diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c3cee7d5db7..5bcdb19cf8d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -555,7 +555,6 @@ field. You can revert this change by configuring tags for the module and omittin
- Add experimental dataset cisco/nexus for Cisco Nexus logs {pull}19713[19713]
- Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs {pull}19713[19713]
- Add experimental dataset cylance/protect for Cylance Protect logs {pull}19713[19713]
-- Add experimental dataset f5/firepass for F5 FirePass SSL VPN logs {pull}19713[19713]
- Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs {pull}19713[19713]
- Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs {pull}19713[19713]
- Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs {pull}19713[19713]
diff --git a/filebeat/docs/modules/f5.asciidoc b/filebeat/docs/modules/f5.asciidoc
index e0f69dbffac..8ebfd8f94a7 100644
--- a/filebeat/docs/modules/f5.asciidoc
+++ b/filebeat/docs/modules/f5.asciidoc
@@ -67,51 +67,6 @@ will be found under `rsa.raw`. The default is false.
:fileset_ex!:
-[float]
-==== `firepass` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9509`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be are added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
:modulename!:
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index dbbfce5c4a1..745eb7843be 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -235,7 +235,6 @@ def clean_keys(obj):
"cef.log",
"cisco.asa",
"cisco.ios",
- "f5.firepass",
"fortinet.clientendpoint",
"haproxy.log",
"icinga.startup",
diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml
index f3936c2c87f..6c552cd8a97 100644
--- a/x-pack/filebeat/filebeat.reference.yml
+++ b/x-pack/filebeat/filebeat.reference.yml
@@ -600,25 +600,6 @@ filebeat.modules:
# "+02:00" for GMT+02:00
# var.tz_offset: local
- firepass:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9509
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
-
#------------------------------- Fortinet Module -------------------------------
- module: fortinet
firewall:
diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml
index a40427c7730..11ba78ad098 100644
--- a/x-pack/filebeat/module/f5/_meta/config.yml
+++ b/x-pack/filebeat/module/f5/_meta/config.yml
@@ -17,22 +17,3 @@
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
-
- firepass:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9509
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local
diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc
index 058a7aa3ea9..3b44e5fe63b 100644
--- a/x-pack/filebeat/module/f5/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/f5/_meta/docs.asciidoc
@@ -62,50 +62,5 @@ will be found under `rsa.raw`. The default is false.
:fileset_ex!:
-[float]
-==== `firepass` fileset settings
-
-experimental[]
-
-NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0.
-
-*`var.input`*::
-
-The input from which messages are read. One of `file`, `tcp` or `udp`.
-
-*`var.syslog_host`*::
-
-The address to listen to UDP or TCP based syslog traffic.
-Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The port to listen for syslog traffic. Defaults to `9509`
-
-NOTE: Ports below 1024 require Filebeat to run as root.
-
-*`var.tz_offset`*::
-
-By default, datetimes in the logs will be interpreted as relative to
-the timezone configured in the host where {beatname_uc} is running. If ingesting
-logs from a host on a different timezone, use this field to set the timezone
-offset so that datetimes are correctly parsed. Valid values are in the form
-±HH:mm, for example, `-07:00` for `UTC-7`.
-
-*`var.rsa_fields`*::
-
-Flag to control the addition of non-ECS fields to the event. Defaults to true,
-which causes both ECS and custom fields under `rsa` to be are added.
-
-*`var.keep_raw_fields`*::
-
-Flag to control the addition of the raw parser fields to the event. This fields
-will be found under `rsa.raw`. The default is false.
-
-:has-dashboards!:
-
-:fileset_ex!:
-
:modulename!:
diff --git a/x-pack/filebeat/module/f5/fields.go b/x-pack/filebeat/module/f5/fields.go
index c54966f5028..6adc122ebd7 100644
--- a/x-pack/filebeat/module/f5/fields.go
+++ b/x-pack/filebeat/module/f5/fields.go
@@ -19,5 +19,5 @@ func init() {
// AssetF5 returns asset data.
// This is the base64 encoded gzipped contents of module/f5.
func AssetF5() string {
- return "eJzsff9zGzey5+/7V+Dyw9lOOXTiJH63vn175ZWUjW5tR8+ynVdXWzUFYkASKwwwBjCkmL/+Cg3MF85gSIkChvK72x+2YpFsNBpAo7vR/env0A3dvkaLn/+EkGGG09fob2z53eUVekMI1RpdSc7IFr3DAi+p+hNCOdVEsdIwKV6jv/4JIYQWP6MFozzXsz8h/1+v4QP7v++QwAV9jQQ1G6luZkwYqhaY0Jn9e/M1hOSaqo1ihr5GRlXdT8y2pK8toxup8s7fc7rAFTcZDPkaLTDXdOfjAaf1/97jgiK5QGZFa8ZQwxjarKii8JlReLFgBK2wRnNKBZJzTdWa5rPB/JTG95jMUsmqvPtU+kJthwWuBeY70xsffWz80BDtIIVe7vx9/wjjCzZYlY8rpu33ENOo0jRHRiKCS1N5+Su8QQXVGi/tv7FBRBZU20lL+3mPNEJv5RKdUyJz2KqBiTharM/UsdOp6dI1FSazU4tM2DOcWPpe5BpkTqQwVBhtzwcT2mBhajZ0kEfDimMYzLHpfzDkjjme7BAIG7RZMbJCGGmqNZMCrZjRCKP31PzOjLD6yq/+bLA1msnqlax4jgRdU4XmtNl3JVaaonfUYMsaRgsli85QT9/KpX5xhckNNfrZgPw5U5QYvn2OjOcbow/UKQu3w0WHzVlQkJyuKT9CklyK/vnckeQ5LRUl2HhOcrpgguZICg5sGTznFBW4DHNV6GUW7cDsWeN3/pxfnv+A1phX/sSznArDFszvTnqLiUFcLt16qcFCwOyYJe93C3zPLkeJlWGk4ljB7/3CzkZ3xoD0UTsltDMGlMd3yuiSrKddk5f/f032r4kdNc2CPOz4yvm/MphIf1keDXdrfIzSS86aolpWiiS6ex8utlTn/2GcaYMNLagwj5E5XOXMZITj3hl+JOxRYdT2MTK2sjbVY2SMieMYS2sx1Zrj8e60nOJjtEdasS0ozWP6UCN2TcjP7HyxDgtYbgZ2yMBIeJgX0bNDBtQPeBHjUuyFViaSouhEVYLic+IaTDOS+FBAgvcWH5nCrK4E+1LR1oxWzfz9n7a7Tu2ZFMReDtjIx+7ZjqibNUurDrvSPbPDsAUjuHue38olulhTYdA1KGdUiZwq64Io6hXVYOoLdktzpKmxRHZ+vDuGHndY6kUY0H6ww9IswoD0vRZlGAmMH186bmMO5nUPmdxPBiupE9mr3X35q9SmqyJ5f0dqKnImlvWHOrRtOjGkr0e+7JgNNvjRqGAvr9Y/IZznyurKsePeF+5g9kZ+rcJdv0ot3lf/74rXSiu9bujrBRdI60bLcoTRkq2paIJkX68hYEV0XPwirQeSP0bj7+t40RgNaMhymyn6JcFadx8PYYFh3vMtSPnCDY2u4CA999Fsg9HHbUkRwUMNMqeIMrOiCn26FOaHV0gq9AuX2Pz4Es2xhl1UP5At2LJSYPodmPcx5u5XPG94Bk3nfEaIL9hfL2WqMNs+77ge+asPMEi1wSpPZtR1NFpn2l1JXl593rH3MFKU4/6SIqS32tDCX6KebUttRd1O1U549t9SsSUTmNe/2bVWDsghlf21JzHi8urzq4AIPPsDSTxcBA1HQynHuH3ajTo0HI+9fVYU51RN8nb9KwyFLs8f8krq+O0+lgKZ495KH3WQjZMseZwN14bWZWtowUGxrsuZ5JwSI9XXqICt9E6Qc2P3HNOIONHR3HK6Y6i+lX2zBe0R9CP0+AoyfyymaiE1JLsVUqD5drBoCCn6paLaWIKaFSXf+nWyX7aKHlFMVkiznKKn3yOzUhV6+fPPz9AGa6QpFc0oeyTxKIzXO0hCl1Jomk4U5KvZFURWwjQxhaqYO6Vnj7IOUkBP8VyuaUcYTAQzK2v1po2iuBg9P+Sr2TYnFhXNWdW302II6puQ5dgEFtgCMfPP6uX3P/xZO5X+ogQFWjP9z8Fs/mn9wbd4SxV6iS4EwaWuuHtZsS7lvfR6iPoDHz8CuZWhUX58if7dTvc5+vFH9O+ISGXtZZiFH/Q5+u/c/E/7RabRrlC+CS6hkDl9tL6u2NCMYM7nmNyktYAdc0IaODbYOL/CCpGKvJRMGHBNDA0nOMPmyKhSMlF+WmsP6pIShjlwDJxqI5W1rMXWWR32gzXmLHcbI8QUQgtZidzeMJwC80wsvXF0MHlx90QMKMd4C/THYc+z0cgqbLnE+WO55zw7SLM/KCqoUYwEvA7vCne/DL6wu+5rJWyvfWxai1Yu6mWboV/lxi7N0OdkAkllnTEj0Q2l5QGhPYob7ysRmpKEap2tWZ7lqV5dL2rNs6SCKmzgkOdWgh2/cM2UqTC3TvtO7F0EQhysYNbthrdyEIabhT/ql+dIWW2tIaACQsNqSU3ztYOS0CpR0tPJJeEy4fZLQiV5Choq/svzOvb6gRbSUHTt9ztRFC7a+XZMUdr/1Q8xX8HDix8p0yVnKTMbHrU7r9nA7H8UtpnVuQn3O5w6ewf4vV7vutpr8VfIf40XRqdeFoyf4I3ejmqdo6uzN1fe9iVYWPGwopSqb/EiuCK/ujSI6nGEPz65qwoccXDdQ6HUXVe+an/SOuzOzgHPfIZe/vwKbUDuBcUCYc7DsQII6oOZ1MaP0IYq6shigzjF2iApeuUiu0I8uZn4dQsxcFZTPNt62f0uVQ6Cg6wmSlZCcrnc9h/iFkwNrFiEfkZkhRUmxgnRHuot8A9Bc4Eq4XN6+E7MfLSiNnZBt3uoT/mIsOftEjyKwhqZUtTPCApvRnUaaNaeWYkJWKzujUL4mIMkpFI1RW2wyLHKkZCqwJz9EcrvlaoIyif3WQ5Hi0hW88GVdC8htVw3zLzgbEFhxgEHX1MiRT5iYLfLnWmTMs6yZ0JMEFmUnJrgBhgNomIw4I1iPTXYqTdT5kQb+dqOHdzOY1t5d2eObr9CCrOKtExtfWqsnJc2yyk/keAvRJ5C7JbkH1KkRlvYoxbt6LWJ6dJrP/YlPFBRyU70G2TorfGHD62p0p1yinxfHlhgfR+62bYUx5pmW6ZHpMppnu4e9Ek2/prSzYi1jVFn2jRf7L6vD28rJYsZUK2gKF8TKrBi0pn1RcUN+84wqhAuS15Xv7RYNgVA+ARKcxHi8LxT+4uOKcerRsw80UhuhHsZM7go+5FBz7EdzbI4PH1GI7Ji1ruROdUz9K7SBtykLlF7KrEZycvFhh65SHsV2GJh+V7TKSwhWOR6QCc7RRdUUUHchsDWtM7ZmuXWsoH9EFZk17Ui+9gTXniStyVTk82wXU/3FnRrdyIzfOsmq63Ss/aaZQo26P7YaMRFHw3hPLfauNFns8GQTTqZrGJroGJgyD2UYiP/2EcFLMgvFa0m20p2d7td1OrHDdYImMhH9g0w90NsoUY0CnYEmkCnLQuT4PZdFil4LbMErJZZCuu5jKmKdom+jE41ga3UuUVO40L23MfgHTO4Lu915xyrNg/ptWMeC9oLooeGEDsQhMnAiI9hWOuKp352GvGiZGWILOgLx0PjvEBWtlwMdggWXgQ7DuTIBqFrqphJWTqyZ2L16L4IsPOysy/kk7Z4cYAd6G7pptLFUoN3p5IStmCt4xO2bt1jzhimireV02czBRagCTGyvC2YqENUuX9kCfLt3eapFuHzrpfe9QSlQr9d+9RYpuuEgH5cDcavV2isSlKXUrOIiuNOewvcaZE7hClI5a/P7igKT8VNlg666J6qSFQFVYzcVxcF5zZBFdueiXUr2ZqT4dSSO9+Dqa2pyKXyCbN7Zybn/zoBek39tCvn/6Ik7EdbxtLXgg/EbTXofsacpk+JVffN8ED6qn+vZnyUa4Wb3GIhDcJo5REvwgm0XC6zOlHlJEq93oj3VupTYKbs6L6/Q7oVoFaD+ggb/gDVnfr07NELHivcgWsLvh3RyxVPmTcdFuCHilNgLKxOpTD0NrXF2jB0KVy8rsVDxXmu7f/BpYp5zVAIAObA5UxWWCxpJugmtS4Ye7ikm85TPxghxig2rwztaIhhjr52rFtrvXv9hVWHLnE0ZddIjrNksJX7hAaOYD+/yDHTtd8Czi1UgFmB1YCDus35UmuqZuiaukWpNFUzvKQA5e0z3RdS1TwMaNdknN1O4PfI/b6DWyEVmiu5sZ/Vf/W2pnO7RvGkL/MrrEzsMF1DOHZExZ8pOagOnepMSZ43ZmOqIyVL6h8UU93FbwTCnCrTZBepdlD/N/e85dVHBwQAkpACBnOOhBTfKVpS8GT2ZT+A2zDllUMqpeyBafwVWEmw414w98JWP/8MZrZhZuWNZafr0TkMOIdqE4Gk+G4p7X/vuQnASMkChmPCeePOY+ALYMAyKRfIagfDqJ6h61an9BsbdCur0nB85sr5Km2dGFcy6pJtcq9+veAxIrzSpt6Q/h+DZYKfMG1X0tdE+/iGNXzh03ETaHLrx52wsEfvYJnSGWVPDjlelstz4AJhrSVhEC+1qxH0J2HB3rIb+hphVK62mhHMUc70zXNUKuiJ8hxRQ56EDWWs8DG1l/e86F2djcIFNVRpVGINKF4agBwcFgGRRWG1mNx5tB+W1lBD9pp77j44lcXXWcMEF5NT30QWZTU8gwmWDaMNE7nc+HxaIgWhpXneZFKMCmMwzUXF+RZ9qTB3wc9cFpgJrzVEZyAuR66ubtQzlrm0Z+rWJHzLxA3NfS1QnYiONUSnvINiP/mmYW3G8n0LxweoEElVXbezkwtL9Bmo2fvt+lR8/Vb6yCu6HsL1NI/OVBWs39gpdYjVjwncuv2/39L+MbKlvWA8/RlvpvwLjNYcY0XzilBUvxzRcLhNU8UwzwK3abJL5BqGrM3m/v3YuQDtDTMaF6DkRh8FORAjYuxHtxfdCutVc0KtWRioMqzIymX+1jU2TZnhWU2pBxFmJ9IMM9OK2F81/x5WmiKrzwVikHNXCcIpVvZPAITXsuYLCH20U9WFnYdfH5zyq4Y4T4/6xiKymDPR4GZ3LyxfNqrucXutmar01JG+rjUCDIxH/KZ5IA0ciTM3usNkHI+UOg8ueWi8EZ+LMl+eo/dO0zz1wA3IddvzRb+Wt2dhu9oFoE8Ry++Eny/PQaS+5K1RE8Powe6LnEsDdFOYuU1kdcGG6bCTutbblFj2u6+6vkDbmQt749jCOd8T7hor+rNmYHR5ftCSjRWfO2DJWsZeiry1aGfozNVnerxT7j7Yb80Cg2r3Gz9848Nx88o0lZvSNJdRJTjVTjLSXSgbidZYMTzngypAB8rABCo5HlEEmgqdFB9lZ0G7pqobeWY1lbUw6vpCZtf5+sXlVd+GRh4y1kUUxuqyj2woeOdayPalxTGJLoVB12wpMCiLkS1aSpUSvPbJQH/ZTXpV224SUB3hPy0jnbMMuyyXgY3z/rePiAnCq5xadeYb2dqfz9DTi1tclJy+RlcuIOLIgvaeheMi8DI3+dsmBKfaqyXMGdM31uQ+gq97lOJ1wpjv/dXwgembPU+uRrHlkqp0LezCIvvcfQvwPIB1ulJUryTP7e5xvvpIp9Gdp/cJIgvDt3evlZ9+cDbGswaM4/I8XEZy59d5IosymzjvClbF515BG1cX39PV/DvLjhRQn7qAdjMyr8iYl+bN0hNljXU5b7SlVIA8YPV6zd9Ilzis8g1Wp8nQG6LqW+2K/UVkJzECjfzUKlGM3mFS4ymHjVurgib1Y6T4rjZQ1X4t5HzN6E2tFcU6em6wNthUsQznJh6FGT+Z22EHn8tbxPIX4/eXvVmrKTi0HH0aAB+7s2C5CB/d+h5L3H1vsMnPh333jrnOmJBVrDfOTh2JXkY/U1aTxgw6DCKyP0UmnBqZcWdLvOHc6j2kK0Ko1ouKows7PiIyp9puiRrsN+xZMJHT28gC4Eyb4yzPB+oWGBhcMVUzMacK3jcLrBiHDJ5ABM+9v4slwiDE7+xvgzMTCfahnDtwoRNZxH509LTJ5yyp0qUvunUaZiAybyK0CfE1wtOzkSJDF+Ya3sepE0qc8dUkeflYlfu2/RAzoVFODWY8EGSYy8p0fjcyNcknz82sI7a4yWMDPsYvUkOLkifL5nmDcrrA/gnII1/Wb/g+W9NaxWuqON5CIZeR/nJFTwMn0n4AXrf/NV3UVeAuVq8NMxUAM6LgxFrfYAjY9NDjGvUVqxPfITg2pwl0FZFFYc9Tmm105qgj1kn2LZVcs9zFz2oUuYLq0USoXJLjHxrvHy37hfHWaiTdvLywaXBbQtLTaXR9PXpaXf8vOT8y7nT09P63nPsHmPDpKlk64NxzSCh2K399dYkuBwZVl41kqLW+umQ/BxELu5pq2GVUR/o+8TCfWx027p2KyOYyT13xNai46xsdnhdkeRkxj1bx0RLck8EEleedELAvHXYJtM17CFuyvHnKGQniFbG9xkEZeISbP56R18y7rFJeU3V376tPDj2nfoiCZI1bSqpuFMGlfs1pqLy1RmHal7gxQSAkGBXPdwMiTXUlXmPG8fAhAzWhcAT1lQuq1EinBXeGjon1x3t3885K4QGg3APsYEo+3UCz5WxEI7Iim1d5vo0en2FFFrUOqEO30vQ4oPO9Uar4FBWTEVEOeiV2ma6mKEhgupu96jBXcZUz01TWtbhonqNQY7u2YsOpkvZ5Yf8kXZZYbAmuJ/PKzz5foKe+VuJzxa2tPGccCjggD+zitpTafvMZ+m4YaBD9V5gbITdixxHSlFQAZrHepT7SaZPgCUJw/bTQs7rK/b0vTXpLl5hs0adRd42zucKnKMr3A++ImAlUYCYWChd0bzpGiRV07U2Pk7BjXF7BsOi9zF1ydAsL2Mk6CzCFDlhfkCpgBZHKQ9rFjXtPN+jXSoAr+U7mlKOnTKxn3z5HTJLnaG7/j9r/wwLzrWZ69m34fdGQMltwPOicH9uG2rXwz64QDAqxLtCT27r5lVzsBWowMimn7q9zz2cNg6Cpshs5yNC6iKt3e5x9fvc7VhR9dAnA3377+d3vbz5cfPuty7ldY4XZ6J7cSHUTs2T54AH7vR6w+8I2GgTDIrYR4Wt24qKUNNcBJva62CZwYRZSUaEZialAOqGkBBwX8aMggfeBWESzDWbD5sQPjg4A9nlsovb4xC5R19U80aEw81wbFbvyHeq1kwXEundptHu0rvlIFyQ9ttilbQw2MGl8sUlb9+LrXSyJBRsNNNVTTRaIPXaqQTSiwDT75T1hpXw0nuD9AxeWeW//fxiO2prMrvPfSbZY3onRe0b2MnmSzVG/4+7jT8oJkrZ2Vrbjlz41TUZ7nWUHOJnPIOw22LmHX6ZryGo2xXsYFH0tMONW1jWYy5XXGZfn3do2QOKy7qChywCEwXhWYZ1znVkT8Yj5HJN4DenWvvroTBZFJfqRqAF34jjgpody957emr/TsE3d8KaPs6wfyts1FvnfZPjVrOXNYMOO0QwP5m448A5zutIlI0xGyxKdyoMH7jdYieGjw2NnXYuizGQqZXz9/t0V+s3FUduk1DAjXyZNJbj+j7foS0XVCHZrxUWmaB+pM21yQycgukUf6qKzYFpXY6WTiBdpl6iM3UbAEi2PChwdomoCj2MPppvHb9CAOVZFgtWyZBOEF3AZsQC5IVrl0brS7tCMi3a1QzrHpm8VPpTunAqyKrCKVVbS0N2WeNC++MGvT5gM0qmi0MxW0fcCoYu4BVQN4cUSoJYSkJXzfyWgWuLonTAc4lT07QWP7hmLfeF45LaCWtMzOtMiwwQao8QvP7G0tYjovHcIz5fl+idxa1bR73ciMmJUluuouOsd6pbycS9PdyC85ji6xhAZFUsmIhZFDkmnyI0W2SLTG2ZIdP0hsgWXG42L+LkrXdrCrNNRT/DqQkTGREp1wkRJVTHfRkt4H9AuyU0a4mvMU+wVVmalkkZm8Z+kgPr6pwwijvFp82Rnk8tllqcQtiUcP/+NiKzAt5kxscIGu4TtjuY0waVQMJGIaSbSMV1ynfE5z2I/i+7Q/j4h8ejI4B3asbEQu7RjV/V2af+ckParhLT/LSHt/5GQ9p/T0Day5HhOU6iUhnp890xkRcXB+J5vE9yTNfHyJoFdUlScLYsyjfVtrUzMl7GTkDxllsIo0fQLiR8bEZl2CYkJVlArksabtITTeJN6q6syQS9SIpqy6iSuqpHGuh70NoEKMdJYxywVbXBrkhCvBLsVWEhNSYJNuH5lpZLoUli/kqVZUZwnCKvJoswITxDDtoQTPJIAXTXfmvhhUUtZJ6FcVlmCNw2imGEE8wQFRDrDSyrINmLWVZe2wHz7B83nKfheZwADmoSyg4NJw7VLrE1Cfb4s16/SxKB1Nmfmz0mAxojO4vaK6xFWMrqq1kmOOVClRMWvctMuxh+t11aHMDUrF+ePHxxxxMHsS0LcocnHQ5Dr0F4wTlP4MDpbpFhEtohZnL1LOIVtoDNWQpJilkTVsXL9U65NOQDzj0RbK5KENmcLmsKN0RBoLmjOohWM7tJmIs0uKWRecaqJTCFtT5wtE+gmWeoNNlF7/neohzLIoxBWdMm0UTh+JKSlncDiU7RMJWqVTNYakMhVIv3qMvPdFk9A3SiKiwSGpCsFSsV2OuN6s5JMZ67DbHzqW6xwkg2ejxTCxqC8dv3tY9Nl2mARvc9xrs28UrGaBdZUqesVlIJqFZ3X+HZ0XZMcmyx0bljEb3Z9LNLAPppLnOexzwDLYz+r1tBBCe4iVmRESVkkQSWyhBO4aazI0iRHesSjFGIub6LDM5U6PmQpK3WpWGSiHBtmqujZZ5wJGg9ip6Wqo3bUaehC8W38sBaXDvU0W3AZ/TpviCdI+bc+b3StY4km0DjWh07AavTcBC6XSbauWCY5wKVUsRVYMa+WKY5ZwTRJoRYKnWTDpugDIagBcKXodKPrcAcAHTvjz1GNnY4nNpvYHkiSijLpGkBH90RlfMtIKrbMAv24Hkx3I6iKf2eVmWvKG51s1M7ULVnX4jXJJktQuOl74sRWBp5sbG1QZi6QFJ1drLX9MCOrWHX+A9L0tmTRHwJKqoqlwsIMMHdjUN4kIRz/6nVIZJ8+9bqARiCs5DLDuozYMKBLWuHYVBXFPIV9pygBOTjU0UTE4wvZUo4L4dqhLFWegOP4gUydIDasXWw4QT6AprETAVzD4wTOiaZf4m+AEEBrNKoJXCnNlgkUry5jR9m0IinOgSJ5dENaKxJCxY1A2MRrsdWlWenoqJprImIXSgS7xT6UqAPpjD19szTxt5UjGv9Fr+npGZvutoyO1lrl8yR56JXiCe7CSlOV5Sx21XuSthX1y1AKMRiiDS5iR4PXGRPa4EUCy2DNlElhhq9LkQC6yUhViZhh1hAsWgBR9E1lJPpQCTQYuskeSdgs7zPmLEdniubMoDOsco9mqAH+PcyO65yVUEpjHUKBDDTRR4BvQCRHoVKdJh+CiXSSuyhKLrd00FjwoPwWsooG6n3HPWZl6GJG0O9M0SW9RQXuAy20b7FiWfWbgSRnkjMNzRnq0f3SA4AS0lVZSmXQEHgUoc0KG8QMKhVdjG2FB6Tl3qcJRUjw3utoWEBMeGT3EVxozkTqjvwdVu1oXT41MnJJzYqqWft9vZLV4EZDSNA1VU07IiNRiZWm6B01GDqCu7OKGxE8fSuX+sWVK3t9hs59i6/nyKwCXYoADPgD9a2PgW2B3lPzOzOC6vA6Dzd1EuEtoGV3c4pgcDdZTbEiqxkTLMgf9NydAF+7pz6hFwYkQ7zguBLQ63dZQR/XGsQ9DODew2vfM6f0cNzNnBoQbt+/eMTZtwuRRaxpuhvyKgyLPtJbA6diLFwwRTfqEYXUNq57Dx2qBR/peAnouQnbgQN+rqYGKfqlotrsAe0+Plv5/lj5zmSAtjxuVKex+xGpJu90N5yyjyfHEbyN7fwdENr16+DMY/b+P9zf0A52eV4rBRg7vDfAa4iXxHvPLWwvlznWFLl07YYbNDhVzSr5X5yGX9G0gm84l8rB1wfFiBDWSFMK7c7w/n5VCguNyQTtfQcI025oAWZvu2lIpaAD2j6mS6oK5syNqZhuh3SNOdiacbqkiNM15QhrzZbCLVzbrz+89QGS+YT6G8bfs9PnJ+n0bDmrBPtS0X6bRBw+fB1+j0NMPK4LSm3RsNwdSCKFoJBbgTbMrMYUBUKBypDGYlf0qPKie7sWVpygT5orisslI5gjy8GI6wNcnJY7GGqkTePpZFeutjrMXiedbSN7Wa2xL3jMGdbZSib3CZwT17hr0EulbWpktWK3BU8YDwC5Q2O5hTvNN2IhnGI1e8O1tI74znk7h8dy9Kv/xQy9EdvmXwPqBnx5LQzC+YzIoqwMVWE1nCSMbyeWzj37pr8W0GNxZ0GY+Wf18vsf/mx93/POctQS+ybItt+nWdwXs7sGbvCWKvRvTUxOv/BsAHPhUx+7/if9nhctzzu7fu96HJm8fEi3Pek3TLHjzND73z5e2LlTRV3wBOKlOdNE0RILsrVWpTfPeD8XBIGEnqOP716jS2F+fPkcXb4/v/jP1+jTpTCvfkJPN6stEpSZFVWIrKT2rdKkUpQY+NYPr/7Xf3v2JCgRalYJdVxfHqBTZwUOt+PRiXffPY/5tduLlzVT4SOePy6mu7rpAOdHAsbd+YIP8dszTFvv5DNTpsIcvX3zPsjsH1LQdLGs43bG/5GCzsKytex+NSoUJnJYecISPMY7eM86LLGhG3yCFumwu6/QmzxXEKd1uzzETnP1kqI89p3zoW8hl2fvrtytNPo8VmA94evHTlDJWar+7kaXV5aVkeiXleGRnSCiyNCOPS7D2hLLXHetaRVEh12c58x+GfP2wbbTyz98z024AaxLCAdc+hN+vrsFBqy0udZJ7Lq7XmkYvfccXkllGpU8ULo5PLDBAjCzPax59cSyd/NhYllfJvW03o0JXtCQ3zhVFNdzB54v1loSZk1OFzca2DjI6mWFxZLOGteJSLFgy0rRHM23QJOKHLKGwnqmPBJ6YFA0OmItBwddJMA74BFt/24JV/QAgKKFNDTzmd3x84ziizYXOsOZS8VPQLo0Kg3xRYItsUhQLcxTHIdU+CdlAqHiPKsjcenM8r4Hb+cx64/WDSacwIK9MCuqBDXo47akz9Gn+hp7CwGwH9FVHQAb3AS/jVlqdaueCYyJEde4ZtrHxZ8jzHnQmCjbL0KCG1aQmLemyt6BTBiJtIHLnAn06XJUoRBIkE2mr6KrbEtUlgnavlnCiurYGb2WbIISF3cjxk5Fh3h7Am5da4WMU7GM3ikSeLbGR0IrdMQCdSYP5p0HGIEIpBMsEEa/SLXBKh/26UbozRKSvRTC9sTfQi7dnJoNpSJsekZGTbzvG7c0mHef6hwzCCDjITNiMEMmfJ4rpCUUzFi15FtshKe45lhM8Y5/hwBlnSDSCVEOJrgbsmxfUtbWg12CA7t788R+qaQEUAjW8fDg7vZij5VhpOJYIcCLRjUTTy9uX7+VS7lYhLu/U5KZFU2+vDvMfrQDutPY4fvC8m3ZfVOZFRXGJ4uPsq2rmMgJd0vocUOOs/5JUzXKsKwMkdNK2g85zvB1RQjVeoRnQB4/DhztuMQT4AtZE3cp1RYFChMGvE2hnHZ4pD0erVaCBz5dSmHvFau3QsZh80M0MJR2Z7WOh0c3cm9i5FBLoWaAM5o38/FxmJ49zATSzFQB/YmguIB6Fe2prrBGOJelvV3MijKF5Ea0S+YEZ/CtFLIYyauFnhyaOYj6aY0Ia9wzkVv9I5VuBIDRL4xT9MYzNhuI4S7BXtFMzJ3J0YTxZv4nSVcYFcG1z1qIK4XQHAOCiFnv/gBBuHy9a1+vEVsS4wmhc5myeiAw+Tld4TWTFViXRBalkgUbyVCkUzN3IfCcQxHZAp3t542JdaN2EjLZ53DH6kRBBnY4jNpc5ggGA+M3/KVe3c4t25630W3XlllWwvTL2WJb9DmUgWfkGLf+TlYQ3MdLKqhipJ4SCAQS/fqpBcys4KoN9XZDntkZ+WGmjRp//KzndAzs1snm9HL/nLx54cZKOK+ga9o44YYVVFu97qw9RUs6+ojkVyEaKMTBhQDgwQcug7rj1joGu/tkW+vHu83ph0xHa3J656n5gPGhGQ7mBjNuFcIdlMHXO7uXB2enJl07d9CizE0dXrloWKrTKJADerxRIF/vdvzx8JLFam0wzZLdTT+qSTVIzDN2B/0x6XaMObfBZmyMeihB68Wpo1fuVGaVFdSs5AleSfBOJBk5NvzXRhccsJSUTBp12vOq80FyH6+1jOzZl4kiIf85+/n779HTt+dvrp6hc6YNE8uK6RXNoRQ+yAuXS5kcF2jfSxhkyy4cH36Z4YsjGWNKJo4q7qv/tKsa4qA5MRCRj9b0+T7HhUDaf1P32wn8AU+hN1MsQjDpbaYY5rHQ6XoT+YBzVmk3ApIKaVYwjpVTT1Zt2jNE4F4Pl1fBOdcsnxJppJsp/8luhDqK2MPFbA95ujqLN2LfWYdnDV9p2In/+iARfDLYCz5wQztlGXk4lClVysSAwZMNiFqqJRbsjz1Z1SLdVrirsI+QdHdPjYh7wVSwljQR6s8vdji4LRzEl8Mu2slq/pViblYEK4pKRXNZMIGDBXcd9XSFDaPC6IPp8RxPOdu3+KSTddCPtEy0ce3ReWIVV4mVATCkdqr71eqEYEde2dxFoy5oThU2NM+iJZXt2R9W+fxSj9g8nl0puWZ5Ax7mv4fLkntLdbAxPPiPvdZ2bdqwgdNOkuUTzbIZ0mP9me3INIPNQyFzcs3c6/mqb7iPQMA1RmfMpuD3tTzpLdhMnR91KqGXgYk6GxUsVqyRNlI5jW+pFdRgGO0JfGtmv/UkPPuC5Tmn02m5dzDeXfVcYHk7eu8oPVe3x5hmuld+tA7CkNjWr7PPUcmxXTJ7P0uFqCBqW45F+SEVcgJ/8g4ZdKrxLX+V2qB3mKyYGHHpcpxIc3zTl/UnAZn+paJWfVj7yIGc6Rl6m+MSfYZ/OPsol8LVnf5zeHmiFV5TazlxihX6UlG1RYBBqEspNK0tqnBxqp1vBr+ZRl96DDxiKStWo0AKN32HyzfOZz2lCVhtN9AHD456V06hy1PagFl/j9fQ0jsgRtY39Bcv00hVQgT9WP28uXncy7ODkRqpsfMUM+9hpl8IjDZM5HKjkS4pYQtG7CfPQ3WCPk92eEDs9By/bc4NegqIsFSQ9hqCp8tnHWmhSsA9/pYuMdmiT3oX+LZ5gS36hbTRs2vtCBM47CO3fdfVAlagVg02mb0RBxJvcAAC1f87laZQzjMU3+600xvUY+i8zrwOzBhmGNxo/jdHTHaavN6xqfoMXx96r3XdBUx9HAV0OJtpAnbNg8Hu2rQJmW4ZBisUBqQ4XPwMZQMxWwKOVrjBlHO6YMLH6kE5AapfgcsR0EHg7qhCsUS8tQGYnvkXWzE2MdvUc/dYSiPYlE0M2xhMVsXEEPjtqCBwNPCOusuRpMnLnIl4HcSing07ZSgqTHt5BpRUt2wHlsXBaLfl/YGunQOu0959B7gusar3lP3z83YqmxUbQKkjezqsL+uS3+80PRO9Z4mDtZBqm27B/6JLLP56EDGmZmQXRb02z0NXkxXLX14A9QNzO5lJNJhVjbe+f1ajuyCjwihZHqM6clnNB8GFO+1xP6b1tumBcgTg0VV3THsOz2RRYrFtziMcO2in7/yVNVX2GsqYWMiwUYD1TeoaoQP6o+dF1pxtaFpU9MWXVDkCv1Scb9F/VJizBaM5Ooe6ZxccDLKyofOMSHnDTvTo/judIzd+6z9jPmbNR0ebbZ/Dy8qAyX1kC9PDZ/1DM4TvsuPD0S4mP0Mft6Wbehs5sMJxKzi+eIousqhgsj22LQ8uEKGe6BBsbZ+ZKUJ1jXG5y52LLJZS1dF+eGL+8HZkyTtYOZG3Uy2LMm0foj2isCMfjNzXbCopE1kiu0zZcex6oBKbcGiSiAzrmK/9HcLKl9NHplwpHnGZO1QjrkrjjGaVihUN6dDUVGV4Gc+nbElHv552SUdNf9wl7Xd9AsVCbw0VYFrFd04s/Wi7uTH0Vor2UmViW1RuiClqCXd07kcYFsyrF/6/zzwLL/x/+LymUNgfc6rC2Xl+Oid8PXeT6T6eQ8S102ptMJ3cN0SzLhUTC6rUyLvrcN6TzKtr+B8UfTA8OwGTNS7xorMMgSMFz9oy6ZEKDDHZ9rtw7/Z2232EDGLV/dM/6DBBa7zhJytXVE0Tj7A2u894enoGrR+foTMYP8waVWYisJQROZ9R5Zt/0p0szD3gvDTp03FHkJ0Ft4M+0R2k6L0rzf44Nip5f2iU8Gqja/ZHOFrDbhLplMt/XCBBl9Iwt4DlCuuRDlCaTA0r1FlKN/h4c0G71Mk6QA0SXHp7rAZOr+tvwgkpmi2nqKjYxTdquh5+HG20bLUJ07qKbnQCZUiWShete9gbCnBIlUoaAx0sSld7XtjB0TU8Tu/TTpNkSDTI4P4V+ek1pHbuv4w62vM4Ju+vPffwOK5CtebZOuWN3n9S9YHsIDN5ZrcerqLDNOpUhNkN9R51InCDb9p2Jd0LCXTrT0jDe51U6PL6zT/eXaEre0+h38RI95WW20SV1Mdw+3Ejw9yCGiIrSm70UUHkuynhtBhkoaZzDV5nAxEGaaC+BWGrBfdYuVSxASjkCYxcx0eDCjLqNADPBptqsg6fXS7XmLPcbcQAE31FOBmq9T5FCBK7oVvdV9uRdn6dQBqZ9sqYUmcMetAmIQ1LmUIgBD+C08SWoq58kYqZ7YETRWRRJMWJuyPfjg8fEAqX4G+YorzvacYOsWw4FpnWp2p4a0d2Ovx3P9u6RivIrSs1zkrJpkirDjHsOEDAATAV9gZArGSFhRgAZ6SGm/KjAiMjb7YTwTY3F4vvefj72zfv/b33ojd8c6EYqfqx/+iYbUzfZGvJq1QCeFP3cRa+z03TGbtu51sJZjR66pjQzwCtAwp76466PfIImA7OhleJtNlbz+snwYxPF5jtFh2sqYJMgUXFEZGC0NJYR/nareEIvMJmk1L7OsFbh71uoW0ZLaUySFr5/vq3N6EU3KDYY+87qZbTJ1j2Cwx2Qqxz7MBOgkAxf7/47eryCr3DtwUTedPWO7ysdm6Tp2HuNFEcmZafxmB2+6bVmE/hksXo6dmuyjFbTFeweeoi/HrKyc2OnWCZ18qX5x6l13Oxl0M+3aKcGCugnnHxX75uuCnMEfnQkox9uiFeYl3oE2U3+nbV4MU3j7qFK+59jnQVSFHHGv1FGyXF8q9zjskNZ9rQ/C8v/N+eN58ysaAk/NGCKbrBPGjI4Dnv/AZhkSMt0ci2VHTJtFFb69lPqSxKbFYerL/hAfV5GDAJQamp2HSF0K5ei0jVQSFv7MmGcypMJyel5ts3ZJw13dRmvcM/zvsY3zld4IqbDM7Ea7TAfKcUeWdKuxn87zvJEXWnyLZlfFu2ZhReLBiBRgJzSgWSc8CN6AB6Neui8T0m0z/YB6YyPPVNyNhyLRKbk4VODZM0olEU3qCCao2XHpeISKu/oYFZyJB8K5fonBKZjzz7eFrRY1QO8zliAlOP4Sm1ERRh2htNLhAT2mBhajbCPr5hR13i+fCeCpricA6Z9W6Nq3Nq2xOglfVtocPu78wIqnW9+oe7IAi6pqoLUFFipSl6Rw0GS93X3DZDPX0rl/rFlUuqfTYgf+7TwVqzAqMP1CkLt8NFh80RJBm6ThLCedhrc6GXaY1nv8bv/Dm/PP/BP7g42LfWuwZMgFtMDOJy6dZriGsDs4NO1n63wPf0bt8h+3u/sLPRnTEgfdROCe2MAeXxnTK6JOtp1+Tl/1+T/WtiR02zIA87vnL+ryyIdfVouFuneip9GGuKpsyKfbjYUp3/h3EGvl+6gvuHMYernJkM8KgfI3u7jtMjYmwVsaNuVMaYOI6xtBZTrTke707L6VHNYtOKbUFpnroIZPzZogub6IAkaT6wQwZGwsO8iJ4dMqB+wIsYl+L0deb9xrhB8TlxDaYZSXwoIMF7i49MYVb714HGjFbN/P2ftrtO7ZkUxF4O2MjH7tmOqBsAqUuoDrvSPbPDuOSXznl+K5e+rauvYgAsOeuCKOoV1WDqC3ZLc6QpdNrd+fHuGHrcYakXYUD7wQ5LswgD0vdalGEkMH586biNOZjXPWRyPxlEhFjYsy9/rfNK/Y7k/R2pqWiQh7lc6tC26cSQvh75smM22OBHo4K9vFr/1OIBjhz3vnAHszfyaxXu+lVq8b76f1e8iWufvIz7esEF0rrRshxhtGRrKpog2ddrCFgRHRe/SOuB5I/R+Ps6XjRGAxqy3GaKfkmw1t3HQ1hgmLcH87vwmGJXcJCe+2i2wa7CmuChBpnTOnn006UwP7xCUqFfuMTmx5e7aV5EigVbVmo8v6Wd9zHm7lc8b3gGfaxlk+AZT4CZMZYdU1cTfe0BBqk2WOXJjLr9neqdQfJ5x97DSFGOh6lpDlrVX6KebQ+GCTtVtygfUrElE5jXv9m1Vg7IIZX9tScx4vLq86uACFAQTRZFEEHD0VDKMW6fdqMODcdjb58VxXnC8vod1w6GQpfnD3kldfx2H0uBzHFvpY86yMZJljzOhpsc3NbQgoNiXZczyTngpn6NCthK7wQ5N3bPMY2IE13dHq5jqL6Vw3YW44J+hB5fQeaPxVQtpDZ14d58O1i0phOXJahZUfKtXyf7ZUhmppiskGY5RU+/R2alKvTy55+foQ32rYTqUfZI4lEYr3eQhO+rk0wU5KvZFa6pSh1TaHBX7VHWQQroKZ7LNe0Ig4VLdGr1po2iuBg9P+Sr2TYnFhXN2VGgCYcE9U3IcmwCC2yBmKlxf0Clv3AwoTXTw3ZW/0RQL7KlCr1EF4LgUlccN2Bl99LrIeoPfPwI5FaGRvnxJfp3O93n6Mcf0b8jIpW1lx3mQN1M7b9z8z/tF5lGu0IJw18ImdNH6+uKDc0I5nyOyU360qecCmnq1mjgV1gh1jUv4JqMdaWDzZEczAi2DABuYw4cuz72RiprWYutszrsBx0wihBTCC1kJXJ7w3BoyKABEeBuyYu7J2JAOcZboD8Oe56NRlZhyyXOH8s959lBmv0BzSgVIwGvw7vC3S+DL+yu+1oJ22sfm9ailYt62WboV7mxSzP0OZlAUllnzEh0Q2l5QGiP4sb7SoTmGlNk65QNzy9qzQNtqVx/agGd+Dt+4ZopaJl6eb4bexeBEEe3pzsIw83CH/XLc6SsttYQUBn2Fhnt/t9IIlk988klsduPZCRfLslT0FDxt+BXHwANv+nRTBTFvhHQiKK0/6sfYr6Chxc/UqZLzlKjlzxad16zVIWwD0yRPg406q77HU6dvQPqjkB+19Vei79C/mu8MDr1MmgXNMkbPbQAkgpdnb258rYvwcKKhxWlVH2LF8EV+dWlQVSPI/zxyV1V4IiHWt2ioStftT9pHXZn54BnPkMvf36FNiD3gmKBMOfhWEFd/bxAbfwIbaiijiw2iFOsDZKiVy6yK8STm4lftxADZzXFs62X3e9S5SA4yGqiZCUkl8tt/yFuwdTAikXoZ0RWWGFinBApwBdZLlwHd1QJn9PDd2LmoxW1sQu63UN9ykeEfd0WrEdRWCNTivoZQeHNqE4DzdozKzEBi9W9UQgfc5CEVKqmqA0WOVY5ElIVmLM/Qvm9UhVB+eQ+y+FoEd2tF94eIbVcN8y84GxBYcYBB19TIkU+YmC3y51pMwGgfWhCTBBZlJya4AYYDaJiMODHgaa1wcqcaCNf27GD23lsK+/uzNHtV0gRHQk5HyRIPBj0QOQnEvyFyFOI3ZL8Q4oToefUo9cmpkuv/diX8EBFJTvRbxA04/YtyD0cbs1dvi8PLLC+D91s234r8IeTVJRIldM83T3ok2z8NaWbEWsbo860ab7YfV8f3lZKFjOgWkFRviZUYMWkM+uLihv2nWFUIVyWvK5+abFsCizwMlSaixCH553aX3RMOV41YuaJRnIj3MuYwUXZjwx6juuuScPTZzQiK2a9G5lTPUPvKm3ATeoSdehZI3m52NAjF2mvAlssLN9rOoUlBItcD+hk55qmCeI2BLamdc7WLLeWDeyHsCK7rhXZx57wwpO8LZmabIbterq3oFu7E5nhWzdZbZWetdcsU7BB98dGIy76AbTvWp/NBkO26GpVbA1URG/F2cg/9lEBC/JLRavJtpLd3W4Xtfpxg6HtadUF4OqyWQJzsVo9NEKNaBTsCDSBTlsWJsHtuyxS8FpmCVgtsxTWcxlTFe0SjdXqo6WawFbq3CKncSF77mPwjhlcl/e6c45Vm4f02jGPBe0F0UNDiB0IwmRgxMcwrHXFTwSaLytDZEFfOB4a58U3cBnsECy8CHYcyJENQtdUMZMaGnQMfdqP7osAx1qT9kI+Ezduc7d0U+liqcG7k2t13zo+YevWPeaMYap4Wzl9NlNgAZoQI8sHnWGbTrBBvkNdZBIuwuddL73rCUqFfrv2qbFM1wkB/bgajF+v0FiVpC6lZhEVx532FrjTIm/RhZuzO4rCU3GTpYMuuqcqElVBFSP31UXBuU3U+fkOlWzNyXBqyZ3vwdTWVOTQJ/mg3pLzf50AvaZ+2pXD7rRdxtLXgg/EDf2A9zLmNH1KrLpvRjvBejXjo1wr3OQWC2kQbjqphRNouVxmdaLKSZR6vRHvrdSnwEzZ0X1/h3QrQK0ewn43hr/kjGyn6LYzoheugAEPri34dkQvVzxl3nRYgB8qD/4fVqdSGHqb2mJtGLpsWwXU1VV5ru3/waWKec1QCADmwOVMVlgsaSboJrUuGHu4pJvOUz8YIcYoNq8M7WiIYY6+dqxba717/Y00JS5xNGXXSI4POnRMcnLAEeznFzlmuvZbwLmFCjArsBpwULc5X2pN1QxdU7colaZqhpcUoLx9pvtCqpqHAe2ajLPbCfweud93cCukQnMlN/az+q+k7uNo3a5RPOnL/AorEztM1xCOHVHxZ0oOqkOnOlOS520P0kRHSpbUPyimuovfCIQ5VabJLlLtoP5v7nnLq48OCAAkIQUM5hwJKb5TtKTgyezLfpiiL8oujn6oG4qz414w98JWP/8MZuabarS6Hp3DgHOoNhFIiu+W0v73npsAjJQsYDgmnDfuPAa+AAYsk3KBoMM8o3qGrlud0m9s0K2sSsPxmSvnq7R1YlzJqEu2yb36bbqZEF5pU29I/4/BMsFPmLYr6WuifXzDGr7w6bgJNLn1405Y2KN3sEzpjLInhxwvy+U5cIGw1pIwiJfa1Qj6k7Bgb9kNfd1pZAiNC5+jUkFPlOeIGvIkbChjhWM1rD7wiAVDUUOVRiXWgOKlAcjBd5OWRWG1mNx5tB+W1lBD9pp77j44lcXXWcMEF5NT30QWZTU8gwmWDaMNE7nc+Hxa323yeZNJMSqMwTQXFedb9KXC3AU/c1lg5hvxwrzrgbgcubq6Uc9EDewHreGYuKG5rwWqE9GxhuiUd1DsJ980rM1Yvm/h+AAVIqmq63Z2cmGJPgM1e79dn4qv30ofeUXXQ7ie5tGZqoL1GzulDrH6MTtt8vZb2j9GtrQXjKc/482Uf4HRmmOsaF4RiuqXIxoOt7me+lngNk12iVzvtPHv34+dC9DeMKNxAUpu9FGQAzEixn50e9GtsF41J9SahYEqw4qsXOZvXWPTlBme1ZR6EGF2Is0wM62I/VXz72GlKbL6XCAGOXeVIJxiZf8EQHgta76AsO78Whd2Hn59cMqvGuI8Peobi8hi3rTvXexcWL5sVN3j9lozVempI31dawQYGI/4TfNAGjgSZ250h8k4Hil1Htx0jWtdlPny3LfgRk89cEPdm9IV/VrenoXtaheAPlWDfx9+vjzv9ndt1MQwerD7IufSAN0UZm4TWV2wYTrspK71NiWW/e6rri/QdubC3ji2cM73xO2Oz5qB0eX5QUs2VnzugCVrGXsp8tainaEzV5/p8U65+2C/NQsMqt1v/PCND8fNK9NUbkrTXEaV4FQ7yUh3oWwkWmPF8JwPqgAdKAMTqOR4RBFoKnRSfJSdBe2aqm7kmdVU1sKo6wuZXefrF5dXfRsaechYF1EYq8s+sqHgnWsh25cWxyS6FAZds6XAoCxGtmgpVUrw2icD/WU36VVtu0lAdYT/tIx0zjLsslwGNs773z4iJgivcmrVmW9ka38+Q08vbnFRcvoaXbmAiCML2nsWjovAy9zkb5sQnGqvljBnTN9Yk/sIvu5RitcJY773V8MHpm/2PLkaxZZLqtK1sAuL7HP3LcDzANbpSlG9kjy3u8f56iOdRnee3ieILAzf3r1WfvrB2RjPGjCOy/NwGcmdX+eJLMps4rwrWBWfewVtXF18T1fz7yw7UkB96gLazci8ImNemjdLT5Q11uW80ZZSAfKA1es1fyNd4rDKN1idJkNviKpvtSv2F5GdxAg08lOrRDF6h0mNpxw2bq0KmtSPkeK72kBV+7WQ8zWjN7VWFOvoucHaYFPFMpybeBRm/GRuhx18Lm8Ry1+M31/2Zq2m4NBy9GkAfOzOguUifHTreyxx973BJj8f9t075jpjQlax3jg7dSR6Gf1MWU0aM+gwiMj+FJlwamTGnS3xhnOr95CuCKFaLyqOLuz4iMicarslarDfsGfBRE5vIwuAM22OszwfqFtgYHDFVM3EnCp43yywYhwyeAIRPPf+LpYIgxC/s78Nzkwk2Idy7sCFTmQR+9HR0yafs6RKl77o1mmYgci8idAmxNcIT89GigxdmGt4H6dOKHHGV5Pk5WNV7tv2Q8yERjk1mPFAkGEuK9P53cjUJJ88N7OO2OImjw34GL9IDS1Kniyb5w3K6QL7JyCPfFm/4ftsTWsVr6nieAuFXEb6yxU9DZxI+wF43f7XdFFXgbtYvTbMVADMiIITa32DIWDTQ49r1FesTnyH4NicJtBVRBaFPU9pttGZo45YJ9m3VHLNchc/q1HkCqpHE6FySY5/aLx/tOwXxlurkXTz8sKmwW0JSU+n0fX16Gl1/b/k/Mi409HT+99y7h9gwqerZOmAc88hodit/PXVJbocGFRdNpKh1vrqkv0cRCzsaqphl1Ed6fvEw3xuddi4dyoim8s8dcXXoOKub3R4XpDlZcQ8WsVHS3BPBhNUnndCwL502CXQNu8hbMny5ilnJIhXxPYaB2XgEW7+eEZeM++ySnlN1d29rz459Jz6IQqSNW4pqbpRBJf6Naeh8tYahWlf4sYEgZBgVDzfDYg01ZV4jRnHw4cM1ITCEdRXLqhSI50W3Bk6JtYf793NOyuFB4ByD7CDKfl0A82WsxGNyIpsXuX5Nnp8hhVZ1DqgDt1K0+OAzvdGqeJTVExGRDnoldhlupqiIIHpbvaqw1zFVc5MU1nX4qJ5jkKN7dqKDadK2ueF/ZN0WWKxJbiezCs/+3yBnvpaic8Vt7bynHEo4IA8sIvbUmr7zWfou2GgQfRfYW6E3IgdR0hTUgGYxXqX+kinTYInCMH100LP6ir397406S1dYrJFn0bdNc7mCp+iKN8PvCNiJlCBmVgoXNC96RglVtC1Nz1Owo5xeQXDovcyd8nRLSxgJ+sswBQ6YH1BqoAVRCoPaRc37j3doF8rAa7kO5lTjp4ysZ59+xwxSZ6juf0/av8PC8y3munZt+H3RUPKbMHxoHN+bBtq18I/u0IwKMS6QE9u6+ZXcrEXqMHIpJy6v849nzUMgqbKbuQgQ+sirt7tcfb53e9YUfTRJQB/++3nd7+/+XDx7bcu53aNFWaje3Ij1U3MkuWDB+z3esDuC9toEAyL2EaEr9mJi1LSXAeY2Otim8CFWUhFhWYkpgLphJIScFzEj4IE3gdiEc02mA2bEz84OgDY57GJ2uMTu0RdV/NEh8LMc21U7Mp3qNdOFhDr3qXR7tG65iNdkPTYYpe2MdjApPHFJm3di693sSQWbDTQVE81WSD22KkG0YgC0+yX94SV8tF4gvcPXFjmvf3/YThqazK7zn8n2WJ5J0bvGdnL5Ek2R/2Ou48/KSdI2tpZ2Y5f+tQ0Ge11lh3gZD6DsNtg5x5+ma4hq9kU72FQ9LXAjFtZ12AuV15nXJ53a9sAicu6g4YuAxAG41mFdc51Zk3EI+ZzTOI1pFv76qMzWRSV6EeiBtyJ44CbHsrde3pr/k7DNnXDmz7Osn4ob9dY5H+T4VezljeDDTtGMzyYu+HAO8zpSpeMMBktS3QqDx6432Alho8Oj511LYoyk6mU8fX7d1foNxdHbZNSw4x8mTSV4Po/3qIvFVUj2K0VF5mifaTOtMkNnYDoFn2oi86CaV2NlU4iXqRdojJ2GwFLtDwqcHSIqgk8jj2Ybh6/QQPmWBUJVsuSTRBewGXEAuSGaJVH60q7QzMu2tUO6RybvlX4ULpzKsiqwCpWWUlDd1viQfviB78+YTJIp4pCM1tF3wuELuIWUDWEF0uAWkpAVs7/lYBqiaN3wnCIU9G3Fzy6Zyz2heOR2wpqTc/oTIsME2iMEr/8xNLWIqLz3iE8X5brn8StWUW/34nIiFFZrqPirneoW8rHvTzdgfCa4+gaQ2RULJmIWBQ5JJ0iN1pki0xvmCHR9YfIFlxuNC7i5650aQuzTkc9wasLERkTKdUJEyVVxXwbLeF9QLskN2mIrzFPsVdYmZVKGpnFf5IC6uufMog4xqfNk51NLpdZnkLYlnD8/DcisgLfZsbEChvsErY7mtMEl0LBRCKmmUjHdMl1xuc8i/0sukP7+4TEoyODd2jHxkLs0o5d1dul/XNC2q8S0v63hLT/R0Laf05D28iS4zlNoVIa6vHdM5EVFQfje75NcE/WxMubBHZJUXG2LMo01re1MjFfxk5C8pRZCqNE0y8kfmxEZNolJCZYQa1IGm/SEk7jTeqtrsoEvUiJaMqqk7iqRhrretDbBCrESGMds1S0wa1JQrwS7FZgITUlCTbh+pWVSqJLYf1KlmZFcZ4grCaLMiM8QQzbEk7wSAJ01Xxr4odFLWWdhHJZZQneNIhihhHMExQQ6QwvqSDbiFlXXdoC8+0fNJ+n4HudAQxoEsoODiYN1y6xNgn1+bJcv0oTg9bZnJk/JwEaIzqL2yuuR1jJ6KpaJznmQJUSFb/KTbsYf7ReWx3C1KxcnD9+cMQRB7MvCXGHJh8PQa5De8E4TeHD6GyRYhHZImZx9i7hFLaBzlgJSYpZElXHyvVPuTblAMw/Em2tSBLanC1oCjdGQ6C5oDmLVjC6S5uJNLukkHnFqSYyhbQ9cbZMoJtkqTfYRO3536EeyiCPQljRJdNG4fiRkJZ2AotP0TKVqFUyWWtAIleJ9KvLzHdbPAF1oyguEhiSrhQoFdvpjOvNSjKduQ6z8alvscJJNng+Uggbg/La9bePTZdpg0X0Pse5NvNKxWoWWFOlrldQCqpVdF7j29F1TXJsstC5YRG/2fWxSAP7aC5xnsc+AyyP/axaQwcluItYkRElZZEElcgSTuCmsSJLkxzpEY9SiLm8iQ7PVOr4kKWs1KVikYlybJipomefcSZoPIidlqqO2lGnoQvFt/HDWlw61NNswWX067whniDl3/q80bWOJZpA41gfOgGr0XMTuFwm2bpimeQAl1LFVmDFvFqmOGYF0ySFWih0kg2bog+EoAbAlaLTja7DHQB07Iw/RzV2Op7YbGJ7IEkqyqRrAB3dE5XxLSOp2DIL9ON6MN2NoCr+nVVmrilvdLJRO1O3ZF2L1ySbLEHhpu+JE1sZeLKxtUGZuUBSdHax1vbDjKxi1fkPSNPbkkV/CCipKpYKCzPA3I1BeZOEcPyr1yGRffrU6wIagbCSywzrMmLDgC5phWNTVRTzFPadogTk4FBHExGPL2RLOS6Ea4eyVHkCjuMHMnWC2LB2seEE+QCaxk4EcA2PEzgnmn6JvwFCAK3RqCZwpTRbJlC8uowdZdOKpDgHiuTRDWmtSAgVNwJhE6/FVpdmpaOjaq6JiF0oEewW+1CiDqQz9vTN0sTfVo5o/Be9pqdnbLrbMjpaa5XPk+ShV4onuAsrTVWWs9hV70naVtQvQynEYIg2uIgdDV5nTGiDFwksgzVTJoUZvi5FAugmI1UlYoZZQ7BoAUTRN5WR6EMl0GDoJnskYbO8z5izHJ0pmjODzrDKPZqhBvj3MDuuc1ZCKY11CAUy0EQfAb4BkRyFSnWafAgm0knuoii53NJBY8GD8lvIKhqo9x33mJWhixlBvzNFl/QWFbgPtNC+xYpl1W8GkpxJzjQ0Z6hH90sPAEpIV2UplUFD4FGENitsEDOoVHQxthUekJZ7nyYUIcF7r6NhATHhkd1HcKE5E6k78ndYtaN1+dTIyCU1K6pm7ff1SlaDGw0hQddUNe2IjEQlVpqid9Rg6AjuzipuRPD0rVzqF1eu7PUZOvctvp4jswp0KQIw4A/Utz4GtgV6T83vzAiqw+s83NRJhLeAlt3NKYLB3WQ1xYqsZkywIH/Qc3cCfO2e+oReGJAM8YLjSkCv32UFfVxrEPcwgHsPr33PnNLDcTdzakC4ff/iEWffLkQWsabpbsirMCz6SG8NnIqxcMEU3ahHFFLbuO49dKgWfKTjJaDnJmwHDvi5mhqk6JeKarMHtPv4bOX7Y+U7kwHa8rhRncbuR6SavNPdcMo+nhxH8Da283dAaNevgzOP2fv/cH9DO9jlea0UYOzw3gCvIV4S7z23sL1c5lhT5NK1G27Q4FQ1q+R/cRp+RdMKvuFcKgdfHxQjQlgjTSm0O8P7+1UpLDQmE7T3HSBMu6EFmL3tpiGVgg5o+5guqSqYMzemYrod0jXmYGvG6ZIiTteUI6w1Wwq3cG2//vDWB0jmE+pvGH/PTp+fpNOz5awS7EtF+20Scfjwdfg9DjHxuC4otUXDcncgiRSCQm4F2jCzGlMUCAUqQxqLXdGjyovu7VpYcYI+aa4oLpeMYI4sByOuD3BxWu5gqJE2jaeTXbna6jB7nXS2jexltca+4DFnWGcrmdwncE5c465BL5W2qZHVit0WPGE8AOQOjeUW7jTfiIVwitXsDdfSOuI75+0cHsvRr/4XM/RGbJt/Dagb8OW1MAjnMyKLsjJUhdVwkjC+nVg69+yb/lpAj8WdBWHmn9XL73/4s/V9zzvLUUvsmyDbfp9mcV/M7hq4wVuq0L81MTn9wrMBzIVPfez6n/R7XrQ87+z6vetxZPLyId32pN8wxY4zQ+9/+3hh504VdcETiJfmTBNFSyzI1lqV3jzj/VwQBBJ6jj6+e40uhfnx5XN0+f784j9fo0+Xwrz6CT3drLZIUGZWVCGyktq3SpNKUWLgWz+8+l//7dmToESoWSXUcX15gE6dFTjcjkcn3n33PObXbi9e1kyFj3j+uJju6qYDnB8JGHfnCz7Eb88wbb2Tz0yZCnP09s37ILN/SEHTxbKO2xn/Rwo6C8vWsvvVqFCYyGHlCUvwGO/gPeuwxIZu8AlapMPuvkJv8lxBnNbt8hA7zdVLivLYd86HvoVcnr27crfS6PNYgfWErx87QSVnqfq7G11eWVZGol9Whkd2gogiQzv2uAxrSyxz3bWmVRAddnGeM/tlzNsH204v//A9N+EGsC4hHHDpT/j57hYYsNLmWiex6+56pWH03nN4JZVpVPJA6ebwwAYLwMz2sObVE8vezYeJZX2Z1NN6NyZ4QUN+41RRXM8deL5Ya0mYNTld3Ghg4yCrlxUWSzprXCcixYItK0VzNN8CTSpyyBoK65nySOiBQdHoiLUcHHSRAO+AR7T9uyVc0QMAihbS0MxndsfPM4ov2lzoDGcuFT8B6dKoNMQXCbbEIkG1ME9xHFLhn5QJhIrzrI7EpTPL+x68ncesP1o3mHACC/bCrKgS1KCP25I+R5/qa+wtBMB+RFd1AGxwE/w2ZqnVrXomMCZGXOOaaR8Xf44w50Fjomy/CAluWEFi3poqewcyYSTSBi5zJtCny1GFQiBBNpm+iq6yLVFZJmj7ZgkrqmNn9FqyCUpc3I0YOxUd4u0JuHWtFTJOxTJ6p0jg2RofCa3QEQvUmTyYdx5gBCKQTrBAGP0i1QarfNinG6E3S0j2UgjbE38LuXRzajaUirDpGRk18b5v3NJg3n2qc8wggIyHzIjBDJnwea6QllAwY9WSb7ERnuKaYzHFO/4dApR1gkgnRDmY4G7Isn1JWVsPdgkO7O7NE/ulkhJAIVjHw4O724s9VoaRimOFAC8a1Uw8vbh9/VYu5WIR7v5OSWZWNPny7jD70Q7oTmOH7wvLt2X3TWVWVBifLD7Ktq5iIifcLaHHDTnO+idN1SjDsjJETitpP+Q4w9cVIVTrEZ4Befw4cLTjEk+AL2RN3KVUWxQoTBjwNoVy2uGR9ni0Wgke+HQphb1XrN4KGYfND9HAUNqd1ToeHt3IvYmRQy2FmgHOaN7Mx8dhevYwE0gzUwX0J4LiAupVtKe6whrhXJb2djEryhSSG9EumROcwbdSyGIkrxZ6cmjmIOqnNSKscc9EbvWPVLoRAEa/ME7RG8/YbCCGuwR7RTMxdyZHE8ab+Z8kXWFUBNc+ayGuFEJzDAgiZr37AwTh8vWufb1GbEmMJ4TOZcrqgcDk53SF10xWYF0SWZRKFmwkQ5FOzdyFwHMORWQLdLafNybWjdpJyGSfwx2rEwUZ2OEwanOZIxgMjN/wl3p1O7dse95Gt11bZlkJ0y9ni23R51AGnpFj3Po7WUFwHy+poIqRekogEEj066cWMLOCqzbU2w15Zmfkh5k2avzxs57TMbBbJ5vTy/1z8uaFGyvhvIKuaeOEG1ZQbfW6s/YULenoI5JfhWigEAcXAoAHH7gM6o5b6xjs7pNtrR/vNqcfMh2tyemdp+YDxodmOJgbzLhVCHdQBl/v7F4enJ2adO3cQYsyN3V45aJhqU6jQA7o8UaBfL3b8cfDSxartcE0S3Y3/agm1SAxz9gd9Mek2zHm3AabsTHqoQStF6eOXrlTmVVWULOSJ3glwTuRZOTY8F8bXXDAUlIyadRpz6vOB8l9vNYysmdfJoqE/Ofs5++/R0/fnr+5eobOmTZMLCumVzSHUvggL1wuZXJcoH0vYZAtu3B8+GWGL45kjCmZOKq4r/7TrmqIg+bEQEQ+WtPn+xwXAmn/Td1vJ/AHPIXeTLEIwaS3mWKYx0Kn603kA85Zpd0ISCqkWcE4Vk49WbVpzxCBez1cXgXnXLN8SqSRbqb8J7sR6ihiDxezPeTp6izeiH1nHZ41fKVhJ/7rg0TwyWAv+MAN7ZRl5OFQplQpEwMGTzYgaqmWWLA/9mRVi3Rb4a7CPkLS3T01Iu4FU8Fa0kSoP7/Y4eC2cBBfDrtoJ6v5V4q5WRGsKCoVzWXBBA4W3HXU0xU2jAqjD6bHczzlbN/ik07WQT/SMtHGtUfniVVcJVYGwJDaqe5XqxOCHXllcxeNuqA5VdjQPIuWVLZnf1jl80s9YvN4dqXkmuUNeJj/Hi5L7i3Vwcbw4D/2Wtu1acMGTjtJlk80y2ZIj/VntiPTDDYPhczJNXOv56u+4T4CAdcYnTGbgt/X8qS3YDN1ftSphF4GJupsVLBYsUbaSOU0vqVWUINhtCfwrZn91pPw7AuW55xOp+XewXh31XOB5e3ovaP0XN0eY5rpXvnROghDYlu/zj5HJcd2yez9LBWigqhtORblh1TICfzJO2TQqca3/FVqg95hsmJixKXLcSLN8U1f1p8EZPqXilr1Ye0jB3KmZ+htjkv0Gf7h7KNcCld3+s/h5YlWeE2t5cQpVuhLRdUWAQahLqXQtLaowsWpdr4Z/GYafekx8IilrFiNAinc9B0u3zif9ZQmYLXdQB88OOpdOYUuT2kDZv09XkNL74AYWd/QX7xMI1UJEfRj9fPm5nEvzw5GaqTGzlPMvIeZfiEw2jCRy41GuqSELRixnzwP1Qn6PNnhAbHTc/y2OTfoKSDCUkHaawieLp91pIUqAff4W7rEZIs+6V3g2+YFtugX0kbPrrUjTOCwj9z2XVcLWIFaNdhk9kYcSLzBAQhU/+9UmkI5z1B8u9NOb1CPofM68zowY5hhcKP53xwx2Wnyesem6jN8fei91nUXMPVxFNDhbKYJ2DUPBrtr0yZkumUYrFAYkOJw8TOUDcRsCTha4QZTzumCCR+rB+UEqH4FLkdAB4G7owrFEvHWBmB65l9sxdjEbFPP3WMpjWBTNjFsYzBZFRND4LejgsDRwDvqLkeSJi9zJuJ1EIt6NuyUoagw7eUZUFLdsh1YFgej3Zb3B7p2DrhOe/cd4LrEqt5T9s/P26lsVmwApY7s6bC+rEt+v9P0TPSeJQ7WQqptugX/iy6x+OtBxJiakV0U9do8D11NVix/eQHUD8ztZCbRYFY13vr+WY3ugowKo2R5jOrIZTUfBBfutMf9mNbbpgfKEYBHV90x7Tk8k0WJxbY5j3DsoJ2+81fWVNlrKGNiIcNGAdY3qWuEDuiPnhdZc7ahaVHRF19S5Qj8UnG+Rf9RYc4WjOboHOqeXXAwyMqGzjMi5Q070aP773SO3Pit/4z5mDUfHW22fQ4vKwMm95EtTA+f9Q/NEL7Ljg9Hu5j8DH3clm7qbeTACset4PjiKbrIooLJ9ti2PLhAhHqiQ7C1fWamCNU1xuUudy6yWEpVR/vhifnD25El72DlRN5OtSzKtH2I9ojCjnwwcl+zqaRMZInsMmXHseuBSmzCoUkiMqxjvvZ3CCtfTh+ZcqV4xGXuUI24Ko0zmlUqVjSkQ1NTleFlPJ+yJR39etolHTX9cZe03/UJFAu9NVSAaRXfObH0o+3mxtBbKdpLlYltUbkhpqgl3NG5H2FYMK9e+P8+8yy88P/h85pCYX/MqQpn5/npnPD13E2m+3gOEddOq7XBdHLfEM26VEwsqFIj767DeU8yr67hf1D0wfDsBEzWuMSLzjIEjhQ8a8ukRyowxGTb78K929tt9xEyiFX3T/+gwwSt8YafrFxRNU08wtrsPuPp6Rm0fnyGzmD8MGtUmYnAUkbkfEaVb/5Jd7Iw94Dz0qRPxx1BdhbcDvpEd5Ci9640++PYqOT9oVHCq42u2R/haA27SaRTLv9xgQRdSsPcApYrrEc6QGkyNaxQZynd4OPNBe1SJ+sANUhw6e2xGji9rr8JJ6RotpyiomIX36jpevhxtNGy1SZM6yq60QmUIVkqXbTuYW8owCFVKmkMdLAoXe15YQdH1/A4vU87TZIh0SCD+1fkp9eQ2rn/Mupoz+OYvL/23MPjuArVmmfrlDd6/0nVB7KDzOSZ3Xq4ig7TqFMRZjfUe9SJwA2+aduVdC8k0K0/IQ3vdVKhy+s3/3h3ha7sPYV+EyPdV1puE1VSH8Ptx40McwtqiKwoudFHBZHvpoTTYpCFms41eJ0NRBikgfoWhK0W3GPlUsUGoJAnMHIdHw0qyKjTADwbbKrJOnx2uVxjznK3EQNM9BXhZKjW+xQhSOyGbnVfbUfa+XUCaWTaK2NKnTHoQZuENCxlCoEQ/AhOE1uKuvJFKma2B04UkUWRFCfujnw7PnxAKFyCv2GK8r6nGTvEsuFYZFqfquGtHdnp8N/9bOsarSC3rtQ4KyWbIq06xLDjAAEHwFTYGwCxkhUWYgCckRpuyo8KjIy82U4E29xcLL7n4e9v37z3996L3vDNhWKk6sf+o2O2MX2TrSWvUgngTd3HWfg+N01n7LqdbyWY0eipY0I/A7QOKOytO+r2yCNgOjgbXiXSZm89r58EMz5dYLZbdLCmCjIFFhVHRApCS2Md5Wu3hiPwCptNSu3rBG8d9rqFtmW0lMogaeX769/ehFJwg2KPve+kWk6fYNkvMNgJsc6xAzsJAsX8/eK3q8sr9A7fFkzkTVvv8LLauU2ehrnTRHFkWn4ag9ntm1ZjPoVLFqOnZ7sqx2wxXcHmqYvw6yknNzt2gmVeK1+ee5Rez8VeDvl0i3JirIB6xsV/+brhpjBH5ENLMvbphniJdaFPlN3o21WDF9886hauuPc50lUgRR1r9BdtlBTLv845JjecaUPzv7zwf3vefMrEgpLwRwum6AbzoCGD57zzG4RFjrREI9tS0SXTRm2tZz+lsiixWXmw/oYH1OdhwCQEpaZi0xVCu3otIlUHhbyxJxvOqTBq+6f/GwAA//8elVjt"
+ return "eJzsfe9zGzey4Pf9K3D5cLZTDp04id+tb99eeSVlo1vb0bNs59XVVk2BmCaJFQYYAxhSzF9/hQZmOORgKIkCKPnd7YetWCQb3Q2g0b/7O3IF69dk9vOfCLHcCnhN/sbn351fkDeMgTHkQgnO1uQdlXQO+k+ElGCY5rXlSr4mf/0TIYTMfiYzDqI0kz+R8F+v8QP3v++IpBW8JhLsSumrCZcW9IwymLi/d18jRC1BrzS38JpY3fQ/sesaXjtEV0qXvb+XMKONsAUu+ZrMqDCw9fEA0/Z/72kFRM2IXUCLGOkQI6sFaMDPrKazGWdkQQ2ZAkiipgb0EsrJgD5t6B2ImWvV1LcnZZepm2URa0nFFnnjq4+tH1tis0hl5lt/37/C+IYNduXjghv3PcINaQyUxCrCaG2bwH9NV6QCY+jc/ZtawlQFxhGt3Oc7oAl5q+bkFJgq8ahGCPGw+C5Sh5LTwoUlSFs40hIDDghn5n5guUGeMyUtSGvc/eDSWCpti4aJ4mh5dQiCJbW7Hwyx4x4ntwShlqwWnC0IJQaM4UqSBbeGUPIe7O/cSievwu5PBkejI9YsVCNKImEJmkyhO3c11QbIO7DUoUbJTKuqt9TTt2puXlxQdgXWPBuAP+UamBXr58QGvCn5AF5Y+BMue2hOoowUsARxACeFkrv3c4uTp1BrYNQGTEqYcQklUVIgWpZOBZCK1nGsKjMvkl2YPXv8Ltzz89MfyJKKJtx4XoK0fMbD6YRryiwRau73Sw82AqnjDnw4Lfg9tx011ZazRlCNvw8bOxk9GQPQB52U2MkYQB4/KaNbsjzunrz8/3uyf0/cqnk25H7XV03/VSAhu9vyaLBb0kOEXnbUNBjVaJbp7b0/23Ld//thZiy1UIG0jxE52pTcFkzQnTv8SNADafX6MSK2cDrVY0SMy8MQy6sxtZLj8Z60Eugh0iMv22YAZUobakSvidmZvS+2bgGHzUAPGSgJ97MidvSQAfQbrIhxLu64Vo7ERdnzqkTZ59k1IDMR+0iEg3dmHzuGWt1I/qWBjRqtO/rDn9bbRu2Jksw9DtSqx27ZjoibJc8rDvvcPXHL8BlntH+f36o5OVuCtOQShTNpZAnamSAagqAakD7j11ASA9YB2frx9hpm3GBpN2EA+94GS7cJA9B32pShJzC9f+mwgzmg6w48uRsPFspk0lf75/JXZWxfRIrdE2lAllzO2w9N7Nj0fEhfD3/5IQds8KNRxp5fLH8itCy1k5Vj132XuQPqrfpambt8lZu9r/7fZa/jVn7ZsCsXvCOt7y0rCSVzvgTZOcm+XkXAsegw/0VeC6R8jMrf1xHRGHVoqHpdaPiSYa/7wUPcYKR7ukYun/mlyQVepOfBm20p+biugTA6lCBTIMDtAjT5dC7tD6+I0uQXoaj98SWZUoOnqA2Qzfi80aj63UD3IeruV0w3hkHzGZ8J/Avu13OVy822zzpuV/7qHQxKr6gusyl1PYnWI7vPyfOLz1v6HiUaBN3dUkLM2liowiMa0HbQFuBPqvHMc/9Wms+5pKL9zba2cgMfculfexIjzi8+v4qwIKA/4MT9WdBhNORyitdnc1CHiuOhr88CaAn6KLHrX3Epcn56nyipx7cfLEUwh8VKH7WTTbAiu5+NtorW+UbRwoviTJcTJQQwq/TXKIAd9x4g58adOW4I86yD0mG6pai+VbtqC9nD6Edo8VVs+lhU1UoZTHarlCTT9WDTCNHwpQFjHUDDq1qswz65LztBT4CyBTG8BPL0e2IXuiEvf/75GVlRQwyA7FbZw4lHobzeghOmVtJAPlawr+ZUMNVI2/kUmmrqhZ67yiYKgTylU7WEHjO4jGZWtuLNWA20Gr0/7Ks5Ng/MKih5s6unpWDUNzHNsXMs8Bnh9p/Ny+9/+LPxIv1FjQK0RfqfA2r+6ezBt3QNmrwkZ5LR2jTCR1acSXknuR6Dfs/gRyS3MrbKjy/Jvztyn5MffyT/TpjSTl9GKsKiz8l/F/Z/ui9yQ7aZ8k10C6Uq4dHaunIFBaNCTCm7yqsBe+SksnhtqPV2hWMiyLJWXFo0TSzEE5zxcBSgtcqUn7bRB00NjFOBGCOmxirtNGu59lqH+2BJBS/9wYghRchMNbJ0L4wARJ7LeVCObkxe3L4RA8gpYoHhOuwJG43swlooWj6Wdy6gQwz/A0gFVnMWsTqCKdz/MtrC/rlvhbB79qndaLRq1m7bhPyqVm5rhjYnl0RpZ4xZRa4A6huY9ihevK+EaVoxMKZY8rIoc0Vdz1rJMwcJmlq85KXjYM8uXHJtGyqc0b7le5cRFwevuDO7MVaOzPBUhKt+fkq0k9YGHSrINKrnYLuv3cgJozMlPT04J3wm3H5O6CyhoKHgPz9tfa8foFIWyGU470wDPrTT9ZigdP9rAzFfQeAlrFSYWvCcmQ2P2pw3fKD2PwrdzMncjOcdb517A8JZb09da7WEJ+S/RoTRi5cZFw8Qo3erOuPo4uTNRdB9GZWOPbyqld7VeAk+kV9dGkTzONwfn/xThYY4mu4xV+q2Kd9sfrIx2L2eg5b5hLz8+RVZId8roJJQIeK+AnTqo5q08R+RFWjwYKklAqixRMmdcpFtJj64mvh1MzFyV3OEbQPvfle6RMZhVhOwhVRCzde7gbgZ1wMtlpCfCVtQTZn1THSXeo34o9NckkaGnB6x5TMfrahNXdDtA/U5gwh7YpdoUVROyVSyDSNouhqVaShZd9RKylBj9TEKGXwOirFGtxCNpbKkuiRS6YoK/kcsv1fpKsqfMmQ5HMwi1UwHT9KdmLTBukPmheAzQIojBr4BpmQ5omBvtrswNqefZQ9BXDJV1QJs9ACMOlEpKvBW8x0x2Ks30/aBDvKlWzt6nMeO8vbJHD1+lZJ2kWibNvWpqXJeNllO5QMx/kyWOdjuQP6hZO5uC3vEolu9VTF9eu3HXQ4PRFS2G/2GWLi24fKRJWjTK6co9+WBRfb3vodtDTQVmZsyPaZ0CWW+dzAk2YRnynQrtjpGm2nTfbEfXx++VlpVE4TaYFG+YSCp5sqr9VUjLP/OctCE1rVoq182vWwqbOETKc0lRGB4p7UXPVIeV0O4fWKIWkkfGbO0qnc9gwFjt5pDcXj7rCFswZ11o0owE/KuMRbNpD5QdyupHcnLpRYO3KS9Amw2c3gv4RiaEG5yu6DnnYYZaJDMHwjqVOuSL3npNBs8D3FBdtkKso87zIsTeV1zfTQKN/vpY0HX7iRyK9aeWOOEntPXHFJ4QPf7RhNu+qgL57mTxp08mwyW7NLJVJNaAlUDRe6+EDv+p74qqEF+aaA52lFyp9ufoo18XFFDEIly5Nwgcj+kZmpCpWCLoRlk2ryyGV7feZUD17rIgGpd5NCe65SiaBvoy+RQM+hKvVfkYUzIHfMx+sYMnss7vTmHis2b5NohwYLNA7HTDSG1I4iygRKfQrE2jcgddhqxolRjmarghcehM14wK1vNBieEysCCLQNy5IDAEjS3OUtH9hDWrh6KAHuRnX0un7zFi4Pegf6V7ipdHDSMO9XA+IxvDJ+4duuDOWM9VYKunD+bKbIBnYuRl5uCidZFVYYgSxTvYDYfaxM+b1vpfUtQafLbZUiN5aZNCNj1q+H67Q6NVUmaWhmeUHDc6myhOS1L32EKU/nbuzvahacRtsjXuuiOokg2FWjO7iqLorQdoYptD2H9SrbuZnix5O/3gLQlyFLpkDC7lzI1/dcDdK9pQ7tq+i9gcTvaIZa/FnzAbidB9yPmJX3OXnXfDC9kqPoPYiZ4uRa0yy2WyhJKFqHjRTyBVqh50SaqPIhQbw/inYX6MXqmbMm+v2O6FXatRvERV/yxVXfu27NHLoRe4b65thTrEbnciJx503EGfmgEIGJxcaqkhevcGmuH0Ln0/rpNP1Ralsb9Hz6qVLQIxRrA3PA4swWVcygkrHLLgrHAJax6oX5UQqzVfNpY6EmIYY6+8ag7bb3//MVFh6lpMmHXcU7wbG0r9zENDcHd/CKPTF9/ixi3WAHmGNY2HDSbnC+9BD0hl+A3pTGgJ3QO2Mo7ZLrPlG5xGMBuwXi9neHvif99r2+F0mSq1cp91v416Jre7BrtJ31eXlBtU7vpOsCpPSrhTqlBdeix7pQSZac25rpSqoYQUMz1Fr+RhArQtssu0ptFw998eCuIj14TAExCiijMJZFKfqehBrRk9mU/oNlwzCeHNVq7C9PZK7iTqMe94D7C1oZ/BpStuF0EZdnLenKKC06x2kQSJb+bK/ffe14CVFKKiOKYkW7aCwa+QAQckmpGnHSwHMyEXG5kyu5gg35lVR6MT3w5X2OcEeNLRn2yTRnEb2A8JUw0xrYHMvxjsE34E27cToaa6ODfcIovfjquAh1d+/E3LG7R+7ZM+ZSyJzcZXg7LU8SCUGMU4+gvdbsRtSdxw97yK3hNKKkXa8MZFaTk5uo5qTXORHlOwLIncUWZanpI7eUdH3pfZ6NpBRa0ITU12MXLYCMH34uAqapyUkxtBe2HpTVg2V51z78HD6Xx9fYww8PkxTdTVd0M72CGbaNkxWWpViGflinJoLbPu0yKUWYMyJw1QqzJl4YK7/wsVUW5DFJD9hYSauTp6ns9U6lLe0h3KuFbLq+gDLVAbSI6NeidCgaK++SbDrUJL/dtnBh0hcgq6vqTnbxbYheBFr3fLh8Kr9/q4Hkll8N2PV3QGXTFdwc75XaxhjURW3/+92vaPybWtGdc5L/jHcm/4GrdNdZQNgxIGzmCuLvNgOZUFJHXNNsjcolLtmrz7vvYewDdCzPqFwB2ZQ5qOZDCYxxWdw/dgppFd0OdWhipMmzYwmf+tjU2XZnhSQtpp0WYI6RbZmI0c7/q/j2sNCVOnkvCMeeukUwA1e5P2Ahvg1ooIAzeTt0Wdt4cffDCrxn2eXrULxZT1ZTLrm92/8EKZaP6Dq/XkuvGHNvT19dGEIFxj99xAqSRK3HiV/c9Gcc9pd6Cy+4a79jnvcznp+S9lzRPQ+MG4qfthaJfh9uzuF7tHdAP4cvvuZ/PT5GloeStExND78F2RM6nAXoSJv4QOVmw4iZupC7NOmcv++2obijQ9urCXj+29Mb3EU+NY/1JtzA5P71Rk03ln7tBk3WIvZTlRqOdkBNfnxn6nQr/wX5tFhHU29/44Zvgjps2tqvcVLZ7jBopwHjOKP+grBRZUs3pVAyqAH1TBi5JLeiIIDAgTdb+KFsb2ldV/coTJ6mchtHWF3K3z5cvzi92dWgSWsZ6j8JYXfaBAwVvXQu5ibR4JMm5tOSSzyVFYTFyRGulczavfTKQX+6QXrS6m8KujvifDpHeXcZTVqrIwXn/20fCJRNNCU6chUG27ucT8vTsmla1gNfkwjtEPFiU3pO4XwQjc0ePbaJzavO0xDHj5sqp3AfgdYdSvJ4b8314Gj5wc7Un5Go1n89B5xthF2fZ534sIOCA2ulCg1koUbrT4231kUmjW6H3I3gWhrH3IJWffvA6xrOuGcf5abyM5NbReaaqujhy3hXuSsi9wjGu3r9nmul3Dh0lsT51huNmVNmwMSstqKUPlDXWx7yTlkpj5wEn11v8RqbEUV2uqH6YDL1hV30nXWl4iBwRI62RnzohSsk7ytp+ynHl1omgo9oxSn7XKqh6vxTytmbyodYaqEmeG2wstU0qxbnzR1EuHszscItP1TXh5Yvx98u9rM0xMHQYfRo0PvZ3wWERv7rtO5Z5+t7gkJ8O5+4d8pxxqZpUMc5eHYmZJ79TTpKmdDoMPLI/JQacuzPj1pF4I4STe8Q0jIExs0aQM7c+YaoE445E2+w3bllwWcJ1YgYIbuxhmuc9ZQsujKaYbpGYgsb4ZkU1F5jBE/Hg+fi7nBOKTPzO/TZKmcxwDtXUNxd6II04rE6edvmcNWhTh6JbL2EGLAsqwiYhvu3w9GykyNC7uYbvce6EEq98dUlewVflv+0+pFwaUoKlXEScDFPV2N7vRkhT4ui5ma3HlnZ5bIjH+ENqoapFtmyeN6SEGQ0hoND5so3hh2xNpxUvQQu6xkIuq8LjSp5GbqT7AK3u8GuYtVXg3ldvLLcNNmYkUcI2tsGwYdN9r2vSKFbPv8NoakwzyCqmqsrdpzzH6MRDJ7yX7FtrteSl95+1XeQqMKOJUKVihwca7+4t+4WLjdbI+nl5cdXgusakp4eR9e3qeWX9v9T0QL/TweT9bzUNAZj47ap5vsa5p5hQ7Hf+8uKcnA8Uqj4a2brWhuqS/RgkLOzqqmHnSQ3pu/jDQm51XLn3IqKYqjJ3xdeg4m5X6Qi4EIfLiHq0SN8twYcMjlB53nMBh9Jhn0DbxUP4nJddKGfEiVelthoHZeAJXv50Sl5Hd93kfKba6d4Xn3z3nDYQhcka18CavhfBp35NIVbe2nZh2pe4cQRHSNQrXm47RLrqSrqkXNBhIIN0rnCC9ZUz0Hpk0oK/Q4f4+tPF3YKxUoUGUD4AOyAppBsYPp+MSEReFdOmLNfJ/TO8KpLWAfXgNgYOa3S+10uVHqLmKmGXg50Su8I0xyhI4Kafvep7rtKm5LarrNv0RQsYxQbbbSo2vCjZhBf2E+mzxFJzcHk0q/zk8xl5GmolPjfC6cpTLrCAA/PAzq5rZdw3n5Hvho4GuRuFuZJqJbcMIQOswWYWy23oI5M2GT2CC243LfSkrXJ/H0qT3sKcsjX5NGquCT7V9CGK8sPCWyzmklSUy5mmFexNx6ipxqm9+fskbCmXF7gsea9Knxy9aQvYyzqLIEVu0L4wVcAxIpeFtN037j2syK+NRFPynSpBkKdcLiffPidcsedk6v4P3P9RScXacDP5Nh5ftKwuZoIOJuen1qG2NfyTC4KLoq8L5eS6HX6lZnsbNViVFVP/12nAs22DYEC7gxxFaFmllbs7mH1+9zvVQD76BOBvv/387vc3H86+/dbn3C6ppnz0TK6UvkpZsnzjBfu9XbAfYRt1glGZWokINTtpu5R0zwFl7rlYZzBhZkqDNJylFCA9V1IGjKv0XpBIfCAV0GJF+XA48b29A9j7PDVQd31Sl6ibZprpUthpaaxOXfmO9drZHGL9tzTZO9rWfORzkh5a7LIZDDZQaUKxyabuJdS7OBAzPupoaknN5og9lNRoN6IImbvlPXGhfHA/wbs7LhzyQf//MFx1ozL7yX8PcsTKno8+ILIXyQc5HG0cdx9+Sh0haWtrZ3t26VPbZbS3WXbYJ/MZut0GJ/fmyHTbspofIx6GRV8zyoXjddvM5SLIjPPTfm0bduJy5qCFeaSFwXhWYZtzXTgV8QB6Dkm8xnTrUH10oqqqkbueqAF28rDGTffF7j1c279DXKfucDOHadb3xe2SyvJvKh412+BmqeWHSIZ7YzdceAs505iaM66SZYkey4JH7FdUy2HQ4bGjbmRVFyqXML58/+6C/Ob9qJuk1DgiX46aSnD5H2/Jlwb0SO/WRshCw26nzrzJDT2H6Jp8aIvOomldnZbOEj6kfaAq9RgBB7Q+yHF0E1QbCY7dG26ZfkADFVRXGXbLgc3gXqB1wgLkDmhTJptKuwUzbberLdAltbta4X3hTkGyRUV1qrKSDu66poPxxfeOPlE2SKdKArNYJD8LDGZpC6g6wLM5tlrKAFZN/5UBak2TT8LwHaeSHy8Muhc89YMTOrdV4FTP5EjLgjIcjJK+/MTBNjKh8d4DPJ3Xy5/ktV0kf9+ZLJjVRWmS9l3vQXeQD4s83QLwUtDkEkMWIOdcJiyKHILOkRsti1lhVtyy5PJDFjOhVoZW6XNX+rClXeaDniHqwmTBZU5xwmUNupqukyW8D2DX7CoP8CUVOc4Kr4taK6uK9CEphL78qUCPY3rYItvdFGpelDmY7QCnz39jsqjodWFtKrfBNmB3ogVkeBQqLjMhzWU+pGthCjEVReqw6Bbs7zMCT94ZvAc7dS/EPuzUVb192D9nhP0qI+x/ywj7f2SE/ec8sK2qBZ1CDpHSQU9vnsmiagQq39N1hneyBV5fZdBLqkbweVXn0b6dlknFPHUSUoDMcyglBr6w9L4RWRifkJhhB41meaxJBziPNWnWpqkzzCJlsiurzmKqWmWd6QHXGUSIVdYZZrlgo1mTBXgj+bWkUhlgGQ7h8pXjSqZHYflK1XYBtMzgVlNVXTCRwYftAGcIkiBcPV3b9G5RB9lkgVw3RYaYBtPcckZFhgIiU9A5SLZOmHXVhy2pWP8B5TQH3ssC24BmgezbweTB2ifWZoE+ndfLV3l80KaYcvvnLI3GmCnSzorbAaxVclFtslxzhApMp69yM97Hn2zWVg8w2IX386d3jnjgqPZlAe67yafrINeDPeMCctgwppjl2EQ+S1mcvQ04h25gCl5jkmKRRdTxevlTaWw9aOafCLbRLAtswWeQw4wx6GiuoOTJCka3YXOZ55RUqmwEGKZycDsA5/MMsknVZkVt0pn/PeixDPIkgDXMubGapveEbGBn0Pg01LlYrbPx2mAncp1JvvrMfH/EM0C3GmiVQZH0pUC50M6nXK8WipvCT5hND31NNc1ywMuRQtgUkJd+vn1quNxYKpPPOS6NnTY61bDAFir4WUE5oDbJcU2vR7c1yanB4uSGWfph14d2GtgHc07LMvUd4GXqsGrbOijDW8SrgmmlqixdiRzgDGYar4o8yZGh41EONtdXydsz1SZ9y1Jem1rzxEAFtdw2ybPPBJeQrsXOBqpJOlGng4vFt+ndWkL5rqfFTKjkz3kHPEPKv7N5k0sdBzSDxHE2dAZUk+cmCDXPcnTlPMsFrpVOLcCqaTPPcc0qblgOsVCZLAc2xxwICRabKyWHm1yG+wbQqTP+PNTU6XhytUptgWSpKFN+AHRyS1Sl14yU5vMiMo/r3nBXEnT6N6su/FDe5GCTTqbegPUjXrMcsgyFm2EmTmphEMCmlgZ14R1JydGlxrgPC7ZIVec/AA3XNU8eCKhBV3NNpR303E0BeZUFcPqn13ci+/RpZwpoAsBazQtq6oQDA/qgNU0NVQMVOfQ7DQz54LuOZgKenskOctoWrj3ISpcZME7vyDQZfMPG+4Yz5AMYSJ0I4AceZzBODHxJfwBiDVqTQc1gShk+zyB4TZ3ay2Y0y3EPNCuTK9JGs1hX3ASAbboRW32YjUneVXPJZOpCiei02PsC9U06U5Nv5zb9sfJA00f0upmeqeGu6+TdWptymiUPvdEiw1vYGNBFyVNXvWcZW9FGhnKwwTJjaZXaG7wsuDSWzjJoBkuubQ41fFnLDK2brNKNTOlmjbVFi3QUfdNYRT40kgyW7rJHMg7L+0wFL8mJhpJbckJ1GboZGmz/HkfHT87KyKWxCaEIBofoE+xvwJQgsVKdLh+Cy3ycO6tqodYwGCx4I/9mqknW1PuWZ8zx0PuMcN6Zhjlck4ruNlrYxGLlvNkdBpIdScENDmdoVw9bjw2UiGnqWmlLho1HCVktqCXcklrDbOwo3CMt9y5DKGKMD1ZHhwLhMnR2H+kLLbjMPZG/h6pbrY+nIVbNwS5ATzbfNwvVDF40QiQsQXfjiKwiNdUGyDuwFCeC+7tKOxY8favm5sWFL3t9Rk7DiK/nxC4iU4qwGfAHCKOPEW1J3oP9nVsJJr7Pw0OdhXkzHNnd3SJc3BNrgGq2mHDJo/jhzN0j9NfeEZ84CwOTIV4I2kic9TtvcI5r28Q93sB9p1/7Hpryt+PuaOqacIf5xSPGvtuIImFN0+06r+Ky5CNcW7wVY+6CY0yjHhFIm8F173FCtRQjEy+xe27GceDYP9eAJRq+NGDsnqbdh2cr371XvlcZcCyPX9VL7F2PVJd3uu1O2YeTxwhjY1t/xw7t5nWU8pSz/2+eb+gWOz9thQKuHT8baDWkS+K94xF2j8uUGiA+XbvDhgxuVbdL4RcPg6/sRsF3mCvt29dH2UgINcQA4Lgzun9elabSUHaE8b6DDtN+aYlq7+bQsEbjBLR9SNegK+7VjWMhvVnSD+bgSy5gDkTAEgShxvC59Bu3mdcfP/rYkvkB5Teuv+ekTx9k0rPDrJH8SwO7YxJp/PL18D2sY+JhU1BajYaX/kIyJSVgbgVZcbsYExSERCpDOo1dw0HlRXc2LRw7UZ50T5RQc86oIA6DEdMHsXhY7HCpkTGND8e7erE2cfR66WwrtZPVmvqBp4JTUyxUdpvAG3GduYazVDZDjZxU7I/gifcDIP7SOGzxTQuDWJgAqidvhFHOEN+6b6cYLCe/hl9MyBu57v41gG7RljfSElpOmKrqxoKOi+EsbnxHWD7z7JvdvcAZi1sbwu0/m5ff//BnZ/ue9raj5dg3UbTDOS3SRsxu67iha9Dk3zqfnHkR0EDk4rc+df1P/jMvNzhvnfq9+3Fg8vJNsu3J7sAUt86EvP/t45mjHTR45wn6S0tumIaaSrZ2WmVQz8RuLghBDj0nH9+9JufS/vjyOTl/f3r2n6/Jp3NpX/1Enq4WayKB2wVowhbKhFFpSmtgFr/1w6v/9d+ePYlyBOwio4zb5QfK1ElF4+N4TObTd8drfunP4nmLVPyKl48L6b5sugHzAxvG3fqBj+G7o5hurJPPXNuGCvL2zfsosn8oCfl8WYedjP+jJEzivHXofjUiFAm5WXjiFjzGN3jPPsyphRV9gBHpeLovyJuy1Oin9ac8hk739LKqPjTOed9YyPnJuwv/Ko2Gxypqjhj92HIqeU01vN3k/MKhMuL9cjw8cBJEEh66tcd52GpihZ+udVwB0UOXliV3X6ZiE7DtzfKPv3NHPADOJMQLrsINP90+AgNUNrnWWfS62z5plLwPGF4obTuRPBC6JQbYcAO4Xd8sec2Ree/p4XLePiYtWe/GGC8hZjcey4sbsEPLlxqjGHcqp/cbDXQc4uSypnIOk850YkrO+LzRUJLpGmGCLDFrKC5n6gNbDwyKRke05eiiswz9DkRC3b9fwpXcAaChUhaKkNmdPs8oPWtLaQpa+FT8DKBrq/MAn2U4ErMM1cIix3XI1f+kzsBUWhatJy6fWr5rwTs6Jrur9Z0JD6DBntkFaAmWfFzX8Jx8ap+xt+gA+5FctA6wwUvw25im1o7qOYIyMWIat0gHv/hzQoWIKhP15ouY4EY1JuYtQbs3kEuriLH4mHNJPp2PChSGCbLZ5FVyke2AqjrD2DcHWINJndHrwGYocfEvYupUdPS3Z8DWj1YoBMh58kmRiLNTPjJqoSMaqFd5qOgFYCRhmE4wI5T8ovSK6nI4p5uQN3NM9tKEuht/jbl0U7ArABlXPRN3TbxrjFtZKvqhOo8MwZbxmBkxoJDLkOeKaQkVt04shREbcRKXgspjxPFv4aBsE0R6LsoBgdsuy00kZeks2DkasNsvT+pIJTDsQrBM1w/udhF7qi1njaCaYL9o0iLx9Oz69Vs1V7NZfPo7sMIuIPv2biH70S3ob2MP7zOHt0P3TWMXIG1IFh9F2zQpOyfcLqHHLzmO+icDehRh1VimjsvpsOQ4wpcNY2DMCM7Yefyw5miHJZ4gXsSpuHOl1yRSmDDA7RjCaQtH2MHRSSUM8JlaSfeuOLkVUw67H5KBorRN1TJdP7qRd5MS37UUawYEh7KjJ/hhdvRhLonhtonIT4LFBRBEdIC6oIbQUtXudbEL4JqoldxsmWecpddKqmokrxZnchjuW9QfV4lwyj2XpZM/SpuOAZT8wgWQNwGxyYANt3H2yo4wfydHE8Y7+h8kXWGUBZchayEtF2I0RhiRst79Hozw+XqXoV4jNSfGE0KnKmf1QIT4KSzokqsGtUumqlqrio9kKMKxkTuTdCqwiGxGTvbjxuWyEzsZkdzFcEvrJFEEtjBMOlzmAAQj63f45d7d3iu7uW+jx25TZtlIu1vOllqjL7EMvGCHmPW30oLwPZ6DBM1ZSxIyBBP9dlMLuF3gUxub7UYCshP2w8RYPR78bGk6pO3Wg9H0cj9NQb3wa2WkK2qadka45RUYJ9e9tqehhtEgUtiFZE0hbtwIbDx4z23Qtzxah/TufrCj9ePtaPqhMMmGnN6atOAwvonCAW1I8UYg3EIYfL3UvbyROn3UvfMXLQlt+uadS9ZL9TgC5AY53gmQr/c4/njzlqUabXCcLbudfNRHlSAp79gt5MdRj2NK2gaHsVPqsQRtx0+dvHKnsYuiArtQDxAloVueZOLRCF8b3XDspaRVVq/TnqjOByWCv9YhsudcZvKE/Ofk5++/J0/fnr65eEZOubFczhtuFlBiKXwUF6HmKntfoH2RMMyWnXk8wjbjF0cyxrTK7FXcV//pdjWGQXdj0COfbOjzXa4Lw7T/ru635/hDnGIxUypjbdI3mWJUpOpOt0PIB1ryxvgViNLE8IoLqr14cmLT3SGG73q8vArvueHlMTuN9DPlP7mD0HoRd/pibi55vjqLN3LfXcewRqg07Pl/g5MIPxmcheC4gV5ZRhl3ZSqdMzFgELJBVis9p5L/sSerWuY7Crdl9gGc7p+pEXbPuI7Wkmbq+vOLWw5fC9/iy/cu2spq/hWosAtGNZBaQ6kqLmm04K4nni6o5SCtuTE9XtBjUvuWPiixvvUj1JkOrrs6T5zgqqm22AxpQ+p+sXrEZkdB2NxGos6gBE0tlEWypLI958MJn1/aFbvg2YVWS152zcPC92hdi6CpDg5GaP7jnrVtnTau4GyI5OWRqOyWDL3+7HqEzOjwUMycXHIfPV/sKu4jLeA6pTPlUPC7ap5wjTpT70e9Suh5hFCvo6LGSg0xVmkv8R20CizF1Z7gtybuW0/i1Fe8LAUcT8q9w/VuK+ci29uTewfJuXY8xnHIvQir9ToMyXUbnX1OakHdlrn3WWkCkul1Peblx1TII9iTt8ig051t+asylryjbMHliElX0kyS45tdXn+SmOlfa3Diw+lHvsmZmZC3Ja3JZ/yH149KJX3d6T+HjydZ0CU4zUkA1eRLA3pNsAehqZU00GpU8eJUR2+BvzmOvAw98JiDrHnbBVJ68n1fvnE8W5KOgOrmAH0IzVFviylOecrrMNs9421r6a0mRs42DA8vN0Q3UkbtWPO8e3l85Nm3kRqpsQsQi2Bh5t8ISlZclmpliKmB8Rln7pPnsTrBkCc7vCCOPI/vJueGPMWOsCDZ5hnC0OWzHrdII/Edfwtzytbkk9lufNtFYKvdQtrk2bVuhSMY7COvfd/UQlSwVg0PmXsRBxzv+gBEqv+3Kk2xnGfIvm2y8yvUY915vXodoRgpjB608JsDiD1OXu8YqSHDN7jeW1l3hqSPdwEdUnMch10XMNjem01Cpt+GwQ7FG1LcXPyMZQMpRwKOVrghySXMuAy+ehRO2NWvovVI00HE7qBCsUy4bRwwO+pfasHY+Wxz0x56KY30pux82NZStqiO3AJ/syoynAyso/52ZBnyMuUy3QSxpHfDkYxFhXkfz4iQ6pft4Lb4Ntqb8v7I1M4B1nnfvhuwrqluz5T78/MNKasFH7RSJ+52OFvWJ7/fijybfGaJb2uh9Drfhv/F1FT+9caOMS0i213UW/U89jQ5tvzlBUK/gbYHU4kGVLX91vdTNXoKCpBWq/oQ0VGqZjpwLtzqjIc1nbUNN5QjII6+uuO49/BEVTWV6+4+4rXDcfreXlmCds9QweVMxZUCaq5y1wjdID92rMgWsxXk7Yo++5IrR+CXRog1+Y+GCj7jUJJTrHv2zsEoKiuYFkypK/5AQfffYUr8+hv7mYoxbT55t9lNOLxuLKrcB44wvfmuf+iWCFN2gjva++Qn5OO69qRvPAeOOX4HxzdPw6xI2kx2B22Hg3dE6Ccm1rZ2F5ljuOo65XIbO+9ZrJVuvf0YYv7wdmTLe71yEh+nlhd13jlEe1jhVr7Rc9+iqZXKpIlsI+XWcftBamrjrkkmC2pSRvt7gHUop08MudEi4Tb3oCbclc4YLRqdyhvSg2lAF3SezqbcgE7+PG2DTpr+uA06nPoMggWuLUhUrdIbJw5+stPcKXoLDTupMqk1Kr/EMWoJt2TuR1wW1asX4b9PAgovwn+EvKaY258K0PHsvEDOA0bPPTH94Dl6XHuj1gbklGEgmjOpuJyB1iNx1yHdR6Grr/jfyPqoe/YISLZ9iWe9bYhcKQxrq6xXKrLE0Y7fmY/bu2P3ETOIdf9P/4Bhgtb4wE9eL0Afxx/hdPaQ8fT0BEc/PiMnuH4cNdD2SM1SRvh8AjoM/4StLMw9zXkha+i4x8jehrtFn5hep+i9O83/ONQreffWKPHdJpf8j7i3hl9lkinn/zgjEubKcr+B9YKakQlQhh27rVBvK/3i48MF3VZnmwA1SHDZOWNt4/S2/iaekGL4/BgVFdv9jbqphx9HBy07acKNaZIrnQgZk6XyeevuF0NBDEHrrD7Qwab0peeZW5xcYnB6n3Q6SoZE1xk8RJGfXmJq5/7HqCc9D0Py7tJzD47jItQYUSxzvui7IdXgyI4iUxbu6NEmeZtGkwswv4JgUWdqbvDNZlxJ/0FC2foTMRivU5qcX775x7sLcuHeKfKbHJm+ssE2UyX1Idh+XKk4tiiG2ALYlTnIiXw7IZy3B1ls6FzXr7NrEYZpoGEE4UYK7tFyQfNBU8gHUHI9Hl1XkFGjAXG21DZHm/DZx3JJBS/9QYwgsSsIj9bVep8gRI5dwdrsiu1EJ79NIE0Me2FtbQqOM2izgMatzMEQRh/BbeJz2Va+KM3t+oYbxVRVZe0Td0u8PR7BIRQvwV9xDWLX0kztYlkJKgtjHmrgrVvZy/DfA7VtjVYUW19qXNSKHyOtOoawx4AgBohU3BpAtrIFlXLQOCN3u6mwKiIyErM9Utvm7mEJMw9/f/vmfXj3Xuws3z0oVuld33/ynm3cXBVLJZpcDHjTznGWYc5NNxm7HefbSG4NeeqRMM+wWwcW9rYTdXfAE0Q6So1oMkmztwHXT5LbkC4w2S46WILGTIFZIwhTkkFtnaF86fdwpL3CapVT+nrGO4O9HaHtEK2VtkQ5/v76tzexFNwo21OfO6Xnx0+w3C0w2HKxTqlvdhJtFPP3s98uzi/IO3pdcVl2Y73j2+poO3oa5tYQxRGyAhkD6vaR1alP8ZLF5OnZvsqxmB2vYPOhi/BbkrOrHVvOsiCVz09Dl96AxV4MxfE25YF7BbQUV//l64a7whxZDjXJ1Lcb/SXOhH6g7MYwrhqt+C6oW/ni3ufENJEUdWrIX4zVSs7/OhWUXQluLJR/eRH+9rz7lMsZsPhHM65hRUVUkaFT0fsNobIkRpGRY6lhzo3Va2fZH1NY1NQuQrP+Dgeyi8MASXRKHQtNXwjt67WY0r0u5J0+2WEO0ur1n/5vAAAA//9X1Lot"
}
diff --git a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml b/x-pack/filebeat/module/f5/firepass/_meta/fields.yml
deleted file mode 100644
index ecf61b431da..00000000000
--- a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml
+++ /dev/null
@@ -1,2637 +0,0 @@
-- name: network.interface.name
- overwrite: true
- type: keyword
- default_field: false
- description: >
- Name of the network interface where the traffic has been observed.
-- name: rsa
- overwrite: true
- type: group
- default_field: false
- fields:
- - name: internal
- overwrite: true
- type: group
- fields:
- - name: msg
- overwrite: true
- type: keyword
- description: This key is used to capture the raw message that comes into the
- Log Decoder
- - name: messageid
- overwrite: true
- type: keyword
- - name: event_desc
- overwrite: true
- type: keyword
- - name: message
- overwrite: true
- type: keyword
- description: This key captures the contents of instant messages
- - name: time
- overwrite: true
- type: date
- description: This is the time at which a session hits a NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness.
- - name: level
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: msg_id
- overwrite: true
- type: keyword
- description: This is the Message ID1 value that identifies the exact log parser
- definition which parses a particular log session. This key should never be
- used to parse Meta data from a session (Logs/Packets) Directly, this is a
- Reserved key in NetWitness
- - name: msg_vid
- overwrite: true
- type: keyword
- description: This is the Message ID2 value that identifies the exact log parser
- definition which parses a particular log session. This key should never be
- used to parse Meta data from a session (Logs/Packets) Directly, this is a
- Reserved key in NetWitness
- - name: data
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_server
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_val
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: resource
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: obj_id
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: statement
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: audit_class
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: entry
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: hcode
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: inode
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: resource_class
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: dead
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: feed_desc
- overwrite: true
- type: keyword
- description: This is used to capture the description of the feed. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: feed_name
- overwrite: true
- type: keyword
- description: This is used to capture the name of the feed. This key should never
- be used to parse Meta data from a session (Logs/Packets) Directly, this is
- a Reserved key in NetWitness
- - name: cid
- overwrite: true
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Concentrator.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: device_class
- overwrite: true
- type: keyword
- description: This is the Classification of the Log Event Source under a predefined
- fixed set of Event Source Classifications. This key should never be used to
- parse Meta data from a session (Logs/Packets) Directly, this is a Reserved
- key in NetWitness
- - name: device_group
- overwrite: true
- type: keyword
- description: This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_host
- overwrite: true
- type: keyword
- description: This is the Hostname of the log Event Source sending the logs to
- NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ip
- overwrite: true
- type: ip
- description: This is the IPv4 address of the Log Event Source sending the logs
- to NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_ipv6
- overwrite: true
- type: ip
- description: This is the IPv6 address of the Log Event Source sending the logs
- to NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: device_type
- overwrite: true
- type: keyword
- description: This is the name of the log parser which parsed a given session.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: device_type_id
- overwrite: true
- type: long
- description: Deprecated key defined only in table map.
- - name: did
- overwrite: true
- type: keyword
- description: This is the unique identifier used to identify a NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: entropy_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can
- be either UInt16 or Float32 based on the configuration
- - name: entropy_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the Meta Type can
- be either UInt16 or Float32 based on the configuration
- - name: event_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: feed_category
- overwrite: true
- type: keyword
- description: This is used to capture the category of the feed. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: forward_ip
- overwrite: true
- type: ip
- description: This key should be used to capture the IPV4 address of a relay
- system which forwarded the events from the original system to NetWitness.
- - name: forward_ipv6
- overwrite: true
- type: ip
- description: This key is used to capture the IPV6 address of a relay system
- which forwarded the events from the original system to NetWitness. This key
- should never be used to parse Meta data from a session (Logs/Packets) Directly,
- this is a Reserved key in NetWitness
- - name: header_id
- overwrite: true
- type: keyword
- description: This is the Header ID value that identifies the exact log parser
- header definition that parses a particular log session. This key should never
- be used to parse Meta data from a session (Logs/Packets) Directly, this is
- a Reserved key in NetWitness
- - name: lc_cid
- overwrite: true
- type: keyword
- description: This is a unique Identifier of a Log Collector. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: lc_ctime
- overwrite: true
