\"timeFilters\":{\"from\":\"now-15d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "842c201e-96d7-413d-8688-de5ee4f8a1e0", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "401944dd-a371-4698-be17-bc4542e9a5d4", + "label": "vpc flow action accept", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "aws.vpcflow.action : \"ACCEPT\" " + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": true, + "geoField": "destination.geo.location", + "id": "97903038-e08d-4451-bbd2-eb92c894bdf5", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "@timestamp", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "properties": { + "fillColor": { + "options": { + "color": "#1EA593" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "airfield" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 5 + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#167a6d" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + }, + { + "alpha": 0.75, + "id": "b1d44a5c-3a04-4c80-8080-57585b02fd48", + "label": "vpc flow action reject", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "aws.vpcflow.action : \"REJECT\" " + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb", + "indexPatternRefName": "layer_2_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "@timestamp", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "properties": { + "fillColor": { + "options": { + "color": "#f00f0b" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "airfield" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 5 + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#7a1a18" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 0, + "lon": -108.92402 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-15d", + "to": "now" + }, + "zoom": 0.47 + }, "title": "VPC Flow Action Geo Location[Filebeat AWS]", "uiStateJSON": { "isLayerTOCOpen": false, diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json b/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json index 1908bdc747b..a1b23ec8fbe 100644 --- a/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/map/dae24080-739a-11ea-a345-f985c61fe654.json @@ -1,8 +1,148 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"2c7b49fb-3fb5-4e18-b27f-fabe930971f3\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"7bfe2df9-9398-4f1a-8cf7-b57aa5f3f31e\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"topHitsSize\":1,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"a10fa758-30ad-4e2a-bf9d-472e133a7f17\",\"label\":\"CloudTrail Soure Location\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[],\"query\":{\"query\":\"event.dataset:aws.cloudtrail\",\"language\":\"kuery\"}}]", - "mapStateJSON": "{\"zoom\":1.97,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-15m\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "2c7b49fb-3fb5-4e18-b27f-fabe930971f3", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "a10fa758-30ad-4e2a-bf9d-472e133a7f17", + "joins": [], + "label": "CloudTrail Soure Location", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "event.dataset:aws.cloudtrail" + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "7bfe2df9-9398-4f1a-8cf7-b57aa5f3f31e", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-15m", + "to": "now" + }, + "zoom": 1.97 + }, "title": "CloudTrail Source Location [Filebeat AWS]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json index 406c258f164..9ac5720c6aa 100644 --- a/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json +++ b/x-pack/filebeat/module/cyberarkpas/_meta/kibana/7/dashboard/Filebeat-cyberarkpas-audit.json @@ -972,10 +972,402 @@ "embeddableConfig": { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"id\":null,\"isAutoSelect\":true},\"id\":\"a3734143-d6e1-4551-b0b1-8282a37e151b\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"label\":\"filebeat-* | Source Point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"source.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"source.ip\",\"tooltipProperties\":[\"host.name\",\"source.ip\",\"source.domain\",\"source.geo.country_iso_code\",\"source.as.organization.name\"],\"id\":\"5f2b25a1-01ea-45ca-a4a2-f1a670c3b149\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":22},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"home\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"2ad8e318-4ef4-4e89-94f2-f37e395c488c\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | Destination point\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"geoField\":\"destination.geo.location\",\"scalingType\":\"TOP_HITS\",\"topHitsSplitField\":\"destination.ip\",\"tooltipProperties\":[\"host.name\",\"destination.ip\",\"destination.domain\",\"destination.geo.country_iso_code\",\"destination.as.organization.name\"],\"id\":\"bc95f479-964f-4498-be1e-376d34a01b0a\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"filterByMapBounds\":true,\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":35},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#D36086\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":8}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"icon\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dbb878c8-4039-49f1-b2ff-ab7fb942ba55\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]},{\"label\":\"filebeat-* | Line\",\"sourceDescriptor\":{\"indexPatternId\":\"filebeat-*\",\"sourceGeoField\":\"source.geo.location\",\"destGeoField\":\"destination.geo.location\",\"metrics\":[{\"type\":\"count\"},{\"type\":\"sum\",\"field\":\"destination.bytes\"}],\"id\":\"faf6884d-b7cb-41dd-ab86-95970d7c59d2\",\"type\":\"ES_PEW_PEW\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#6092C0\"}},\"lineWidth\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":1,\"maxSize\":8,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"9c450fbf-b009-4b53-9810-2f47ca8dcfa8\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[]}]", - "mapStateJSON": "{\"zoom\":1.24,\"center\":{\"lon\":-49.38072,\"lat\":7.87497},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "a3734143-d6e1-4551-b0b1-8282a37e151b", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "id": null, + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "2ad8e318-4ef4-4e89-94f2-f37e395c488c", + "joins": [], + "label": "Filebeat index | Source Point", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "5f2b25a1-01ea-45ca-a4a2-f1a670c3b149", + "indexPatternId": "filebeat-*", + "scalingType": "TOP_HITS", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [ + "host.name", + "source.ip", + "source.domain", + "source.geo.country_iso_code", + "source.as.organization.name" + ], + "topHitsSize": 22, + "topHitsSplitField": "source.ip", + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#6092C0" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "home" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 8 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 2 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "icon" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + }, + { + "alpha": 0.75, + "id": "dbb878c8-4039-49f1-b2ff-ab7fb942ba55", + "joins": [], + "label": "Filebeat index | Destination point", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "filterByMapBounds": true, + "geoField": "destination.geo.location", + "id": "bc95f479-964f-4498-be1e-376d34a01b0a", + "indexPatternId": "filebeat-*", + "scalingType": "TOP_HITS", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [ + "host.name", + "destination.ip", + "destination.domain", + "destination.geo.country_iso_code", + "destination.as.organization.name" + ], + "topHitsSize": 35, + "topHitsSplitField": "destination.ip", + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#D36086" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 8 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 2 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "icon" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + }, + { + "alpha": 0.75, + "id": "9c450fbf-b009-4b53-9810-2f47ca8dcfa8", + "joins": [], + "label": "Filebeat index | Line", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "destGeoField": "destination.geo.location", + "id": "faf6884d-b7cb-41dd-ab86-95970d7c59d2", + "indexPatternId": "filebeat-*", + "metrics": [ + { + "type": "count" + }, + { + "field": "destination.bytes", + "type": "sum" + } + ], + "sourceGeoField": "source.geo.location", + "type": "ES_PEW_PEW" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#6092C0" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "field": { + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "maxSize": 8, + "minSize": 1 + }, + "type": "DYNAMIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 7.87497, + "lon": -49.38072 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-15w", + "to": "now" + }, + "zoom": 1.24 + }, "title": "", - "uiStateJSON": "{\"isLayerTOCOpen\":true,\"openTOCDetails\":[]}" + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } }, "enhancements": {}, "hiddenLayers": [], diff --git a/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json b/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json index 4632935ce64..fcafb6c5428 100644 --- a/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json +++ b/x-pack/filebeat/module/gcp/_meta/kibana/7/map/a97de660-73a5-11ea-a345-f985c61fe654.json @@ -1,8 +1,148 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"79ec6461-7561-45e4-a6a2-9d6fbd4cf986\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"topHitsSize\":1,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"279da950-e9a7-4287-ab37-25906e448455\",\"label\":\"Source Locations\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"joins\":[],\"query\":{\"query\":\"event.dataset:gcp.audit\",\"language\":\"kuery\"}}]", - "mapStateJSON": "{\"zoom\":1.97,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "866b5ce1-6ca0-47db-a6f2-54c5e0dcd2f0", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "279da950-e9a7-4287-ab37-25906e448455", + "joins": [], + "label": "Source Locations", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "event.dataset:gcp.audit" + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": true, + "geoField": "source.geo.location", + "id": "79ec6461-7561-45e4-a6a2-9d6fbd4cf986", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-7d", + "to": "now" + }, + "zoom": 1.97 + }, "title": "Audit Source Locations [Filebeat GCP]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json b/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json index 1c3afa633e7..bc30cc657b4 100644 --- a/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json +++ b/x-pack/filebeat/module/o365/_meta/kibana/7/map/dbae13c0-685c-11ea-8d6a-292ef5d68366.json @@ -1,8 +1,162 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"0b910b6c-77c8-4223-892a-1ebf69b0ccb4\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"id\":\"3ba31ffc-7051-44bf-96a0-a684020cd2a3\",\"geoField\":\"source.geo.location\",\"requestType\":\"point\",\"resolution\":\"FINE\",\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\",\"useCustomColorRamp\":false}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":0}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"minSize\":8,\"maxSize\":32,\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3}}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"}}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}}},\"isTimeAware\":true},\"id\":\"acc53b7b-3411-406b-9371-6fa62b6b9365\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", - "mapStateJSON": "{\"zoom\":2.88,\"center\":{\"lon\":16.67387,\"lat\":30.87292},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"event.dataset:\\\"o365.audit\\\" \",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "0b910b6c-77c8-4223-892a-1ebf69b0ccb4", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "acc53b7b-3411-406b-9371-6fa62b6b9365", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "geoField": "source.geo.location", + "id": "3ba31ffc-7051-44bf-96a0-a684020cd2a3", + "indexPatternRefName": "layer_1_source_index_pattern", + "requestType": "point", + "resolution": "FINE", + "type": "ES_GEO_GRID" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "Yellow to Red", + "colorCategory": "palette_0", + "field": { + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "type": "ORDINAL", + "useCustomColorRamp": false + }, + "type": "DYNAMIC" + }, + "icon": { + "options": { + "value": "airfield" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "field": { + "name": "doc_count", + "origin": "source" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "maxSize": 32, + "minSize": 8 + }, + "type": "DYNAMIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "field": { + "name": "doc_count", + "origin": "source" + } + }, + "type": "DYNAMIC" + }, + "lineColor": { + "options": { + "color": "#FFF" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 0 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 30.87292, + "lon": 16.67387 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset:\"o365.audit\" " + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-7d", + "to": "now" + }, + "zoom": 2.88 + }, "title": "Client Geo Map [Filebeat o365 audit]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json b/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json index 8e84bedce4a..1daf57ec1d8 100644 --- a/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json +++ b/x-pack/filebeat/module/okta/_meta/kibana/7/map/281ca660-67b1-11ea-a76f-bf44814e437d.json @@ -1,8 +1,169 @@ { "attributes": { "description": "", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"geoField\":\"client.geo.location\",\"filterByMapBounds\":false,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSize\":1,\"applyGlobalQuery\":true,\"indexPatternRefName\":\"layer_1_source_index_pattern\",\"scalingType\":\"LIMIT\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"event.dataset : \\\"okta.system\\\" \",\"language\":\"kuery\"}}]", - "mapStateJSON": "{\"zoom\":2.75,\"center\":{\"lon\":-44.69098,\"lat\":26.54701},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"filebeat-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"okta.system\"}}}],\"settings\":{\"autoFitToDataBounds\":false}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "6908e81b-1695-4445-aee4-8bc8c9f65600", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": {}, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "dc52e707-92d7-4de7-becf-a3a8bfaa2c2d", + "label": "Okta ", + "maxZoom": 24, + "minZoom": 0, + "query": { + "language": "kuery", + "query": "event.dataset : \"okta.system\" " + }, + "sourceDescriptor": { + "applyGlobalQuery": true, + "filterByMapBounds": false, + "geoField": "client.geo.location", + "id": "4b8bd321-4b90-4d97-83e0-2b12bf091f66", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [], + "topHitsSize": 1, + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#54B399" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 26.54701, + "lon": -44.69098 + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "filebeat-*", + "key": "event.dataset", + "negate": false, + "params": { + "query": "okta.system" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "okta.system" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": false + }, + "settings": { + "autoFitToDataBounds": false + }, + "timeFilters": { + "from": "now-15w", + "to": "now" + }, + "zoom": 2.75 + }, "title": "Geolocation [Filebeat Okta]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json index a5db3f4515c..63e7825a56b 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/63365b50-82aa-11eb-ac13-d5ca87cb8fa2.json @@ -1,8 +1,184 @@ { "attributes": { "description": "Origin country of the indicator ingested by the threat intel Filebeat module.", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"ea2479ec-b43e-4377-a068-91d93265081d\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"81d209f7-b068-4b0d-90f4-baf9a3eefb55\",\"indexPatternTitle\":\"filebeat-*\",\"term\":\"threatintel.indicator.geo.country_iso_code\",\"metrics\":[{\"type\":\"count\"}],\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"indexPatternRefName\":\"layer_1_join_0_index_pattern\"}}],\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\"]},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}},\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"color\":\"Yellow to Red\",\"colorCategory\":\"palette_0\",\"field\":{\"name\":\"__kbnjoin__count__81d209f7-b068-4b0d-90f4-baf9a3eefb55\",\"origin\":\"join\"},\"fieldMetaOptions\":{\"isEnabled\":true,\"sigma\":3},\"type\":\"ORDINAL\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#3d3d3d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"66df8b3a-7f7c-4969-929e-2c1ac5b64584\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\"}]", - "mapStateJSON": "{\"zoom\":2.08,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-30d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "ea2479ec-b43e-4377-a068-91d93265081d", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "66df8b3a-7f7c-4969-929e-2c1ac5b64584", + "joins": [ + { + "leftField": "iso2", + "right": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "id": "81d209f7-b068-4b0d-90f4-baf9a3eefb55", + "indexPatternRefName": "layer_1_join_0_index_pattern", + "indexPatternTitle": "filebeat-*", + "metrics": [ + { + "type": "count" + } + ], + "term": "threatintel.indicator.geo.country_iso_code", + "type": "ES_TERM_SOURCE" + } + } + ], + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "id": "world_countries", + "tooltipProperties": [ + "name" + ], + "type": "EMS_FILE" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "Yellow to Red", + "colorCategory": "palette_0", + "field": { + "name": "__kbnjoin__count__81d209f7-b068-4b0d-90f4-baf9a3eefb55", + "origin": "join" + }, + "fieldMetaOptions": { + "isEnabled": true, + "sigma": 3 + }, + "type": "ORDINAL" + }, + "type": "DYNAMIC" + }, + "icon": { + "options": { + "value": "marker" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#3d3d3d" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showSpatialFilters": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-30d", + "to": "now" + }, + "zoom": 2.08 + }, "title": "Indicator Origin Country [Filebeat Threat Intel]", "uiStateJSON": { "isLayerTOCOpen": true, diff --git a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json index 6f7918fe90d..8100b60e6b3 100644 --- a/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json +++ b/x-pack/filebeat/module/threatintel/_meta/kibana/7/map/ec5aa090-df42-11eb-8f2b-753caedf727d.json @@ -1,8 +1,174 @@ { "attributes": { "description": "Geographic location of Anomali indicators ingested by the threat intel Filebeat module.", - "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"9027343a-f725-4467-9b08-8566ad0b2a52\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{\"type\":\"TILE\"},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"geoField\":\"threatintel.indicator.geo.location\",\"filterByMapBounds\":true,\"scalingType\":\"LIMIT\",\"id\":\"a3ecc6af-0299-4cb9-a29c-0b70f666b011\",\"type\":\"ES_SEARCH\",\"applyGlobalQuery\":true,\"applyGlobalTime\":true,\"tooltipProperties\":[\"threatintel.indicator.as.number\",\"threatintel.indicator.as.organization.name\",\"threatintel.indicator.geo.country_iso_code\"],\"sortField\":\"\",\"sortOrder\":\"desc\",\"topHitsSplitField\":\"\",\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"id\":\"83ede860-fe89-43c9-8e74-fa2703efbb85\",\"label\":\"Indicator