- type: date
- description: This is the time at which a log is collected in a NetWitness Log
- Collector. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: mcb_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- request is simply which byte for each side (0 thru 255) was seen the most
- - name: mcb_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- response is simply which byte for each side (0 thru 255) was seen the most
- - name: mcbc_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- count is the number of times the most common byte (above) was seen in the
- session streams
- - name: mcbc_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the most common byte
- count is the number of times the most common byte (above) was seen in the
- session streams
- - name: medium
- overwrite: true
- type: long
- description: "This key is used to identify if it\u2019s a log/packet session\
- \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\
- \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\
- \ 32 = log, 33 = correlation session, < 32 is packet session"
- - name: node_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: nwe_callback_id
- overwrite: true
- type: keyword
- description: This key denotes that event is endpoint related
- - name: parse_error
- overwrite: true
- type: keyword
- description: This is a special key that stores any Meta key validation error
- found while parsing a log session. This key should never be used to parse
- Meta data from a session (Logs/Packets) Directly, this is a Reserved key in
- NetWitness
- - name: payload_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics
- are the payload sizes of each session side at the time of parsing. However,
- in order to keep
- - name: payload_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, the payload size metrics
- are the payload sizes of each session side at the time of parsing. However,
- in order to keep
- - name: process_vid_dst
- overwrite: true
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any
- similar group of process. This ID represents the target process.
- - name: process_vid_src
- overwrite: true
- type: keyword
- description: Endpoint generates and uses a unique virtual ID to identify any
- similar group of process. This ID represents the source process.
- - name: rid
- overwrite: true
- type: long
- description: This is a special ID of the Remote Session created by NetWitness
- Decoder. This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: session_split
- overwrite: true
- type: keyword
- description: This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: site
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: size
- overwrite: true
- type: long
- description: This is the size of the session as seen by the NetWitness Decoder.
- This key should never be used to parse Meta data from a session (Logs/Packets)
- Directly, this is a Reserved key in NetWitness
- - name: sourcefile
- overwrite: true
- type: keyword
- description: This is the name of the log file or PCAPs that can be imported
- into NetWitness. This key should never be used to parse Meta data from a session
- (Logs/Packets) Directly, this is a Reserved key in NetWitness
- - name: ubc_req
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count
- is the number of unique bytes seen in each stream. 256 would mean all byte
- values of 0 thru 255 were seen at least once
- - name: ubc_res
- overwrite: true
- type: long
- description: This key is only used by the Entropy Parser, Unique byte count
- is the number of unique bytes seen in each stream. 256 would mean all byte
- values of 0 thru 255 were seen at least once
- - name: word
- overwrite: true
- type: keyword
- description: This is used by the Word Parsing technology to capture the first
- 5 character of every word in an unparsed log
- - name: time
- overwrite: true
- type: group
- fields:
- - name: event_time
- overwrite: true
- type: date
- description: This key is used to capture the time mentioned in a raw session
- that represents the actual time an event occured in a standard normalized
- form
- - name: duration_time
- overwrite: true
- type: double
- description: This key is used to capture the normalized duration/lifetime in
- seconds.
- - name: event_time_str
- overwrite: true
- type: keyword
- description: This key is used to capture the incomplete time mentioned in a
- session as a string
- - name: starttime
- overwrite: true
- type: date
- description: This key is used to capture the Start time mentioned in a session
- in a standard form
- - name: month
- overwrite: true
- type: keyword
- - name: day
- overwrite: true
- type: keyword
- - name: endtime
- overwrite: true
- type: date
- description: This key is used to capture the End time mentioned in a session
- in a standard form
- - name: timezone
- overwrite: true
- type: keyword
- description: This key is used to capture the timezone of the Event Time
- - name: duration_str
- overwrite: true
- type: keyword
- description: A text string version of the duration
- - name: date
- overwrite: true
- type: keyword
- - name: year
- overwrite: true
- type: keyword
- - name: recorded_time
- overwrite: true
- type: date
- description: The event time as recorded by the system the event is collected
- from. The usage scenario is a multi-tier application where the management
- layer of the system records it's own timestamp at the time of collection from
- its child nodes. Must be in timestamp format.
- - name: datetime
- overwrite: true
- type: keyword
- - name: effective_time
- overwrite: true
- type: date
- description: This key is the effective time referenced by an individual event
- in a Standard Timestamp format
- - name: expire_time
- overwrite: true
- type: date
- description: This key is the timestamp that explicitly refers to an expiration.
- - name: process_time
- overwrite: true
- type: keyword
- description: Deprecated, use duration.time
- - name: hour
- overwrite: true
- type: keyword
- - name: min
- overwrite: true
- type: keyword
- - name: timestamp
- overwrite: true
- type: keyword
- - name: event_queue_time
- overwrite: true
- type: date
- description: This key is the Time that the event was queued.
- - name: p_time1
- overwrite: true
- type: keyword
- - name: tzone
- overwrite: true
- type: keyword
- - name: eventtime
- overwrite: true
- type: keyword
- - name: gmtdate
- overwrite: true
- type: keyword
- - name: gmttime
- overwrite: true
- type: keyword
- - name: p_date
- overwrite: true
- type: keyword
- - name: p_month
- overwrite: true
- type: keyword
- - name: p_time
- overwrite: true
- type: keyword
- - name: p_time2
- overwrite: true
- type: keyword
- - name: p_year
- overwrite: true
- type: keyword
- - name: expire_time_str
- overwrite: true
- type: keyword
- description: This key is used to capture incomplete timestamp that explicitly
- refers to an expiration.
- - name: stamp
- overwrite: true
- type: date
- description: Deprecated key defined only in table map.
- - name: misc
- overwrite: true
- type: group
- fields:
- - name: action
- overwrite: true
- type: keyword
- - name: result
- overwrite: true
- type: keyword
- description: This key is used to capture the outcome/result string value of
- an action in a session.
- - name: severity
- overwrite: true
- type: keyword
- description: This key is used to capture the severity given the session
- - name: event_type
- overwrite: true
- type: keyword
- description: This key captures the event category type as specified by the event
- source.
- - name: reference_id
- overwrite: true
- type: keyword
- description: This key is used to capture an event id from the session directly
- - name: version
- overwrite: true
- type: keyword
- description: This key captures Version of the application or OS which is generating
- the event.
- - name: disposition
- overwrite: true
- type: keyword
- description: This key captures the The end state of an action.
- - name: result_code
- overwrite: true
- type: keyword
- description: This key is used to capture the outcome/result numeric value of
- an action in a session
- - name: category
- overwrite: true
- type: keyword
- description: This key is used to capture the category of an event given by the
- vendor in the session
- - name: obj_name
- overwrite: true
- type: keyword
- description: This is used to capture name of object
- - name: obj_type
- overwrite: true
- type: keyword
- description: This is used to capture type of object
- - name: event_source
- overwrite: true
- type: keyword
- description: "This key captures Source of the event that\u2019s not a hostname"
- - name: log_session_id
- overwrite: true
- type: keyword
- description: This key is used to capture a sessionid from the session directly
- - name: group
- overwrite: true
- type: keyword
- description: This key captures the Group Name value
- - name: policy_name
- overwrite: true
- type: keyword
- description: This key is used to capture the Policy Name only.
- - name: rule_name
- overwrite: true
- type: keyword
- description: This key captures the Rule Name
- - name: context
- overwrite: true
- type: keyword
- description: This key captures Information which adds additional context to
- the event.
- - name: change_new
- overwrite: true
- type: keyword
- description: "This key is used to capture the new values of the attribute that\u2019\
- s changing in a session"
- - name: space
- overwrite: true
- type: keyword
- - name: client
- overwrite: true
- type: keyword
- description: This key is used to capture only the name of the client application
- requesting resources of the server. See the user.agent meta key for capture
- of the specific user agent identifier or browser identification string.
- - name: msgIdPart1
- overwrite: true
- type: keyword
- - name: msgIdPart2
- overwrite: true
- type: keyword
- - name: change_old
- overwrite: true
- type: keyword
- description: "This key is used to capture the old value of the attribute that\u2019\
- s changing in a session"
- - name: operation_id
- overwrite: true
- type: keyword
- description: An alert number or operation number. The values should be unique
- and non-repeating.
- - name: event_state
- overwrite: true
- type: keyword
- description: This key captures the current state of the object/item referenced
- within the event. Describing an on-going event.
- - name: group_object
- overwrite: true
- type: keyword
- description: This key captures a collection/grouping of entities. Specific usage
- - name: node
- overwrite: true
- type: keyword
- description: Common use case is the node name within a cluster. The cluster
- name is reflected by the host name.
- - name: rule
- overwrite: true
- type: keyword
- description: This key captures the Rule number
- - name: device_name
- overwrite: true
- type: keyword
- description: 'This is used to capture name of the Device associated with the
- node Like: a physical disk, printer, etc'
- - name: param
- overwrite: true
- type: keyword
- description: This key is the parameters passed as part of a command or application,
- etc.
- - name: change_attrib
- overwrite: true
- type: keyword
- description: "This key is used to capture the name of the attribute that\u2019\
- s changing in a session"
- - name: event_computer
- overwrite: true
- type: keyword
- description: This key is a windows only concept, where this key is used to capture
- fully qualified domain name in a windows log.
- - name: reference_id1
- overwrite: true
- type: keyword
- description: This key is for Linked ID to be used as an addition to "reference.id"
- - name: event_log
- overwrite: true
- type: keyword
- description: This key captures the Name of the event log
- - name: OS
- overwrite: true
- type: keyword
- description: This key captures the Name of the Operating System
- - name: terminal
- overwrite: true
- type: keyword
- description: This key captures the Terminal Names only
- - name: msgIdPart3
- overwrite: true
- type: keyword
- - name: filter
- overwrite: true
- type: keyword
- description: This key captures Filter used to reduce result set
- - name: serial_number
- overwrite: true
- type: keyword
- description: This key is the Serial number associated with a physical asset.
- - name: checksum
- overwrite: true
- type: keyword
- description: This key is used to capture the checksum or hash of the entity
- such as a file or process. Checksum should be used over checksum.src or checksum.dst
- when it is unclear whether the entity is a source or target of an action.
- - name: event_user
- overwrite: true
- type: keyword
- description: This key is a windows only concept, where this key is used to capture
- combination of domain name and username in a windows log.
- - name: virusname
- overwrite: true
- type: keyword
- description: This key captures the name of the virus
- - name: content_type
- overwrite: true
- type: keyword
- description: This key is used to capture Content Type only.
- - name: group_id
- overwrite: true
- type: keyword
- description: This key captures Group ID Number (related to the group name)
- - name: policy_id
- overwrite: true
- type: keyword
- description: This key is used to capture the Policy ID only, this should be
- a numeric value, use policy.name otherwise
- - name: vsys
- overwrite: true
- type: keyword
- description: This key captures Virtual System Name
- - name: connection_id
- overwrite: true
- type: keyword
- description: This key captures the Connection ID
- - name: reference_id2
- overwrite: true
- type: keyword
- description: This key is for the 2nd Linked ID. Can be either linked to "reference.id"
- or "reference.id1" value but should not be used unless the other two variables
- are in play.
- - name: sensor
- overwrite: true
- type: keyword
- description: This key captures Name of the sensor. Typically used in IDS/IPS
- based devices
- - name: sig_id
- overwrite: true
- type: long
- description: This key captures IDS/IPS Int Signature ID
- - name: port_name
- overwrite: true
- type: keyword
- description: 'This key is used for Physical or logical port connection but does
- NOT include a network port. (Example: Printer port name).'
- - name: rule_group
- overwrite: true
- type: keyword
- description: This key captures the Rule group name
- - name: risk_num
- overwrite: true
- type: double
- description: This key captures a Numeric Risk value
- - name: trigger_val
- overwrite: true
- type: keyword
- description: This key captures the Value of the trigger or threshold condition.
- - name: log_session_id1
- overwrite: true
- type: keyword
- description: This key is used to capture a Linked (Related) Session ID from
- the session directly
- - name: comp_version
- overwrite: true
- type: keyword
- description: This key captures the Version level of a sub-component of a product.
- - name: content_version
- overwrite: true
- type: keyword
- description: This key captures Version level of a signature or database content.
- - name: hardware_id
- overwrite: true
- type: keyword
- description: This key is used to capture unique identifier for a device or system
- (NOT a Mac address)
- - name: risk
- overwrite: true
- type: keyword
- description: This key captures the non-numeric risk value
- - name: event_id
- overwrite: true
- type: keyword
- - name: reason
- overwrite: true
- type: keyword
- - name: status
- overwrite: true
- type: keyword
- - name: mail_id
- overwrite: true
- type: keyword
- description: This key is used to capture the mailbox id/name
- - name: rule_uid
- overwrite: true
- type: keyword
- description: This key is the Unique Identifier for a rule.
- - name: trigger_desc
- overwrite: true
- type: keyword
- description: This key captures the Description of the trigger or threshold condition.
- - name: inout
- overwrite: true
- type: keyword
- - name: p_msgid
- overwrite: true
- type: keyword
- - name: data_type
- overwrite: true
- type: keyword
- - name: msgIdPart4
- overwrite: true
- type: keyword
- - name: error
- overwrite: true
- type: keyword
- description: This key captures All non successful Error codes or responses
- - name: index
- overwrite: true
- type: keyword
- - name: listnum
- overwrite: true
- type: keyword
- description: This key is used to capture listname or listnumber, primarily for
- collecting access-list
- - name: ntype
- overwrite: true
- type: keyword
- - name: observed_val
- overwrite: true
- type: keyword
- description: This key captures the Value observed (from the perspective of the
- device generating the log).
- - name: policy_value
- overwrite: true
- type: keyword
- description: This key captures the contents of the policy. This contains details
- about the policy
- - name: pool_name
- overwrite: true
- type: keyword
- description: This key captures the name of a resource pool
- - name: rule_template
- overwrite: true
- type: keyword
- description: A default set of parameters which are overlayed onto a rule (or
- rulename) which efffectively constitutes a template
- - name: count
- overwrite: true
- type: keyword
- - name: number
- overwrite: true
- type: keyword
- - name: sigcat
- overwrite: true
- type: keyword
- - name: type
- overwrite: true
- type: keyword
- - name: comments
- overwrite: true
- type: keyword
- description: Comment information provided in the log message
- - name: doc_number
- overwrite: true
- type: long
- description: This key captures File Identification number
- - name: expected_val
- overwrite: true
- type: keyword
- description: This key captures the Value expected (from the perspective of the
- device generating the log).
- - name: job_num
- overwrite: true
- type: keyword
- description: This key captures the Job Number
- - name: spi_dst
- overwrite: true
- type: keyword
- description: Destination SPI Index
- - name: spi_src
- overwrite: true
- type: keyword
- description: Source SPI Index
- - name: code
- overwrite: true
- type: keyword
- - name: agent_id
- overwrite: true
- type: keyword
- description: This key is used to capture agent id
- - name: message_body
- overwrite: true
- type: keyword
- description: This key captures the The contents of the message body.
- - name: phone
- overwrite: true
- type: keyword
- - name: sig_id_str
- overwrite: true
- type: keyword
- description: This key captures a string object of the sigid variable.
- - name: cmd
- overwrite: true
- type: keyword
- - name: misc
- overwrite: true
- type: keyword
- - name: name
- overwrite: true
- type: keyword
- - name: cpu
- overwrite: true
- type: long
- description: This key is the CPU time used in the execution of the event being
- recorded.