Geographic Location\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"danger\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#D36086\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"type\":\"VECTOR\",\"joins\":[]}]", - "mapStateJSON": "{\"zoom\":2.08,\"center\":{\"lon\":0,\"lat\":19.94277},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"query\":\"event.dataset:\\\"threatintel.anomalithreatstream\\\" \",\"language\":\"kuery\"},\"filters\":[],\"settings\":{\"autoFitToDataBounds\":false,\"backgroundColor\":\"#ffffff\",\"disableInteractive\":false,\"disableTooltipControl\":false,\"hideToolbarOverlay\":false,\"hideLayerControl\":false,\"hideViewControl\":false,\"initialLocation\":\"LAST_SAVED_LOCATION\",\"fixedLocation\":{\"lat\":0,\"lon\":0,\"zoom\":2},\"browserLocation\":{\"zoom\":2},\"maxZoom\":24,\"minZoom\":0,\"showScaleControl\":false,\"showSpatialFilters\":true,\"spatialFiltersAlpa\":0.3,\"spatialFiltersFillColor\":\"#DA8B45\",\"spatialFiltersLineColor\":\"#DA8B45\"}}", + "layerListJSON": [ + { + "alpha": 1, + "id": "9027343a-f725-4467-9b08-8566ad0b2a52", + "label": null, + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "isAutoSelect": true, + "type": "EMS_TMS" + }, + "style": { + "type": "TILE" + }, + "type": "VECTOR_TILE", + "visible": true + }, + { + "alpha": 0.75, + "id": "83ede860-fe89-43c9-8e74-fa2703efbb85", + "joins": [], + "label": "Indicator Geographic Location", + "maxZoom": 24, + "minZoom": 0, + "sourceDescriptor": { + "applyGlobalQuery": true, + "applyGlobalTime": true, + "filterByMapBounds": true, + "geoField": "threatintel.indicator.geo.location", + "id": "a3ecc6af-0299-4cb9-a29c-0b70f666b011", + "indexPatternRefName": "layer_1_source_index_pattern", + "scalingType": "LIMIT", + "sortField": "", + "sortOrder": "desc", + "tooltipProperties": [ + "threatintel.indicator.as.number", + "threatintel.indicator.as.organization.name", + "threatintel.indicator.geo.country_iso_code" + ], + "topHitsSize": 1, + "topHitsSplitField": "", + "type": "ES_SEARCH" + }, + "style": { + "isTimeAware": true, + "properties": { + "fillColor": { + "options": { + "color": "#D36086" + }, + "type": "STATIC" + }, + "icon": { + "options": { + "value": "danger" + }, + "type": "STATIC" + }, + "iconOrientation": { + "options": { + "orientation": 0 + }, + "type": "STATIC" + }, + "iconSize": { + "options": { + "size": 6 + }, + "type": "STATIC" + }, + "labelBorderColor": { + "options": { + "color": "#FFFFFF" + }, + "type": "STATIC" + }, + "labelBorderSize": { + "options": { + "size": "SMALL" + } + }, + "labelColor": { + "options": { + "color": "#000000" + }, + "type": "STATIC" + }, + "labelSize": { + "options": { + "size": 14 + }, + "type": "STATIC" + }, + "labelText": { + "options": { + "value": "" + }, + "type": "STATIC" + }, + "lineColor": { + "options": { + "color": "#41937c" + }, + "type": "STATIC" + }, + "lineWidth": { + "options": { + "size": 1 + }, + "type": "STATIC" + }, + "symbolizeAs": { + "options": { + "value": "circle" + } + } + }, + "type": "VECTOR" + }, + "type": "VECTOR", + "visible": true + } + ], + "mapStateJSON": { + "center": { + "lat": 19.94277, + "lon": 0 + }, + "filters": [], + "query": { + "language": "kuery", + "query": "event.dataset:\"threatintel.anomalithreatstream\" " + }, + "refreshConfig": { + "interval": 0, + "isPaused": true + }, + "settings": { + "autoFitToDataBounds": false, + "backgroundColor": "#ffffff", + "browserLocation": { + "zoom": 2 + }, + "disableInteractive": false, + "disableTooltipControl": false, + "fixedLocation": { + "lat": 0, + "lon": 0, + "zoom": 2 + }, + "hideLayerControl": false, + "hideToolbarOverlay": false, + "hideViewControl": false, + "initialLocation": "LAST_SAVED_LOCATION", + "maxZoom": 24, + "minZoom": 0, + "showScaleControl": false, + "showSpatialFilters": true, + "spatialFiltersAlpa": 0.3, + "spatialFiltersFillColor": "#DA8B45", + "spatialFiltersLineColor": "#DA8B45" + }, + "timeFilters": { + "from": "now-7d", + "to": "now" + }, + "zoom": 2.08 + }, "title": "Anomali Indicator Geographic Location [Filebeat Threat Intel]", "uiStateJSON": { "isLayerTOCOpen": true, From 4fbd87e0eb2054ea653b89d1d11131c987e12f6c Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 15 Sep 2021 11:26:47 +0200 Subject: [PATCH 05/12] Filebeat: Have filesets disabled unless explicitly configured (#27526) This changes fileset loading so that only filesets that are explicitly defined in the configuration are enabled. Until now, an enabled module will have all its filesets enabled unless explicitly disabled, which makes for a bad user experience with modules that contain a lot of filesets. Closes #17256 --- CHANGELOG.next.asciidoc | 1 + filebeat/autodiscover/builder/hints/logs.go | 2 +- filebeat/beater/filebeat.go | 13 ++ .../docs/filebeat-modules-options.asciidoc | 4 + filebeat/fileset/modules.go | 75 +++++--- filebeat/fileset/modules_integration_test.go | 8 +- filebeat/fileset/modules_test.go | 180 +++++++++++++++++- 7 files changed, 252 insertions(+), 31 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 7cc705a8a8f..3381464cd39 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -85,6 +85,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add option for S3 input to work without SQS notification {issue}18205[18205] {pull}27332[27332] - Fix Crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623] - Rename `log.path` to `log.file.path` in filestream to be consistent with `log` input and ECS. {pull}27761[27761] +- Only filesets that are explicitly configured will be enabled. {issue}17256[17256] {pull}27526[27526] *Heartbeat* - Remove long deprecated `watch_poll` functionality. {pull}27166[27166] diff --git a/filebeat/autodiscover/builder/hints/logs.go b/filebeat/autodiscover/builder/hints/logs.go index 4fb86cd9e18..5a09bb41780 100644 --- a/filebeat/autodiscover/builder/hints/logs.go +++ b/filebeat/autodiscover/builder/hints/logs.go @@ -201,7 +201,7 @@ func (l *logHints) getFilesets(hints common.MapStr, module string) map[string]*f var configured bool filesets := make(map[string]*filesetConfig) - moduleFilesets, err := l.registry.ModuleFilesets(module) + moduleFilesets, err := l.registry.ModuleAvailableFilesets(module) if err != nil { logp.Err("Error retrieving module filesets: %+v", err) return nil diff --git a/filebeat/beater/filebeat.go b/filebeat/beater/filebeat.go index a66a674b525..435161bb9f4 100644 --- a/filebeat/beater/filebeat.go +++ b/filebeat/beater/filebeat.go @@ -113,6 +113,19 @@ func newBeater(b *beat.Beat, plugins PluginFactory, rawConfig *common.Config) (b } if !moduleRegistry.Empty() { logp.Info("Enabled modules/filesets: %s", moduleRegistry.InfoString()) + for _, mod := range moduleRegistry.ModuleNames() { + if mod == "" { + continue + } + filesets, err := moduleRegistry.ModuleConfiguredFilesets(mod) + if err != nil { + logp.Err("Failed listing filesets for module %s", mod) + continue + } + if len(filesets) == 0 { + logp.Warn("Module %s is enabled but has no enabled filesets", mod) + } + } } moduleInputs, err := moduleRegistry.GetInputConfigs() diff --git a/filebeat/docs/filebeat-modules-options.asciidoc b/filebeat/docs/filebeat-modules-options.asciidoc index 643f964080d..80b87e14f12 100644 --- a/filebeat/docs/filebeat-modules-options.asciidoc +++ b/filebeat/docs/filebeat-modules-options.asciidoc @@ -75,8 +75,12 @@ The following example shows a configuration that runs the `nginx`,`mysql`, and ---- {beatname_lc}.modules: - module: nginx + access: + error: - module: mysql + slowlog: - module: system + auth: ---- [[advanced-settings]] diff --git a/filebeat/fileset/modules.go b/filebeat/fileset/modules.go index 3df41999f8f..72c8d17cb25 100644 --- a/filebeat/fileset/modules.go +++ b/filebeat/fileset/modules.go @@ -69,33 +69,13 @@ func newModuleRegistry(modulesPath string, return nil, fmt.Errorf("error getting filesets for module %s: %v", mcfg.Module, err) } - for _, filesetName := range moduleFilesets { - fcfg, exists := mcfg.Filesets[filesetName] - if !exists { - fcfg = &FilesetConfig{} - } + for filesetName, fcfg := range mcfg.Filesets { fcfg, err = applyOverrides(fcfg, mcfg.Module, filesetName, overrides) if err != nil { return nil, fmt.Errorf("error applying overrides on fileset %s/%s: %v", mcfg.Module, filesetName, err) } - if fcfg.Enabled != nil && !(*fcfg.Enabled) { - continue - } - - fileset, err := New(modulesPath, filesetName, mcfg, fcfg) - if err != nil { - return nil, err - } - if err = fileset.Read(beatInfo); err != nil { - return nil, fmt.Errorf("error reading fileset %s/%s: %v", mcfg.Module, filesetName, err) - } - reg.registry[mcfg.Module][filesetName] = fileset - } - - // check that no extra filesets are configured - for filesetName, fcfg := range mcfg.Filesets { if fcfg.Enabled != nil && !(*fcfg.Enabled) { continue } @@ -108,6 +88,15 @@ func newModuleRegistry(modulesPath string, if !found { return nil, fmt.Errorf("fileset %s/%s is configured but doesn't exist", mcfg.Module, filesetName) } + + fileset, err := New(modulesPath, filesetName, mcfg, fcfg) + if err != nil { + return nil, err + } + if err = fileset.Read(beatInfo); err != nil { + return nil, fmt.Errorf("error reading fileset %s/%s: %v", mcfg.Module, filesetName, err) + } + reg.registry[mcfg.Module][filesetName] = fileset } } @@ -152,9 +141,30 @@ func NewModuleRegistry(moduleConfigs []*common.Config, beatInfo beat.Info, init return nil, err } + enableFilesetsFromOverrides(mcfgs, modulesOverrides) return newModuleRegistry(modulesPath, mcfgs, modulesOverrides, beatInfo) } +// enableFilesetsFromOverrides enables in mcfgs the filesets mentioned in overrides, +// so that the overridden configuration can be applied. +func enableFilesetsFromOverrides(mcfgs []*ModuleConfig, overrides *ModuleOverrides) { + if overrides == nil { + return + } + for _, mcfg := range mcfgs { + if modOvr, ok := (*overrides)[mcfg.Module]; ok { + for fset := range modOvr { + if _, ok = mcfg.Filesets[fset]; !ok { + if mcfg.Filesets == nil { + mcfg.Filesets = make(map[string]*FilesetConfig) + } + mcfg.Filesets[fset] = &FilesetConfig{} + } + } + } + } +} + func mcfgFromConfig(cfg *common.Config) (*ModuleConfig, error) { var mcfg ModuleConfig @@ -171,11 +181,18 @@ func mcfgFromConfig(cfg *common.Config) (*ModuleConfig, error) { } mcfg.Filesets = map[string]*FilesetConfig{} - for name, filesetConfig := range dict { + + // This calls cfg.GetFields() instead of iterating over `dict` keys + // because cfg.Unpack above doesn't return keys that map to a nil value, + // but GetFields() returns all keys. We need to observe filesets that + // don't contain any configuration (all default values). + for _, name := range cfg.GetFields() { if name == "module" || name == "enabled" || name == "path" { continue } + filesetConfig, _ := dict[name] // Nil config if name is not present. + tmpCfg, err := common.NewConfigFrom(filesetConfig) if err != nil { return nil, fmt.Errorf("error creating config from fileset %s/%s: %v", mcfg.Module, name, err) @@ -400,9 +417,19 @@ func (reg *ModuleRegistry) ModuleNames() []string { return modules } -// ModuleFilesets return the list of available filesets for the given module +// ModuleAvailableFilesets return the list of available filesets for the given module // it returns an empty list if the module doesn't exist -func (reg *ModuleRegistry) ModuleFilesets(module string) ([]string, error) { +func (reg *ModuleRegistry) ModuleAvailableFilesets(module string) ([]string, error) { modulesPath := paths.Resolve(paths.Home, "module") return getModuleFilesets(modulesPath, module) } + +// ModuleConfiguredFilesets return the list of configured filesets for the given module +// it returns an empty list if the module doesn't exist +func (reg *ModuleRegistry) ModuleConfiguredFilesets(module string) (list []string, err error) { + filesets, _ := reg.registry[module] + for name := range filesets { + list = append(list, name) + } + return +} diff --git a/filebeat/fileset/modules_integration_test.go b/filebeat/fileset/modules_integration_test.go index 7afd9bbb547..4d5a79a9426 100644 --- a/filebeat/fileset/modules_integration_test.go +++ b/filebeat/fileset/modules_integration_test.go @@ -105,7 +105,13 @@ func TestSetupNginx(t *testing.T) { require.NoError(t, err) configs := []*ModuleConfig{ - {Module: "nginx"}, + { + Module: "nginx", + Filesets: map[string]*FilesetConfig{ + "error": {}, + "access": {}, + }, + }, } reg, err := newModuleRegistry(modulesPath, configs, nil, makeTestInfo("5.2.0")) diff --git a/filebeat/fileset/modules_test.go b/filebeat/fileset/modules_test.go index f69db27648c..7fe2e32aaab 100644 --- a/filebeat/fileset/modules_test.go +++ b/filebeat/fileset/modules_test.go @@ -45,11 +45,39 @@ func TestNewModuleRegistry(t *testing.T) { modulesPath, err := filepath.Abs("../module") require.NoError(t, err) + falseVar := false + configs := []*ModuleConfig{ - {Module: "nginx"}, - {Module: "mysql"}, - {Module: "system"}, - {Module: "auditd"}, + { + Module: "nginx", + Filesets: map[string]*FilesetConfig{ + "access": {}, + "error": {}, + "ingress_controller": { + Enabled: &falseVar, + }, + }, + }, + { + Module: "mysql", + Filesets: map[string]*FilesetConfig{ + "slowlog": {}, + "error": {}, + }, + }, + { + Module: "system", + Filesets: map[string]*FilesetConfig{ + "syslog": {}, + "auth": {}, + }, + }, + { + Module: "auditd", + Filesets: map[string]*FilesetConfig{ + "log": {}, + }, + }, } reg, err := newModuleRegistry(modulesPath, configs, nil, beat.Info{Version: "5.2.0"}) @@ -58,7 +86,7 @@ func TestNewModuleRegistry(t *testing.T) { expectedModules := map[string][]string{ "auditd": {"log"}, - "nginx": {"access", "error", "ingress_controller"}, + "nginx": {"access", "error"}, "mysql": {"slowlog", "error"}, "system": {"syslog", "auth"}, } @@ -374,6 +402,19 @@ func TestMcfgFromConfig(t *testing.T) { }, }, }, + { + name: "empty fileset (nil)", + config: load(t, map[string]interface{}{ + "module": "nginx", + "error": nil, + }), + expected: ModuleConfig{ + Module: "nginx", + Filesets: map[string]*FilesetConfig{ + "error": {}, + }, + }, + }, } for _, test := range tests { @@ -451,3 +492,132 @@ func TestInterpretError(t *testing.T) { }) } } + +func TestEnableFilesetsFromOverrides(t *testing.T) { + tests := []struct { + Name string + Cfg []*ModuleConfig + Overrides *ModuleOverrides + Expected []*ModuleConfig + }{ + { + Name: "add fileset", + Cfg: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + Overrides: &ModuleOverrides{ + "foo": { + "baz": nil, + }, + }, + Expected: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + "baz": {}, + }, + }, + }, + }, + { + Name: "defined fileset", + Cfg: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": { + Var: map[string]interface{}{ + "a": "b", + }, + }, + }, + }, + }, + Overrides: &ModuleOverrides{ + "foo": { + "bar": nil, + }, + }, + Expected: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": { + Var: map[string]interface{}{ + "a": "b", + }, + }, + }, + }, + }, + }, + { + Name: "disabled module", + Cfg: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + Overrides: &ModuleOverrides{ + "other": { + "bar": nil, + }, + }, + Expected: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + }, + { + Name: "nil overrides", + Cfg: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + Overrides: nil, + Expected: []*ModuleConfig{ + { + Module: "foo", + Filesets: map[string]*FilesetConfig{ + "bar": {}, + }, + }, + }, + }, + { + Name: "no modules", + Cfg: nil, + Overrides: &ModuleOverrides{ + "other": { + "bar": nil, + }, + }, + Expected: nil, + }, + } + + for _, test := range tests { + t.Run(test.Name, func(t *testing.T) { + enableFilesetsFromOverrides(test.Cfg, test.Overrides) + assert.Equal(t, test.Expected, test.Cfg) + }) + } + +} From dac239129d7ceb7783c5ab4e1bfe6cecc3321c29 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Wed, 15 Sep 2021 12:04:58 +0200 Subject: [PATCH 06/12] Skip filestream flaky tests (#27896) --- filebeat/input/filestream/parsers_integration_test.