- - name: event_desc
- overwrite: true
- type: keyword
- description: This key is used to capture a description of an event available
- directly or inferred
- - name: sig_id1
- overwrite: true
- type: long
- description: This key captures IDS/IPS Int Signature ID. This must be linked
- to the sig.id
- - name: im_buddyid
- overwrite: true
- type: keyword
- - name: im_client
- overwrite: true
- type: keyword
- - name: im_userid
- overwrite: true
- type: keyword
- - name: pid
- overwrite: true
- type: keyword
- - name: priority
- overwrite: true
- type: keyword
- - name: context_subject
- overwrite: true
- type: keyword
- description: This key is to be used in an audit context where the subject is
- the object being identified
- - name: context_target
- overwrite: true
- type: keyword
- - name: cve
- overwrite: true
- type: keyword
- description: This key captures CVE (Common Vulnerabilities and Exposures) -
- an identifier for known information security vulnerabilities.
- - name: fcatnum
- overwrite: true
- type: keyword
- description: This key captures Filter Category Number. Legacy Usage
- - name: library
- overwrite: true
- type: keyword
- description: This key is used to capture library information in mainframe devices
- - name: parent_node
- overwrite: true
- type: keyword
- description: This key captures the Parent Node Name. Must be related to node
- variable.
- - name: risk_info
- overwrite: true
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: tcp_flags
- overwrite: true
- type: long
- description: This key is captures the TCP flags set in any packet of session
- - name: tos
- overwrite: true
- type: long
- description: This key describes the type of service
- - name: vm_target
- overwrite: true
- type: keyword
- description: VMWare Target **VMWARE** only varaible.
- - name: workspace
- overwrite: true
- type: keyword
- description: This key captures Workspace Description
- - name: command
- overwrite: true
- type: keyword
- - name: event_category
- overwrite: true
- type: keyword
- - name: facilityname
- overwrite: true
- type: keyword
- - name: forensic_info
- overwrite: true
- type: keyword
- - name: jobname
- overwrite: true
- type: keyword
- - name: mode
- overwrite: true
- type: keyword
- - name: policy
- overwrite: true
- type: keyword
- - name: policy_waiver
- overwrite: true
- type: keyword
- - name: second
- overwrite: true
- type: keyword
- - name: space1
- overwrite: true
- type: keyword
- - name: subcategory
- overwrite: true
- type: keyword
- - name: tbdstr2
- overwrite: true
- type: keyword
- - name: alert_id
- overwrite: true
- type: keyword
- description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: checksum_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the checksum or hash of the the target
- entity such as a process or file.
- - name: checksum_src
- overwrite: true
- type: keyword
- description: This key is used to capture the checksum or hash of the source
- entity such as a file or process.
- - name: fresult
- overwrite: true
- type: long
- description: This key captures the Filter Result
- - name: payload_dst
- overwrite: true
- type: keyword
- description: This key is used to capture destination payload
- - name: payload_src
- overwrite: true
- type: keyword
- description: This key is used to capture source payload
- - name: pool_id
- overwrite: true
- type: keyword
- description: This key captures the identifier (typically numeric field) of a
- resource pool
- - name: process_id_val
- overwrite: true
- type: keyword
- description: This key is a failure key for Process ID when it is not an integer
- value
- - name: risk_num_comm
- overwrite: true
- type: double
- description: This key captures Risk Number Community
- - name: risk_num_next
- overwrite: true
- type: double
- description: This key captures Risk Number NextGen
- - name: risk_num_sand
- overwrite: true
- type: double
- description: This key captures Risk Number SandBox
- - name: risk_num_static
- overwrite: true
- type: double
- description: This key captures Risk Number Static
- - name: risk_suspicious
- overwrite: true
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: risk_warning
- overwrite: true
- type: keyword
- description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*)
- - name: snmp_oid
- overwrite: true
- type: keyword
- description: SNMP Object Identifier
- - name: sql
- overwrite: true
- type: keyword
- description: This key captures the SQL query
- - name: vuln_ref
- overwrite: true
- type: keyword
- description: This key captures the Vulnerability Reference details
- - name: acl_id
- overwrite: true
- type: keyword
- - name: acl_op
- overwrite: true
- type: keyword
- - name: acl_pos
- overwrite: true
- type: keyword
- - name: acl_table
- overwrite: true
- type: keyword
- - name: admin
- overwrite: true
- type: keyword
- - name: alarm_id
- overwrite: true
- type: keyword
- - name: alarmname
- overwrite: true
- type: keyword
- - name: app_id
- overwrite: true
- type: keyword
- - name: audit
- overwrite: true
- type: keyword
- - name: audit_object
- overwrite: true
- type: keyword
- - name: auditdata
- overwrite: true
- type: keyword
- - name: benchmark
- overwrite: true
- type: keyword
- - name: bypass
- overwrite: true
- type: keyword
- - name: cache
- overwrite: true
- type: keyword
- - name: cache_hit
- overwrite: true
- type: keyword
- - name: cefversion
- overwrite: true
- type: keyword
- - name: cfg_attr
- overwrite: true
- type: keyword
- - name: cfg_obj
- overwrite: true
- type: keyword
- - name: cfg_path
- overwrite: true
- type: keyword
- - name: changes
- overwrite: true
- type: keyword
- - name: client_ip
- overwrite: true
- type: keyword
- - name: clustermembers
- overwrite: true
- type: keyword
- - name: cn_acttimeout
- overwrite: true
- type: keyword
- - name: cn_asn_src
- overwrite: true
- type: keyword
- - name: cn_bgpv4nxthop
- overwrite: true
- type: keyword
- - name: cn_ctr_dst_code
- overwrite: true
- type: keyword
- - name: cn_dst_tos
- overwrite: true
- type: keyword
- - name: cn_dst_vlan
- overwrite: true
- type: keyword
- - name: cn_engine_id
- overwrite: true
- type: keyword
- - name: cn_engine_type
- overwrite: true
- type: keyword
- - name: cn_f_switch
- overwrite: true
- type: keyword
- - name: cn_flowsampid
- overwrite: true
- type: keyword
- - name: cn_flowsampintv
- overwrite: true
- type: keyword
- - name: cn_flowsampmode
- overwrite: true
- type: keyword
- - name: cn_inacttimeout
- overwrite: true
- type: keyword
- - name: cn_inpermbyts
- overwrite: true
- type: keyword
- - name: cn_inpermpckts
- overwrite: true
- type: keyword
- - name: cn_invalid
- overwrite: true
- type: keyword
- - name: cn_ip_proto_ver
- overwrite: true
- type: keyword
- - name: cn_ipv4_ident
- overwrite: true
- type: keyword
- - name: cn_l_switch
- overwrite: true
- type: keyword
- - name: cn_log_did
- overwrite: true
- type: keyword
- - name: cn_log_rid
- overwrite: true
- type: keyword
- - name: cn_max_ttl
- overwrite: true
- type: keyword
- - name: cn_maxpcktlen
- overwrite: true
- type: keyword
- - name: cn_min_ttl
- overwrite: true
- type: keyword
- - name: cn_minpcktlen
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_1
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_10
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_2
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_3
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_4
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_5
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_6
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_7
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_8
- overwrite: true
- type: keyword
- - name: cn_mpls_lbl_9
- overwrite: true
- type: keyword
- - name: cn_mplstoplabel
- overwrite: true
- type: keyword
- - name: cn_mplstoplabip
- overwrite: true
- type: keyword
- - name: cn_mul_dst_byt
- overwrite: true
- type: keyword
- - name: cn_mul_dst_pks
- overwrite: true
- type: keyword
- - name: cn_muligmptype
- overwrite: true
- type: keyword
- - name: cn_sampalgo
- overwrite: true
- type: keyword
- - name: cn_sampint
- overwrite: true
- type: keyword
- - name: cn_seqctr
- overwrite: true
- type: keyword
- - name: cn_spackets
- overwrite: true
- type: keyword
- - name: cn_src_tos
- overwrite: true
- type: keyword
- - name: cn_src_vlan
- overwrite: true
- type: keyword
- - name: cn_sysuptime
- overwrite: true
- type: keyword
- - name: cn_template_id
- overwrite: true
- type: keyword
- - name: cn_totbytsexp
- overwrite: true
- type: keyword
- - name: cn_totflowexp
- overwrite: true
- type: keyword
- - name: cn_totpcktsexp
- overwrite: true
- type: keyword
- - name: cn_unixnanosecs
- overwrite: true
- type: keyword
- - name: cn_v6flowlabel
- overwrite: true
- type: keyword
- - name: cn_v6optheaders
- overwrite: true
- type: keyword
- - name: comp_class
- overwrite: true
- type: keyword
- - name: comp_name
- overwrite: true
- type: keyword
- - name: comp_rbytes
- overwrite: true
- type: keyword
- - name: comp_sbytes
- overwrite: true
- type: keyword
- - name: cpu_data
- overwrite: true
- type: keyword
- - name: criticality
- overwrite: true
- type: keyword
- - name: cs_agency_dst
- overwrite: true
- type: keyword
- - name: cs_analyzedby
- overwrite: true
- type: keyword
- - name: cs_av_other
- overwrite: true
- type: keyword
- - name: cs_av_primary
- overwrite: true
- type: keyword
- - name: cs_av_secondary
- overwrite: true
- type: keyword
- - name: cs_bgpv6nxthop
- overwrite: true
- type: keyword
- - name: cs_bit9status
- overwrite: true
- type: keyword
- - name: cs_context
- overwrite: true
- type: keyword
- - name: cs_control
- overwrite: true
- type: keyword
- - name: cs_data
- overwrite: true
- type: keyword
- - name: cs_datecret
- overwrite: true
- type: keyword
- - name: cs_dst_tld
- overwrite: true
- type: keyword
- - name: cs_eth_dst_ven
- overwrite: true
- type: keyword
- - name: cs_eth_src_ven
- overwrite: true
- type: keyword
- - name: cs_event_uuid
- overwrite: true
- type: keyword
- - name: cs_filetype
- overwrite: true
- type: keyword
- - name: cs_fld
- overwrite: true
- type: keyword
- - name: cs_if_desc
- overwrite: true
- type: keyword
- - name: cs_if_name
- overwrite: true
- type: keyword
- - name: cs_ip_next_hop
- overwrite: true
- type: keyword
- - name: cs_ipv4dstpre
- overwrite: true
- type: keyword
- - name: cs_ipv4srcpre
- overwrite: true
- type: keyword
- - name: cs_lifetime
- overwrite: true
- type: keyword
- - name: cs_log_medium
- overwrite: true
- type: keyword
- - name: cs_loginname
- overwrite: true
- type: keyword
- - name: cs_modulescore
- overwrite: true
- type: keyword
- - name: cs_modulesign
- overwrite: true
- type: keyword
- - name: cs_opswatresult
- overwrite: true
- type: keyword
- - name: cs_payload
- overwrite: true
- type: keyword
- - name: cs_registrant
- overwrite: true
- type: keyword
- - name: cs_registrar
- overwrite: true
- type: keyword
- - name: cs_represult
- overwrite: true
- type: keyword
- - name: cs_rpayload
- overwrite: true
- type: keyword
- - name: cs_sampler_name
- overwrite: true
- type: keyword
- - name: cs_sourcemodule
- overwrite: true
- type: keyword
- - name: cs_streams
- overwrite: true
- type: keyword
- - name: cs_targetmodule
- overwrite: true
- type: keyword
- - name: cs_v6nxthop
- overwrite: true
- type: keyword
- - name: cs_whois_server
- overwrite: true
- type: keyword
- - name: cs_yararesult
- overwrite: true
- type: keyword
- - name: description
- overwrite: true
- type: keyword
- - name: devvendor
- overwrite: true
- type: keyword
- - name: distance
- overwrite: true
- type: keyword
- - name: dstburb
- overwrite: true
- type: keyword
- - name: edomain
- overwrite: true
- type: keyword
- - name: edomaub
- overwrite: true
- type: keyword
- - name: euid
- overwrite: true
- type: keyword
- - name: facility
- overwrite: true
- type: keyword
- - name: finterface
- overwrite: true
- type: keyword
- - name: flags
- overwrite: true
- type: keyword
- - name: gaddr
- overwrite: true
- type: keyword
- - name: id3
- overwrite: true
- type: keyword
- - name: im_buddyname
- overwrite: true
- type: keyword
- - name: im_croomid
- overwrite: true
- type: keyword
- - name: im_croomtype
- overwrite: true
- type: keyword
- - name: im_members
- overwrite: true
- type: keyword
- - name: im_username
- overwrite: true
- type: keyword
- - name: ipkt
- overwrite: true
- type: keyword
- - name: ipscat
- overwrite: true
- type: keyword
- - name: ipspri
- overwrite: true
- type: keyword
- - name: latitude
- overwrite: true
- type: keyword
- - name: linenum
- overwrite: true
- type: keyword
- - name: list_name
- overwrite: true
- type: keyword
- - name: load_data
- overwrite: true
- type: keyword
- - name: location_floor
- overwrite: true
- type: keyword
- - name: location_mark
- overwrite: true
- type: keyword
- - name: log_id
- overwrite: true
- type: keyword
- - name: log_type
- overwrite: true
- type: keyword
- - name: logid
- overwrite: true
- type: keyword
- - name: logip
- overwrite: true
- type: keyword
- - name: logname
- overwrite: true
- type: keyword
- - name: longitude
- overwrite: true
- type: keyword
- - name: lport
- overwrite: true
- type: keyword
- - name: mbug_data
- overwrite: true
- type: keyword
- - name: misc_name
- overwrite: true
- type: keyword
- - name: msg_type
- overwrite: true
- type: keyword
- - name: msgid
- overwrite: true
- type: keyword
- - name: netsessid
- overwrite: true
- type: keyword
- - name: num
- overwrite: true
- type: keyword
- - name: number1
- overwrite: true
- type: keyword
- - name: number2
- overwrite: true
- type: keyword
- - name: nwwn
- overwrite: true
- type: keyword
- - name: object
- overwrite: true
- type: keyword
- - name: operation
- overwrite: true
- type: keyword
- - name: opkt
- overwrite: true
- type: keyword
- - name: orig_from
- overwrite: true
- type: keyword
- - name: owner_id
- overwrite: true
- type: keyword
- - name: p_action
- overwrite: true
- type: keyword
- - name: p_filter
- overwrite: true
- type: keyword
- - name: p_group_object
- overwrite: true
- type: keyword
- - name: p_id
- overwrite: true
- type: keyword
- - name: p_msgid1
- overwrite: true
- type: keyword
- - name: p_msgid2
- overwrite: true
- type: keyword
- - name: p_result1
- overwrite: true
- type: keyword
- - name: password_chg
- overwrite: true
- type: keyword
- - name: password_expire
- overwrite: true
- type: keyword
- - name: permgranted
- overwrite: true
- type: keyword
- - name: permwanted
- overwrite: true
- type: keyword
- - name: pgid
- overwrite: true
- type: keyword
- - name: policyUUID
- overwrite: true
- type: keyword
- - name: prog_asp_num
- overwrite: true
- type: keyword
- - name: program
- overwrite: true
- type: keyword
- - name: real_data
- overwrite: true
- type: keyword
- - name: rec_asp_device
- overwrite: true
- type: keyword
- - name: rec_asp_num
- overwrite: true
- type: keyword
- - name: rec_library
- overwrite: true
- type: keyword
- - name: recordnum
- overwrite: true
- type: keyword
- - name: ruid
- overwrite: true
- type: keyword
- - name: sburb
- overwrite: true
- type: keyword
- - name: sdomain_fld
- overwrite: true
- type: keyword
- - name: sec
- overwrite: true
- type: keyword
- - name: sensorname
- overwrite: true
- type: keyword
- - name: seqnum
- overwrite: true
- type: keyword
- - name: session
- overwrite: true
- type: keyword
- - name: sessiontype
- overwrite: true
- type: keyword
- - name: sigUUID
- overwrite: true
- type: keyword
- - name: spi
- overwrite: true
- type: keyword
- - name: srcburb
- overwrite: true
- type: keyword
- - name: srcdom
- overwrite: true
- type: keyword
- - name: srcservice
- overwrite: true
- type: keyword
- - name: state
- overwrite: true
- type: keyword
- - name: status1
- overwrite: true
- type: keyword
- - name: svcno
- overwrite: true
- type: keyword
- - name: system
- overwrite: true
- type: keyword
- - name: tbdstr1
- overwrite: true
- type: keyword
- - name: tgtdom
- overwrite: true
- type: keyword
- - name: tgtdomain
- overwrite: true
- type: keyword
- - name: threshold
- overwrite: true
- type: keyword
- - name: type1
- overwrite: true
- type: keyword
- - name: udb_class
- overwrite: true
- type: keyword
- - name: url_fld
- overwrite: true
- type: keyword
- - name: user_div
- overwrite: true
- type: keyword
- - name: userid
- overwrite: true
- type: keyword
- - name: username_fld
- overwrite: true
- type: keyword
- - name: utcstamp
- overwrite: true
- type: keyword
- - name: v_instafname
- overwrite: true
- type: keyword
- - name: virt_data
- overwrite: true
- type: keyword
- - name: vpnid
- overwrite: true
- type: keyword
- - name: autorun_type
- overwrite: true
- type: keyword
- description: This is used to capture Auto Run type
- - name: cc_number
- overwrite: true
- type: long
- description: Valid Credit Card Numbers only
- - name: content
- overwrite: true
- type: keyword
- description: This key captures the content type from protocol headers
- - name: ein_number
- overwrite: true
- type: long
- description: Employee Identification Numbers only
- - name: found
- overwrite: true
- type: keyword
- description: This is used to capture the results of regex match
- - name: language
- overwrite: true
- type: keyword
- description: This is used to capture list of languages the client support and
- what it prefers
- - name: lifetime
- overwrite: true
- type: long
- description: This key is used to capture the session lifetime in seconds.
- - name: link
- overwrite: true
- type: keyword
- description: This key is used to link the sessions together. This key should
- never be used to parse Meta data from a session (Logs/Packets) Directly, this
- is a Reserved key in NetWitness
- - name: match
- overwrite: true
- type: keyword
- description: This key is for regex match name from search.ini
- - name: param_dst
- overwrite: true
- type: keyword
- description: This key captures the command line/launch argument of the target
- process or file
- - name: param_src
- overwrite: true
- type: keyword
- description: This key captures source parameter
- - name: search_text
- overwrite: true
- type: keyword
- description: This key captures the Search Text used
- - name: sig_name
- overwrite: true
- type: keyword
- description: This key is used to capture the Signature Name only.
- - name: snmp_value
- overwrite: true
- type: keyword
- description: SNMP set request value
- - name: streams
- overwrite: true
- type: long
- description: This key captures number of streams in session
- - name: db
- overwrite: true
- type: group
- fields:
- - name: index
- overwrite: true
- type: keyword
- description: This key captures IndexID of the index.
- - name: instance
- overwrite: true
- type: keyword
- description: This key is used to capture the database server instance name
- - name: database
- overwrite: true
- type: keyword
- description: This key is used to capture the name of a database or an instance
- as seen in a session
- - name: transact_id
- overwrite: true
- type: keyword
- description: This key captures the SQL transantion ID of the current session
- - name: permissions
- overwrite: true
- type: keyword
- description: This key captures permission or privilege level assigned to a resource.
- - name: table_name
- overwrite: true
- type: keyword
- description: This key is used to capture the table name
- - name: db_id
- overwrite: true
- type: keyword
- description: This key is used to capture the unique identifier for a database
- - name: db_pid
- overwrite: true
- type: long
- description: This key captures the process id of a connection with database
- server
- - name: lread
- overwrite: true
- type: long
- description: This key is used for the number of logical reads
- - name: lwrite
- overwrite: true
- type: long
- description: This key is used for the number of logical writes
- - name: pread
- overwrite: true
- type: long
- description: This key is used for the number of physical writes
- - name: network
- overwrite: true
- type: group
- fields:
- - name: alias_host
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of a hostname is not clear.Also it captures the Device Hostname. Any Hostname
- that isnt ad.computer.
- - name: domain
- overwrite: true
- type: keyword
- - name: host_dst
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Hostname"
- - name: network_service
- overwrite: true
- type: keyword
- description: This is used to capture layer 7 protocols/service names
- - name: interface
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of an interface is not clear
- - name: network_port
- overwrite: true
- type: long
- description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently
- used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)'
- - name: eth_host
- overwrite: true
- type: keyword
- description: Deprecated, use alias.mac
- - name: sinterface
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Source Interface"
- - name: dinterface
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Interface"
- - name: vlan
- overwrite: true
- type: long
- description: This key should only be used to capture the ID of the Virtual LAN
- - name: zone_src
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Source Zone."
- - name: zone
- overwrite: true
- type: keyword
- description: This key should be used when the source or destination context
- of a Zone is not clear
- - name: zone_dst
- overwrite: true
- type: keyword
- description: "This key should only be used when it\u2019s a Destination Zone."
- - name: gateway
- overwrite: true
- type: keyword
- description: This key is used to capture the IP Address of the gateway
- - name: icmp_type
- overwrite: true
- type: long
- description: This key is used to capture the ICMP type only
- - name: mask
- overwrite: true
- type: keyword
- description: This key is used to capture the device network IPmask.
- - name: icmp_code
- overwrite: true
- type: long
- description: This key is used to capture the ICMP code only
- - name: protocol_detail
- overwrite: true
- type: keyword
- description: This key should be used to capture additional protocol information
- - name: dmask
- overwrite: true
- type: keyword
- description: This key is used for Destionation Device network mask
- - name: port
- overwrite: true
- type: long
- description: This key should only be used to capture a Network Port when the
- directionality is not clear
- - name: smask
- overwrite: true
- type: keyword
- description: This key is used for capturing source Network Mask
- - name: netname
- overwrite: true
- type: keyword
- description: This key is used to capture the network name associated with an
- IP range. This is configured by the end user.
- - name: paddr
- overwrite: true
- type: ip
- description: Deprecated
- - name: faddr
- overwrite: true
- type: keyword
- - name: lhost
- overwrite: true
- type: keyword
- - name: origin
- overwrite: true
- type: keyword
- - name: remote_domain_id
- overwrite: true
- type: keyword
- - name: addr
- overwrite: true
- type: keyword
- - name: dns_a_record
- overwrite: true
- type: keyword
- - name: dns_ptr_record
- overwrite: true
- type: keyword
- - name: fhost
- overwrite: true
- type: keyword
- - name: fport
- overwrite: true
- type: keyword
- - name: laddr
- overwrite: true
- type: keyword
- - name: linterface
- overwrite: true
- type: keyword
- - name: phost
- overwrite: true
- type: keyword
- - name: ad_computer_dst
- overwrite: true
- type: keyword
- description: Deprecated, use host.dst
- - name: eth_type
- overwrite: true
- type: long
- description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols
- Only
- - name: ip_proto
- overwrite: true
- type: long
- description: This key should be used to capture the Protocol number, all the
- protocol nubers are converted into string in UI
- - name: dns_cname_record
- overwrite: true
- type: keyword
- - name: dns_id
- overwrite: true
- type: keyword
- - name: dns_opcode
- overwrite: true
- type: keyword
- - name: dns_resp
- overwrite: true
- type: keyword
- - name: dns_type
- overwrite: true
- type: keyword
- - name: domain1
- overwrite: true
- type: keyword
- - name: host_type
- overwrite: true
- type: keyword
- - name: packet_length
- overwrite: true
- type: keyword
- - name: host_orig
- overwrite: true
- type: keyword
- description: This is used to capture the original hostname in case of a Forwarding
- Agent or a Proxy in between.
- - name: rpayload
- overwrite: true
- type: keyword
- description: This key is used to capture the total number of payload bytes seen
- in the retransmitted packets.
- - name: vlan_name
- overwrite: true
- type: keyword
- description: This key should only be used to capture the name of the Virtual
- LAN
- - name: investigations
- overwrite: true
- type: group
- fields:
- - name: ec_activity
- overwrite: true
- type: keyword
- description: This key captures the particular event activity(Ex:Logoff)
- - name: ec_theme
- overwrite: true
- type: keyword
- description: This key captures the Theme of a particular Event(Ex:Authentication)
- - name: ec_subject
- overwrite: true
- type: keyword
- description: This key captures the Subject of a particular Event(Ex:User)
- - name: ec_outcome
- overwrite: true
- type: keyword
- description: This key captures the outcome of a particular Event(Ex:Success)
- - name: event_cat
- overwrite: true
- type: long
- description: This key captures the Event category number
- - name: event_cat_name
- overwrite: true
- type: keyword
- description: This key captures the event category name corresponding to the
- event cat code
- - name: event_vcat
- overwrite: true
- type: keyword
- description: This is a vendor supplied category. This should be used in situations
- where the vendor has adopted their own event_category taxonomy.
- - name: analysis_file
- overwrite: true
- type: keyword
- description: This is used to capture all indicators used in a File Analysis.
- This key should be used to capture an analysis of a file
- - name: analysis_service
- overwrite: true
- type: keyword
- description: This is used to capture all indicators used in a Service Analysis.
- This key should be used to capture an analysis of a service
- - name: analysis_session
- overwrite: true
- type: keyword
- description: This is used to capture all indicators used for a Session Analysis.
- This key should be used to capture an analysis of a session
- - name: boc
- overwrite: true
- type: keyword
- description: This is used to capture behaviour of compromise
- - name: eoc
- overwrite: true
- type: keyword
- description: This is used to capture Enablers of Compromise
- - name: inv_category
- overwrite: true
- type: keyword
- description: This used to capture investigation category
- - name: inv_context
- overwrite: true
- type: keyword
- description: This used to capture investigation context
- - name: ioc
- overwrite: true
- type: keyword
- description: This is key capture indicator of compromise
- - name: counters
- overwrite: true
- type: group
- fields:
- - name: dclass_c1
- overwrite: true
- type: long
- description: This is a generic counter key that should be used with the label
- dclass.c1.str only
- - name: dclass_c2
- overwrite: true
- type: long
- description: This is a generic counter key that should be used with the label
- dclass.c2.str only
- - name: event_counter
- overwrite: true
- type: long
- description: This is used to capture the number of times an event repeated
- - name: dclass_r1
- overwrite: true
- type: keyword
- description: This is a generic ratio key that should be used with the label
- dclass.r1.str only
- - name: dclass_c3
- overwrite: true
- type: long
- description: This is a generic counter key that should be used with the label
- dclass.c3.str only
- - name: dclass_c1_str
- overwrite: true
- type: keyword
- description: This is a generic counter string key that should be used with the
- label dclass.c1 only
- - name: dclass_c2_str
- overwrite: true
- type: keyword
- description: This is a generic counter string key that should be used with the
- label dclass.c2 only
- - name: dclass_r1_str
- overwrite: true
- type: keyword
- description: This is a generic ratio string key that should be used with the
- label dclass.r1 only
- - name: dclass_r2
- overwrite: true
- type: keyword
- description: This is a generic ratio key that should be used with the label
- dclass.r2.str only
- - name: dclass_c3_str
- overwrite: true
- type: keyword
- description: This is a generic counter string key that should be used with the
- label dclass.c3 only
- - name: dclass_r3
- overwrite: true
- type: keyword
- description: This is a generic ratio key that should be used with the label
- dclass.r3.str only
- - name: dclass_r2_str
- overwrite: true
- type: keyword
- description: This is a generic ratio string key that should be used with the
- label dclass.r2 only
- - name: dclass_r3_str
- overwrite: true
- type: keyword
- description: This is a generic ratio string key that should be used with the
- label dclass.r3 only
- - name: identity
- overwrite: true
- type: group
- fields:
- - name: auth_method
- overwrite: true
- type: keyword
- description: This key is used to capture authentication methods used only
- - name: user_role
- overwrite: true
- type: keyword
- description: This key is used to capture the Role of a user only
- - name: dn
- overwrite: true
- type: keyword
- description: X.500 (LDAP) Distinguished Name
- - name: logon_type
- overwrite: true
- type: keyword
- description: This key is used to capture the type of logon method used.
- - name: profile
- overwrite: true
- type: keyword
- description: This key is used to capture the user profile
- - name: accesses
- overwrite: true
- type: keyword
- description: This key is used to capture actual privileges used in accessing
- an object
- - name: realm
- overwrite: true
- type: keyword
- description: Radius realm or similar grouping of accounts
- - name: user_sid_dst
- overwrite: true
- type: keyword
- description: This key captures Destination User Session ID
- - name: dn_src
- overwrite: true
- type: keyword
- description: An X.500 (LDAP) Distinguished name that is used in a context that
- indicates a Source dn
- - name: org
- overwrite: true
- type: keyword
- description: This key captures the User organization
- - name: dn_dst
- overwrite: true
- type: keyword
- description: An X.500 (LDAP) Distinguished name that used in a context that
- indicates a Destination dn
- - name: firstname
- overwrite: true
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: lastname
- overwrite: true
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: user_dept
- overwrite: true
- type: keyword
- description: User's Department Names only
- - name: user_sid_src
- overwrite: true
- type: keyword
- description: This key captures Source User Session ID
- - name: federated_sp
- overwrite: true
- type: keyword
- description: This key is the Federated Service Provider. This is the application
- requesting authentication.
- - name: federated_idp
- overwrite: true
- type: keyword
- description: This key is the federated Identity Provider. This is the server
- providing the authentication.
- - name: logon_type_desc
- overwrite: true
- type: keyword
- description: This key is used to capture the textual description of an integer
- logon type as stored in the meta key 'logon.type'.
- - name: middlename
- overwrite: true
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare
- predominantly to capture Patients information
- - name: password
- overwrite: true
- type: keyword
- description: This key is for Passwords seen in any session, plain text or encrypted
- - name: host_role
- overwrite: true
- type: keyword
- description: This key should only be used to capture the role of a Host Machine
- - name: ldap
- overwrite: true
- type: keyword
- description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\
- t have a clear query or response context"
- - name: ldap_query
- overwrite: true
- type: keyword
- description: This key is the Search criteria from an LDAP search
- - name: ldap_response
- overwrite: true
- type: keyword
- description: This key is to capture Results from an LDAP search
- - name: owner
- overwrite: true
- type: keyword
- description: This is used to capture username the process or service is running
- as, the author of the task
- - name: service_account
- overwrite: true
- type: keyword
- description: This key is a windows specific key, used for capturing name of
- the account a service (referenced in the event) is running under. Legacy Usage
- - name: email
- overwrite: true
- type: group
- fields:
- - name: email_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the Destination email address only,
- when the destination context is not clear use email
- - name: email_src
- overwrite: true
- type: keyword
- description: This key is used to capture the source email address only, when
- the source context is not clear use email
- - name: subject
- overwrite: true
- type: keyword
- description: This key is used to capture the subject string from an Email only.
- - name: email
- overwrite: true
- type: keyword
- description: This key is used to capture a generic email address where the source
- or destination context is not clear
- - name: trans_from
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: trans_to
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: file
- overwrite: true
- type: group
- fields:
- - name: privilege
- overwrite: true
- type: keyword
- description: Deprecated, use permissions
- - name: attachment
- overwrite: true
- type: keyword
- description: This key captures the attachment file name
- - name: filesystem
- overwrite: true
- type: keyword
- - name: binary
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: filename_dst
- overwrite: true
- type: keyword
- description: This is used to capture name of the file targeted by the action
- - name: filename_src
- overwrite: true
- type: keyword
- description: This is used to capture name of the parent filename, the file which
- performed the action
- - name: filename_tmp
- overwrite: true
- type: keyword
- - name: directory_dst
- overwrite: true
- type: keyword
- description: This key is used to capture the directory of the target process
- or file
- - name: directory_src
- overwrite: true
- type: keyword
- description: This key is used to capture the directory of the source process
- or file
- - name: file_entropy
- overwrite: true
- type: double
- description: This is used to capture entropy vale of a file
- - name: file_vendor
- overwrite: true
- type: keyword
- description: This is used to capture Company name of file located in version_info
- - name: task_name
- overwrite: true
- type: keyword
- description: This is used to capture name of the task
- - name: web
- overwrite: true
- type: group
- fields:
- - name: fqdn
- overwrite: true
- type: keyword
- description: Fully Qualified Domain Names
- - name: web_cookie
- overwrite: true
- type: keyword
- description: This key is used to capture the Web cookies specifically.