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/filebeat/input/filestream/parsers_integration_test.go b/filebeat/input/filestream/parsers_integration_test.go index aab501ca146..87f592c0849 100644 --- a/filebeat/input/filestream/parsers_integration_test.go +++ b/filebeat/input/filestream/parsers_integration_test.go @@ -247,6 +247,8 @@ The total should be 4 lines covered // test_rabbitmq_multiline_log from test_multiline.py func TestParsersRabbitMQMultilineLog(t *testing.T) { + t.Skip("Flaky test: https://github.com/elastic/beats/issues/27893") + env := newInputTestingEnvironment(t) testlogName := "test.log" @@ -291,6 +293,8 @@ connection <0.23893.109>, channel 3 - soft error: // test_max_lines from test_multiline.py func TestParsersMultilineMaxLines(t *testing.T) { + t.Skip("Flaky test: https://github.com/elastic/beats/issues/27894") + env := newInputTestingEnvironment(t) testlogName := "test.log" @@ -501,6 +505,8 @@ func TestParsersCloseTimeoutWithMultiline(t *testing.T) { // test_consecutive_newline from test_multiline.py func TestParsersConsecutiveNewline(t *testing.T) { + t.Skip("Flaky test: https://github.com/elastic/beats/issues/27085") + env := newInputTestingEnvironment(t) testlogName := "test.log" From cdc613d3e7b7c55a3d48b9bcdee22eb5a3995582 Mon Sep 17 00:00:00 2001 From: Philipp Kahr Date: Wed, 15 Sep 2021 12:23:42 +0200 Subject: [PATCH 07/12] Filebeat module sophos documentation fixes (#27831) Two fixes for docs: - Sophos setting to correct output type - Updated link to Sophos documentation and added version 18.5 --- filebeat/docs/modules/sophos.asciidoc | 8 ++++---- x-pack/filebeat/module/sophos/_meta/docs.asciidoc | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/filebeat/docs/modules/sophos.asciidoc b/filebeat/docs/modules/sophos.asciidoc index 510afde1f65..35438478d5d 100644 --- a/filebeat/docs/modules/sophos.asciidoc +++ b/filebeat/docs/modules/sophos.asciidoc @@ -16,17 +16,17 @@ logs in syslog format or from a file for the following devices: - `xg` fileset: supports Sophos XG SFOS logs. - `utm` fileset: supports Sophos UTM logs. -To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. +To configure a remote syslog destination, please reference the https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html[SophosXG/SFOS Documentation]. -The syslog format choosen should be `Default`. +The syslog format choosen in Sophos configuration should be `Central Reporting Format`. include::../include/gs-link.asciidoc[] [float] === Compatibility -This module has been tested against SFOS version 17.5.x and 18.0.x. -Versions above this are expected to work but have not been tested. +This module has been tested against SFOS version 17.5.x, 18.0.x, and 18.5.x. +Versions above this and between 18.0 - 18.5 are expected to work but have not been tested. include::../include/configuring-intro.asciidoc[] diff --git a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc index 58d9add8037..19b6df5e14a 100644 --- a/x-pack/filebeat/module/sophos/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/sophos/_meta/docs.asciidoc @@ -11,17 +11,17 @@ logs in syslog format or from a file for the following devices: - `xg` fileset: supports Sophos XG SFOS logs. - `utm` fileset: supports Sophos UTM logs. -To configure a remote syslog destination, please reference the https://community.sophos.com/kb/en-us/123184[SophosXG/SFOS Documentation]. +To configure a remote syslog destination, please reference the https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/SyslogServerAdd.html[SophosXG/SFOS Documentation]. -The syslog format choosen should be `Default`. +The syslog format choosen in Sophos configuration should be `Central Reporting Format`. include::../include/gs-link.asciidoc[] [float] === Compatibility -This module has been tested against SFOS version 17.5.x and 18.0.x. -Versions above this are expected to work but have not been tested. +This module has been tested against SFOS version 17.5.x, 18.0.x, and 18.5.x. +Versions above this and between 18.0 - 18.5 are expected to work but have not been tested. include::../include/configuring-intro.asciidoc[] From f9524650a8d06e8de8fd0e38d58277da38a65694 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Wed, 15 Sep 2021 07:03:15 -0400 Subject: [PATCH 08/12] [libbeat] Fix decode_xml array handling when lowercasing keys (#27922) Arrays were not being merged properly when the element name was mixed-case and `to_lower: true` was set in the config (the default). --- CHANGELOG.next.asciidoc | 1 + libbeat/common/encoding/xml/decode.go | 2 +- libbeat/common/encoding/xml/decode_test.go | 14 +++++--- .../processors/decode_xml/decode_xml_test.go | 35 +++++++++++++++++++ 4 files changed, 47 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 3381464cd39..1b736cdcc2a 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -210,6 +210,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Do not try to load ILM policy if `check_exists` is `false`. {pull}27508[27508] {issue}26322[26322] - Fix bug with cgroups hierarchy override path in cgroups {pull}27620[27620] - Beat `setup kibana` command may use the elasticsearch API key defined in `output.elasticsearch.api_key`. {issue}24015[24015] {pull}27540[27540] +- Fix `decode_xml` handling of array merging when using `to_lower: true`. {pull}27922[27922] - Seperate namespaces for V1 and V2 controller paths {pull}27676[27676] - Beats dashboards use custom index when `setup.dashboards.index` is set. {issue}21232[21232] {pull}27901[27901] diff --git a/libbeat/common/encoding/xml/decode.go b/libbeat/common/encoding/xml/decode.go index 665c0608f67..8fcc790ca5c 100644 --- a/libbeat/common/encoding/xml/decode.go +++ b/libbeat/common/encoding/xml/decode.go @@ -80,7 +80,7 @@ func (d *Decoder) decode(attrs []xml.Attr) (string, map[string]interface{}, erro // Add the data to the current object while taking into account // if the current key already exists (in the case of lists). key := d.key(elem.Name.Local) - value := elements[elem.Name.Local] + value := elements[key] switch v := value.(type) { case nil: elements[key] = add diff --git a/libbeat/common/encoding/xml/decode_test.go b/libbeat/common/encoding/xml/decode_test.go index 277972e56da..9dd585ac6d7 100644 --- a/libbeat/common/encoding/xml/decode_test.go +++ b/libbeat/common/encoding/xml/decode_test.go @@ -366,10 +366,16 @@ func ExampleDecoder_Decode() { // "event": { // "eventdata": { // "binary": "770069006E006C006F00670062006500610074002F0034000000", - // "data": { - // "#text": "running", - // "name": "param2" - // } + // "data": [ + // { + // "#text": "winlogbeat", + // "name": "param1" + // }, + // { + // "#text": "running", + // "name": "param2" + // } + // ] // }, // "processingerrordata": { // "dataitemname": "shellId", diff --git a/libbeat/processors/decode_xml/decode_xml_test.go b/libbeat/processors/decode_xml/decode_xml_test.go index 04c3c8847ed..83ef61ea226 100644 --- a/libbeat/processors/decode_xml/decode_xml_test.go +++ b/libbeat/processors/decode_xml/decode_xml_test.go @@ -176,6 +176,41 @@ func TestDecodeXML(t *testing.T) { }, }, }, + { + description: "Decoding with an array and mixed-case keys", + config: decodeXMLConfig{ + Field: "message", + ToLower: true, + }, + Input: common.MapStr{ + "message": ` + + + N/A + + + N/A + + + `, + }, + Output: common.MapStr{ + "message": common.MapStr{ + "auditbase": map[string]interface{}{ + "contextcomponents": map[string]interface{}{ + "component": []interface{}{ + map[string]interface{}{ + "relyingparty": "N/A", + }, + map[string]interface{}{ + "primaryauth": "N/A", + }, + }, + }, + }, + }, + }, + }, { description: "Decoding with multiple xml objects", config: decodeXMLConfig{ From ba9eebf2f62f3a827008dbfaf0f814464b0a63f9 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Wed, 15 Sep 2021 15:31:22 +0200 Subject: [PATCH 09/12] Filebeat: Make all filesets disabled in default configuration (#27762) What does this PR do? Changes the default configuration for Filebeat's filesets to make them disabled by default (enabled: false). Adds a check to the config and update targets of mage to check that default configurations have an explicit disable: > error: in file 'modules.d/checkpoint.yml.disabled': checkpoint module > dataset firewall must be explicitly disabled (needs enabled: false) Why is it important? The previous default of having all filesets enabled, paired with the configuration loader enabling all non-explicitly-disabled filesets (changed in #27526) has been causing trouble for our users for quite some time. --- CHANGELOG.next.asciidoc | 1 + dev-tools/mage/modules.go | 70 +++++ filebeat/docs/getting-started.asciidoc | 5 +- filebeat/filebeat.reference.yml | 30 +- filebeat/magefile.go | 1 + filebeat/module/apache/_meta/config.yml | 4 +- filebeat/module/auditd/_meta/config.yml | 2 +- .../module/elasticsearch/_meta/config.yml | 10 +- filebeat/module/haproxy/_meta/config.yml | 2 +- filebeat/module/icinga/_meta/config.yml | 6 +- filebeat/module/iis/_meta/config.yml | 6 +- filebeat/module/kafka/_meta/config.yml | 2 +- filebeat/module/kibana/_meta/config.yml | 4 +- filebeat/module/logstash/_meta/config.yml | 4 +- filebeat/module/mongodb/_meta/config.yml | 2 +- filebeat/module/mysql/_meta/config.yml | 4 +- filebeat/module/nats/_meta/config.yml | 2 +- filebeat/module/nginx/_meta/config.yml | 4 +- .../module/osquery/_meta/config.reference.yml | 6 +- filebeat/module/osquery/_meta/config.yml | 2 +- filebeat/module/pensando/_meta/config.yml | 2 +- filebeat/module/postgresql/_meta/config.yml | 2 +- filebeat/module/redis/_meta/config.yml | 4 +- filebeat/module/santa/_meta/config.yml | 2 +- filebeat/module/system/_meta/config.yml | 4 +- filebeat/module/traefik/_meta/config.yml | 2 +- filebeat/modules.d/apache.yml.disabled | 4 +- filebeat/modules.d/auditd.yml.disabled | 2 +- filebeat/modules.d/elasticsearch.yml.disabled | 10 +- filebeat/modules.d/haproxy.yml.disabled | 2 +- filebeat/modules.d/icinga.yml.disabled | 6 +- filebeat/modules.d/iis.yml.disabled | 6 +- filebeat/modules.d/kafka.yml.disabled | 2 +- filebeat/modules.d/kibana.yml.disabled | 4 +- filebeat/modules.d/logstash.yml.disabled | 4 +- filebeat/modules.d/mongodb.yml.disabled | 2 +- filebeat/modules.d/mysql.yml.disabled | 4 +- filebeat/modules.d/nats.yml.disabled | 2 +- filebeat/modules.d/nginx.yml.disabled | 4 +- filebeat/modules.d/osquery.yml.disabled | 2 +- filebeat/modules.d/pensando.yml.disabled | 2 +- filebeat/modules.d/postgresql.yml.disabled | 2 +- filebeat/modules.d/redis.yml.disabled | 4 +- filebeat/modules.d/santa.yml.disabled | 2 +- filebeat/modules.d/system.yml.disabled | 4 +- filebeat/modules.d/traefik.yml.disabled | 2 +- x-pack/filebeat/filebeat.reference.yml | 284 +++++++++--------- x-pack/filebeat/magefile.go | 1 + .../filebeat/module/activemq/_meta/config.yml | 4 +- x-pack/filebeat/module/azure/_meta/config.yml | 2 +- .../module/barracuda/_meta/config.yml | 4 +- .../filebeat/module/bluecoat/_meta/config.yml | 2 +- x-pack/filebeat/module/cef/_meta/config.yml | 2 +- .../module/checkpoint/_meta/config.yml | 2 +- x-pack/filebeat/module/cisco/_meta/config.yml | 14 +- .../filebeat/module/coredns/_meta/config.yml | 2 +- .../module/crowdstrike/_meta/config.yml | 2 +- .../filebeat/module/cyberark/_meta/config.yml | 2 +- .../module/cyberarkpas/_meta/config.yml | 2 +- .../filebeat/module/cylance/_meta/config.yml | 2 +- .../module/envoyproxy/_meta/config.yml | 2 +- x-pack/filebeat/module/f5/_meta/config.yml | 4 +- .../filebeat/module/fortinet/_meta/config.yml | 8 +- x-pack/filebeat/module/gcp/_meta/config.yml | 6 +- .../module/google_workspace/_meta/config.yml | 12 +- .../module/googlecloud/_meta/config.yml | 6 +- .../filebeat/module/gsuite/_meta/config.yml | 12 +- x-pack/filebeat/module/ibmmq/_meta/config.yml | 2 +- .../filebeat/module/imperva/_meta/config.yml | 2 +- .../filebeat/module/infoblox/_meta/config.yml | 2 +- .../filebeat/module/iptables/_meta/config.yml | 2 +- .../filebeat/module/juniper/_meta/config.yml | 6 +- .../module/microsoft/_meta/config.yml | 6 +- x-pack/filebeat/module/misp/_meta/config.yml | 2 +- x-pack/filebeat/module/mssql/_meta/config.yml | 2 +- .../module/mysqlenterprise/_meta/config.yml | 2 +- .../filebeat/module/netflow/_meta/config.yml | 2 +- .../filebeat/module/netscout/_meta/config.yml | 2 +- x-pack/filebeat/module/o365/_meta/config.yml | 2 +- x-pack/filebeat/module/okta/_meta/config.yml | 2 +- .../filebeat/module/oracle/_meta/config.yml | 2 +- x-pack/filebeat/module/panw/_meta/config.yml | 2 +- .../module/proofpoint/_meta/config.yml | 2 +- .../filebeat/module/rabbitmq/_meta/config.yml | 2 +- .../filebeat/module/radware/_meta/config.yml | 2 +- x-pack/filebeat/module/snort/_meta/config.yml | 2 +- x-pack/filebeat/module/snyk/_meta/config.yml | 4 +- .../module/sonicwall/_meta/config.yml | 2 +- .../filebeat/module/sophos/_meta/config.yml | 4 +- x-pack/filebeat/module/squid/_meta/config.yml | 2 +- .../filebeat/module/suricata/_meta/config.yml | 2 +- .../module/threatintel/_meta/config.yml | 16 +- .../filebeat/module/tomcat/_meta/config.yml | 2 +- x-pack/filebeat/module/zeek/_meta/config.yml | 78 ++--- .../module/zookeeper/_meta/config.yml | 4 +- x-pack/filebeat/module/zoom/_meta/config.yml | 2 +- .../filebeat/module/zscaler/_meta/config.yml | 2 +- .../filebeat/modules.d/activemq.yml.disabled | 4 +- x-pack/filebeat/modules.d/azure.yml.disabled | 2 +- .../filebeat/modules.d/barracuda.yml.disabled | 4 +- .../filebeat/modules.d/bluecoat.yml.disabled | 2 +- x-pack/filebeat/modules.d/cef.yml.disabled | 2 +- .../modules.d/checkpoint.yml.disabled | 2 +- x-pack/filebeat/modules.d/cisco.yml.disabled | 14 +- .../filebeat/modules.d/coredns.yml.disabled | 2 +- .../modules.d/crowdstrike.yml.disabled | 2 +- .../filebeat/modules.d/cyberark.yml.disabled | 2 +- .../modules.d/cyberarkpas.yml.disabled | 2 +- .../filebeat/modules.d/cylance.yml.disabled | 2 +- .../modules.d/envoyproxy.yml.disabled | 2 +- x-pack/filebeat/modules.d/f5.yml.disabled | 4 +- .../filebeat/modules.d/fortinet.yml.disabled | 8 +- x-pack/filebeat/modules.d/gcp.yml.disabled | 6 +- .../modules.d/google_workspace.yml.disabled | 12 +- .../modules.d/googlecloud.yml.disabled | 6 +- x-pack/filebeat/modules.d/gsuite.yml.disabled | 12 +- x-pack/filebeat/modules.d/ibmmq.yml.disabled | 2 +- .../filebeat/modules.d/imperva.yml.disabled | 2 +- .../filebeat/modules.d/infoblox.yml.disabled | 2 +- .../filebeat/modules.d/iptables.yml.disabled | 2 +- .../filebeat/modules.d/juniper.yml.disabled | 6 +- .../filebeat/modules.d/microsoft.yml.disabled | 6 +- x-pack/filebeat/modules.d/misp.yml.disabled | 2 +- x-pack/filebeat/modules.d/mssql.yml.disabled | 2 +- .../modules.d/mysqlenterprise.yml.disabled | 2 +- .../filebeat/modules.d/netflow.yml.disabled | 2 +- .../filebeat/modules.d/netscout.yml.disabled | 2 +- x-pack/filebeat/modules.d/o365.yml.disabled | 2 +- x-pack/filebeat/modules.d/okta.yml.disabled | 2 +- x-pack/filebeat/modules.d/oracle.yml.disabled | 2 +- x-pack/filebeat/modules.d/panw.yml.disabled | 2 +- .../modules.d/proofpoint.yml.disabled | 2 +- .../filebeat/modules.d/rabbitmq.yml.disabled | 2 +- .../filebeat/modules.d/radware.yml.disabled | 2 +- x-pack/filebeat/modules.d/snort.yml.disabled | 2 +- x-pack/filebeat/modules.d/snyk.yml.disabled | 4 +- .../filebeat/modules.d/sonicwall.yml.disabled | 2 +- x-pack/filebeat/modules.d/sophos.yml.disabled | 4 +- x-pack/filebeat/modules.d/squid.yml.disabled | 2 +- .../filebeat/modules.d/suricata.yml.disabled | 2 +- .../modules.d/threatintel.yml.disabled | 16 +- x-pack/filebeat/modules.d/tomcat.yml.disabled | 2 +- x-pack/filebeat/modules.d/zeek.yml.disabled | 78 ++--- .../filebeat/modules.d/zookeeper.yml.disabled | 4 +- x-pack/filebeat/modules.d/zoom.yml.disabled | 2 +- .../filebeat/modules.d/zscaler.yml.disabled | 2 +- 146 files changed, 560 insertions(+), 486 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 1b736cdcc2a..786d73a0502 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -86,6 +86,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix Crowdstrike ingest pipeline that was creating flattened `process` fields. {issue}27622[27622] {pull}27623[27623] - Rename `log.path` to `log.file.path` in filestream to be consistent with `log` input and ECS. {pull}27761[27761] - Only filesets that are explicitly configured will be enabled. {issue}17256[17256] {pull}27526[27526] +- All filesets are disabled in the default configuration. {issue}17256[17256] {pull}27762[27762] *Heartbeat* - Remove long deprecated `watch_poll` functionality. {pull}27166[27166] diff --git a/dev-tools/mage/modules.go b/dev-tools/mage/modules.go index 80fc4c2f7c5..a65c2c2a121 100644 --- a/dev-tools/mage/modules.go +++ b/dev-tools/mage/modules.go @@ -18,10 +18,15 @@ package mage import ( + "fmt" "io/ioutil" "os" "path/filepath" "strings" + + "github.com/joeshaw/multierror" + "github.com/pkg/errors" + "gopkg.in/yaml.v2" ) var modulesDConfigTemplate = ` @@ -71,3 +76,68 @@ func GenerateDirModulesD() error { } return nil } + +type datasetDefinition struct { + Enabled *bool +} + +type moduleDefinition struct { + Name string `yaml:"module"` + Filesets map[string]datasetDefinition `yaml:",inline"` +} + +// ValidateDirModulesD validates a modules.d directory containing the +// .yml.disabled files. It checks that the files are valid +// yaml and conform to module definitions. +func ValidateDirModulesD() error { + _, err := loadModulesD() + return err +} + +// ValidateDirModulesDDatasetsDisabled ensures that all the datasets +// are disabled by default. +func ValidateDirModulesDDatasetsDisabled() error { + cfgs, err := loadModulesD() + if err != nil { + return err + } + var errs multierror.Errors + for path, cfg := range cfgs { + // A config.yml is a list of module configurations. + for modIdx, mod := range cfg { + // A module config is a map of datasets. + for dsName, ds := range mod.Filesets { + if ds.Enabled == nil || *ds.Enabled { + var entry string + if len(cfg) > 1 { + entry = fmt.Sprintf(" (entry #%d)", modIdx+1) + } + err = fmt.Errorf("in file '%s': %s module%s dataset %s must be explicitly disabled (needs `enabled: false`)", + path, mod.Name, entry, dsName) + errs = append(errs, err) + } + } + } + } + return errs.Err() +} + +func loadModulesD() (modules map[string][]moduleDefinition, err error) { + files, err := filepath.Glob("modules.d/*.disabled") + if err != nil { + return nil, err + } + modules = make(map[string][]moduleDefinition, len(files)) + for _, file := range files { + contents, err := ioutil.ReadFile(file) + if err != nil { + return nil, errors.Wrapf(err, "reading %s", file) + } + var cfg []moduleDefinition + if err = yaml.Unmarshal(contents, &cfg); err != nil { + return nil, errors.Wrapf(err, "parsing %s as YAML", file) + } + modules[file] = cfg + } + return modules, nil +} diff --git a/filebeat/docs/getting-started.asciidoc b/filebeat/docs/getting-started.asciidoc index 8f340bde6a5..d51a267b91f 100644 --- a/filebeat/docs/getting-started.asciidoc +++ b/filebeat/docs/getting-started.asciidoc @@ -86,8 +86,8 @@ configs: include::{libbeat-dir}/tab-widgets/enable-modules-widget.asciidoc[] -- -. In the module configs under `modules.d`, change the module settings to match -your environment. +. In the module configs under `modules.d`, enable the desired datasets and +change the module settings to match your environment. + For example, log locations are set based on the OS. If your logs aren't in default locations, set the `paths` variable: @@ -97,6 +97,7 @@ default locations, set the `paths` variable: ---- - module: nginx access: + enabled: true var.paths: ["/var/log/nginx/access.log*"] <1> ---- -- diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index dbdb731c0dc..33a24a5fb9c 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml @@ -80,32 +80,32 @@ filebeat.modules: - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: @@ -114,7 +114,7 @@ filebeat.modules: - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -191,7 +191,7 @@ filebeat.modules: - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. @@ -205,7 +205,7 @@ filebeat.modules: - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -213,7 +213,7 @@ filebeat.modules: # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -281,7 +281,7 @@ filebeat.modules: - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -322,9 +322,9 @@ filebeat.modules: # #var.paths: #------------------------------- Osquery Module ------------------------------- -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -339,7 +339,7 @@ filebeat.modules: - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 @@ -384,7 +384,7 @@ filebeat.modules: #----------------------------- Google Santa Module ----------------------------- - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/magefile.go b/filebeat/magefile.go index 93f2eada680..8e55f6e0d4d 100644 --- a/filebeat/magefile.go +++ b/filebeat/magefile.go @@ -105,6 +105,7 @@ func Update() { // modules.d directory. func Config() { mg.Deps(devtools.GenerateDirModulesD, configYML) + mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled) } func configYML() error { diff --git a/filebeat/module/apache/_meta/config.yml b/filebeat/module/apache/_meta/config.yml index 24e64df694a..ddf2b0c40d4 100644 --- a/filebeat/module/apache/_meta/config.yml +++ b/filebeat/module/apache/_meta/config.yml @@ -1,7 +1,7 @@ - module: apache # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/auditd/_meta/config.yml b/filebeat/module/auditd/_meta/config.yml index bd952f49cc9..eaf816cec78 100644 --- a/filebeat/module/auditd/_meta/config.yml +++ b/filebeat/module/auditd/_meta/config.yml @@ -1,6 +1,6 @@ - module: auditd log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/elasticsearch/_meta/config.yml b/filebeat/module/elasticsearch/_meta/config.yml index 0c2562f2796..4a2f751b67c 100644 --- a/filebeat/module/elasticsearch/_meta/config.yml +++ b/filebeat/module/elasticsearch/_meta/config.yml @@ -1,32 +1,32 @@ - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/module/haproxy/_meta/config.yml b/filebeat/module/haproxy/_meta/config.yml index 0e1431e503c..b559d6d837f 100644 --- a/filebeat/module/haproxy/_meta/config.yml +++ b/filebeat/module/haproxy/_meta/config.yml @@ -1,7 +1,7 @@ - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/filebeat/module/icinga/_meta/config.yml b/filebeat/module/icinga/_meta/config.yml index afcd57986a2..5fe0ddc2054 100644 --- a/filebeat/module/icinga/_meta/config.yml +++ b/filebeat/module/icinga/_meta/config.yml @@ -1,7 +1,7 @@ - module: icinga # Main logs main: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Debug logs debug: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -17,7 +17,7 @@ # Startup logs startup: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/iis/_meta/config.yml b/filebeat/module/iis/_meta/config.yml index 0ed84f14e52..f4f1d8cec36 100644 --- a/filebeat/module/iis/_meta/config.yml +++ b/filebeat/module/iis/_meta/config.yml @@ -1,7 +1,7 @@ - module: iis # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,9 +9,9 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: - \ No newline at end of file + diff --git a/filebeat/module/kafka/_meta/config.yml b/filebeat/module/kafka/_meta/config.yml index cbda5709c39..72e6d49ab44 100644 --- a/filebeat/module/kafka/_meta/config.yml +++ b/filebeat/module/kafka/_meta/config.yml @@ -1,7 +1,7 @@ - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. diff --git a/filebeat/module/kibana/_meta/config.yml b/filebeat/module/kibana/_meta/config.yml index ffb82496fca..2d6904e30c6 100644 --- a/filebeat/module/kibana/_meta/config.yml +++ b/filebeat/module/kibana/_meta/config.yml @@ -1,7 +1,7 @@ - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/logstash/_meta/config.yml b/filebeat/module/logstash/_meta/config.yml index bdb8e488dac..d38c8058aca 100644 --- a/filebeat/module/logstash/_meta/config.yml +++ b/filebeat/module/logstash/_meta/config.yml @@ -1,7 +1,7 @@ - module: logstash # logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/module/mongodb/_meta/config.yml b/filebeat/module/mongodb/_meta/config.yml index be6ea989c1c..28143b64eb4 100644 --- a/filebeat/module/mongodb/_meta/config.yml +++ b/filebeat/module/mongodb/_meta/config.yml @@ -1,7 +1,7 @@ - module: mongodb # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/mysql/_meta/config.yml b/filebeat/module/mysql/_meta/config.yml index 10afcb9e0ab..2b7c393eecc 100644 --- a/filebeat/module/mysql/_meta/config.yml +++ b/filebeat/module/mysql/_meta/config.yml @@ -1,7 +1,7 @@ - module: mysql # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/nats/_meta/config.yml b/filebeat/module/nats/_meta/config.yml index 59a63637680..b09a36dd006 100644 --- a/filebeat/module/nats/_meta/config.yml +++ b/filebeat/module/nats/_meta/config.yml @@ -1,7 +1,7 @@ - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/nginx/_meta/config.yml b/filebeat/module/nginx/_meta/config.yml index 3967af2693f..d520f4225b9 100644 --- a/filebeat/module/nginx/_meta/config.yml +++ b/filebeat/module/nginx/_meta/config.yml @@ -1,7 +1,7 @@ - module: nginx # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/osquery/_meta/config.reference.yml b/filebeat/module/osquery/_meta/config.reference.yml index b2a86b43c67..890e602f688 100644 --- a/filebeat/module/osquery/_meta/config.reference.yml +++ b/filebeat/module/osquery/_meta/config.reference.yml @@ -1,6 +1,6 @@ -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/osquery/_meta/config.yml b/filebeat/module/osquery/_meta/config.yml index b2a86b43c67..2f4fd911807 100644 --- a/filebeat/module/osquery/_meta/config.yml +++ b/filebeat/module/osquery/_meta/config.yml @@ -1,6 +1,6 @@ - module: osquery result: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/pensando/_meta/config.yml b/filebeat/module/pensando/_meta/config.yml index e632160bdd7..f352f542124 100644 --- a/filebeat/module/pensando/_meta/config.yml +++ b/filebeat/module/pensando/_meta/config.yml @@ -1,7 +1,7 @@ - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 diff --git a/filebeat/module/postgresql/_meta/config.yml b/filebeat/module/postgresql/_meta/config.yml index c82734a9570..373954e6e4f 100644 --- a/filebeat/module/postgresql/_meta/config.yml +++ b/filebeat/module/postgresql/_meta/config.yml @@ -1,7 +1,7 @@ - module: postgresql # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/redis/_meta/config.yml b/filebeat/module/redis/_meta/config.yml index 4aa2f1eacf0..1a99edf7d29 100644 --- a/filebeat/module/redis/_meta/config.yml +++ b/filebeat/module/redis/_meta/config.yml @@ -1,7 +1,7 @@ - module: redis # Main logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Slow logs, retrieved via the Redis API (SLOWLOG) slowlog: - enabled: true + enabled: false # The Redis hosts to connect to. #var.hosts: ["localhost:6379"] diff --git a/filebeat/module/santa/_meta/config.yml b/filebeat/module/santa/_meta/config.yml index ab2588f900e..b6b03be3fe4 100644 --- a/filebeat/module/santa/_meta/config.yml +++ b/filebeat/module/santa/_meta/config.yml @@ -1,6 +1,6 @@ - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/module/system/_meta/config.yml b/filebeat/module/system/_meta/config.yml index f76dd905b4d..c1fe882374d 100644 --- a/filebeat/module/system/_meta/config.yml +++ b/filebeat/module/system/_meta/config.yml @@ -1,7 +1,7 @@ - module: system # Syslog syslog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Authorization logs auth: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/module/traefik/_meta/config.yml b/filebeat/module/traefik/_meta/config.yml index 16ec37f975e..3e9f73ce10b 100644 --- a/filebeat/module/traefik/_meta/config.yml +++ b/filebeat/module/traefik/_meta/config.yml @@ -1,7 +1,7 @@ - module: traefik # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/apache.yml.disabled b/filebeat/modules.d/apache.yml.disabled index c6a2c941469..d4fbc61659d 100644 --- a/filebeat/modules.d/apache.yml.disabled +++ b/filebeat/modules.d/apache.yml.disabled @@ -4,7 +4,7 @@ - module: apache # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/auditd.yml.disabled b/filebeat/modules.d/auditd.yml.disabled index 4b0bd49c6f6..8bcedafdee9 100644 --- a/filebeat/modules.d/auditd.yml.disabled +++ b/filebeat/modules.d/auditd.yml.disabled @@ -3,7 +3,7 @@ - module: auditd log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/elasticsearch.yml.disabled b/filebeat/modules.d/elasticsearch.yml.disabled index 4db2df4eaea..75236f1a664 100644 --- a/filebeat/modules.d/elasticsearch.yml.disabled +++ b/filebeat/modules.d/elasticsearch.yml.disabled @@ -4,32 +4,32 @@ - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/modules.d/haproxy.yml.disabled b/filebeat/modules.d/haproxy.yml.disabled index 7493d93d763..5863c5bbdf8 100644 --- a/filebeat/modules.d/haproxy.yml.disabled +++ b/filebeat/modules.d/haproxy.yml.disabled @@ -4,7 +4,7 @@ - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/filebeat/modules.d/icinga.yml.disabled b/filebeat/modules.d/icinga.yml.disabled index 2b136d52072..10ab79616eb 100644 --- a/filebeat/modules.d/icinga.yml.disabled +++ b/filebeat/modules.d/icinga.yml.disabled @@ -4,7 +4,7 @@ - module: icinga # Main logs main: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Debug logs debug: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -20,7 +20,7 @@ # Startup logs startup: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/iis.yml.disabled b/filebeat/modules.d/iis.yml.disabled index 3fb8768b391..868fadedbb0 100644 --- a/filebeat/modules.d/iis.yml.disabled +++ b/filebeat/modules.d/iis.yml.disabled @@ -4,7 +4,7 @@ - module: iis # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,9 +12,9 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: - \ No newline at end of file + diff --git a/filebeat/modules.d/kafka.yml.disabled b/filebeat/modules.d/kafka.yml.disabled index 9d1b367b5c3..fd7b0013739 100644 --- a/filebeat/modules.d/kafka.yml.disabled +++ b/filebeat/modules.d/kafka.yml.disabled @@ -4,7 +4,7 @@ - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. diff --git a/filebeat/modules.d/kibana.yml.disabled b/filebeat/modules.d/kibana.yml.disabled index 0dbffa7e766..bc34de819a5 100644 --- a/filebeat/modules.d/kibana.yml.disabled +++ b/filebeat/modules.d/kibana.yml.disabled @@ -4,7 +4,7 @@ - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/logstash.yml.disabled b/filebeat/modules.d/logstash.yml.disabled index 3eee07b97bf..fe99eeabae4 100644 --- a/filebeat/modules.d/logstash.yml.disabled +++ b/filebeat/modules.d/logstash.yml.disabled @@ -4,7 +4,7 @@ - module: logstash # logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: diff --git a/filebeat/modules.d/mongodb.yml.disabled b/filebeat/modules.d/mongodb.yml.disabled index 36745bca419..ac31f64bed1 100644 --- a/filebeat/modules.d/mongodb.yml.disabled +++ b/filebeat/modules.d/mongodb.yml.disabled @@ -4,7 +4,7 @@ - module: mongodb # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/mysql.yml.disabled b/filebeat/modules.d/mysql.yml.disabled index a7904e69f1b..dd5079648bc 100644 --- a/filebeat/modules.d/mysql.yml.disabled +++ b/filebeat/modules.d/mysql.yml.disabled @@ -4,7 +4,7 @@ - module: mysql # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/nats.yml.disabled b/filebeat/modules.d/nats.yml.disabled index d203a1735e4..6074f499cad 100644 --- a/filebeat/modules.d/nats.yml.disabled +++ b/filebeat/modules.d/nats.yml.disabled @@ -4,7 +4,7 @@ - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/nginx.yml.disabled b/filebeat/modules.d/nginx.yml.disabled index e15f4fe492d..450b30c0e01 100644 --- a/filebeat/modules.d/nginx.yml.disabled +++ b/filebeat/modules.d/nginx.yml.disabled @@ -4,7 +4,7 @@ - module: nginx # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Error logs error: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/osquery.yml.disabled b/filebeat/modules.d/osquery.yml.disabled index 1c66965bfe9..0740b774a52 100644 --- a/filebeat/modules.d/osquery.yml.disabled +++ b/filebeat/modules.d/osquery.yml.disabled @@ -3,7 +3,7 @@ - module: osquery result: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/pensando.yml.disabled b/filebeat/modules.d/pensando.yml.disabled index 72350a5dcb6..1002b61bf3e 100644 --- a/filebeat/modules.d/pensando.yml.disabled +++ b/filebeat/modules.d/pensando.yml.disabled @@ -4,7 +4,7 @@ - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 diff --git a/filebeat/modules.d/postgresql.yml.disabled b/filebeat/modules.d/postgresql.yml.disabled index 1e01709d02c..5df32fefc49 100644 --- a/filebeat/modules.d/postgresql.yml.disabled +++ b/filebeat/modules.d/postgresql.yml.disabled @@ -4,7 +4,7 @@ - module: postgresql # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/redis.yml.disabled b/filebeat/modules.d/redis.yml.disabled index 6a43828abfe..dfec32f8849 100644 --- a/filebeat/modules.d/redis.yml.disabled +++ b/filebeat/modules.d/redis.yml.disabled @@ -4,7 +4,7 @@ - module: redis # Main logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Slow logs, retrieved via the Redis API (SLOWLOG) slowlog: - enabled: true + enabled: false # The Redis hosts to connect to. #var.hosts: ["localhost:6379"] diff --git a/filebeat/modules.d/santa.yml.disabled b/filebeat/modules.d/santa.yml.disabled index 8e187d56b62..9655b1afb59 100644 --- a/filebeat/modules.d/santa.yml.disabled +++ b/filebeat/modules.d/santa.yml.disabled @@ -3,7 +3,7 @@ - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: diff --git a/filebeat/modules.d/system.yml.disabled b/filebeat/modules.d/system.yml.disabled index 49e5c9c4d98..4171c65f7ad 100644 --- a/filebeat/modules.d/system.yml.disabled +++ b/filebeat/modules.d/system.yml.disabled @@ -4,7 +4,7 @@ - module: system # Syslog syslog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Authorization logs auth: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/filebeat/modules.d/traefik.yml.disabled b/filebeat/modules.d/traefik.yml.disabled index 22e6cdf0dc8..440028cc182 100644 --- a/filebeat/modules.d/traefik.yml.disabled +++ b/filebeat/modules.d/traefik.yml.disabled @@ -4,7 +4,7 @@ - module: traefik # Access logs access: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index b30193416cc..acb3e5d1cd1 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -41,7 +41,7 @@ filebeat.modules: - module: activemq # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -49,7 +49,7 @@ filebeat.modules: # Application logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -462,7 +462,7 @@ filebeat.modules: - module: azure # All logs activitylogs: - enabled: true + enabled: false var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" @@ -505,7 +505,7 @@ filebeat.modules: #------------------ Barracuda Web Application Firewall Module ------------------ - module: barracuda waf: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -524,7 +524,7 @@ filebeat.modules: # var.tz_offset: local spamfirewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -545,7 +545,7 @@ filebeat.modules: #-------------------------- Blue Coat Director Module -------------------------- - module: bluecoat director: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -566,7 +566,7 @@ filebeat.modules: #--------------------------------- CEF Module --------------------------------- - module: cef log: - enabled: true + enabled: false var: syslog_host: localhost syslog_port: 9003 @@ -582,7 +582,7 @@ filebeat.modules: #------------------------------ Checkpoint Module ------------------------------ - module: checkpoint firewall: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -605,7 +605,7 @@ filebeat.modules: #-------------------------------- Cisco Module -------------------------------- - module: cisco asa: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -631,7 +631,7 @@ filebeat.modules: #var.external_zones: [ "External" ] ftd: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -657,7 +657,7 @@ filebeat.modules: #var.external_zones: [ "External" ] ios: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -674,7 +674,7 @@ filebeat.modules: #var.paths: nexus: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -693,7 +693,7 @@ filebeat.modules: # var.tz_offset: local meraki: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -712,7 +712,7 @@ filebeat.modules: # var.tz_offset: local umbrella: - enabled: true + enabled: false #var.input: aws-s3 # AWS SQS queue url @@ -727,7 +727,7 @@ filebeat.modules: #var.api_timeout: 120s amp: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson @@ -747,7 +747,7 @@ filebeat.modules: - module: coredns # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -757,7 +757,7 @@ filebeat.modules: - module: crowdstrike falcon: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -768,7 +768,7 @@ filebeat.modules: # Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. - module: cyberark corepas: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -789,7 +789,7 @@ filebeat.modules: #----------------------------- CyberArk PAS Module ----------------------------- - module: cyberarkpas audit: - enabled: true + enabled: false # Set which input to use between tcp (default), udp, or file. # @@ -815,7 +815,7 @@ filebeat.modules: #---------------------------- CylanceProtect Module ---------------------------- - module: cylance protect: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -837,32 +837,32 @@ filebeat.modules: - module: elasticsearch # Server log server: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: gc: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: slowlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: deprecation: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: @@ -871,7 +871,7 @@ filebeat.modules: - module: envoyproxy # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -880,7 +880,7 @@ filebeat.modules: #--------------------- Big-IP Access Policy Manager Module --------------------- - module: f5 bigipapm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -899,7 +899,7 @@ filebeat.modules: # var.tz_offset: local bigipafm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -920,7 +920,7 @@ filebeat.modules: #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -943,7 +943,7 @@ filebeat.modules: #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -962,7 +962,7 @@ filebeat.modules: # var.tz_offset: local fortimail: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -981,7 +981,7 @@ filebeat.modules: # var.tz_offset: local fortimanager: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1002,7 +1002,7 @@ filebeat.modules: #--------------------- Google Cloud Platform (GCP) Module --------------------- - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1030,7 +1030,7 @@ filebeat.modules: #var.internal_networks: [ "private" ] firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1057,7 +1057,7 @@ filebeat.modules: #var.internal_networks: [ "private" ] audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1077,7 +1077,7 @@ filebeat.modules: #--------------------------- Google_workspace Module --------------------------- - module: google_workspace saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1085,7 +1085,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1093,7 +1093,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1101,7 +1101,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1109,7 +1109,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1117,7 +1117,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1130,7 +1130,7 @@ filebeat.modules: # googlecloud module is deprecated, please use gcp instead - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1148,7 +1148,7 @@ filebeat.modules: var.credentials_file: ${path.config}/gcp-service-account-xyz.json firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1166,7 +1166,7 @@ filebeat.modules: var.credentials_file: ${path.config}/gcp-service-account-xyz.json audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -1187,7 +1187,7 @@ filebeat.modules: # Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. - module: gsuite saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1195,7 +1195,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1203,7 +1203,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1211,7 +1211,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1219,7 +1219,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1227,7 +1227,7 @@ filebeat.modules: # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -1239,7 +1239,7 @@ filebeat.modules: - module: haproxy # All logs log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1252,7 +1252,7 @@ filebeat.modules: - module: ibmmq # All logs errorlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1325,7 +1325,7 @@ filebeat.modules: #------------------------- Imperva SecureSphere Module ------------------------- - module: imperva securesphere: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1346,7 +1346,7 @@ filebeat.modules: #---------------------------- Infoblox NIOS Module ---------------------------- - module: infoblox nios: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1367,7 +1367,7 @@ filebeat.modules: #------------------------------- Iptables