- - name: alias_host
- overwrite: true
- type: keyword
- - name: reputation_num
- overwrite: true
- type: double
- description: Reputation Number of an entity. Typically used for Web Domains
- - name: web_ref_domain
- overwrite: true
- type: keyword
- description: Web referer's domain
- - name: web_ref_query
- overwrite: true
- type: keyword
- description: This key captures Web referer's query portion of the URL
- - name: remote_domain
- overwrite: true
- type: keyword
- - name: web_ref_page
- overwrite: true
- type: keyword
- description: This key captures Web referer's page information
- - name: web_ref_root
- overwrite: true
- type: keyword
- description: Web referer's root URL path
- - name: cn_asn_dst
- overwrite: true
- type: keyword
- - name: cn_rpackets
- overwrite: true
- type: keyword
- - name: urlpage
- overwrite: true
- type: keyword
- - name: urlroot
- overwrite: true
- type: keyword
- - name: p_url
- overwrite: true
- type: keyword
- - name: p_user_agent
- overwrite: true
- type: keyword
- - name: p_web_cookie
- overwrite: true
- type: keyword
- - name: p_web_method
- overwrite: true
- type: keyword
- - name: p_web_referer
- overwrite: true
- type: keyword
- - name: web_extension_tmp
- overwrite: true
- type: keyword
- - name: web_page
- overwrite: true
- type: keyword
- - name: threat
- overwrite: true
- type: group
- fields:
- - name: threat_category
- overwrite: true
- type: keyword
- description: This key captures Threat Name/Threat Category/Categorization of
- alert
- - name: threat_desc
- overwrite: true
- type: keyword
- description: This key is used to capture the threat description from the session
- directly or inferred
- - name: alert
- overwrite: true
- type: keyword
- description: This key is used to capture name of the alert
- - name: threat_source
- overwrite: true
- type: keyword
- description: This key is used to capture source of the threat
- - name: crypto
- overwrite: true
- type: group
- fields:
- - name: crypto
- overwrite: true
- type: keyword
- description: This key is used to capture the Encryption Type or Encryption Key
- only
- - name: cipher_src
- overwrite: true
- type: keyword
- description: This key is for Source (Client) Cipher
- - name: cert_subject
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate organization only
- - name: peer
- overwrite: true
- type: keyword
- description: This key is for Encryption peer's IP Address
- - name: cipher_size_src
- overwrite: true
- type: long
- description: This key captures Source (Client) Cipher Size
- - name: ike
- overwrite: true
- type: keyword
- description: IKE negotiation phase.
- - name: scheme
- overwrite: true
- type: keyword
- description: This key captures the Encryption scheme used
- - name: peer_id
- overwrite: true
- type: keyword
- description: "This key is for Encryption peer\u2019s identity"
- - name: sig_type
- overwrite: true
- type: keyword
- description: This key captures the Signature Type
- - name: cert_issuer
- overwrite: true
- type: keyword
- - name: cert_host_name
- overwrite: true
- type: keyword
- description: Deprecated key defined only in table map.
- - name: cert_error
- overwrite: true
- type: keyword
- description: This key captures the Certificate Error String
- - name: cipher_dst
- overwrite: true
- type: keyword
- description: This key is for Destination (Server) Cipher
- - name: cipher_size_dst
- overwrite: true
- type: long
- description: This key captures Destination (Server) Cipher Size
- - name: ssl_ver_src
- overwrite: true
- type: keyword
- description: Deprecated, use version
- - name: d_certauth
- overwrite: true
- type: keyword
- - name: s_certauth
- overwrite: true
- type: keyword
- - name: ike_cookie1
- overwrite: true
- type: keyword
- description: "ID of the negotiation \u2014 sent for ISAKMP Phase One"
- - name: ike_cookie2
- overwrite: true
- type: keyword
- description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two"
- - name: cert_checksum
- overwrite: true
- type: keyword
- - name: cert_host_cat
- overwrite: true
- type: keyword
- description: This key is used for the hostname category value of a certificate
- - name: cert_serial
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate serial number only
- - name: cert_status
- overwrite: true
- type: keyword
- description: This key captures Certificate validation status
- - name: ssl_ver_dst
- overwrite: true
- type: keyword
- description: Deprecated, use version
- - name: cert_keysize
- overwrite: true
- type: keyword
- - name: cert_username
- overwrite: true
- type: keyword
- - name: https_insact
- overwrite: true
- type: keyword
- - name: https_valid
- overwrite: true
- type: keyword
- - name: cert_ca
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate signing authority only
- - name: cert_common
- overwrite: true
- type: keyword
- description: This key is used to capture the Certificate common name only
- - name: wireless
- overwrite: true
- type: group
- fields:
- - name: wlan_ssid
- overwrite: true
- type: keyword
- description: This key is used to capture the ssid of a Wireless Session
- - name: access_point
- overwrite: true
- type: keyword
- description: This key is used to capture the access point name.
- - name: wlan_channel
- overwrite: true
- type: long
- description: This is used to capture the channel names
- - name: wlan_name
- overwrite: true
- type: keyword
- description: This key captures either WLAN number/name
- - name: storage
- overwrite: true
- type: group
- fields:
- - name: disk_volume
- overwrite: true
- type: keyword
- description: A unique name assigned to logical units (volumes) within a physical
- disk
- - name: lun
- overwrite: true
- type: keyword
- description: Logical Unit Number.This key is a very useful concept in Storage.
- - name: pwwn
- overwrite: true
- type: keyword
- description: This uniquely identifies a port on a HBA.
- - name: physical
- overwrite: true
- type: group
- fields:
- - name: org_dst
- overwrite: true
- type: keyword
- description: This is used to capture the destination organization based on the
- GEOPIP Maxmind database.
- - name: org_src
- overwrite: true
- type: keyword
- description: This is used to capture the source organization based on the GEOPIP
- Maxmind database.
- - name: healthcare
- overwrite: true
- type: group
- fields:
- - name: patient_fname
- overwrite: true
- type: keyword
- description: This key is for First Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: patient_id
- overwrite: true
- type: keyword
- description: This key captures the unique ID for a patient
- - name: patient_lname
- overwrite: true
- type: keyword
- description: This key is for Last Names only, this is used for Healthcare predominantly
- to capture Patients information
- - name: patient_mname
- overwrite: true
- type: keyword
- description: This key is for Middle Names only, this is used for Healthcare
- predominantly to capture Patients information
- - name: endpoint
- overwrite: true
- type: group
- fields:
- - name: host_state
- overwrite: true
- type: keyword
- description: This key is used to capture the current state of the machine, such
- as blacklisted, infected, firewall
- disabled and so on
- - name: registry_key
- overwrite: true
- type: keyword
- description: This key captures the path to the registry key
- - name: registry_value
- overwrite: true
- type: keyword
- description: This key captures values or decorators used within a registry entry
diff --git a/x-pack/filebeat/module/f5/firepass/config/input.yml b/x-pack/filebeat/module/f5/firepass/config/input.yml
deleted file mode 100644
index 467922155dc..00000000000
--- a/x-pack/filebeat/module/f5/firepass/config/input.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "F5"
- product: "FirePass"
- type: "VPN"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/f5/firepass/config/liblogparser.js
- - ${path.home}/module/f5/firepass/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
deleted file mode 100644
index c8cf5e2ee06..00000000000
--- a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
+++ /dev/null
@@ -1,2344 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-/* jshint -W014,-W016,-W097,-W116 */
-
-var processor = require("processor");
-var console = require("console");
-
-var FLAG_FIELD = "log.flags";
-var FIELDS_OBJECT = "nwparser";
-var FIELDS_PREFIX = FIELDS_OBJECT + ".";
-
-var defaults = {
- debug: false,
- ecs: true,
- rsa: false,
- keep_raw: false,
- tz_offset: "local",
- strip_priority: true
-};
-
-var saved_flags = null;
-var debug;
-var map_ecs;
-var map_rsa;
-var keep_raw;
-var device;
-var tz_offset;
-var strip_priority;
-
-// Register params from configuration.
-function register(params) {
- debug = params.debug !== undefined ? params.debug : defaults.debug;
- map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs;
- map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa;
- keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw;
- tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset);
- strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority;
- device = new DeviceProcessor();
-}
-
-function parse_tz_offset(offset) {
- var date;
- var m;
- switch(offset) {
- // local uses the tz offset from the JS VM.
- case "local":
- date = new Date();
- // Reversing the sign as we the offset from UTC, not to UTC.
- return parse_local_tz_offset(-date.getTimezoneOffset());
- // event uses the tz offset from event.timezone (add_locale processor).
- case "event":
- return offset;
- // Otherwise a tz offset in the form "[+-][0-9]{4}" is required.
- default:
- m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/);
- if (m === null || m.length !== 4) {
- throw("bad timezone offset: '" + offset + "'. Must have the form +HH:MM");
- }
- return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00");
- }
-}
-
-function parse_local_tz_offset(minutes) {
- var neg = minutes < 0;
- minutes = Math.abs(minutes);
- var min = minutes % 60;
- var hours = Math.floor(minutes / 60);
- var pad2digit = function(n) {
- if (n < 10) { return "0" + n;}
- return "" + n;
- };
- return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min);
-}
-
-function process(evt) {
- // Function register is only called by the processor when `params` are set
- // in the processor config.
- if (device === undefined) {
- register(defaults);
- }
- return device.process(evt);
-}
-
-function processor_chain(subprocessors) {
- var builder = new processor.Chain();
- subprocessors.forEach(builder.Add);
- return builder.Build().Run;
-}
-
-function linear_select(subprocessors) {
- return function (evt) {
- var flags = evt.Get(FLAG_FIELD);
- var i;
- for (i = 0; i < subprocessors.length; i++) {
- evt.Delete(FLAG_FIELD);
- if (debug) console.warn("linear_select trying entry " + i);
- subprocessors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) == null) break;
- if (debug) console.warn("linear_select failed entry " + i);
- }
- if (flags !== null) {
- evt.Put(FLAG_FIELD, flags);
- }
- if (debug) {
- if (i < subprocessors.length) {
- console.warn("linear_select matched entry " + i);
- } else {
- console.warn("linear_select didn't match");
- }
- }
- };
-}
-
-function conditional(opt) {
- return function(evt) {
- if (opt.if(evt)) {
- opt.then(evt);
- } else if (opt.else) {
- opt.else(evt);
- }
- };
-}
-
-var strip_syslog_priority = (function() {
- var isEnabled = function() { return strip_priority === true; };
- var fetchPRI = field("_pri");
- var fetchPayload = field("payload");
- var removePayload = remove(["payload"]);
- var cleanup = remove(["_pri", "payload"]);
- var onMatch = function(evt) {
- var pri, priStr = fetchPRI(evt);
- if (priStr != null
- && 0 < priStr.length && priStr.length < 4
- && !isNaN((pri = Number(priStr)))
- && 0 <= pri && pri < 192) {
- var severity = pri & 7,
- facility = pri >> 3;
- setc("_severity", "" + severity)(evt);
- setc("_facility", "" + facility)(evt);
- // Replace message with priority stripped.
- evt.Put("message", fetchPayload(evt));
- removePayload(evt);
- } else {
- // not a valid syslog PRI, cleanup.
- cleanup(evt);
- }
- };
- return conditional({
- if: isEnabled,
- then: cleanup_flags(match(
- "STRIP_PRI",
- "message",
- "<%{_pri}>%{payload}",
- onMatch
- ))
- });
-})();
-
-function match(id, src, pattern, on_success) {
- var dissect = new processor.Dissect({
- field: src,
- tokenizer: pattern,
- target_prefix: FIELDS_OBJECT,
- ignore_failure: true,
- overwrite_keys: true,
- trim_values: "right"
- });
- return function (evt) {
- var msg = evt.Get(src);
- dissect.Run(evt);
- var failed = evt.Get(FLAG_FIELD) != null;
- if (debug) {
- if (failed) {
- console.debug("dissect fail: " + id + " field:" + src);
- } else {
- console.debug("dissect OK: " + id + " field:" + src);
- }
- console.debug(" expr: <<" + pattern + ">>");
- console.debug(" input: <<" + msg + ">>");
- }
- if (on_success != null && !failed) {
- on_success(evt);
- }
- };
-}
-
-function cleanup_flags(processor) {
- return function(evt) {
- processor(evt);
- evt.Delete(FLAG_FIELD);
- };
-}
-
-function all_match(opts) {
- return function (evt) {
- var i;
- for (i = 0; i < opts.processors.length; i++) {
- evt.Delete(FLAG_FIELD);
- opts.processors[i](evt);
- // Dissect processor succeeded?
- if (evt.Get(FLAG_FIELD) != null) {
- if (debug) console.warn("all_match failure at " + i);
- if (opts.on_failure != null) opts.on_failure(evt);
- return;
- }
- if (debug) console.warn("all_match success at " + i);
- }
- if (opts.on_success != null) opts.on_success(evt);
- };
-}
-
-function msgid_select(mapping) {
- return function (evt) {
- var msgid = evt.Get(FIELDS_PREFIX + "messageid");
- if (msgid == null) {
- if (debug) console.warn("msgid_select: no messageid captured!");
- return;
- }
- var next = mapping[msgid];
- if (next === undefined) {
- if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid);
- return;
- }
- if (debug) console.info("msgid_select: matched key=" + msgid);
- return next(evt);
- };
-}
-
-function msg(msg_id, match) {
- return function (evt) {
- match(evt);
- if (evt.Get(FLAG_FIELD) == null) {
- evt.Put(FIELDS_PREFIX + "msg_id1", msg_id);
- }
- };
-}
-
-var start;
-
-function save_flags(evt) {
- saved_flags = evt.Get(FLAG_FIELD);
- evt.Put("event.original", evt.Get("message"));
-}
-
-function restore_flags(evt) {
- if (saved_flags !== null) {
- evt.Put(FLAG_FIELD, saved_flags);
- }
- evt.Delete("message");
-}
-
-function constant(value) {
- return function (evt) {
- return value;
- };
-}
-
-function field(name) {
- var fullname = FIELDS_PREFIX + name;
- return function (evt) {
- return evt.Get(fullname);
- };
-}
-
-function STRCAT(args) {
- var s = "";
- var i;
- for (i = 0; i < args.length; i++) {
- s += args[i];
- }
- return s;
-}
-
-// TODO: Implement
-function DIRCHK(args) {
- unimplemented("DIRCHK");
-}
-
-function strictToInt(str) {
- return str * 1;
-}
-
-function CALC(args) {
- if (args.length !== 3) {
- console.warn("skipped call to CALC with " + args.length + " arguments.");
- return;
- }
- var a = strictToInt(args[0]);
- var b = strictToInt(args[2]);
- if (isNaN(a) || isNaN(b)) {
- console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'.");
- return;
- }
- var result;
- switch (args[1]) {
- case "+":
- result = a + b;
- break;
- case "-":
- result = a - b;
- break;
- case "*":
- result = a * b;
- break;
- default:
- // Only * and + seen in the parsers.
- console.warn("unknown CALC operation '" + args[1] + "'.");
- return;
- }
- // Always return a string
- return result !== undefined ? "" + result : result;
-}
-
-var quoteChars = "\"'`";
-function RMQ(args) {
- if(args.length !== 1) {
- console.warn("RMQ: only one argument expected");
- return;
- }
- var value = args[0].trim();
- var n = value.length;
- var char;
- return n > 1
- && (char=value.charAt(0)) === value.charAt(n-1)
- && quoteChars.indexOf(char) !== -1?
- value.substr(1, n-2)
- : value;
-}
-
-function call(opts) {
- var args = new Array(opts.args.length);
- return function (evt) {
- for (var i = 0; i < opts.args.length; i++)
- if ((args[i] = opts.args[i](evt)) == null) return;
- var result = opts.fn(args);
- if (result != null) {
- evt.Put(opts.dest, result);
- }
- };
-}
-
-function nop(evt) {
-}
-
-function appendErrorMsg(evt, msg) {
- var value = evt.Get("error.message");
- if (value == null) {
- value = [msg];
- } else if (msg instanceof Array) {
- value.push(msg);
- } else {
- value = [value, msg];
- }
- evt.Put("error.message", value);
-}
-
-function unimplemented(name) {
- appendErrorMsg("unimplemented feature: " + name);
-}
-
-function lookup(opts) {
- return function (evt) {
- var key = opts.key(evt);
- if (key == null) return;
- var value = opts.map.keyvaluepairs[key];
- if (value === undefined) {
- value = opts.map.default;
- }
- if (value !== undefined) {
- evt.Put(opts.dest, value(evt));
- }
- };
-}
-
-function set(fields) {
- return new processor.AddFields({
- target: FIELDS_OBJECT,
- fields: fields,
- });
-}
-
-function setf(dst, src) {
- return function (evt) {
- var val = evt.Get(FIELDS_PREFIX + src);
- if (val != null) evt.Put(FIELDS_PREFIX + dst, val);
- };
-}
-
-function setc(dst, value) {
- return function (evt) {
- evt.Put(FIELDS_PREFIX + dst, value);
- };
-}
-
-function set_field(opts) {
- return function (evt) {
- var val = opts.value(evt);
- if (val != null) evt.Put(opts.dest, val);
- };
-}
-
-function dump(label) {
- return function (evt) {
- console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t"));
- };
-}
-
-function date_time_join_args(evt, arglist) {
- var str = "";
- for (var i = 0; i < arglist.length; i++) {
- var fname = FIELDS_PREFIX + arglist[i];
- var val = evt.Get(fname);
- if (val != null) {
- if (str !== "") str += " ";
- str += val;
- } else {
- if (debug) console.warn("in date_time: input arg " + fname + " is not set");
- }
- }
- return str;
-}
-
-function to2Digit(num) {
- return num? (num < 10? "0" + num : num) : "00";
-}
-
-// Make two-digit dates 00-69 interpreted as 2000-2069
-// and dates 70-99 translated to 1970-1999.
-var twoDigitYearEpoch = 70;
-var twoDigitYearCentury = 2000;
-
-// This is to accept dates up to 2 days in the future, only used when
-// no year is specified in a date. 2 days should be enough to account for
-// time differences between systems and different tz offsets.
-var maxFutureDelta = 2*24*60*60*1000;
-
-// DateContainer stores date fields and then converts those fields into
-// a Date. Necessary because building a Date using its set() methods gives
-// different results depending on the order of components.
-function DateContainer(tzOffset) {
- this.offset = tzOffset === undefined? "Z" : tzOffset;
-}
-
-DateContainer.prototype = {
- setYear: function(v) {this.year = v;},
- setMonth: function(v) {this.month = v;},
- setDay: function(v) {this.day = v;},
- setHours: function(v) {this.hours = v;},
- setMinutes: function(v) {this.minutes = v;},
- setSeconds: function(v) {this.seconds = v;},
-
- setUNIX: function(v) {this.unix = v;},
-
- set2DigitYear: function(v) {
- this.year = v < twoDigitYearEpoch? twoDigitYearCentury + v : twoDigitYearCentury + v - 100;
- },
-
- toDate: function() {
- if (this.unix !== undefined) {
- return new Date(this.unix * 1000);
- }
- if (this.day === undefined || this.month === undefined) {
- // Can't make a date from this.
- return undefined;
- }
- if (this.year === undefined) {
- // A date without a year. Set current year, or previous year
- // if date would be in the future.
- var now = new Date();
- this.year = now.getFullYear();
- var date = this.toDate();
- if (date.getTime() - now.getTime() > maxFutureDelta) {
- date.setFullYear(now.getFullYear() - 1);
- }
- return date;
- }
- var MM = to2Digit(this.month);
- var DD = to2Digit(this.day);
- var hh = to2Digit(this.hours);
- var mm = to2Digit(this.minutes);
- var ss = to2Digit(this.seconds);
- return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset);
- }
-}
-
-function date_time_try_pattern(fmt, str, tzOffset) {
- var date = new DateContainer(tzOffset);
- var pos = date_time_try_pattern_at_pos(fmt, str, 0, date);
- return pos !== undefined? date.toDate() : undefined;
-}
-
-function date_time_try_pattern_at_pos(fmt, str, pos, date) {
- var len = str.length;
- for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) {
- pos = fmt[proc](str, pos, date);
- }
- return pos;
-}
-
-function date_time(opts) {
- return function (evt) {
- var tzOffset = opts.tz || tz_offset;
- if (tzOffset === "event") {
- tzOffset = evt.Get("event.timezone");
- }
- var str = date_time_join_args(evt, opts.args);
- for (var i = 0; i < opts.fmts.length; i++) {
- var date = date_time_try_pattern(opts.fmts[i], str, tzOffset);
- if (date !== undefined) {
- evt.Put(FIELDS_PREFIX + opts.dest, date);
- return;
- }
- }
- if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str);
- };
-}
-
-var uA = 60 * 60 * 24;
-var uD = 60 * 60 * 24;
-var uF = 60 * 60;
-var uG = 60 * 60 * 24 * 30;
-var uH = 60 * 60;
-var uI = 60 * 60;
-var uJ = 60 * 60 * 24;
-var uM = 60 * 60 * 24 * 30;
-var uN = 60 * 60;
-var uO = 1;
-var uS = 1;
-var uT = 60;
-var uU = 60;
-var uc = dc;
-
-function duration(opts) {
- return function(evt) {
- var str = date_time_join_args(evt, opts.args);
- for (var i = 0; i < opts.fmts.length; i++) {
- var seconds = duration_try_pattern(opts.fmts[i], str);
- if (seconds !== undefined) {
- evt.Put(FIELDS_PREFIX + opts.dest, seconds);
- return;
- }
- }
- if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str);
- };
-}
-
-function duration_try_pattern(fmt, str) {
- var secs = 0;
- var pos = 0;
- for (var i=0; i [ month_id , how many chars to skip if month in long form ]
- "Jan": [0, 4],
- "Feb": [1, 5],
- "Mar": [2, 2],
- "Apr": [3, 2],
- "May": [4, 0],
- "Jun": [5, 1],
- "Jul": [6, 1],
- "Aug": [7, 3],
- "Sep": [8, 6],
- "Oct": [9, 4],
- "Nov": [10, 5],
- "Dec": [11, 4],
- "jan": [0, 4],
- "feb": [1, 5],
- "mar": [2, 2],
- "apr": [3, 2],
- "may": [4, 0],
- "jun": [5, 1],
- "jul": [6, 1],
- "aug": [7, 3],
- "sep": [8, 6],
- "oct": [9, 4],
- "nov": [10, 5],
- "dec": [11, 4],
-};
-
-// var dC = undefined;
-var dR = dateMonthName(true);
-var dB = dateMonthName(false);
-var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth);
-var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth);
-var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay);
-var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay);
-var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours);
-var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12
-var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours);
-var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes);
-var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes);
-var dP = parseAMPM; // AM|PM
-var dQ = parseAMPM; // A.M.|P.M
-var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds);
-var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds);
-var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear);
-var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear);
-var dZ = parseHMS;
-var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX);
-
-// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs.
-// Only works if this modifier appears after the hour has been read from logs
-// which is always the case in the 300 devices.
-function parseAMPM(str, pos, date) {
- var n = str.length;
- var start = skipws(str, pos);
- if (start + 2 > n) return;
- var head = str.substr(start, 2).toUpperCase();
- var isPM = false;
- var skip = false;
- switch (head) {
- case "A.":
- skip = true;
- /* falls through */
- case "AM":
- break;
- case "P.":
- skip = true;
- /* falls through */
- case "PM":
- isPM = true;
- break;
- default:
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")");
- return;
- }
- pos = start + 2;
- if (skip) {
- if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") {
- if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)");
- return;
- }
- pos += 2;
- }
- var hh = date.hours;
- if (isPM) {
- // Accept existing hour in 24h format.
- if (hh < 12) hh += 12;
- } else {
- if (hh === 12) hh = 0;
- }
- date.setHours(hh);
- return pos;
-}
-
-function parseHMS(str, pos, date) {
- return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date);
-}
-
-function skipws(str, pos) {
- for ( var n = str.length;
- pos < n && str.charAt(pos) === " ";
- pos++)
- ;
- return pos;
-}
-
-function skipdigits(str, pos) {
- var c;
- for (var n = str.length;
- pos < n && (c = str.charAt(pos)) >= "0" && c <= "9";
- pos++)
- ;
- return pos;
-}
-
-function dSkip(str, pos, date) {
- var chr;
- for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {}
- return pos < str.length? pos : undefined;
-}
-
-function dateVariableWidthNumber(fmtChar, min, max, setter) {
- return function (str, pos, date) {
- var start = skipws(str, pos);
- pos = skipdigits(str, start);
- var s = str.substr(start, pos - start);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos;
- }
- return;
- };
-}
-
-function dateFixedWidthNumber(fmtChar, width, min, max, setter) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + width > n) return;
- var s = str.substr(pos, width);
- var value = parseInt(s, 10);
- if (value >= min && value <= max) {
- setter.call(date, value);
- return pos + width;
- }
- return;
- };
-}
-
-// Short month name (Jan..Dec).
-function dateMonthName(long) {
- return function (str, pos, date) {
- pos = skipws(str, pos);
- var n = str.length;
- if (pos + 3 > n) return;
- var mon = str.substr(pos, 3);
- var idx = shortMonths[mon];
- if (idx === undefined) {
- idx = shortMonths[mon.toLowerCase()];
- }
- if (idx === undefined) {
- //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)");
- return;
- }
- date.setMonth(idx[0]+1);
- return pos + 3 + (long ? idx[1] : 0);
- };
-}
-
-function url_wrapper(dst, src, fn) {
- return function(evt) {
- var value = evt.Get(FIELDS_PREFIX + src), result;
- if (value != null && (result = fn(value))!== undefined) {
- evt.Put(FIELDS_PREFIX + dst, result);
- } else {
- console.error(fn.name + " failed for '" + value + "'");
- }
- };
-}
-
-// The following regular expression for parsing URLs from:
-// https://github.com/wizard04wsu/URI_Parsing
-//
-// The MIT License (MIT)
-//
-// Copyright (c) 2014 Andrew Harrison
-//
-// Permission is hereby granted, free of charge, to any person obtaining a copy of
-// this software and associated documentation files (the "Software"), to deal in
-// the Software without restriction, including without limitation the rights to
-// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
-// the Software, and to permit persons to whom the Software is furnished to do so,
-// subject to the following conditions:
-//
-// The above copyright notice and this permission notice shall be included in all
-// copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
-// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
-// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i;
-
-var uriScheme = 1;
-var uriDomain = 5;
-var uriPort = 6;
-var uriPath = 7;
-var uriPathAlt = 9;
-var uriQuery = 11;
-
-function domain(dst, src) {
- return url_wrapper(dst, src, extract_domain);
-}
-
-function split_url(value) {
- var m = value.match(uriRegExp);
- if (m && m[uriDomain]) return m;
- // Support input in the form "www.example.net/path", but not "/path".
- m = ("null://" + value).match(uriRegExp);
- if (m) return m;
-}
-
-function extract_domain(value) {
- var m = split_url(value);
- if (m && m[uriDomain]) return m[uriDomain];
-}
-
-var extFromPage = /\.[^.]+$/;
-function extract_ext(value) {
- var page = extract_page(value);
- if (page) {
- var m = page.match(extFromPage);
- if (m) return m[0];
- }
-}
-
-function ext(dst, src) {
- return url_wrapper(dst, src, extract_ext);
-}
-
-function fqdn(dst, src) {
- // TODO: fqdn and domain(eTLD+1) are currently the same.
- return domain(dst, src);
-}
-
-var pageFromPathRegExp = /\/([^\/]+)$/;
-var pageName = 1;
-
-function extract_page(value) {
- value = extract_path(value);
- if (!value) return undefined;
- var m = value.match(pageFromPathRegExp);
- if (m) return m[pageName];
-}
-
-function page(dst, src) {
- return url_wrapper(dst, src, extract_page);
-}
-
-function extract_path(value) {
- var m = split_url(value);
- return m? m[uriPath] || m[uriPathAlt] : undefined;
-}
-
-function path(dst, src) {
- return url_wrapper(dst, src, extract_path);
-}
-
-// Map common schemes to their default port.
-// port has to be a string (will be converted at a later stage).
-var schemePort = {
- "ftp": "21",
- "ssh": "22",
- "http": "80",
- "https": "443",
-};
-
-function extract_port(value) {
- var m = split_url(value);
- if (!m) return undefined;
- if (m[uriPort]) return m[uriPort];
- if (m[uriScheme]) {
- return schemePort[m[uriScheme]];
- }
-}
-
-function port(dst, src) {
- return url_wrapper(dst, src, extract_port);
-}
-
-function extract_query(value) {
- var m = split_url(value);
- if (m && m[uriQuery]) return m[uriQuery];
-}
-
-function query(dst, src) {
- return url_wrapper(dst, src, extract_query);
-}
-
-function extract_root(value) {
- var m = split_url(value);
- if (m && m[uriDomain] && m[uriDomain]) {
- var scheme = m[uriScheme] && m[uriScheme] !== "null"?
- m[uriScheme] + "://" : "";
- var port = m[uriPort]? ":" + m[uriPort] : "";
- return scheme + m[uriDomain] + port;
- }
-}
-
-function root(dst, src) {
- return url_wrapper(dst, src, extract_root);
-}
-
-var ecs_mappings = {
- "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]},
- "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]},
- "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]},
- "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]},
- "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]},
- "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]},
- "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]},
- "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]},
- "application": {to:[{field: "network.application", setter: fld_set}]},
- "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]},
- "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]},
- "c_logon_id": {to:[{field: "user.id", setter: fld_prio, prio: 2}]},
- "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]},
- "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]},
- "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]},
- "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]},
- "child_pid_val": {to:[{field: "process.title", setter: fld_set}]},
- "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]},
- "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]},
- "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]},
- "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]},
- "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]},
- "dhost": {to:[{field: "destination.address", setter: fld_set}]},
- "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]},
- "direction": {to:[{field: "network.direction", setter: fld_set}]},
- "directory": {to:[{field: "file.directory", setter: fld_set}]},
- "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]},
- "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]},
- "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]},
- "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]},
- "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]},
- "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]},
- "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]},
- "domain_id": {to:[{field: "user.domain", setter: fld_set}]},
- "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]},
- "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]},
- "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]},
- "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]},
- "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]},
- "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]},
- "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]},
- "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]},
- "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]},
- "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]},
- "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]},
- "filepath": {to:[{field: "file.path", setter: fld_set}]},
- "filetype": {to:[{field: "file.type", setter: fld_set}]},
- "group": {to:[{field: "group.name", setter: fld_set}]},
- "groupid": {to:[{field: "group.id", setter: fld_set}]},
- "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]},
- "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]},
- "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]},
- "interface": {to:[{field: "network.interface.name", setter: fld_set}]},
- "ip.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]},
- "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]},
- "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]},
- "location_city": {to:[{field: "geo.city_name", setter: fld_set}]},
- "location_country": {to:[{field: "geo.country_name", setter: fld_set}]},
- "location_desc": {to:[{field: "geo.name", setter: fld_set}]},
- "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]},
- "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]},
- "location_state": {to:[{field: "geo.region_name", setter: fld_set}]},
- "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]},
- "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]},
- "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]},
- "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]},
- "method": {to:[{field: "http.request.method", setter: fld_set}]},
- "msg": {to:[{field: "log.original", setter: fld_set}]},
- "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]},
- "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]},
- "packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]},
- "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]},
- "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]},
- "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]},
- "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]},
- "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]},
- "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]},
- "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]},
- "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]},
- "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]},
- "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]},
- "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]},
- "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]},
- "product": {to:[{field: "observer.product", setter: fld_set}]},
- "protocol": {to:[{field: "network.protocol", setter: fld_set}]},
- "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]},
- "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]},
- "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]},
- "rulename": {to:[{field: "rule.name", setter: fld_set}]},
- "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]},
- "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]},
- "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]},
- "service": {to:[{field: "service.name", setter: fld_prio, prio: 1}]},
- "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]},
- "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]},
- "severity": {to:[{field: "log.level", setter: fld_set}]},
- "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]},
- "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]},
- "sld": {to:[{field: "url.registered_domain", setter: fld_set}]},
- "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]},
- "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]},
- "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]},
- "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]},
- "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]},
- "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]},
- "timezone": {to:[{field: "event.timezone", setter: fld_set}]},
- "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]},
- "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]},
- "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]},
- "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]},
- "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]},
- "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]},
- "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]},
- "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]},
- "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]},
- "user.id": {to:[{field: "user.id", setter: fld_prio, prio: 1}]},
- "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]},
- "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]},
- "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]},
- "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]},
- "version": {to:[{field: "observer.version", setter: fld_set}]},
- "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]},
- "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]},
- "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]},
- "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]},
- "web_root": {to:[{field: "url.path", setter: fld_set}]},
- "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]},
-};
-
-var rsa_mappings = {
- "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]},
- "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]},
- "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]},
- "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]},
- "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]},
- "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]},
- "action": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]},
- "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]},
- "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]},
- "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]},
- "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]},
- "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]},
- "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]},
- "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]},
- "alert_id": {to:[{field: "rsa.misc.alert_id", setter: fld_set}]},
- "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]},
- "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]},
- "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]},
- "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]},
- "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]},
- "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]},
- "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]},
- "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]},
- "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]},
- "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]},
- "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]},
- "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]},
- "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]},
- "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]},
- "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]},
- "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]},
- "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]},
- "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]},
- "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]},
- "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]},
- "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]},
- "category": {to:[{field: "rsa.misc.category", setter: fld_set}]},
- "cc": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]},
- "cefversion": {to:[{field: "rsa.misc.cefversion", setter: fld_set}]},
- "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]},
- "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]},
- "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]},
- "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]},
- "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]},
- "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]},
- "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]},
- "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]},
- "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]},
- "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]},
- "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]},
- "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]},
- "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]},
- "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]},
- "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]},
- "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]},
- "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]},
- "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]},
- "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]},
- "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]},
- "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]},
- "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]},
- "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]},
- "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]},
- "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]},
- "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]},
- "cmd": {to:[{field: "rsa.misc.cmd", setter: fld_set}]},
- "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]},
- "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]},
- "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]},
- "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]},
- "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]},
- "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]},
- "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]},
- "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]},
- "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]},
- "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]},
- "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]},
- "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]},
- "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]},
- "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]},
- "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]},
- "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]},
- "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]},
- "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]},
- "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]},
- "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]},
- "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]},
- "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]},
- "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]},
- "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]},
- "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]},
- "cn_minpcktlen": {to:[{field: "rsa.misc.cn_minpcktlen", setter: fld_set}]},
- "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]},
- "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]},
- "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]},
- "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]},
- "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]},
- "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]},
- "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]},
- "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]},
- "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]},
- "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]},
- "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]},
- "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]},
- "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]},
- "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]},
- "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]},
- "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]},
- "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]},
- "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]},
- "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]},
- "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]},
- "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]},
- "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]},
- "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]},
- "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]},
- "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]},
- "cn_totflowexp": {to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]},
- "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]},
- "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]},
- "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]},
- "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]},
- "code": {to:[{field: "rsa.misc.code", setter: fld_set}]},
- "command": {to:[{field: "rsa.misc.command", setter: fld_set}]},
- "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]},
- "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]},
- "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]},
- "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]},
- "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]},
- "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]},
- "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]},
- "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]},
- "content": {to:[{field: "rsa.misc.content", setter: fld_set}]},
- "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]},
- "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]},
- "context": {to:[{field: "rsa.misc.context", setter: fld_set}]},
- "count": {to:[{field: "rsa.misc.count", setter: fld_set}]},
- "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]},
- "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]},
- "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]},
- "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]},
- "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]},
- "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]},
- "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: fld_set}]},
- "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]},
- "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]},
- "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]},
- "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]},
- "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]},
- "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]},
- "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]},
- "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]},
- "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]},
- "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]},
- "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]},
- "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]},
- "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]},
- "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]},
- "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]},
- "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]},
- "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]},
- "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]},
- "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]},
- "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]},
- "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]},
- "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]},
- "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]},
- "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]},
- "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]},
- "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]},
- "cs_registrar": {to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]},
- "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]},
- "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]},
- "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]},
- "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]},
- "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]},
- "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]},
- "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]},
- "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]},
- "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]},
- "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]},
- "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]},
- "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]},
- "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]},
- "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]},
- "data": {to:[{field: "rsa.internal.data", setter: fld_set}]},
- "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]},
- "date": {to:[{field: "rsa.time.date", setter: fld_set}]},
- "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]},
- "day": {to:[{field: "rsa.time.day", setter: fld_set}]},
- "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]},
- "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]},
- "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]},
- "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]},
- "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]},
- "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]},
- "dclass_counter2_string": {to:[{field: "rsa.counters.dclass_c2_str", setter: fld_set}]},
- "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]},
- "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]},
- "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]},
- "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]},
- "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]},
- "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]},
- "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]},
- "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]},
- "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]},
- "description": {to:[{field: "rsa.misc.description", setter: fld_set}]},
- "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]},
- "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]},
- "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]},
- "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]},
- "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]},
- "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]},
- "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]},
- "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]},
- "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]},
- "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]},
- "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]},
- "did": {to:[{field: "rsa.internal.did", setter: fld_set}]},
- "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]},
- "directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]},
- "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]},
- "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]},
- "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]},
- "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]},
- "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]},
- "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]},
- "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]},
- "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]},
- "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]},
- "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]},
- "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]},
- "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]},
- "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]},
- "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]},
- "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]},
- "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]},
- "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]},
- "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]},
- "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]},
- "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]},
- "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]},
- "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]},
- "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]},
- "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]},
- "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]},
- "ec_subject": {to:[{field: "rsa.investigations.ec_subject", setter: fld_set}]},
- "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]},
- "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]},
- "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]},
- "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]},
- "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]},
- "email": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]},
- "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]},
- "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]},
- "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]},
- "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]},
- "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]},
- "error": {to:[{field: "rsa.misc.error", setter: fld_set}]},
- "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]},
- "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]},
- "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]},
- "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]},
- "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]},
- "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]},
- "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]},
- "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]},
- "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]},
- "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]},
- "event_id": {to:[{field: "rsa.misc.event_id", setter: fld_set}]},
- "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]},
- "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]},
- "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]},
- "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]},
- "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]},
- "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]},
- "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]},
- "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]},
- "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]},
- "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]},
- "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]},
- "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]},
- "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]},
- "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]},
- "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]},
- "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]},
- "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]},
- "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]},
- "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]},
- "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]},
- "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]},
- "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]},
- "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]},
- "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]},
- "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", setter: fld_set}]},
- "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]},
- "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]},
- "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]},
- "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]},
- "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]},
- "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]},
- "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]},
- "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]},
- "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]},
- "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]},
- "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]},
- "found": {to:[{field: "rsa.misc.found", setter: fld_set}]},
- "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]},
- "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]},
- "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]},
- "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]},
- "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]},
- "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]},
- "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]},
- "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]},
- "group": {to:[{field: "rsa.misc.group", setter: fld_set}]},
- "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]},
- "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]},
- "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]},
- "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]},
- "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]},
- "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]},
- "host.state": {to:[{field: "rsa.endpoint.host_state", setter: fld_set}]},
- "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]},
- "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]},
- "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]},
- "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]},
- "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]},
- "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]},
- "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]},
- "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]},
- "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]},
- "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]},
- "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]},
- "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]},
- "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]},
- "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]},
- "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]},
- "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]},
- "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]},
- "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]},
- "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]},
- "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]},
- "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]},
- "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]},
- "index": {to:[{field: "rsa.misc.index", setter: fld_set}]},
- "info": {to:[{field: "rsa.db.index", setter: fld_set}]},
- "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]},
- "inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]},
- "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]},
- "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]},
- "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]},
- "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]},
- "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]},
- "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]},
- "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]},
- "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]},
- "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]},
- "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]},
- "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]},
- "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]},
- "language": {to:[{field: "rsa.misc.language", setter: fld_set}]},
- "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]},
- "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]},
- "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]},
- "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]},
- "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]},
- "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]},
- "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]},
- "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]},
- "library": {to:[{field: "rsa.misc.library", setter: fld_set}]},
- "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]},
- "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]},
- "link": {to:[{field: "rsa.misc.link", setter: fld_set}]},
- "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]},
- "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]},
- "listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]},
- "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]},
- "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]},
- "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]},
- "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]},
- "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]},
- "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]},
- "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]},
- "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]},
- "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]},
- "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]},
- "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]},
- "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]},
- "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]},
- "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]},
- "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]},
- "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]},
- "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]},
- "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]},
- "match": {to:[{field: "rsa.misc.match", setter: fld_set}]},
- "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]},
- "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]},
- "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]},
- "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]},
- "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]},
- "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]},
- "message": {to:[{field: "rsa.internal.message", setter: fld_set}]},
- "message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]},
- "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]},
- "min": {to:[{field: "rsa.time.min", setter: fld_set}]},
- "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]},
- "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]},
- "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]},
- "month": {to:[{field: "rsa.time.month", setter: fld_set}]},
- "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]},
- "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]},
- "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]},
- "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]},
- "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]},
- "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]},
- "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]},
- "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]},
- "name": {to:[{field: "rsa.misc.name", setter: fld_set}]},
- "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]},
- "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]},
- "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]},
- "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]},
- "node": {to:[{field: "rsa.misc.node", setter: fld_set}]},
- "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]},
- "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]},
- "num": {to:[{field: "rsa.misc.num", setter: fld_set}]},
- "number": {to:[{field: "rsa.misc.number", setter: fld_set}]},
- "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]},
- "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]},
- "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]},
- "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]},
- "obj_id": {to:[{field: "rsa.internal.obj_id", setter: fld_set}]},
- "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]},
- "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]},
- "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]},
- "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]},
- "object": {to:[{field: "rsa.misc.object", setter: fld_set}]},
- "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]},
- "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]},
- "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]},
- "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]},
- "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]},
- "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]},
- "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]},
- "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]},
- "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]},
- "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]},
- "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]},
- "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]},
- "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]},
- "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]},
- "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]},
- "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]},
- "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]},
- "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]},
- "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]},
- "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]},
- "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]},
- "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]},
- "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]},
- "p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]},
- "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]},
- "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]},
- "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]},
- "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]},
- "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]},
- "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]},
- "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]},
- "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]},
- "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]},
- "param": {to:[{field: "rsa.misc.param", setter: fld_set}]},
- "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]},
- "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]},
- "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]},
- "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]},
- "password": {to:[{field: "rsa.identity.password", setter: fld_set}]},
- "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]},
- "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]},
- "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]},
- "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]},
- "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]},
- "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]},
- "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]},
- "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]},
- "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]},
- "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]},
- "permgranted": {to:[{field: "rsa.misc.permgranted", setter: fld_set}]},
- "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]},
- "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]},
- "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]},
- "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]},
- "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]},
- "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]},
- "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]},
- "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]},
- "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]},
- "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]},
- "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]},
- "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]},
- "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]},
- "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]},
- "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]},
- "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]},
- "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]},
- "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]},
- "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]},
- "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]},
- "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]},
- "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]},
- "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]},
- "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]},
- "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]},
- "program": {to:[{field: "rsa.misc.program", setter: fld_set}]},
- "protocol_detail": {to:[{field: "rsa.network.protocol_detail", setter: fld_set}]},
- "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]},
- "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]},
- "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]},
- "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]},
- "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]},
- "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]},
- "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]},
- "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]},
- "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]},
- "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]},
- "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]},
- "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]},
- "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]},
- "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]},
- "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]},
- "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]},
- "result": {to:[{field: "rsa.misc.result", setter: fld_set}]},
- "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]},
- "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]},
- "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]},
- "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]},
- "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]},
- "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]},
- "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]},
- "risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]},
- "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]},
- "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]},
- "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]},
- "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]},
- "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]},
- "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]},
- "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]},
- "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]},
- "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]},
- "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]},
- "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]},
- "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]},
- "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]},
- "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]},
- "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]},
- "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]},
- "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]},
- "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]},
- "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]},
- "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]},
- "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]},
- "second": {to:[{field: "rsa.misc.second", setter: fld_set}]},
- "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]},
- "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]},
- "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]},
- "serial_number": {to:[{field: "rsa.misc.serial_number", setter: fld_set}]},
- "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]},
- "session": {to:[{field: "rsa.misc.session", setter: fld_set}]},
- "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]},
- "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]},
- "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]},
- "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]},
- "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]},
- "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]},
- "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]},
- "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]},
- "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]},
- "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]},
- "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]},
- "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]},
- "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]},
- "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]},
- "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]},
- "site": {to:[{field: "rsa.internal.site", setter: fld_set}]},
- "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]},
- "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]},
- "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]},
- "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]},
- "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]},
- "space": {to:[{field: "rsa.misc.space", setter: fld_set}]},
- "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]},
- "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]},
- "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]},
- "src_dn": {to:[{field: "rsa.identity.dn_src", setter: fld_set}]},
- "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]},
- "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]},
- "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]},
- "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]},
- "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]},
- "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]},
- "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]},
- "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]},
- "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]},
- "state": {to:[{field: "rsa.misc.state", setter: fld_set}]},
- "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]},
- "status": {to:[{field: "rsa.misc.status", setter: fld_set}]},
- "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]},
- "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]},
- "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]},
- "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]},
- "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]},
- "system": {to:[{field: "rsa.misc.system", setter: fld_set}]},
- "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]},
- "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]},
- "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]},
- "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]},
- "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]},
- "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]},
- "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]},
- "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]},
- "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]},
- "threat_name": {to:[{field: "rsa.threat.threat_category", setter: fld_set}]},
- "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]},
- "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]},
- "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]},
- "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]},
- "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]},
- "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]},
- "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]},
- "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]},
- "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]},
- "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]},
- "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]},
- "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]},
- "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]},
- "type": {to:[{field: "rsa.misc.type", setter: fld_set}]},
- "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]},
- "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]},
- "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]},
- "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]},
- "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]},
- "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]},
- "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]},
- "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]},
- "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]},
- "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]},
- "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]},
- "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]},
- "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]},
- "user_mname": {to:[{field: "rsa.identity.middlename", setter: fld_set}]},
- "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]},
- "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]},
- "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]},
- "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]},
- "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]},
- "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]},
- "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]},
- "version": {to:[{field: "rsa.misc.version", setter: fld_set}]},
- "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]},
- "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]},
- "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]},
- "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]},
- "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]},
- "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]},
- "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]},
- "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]},
- "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]},
- "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]},
- "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]},
- "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]},
- "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]},
- "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]},
- "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]},
- "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]},
- "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]},
- "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]},
- "wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]},
- "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]},
- "word": {to:[{field: "rsa.internal.word", setter: fld_set}]},
- "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]},
- "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]},
- "year": {to:[{field: "rsa.time.year", setter: fld_set}]},
- "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]},
-};
-
-function to_date(value) {
- switch (typeof (value)) {
- case "object":
- // This is a Date. But as it was obtained from evt.Get(), the VM
- // doesn't see it as a JS Date anymore, thus value instanceof Date === false.
- // Have to trust that any object here is a valid Date for Go.
- return value;
- case "string":
- var asDate = new Date(value);
- if (!isNaN(asDate)) return asDate;
- }
-}
-
-// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER.
-var maxSafeInt = Math.pow(2, 53) - 1;
-var minSafeInt = -maxSafeInt;
-
-function to_long(value) {
- var num = parseInt(value);
- // Better not to index a number if it's not safe (above 53 bits).
- return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? num : undefined;
-}
-
-function to_ip(value) {
- if (value.indexOf(":") === -1)
- return to_ipv4(value);
- return to_ipv6(value);
-}
-
-var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
-var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/;
-
-function to_ipv4(value) {
- var result = ipv4_regex.exec(value);
- if (result == null || result.length !== 5) return;
- for (var i = 1; i < 5; i++) {
- var num = strictToInt(result[i]);
- if (isNaN(num) || num < 0 || num > 255) return;
- }
- return value;
-}
-
-function to_ipv6(value) {
- var sqEnd = value.indexOf("]");
- if (sqEnd > -1) {
- if (value.charAt(0) !== "[") return;
- value = value.substr(1, sqEnd - 1);
- }
- var zoneOffset = value.indexOf("%");
- if (zoneOffset > -1) {
- value = value.substr(0, zoneOffset);
- }
- var parts = value.split(":");
- if (parts == null || parts.length < 3 || parts.length > 8) return;
- var numEmpty = 0;
- var innerEmpty = 0;
- for (var i = 0; i < parts.length; i++) {
- if (parts[i].length === 0) {
- numEmpty++;
- if (i > 0 && i + 1 < parts.length) innerEmpty++;
- } else if (!parts[i].match(ipv6_hex_regex) &&
- // Accept an IPv6 with a valid IPv4 at the end.
- ((i + 1 < parts.length) || !to_ipv4(parts[i]))) {
- return;
- }
- }
- return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined;
-}
-
-function to_double(value) {
- return parseFloat(value);
-}
-
-function to_mac(value) {
- // ES doesn't have a mac datatype so it's safe to ingest whatever was captured.
- return value;
-}
-
-function to_lowercase(value) {
- // to_lowercase is used against keyword fields, which can accept
- // any other type (numbers, dates).
- return typeof(value) === "string"? value.toLowerCase() : value;
-}
-
-function fld_set(dst, value) {
- dst[this.field] = { v: value };
-}
-
-function fld_append(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: [value] };
- } else {
- var base = dst[this.field];
- if (base.v.indexOf(value)===-1) base.v.push(value);
- }
-}
-
-function fld_prio(dst, value) {
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value, prio: this.prio};
- } else if(this.prio < dst[this.field].prio) {
- dst[this.field].v = value;
- dst[this.field].prio = this.prio;
- }
-}
-
-var valid_ecs_outcome = {
- 'failure': true,
- 'success': true,
- 'unknown': true
-};
-
-function fld_ecs_outcome(dst, value) {
- value = value.toLowerCase();
- if (valid_ecs_outcome[value] === undefined) {
- value = 'unknown';
- }
- if (dst[this.field] === undefined) {
- dst[this.field] = { v: value };
- } else if (dst[this.field].v === 'unknown') {
- dst[this.field] = { v: value };
- }
-}
-
-function map_all(evt, targets, value) {
- for (var i = 0; i < targets.length; i++) {
- evt.Put(targets[i], value);
- }
-}
-
-function populate_fields(evt) {
- var base = evt.Get(FIELDS_OBJECT);
- if (base === null) return;
- alternate_datetime(evt);
- if (map_ecs) {
- do_populate(evt, base, ecs_mappings);
- }
- if (map_rsa) {
- do_populate(evt, base, rsa_mappings);
- }
- if (keep_raw) {
- evt.Put("rsa.raw", base);
- }
- evt.Delete(FIELDS_OBJECT);
-}
-
-var datetime_alt_components = [
- {field: "day", fmts: [[dF]]},
- {field: "year", fmts: [[dW]]},
- {field: "month", fmts: [[dB],[dG]]},
- {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]},
- {field: "hour", fmts: [[dN]]},
- {field: "min", fmts: [[dU]]},
- {field: "secs", fmts: [[dO]]},
- {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]},
-];
-
-function alternate_datetime(evt) {
- if (evt.Get(FIELDS_PREFIX + "event_time") != null) {
- return;
- }
- var tzOffset = tz_offset;
- if (tzOffset === "event") {
- tzOffset = evt.Get("event.timezone");
- }
- var container = new DateContainer(tzOffset);
- for (var i=0; i} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([
- setc("header_id","0005"),
-]));
-
-var hdr2 = match("HEADER#1:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([
- setc("header_id","0006"),
-]));
-
-var hdr3 = match("HEADER#2:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: %{payload}", processor_chain([
- setc("header_id","0007"),
-]));
-
-var hdr4 = match("HEADER#3:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}: %{payload}", processor_chain([
- setc("header_id","0008"),
- dup1,
-]));
-
-var hdr5 = match("HEADER#4:0001", "message", "%{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([
- setc("header_id","0001"),
-]));
-
-var hdr6 = match("HEADER#5:0002", "message", "%{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([
- setc("header_id","0002"),
-]));
-
-var hdr7 = match("HEADER#6:0003", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([
- setc("header_id","0003"),
-]));
-
-var hdr8 = match("HEADER#7:0004", "message", "%{messageid}: %{payload}", processor_chain([
- setc("header_id","0004"),
- dup1,
-]));
-
-var select1 = linear_select([
- hdr1,
- hdr2,
- hdr3,
- hdr4,
- hdr5,
- hdr6,
- hdr7,
- hdr8,
-]);
-
-var part1 = match("MESSAGE#0:firepass:01", "nwparser.payload", "Entered %{fld2}", processor_chain([
- dup2,
- dup3,
- dup4,
-]));
-
-var msg1 = msg("firepass:01", part1);
-
-var part2 = match("MESSAGE#1:firepass:02", "nwparser.payload", "Logged out%{}", processor_chain([
- setc("eventcategory","1401070000"),
- dup5,
- dup6,
- dup3,
- dup4,
-]));
-
-var msg2 = msg("firepass:02", part2);
-
-var part3 = match("MESSAGE#2:firepass:03", "nwparser.payload", "Finished using %{fld2}", processor_chain([
- dup2,
- dup3,
- dup4,
-]));
-
-var msg3 = msg("firepass:03", part3);
-
-var part4 = match("MESSAGE#3:firepass:04", "nwparser.payload", "Open %{fld2->} to Remote Host:%{dhost}", processor_chain([