Module ------------------------------- - module: iptables log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1379,7 +1379,7 @@ filebeat.modules: #---------------------------- Juniper JUNOS Module ---------------------------- - module: juniper junos: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1398,7 +1398,7 @@ filebeat.modules: # var.tz_offset: local netscreen: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1417,7 +1417,7 @@ filebeat.modules: # var.tz_offset: local srx: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -1433,7 +1433,7 @@ filebeat.modules: - module: kafka # All logs log: - enabled: true + enabled: false # Set custom paths for Kafka. If left empty, # Filebeat will look under /opt. @@ -1447,7 +1447,7 @@ filebeat.modules: - module: kibana # Server logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1455,7 +1455,7 @@ filebeat.modules: # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1483,7 +1483,7 @@ filebeat.modules: - module: microsoft # ATP configuration defender_atp: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -1496,7 +1496,7 @@ filebeat.modules: # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -1513,7 +1513,7 @@ filebeat.modules: #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1536,7 +1536,7 @@ filebeat.modules: - module: misp threat: - enabled: true + enabled: false # API key to access MISP #var.api_key @@ -1567,7 +1567,7 @@ filebeat.modules: - module: mssql # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1602,7 +1602,7 @@ filebeat.modules: #--------------------------- MySQL Enterprise Module --------------------------- - module: mysqlenterprise audit: - enabled: true + enabled: false # Sets the input type. Currently only supports file #var.input: file @@ -1616,7 +1616,7 @@ filebeat.modules: - module: nats # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1625,7 +1625,7 @@ filebeat.modules: #------------------------------- NetFlow Module ------------------------------- - module: netflow log: - enabled: true + enabled: false var: netflow_host: localhost netflow_port: 2055 @@ -1638,7 +1638,7 @@ filebeat.modules: #-------------------------- Arbor Peakflow SP Module -------------------------- - module: netscout sightline: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1693,7 +1693,7 @@ filebeat.modules: #------------------------------ Office 365 Module ------------------------------ - module: o365 audit: - enabled: true + enabled: false # Set the application_id (also known as client ID): var.application_id: "" @@ -1740,7 +1740,7 @@ filebeat.modules: #--------------------------------- Okta Module --------------------------------- - module: okta system: - enabled: true + enabled: false # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs @@ -1749,7 +1749,7 @@ filebeat.modules: #-------------------------------- Oracle Module -------------------------------- - module: oracle database_audit: - enabled: true + enabled: false # Set which input to use between syslog or file (default). #var.input: file @@ -1759,9 +1759,9 @@ filebeat.modules: #var.paths: ["/home/user/oracleauditlogs/*.aud"] #------------------------------- Osquery Module ------------------------------- -- module: osquery - result: - enabled: true +#- module: osquery + #result: + #enabled: true # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1775,7 +1775,7 @@ filebeat.modules: #--------------------------------- Panw Module --------------------------------- - module: panw panos: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: @@ -1797,7 +1797,7 @@ filebeat.modules: - module: pensando # Firewall logs dfw: - enabled: true + enabled: false var.syslog_host: 0.0.0.0 var.syslog_port: 9001 @@ -1822,7 +1822,7 @@ filebeat.modules: #---------------------- Proofpoint Email Security Module ---------------------- - module: proofpoint emailsecurity: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1844,7 +1844,7 @@ filebeat.modules: - module: rabbitmq # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -1853,7 +1853,7 @@ filebeat.modules: #-------------------------- Radware DefensePro Module -------------------------- - module: radware defensepro: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1894,7 +1894,7 @@ filebeat.modules: #----------------------------- Google Santa Module ----------------------------- - module: santa log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the the default path. #var.paths: @@ -1902,7 +1902,7 @@ filebeat.modules: #--------------------------- Snort/Sourcefire Module --------------------------- - module: snort log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -1923,7 +1923,7 @@ filebeat.modules: #--------------------------------- Snyk Module --------------------------------- - module: snyk audit: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -1952,7 +1952,7 @@ filebeat.modules: #var.email_address: "" vulnerabilities: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated @@ -2027,7 +2027,7 @@ filebeat.modules: #----------------------------- Sonicwall-FW Module ----------------------------- - module: sonicwall firewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2048,7 +2048,7 @@ filebeat.modules: #-------------------------------- Sophos Module -------------------------------- - module: sophos xg: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -2072,7 +2072,7 @@ filebeat.modules: utm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2093,7 +2093,7 @@ filebeat.modules: #-------------------------------- Squid Module -------------------------------- - module: squid log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2115,7 +2115,7 @@ filebeat.modules: - module: suricata # All logs eve: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -2124,7 +2124,7 @@ filebeat.modules: #----------------------------- Threatintel Module ----------------------------- - module: threatintel abuseurl: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2136,7 +2136,7 @@ filebeat.modules: var.interval: 10m abusemalware: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2148,7 +2148,7 @@ filebeat.modules: var.interval: 10m malwarebazaar: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -2160,7 +2160,7 @@ filebeat.modules: var.interval: 10m misp: - enabled: true + enabled: false # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson @@ -2189,7 +2189,7 @@ filebeat.modules: var.interval: 5m otx: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2216,7 +2216,7 @@ filebeat.modules: var.interval: 5m anomali: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2238,7 +2238,7 @@ filebeat.modules: var.interval: 5m anomalithreatstream: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: http_endpoint @@ -2263,7 +2263,7 @@ filebeat.modules: # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -2297,7 +2297,7 @@ filebeat.modules: #---------------------------- Apache Tomcat Module ---------------------------- - module: tomcat log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -2333,83 +2333,83 @@ filebeat.modules: #--------------------------------- Zeek Module --------------------------------- - module: zeek capture_loss: - enabled: true + enabled: false connection: - enabled: true + enabled: false dce_rpc: - enabled: true + enabled: false dhcp: - enabled: true + enabled: false dnp3: - enabled: true + enabled: false dns: - enabled: true + enabled: false dpd: - enabled: true + enabled: false files: - enabled: true + enabled: false ftp: - enabled: true + enabled: false http: - enabled: true + enabled: false intel: - enabled: true + enabled: false irc: - enabled: true + enabled: false kerberos: - enabled: true + enabled: false modbus: - enabled: true + enabled: false mysql: - enabled: true + enabled: false notice: - enabled: true + enabled: false ntp: - enabled: true + enabled: false ntlm: - enabled: true + enabled: false ocsp: - enabled: true + enabled: false pe: - enabled: true + enabled: false radius: - enabled: true + enabled: false rdp: - enabled: true + enabled: false rfb: - enabled: true + enabled: false signature: - enabled: true + enabled: false sip: - enabled: true + enabled: false smb_cmd: - enabled: true + enabled: false smb_files: - enabled: true + enabled: false smb_mapping: - enabled: true + enabled: false smtp: - enabled: true + enabled: false snmp: - enabled: true + enabled: false socks: - enabled: true + enabled: false ssh: - enabled: true + enabled: false ssl: - enabled: true + enabled: false stats: - enabled: true + enabled: false syslog: - enabled: true + enabled: false traceroute: - enabled: true + enabled: false tunnel: - enabled: true + enabled: false weird: - enabled: true + enabled: false x509: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -2419,14 +2419,14 @@ filebeat.modules: - module: zookeeper # All logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -2435,7 +2435,7 @@ filebeat.modules: #--------------------------------- Zoom Module --------------------------------- - module: zoom webhook: - enabled: true + enabled: false # The type of input to use #var.input: http_endpoint @@ -2456,7 +2456,7 @@ filebeat.modules: #----------------------------- Zscaler NSS Module ----------------------------- - module: zscaler zia: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/magefile.go b/x-pack/filebeat/magefile.go index da25e7c4051..c4532d5f56a 100644 --- a/x-pack/filebeat/magefile.go +++ b/x-pack/filebeat/magefile.go @@ -130,6 +130,7 @@ func ExportDashboard() error { // Config generates both the short and reference configs. func Config() { mg.Deps(configYML, devtools.GenerateDirModulesD) + mg.SerialDeps(devtools.ValidateDirModulesD, devtools.ValidateDirModulesDDatasetsDisabled) } func configYML() error { diff --git a/x-pack/filebeat/module/activemq/_meta/config.yml b/x-pack/filebeat/module/activemq/_meta/config.yml index 593c6c1632d..8c965bd1a8e 100644 --- a/x-pack/filebeat/module/activemq/_meta/config.yml +++ b/x-pack/filebeat/module/activemq/_meta/config.yml @@ -1,7 +1,7 @@ - module: activemq # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -9,7 +9,7 @@ # Application logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/azure/_meta/config.yml b/x-pack/filebeat/module/azure/_meta/config.yml index fdea9b1f252..02f06ae956d 100644 --- a/x-pack/filebeat/module/azure/_meta/config.yml +++ b/x-pack/filebeat/module/azure/_meta/config.yml @@ -1,7 +1,7 @@ - module: azure # All logs activitylogs: - enabled: true + enabled: false var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" diff --git a/x-pack/filebeat/module/barracuda/_meta/config.yml b/x-pack/filebeat/module/barracuda/_meta/config.yml index 36ecc93be83..c6e7a48e75b 100644 --- a/x-pack/filebeat/module/barracuda/_meta/config.yml +++ b/x-pack/filebeat/module/barracuda/_meta/config.yml @@ -1,6 +1,6 @@ - module: barracuda waf: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local spamfirewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/bluecoat/_meta/config.yml b/x-pack/filebeat/module/bluecoat/_meta/config.yml index b4c71666b1c..76056292f7b 100644 --- a/x-pack/filebeat/module/bluecoat/_meta/config.yml +++ b/x-pack/filebeat/module/bluecoat/_meta/config.yml @@ -1,6 +1,6 @@ - module: bluecoat director: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/cef/_meta/config.yml b/x-pack/filebeat/module/cef/_meta/config.yml index 1b9ff319441..53a29aa10ba 100644 --- a/x-pack/filebeat/module/cef/_meta/config.yml +++ b/x-pack/filebeat/module/cef/_meta/config.yml @@ -1,6 +1,6 @@ - module: cef log: - enabled: true + enabled: false var: syslog_host: localhost syslog_port: 9003 diff --git a/x-pack/filebeat/module/checkpoint/_meta/config.yml b/x-pack/filebeat/module/checkpoint/_meta/config.yml index 8ed0c7d11c2..69357058b66 100644 --- a/x-pack/filebeat/module/checkpoint/_meta/config.yml +++ b/x-pack/filebeat/module/checkpoint/_meta/config.yml @@ -1,6 +1,6 @@ - module: checkpoint firewall: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog diff --git a/x-pack/filebeat/module/cisco/_meta/config.yml b/x-pack/filebeat/module/cisco/_meta/config.yml index 3af897a1225..3fd735c050d 100644 --- a/x-pack/filebeat/module/cisco/_meta/config.yml +++ b/x-pack/filebeat/module/cisco/_meta/config.yml @@ -1,6 +1,6 @@ - module: cisco asa: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -26,7 +26,7 @@ #var.external_zones: [ "External" ] ftd: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -52,7 +52,7 @@ #var.external_zones: [ "External" ] ios: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -69,7 +69,7 @@ #var.paths: nexus: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -88,7 +88,7 @@ # var.tz_offset: local meraki: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -107,7 +107,7 @@ # var.tz_offset: local umbrella: - enabled: true + enabled: false #var.input: aws-s3 # AWS SQS queue url @@ -122,7 +122,7 @@ #var.api_timeout: 120s amp: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson diff --git a/x-pack/filebeat/module/coredns/_meta/config.yml b/x-pack/filebeat/module/coredns/_meta/config.yml index d9ef777bde5..4cfd48edb1e 100644 --- a/x-pack/filebeat/module/coredns/_meta/config.yml +++ b/x-pack/filebeat/module/coredns/_meta/config.yml @@ -1,7 +1,7 @@ - module: coredns # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/crowdstrike/_meta/config.yml b/x-pack/filebeat/module/crowdstrike/_meta/config.yml index 04cf80889ba..84901e8779b 100644 --- a/x-pack/filebeat/module/crowdstrike/_meta/config.yml +++ b/x-pack/filebeat/module/crowdstrike/_meta/config.yml @@ -1,7 +1,7 @@ - module: crowdstrike falcon: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/cyberark/_meta/config.yml b/x-pack/filebeat/module/cyberark/_meta/config.yml index d3a1f20ec6f..9b0e08f26c8 100644 --- a/x-pack/filebeat/module/cyberark/_meta/config.yml +++ b/x-pack/filebeat/module/cyberark/_meta/config.yml @@ -2,7 +2,7 @@ # Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. - module: cyberark corepas: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml index 4ebf2db818d..9b2cc6d0e27 100644 --- a/x-pack/filebeat/module/cyberarkpas/_meta/config.yml +++ b/x-pack/filebeat/module/cyberarkpas/_meta/config.yml @@ -1,6 +1,6 @@ - module: cyberarkpas audit: - enabled: true + enabled: false # Set which input to use between tcp (default), udp, or file. # diff --git a/x-pack/filebeat/module/cylance/_meta/config.yml b/x-pack/filebeat/module/cylance/_meta/config.yml index f48f72b6065..3025ab38401 100644 --- a/x-pack/filebeat/module/cylance/_meta/config.yml +++ b/x-pack/filebeat/module/cylance/_meta/config.yml @@ -1,6 +1,6 @@ - module: cylance protect: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/envoyproxy/_meta/config.yml b/x-pack/filebeat/module/envoyproxy/_meta/config.yml index c0fada4e3ae..8009773045d 100644 --- a/x-pack/filebeat/module/envoyproxy/_meta/config.yml +++ b/x-pack/filebeat/module/envoyproxy/_meta/config.yml @@ -1,7 +1,7 @@ - module: envoyproxy # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml index a939fc021f8..48ccc13d31a 100644 --- a/x-pack/filebeat/module/f5/_meta/config.yml +++ b/x-pack/filebeat/module/f5/_meta/config.yml @@ -1,6 +1,6 @@ - module: f5 bigipapm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local bigipafm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/fortinet/_meta/config.yml b/x-pack/filebeat/module/fortinet/_meta/config.yml index 5f5561c7925..f71e5732b14 100644 --- a/x-pack/filebeat/module/fortinet/_meta/config.yml +++ b/x-pack/filebeat/module/fortinet/_meta/config.yml @@ -1,6 +1,6 @@ - module: fortinet firewall: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -23,7 +23,7 @@ #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -42,7 +42,7 @@ # var.tz_offset: local fortimail: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -61,7 +61,7 @@ # var.tz_offset: local fortimanager: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/gcp/_meta/config.yml b/x-pack/filebeat/module/gcp/_meta/config.yml index b32c5a65957..7b804388694 100644 --- a/x-pack/filebeat/module/gcp/_meta/config.yml +++ b/x-pack/filebeat/module/gcp/_meta/config.yml @@ -1,6 +1,6 @@ - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -28,7 +28,7 @@ #var.internal_networks: [ "private" ] firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -55,7 +55,7 @@ #var.internal_networks: [ "private" ] audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/module/google_workspace/_meta/config.yml b/x-pack/filebeat/module/google_workspace/_meta/config.yml index 1d6c5ad4589..58d6a754b1e 100644 --- a/x-pack/filebeat/module/google_workspace/_meta/config.yml +++ b/x-pack/filebeat/module/google_workspace/_meta/config.yml @@ -1,6 +1,6 @@ - module: google_workspace saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -8,7 +8,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -16,7 +16,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -24,7 +24,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -32,7 +32,7 @@ # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -40,7 +40,7 @@ # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h diff --git a/x-pack/filebeat/module/googlecloud/_meta/config.yml b/x-pack/filebeat/module/googlecloud/_meta/config.yml index 2c535fb4664..c2808c28854 100644 --- a/x-pack/filebeat/module/googlecloud/_meta/config.yml +++ b/x-pack/filebeat/module/googlecloud/_meta/config.yml @@ -1,7 +1,7 @@ # googlecloud module is deprecated, please use gcp instead - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -19,7 +19,7 @@ var.credentials_file: ${path.config}/gcp-service-account-xyz.json firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -37,7 +37,7 @@ var.credentials_file: ${path.config}/gcp-service-account-xyz.json audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/module/gsuite/_meta/config.yml b/x-pack/filebeat/module/gsuite/_meta/config.yml index 0badc11284e..24cdb493167 100644 --- a/x-pack/filebeat/module/gsuite/_meta/config.yml +++ b/x-pack/filebeat/module/gsuite/_meta/config.yml @@ -1,7 +1,7 @@ # Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. - module: gsuite saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -9,7 +9,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -17,7 +17,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -25,7 +25,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -33,7 +33,7 @@ # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -41,7 +41,7 @@ # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h diff --git a/x-pack/filebeat/module/ibmmq/_meta/config.yml b/x-pack/filebeat/module/ibmmq/_meta/config.yml index 320922d37e0..e81a5fca28e 100644 --- a/x-pack/filebeat/module/ibmmq/_meta/config.yml +++ b/x-pack/filebeat/module/ibmmq/_meta/config.yml @@ -1,7 +1,7 @@ - module: ibmmq # All logs errorlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/imperva/_meta/config.yml b/x-pack/filebeat/module/imperva/_meta/config.yml index 2b5660cd4c2..1ffb9f5d708 100644 --- a/x-pack/filebeat/module/imperva/_meta/config.yml +++ b/x-pack/filebeat/module/imperva/_meta/config.yml @@ -1,6 +1,6 @@ - module: imperva securesphere: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/infoblox/_meta/config.yml b/x-pack/filebeat/module/infoblox/_meta/config.yml index 85df3964b38..03c704cc5ba 100644 --- a/x-pack/filebeat/module/infoblox/_meta/config.yml +++ b/x-pack/filebeat/module/infoblox/_meta/config.yml @@ -1,6 +1,6 @@ - module: infoblox nios: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/iptables/_meta/config.yml b/x-pack/filebeat/module/iptables/_meta/config.yml index 0de64687f6e..3b791196985 100644 --- a/x-pack/filebeat/module/iptables/_meta/config.yml +++ b/x-pack/filebeat/module/iptables/_meta/config.yml @@ -1,6 +1,6 @@ - module: iptables log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/module/juniper/_meta/config.yml b/x-pack/filebeat/module/juniper/_meta/config.yml index 7f992656788..2ad874d9c4f 100644 --- a/x-pack/filebeat/module/juniper/_meta/config.yml +++ b/x-pack/filebeat/module/juniper/_meta/config.yml @@ -1,6 +1,6 @@ - module: juniper junos: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -19,7 +19,7 @@ # var.tz_offset: local netscreen: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -38,7 +38,7 @@ # var.tz_offset: local srx: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp diff --git a/x-pack/filebeat/module/microsoft/_meta/config.yml b/x-pack/filebeat/module/microsoft/_meta/config.yml index a168b621ba5..96b1f3db1db 100644 --- a/x-pack/filebeat/module/microsoft/_meta/config.yml +++ b/x-pack/filebeat/module/microsoft/_meta/config.yml @@ -1,7 +1,7 @@ - module: microsoft # ATP configuration defender_atp: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -14,7 +14,7 @@ # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -31,7 +31,7 @@ #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/misp/_meta/config.yml b/x-pack/filebeat/module/misp/_meta/config.yml index 0eab72db205..1e6ce8928d1 100644 --- a/x-pack/filebeat/module/misp/_meta/config.yml +++ b/x-pack/filebeat/module/misp/_meta/config.yml @@ -2,7 +2,7 @@ - module: misp threat: - enabled: true + enabled: false # API key to access MISP #var.api_key diff --git a/x-pack/filebeat/module/mssql/_meta/config.yml b/x-pack/filebeat/module/mssql/_meta/config.yml index a56e658f7b7..3735debfcfd 100644 --- a/x-pack/filebeat/module/mssql/_meta/config.yml +++ b/x-pack/filebeat/module/mssql/_meta/config.yml @@ -1,7 +1,7 @@ - module: mssql # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml index a4350a0ac60..ee13c51ec1e 100644 --- a/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml +++ b/x-pack/filebeat/module/mysqlenterprise/_meta/config.yml @@ -1,6 +1,6 @@ - module: mysqlenterprise audit: - enabled: true + enabled: false # Sets the input type. Currently only supports file #var.input: file diff --git a/x-pack/filebeat/module/netflow/_meta/config.yml b/x-pack/filebeat/module/netflow/_meta/config.yml index 91fe3953e94..5fed6db3581 100644 --- a/x-pack/filebeat/module/netflow/_meta/config.yml +++ b/x-pack/filebeat/module/netflow/_meta/config.yml @@ -1,6 +1,6 @@ - module: netflow log: - enabled: true + enabled: false var: netflow_host: localhost netflow_port: 2055 diff --git a/x-pack/filebeat/module/netscout/_meta/config.yml b/x-pack/filebeat/module/netscout/_meta/config.yml index 168d7284a9f..d7bcfcf2e7f 100644 --- a/x-pack/filebeat/module/netscout/_meta/config.yml +++ b/x-pack/filebeat/module/netscout/_meta/config.yml @@ -1,6 +1,6 @@ - module: netscout sightline: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/o365/_meta/config.yml b/x-pack/filebeat/module/o365/_meta/config.yml index b1a30d6dbe9..9ff4f9fb926 100644 --- a/x-pack/filebeat/module/o365/_meta/config.yml +++ b/x-pack/filebeat/module/o365/_meta/config.yml @@ -1,6 +1,6 @@ - module: o365 audit: - enabled: true + enabled: false # Set the application_id (also known as client ID): var.application_id: "" diff --git a/x-pack/filebeat/module/okta/_meta/config.yml b/x-pack/filebeat/module/okta/_meta/config.yml index bb2da13eca4..21fc87b737d 100644 --- a/x-pack/filebeat/module/okta/_meta/config.yml +++ b/x-pack/filebeat/module/okta/_meta/config.yml @@ -1,6 +1,6 @@ - module: okta system: - enabled: true + enabled: false # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs diff --git a/x-pack/filebeat/module/oracle/_meta/config.yml b/x-pack/filebeat/module/oracle/_meta/config.yml index 7b1f569b835..230ad88e684 100644 --- a/x-pack/filebeat/module/oracle/_meta/config.yml +++ b/x-pack/filebeat/module/oracle/_meta/config.yml @@ -1,6 +1,6 @@ - module: oracle database_audit: - enabled: true + enabled: false # Set which input to use between syslog or file (default). #var.input: file diff --git a/x-pack/filebeat/module/panw/_meta/config.yml b/x-pack/filebeat/module/panw/_meta/config.yml index 737825f598c..8b28631ddd9 100644 --- a/x-pack/filebeat/module/panw/_meta/config.yml +++ b/x-pack/filebeat/module/panw/_meta/config.yml @@ -1,6 +1,6 @@ - module: panw panos: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/module/proofpoint/_meta/config.yml b/x-pack/filebeat/module/proofpoint/_meta/config.yml index d25f23041e3..05dcc780bcd 100644 --- a/x-pack/filebeat/module/proofpoint/_meta/config.yml +++ b/x-pack/filebeat/module/proofpoint/_meta/config.yml @@ -1,6 +1,6 @@ - module: proofpoint emailsecurity: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/rabbitmq/_meta/config.yml b/x-pack/filebeat/module/rabbitmq/_meta/config.yml index 246c13225c6..966f2169acc 100644 --- a/x-pack/filebeat/module/rabbitmq/_meta/config.yml +++ b/x-pack/filebeat/module/rabbitmq/_meta/config.yml @@ -1,7 +1,7 @@ - module: rabbitmq # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/radware/_meta/config.yml b/x-pack/filebeat/module/radware/_meta/config.yml index dc134fbe59f..5341bf6064f 100644 --- a/x-pack/filebeat/module/radware/_meta/config.yml +++ b/x-pack/filebeat/module/radware/_meta/config.yml @@ -1,6 +1,6 @@ - module: radware defensepro: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/snort/_meta/config.yml b/x-pack/filebeat/module/snort/_meta/config.yml index e3804a605b9..e428234a180 100644 --- a/x-pack/filebeat/module/snort/_meta/config.yml +++ b/x-pack/filebeat/module/snort/_meta/config.yml @@ -1,6 +1,6 @@ - module: snort log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/snyk/_meta/config.yml b/x-pack/filebeat/module/snyk/_meta/config.yml index 2d433139638..6c224738076 100644 --- a/x-pack/filebeat/module/snyk/_meta/config.yml +++ b/x-pack/filebeat/module/snyk/_meta/config.yml @@ -1,6 +1,6 @@ - module: snyk audit: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -29,7 +29,7 @@ #var.email_address: "" vulnerabilities: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated diff --git a/x-pack/filebeat/module/sonicwall/_meta/config.yml b/x-pack/filebeat/module/sonicwall/_meta/config.yml index fcc2abefb79..92a71910286 100644 --- a/x-pack/filebeat/module/sonicwall/_meta/config.yml +++ b/x-pack/filebeat/module/sonicwall/_meta/config.yml @@ -1,6 +1,6 @@ - module: sonicwall firewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/sophos/_meta/config.yml b/x-pack/filebeat/module/sophos/_meta/config.yml index 5388cbdfcbc..4b07d941401 100644 --- a/x-pack/filebeat/module/sophos/_meta/config.yml +++ b/x-pack/filebeat/module/sophos/_meta/config.yml @@ -1,6 +1,6 @@ - module: sophos xg: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -24,7 +24,7 @@ utm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/squid/_meta/config.yml b/x-pack/filebeat/module/squid/_meta/config.yml index e3d681dac2a..ad0f3f2053c 100644 --- a/x-pack/filebeat/module/squid/_meta/config.yml +++ b/x-pack/filebeat/module/squid/_meta/config.yml @@ -1,6 +1,6 @@ - module: squid log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/suricata/_meta/config.yml b/x-pack/filebeat/module/suricata/_meta/config.yml index 1556d5d0451..1ad37b0427e 100644 --- a/x-pack/filebeat/module/suricata/_meta/config.yml +++ b/x-pack/filebeat/module/suricata/_meta/config.yml @@ -1,7 +1,7 @@ - module: suricata # All logs eve: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/threatintel/_meta/config.yml b/x-pack/filebeat/module/threatintel/_meta/config.yml index f2cf00bcf0d..41451f6e33a 100644 --- a/x-pack/filebeat/module/threatintel/_meta/config.yml +++ b/x-pack/filebeat/module/threatintel/_meta/config.yml @@ -1,6 +1,6 @@ - module: threatintel abuseurl: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -12,7 +12,7 @@ var.interval: 10m abusemalware: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -24,7 +24,7 @@ var.interval: 10m malwarebazaar: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -36,7 +36,7 @@ var.interval: 10m misp: - enabled: true + enabled: false # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson @@ -65,7 +65,7 @@ var.interval: 5m otx: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -92,7 +92,7 @@ var.interval: 5m anomali: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -114,7 +114,7 @@ var.interval: 5m anomalithreatstream: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: http_endpoint @@ -139,7 +139,7 @@ # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson diff --git a/x-pack/filebeat/module/tomcat/_meta/config.yml b/x-pack/filebeat/module/tomcat/_meta/config.yml index e3640165f61..e04b9201704 100644 --- a/x-pack/filebeat/module/tomcat/_meta/config.yml +++ b/x-pack/filebeat/module/tomcat/_meta/config.yml @@ -1,6 +1,6 @@ - module: tomcat log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/module/zeek/_meta/config.yml b/x-pack/filebeat/module/zeek/_meta/config.yml index dbe6012df6b..496581963fa 100644 --- a/x-pack/filebeat/module/zeek/_meta/config.yml +++ b/x-pack/filebeat/module/zeek/_meta/config.yml @@ -1,82 +1,82 @@ - module: zeek capture_loss: - enabled: true + enabled: false connection: - enabled: true + enabled: false dce_rpc: - enabled: true + enabled: false dhcp: - enabled: true + enabled: false dnp3: - enabled: true + enabled: false dns: - enabled: true + enabled: false dpd: - enabled: true + enabled: false files: - enabled: true + enabled: false ftp: - enabled: true + enabled: false http: - enabled: true + enabled: false intel: - enabled: true + enabled: false irc: - enabled: true + enabled: false kerberos: - enabled: true + enabled: false modbus: - enabled: true + enabled: false mysql: - enabled: true + enabled: false notice: - enabled: true + enabled: false ntp: - enabled: true + enabled: false ntlm: - enabled: true + enabled: false ocsp: - enabled: true + enabled: false pe: - enabled: true + enabled: false radius: - enabled: true + enabled: false rdp: - enabled: true + enabled: false rfb: - enabled: true + enabled: false signature: - enabled: true + enabled: false sip: - enabled: true + enabled: false smb_cmd: - enabled: true + enabled: false smb_files: - enabled: true + enabled: false smb_mapping: - enabled: true + enabled: false smtp: - enabled: true + enabled: false snmp: - enabled: true + enabled: false socks: - enabled: true + enabled: false ssh: - enabled: true + enabled: false ssl: - enabled: true + enabled: false stats: - enabled: true + enabled: false syslog: - enabled: true + enabled: false traceroute: - enabled: true + enabled: false tunnel: - enabled: true + enabled: false weird: - enabled: true + enabled: false x509: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/zookeeper/_meta/config.yml b/x-pack/filebeat/module/zookeeper/_meta/config.yml index a31d217a5ec..e14f9d1020f 100644 --- a/x-pack/filebeat/module/zookeeper/_meta/config.yml +++ b/x-pack/filebeat/module/zookeeper/_meta/config.yml @@ -1,14 +1,14 @@ - module: zookeeper # All logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/module/zoom/_meta/config.yml b/x-pack/filebeat/module/zoom/_meta/config.yml index 43c8ed43628..a010f43f3a9 100644 --- a/x-pack/filebeat/module/zoom/_meta/config.yml +++ b/x-pack/filebeat/module/zoom/_meta/config.yml @@ -1,6 +1,6 @@ - module: zoom webhook: - enabled: true + enabled: false # The type of input to use #var.input: http_endpoint diff --git a/x-pack/filebeat/module/zscaler/_meta/config.yml b/x-pack/filebeat/module/zscaler/_meta/config.yml index 9afb8712afb..d7c47dc6e70 100644 --- a/x-pack/filebeat/module/zscaler/_meta/config.yml +++ b/x-pack/filebeat/module/zscaler/_meta/config.yml @@ -1,6 +1,6 @@ - module: zscaler zia: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/activemq.yml.disabled b/x-pack/filebeat/modules.d/activemq.yml.disabled index 1c6728dd8c4..82c70b16947 100644 --- a/x-pack/filebeat/modules.d/activemq.yml.disabled +++ b/x-pack/filebeat/modules.d/activemq.yml.disabled @@ -4,7 +4,7 @@ - module: activemq # Audit logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. @@ -12,7 +12,7 @@ # Application logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/azure.yml.disabled b/x-pack/filebeat/modules.d/azure.yml.disabled index dcf5b1764d7..89ccfff8204 100644 --- a/x-pack/filebeat/modules.d/azure.yml.disabled +++ b/x-pack/filebeat/modules.d/azure.yml.disabled @@ -4,7 +4,7 @@ - module: azure # All logs activitylogs: - enabled: true + enabled: false var: # eventhub name containing the activity logs, overwrite he default value if the logs are exported in a different eventhub eventhub: "insights-operational-logs" diff --git a/x-pack/filebeat/modules.d/barracuda.yml.disabled b/x-pack/filebeat/modules.d/barracuda.yml.disabled index 20552d4c503..6327b8d6a75 100644 --- a/x-pack/filebeat/modules.d/barracuda.yml.disabled +++ b/x-pack/filebeat/modules.d/barracuda.yml.disabled @@ -3,7 +3,7 @@ - module: barracuda waf: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -22,7 +22,7 @@ # var.tz_offset: local spamfirewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/bluecoat.yml.disabled b/x-pack/filebeat/modules.d/bluecoat.yml.disabled index df71bb8ab04..98a4cef099b 100644 --- a/x-pack/filebeat/modules.d/bluecoat.yml.disabled +++ b/x-pack/filebeat/modules.d/bluecoat.yml.disabled @@ -3,7 +3,7 @@ - module: bluecoat director: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/cef.yml.disabled b/x-pack/filebeat/modules.d/cef.yml.disabled index bb8eca97d6b..cda083f4a5e 100644 --- a/x-pack/filebeat/modules.d/cef.yml.disabled +++ b/x-pack/filebeat/modules.d/cef.yml.disabled @@ -3,7 +3,7 @@ - module: cef log: - enabled: true + enabled: false var: syslog_host: localhost syslog_port: 9003 diff --git a/x-pack/filebeat/modules.d/checkpoint.yml.disabled b/x-pack/filebeat/modules.d/checkpoint.yml.disabled index 03db911f192..05fdfc0aa27 100644 --- a/x-pack/filebeat/modules.d/checkpoint.yml.disabled +++ b/x-pack/filebeat/modules.d/checkpoint.yml.disabled @@ -3,7 +3,7 @@ - module: checkpoint firewall: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog diff --git a/x-pack/filebeat/modules.d/cisco.yml.disabled b/x-pack/filebeat/modules.d/cisco.yml.disabled index 6a933610336..3ad2d76a875 100644 --- a/x-pack/filebeat/modules.d/cisco.yml.disabled +++ b/x-pack/filebeat/modules.d/cisco.yml.disabled @@ -3,7 +3,7 @@ - module: cisco asa: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -29,7 +29,7 @@ #var.external_zones: [ "External" ] ftd: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -55,7 +55,7 @@ #var.external_zones: [ "External" ] ios: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: syslog @@ -72,7 +72,7 @@ #var.paths: nexus: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -91,7 +91,7 @@ # var.tz_offset: local meraki: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -110,7 +110,7 @@ # var.tz_offset: local umbrella: - enabled: true + enabled: false #var.input: aws-s3 # AWS SQS queue url @@ -125,7 +125,7 @@ #var.api_timeout: 120s amp: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson diff --git a/x-pack/filebeat/modules.d/coredns.yml.disabled b/x-pack/filebeat/modules.d/coredns.yml.disabled index d4a871455fd..fb7e9995130 100644 --- a/x-pack/filebeat/modules.d/coredns.yml.disabled +++ b/x-pack/filebeat/modules.d/coredns.yml.disabled @@ -4,7 +4,7 @@ - module: coredns # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/crowdstrike.yml.disabled b/x-pack/filebeat/modules.d/crowdstrike.yml.disabled index a51bf2818a1..aea362f2e40 100644 --- a/x-pack/filebeat/modules.d/crowdstrike.yml.disabled +++ b/x-pack/filebeat/modules.d/crowdstrike.yml.disabled @@ -4,7 +4,7 @@ - module: crowdstrike falcon: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/cyberark.yml.disabled b/x-pack/filebeat/modules.d/cyberark.yml.disabled index 833a92645b1..391acfe7b24 100644 --- a/x-pack/filebeat/modules.d/cyberark.yml.disabled +++ b/x-pack/filebeat/modules.d/cyberark.yml.disabled @@ -5,7 +5,7 @@ # Please use the Cyberark Privileged Account Security (cyberarkpas) module instead. - module: cyberark corepas: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled index 2045718a6b7..f2168e9d453 100644 --- a/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled +++ b/x-pack/filebeat/modules.d/cyberarkpas.yml.disabled @@ -3,7 +3,7 @@ - module: cyberarkpas audit: - enabled: true + enabled: false # Set which input to use between tcp (default), udp, or file. # diff --git a/x-pack/filebeat/modules.d/cylance.yml.disabled b/x-pack/filebeat/modules.d/cylance.yml.disabled index 8f16f29ca5b..164642f0738 100644 --- a/x-pack/filebeat/modules.d/cylance.yml.disabled +++ b/x-pack/filebeat/modules.d/cylance.yml.disabled @@ -3,7 +3,7 @@ - module: cylance protect: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/envoyproxy.yml.disabled b/x-pack/filebeat/modules.d/envoyproxy.yml.disabled index a46cf279282..d95316b3c30 100644 --- a/x-pack/filebeat/modules.d/envoyproxy.yml.disabled +++ b/x-pack/filebeat/modules.d/envoyproxy.yml.disabled @@ -4,7 +4,7 @@ - module: envoyproxy # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled index fdf357dae44..4db5209693d 100644 --- a/x-pack/filebeat/modules.d/f5.yml.disabled +++ b/x-pack/filebeat/modules.d/f5.yml.disabled @@ -3,7 +3,7 @@ - module: f5 bigipapm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -22,7 +22,7 @@ # var.tz_offset: local bigipafm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/fortinet.yml.disabled b/x-pack/filebeat/modules.d/fortinet.yml.disabled index f77f2169d6d..e31eb967d73 100644 --- a/x-pack/filebeat/modules.d/fortinet.yml.disabled +++ b/x-pack/filebeat/modules.d/fortinet.yml.disabled @@ -3,7 +3,7 @@ - module: fortinet firewall: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -26,7 +26,7 @@ #var.external_interfaces: [ "WAN" ] clientendpoint: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -45,7 +45,7 @@ # var.tz_offset: local fortimail: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -64,7 +64,7 @@ # var.tz_offset: local fortimanager: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/gcp.yml.disabled b/x-pack/filebeat/modules.d/gcp.yml.disabled index 0a1971525a3..b0b5f636b10 100644 --- a/x-pack/filebeat/modules.d/gcp.yml.disabled +++ b/x-pack/filebeat/modules.d/gcp.yml.disabled @@ -3,7 +3,7 @@ - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -31,7 +31,7 @@ #var.internal_networks: [ "private" ] firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -58,7 +58,7 @@ #var.internal_networks: [ "private" ] audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/modules.d/google_workspace.yml.disabled b/x-pack/filebeat/modules.d/google_workspace.yml.disabled index b5eb0051965..85142dfcaf0 100644 --- a/x-pack/filebeat/modules.d/google_workspace.yml.disabled +++ b/x-pack/filebeat/modules.d/google_workspace.yml.disabled @@ -3,7 +3,7 @@ - module: google_workspace saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -11,7 +11,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -19,7 +19,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -27,7 +27,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -35,7 +35,7 @@ # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -43,7 +43,7 @@ # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h diff --git a/x-pack/filebeat/modules.d/googlecloud.yml.disabled b/x-pack/filebeat/modules.d/googlecloud.yml.disabled index 6f3e6b53e21..c337a0e7645 100644 --- a/x-pack/filebeat/modules.d/googlecloud.yml.disabled +++ b/x-pack/filebeat/modules.d/googlecloud.yml.disabled @@ -4,7 +4,7 @@ # googlecloud module is deprecated, please use gcp instead - module: gcp vpcflow: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -22,7 +22,7 @@ var.credentials_file: ${path.config}/gcp-service-account-xyz.json firewall: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id @@ -40,7 +40,7 @@ var.credentials_file: ${path.config}/gcp-service-account-xyz.json audit: - enabled: true + enabled: false # Google Cloud project ID. var.project_id: my-gcp-project-id diff --git a/x-pack/filebeat/modules.d/gsuite.yml.disabled b/x-pack/filebeat/modules.d/gsuite.yml.disabled index ddb160dcbac..ec38309a193 100644 --- a/x-pack/filebeat/modules.d/gsuite.yml.disabled +++ b/x-pack/filebeat/modules.d/gsuite.yml.disabled @@ -4,7 +4,7 @@ # Gsuite module is deprecated and will be removed in future releases. Please use Google Workspace module instead. - module: gsuite saml: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -12,7 +12,7 @@ # var.user_key: all # var.interval: 2h user_accounts: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -20,7 +20,7 @@ # var.user_key: all # var.interval: 2h login: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -28,7 +28,7 @@ # var.user_key: all # var.interval: 2h admin: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -36,7 +36,7 @@ # var.user_key: all # var.interval: 2h drive: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h @@ -44,7 +44,7 @@ # var.user_key: all # var.interval: 2h groups: - enabled: true + enabled: false # var.jwt_file: credentials.json # var.delegated_account: admin@example.com # var.initial_interval: 24h diff --git a/x-pack/filebeat/modules.d/ibmmq.yml.disabled b/x-pack/filebeat/modules.d/ibmmq.yml.disabled index 0acfa0b0bce..4ad3209a90e 100644 --- a/x-pack/filebeat/modules.d/ibmmq.yml.disabled +++ b/x-pack/filebeat/modules.d/ibmmq.yml.disabled @@ -4,7 +4,7 @@ - module: ibmmq # All logs errorlog: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/imperva.yml.disabled b/x-pack/filebeat/modules.d/imperva.yml.disabled index f5e69959cf9..cd864075960 100644 --- a/x-pack/filebeat/modules.d/imperva.yml.disabled +++ b/x-pack/filebeat/modules.d/imperva.yml.disabled @@ -3,7 +3,7 @@ - module: imperva securesphere: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/infoblox.yml.disabled b/x-pack/filebeat/modules.d/infoblox.yml.disabled index ec5385c6df7..24d524d259d 100644 --- a/x-pack/filebeat/modules.d/infoblox.yml.disabled +++ b/x-pack/filebeat/modules.d/infoblox.yml.disabled @@ -3,7 +3,7 @@ - module: infoblox nios: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/iptables.yml.disabled b/x-pack/filebeat/modules.d/iptables.yml.disabled index 833fd91537b..2d51c67f24e 100644 --- a/x-pack/filebeat/modules.d/iptables.yml.disabled +++ b/x-pack/filebeat/modules.d/iptables.yml.disabled @@ -3,7 +3,7 @@ - module: iptables log: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/modules.d/juniper.yml.disabled b/x-pack/filebeat/modules.d/juniper.yml.disabled index 6ffe87834a4..583f47bb7f7 100644 --- a/x-pack/filebeat/modules.d/juniper.yml.disabled +++ b/x-pack/filebeat/modules.d/juniper.yml.disabled @@ -3,7 +3,7 @@ - module: juniper junos: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -22,7 +22,7 @@ # var.tz_offset: local netscreen: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp @@ -41,7 +41,7 @@ # var.tz_offset: local srx: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp diff --git a/x-pack/filebeat/modules.d/microsoft.yml.disabled b/x-pack/filebeat/modules.d/microsoft.yml.disabled index 43944caad29..e4af73ad6ed 100644 --- a/x-pack/filebeat/modules.d/microsoft.yml.disabled +++ b/x-pack/filebeat/modules.d/microsoft.yml.disabled @@ -4,7 +4,7 @@ - module: microsoft # ATP configuration defender_atp: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -17,7 +17,7 @@ # Oauth Token URL, should include the tenant ID #var.oauth2.token_url: "https://login.microsoftonline.com/TENANT-ID/oauth2/token" m365_defender: - enabled: true + enabled: false # How often the API should be polled #var.interval: 5m @@ -34,7 +34,7 @@ #var.oauth2.scopes: # - "https://api.security.microsoft.com/.default" dhcp: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/misp.yml.disabled b/x-pack/filebeat/modules.d/misp.yml.disabled index 610cc874073..4e405aaac70 100644 --- a/x-pack/filebeat/modules.d/misp.yml.disabled +++ b/x-pack/filebeat/modules.d/misp.yml.disabled @@ -5,7 +5,7 @@ - module: misp threat: - enabled: true + enabled: false # API key to access MISP #var.api_key diff --git a/x-pack/filebeat/modules.d/mssql.yml.disabled b/x-pack/filebeat/modules.d/mssql.yml.disabled index 3fdaac9e8a6..c8473c91dd5 100644 --- a/x-pack/filebeat/modules.d/mssql.yml.disabled +++ b/x-pack/filebeat/modules.d/mssql.yml.disabled @@ -4,7 +4,7 @@ - module: mssql # Fileset for native deployment log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled index c04fb9c1908..33c1731cd19 100644 --- a/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled +++ b/x-pack/filebeat/modules.d/mysqlenterprise.yml.disabled @@ -3,7 +3,7 @@ - module: mysqlenterprise audit: - enabled: true + enabled: false # Sets the input type. Currently only supports file #var.input: file diff --git a/x-pack/filebeat/modules.d/netflow.yml.disabled b/x-pack/filebeat/modules.d/netflow.yml.disabled index f0d03a1fef2..7f365e90b43 100644 --- a/x-pack/filebeat/modules.d/netflow.yml.disabled +++ b/x-pack/filebeat/modules.d/netflow.yml.disabled @@ -3,7 +3,7 @@ - module: netflow log: - enabled: true + enabled: false var: netflow_host: localhost netflow_port: 2055 diff --git a/x-pack/filebeat/modules.d/netscout.yml.disabled b/x-pack/filebeat/modules.d/netscout.yml.disabled index 988f1b98899..c6d5520629b 100644 --- a/x-pack/filebeat/modules.d/netscout.yml.disabled +++ b/x-pack/filebeat/modules.d/netscout.yml.disabled @@ -3,7 +3,7 @@ - module: netscout sightline: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/o365.yml.disabled b/x-pack/filebeat/modules.d/o365.yml.disabled index a2bdc1ecee3..ab61528d6f9 100644 --- a/x-pack/filebeat/modules.d/o365.yml.disabled +++ b/x-pack/filebeat/modules.d/o365.yml.disabled @@ -3,7 +3,7 @@ - module: o365 audit: - enabled: true + enabled: false # Set the application_id (also known as client ID): var.application_id: "" diff --git a/x-pack/filebeat/modules.d/okta.yml.disabled b/x-pack/filebeat/modules.d/okta.yml.disabled index 66965ac4ba2..062856ce4e4 100644 --- a/x-pack/filebeat/modules.d/okta.yml.disabled +++ b/x-pack/filebeat/modules.d/okta.yml.disabled @@ -3,7 +3,7 @@ - module: okta system: - enabled: true + enabled: false # You must configure the URL with your Okta domain and provide an # API token to access the logs API. #var.url: https://yourOktaDomain/api/v1/logs diff --git a/x-pack/filebeat/modules.d/oracle.yml.disabled b/x-pack/filebeat/modules.d/oracle.yml.disabled index d8b1d8c58e2..aa24b1f6755 100644 --- a/x-pack/filebeat/modules.d/oracle.yml.disabled +++ b/x-pack/filebeat/modules.d/oracle.yml.disabled @@ -3,7 +3,7 @@ - module: oracle database_audit: - enabled: true + enabled: false # Set which input to use between syslog or file (default). #var.input: file diff --git a/x-pack/filebeat/modules.d/panw.yml.disabled b/x-pack/filebeat/modules.d/panw.yml.disabled index 0bd5bf33419..1a630f8fb4e 100644 --- a/x-pack/filebeat/modules.d/panw.yml.disabled +++ b/x-pack/filebeat/modules.d/panw.yml.disabled @@ -3,7 +3,7 @@ - module: panw panos: - enabled: true + enabled: false # Set which input to use between syslog (default) or file. #var.input: diff --git a/x-pack/filebeat/modules.d/proofpoint.yml.disabled b/x-pack/filebeat/modules.d/proofpoint.yml.disabled index b0f94ac3022..34b31277086 100644 --- a/x-pack/filebeat/modules.d/proofpoint.yml.disabled +++ b/x-pack/filebeat/modules.d/proofpoint.yml.disabled @@ -3,7 +3,7 @@ - module: proofpoint emailsecurity: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled index c446834f99e..437cf9a5721 100644 --- a/x-pack/filebeat/modules.d/rabbitmq.yml.disabled +++ b/x-pack/filebeat/modules.d/rabbitmq.yml.disabled @@ -4,7 +4,7 @@ - module: rabbitmq # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/radware.yml.disabled b/x-pack/filebeat/modules.d/radware.yml.disabled index ad17e4fcd7d..553d8459127 100644 --- a/x-pack/filebeat/modules.d/radware.yml.disabled +++ b/x-pack/filebeat/modules.d/radware.yml.disabled @@ -3,7 +3,7 @@ - module: radware defensepro: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/snort.yml.disabled b/x-pack/filebeat/modules.d/snort.yml.disabled index b8abbd3e370..89d25c4b556 100644 --- a/x-pack/filebeat/modules.d/snort.yml.disabled +++ b/x-pack/filebeat/modules.d/snort.yml.disabled @@ -3,7 +3,7 @@ - module: snort log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/snyk.yml.disabled b/x-pack/filebeat/modules.d/snyk.yml.disabled index b8f62d7b885..f92cf1d71f0 100644 --- a/x-pack/filebeat/modules.d/snyk.yml.disabled +++ b/x-pack/filebeat/modules.d/snyk.yml.disabled @@ -3,7 +3,7 @@ - module: snyk audit: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # @@ -32,7 +32,7 @@ #var.email_address: "" vulnerabilities: - enabled: true + enabled: false # Set which input to use between httpjson (default) or file. #var.input: httpjson # How often the API should be polled. Data from the Snyk API is automatically updated diff --git a/x-pack/filebeat/modules.d/sonicwall.yml.disabled b/x-pack/filebeat/modules.d/sonicwall.yml.disabled index 975b4577c13..f267d355b37 100644 --- a/x-pack/filebeat/modules.d/sonicwall.yml.disabled +++ b/x-pack/filebeat/modules.d/sonicwall.yml.disabled @@ -3,7 +3,7 @@ - module: sonicwall firewall: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/sophos.yml.disabled b/x-pack/filebeat/modules.d/sophos.yml.disabled index d0a7b23c632..e875354ad62 100644 --- a/x-pack/filebeat/modules.d/sophos.yml.disabled +++ b/x-pack/filebeat/modules.d/sophos.yml.disabled @@ -3,7 +3,7 @@ - module: sophos xg: - enabled: true + enabled: false # Set which input to use between tcp, udp (default) or file. #var.input: udp @@ -27,7 +27,7 @@ utm: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/squid.yml.disabled b/x-pack/filebeat/modules.d/squid.yml.disabled index 3656c1b8eed..81d5f6e0af0 100644 --- a/x-pack/filebeat/modules.d/squid.yml.disabled +++ b/x-pack/filebeat/modules.d/squid.yml.disabled @@ -3,7 +3,7 @@ - module: squid log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/suricata.yml.disabled b/x-pack/filebeat/modules.d/suricata.yml.disabled index d710dac848f..98e905fff23 100644 --- a/x-pack/filebeat/modules.d/suricata.yml.disabled +++ b/x-pack/filebeat/modules.d/suricata.yml.disabled @@ -4,7 +4,7 @@ - module: suricata # All logs eve: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/threatintel.yml.disabled b/x-pack/filebeat/modules.d/threatintel.yml.disabled index e150fe8835a..55f192feb11 100644 --- a/x-pack/filebeat/modules.d/threatintel.yml.disabled +++ b/x-pack/filebeat/modules.d/threatintel.yml.disabled @@ -3,7 +3,7 @@ - module: threatintel abuseurl: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -15,7 +15,7 @@ var.interval: 10m abusemalware: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -27,7 +27,7 @@ var.interval: 10m malwarebazaar: - enabled: true + enabled: false # Input used for ingesting threat intel data. var.input: httpjson @@ -39,7 +39,7 @@ var.interval: 10m misp: - enabled: true + enabled: false # Input used for ingesting threat intel data, defaults to JSON. var.input: httpjson @@ -68,7 +68,7 @@ var.interval: 5m otx: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -95,7 +95,7 @@ var.interval: 5m anomali: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson @@ -117,7 +117,7 @@ var.interval: 5m anomalithreatstream: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: http_endpoint @@ -142,7 +142,7 @@ # var.ssl_key: path/to/ssl_key.pem recordedfuture: - enabled: true + enabled: false # Input used for ingesting threat intel data var.input: httpjson diff --git a/x-pack/filebeat/modules.d/tomcat.yml.disabled b/x-pack/filebeat/modules.d/tomcat.yml.disabled index 3dde8911ac0..dc7a8d7eadd 100644 --- a/x-pack/filebeat/modules.d/tomcat.yml.disabled +++ b/x-pack/filebeat/modules.d/tomcat.yml.disabled @@ -3,7 +3,7 @@ - module: tomcat log: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp diff --git a/x-pack/filebeat/modules.d/zeek.yml.disabled b/x-pack/filebeat/modules.d/zeek.yml.disabled index d1349bf1388..2ceeeea911d 100644 --- a/x-pack/filebeat/modules.d/zeek.yml.disabled +++ b/x-pack/filebeat/modules.d/zeek.yml.disabled @@ -3,83 +3,83 @@ - module: zeek capture_loss: - enabled: true + enabled: false connection: - enabled: true + enabled: false dce_rpc: - enabled: true + enabled: false dhcp: - enabled: true + enabled: false dnp3: - enabled: true + enabled: false dns: - enabled: true + enabled: false dpd: - enabled: true + enabled: false files: - enabled: true + enabled: false ftp: - enabled: true + enabled: false http: - enabled: true + enabled: false intel: - enabled: true + enabled: false irc: - enabled: true + enabled: false kerberos: - enabled: true + enabled: false modbus: - enabled: true + enabled: false mysql: - enabled: true + enabled: false notice: - enabled: true + enabled: false ntp: - enabled: true + enabled: false ntlm: - enabled: true + enabled: false ocsp: - enabled: true + enabled: false pe: - enabled: true + enabled: false radius: - enabled: true + enabled: false rdp: - enabled: true + enabled: false rfb: - enabled: true + enabled: false signature: - enabled: true + enabled: false sip: - enabled: true + enabled: false smb_cmd: - enabled: true + enabled: false smb_files: - enabled: true + enabled: false smb_mapping: - enabled: true + enabled: false smtp: - enabled: true + enabled: false snmp: - enabled: true + enabled: false socks: - enabled: true + enabled: false ssh: - enabled: true + enabled: false ssl: - enabled: true + enabled: false stats: - enabled: true + enabled: false syslog: - enabled: true + enabled: false traceroute: - enabled: true + enabled: false tunnel: - enabled: true + enabled: false weird: - enabled: true + enabled: false x509: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/zookeeper.yml.disabled b/x-pack/filebeat/modules.d/zookeeper.yml.disabled index 34273eacff4..f632c0de9e7 100644 --- a/x-pack/filebeat/modules.d/zookeeper.yml.disabled +++ b/x-pack/filebeat/modules.d/zookeeper.yml.disabled @@ -4,14 +4,14 @@ - module: zookeeper # All logs audit: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. #var.paths: # All logs log: - enabled: true + enabled: false # Set custom paths for the log files. If left empty, # Filebeat will choose the paths depending on your OS. diff --git a/x-pack/filebeat/modules.d/zoom.yml.disabled b/x-pack/filebeat/modules.d/zoom.yml.disabled index f5320d112b9..a04706cf15a 100644 --- a/x-pack/filebeat/modules.d/zoom.yml.disabled +++ b/x-pack/filebeat/modules.d/zoom.yml.disabled @@ -3,7 +3,7 @@ - module: zoom webhook: - enabled: true + enabled: false # The type of input to use #var.input: http_endpoint diff --git a/x-pack/filebeat/modules.d/zscaler.yml.disabled b/x-pack/filebeat/modules.d/zscaler.yml.disabled index 2c8f03ebcc3..732a033073b 100644 --- a/x-pack/filebeat/modules.d/zscaler.yml.disabled +++ b/x-pack/filebeat/modules.d/zscaler.yml.disabled @@ -3,7 +3,7 @@ - module: zscaler zia: - enabled: true + enabled: false # Set which input to use between udp (default), tcp or file. # var.input: udp From 2c47ac8d7e3af05dc84c19ae5ff81aeaf3cca875 Mon Sep 17 00:00:00 2001 From: Marcin Tojek Date: Wed, 15 Sep 2021 22:31:29 +0200 Subject: [PATCH 10/12] Docker: remove deprecated fields (#27933) * Docker: remove deprecated fields * Update docs/fields.asciidoc * Update CHANGELOG * Fix * Fix --- CHANGELOG.next.asciidoc | 1 + metricbeat/docs/fields.asciidoc | 137 ------------------ .../module/docker/diskio/_meta/fields.yml | 21 +-- metricbeat/module/docker/diskio/data.go | 3 - metricbeat/module/docker/fields.go | 2 +- .../module/docker/network/_meta/fields.yml | 46 ------ metricbeat/module/docker/network/data.go | 14 -- 7 files changed, 5 insertions(+), 219 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 786d73a0502..e57576aa204 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -112,6 +112,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support for kube-state-metrics v2.0.0 {pull}27552[27552] - Add User-Agent header to HTTP requests. {issue}18160[18160] {pull}27509[27509] - Errors should be thrown as errors. Metricsets inside Metricbeat will now throw errors as the `error` log level. {pull}27804[27804] +- Remove deprecated fields in Docker module. {issue}11835[11835] {pull}27933[27933] *Packetbeat* diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index 0551dbbff8f..da9d67c3783 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -12029,19 +12029,6 @@ type: long -- -*`docker.diskio.reads`*:: -+ --- - -deprecated:[6.4] - -Number of current reads per second - - -type: scaled_float - --- - [float] === write @@ -12111,19 +12098,6 @@ type: long -- -*`docker.diskio.writes`*:: -+ --- - -deprecated:[6.4] - -Number of current writes per second - - -type: scaled_float - --- - [float] === summary @@ -12193,19 +12167,6 @@ type: long -- -*`docker.diskio.total`*:: -+ --- - -deprecated:[6.4] - -Number of reads and writes per second - - -type: scaled_float - --- - [float] === event @@ -12703,104 +12664,6 @@ type: keyword -- -[float] -=== in - -Incoming network stats per second. - - - -*`docker.network.in.bytes`*:: -+ --- -Total number of incoming bytes. - - -type: long - -format: bytes - --- - -*`docker.network.in.dropped`*:: -+ --- -Total number of dropped incoming packets. - - -type: scaled_float - --- - -*`docker.network.in.errors`*:: -+ --- -Total errors on incoming packets. - - -type: long - --- - -*`docker.network.in.packets`*:: -+ --- -Total number of incoming packets. - - -type: long - --- - -[float] -=== out - -Outgoing network stats per second. - - - -*`docker.network.out.bytes`*:: -+ --- -Total number of outgoing bytes. - - -type: long - -format: bytes - --- - -*`docker.network.out.dropped`*:: -+ --- -Total number of dropped outgoing packets. - - -type: scaled_float - --- - -*`docker.network.out.errors`*:: -+ --- -Total errors on outgoing packets. - - -type: long - --- - -*`docker.network.out.packets`*:: -+ --- -Total number of outgoing packets. - - -type: long - --- - [float] === inbound diff --git a/metricbeat/module/docker/diskio/_meta/fields.yml b/metricbeat/module/docker/diskio/_meta/fields.yml index 71f9e22859a..74532058ec3 100644 --- a/metricbeat/module/docker/diskio/_meta/fields.yml +++ b/metricbeat/module/docker/diskio/_meta/fields.yml @@ -28,17 +28,12 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests - - name: reads - type: scaled_float - deprecated: 6.4 - description: > - Number of current reads per second - name: write type: group description: > @@ -63,17 +58,12 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests - - name: writes - type: scaled_float - deprecated: 6.4 - description: > - Number of current writes per second - name: summary type: group description: > @@ -98,14 +88,9 @@ Total time to service IO requests, in nanoseconds - name: wait_time type: long - description: > + description: > Total time requests spent waiting in queues for service, in nanoseconds - name: queued type: long description: > Total number of queued requests - - name: total - type: scaled_float - deprecated: 6.4 - description: > - Number of reads and writes per second diff --git a/metricbeat/module/docker/diskio/data.go b/metricbeat/module/docker/diskio/data.go index 04665ca85cc..4d5ae9b0e5c 100644 --- a/metricbeat/module/docker/diskio/data.go +++ b/metricbeat/module/docker/diskio/data.go @@ -30,9 +30,6 @@ func eventsMapping(r mb.ReporterV2, blkioStatsList []BlkioStats) { func eventMapping(r mb.ReporterV2, stats *BlkioStats) { fields := common.MapStr{ - "reads": stats.reads, - "writes": stats.writes, - "total": stats.totals, "read": common.MapStr{ "ops": stats.serviced.reads, "bytes": stats.servicedBytes.reads, diff --git a/metricbeat/module/docker/fields.go b/metricbeat/module/docker/fields.go index 500a172a399..9c88da1e5b9 100644 --- a/metricbeat/module/docker/fields.go +++ b/metricbeat/module/docker/fields.go @@ -32,5 +32,5 @@ func init() { // AssetDocker returns asset data. // This is the base64 encoded zlib format compressed contents of module/docker. func AssetDocker() string { - return "eJzsXE1v4zjSvudXFPIeXqCR2NjFYA8+LDCb7kUHOz0ddCe7h8HAQ1Nlu9YSqSYpu92/fkFSkm2JkvwhO8kgPuQQWlVPfRfJkm9hgesRRJIvUF0BGDIxjuD6vfvH9RVAhJorSg1JMYK/XwEA+EXQhhkNXMYxcoMRTJVM8rXBFYDCGJnGEczYFYBGY0jM9Ah+u9Y6vv7d/m8ulRlzKaY0G8GUxRqvAKaEcaRHjtMtCJbgFj77MevUUlUyS/P/BDDaz72YSpUw+29gInKASRviGthEZiYn+/8aVCYEiRlwKQwjgUoPcirbaLYRld8sV0LAWsBtKbKkBQkaRbxkbj+7aiw+VVi70JKEiWhnrQC3wPVKqupaC0T7ufMEwcyZgRXTgN+RZ9bkJMDMsSbHIIxLITMYxhUxg4eBes8MwmqOHsFGhRZfzikMw3pBpvvUTsHaUw5zpXTMokih1hjmTemxbO8foCTdIDL9qGo37KuHiUs/MOSx0OCf24iUlGY8rWpiAyyWYhZY7MDmPo/SsNiDk1NgcewcZEox6sJfGxx1B+DqHNi+5qg2iFxMzdkSYYIoCs8FqYDPmZhhBJoER79AUoQNbNisR4++T9gMHc1BPe+l2SkZ70smDCUIdw9P/SS7BSqB8SDlJii/5izGaDyNJat+wdeGEaSoOIrqaoeKHvxDVk/WnFYkEjkY0CnjGDZUDldIlbxAzGBxsZh+YASTtfNSkSUTVPYBazIuVVOOySUzxBdhVwyETVeqeXgCR28/3eq1NvjsanXZxyP3CrZazKG1wX4JLtGC/RTXyCXs2zVyYI5smHGmUT23TnNNWihtzuugvgQfqOE9xfJOqrOlhC6dOn++uD4fyyjKNJu1QnsWe1fwnWJeuzR41yiBnPwXa0v+n+NL+vRuRiPtcbdJ1GqYFy3WTQ/2bA7YbtEPD+lfd9CVwR0wVHkaQHpB8qSNN+kF3A8/99ODKmThXe0R26ufOc+SLHabAEtXQ5QpEjNnyJim5fYhdADRBHQbrEzPsevaGPEo0Bt4k7WpbZA7ARZB1fTwHgL8wz7qwB+PXdUPMTqhH6RbnimFwuQ6Tm31Qy5rRz1bnReqJXEc2zRxBmS+lLgcZGTBDO4/g8JvGWqjb2wkCyakx1m3TQF0xcj0gBK6YBbAQKdWkZattTUJ+JZhhtq6UiHI3uDdo3Uj9KXfTfr2jEohGpNROHm3VKUIU4XcJp0R/G3w07EJfC//LE2uqBYuvaRNR/jV5c3jUL+UxGnRGxSvIHfmen5Lnm/JM6BJ5xzPnD3bPbT0zixJmFqfr+9k4rWmUtvYyxSVOzB/tSnV9aKFEV5Hbt1S+lt+fcuvdTDu2OuZ0mstqwVctMCJy92zmWNv9qt0Dj9b6Pu2+oNFFKJaXlT3ODjgmVHk7+nZklHMJjEG+U6VTHoXU2aKh9lZ2v2xe5yje9z6mT8OA0zITby4HF31gw0Oxi3N8yBp5Sqr9eKE1qFOrKsFqHlZl9h74CjEv39flMb9TLGjGGMUTbK2uh88A4XqOehJUvybKZKZtkSGSxZnuIVrV7Ybmx1RRFY6KYCM3vXsQq45stjM+Rz5ooe0tkWtfoK688DHrW9GzDBYURyDFPEaJrjJCH52LKqMEWmbNxRacXeI5t/74+OHn395/Hj38cPdv/4AEtqozEUTzJn24xSZxshW/0lGceTUlj9LSeVq5vDMPGUUk5hpo5AtgrFEwuCs1pd12J9LwTPXTVkGGEHVaOerDdvG8rSByyicP0NhdHQGccRyZR86SYQiGgemx6BttGwPSFV9oIjClLaMocwlkDhG7VhkZtIslKJ6yE3bUBr4lKb5TmZc86BtJOEIOU4pNXcta42N9R6ynqPTz41RQ5N1ROjYgueBxWxtUyZFKAxNqT7c1hVJ+S7uPG4DT4K+ZQXWDUiY0dIm6jSvXuE5t22YKTsjyvsNsLzOOsA3QFMgYz3abRxduVrNic/9Fjzf/3rhIlLITbx2DFFUU9oZx2HdkK7dSZZzsR5R90xsjwOifnrQzV96lzzUD5ekTFbbJkLf85e1FmAXhcJZFrNQaup5QtViYXEMnPE5Rh6WBqa15OSO44ysO1lDu1WAj9kE42Ov8E+YGfV8O8BdbliVxPSkMYF7MZVFwocJs82k7S6NSfVoOIwk1wPfTw64TIYoZiRwqHCKCgXHIUtp6NfHChNpcMxSGi//MvjrT8P/G0ak05itb/0Y2+2KIrylzRsLp74DUPTQfYX15yUq56Y74+4HB3fKbE9+hqiqHkd5RoE3OuqY8rc/LgCq+T2TOiptZJpeRFU5p71QhU7wzoHJVdo2VZ3jvCrvUYpdrtQm2E6Fcbi8HcRy+ExUozY8l3qmSzCRO5dBB+e6T45CP+2tzwzvjqw/AXVtrY8TlqYkZvmXr99dH6baL2yVayt/gc31cq7AOm3pfHVgV90GRU1ZwyEil0lCve2C7xw14+b23EGPgP+QiOSq6lVdOfaoGO3h3sp7bZhAmf/rhyWXgPaAbJGbq1PBJVRFS2ZwvJJqYR1Ooxk0X2AEsLfh7sCc84acN2g0nXinjOIBl1nDuUzrDUsrmH8ysnU/s7EQTsIxNcVBv2rJk5RjF0aidG8dz5evX3cyxaGtzvOGYY5coXYlzHqQ23K0bKyDp9qdzgOdU8174v7UgLig2jhM7+bY+7L6k/anPMfbPWHfn8Hqn9j3AnXgvQN4eXb2bx802RZeWiBVlFrrwAQam6xPacF+9SSO78HCjWmwhTmpTy6AlqQdq4b+PHy5GY7MEy767wWXiS2VuSHy7m5zyX9oGD/X9E+196dCMEezOUoi1b5f7AjtI5DlHDcIU8YXWE+YWzcCSsnakQT0tn305N1F6N6Q8i9cYEvbjmnr7uYyAfM5MzP5ZwwYWQj2YgOmRPhyAmZ/SJcLmHZMmwIzkVnDz50cc30RriP+Vxh2f2rE3cRWr1ReT5z0VVj6M/hbQTlPQek1QBrqxp8wQPoqJP0HyFsBObGAVHZt4/rbFOH4KPdhEzRsv11dM4vWCZH0kPPzrpr2UBzfNYxl8z65Pd51sMuiPtk9ve9mN47JYM88fyGD7YyJJ71a8e5Th6T2r/89jLThWuyIq6g5ul/rgofNXG2Z4W+AS6VQp9KPoBoJw1RJPvwtpej3ocDw+PEGZ68wNwCL0lQy8pOg+e8h7A1fOwn+FwAA//+qunky" + return "eJzsnE9v47oRwO/5FIP0UOAhsdGipxwKvGa32KBv3wa7SXt4ePCjqbE9tURqScpe76cv+EeyLVGW/8hOgq4Pe4ismR+HM8MhOd5bmOPqDhLJ56iuAAyZFO/g+p37w/UVQIKaK8oNSXEHf78CAPAPQRtmNHCZpsgNJjBRMgvPBlcAClNkGu9gyq4ANBpDYqrv4LdrrdPr3+3fZlKZEZdiQtM7mLBU4xXAhDBN9J3TdAuCZbjBZz9mlVupShZ5+EuE0X4exESqjNk/AxOJAyZtiGtgY1mYIPbPGlQhBIkpcCkMI4FKD4KUTZpNouqb1ZMY2A64DUNWsiBDo4hXyu1n24zlp461jZZlTCRbz0q4Oa6WUtWf7UC0n3svEMyMGVgyDfgNeWGnnASYGTbGMYhzKWQG41wJM3gY1DtmEJYz9ARrE1q+oCmOYb2g0H1ap1TtJce1Uj5iSaJQa4zrpvxYtQ+PUIluGTJ9r1s37quHDZe+Y8xjocU/N4mUlGY0qVtiDZZKMY087GBznydpWOrh5ARYmjoHmVCKuvTXFkfdAlyeg+1LoFoTuZiasQXCGFGUngtSAZ8xMcUENAmO/gFJEZ9gw6Y9evRDxqboZA6aeS8vTsl4nwthKEO4f3zuJ9nNUQlMBzk30fFrzlJMRpNUsvoX/NpwBzkqjqL+tMNEj/4layc7nXZIJAIM6JxxjE9UwBVSZa+QGSwXS+k7JjBeOS8VRTZGZV+wU8alassxYWSG+DzuipGw6Uo1j8/g5O1nW73SBl/crC77eHJvYGvFgLYL+zW4xA72U1wjjLBv1whgTmxccaFRvbRNgyUtyi7ndaivwQcavKfMvBvV2VJCl02dP1/cnk9VFBWaTXeivch81/hOmV77aPBT6wjk+L/YeOT/OLqkT29nNNKee9eIdk7Mqx7WTQ/z2R6w3UM/PKR/3aKrgjsyUdVpAOk5yZM23qTn8DD81E8NqpDFd7VHbK9+5rzIitRtAqxcDUmhSEzdRKY0qbYPsQOINtBNWJmfY9e1nsSjoNd445VpbJA7Acugant5jwH8w77q4I9nV81DjE70g2zLC6VQmGDj3K5+yGXjqGej8kK1II4jmybOQOaXEpeDjCyVwcMnUPi1QG30jY1kwYT0nM25KUGXjMwFKEsu0Lm1o9Vqp5oEfC2wQG09qRzH3uzu1eYc9AW+zt5eUTWIaC5aKmo4YS/JyAl+c9noOOrXko4svUHxBjJSsPOPlPQjJTVgdJFlTK3OVyEx8VbTky1BZY7KHe2+2TTlqqZyEt5Gvtow+o+c9SNnbYHgYntjfuy1bl3O4RvLvq8q31uimNTqlrLHW2OvjBJ/ScsWjFI2TjGqd6Jk1vswZaF4XJ2V3Z+6pxm6161v+bMQwIxcu4NLe3U/WHMwbmWeh2SnVllPwSesxk1hXatqw8u6hr0HRzn8h3flarPfVGwZxhhF42LXUho9AIP6IdhJo/g3UyQLbYUMFywtcINre2w3kGCOIrGjkwLI6G3PLsc1Q5aaGZ8hn/eQ1jakNY/Ptl74sPHNhBkGS0pTkCJdwRjXGcE3DiW1HhJt84ZCO9wtoeF7f3x4//MvTx/uP7y//9cfQEIbVbhoghnT/i690JjYBXVcUJo4s4V3Kaudyx+emSeMUhJTbRSyeTSWSBicNkqdjvnnUvDCFShWASZQn7TzrQ2bk+VlA5dJPH/GwujoDOKEBWMf2kaCIhlFWodgV1/RHkh1e6BI4pI2JkOZS5A4RbtZZGHyIpaieshNmygteqqp+UZm1PCgTZJ4hBxnlIa7VmuNjfUesp6T0891QUuRdUTo2AXPg6VsZVMmJSgMTajZ2dQVSWFjdB63gWdBX4uSdQ0JU1rYRJ2H1Sve5LSJmbMzUj6swcI664BvgCZAxnq024u55Wo5Iz7zu9qwpfSDS0ghN+nKKURRT2ln7IV0HZp2d1Y1RXqi7obIHrsDfeuYa77zLnmoHy5ImYKlZ9gGbjXfNUqAbQqF0yJlsdTUc3uiZWFpCpzxGSYeSwPTWnJyJ1xGNp2spdwq4VM2xvTY+9sTGga93g64y3UqkpicdEf8ICayTPgwZraYtNWlMbm+Gw4TyfXA15MDLrMhiikJHCqcoELBcchyGvrnI4WZNDhiOY0Wfxn89W/DPw0T0nnKVre+h+l2SQne0rpd/dQG8LKG7iusPy1QOTfd6nU+OLhzZmvyM0RV/YjHK4q08zeZQuv/BaDaf2TQpNJG5vlFTBU07UXlupYuwORW2l2mOsd5VahRyl2u1CZaTsU5XN6OshzeENNqDa+lmekyzOTW/crBue6jk9BPeeszw09Hrj8Rc208H2Usz0lMw5evf7o+zLSf2TJYK/x6ydVyboF11tLh6cA+dRsUNWEth4hcZhn1tgu+d9KMa9pyBz0C/kMikcu6V3Xl2KNitIerIO+1cQFV/m8ellwC7RHZPExXp4ErVEULZnC0lGpuHU6jGcRM28q+i7uDOeiGoBs0mk7eCaN0wGXRci6zoyOxA+afjOy6X9hYiCfhlNrioF+zhCTl1MVJlO6t4vn85ctWpji01HnZMAzkCrVbwqwHuS3Hjo119FS703mgs6V1T+6PLcSl1NZOatfE3NesP2t/ynP8vGfs2wvM+kf2raSONJ3D65tn33reNrfw2gKpZtRGBSbQ2GR9Sgn2qxdxfA0WL0yjJcxJdXIJWol2qlrqczGWRctPkY85XRJcZnZFDPYORZz/heT2z4DdQXn9xKs7fF+qkaZe81M5UiezPToSdal9YtC0JssZn2MzQW7cACglG0cQ/aF58e7ic2+k8IULmGs308ZdTa8B8qkwU/l/ESCyHOmrC5CK7PUEyP5IlwuQdqbaojpq9o/G46NaJsdo2H6LbruKnRd4+SHHG11r2mO5u4pv7AzvU9vTfYe6IulT3fO7bnWjlAz2rPMXMrhbMfGs11m8/9gxUvuv/61q3nJqecRJ4Qzd/6QBj+u2pyrD3wCXSqHOpe8QMhKGuZJ8+FtOye9DgfHusDVnr5hrwHJpqhT5Rp3wW8W98bUbwf8CAAD//+ANZsY=" } diff --git a/metricbeat/module/docker/network/_meta/fields.yml b/metricbeat/module/docker/network/_meta/fields.yml index 035047eb091..68af440a9bf 100644 --- a/metricbeat/module/docker/network/_meta/fields.yml +++ b/metricbeat/module/docker/network/_meta/fields.yml @@ -9,52 +9,6 @@ type: keyword description: > Network interface name. - - name: in - type: group - deprecated: 6.4 - description: > - Incoming network stats per second. - fields: - - name: bytes - type: long - format: bytes - description: > - Total number of incoming bytes. - - name: dropped - type: scaled_float - description: > - Total number of dropped incoming packets. - - name: errors - type: long - description: > - Total errors on incoming packets. - - name: packets - type: long - description: > - Total number of incoming packets. - - name: out - type: group - deprecated: 6.4 - description: > - Outgoing network stats per second. - fields: - - name: bytes - type: long - format: bytes - description: > - Total number of outgoing bytes. - - name: dropped - type: scaled_float - description: > - Total number of dropped outgoing packets. - - name: errors - type: long - description: > - Total errors on outgoing packets. - - name: packets - type: long - description: > - Total number of outgoing packets. - name: inbound type: group description: > diff --git a/metricbeat/module/docker/network/data.go b/metricbeat/module/docker/network/data.go index b4a2b90c405..c537032abb1 100644 --- a/metricbeat/module/docker/network/data.go +++ b/metricbeat/module/docker/network/data.go @@ -33,20 +33,6 @@ func eventMapping(r mb.ReporterV2, stats *NetStats) { RootFields: stats.Container.ToMapStr(), MetricSetFields: common.MapStr{ "interface": stats.NameInterface, - // Deprecated - "in": common.MapStr{ - "bytes": stats.RxBytes, - "dropped": stats.RxDropped, - "errors": stats.RxErrors, - "packets": stats.RxPackets, - }, - // Deprecated - "out": common.MapStr{ - "bytes": stats.TxBytes, - "dropped": stats.TxDropped, - "errors": stats.TxErrors, - "packets": stats.TxPackets, - }, "inbound": common.MapStr{ "bytes": stats.Total.RxBytes, "dropped": stats.Total.RxDropped, From 680fb5bced3d8b7da8e0603469d9f7aea82be6c9 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 16 Sep 2021 09:02:56 +0200 Subject: [PATCH 11/12] Add write access to 'url.value' from 'request.transforms'. (#27937) --- CHANGELOG.next.asciidoc | 1 + .../docs/inputs/input-httpjson.asciidoc | 2 +- .../input/httpjson/internal/v2/pagination.go | 2 +- .../input/httpjson/internal/v2/request.go | 2 +- .../httpjson/internal/v2/transform_set.go | 26 ++-------- .../internal/v2/transform_set_test.go | 52 ++++--------------- .../httpjson/internal/v2/transform_test.go | 4 +- 7 files changed, 19 insertions(+), 70 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e57576aa204..d97f3595a5b 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -759,6 +759,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve memory usage of line reader of `log` and `filestream` input. {pull}27782[27782] - Add `ignore_empty_value` flag to `httpjson` `split` processor. {pull}27880[27880] - Update Cisco ASA/FTD ingest pipeline grok/dissect patterns for multiple message IDs. {issue}26869[26869] {pull}26879[26879] +- Add write access to `url.value` from `request.transforms` in `httpjson` input. {pull}27937[27937] *Heartbeat* diff --git a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc index 0fd64311ef4..0585f10d46e 100644 --- a/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-httpjson.asciidoc @@ -466,7 +466,7 @@ Available transforms for request: [`append`, `delete`, `set`]. Can read state from: [`.last_response.*`, `.last_event.*`, `.cursor.*`, `.header.*`, `.url.*`, `.body.*`]. -Can write state to: [`header.*`, `url.params.*`, `body.*`]. +Can write state to: [`body.*`, `header.*`, `url.*`]. ["source","yaml",subs="attributes"] ---- diff --git a/x-pack/filebeat/input/httpjson/internal/v2/pagination.go b/x-pack/filebeat/input/httpjson/internal/v2/pagination.go index de6261b3fd0..6ea063a10af 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/pagination.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/pagination.go @@ -19,7 +19,7 @@ const paginationNamespace = "pagination" func registerPaginationTransforms() { registerTransform(paginationNamespace, appendName, newAppendPagination) registerTransform(paginationNamespace, deleteName, newDeletePagination) - registerTransform(paginationNamespace, setName, newSetPagination) + registerTransform(paginationNamespace, setName, newSetRequestPagination) } type pagination struct { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/request.go b/x-pack/filebeat/input/httpjson/internal/v2/request.go index 6c223d746a9..921b13b9ab7 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/request.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/request.go @@ -22,7 +22,7 @@ const requestNamespace = "request" func registerRequestTransforms() { registerTransform(requestNamespace, appendName, newAppendRequest) registerTransform(requestNamespace, deleteName, newDeleteRequest) - registerTransform(requestNamespace, setName, newSetRequest) + registerTransform(requestNamespace, setName, newSetRequestPagination) } type httpClient struct { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go index 26a389c01da..c38f1719faf 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_set.go @@ -39,7 +39,7 @@ type set struct { func (set) transformName() string { return setName } -func newSetRequest(cfg *common.Config, log *logp.Logger) (transform, error) { +func newSetRequestPagination(cfg *common.Config, log *logp.Logger) (transform, error) { set, err := newSet(cfg, log) if err != nil { return nil, err @@ -52,6 +52,8 @@ func newSetRequest(cfg *common.Config, log *logp.Logger) (transform, error) { set.runFunc = setHeader case targetURLParams: set.runFunc = setURLParams + case targetURLValue: + set.runFunc = setURLValue default: return nil, fmt.Errorf("invalid target type: %s", set.targetInfo.Type) } @@ -75,28 +77,6 @@ func newSetResponse(cfg *common.Config, log *logp.Logger) (transform, error) { return &set, nil } -func newSetPagination(cfg *common.Config, log *logp.Logger) (transform, error) { - set, err := newSet(cfg, log) - if err != nil { - return nil, err - } - - switch set.targetInfo.Type { - case targetBody: - set.runFunc = setBody - case targetHeader: - set.runFunc = setHeader - case targetURLParams: - set.runFunc = setURLParams - case targetURLValue: - set.runFunc = setURLValue - default: - return nil, fmt.Errorf("invalid target type: %s", set.targetInfo.Type) - } - - return &set, nil -} - func newSet(cfg *common.Config, log *logp.Logger) (set, error) { c := &setConfig{} if err := cfg.Unpack(c); err != nil { diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go index a011302da33..6a3a2d8915c 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_set_test.go @@ -41,72 +41,40 @@ func TestNewSet(t *testing.T) { expectedErr: "invalid target: cursor.foo", }, { - name: "newSetRequest targets body", - constructor: newSetRequest, + name: "newSetRequestPagination targets body", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "body.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "body"}, }, { - name: "newSetRequest targets header", - constructor: newSetRequest, + name: "newSetRequestPagination targets header", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "header.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "header"}, }, { - name: "newSetRequest targets url param", - constructor: newSetRequest, + name: "newSetRequestPagination targets url param", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "url.params.foo", }, expectedTarget: targetInfo{Name: "foo", Type: "url.params"}, }, { - name: "newSetRequest targets something else", - constructor: newSetRequest, - config: map[string]interface{}{ - "target": "cursor.foo", - }, - expectedErr: "invalid target: cursor.foo", - }, - { - name: "newSetPagination targets body", - constructor: newSetPagination, - config: map[string]interface{}{ - "target": "body.foo", - }, - expectedTarget: targetInfo{Name: "foo", Type: "body"}, - }, - { - name: "newSetPagination targets header", - constructor: newSetPagination, - config: map[string]interface{}{ - "target": "header.foo", - }, - expectedTarget: targetInfo{Name: "foo", Type: "header"}, - }, - { - name: "newSetPagination targets url param", - constructor: newSetPagination, - config: map[string]interface{}{ - "target": "url.params.foo", - }, - expectedTarget: targetInfo{Name: "foo", Type: "url.params"}, - }, - { - name: "newSetPagination targets url value", - constructor: newSetPagination, + name: "newSetRequestPagination targets url value", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "url.value", }, expectedTarget: targetInfo{Type: "url.value"}, }, { - name: "newSetPagination targets something else", - constructor: newSetPagination, + name: "newSetRequestPagination targets something else", + constructor: newSetRequestPagination, config: map[string]interface{}{ "target": "cursor.foo", }, diff --git a/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go b/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go index dbc788e6001..2ac43b3faf9 100644 --- a/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go +++ b/x-pack/filebeat/input/httpjson/internal/v2/transform_test.go @@ -46,7 +46,7 @@ func TestTransformableClone(t *testing.T) { } func TestNewTransformsFromConfig(t *testing.T) { - registerTransform("test", setName, newSetRequest) + registerTransform("test", setName, newSetRequestPagination) t.Cleanup(func() { registeredTransforms = newRegistry() }) cases := []struct { @@ -126,7 +126,7 @@ func TestNewBasicTransformsFromConfig(t *testing.T) { return fakeTransform{}, nil } - registerTransform("test", setName, newSetRequest) + registerTransform("test", setName, newSetRequestPagination) registerTransform("test", "fake", fakeConstr) t.Cleanup(func() { registeredTransforms = newRegistry() }) From 5456b6eb07c6cc8a4ab401b76ef96e075a627f58 Mon Sep 17 00:00:00 2001 From: Andres Rodriguez Date: Thu, 16 Sep 2021 10:15:19 +0200 Subject: [PATCH 12/12] No changelog for 8.0.0-alpha2 (#27961) --- CHANGELOG.asciidoc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index 5c25d138679..7280d1039b8 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -3,10 +3,16 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-8.0.0-alpha2]] +=== Beats version 8.0.0-alpha2 + +Changes will be described in a later alpha / beta. + [[release-notes-8.0.0-alpha1]] === Beats version 8.0.0-alpha1 Changes will be described in a later alpha / beta. + [[release-notes-7.14.1]] === Beats version 7.14.1 https://github.com/elastic/beats/compare/v7.14.0...v7.14.1[View commits]