- dup7,
- dup3,
- dup4,
-]));
-
-var msg4 = msg("firepass:04", part4);
-
-var part5 = match("MESSAGE#4:firepass:05", "nwparser.payload", "param %{fld1->} = %{fld2}", processor_chain([
- setc("eventcategory","1701020000"),
- dup3,
- dup4,
-]));
-
-var msg5 = msg("firepass:05", part5);
-
-var part6 = match("MESSAGE#5:firepass:06", "nwparser.payload", "Access menu %{fld2}", processor_chain([
- dup2,
- dup3,
- dup4,
-]));
-
-var msg6 = msg("firepass:06", part6);
-
-var part7 = match("MESSAGE#6:firepass:07", "nwparser.payload", "Accessing %{url}", processor_chain([
- dup2,
- dup3,
- dup4,
-]));
-
-var msg7 = msg("firepass:07", part7);
-
-var part8 = match("MESSAGE#7:firepass:08", "nwparser.payload", "Network Access: dialing Click to connect to Network Access%{}", processor_chain([
- setc("eventcategory","1801000000"),
- dup3,
- dup4,
-]));
-
-var msg8 = msg("firepass:08", part8);
-
-var part9 = match("MESSAGE#8:firepass:09", "nwparser.payload", "FirePass service stopped on %{hostname}", processor_chain([
- dup8,
- dup9,
- setc("ec_activity","Stop"),
- dup3,
- dup4,
-]));
-
-var msg9 = msg("firepass:09", part9);
-
-var part10 = match("MESSAGE#9:firepass:10", "nwparser.payload", "FirePass service started on %{hostname}", processor_chain([
- dup8,
- dup9,
- setc("ec_activity","Start"),
- dup3,
- dup4,
-]));
-
-var msg10 = msg("firepass:10", part10);
-
-var part11 = match("MESSAGE#10:firepass:11", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([
- setc("eventcategory","1606000000"),
- dup3,
- setc("event_description","shutting down for system reboot"),
-]));
-
-var msg11 = msg("firepass:11", part11);
-
-var part12 = match("MESSAGE#11:firepass:12", "nwparser.payload", "%{event_description}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg12 = msg("firepass:12", part12);
-
-var select2 = linear_select([
- msg1,
- msg2,
- msg3,
- msg4,
- msg5,
- msg6,
- msg7,
- msg8,
- msg9,
- msg10,
- msg11,
- msg12,
-]);
-
-var part13 = match("MESSAGE#12:GarbageCollection:01", "nwparser.payload", "User: '%{username}' session expired due to inactivity. %{result}.", processor_chain([
- dup10,
- dup3,
-]));
-
-var msg13 = msg("GarbageCollection:01", part13);
-
-var part14 = match("MESSAGE#13:GarbageCollection:02", "nwparser.payload", "User: '%{username}' session was terminated.", processor_chain([
- dup10,
- dup3,
-]));
-
-var msg14 = msg("GarbageCollection:02", part14);
-
-var part15 = match("MESSAGE#14:GarbageCollection:03", "nwparser.payload", "session '%{sessionid}' is expired due to inactivity. %{result}.", processor_chain([
- dup10,
- dup3,
-]));
-
-var msg15 = msg("GarbageCollection:03", part15);
-
-var part16 = match("MESSAGE#15:GarbageCollection:04", "nwparser.payload", "apache server is not running. start it%{}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg16 = msg("GarbageCollection:04", part16);
-
-var part17 = match("MESSAGE#16:GarbageCollection:05", "nwparser.payload", "%{fld2->} already started with pid %{process_id}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg17 = msg("GarbageCollection:05", part17);
-
-var part18 = match("MESSAGE#17:GarbageCollection:06", "nwparser.payload", "no servers defined for Radius Accounting%{}", processor_chain([
- dup11,
- dup3,
-]));
-
-var msg18 = msg("GarbageCollection:06", part18);
-
-var part19 = match("MESSAGE#18:GarbageCollection:07", "nwparser.payload", "DHCP Agent is not running... Restarting it.%{}", processor_chain([
- dup11,
- dup3,
-]));
-
-var msg19 = msg("GarbageCollection:07", part19);
-
-var part20 = match("MESSAGE#19:GarbageCollection:08", "nwparser.payload", "session '%{sessionid}' is terminated.", processor_chain([
- dup11,
- dup3,
-]));
-
-var msg20 = msg("GarbageCollection:08", part20);
-
-var part21 = match("MESSAGE#20:GarbageCollection:09", "nwparser.payload", "can not connect to database %{fld1}", processor_chain([
- dup11,
- dup3,
- setc("event_description","can not connect to database"),
-]));
-
-var msg21 = msg("GarbageCollection:09", part21);
-
-var part22 = match("MESSAGE#21:GarbageCollection:10", "nwparser.payload", "timeout happened. restarting %{fld1->} services", processor_chain([
- dup11,
- dup3,
- setc("event_description","timeout happened. restarting services"),
-]));
-
-var msg22 = msg("GarbageCollection:10", part22);
-
-var select3 = linear_select([
- msg13,
- msg14,
- msg15,
- msg16,
- msg17,
- msg18,
- msg19,
- msg20,
- msg21,
- msg22,
-]);
-
-var part23 = match("MESSAGE#22:maintenance:01", "nwparser.payload", "Failed to upload backup file %{filename}. %{info->} Server returned:%{result}", processor_chain([
- dup11,
- dup3,
- dup4,
-]));
-
-var msg23 = msg("maintenance:01", part23);
-
-var part24 = match("MESSAGE#23:maintenance:02", "nwparser.payload", "Logged out Sid = %{sessionid}", processor_chain([
- dup8,
- dup12,
- dup6,
- dup13,
- dup3,
- dup4,
-]));
-
-var msg24 = msg("maintenance:02", part24);
-
-var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Access: %{info}", processor_chain([
- dup8,
- dup3,
- dup4,
-]));
-
-var msg25 = msg("maintenance:03", part25);
-
-var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2->} on %{fqdn}:%{network_port}", processor_chain([
- dup11,
- dup3,
- dup4,
-]));
-
-var msg26 = msg("maintenance:04", part26);
-
-var part27 = match("MESSAGE#26:maintenance:05", "nwparser.payload", "%{info}", processor_chain([
- dup11,
- dup3,
- dup4,
-]));
-
-var msg27 = msg("maintenance:05", part27);
-
-var select4 = linear_select([
- msg23,
- msg24,
- msg25,
- msg26,
- msg27,
-]);
-
-var part28 = match("MESSAGE#27:NetworkAccess:01", "nwparser.payload", "\u003c\u003c%{sessionid}> Open Network Access Connection using remote IP address %{daddr}", processor_chain([
- dup7,
- dup12,
- dup13,
- dup3,
- dup4,
-]));
-
-var msg28 = msg("NetworkAccess:01", part28);
-
-var part29 = match("MESSAGE#28:NetworkAccess:02", "nwparser.payload", "\u003c\u003c%{sessionid}> Network Access Connection terminated", processor_chain([
- dup10,
- dup12,
- dup13,
- dup3,
- dup4,
-]));
-
-var msg29 = msg("NetworkAccess:02", part29);
-
-var part30 = match("MESSAGE#29:NetworkAccess:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - %{info}", processor_chain([
- setc("eventcategory","1801010000"),
- dup12,
- dup13,
- dup3,
- dup4,
-]));
-
-var msg30 = msg("NetworkAccess:03", part30);
-
-var select5 = linear_select([
- msg28,
- msg29,
- msg30,
-]);
-
-var part31 = match("MESSAGE#30:security:01/0", "nwparser.payload", "User %{username->} logged on from %{p0}");
-
-var part32 = match("MESSAGE#30:security:01/1_0", "nwparser.p0", "%{saddr->} to %{daddr->} Sid = %{sessionid->} ");
-
-var part33 = match("MESSAGE#30:security:01/1_1", "nwparser.p0", "%{saddr->} Sid = %{sessionid->} ");
-
-var part34 = match("MESSAGE#30:security:01/1_2", "nwparser.p0", "%{saddr->} ");
-
-var select6 = linear_select([
- part32,
- part33,
- part34,
-]);
-
-var all1 = all_match({
- processors: [
- part31,
- select6,
- ],
- on_success: processor_chain([
- setc("eventcategory","1401060000"),
- dup5,
- dup14,
- dup15,
- dup3,
- ]),
-});
-
-var msg31 = msg("security:01", all1);
-
-var part35 = match("MESSAGE#31:security:02/0", "nwparser.payload", "%{} %{p0}");
-
-var part36 = match("MESSAGE#31:security:02/1_0", "nwparser.p0", "Invalid %{p0}");
-
-var part37 = match("MESSAGE#31:security:02/1_1", "nwparser.p0", "Valid %{p0}");
-
-var select7 = linear_select([
- part36,
- part37,
-]);
-
-var part38 = match("MESSAGE#31:security:02/2", "nwparser.p0", "%{}user %{username->} failed to log on from %{saddr}");
-
-var all2 = all_match({
- processors: [
- part35,
- select7,
- part38,
- ],
- on_success: processor_chain([
- dup16,
- dup5,
- dup14,
- dup15,
- dup17,
- dup3,
- ]),
-});
-
-var msg32 = msg("security:02", all2);
-
-var part39 = match("MESSAGE#32:security:03", "nwparser.payload", "Successful password update for user %{user_fullname}, username: %{username}", processor_chain([
- setc("eventcategory","1402040100"),
- setc("ec_activity","Modify"),
- setc("ec_theme","Password"),
- setc("ec_outcome","Success"),
- dup3,
-]));
-
-var msg33 = msg("security:03", part39);
-
-var part40 = match("MESSAGE#33:security:04", "nwparser.payload", "Possible intrusion attempt! %{fld1->} consecutive authentication failures happened within %{fld2->} min. Last Source IP Address: %{saddr->} %{info}", processor_chain([
- dup16,
- dup14,
- dup15,
- dup17,
- dup3,
-]));
-
-var msg34 = msg("security:04", part40);
-
-var part41 = match("MESSAGE#34:security:05", "nwparser.payload", "User [%{action}] logon from %{saddr}", processor_chain([
- dup18,
- dup5,
- dup14,
- dup15,
- setc("ec_outcome","Error"),
- dup3,
-]));
-
-var msg35 = msg("security:05", part41);
-
-var part42 = match("MESSAGE#35:security:06", "nwparser.payload", "Non-administrator account %{username->} attempted to access admin account", processor_chain([
- dup18,
- dup5,
- dup14,
- setc("ec_theme","Policy"),
- dup17,
- dup3,
-]));
-
-var msg36 = msg("security:06", part42);
-
-var part43 = match("MESSAGE#36:security:07", "nwparser.payload", "User %{username->} exceeded the allowed number of concurrent logons", processor_chain([
- dup16,
- dup5,
- dup14,
- dup15,
- dup17,
- dup3,
- setc("event_description","user exceeded the allowed number of concurrent logons"),
-]));
-
-var msg37 = msg("security:07", part43);
-
-var part44 = match("MESSAGE#37:security:08", "nwparser.payload", "User %{username->} from %{saddr->} presented with challenge", processor_chain([
- dup19,
- dup5,
- dup3,
- setc("event_description","user presented with challenge"),
-]));
-
-var msg38 = msg("security:08", part44);
-
-var part45 = match("MESSAGE#38:security:09", "nwparser.payload", "Possible intrusion attempt detected against account %{fld1->} from source IP address %{saddr->} for URI=[%{fld2}]%{info}", processor_chain([
- dup19,
- dup5,
- dup3,
- setc("event_description","Possible intrusion attempt detected"),
-]));
-
-var msg39 = msg("security:09", part45);
-
-var select8 = linear_select([
- msg31,
- msg32,
- msg33,
- msg34,
- msg35,
- msg36,
- msg37,
- msg38,
- msg39,
-]);
-
-var part46 = match("MESSAGE#39:httpd", "nwparser.payload", "scr_monitor: %{fld1}", processor_chain([
- dup8,
- dup3,
- dup4,
-]));
-
-var msg40 = msg("httpd", part46);
-
-var part47 = match("MESSAGE#40:Miscellaneous:01", "nwparser.payload", "Purge logs: not started. Next purge scheduled time %{fld1->} is not exceeded", processor_chain([
- dup8,
- dup3,
- dup4,
-]));
-
-var msg41 = msg("Miscellaneous:01", part47);
-
-var part48 = match("MESSAGE#41:Miscellaneous:02", "nwparser.payload", "Purge logs: finished. Deleted %{fld1->} logon records", processor_chain([
- dup8,
- dup3,
- dup4,
-]));
-
-var msg42 = msg("Miscellaneous:02", part48);
-
-var part49 = match("MESSAGE#42:Miscellaneous:03", "nwparser.payload", "Purge logs: auto started%{}", processor_chain([
- dup8,
- dup3,
- dup4,
-]));
-
-var msg43 = msg("Miscellaneous:03", part49);
-
-var part50 = match("MESSAGE#43:Miscellaneous:04", "nwparser.payload", "Database error detected, dump: %{info}", processor_chain([
- setc("eventcategory","1603000000"),
- dup3,
- dup4,
-]));
-
-var msg44 = msg("Miscellaneous:04", part50);
-
-var part51 = match("MESSAGE#44:Miscellaneous:05", "nwparser.payload", "Recovered database successfully%{}", processor_chain([
- dup8,
- dup3,
- dup4,
-]));
-
-var msg45 = msg("Miscellaneous:05", part51);
-
-var select9 = linear_select([
- msg41,
- msg42,
- msg43,
- msg44,
- msg45,
-]);
-
-var part52 = match("MESSAGE#45:kernel:07", "nwparser.payload", "kernel: Marketing_resource:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg46 = msg("kernel:07", part52);
-
-var part53 = match("MESSAGE#46:kernel:01", "nwparser.payload", "kernel: Marketing_resource: %{info}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg47 = msg("kernel:01", part53);
-
-var part54 = match("MESSAGE#47:kernel:02", "nwparser.payload", "kernel: CSLIP: %{info}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg48 = msg("kernel:02", part54);
-
-var part55 = match("MESSAGE#48:kernel:03", "nwparser.payload", "kernel: PPP %{info}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg49 = msg("kernel:03", part55);
-
-var part56 = match("MESSAGE#49:kernel:04", "nwparser.payload", "kernel: cdrom: open failed.%{}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg50 = msg("kernel:04", part56);
-
-var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg51 = msg("kernel:06", part57);
-
-var part58 = match("MESSAGE#51:kernel:05", "nwparser.payload", "kernel: %{info}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg52 = msg("kernel:05", part58);
-
-var select10 = linear_select([
- msg46,
- msg47,
- msg48,
- msg49,
- msg50,
- msg51,
- msg52,
-]);
-
-var part59 = match("MESSAGE#52:sshd", "nwparser.payload", "Accepted publickey for %{username->} from %{saddr->} port %{sport->} %{fld2}", processor_chain([
- setc("eventcategory","1401050100"),
- dup3,
-]));
-
-var msg53 = msg("sshd", part59);
-
-var part60 = match("MESSAGE#53:ntpd:01", "nwparser.payload", "frequency initialized %{fld1->} PPM from %{fld2}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg54 = msg("ntpd:01", part60);
-
-var part61 = match("MESSAGE#54:ntpd:02", "nwparser.payload", "kernel time sync status %{resultcode}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg55 = msg("ntpd:02", part61);
-
-var part62 = match("MESSAGE#55:ntpd:03", "nwparser.payload", "Listening on interface %{interface}, %{hostip}#%{network_port}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg56 = msg("ntpd:03", part62);
-
-var part63 = match("MESSAGE#56:ntpd:04", "nwparser.payload", "precision = %{duration_string}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg57 = msg("ntpd:04", part63);
-
-var part64 = match("MESSAGE#57:ntpd:05", "nwparser.payload", "ntpd %{info}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg58 = msg("ntpd:05", part64);
-
-var select11 = linear_select([
- msg54,
- msg55,
- msg56,
- msg57,
- msg58,
-]);
-
-var part65 = match("MESSAGE#58:AppTunnel:01", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport->} terminated", processor_chain([
- dup10,
- dup12,
- dup13,
- dup3,
- dup4,
-]));
-
-var msg59 = msg("AppTunnel:01", part65);
-
-var part66 = match("MESSAGE#59:AppTunnel:02", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport}", processor_chain([
- dup7,
- dup12,
- dup13,
- dup3,
- dup4,
-]));
-
-var msg60 = msg("AppTunnel:02", part66);
-
-var part67 = match("MESSAGE#60:AppTunnel:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Connection timed out", processor_chain([
- dup7,
- dup12,
- dup13,
- dup17,
- dup3,
- dup4,
-]));
-
-var msg61 = msg("AppTunnel:03", part67);
-
-var part68 = match("MESSAGE#61:AppTunnel:04", "nwparser.payload", "Connection to %{daddr->} port %{dport->} failed", processor_chain([
- dup7,
- dup12,
- dup13,
- dup17,
- dup3,
- dup4,
-]));
-
-var msg62 = msg("AppTunnel:04", part68);
-
-var part69 = match("MESSAGE#62:AppTunnel:05", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Invalid session id", processor_chain([
- dup7,
- dup12,
- dup13,
- dup3,
-]));
-
-var msg63 = msg("AppTunnel:05", part69);
-
-var select12 = linear_select([
- msg59,
- msg60,
- msg61,
- msg62,
- msg63,
-]);
-
-var part70 = match("MESSAGE#63:run-crons", "nwparser.payload", "%{fld2->} returned %{resultcode}", processor_chain([
- dup8,
- dup3,
-]));
-
-var msg64 = msg("run-crons", part70);
-
-var part71 = match("MESSAGE#64:/USR/SBIN/CRON", "nwparser.payload", "(%{username}) CMD (%{action})", processor_chain([
- dup2,
- dup3,
-]));
-
-var msg65 = msg("/USR/SBIN/CRON", part71);
-
-var part72 = match("MESSAGE#65:ntpdate", "nwparser.payload", "adjust time server %{daddr->} offset %{duration_string}", processor_chain([
- setc("eventcategory","1605030000"),
- dup3,
-]));
-
-var msg66 = msg("ntpdate", part72);
-
-var part73 = match("MESSAGE#66:heartbeat", "nwparser.payload", "info: %{info}", processor_chain([
- setc("eventcategory","1604000000"),
- dup3,
-]));
-
-var msg67 = msg("heartbeat", part73);
-
-var part74 = match("MESSAGE#67:mailer", "nwparser.payload", "Failed to send \\'%{subject}\\' to \\'%{to}\\'", processor_chain([
- setc("eventcategory","1207010200"),
- setc("ec_subject","Message"),
- setc("ec_activity","Send"),
- dup13,
- dup17,
- dup3,
-]));
-
-var msg68 = msg("mailer", part74);
-
-var part75 = match("MESSAGE#68:EndpointSecurity/0", "nwparser.payload", "id[%{fld1}]: \"%{p0}");
-
-var part76 = match("MESSAGE#68:EndpointSecurity/1_0", "nwparser.p0", "%{fld2->} - Connected%{p0}");
-
-var part77 = match("MESSAGE#68:EndpointSecurity/1_1", "nwparser.p0", "Connected%{p0}");
-
-var select13 = linear_select([
- part76,
- part77,
-]);
-
-var part78 = match("MESSAGE#68:EndpointSecurity/2", "nwparser.p0", "%{}from %{saddr->} %{info}\"");
-
-var all3 = all_match({
- processors: [
- part75,
- select13,
- part78,
- ],
- on_success: processor_chain([
- dup20,
- dup13,
- dup3,
- ]),
-});
-
-var msg69 = msg("EndpointSecurity", all3);
-
-var part79 = match("MESSAGE#69:EndpointSecurity:01", "nwparser.payload", "id[%{fld1}]: %{event_description}", processor_chain([
- dup20,
- dup13,
- dup3,
-]));
-
-var msg70 = msg("EndpointSecurity:01", part79);
-
-var select14 = linear_select([
- msg69,
- msg70,
-]);
-
-var part80 = match("MESSAGE#70:snmp", "nwparser.payload", "SNMP handler started%{}", processor_chain([
- dup20,
- dup3,
- setc("event_description","SNMP handler started"),
- setc("action","started"),
- setc("protocol","SNMP"),
-]));
-
-var msg71 = msg("snmp", part80);
-
-var part81 = match("MESSAGE#71:snmp:01", "nwparser.payload", "%{event_description}", processor_chain([
- dup20,
- dup3,
-]));
-
-var msg72 = msg("snmp:01", part81);
-
-var select15 = linear_select([
- msg71,
- msg72,
-]);
-
-var chain1 = processor_chain([
- select1,
- msgid_select({
- "/USR/SBIN/CRON": msg65,
- "AppTunnel": select12,
- "EndpointSecurity": select14,
- "GarbageCollection": select3,
- "Miscellaneous": select9,
- "NetworkAccess": select5,
- "firepass": select2,
- "heartbeat": msg67,
- "httpd": msg40,
- "kernel": select10,
- "mailer": msg68,
- "maintenance": select4,
- "ntpd": select11,
- "ntpdate": msg66,
- "run-crons": msg64,
- "security": select8,
- "snmp": select15,
- "sshd": msg53,
- }),
-]);
diff --git a/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml b/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml
deleted file mode 100644
index d303dbfff86..00000000000
--- a/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-description: Pipeline for F5 Firepass
-
-processors:
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/f5/firepass/manifest.yml b/x-pack/filebeat/module/f5/firepass/manifest.yml
deleted file mode 100644
index becd0eb7cd1..00000000000
--- a/x-pack/filebeat/module/f5/firepass/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["f5.firepass", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9509
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log b/x-pack/filebeat/module/f5/firepass/test/generated.log
deleted file mode 100644
index dcd42eb4778..00000000000
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@
-January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur
-February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819
-February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu
-firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example
-NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105
-April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape
-GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting
-May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS
-May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat
-June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: "con - Connected from 10.38.189.242 ommodic"
-/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept)
-/USR/SBIN/CRON[llu]: (uptassi) CMD (accept)
-/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny)
-August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev
-maintenance[giatq]: [quid] [fug] uatDuis
-firepass[veri]: [rsita] [siutaliq] exercit
-September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu
-September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \'uam\' to \'temq\'
-October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: "eataevit - Connected from 10.50.112.141 mqua"
-sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci
-November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \'idexea\' to \'riat\'
-heartbeat[umdolor]: [osquir] info: inim
-December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services
-December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: "Connected from 10.243.206.225 mol"
-January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan
-January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records
-snmp[gni]: [tquiinea] [mquaera] SNMP handler started
-February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb
-March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it
-sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus
-April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm
-ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup
-April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \'lupt\' to \'xea\'
-run-crons[luptatev]: admi returned modocons
-May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam
-June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214
-June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem
-firepass[rehe]: [ume] Logged out
-July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel)
-August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc
-kernel[olupt]: [modoco] kernel: cdrom: open failed.
-September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia
-September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames
-Miscellaneous[iciatisu]: [rehender] Purge logs: auto started
-October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42
-heartbeat[dolo]: [Loremip] [idolor] info: emeumfu
-November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio
-EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connected from 10.26.236.35 lumqui"
-httpd[rpo]: [uipe] [inesci] scr_monitor: serror
-ntpd[apariat]: kernel time sync status tlabore
-January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny)
-snmp[ationemu]: [ice] estiae
-February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect
-maintenance[etconse]: [tincu] ari
-March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp
-Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded
-EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connected from 10.164.6.207 olestiae"
-/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow)
-May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \'sectetur\' to \'uioffi\'
-May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \'reseos\' to \'pariatu\'
-June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor
-June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex
-/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny)
-run-crons: returned gel
-August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate
-August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started
-mailer[itatione]: [isnis] [uptasn] Failed to send \'reme\' to \'acommod\'
-mailer[udantium]: Failed to send \'pre\' to \'xeacom\'
-httpd[dictasu]: [lorinre] scr_monitor: olorsita
-ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide
-October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc
-ntpd[aturQui]: frequency initialized utlabor PPM from rau
-firepass[nisi]: [dant] shutting down for system reboot
-AppTunnel[tinvolu]: < Error - Invalid session id
-December 21 23:20:14 quidolor5025.home run-crons: returned rem
-run-crons[idolor]: [uisau] [eleum] sintoc returned volupt
-heartbeat[uiinea]: info: Utenima
-February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese
-February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc
-kernel: ionofdeF
-March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte
-AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id
-/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny)
-April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980
-heartbeat[exe]: [imadmini] [sauteiru] info: mod
-/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny)
-httpd[eriti]: [litessec] scr_monitor: itas
-June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor
-July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host
-mailer[untut]: [uamni] Failed to send \'ctet\' to \'ati\'
-August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist
-August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel)
-kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm
-September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi
-October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau
-October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo
-November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account
-heartbeat[iduntu]: [idestlab] info: rnatur
-run-crons[essequam]: acommo returned nturma
-December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
deleted file mode 100644
index 6c58cc63ba7..00000000000
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json
+++ /dev/null
@@ -1,2321 +0,0 @@
-[
- {
- "destination.ip": [
- "10.232.59.7"
- ],
- "event.code": "ntpdate",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 0,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.232.59.7"
- ],
- "rsa.internal.messageid": "ntpdate",
- "rsa.time.duration_str": "tur",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "ntpd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819",
- "fileset.name": "firepass",
- "host.ip": "10.58.254.89",
- "input.type": "log",
- "log.offset": 100,
- "network.interface.name": "lo4377",
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.58.254.89"
- ],
- "rsa.internal.messageid": "ntpd",
- "rsa.network.interface": "lo4377",
- "rsa.network.network_port": 4819,
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "sshd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 216,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.36.11.87"
- ],
- "related.user": [
- "uii"
- ],
- "rsa.internal.messageid": "sshd",
- "service.type": "f5",
- "source.ip": [
- "10.36.11.87"
- ],
- "source.port": 1803,
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "uii"
- },
- {
- "event.code": "firepass",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example",
- "fileset.name": "firepass",
- "host.name": "eosquir5191.www.example",
- "input.type": "log",
- "log.offset": 347,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "quipexe"
- ],
- "rsa.internal.messageid": "firepass",
- "rsa.investigations.ec_activity": "Stop",
- "rsa.investigations.ec_subject": "Service",
- "rsa.network.alias_host": [
- "eosquir5191.www.example"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "quipexe"
- },
- {
- "destination.ip": [
- "10.194.156.105"
- ],
- "event.code": "NetworkAccess",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 432,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.194.156.105"
- ],
- "related.user": [
- "uidolor"
- ],
- "rsa.internal.messageid": "NetworkAccess",
- "rsa.investigations.ec_subject": "NetworkComm",
- "rsa.investigations.ec_theme": "Communication",
- "rsa.misc.log_session_id": "nibus",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "uidolor"
- },
- {
- "event.code": "EndpointSecurity",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 544,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "emape",
- "rsa.internal.messageid": "EndpointSecurity",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "GarbageCollection",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 640,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "GarbageCollection",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 720,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "roinBCS",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "firepass",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 795,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "equat",
- "rsa.internal.messageid": "firepass",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "EndpointSecurity",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: \"con - Connected from 10.38.189.242 ommodic\"",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 869,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.38.189.242"
- ],
- "rsa.db.index": "ommodic",
- "rsa.internal.messageid": "EndpointSecurity",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "source.ip": [
- "10.38.189.242"
- ],
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.action": "accept",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 996,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "atcup"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "accept"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "atcup"
- },
- {
- "event.action": "accept",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "/USR/SBIN/CRON[llu]: (uptassi) CMD (accept)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1060,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "uptassi"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "accept"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "uptassi"
- },
- {
- "event.action": "deny",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1104,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "isetq"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "deny"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "isetq"
- },
- {
- "event.code": "sshd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1155,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.175.6.112"
- ],
- "related.user": [
- "sum"
- ],
- "rsa.internal.messageid": "sshd",
- "service.type": "f5",
- "source.ip": [
- "10.175.6.112"
- ],
- "source.port": 5509,
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "sum"
- },
- {
- "event.code": "maintenance",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "maintenance[giatq]: [quid] [fug] uatDuis",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1267,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "quid"
- ],
- "rsa.db.index": "uatDuis",
- "rsa.internal.messageid": "maintenance",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "quid"
- },
- {
- "event.code": "firepass",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "firepass[veri]: [rsita] [siutaliq] exercit",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1308,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "exercit",
- "rsa.internal.messageid": "firepass",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "destination.ip": [
- "10.230.12.79"
- ],
- "destination.port": 340,
- "event.code": "kernel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1351,
- "network.protocol": "ggp",
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.230.12.79",
- "10.18.220.102"
- ],
- "rsa.db.index": "obeataev",
- "rsa.internal.messageid": "kernel",
- "service.type": "f5",
- "source.ip": [
- "10.18.220.102"
- ],
- "source.port": 5000,
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "mailer",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \\'uam\\' to \\'temq\\'",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1524,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.email.email_dst": "temq",
- "rsa.email.subject": "uam",
- "rsa.internal.messageid": "mailer",
- "rsa.investigations.ec_activity": "Send",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "Message",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "EndpointSecurity",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: \"eataevit - Connected from 10.50.112.141 mqua\"",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1630,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.50.112.141"
- ],
- "rsa.db.index": "mqua",
- "rsa.internal.messageid": "EndpointSecurity",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "source.ip": [
- "10.50.112.141"
- ],
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "sshd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1754,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.61.78.108"
- ],
- "related.user": [
- "err"
- ],
- "rsa.internal.messageid": "sshd",
- "service.type": "f5",
- "source.ip": [
- "10.61.78.108"
- ],
- "source.port": 2398,
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "err"
- },
- {
- "event.code": "mailer",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \\'idexea\\' to \\'riat\\'",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1842,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.email.email_dst": "riat",
- "rsa.email.subject": "idexea",
- "rsa.internal.messageid": "mailer",
- "rsa.investigations.ec_activity": "Send",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "Message",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "heartbeat[umdolor]: [osquir] info: inim",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1935,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "inim",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "GarbageCollection",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 1975,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "timeout happened. restarting services",
- "rsa.internal.messageid": "GarbageCollection",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "EndpointSecurity",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: \"Connected from 10.243.206.225 mol\"",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2080,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.243.206.225"
- ],
- "rsa.db.index": "mol",
- "rsa.internal.messageid": "EndpointSecurity",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "source.ip": [
- "10.243.206.225"
- ],
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "kernel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2210,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "ccusan",
- "rsa.internal.messageid": "kernel",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "Miscellaneous",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2293,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "taevi"
- ],
- "rsa.internal.messageid": "Miscellaneous",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "taevi"
- },
- {
- "event.action": "started",
- "event.code": "snmp",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "snmp[gni]: [tquiinea] [mquaera] SNMP handler started",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2426,
- "network.protocol": "SNMP",
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "SNMP handler started",
- "rsa.internal.messageid": "snmp",
- "rsa.misc.action": [
- "started"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "sshd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2479,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.0.3.58"
- ],
- "related.user": [
- "labor"
- ],
- "rsa.internal.messageid": "sshd",
- "service.type": "f5",
- "source.ip": [
- "10.0.3.58"
- ],
- "source.port": 7224,
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "labor"
- },
- {
- "event.code": "GarbageCollection",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2605,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "GarbageCollection",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "sshd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2732,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.169.144.147"
- ],
- "related.user": [
- "ist"
- ],
- "rsa.internal.messageid": "sshd",
- "service.type": "f5",
- "source.ip": [
- "10.169.144.147"
- ],
- "source.port": 2399,
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "ist"
- },
- {
- "event.code": "kernel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2826,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "omm",
- "rsa.internal.messageid": "kernel",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "destination.ip": [
- "10.196.105.137"
- ],
- "event.code": "ntpdate",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2921,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.196.105.137"
- ],
- "rsa.internal.messageid": "ntpdate",
- "rsa.time.duration_str": "lup",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "mailer",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 2984,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.email.email_dst": "xea",
- "rsa.email.subject": "lupt",
- "rsa.internal.messageid": "mailer",
- "rsa.investigations.ec_activity": "Send",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "Message",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "run-crons",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "run-crons[luptatev]: admi returned modocons",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3068,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "run-crons",
- "rsa.misc.result_code": "modocons",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "destination.ip": [
- "10.46.158.31"
- ],
- "destination.port": 3369,
- "event.code": "kernel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3112,
- "network.protocol": "rdp",
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.46.158.31",
- "10.117.146.33"
- ],
- "rsa.db.index": "dun",
- "rsa.internal.messageid": "kernel",
- "service.type": "f5",
- "source.ip": [
- "10.117.146.33"
- ],
- "source.port": 703,
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.action": "block",
- "event.code": "security",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214",
- "event.outcome": "unknown",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3287,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.196.136.214"
- ],
- "rsa.internal.messageid": "security",
- "rsa.investigations.ec_activity": "Logon",
- "rsa.investigations.ec_outcome": "Error",
- "rsa.investigations.ec_subject": "User",
- "rsa.investigations.ec_theme": "Authentication",
- "rsa.misc.action": [
- "block"
- ],
- "service.type": "f5",
- "source.ip": [
- "10.196.136.214"
- ],
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "maintenance",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3385,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "mexercit"
- ],
- "rsa.internal.messageid": "maintenance",
- "rsa.investigations.ec_activity": "Logoff",
- "rsa.investigations.ec_subject": "NetworkComm",
- "rsa.investigations.ec_theme": "Communication",
- "rsa.misc.log_session_id": "dtem",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "mexercit"
- },
- {
- "event.code": "firepass",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "firepass[rehe]: [ume] Logged out",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3477,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "ume"
- ],
- "rsa.internal.messageid": "firepass",
- "rsa.investigations.ec_activity": "Logoff",
- "rsa.investigations.ec_subject": "User",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "ume"
- },
- {
- "event.action": "cancel",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3510,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "dexeaco"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "cancel"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "dexeaco"
- },
- {
- "event.code": "snmp",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3602,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "erc",
- "rsa.internal.messageid": "snmp",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "kernel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "kernel[olupt]: [modoco] kernel: cdrom: open failed.",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3670,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "kernel",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "EndpointSecurity",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3722,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "uasia",
- "rsa.internal.messageid": "EndpointSecurity",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "EndpointSecurity",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3808,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "uames",
- "rsa.internal.messageid": "EndpointSecurity",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "Miscellaneous",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "Miscellaneous[iciatisu]: [rehender] Purge logs: auto started",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3898,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "rehender"
- ],
- "rsa.internal.messageid": "Miscellaneous",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "rehender"
- },
- {
- "destination.ip": [
- "10.192.18.42"
- ],
- "event.code": "NetworkAccess",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 3959,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.192.18.42"
- ],
- "related.user": [
- "equatD"
- ],
- "rsa.internal.messageid": "NetworkAccess",
- "rsa.investigations.ec_subject": "NetworkComm",
- "rsa.investigations.ec_theme": "Communication",
- "rsa.misc.log_session_id": "isno",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "equatD"
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "heartbeat[dolo]: [Loremip] [idolor] info: emeumfu",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4103,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "emeumfu",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "sshd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4153,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.86.63.253"
- ],
- "related.user": [
- "amvolup"
- ],
- "rsa.internal.messageid": "sshd",
- "service.type": "f5",
- "source.ip": [
- "10.86.63.253"
- ],
- "source.port": 2133,
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "amvolup"
- },
- {
- "event.code": "EndpointSecurity",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connected from 10.26.236.35 lumqui\"",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4288,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.26.236.35"
- ],
- "rsa.db.index": "lumqui",
- "rsa.internal.messageid": "EndpointSecurity",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "source.ip": [
- "10.26.236.35"
- ],
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "httpd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "httpd[rpo]: [uipe] [inesci] scr_monitor: serror",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4378,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "uipe"
- ],
- "rsa.internal.messageid": "httpd",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "uipe"
- },
- {
- "event.code": "ntpd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "ntpd[apariat]: kernel time sync status tlabore",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4426,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "ntpd",
- "rsa.misc.result_code": "tlabore",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.action": "deny",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4473,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "isc"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "deny"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "isc"
- },
- {
- "event.code": "snmp",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "snmp[ationemu]: [ice] estiae",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4569,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "estiae",
- "rsa.internal.messageid": "snmp",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "destination.ip": [
- "10.170.148.40"
- ],
- "event.code": "ntpdate",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4598,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.170.148.40"
- ],
- "rsa.internal.messageid": "ntpdate",
- "rsa.time.duration_str": "hitect",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "maintenance",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "maintenance[etconse]: [tincu] ari",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4706,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "tincu"
- ],
- "rsa.db.index": "ari",
- "rsa.internal.messageid": "maintenance",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "tincu"
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4740,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "texp",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "Miscellaneous",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "Miscellaneous[emoe]: [eaq] Purge logs: not started. Next purge scheduled time amest is not exceeded",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4819,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "eaq"
- ],
- "rsa.internal.messageid": "Miscellaneous",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "eaq"
- },
- {
- "event.code": "EndpointSecurity",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connected from 10.164.6.207 olestiae\"",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 4919,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.164.6.207"
- ],
- "rsa.db.index": "olestiae",
- "rsa.internal.messageid": "EndpointSecurity",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "source.ip": [
- "10.164.6.207"
- ],
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.action": "allow",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5016,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "amre"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "allow"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "amre"
- },
- {
- "event.code": "mailer",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \\'sectetur\\' to \\'uioffi\\'",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5071,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.email.email_dst": "uioffi",
- "rsa.email.subject": "sectetur",
- "rsa.internal.messageid": "mailer",
- "rsa.investigations.ec_activity": "Send",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "Message",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "mailer",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \\'reseos\\' to \\'pariatu\\'",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5170,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.email.email_dst": "pariatu",
- "rsa.email.subject": "reseos",
- "rsa.internal.messageid": "mailer",
- "rsa.investigations.ec_activity": "Send",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "Message",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5259,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "olor",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "run-crons",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5350,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "run-crons",
- "rsa.misc.result_code": "tasuntex",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.action": "deny",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5430,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "lamcolab"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "deny"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "lamcolab"
- },
- {
- "event.code": "run-crons",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "run-crons: returned gel",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5494,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "run-crons",
- "rsa.misc.result_code": "gel",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5519,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "uptate",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "Miscellaneous",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5599,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "aliquam"
- ],
- "rsa.internal.messageid": "Miscellaneous",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "aliquam"
- },
- {
- "event.code": "mailer",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "mailer[itatione]: [isnis] [uptasn] Failed to send \\'reme\\' to \\'acommod\\'",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5692,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.email.email_dst": "acommod",
- "rsa.email.subject": "reme",
- "rsa.internal.messageid": "mailer",
- "rsa.investigations.ec_activity": "Send",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "Message",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "mailer",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "mailer[udantium]: Failed to send \\'pre\\' to \\'xeacom\\'",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5766,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.email.email_dst": "xeacom",
- "rsa.email.subject": "pre",
- "rsa.internal.messageid": "mailer",
- "rsa.investigations.ec_activity": "Send",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "Message",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "httpd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "httpd[dictasu]: [lorinre] scr_monitor: olorsita",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5821,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "lorinre"
- ],
- "rsa.internal.messageid": "httpd",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "lorinre"
- },
- {
- "destination.ip": [
- "10.105.76.230"
- ],
- "event.code": "ntpdate",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5869,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.105.76.230"
- ],
- "rsa.internal.messageid": "ntpdate",
- "rsa.time.duration_str": "aliquide",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "run-crons",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 5942,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "run-crons",
- "rsa.misc.result_code": "intocc",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "ntpd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "ntpd[aturQui]: frequency initialized utlabor PPM from rau",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6036,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "ntpd",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "firepass",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "firepass[nisi]: [dant] shutting down for system reboot",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6094,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.event_desc": "shutting down for system reboot",
- "rsa.internal.messageid": "firepass",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "AppTunnel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "AppTunnel[tinvolu]: < Error - Invalid session id",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6149,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "AppTunnel",
- "rsa.investigations.ec_subject": "NetworkComm",
- "rsa.investigations.ec_theme": "Communication",
- "rsa.misc.log_session_id": "iurer",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "run-crons",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "December 21 23:20:14 quidolor5025.home run-crons: returned rem",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6205,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "run-crons",
- "rsa.misc.result_code": "rem",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "run-crons",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "run-crons[idolor]: [uisau] [eleum] sintoc returned volupt",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6269,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "run-crons",
- "rsa.misc.result_code": "volupt",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "heartbeat[uiinea]: info: Utenima",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6327,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "Utenima",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "destination.ip": [
- "10.25.52.65"
- ],
- "event.code": "ntpdate",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6360,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.25.52.65"
- ],
- "rsa.internal.messageid": "ntpdate",
- "rsa.time.duration_str": "ese",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6466,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "ntocc",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "kernel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "kernel: ionofdeF",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6547,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "ionofdeF",
- "rsa.internal.messageid": "kernel",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "ntpd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6564,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "ntpd",
- "rsa.time.duration_str": "epte",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "AppTunnel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6636,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "AppTunnel",
- "rsa.investigations.ec_subject": "NetworkComm",
- "rsa.investigations.ec_theme": "Communication",
- "rsa.misc.log_session_id": "uatD",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.action": "deny",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6709,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "ntocca"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "deny"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "ntocca"
- },
- {
- "event.code": "maintenance",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6764,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "ntmollit"
- ],
- "rsa.internal.messageid": "maintenance",
- "rsa.network.network_port": 6980,
- "rsa.web.fqdn": "ipsumd6116.local",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "ntmollit"
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "heartbeat[exe]: [imadmini] [sauteiru] info: mod",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6886,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "mod",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.action": "deny",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6934,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "tnulapa"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "deny"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "tnulapa"
- },
- {
- "event.code": "httpd",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "httpd[eriti]: [litessec] scr_monitor: itas",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 6985,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "litessec"
- ],
- "rsa.internal.messageid": "httpd",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "litessec"
- },
- {
- "destination.ip": [
- "10.186.101.163"
- ],
- "event.code": "ntpdate",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7028,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.186.101.163"
- ],
- "rsa.internal.messageid": "ntpdate",
- "rsa.time.duration_str": "utlabor",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "firepass",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host",
- "fileset.name": "firepass",
- "host.name": "eufugi2923.internal.host",
- "input.type": "log",
- "log.offset": 7151,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "tvolupt"
- ],
- "rsa.internal.messageid": "firepass",
- "rsa.investigations.ec_activity": "Start",
- "rsa.investigations.ec_subject": "Service",
- "rsa.network.alias_host": [
- "eufugi2923.internal.host"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "tvolupt"
- },
- {
- "event.code": "mailer",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "mailer[untut]: [uamni] Failed to send \\'ctet\\' to \\'ati\\'",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7270,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.email.email_dst": "ati",
- "rsa.email.subject": "ctet",
- "rsa.internal.messageid": "mailer",
- "rsa.investigations.ec_activity": "Send",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "Message",
- "rsa.investigations.ec_theme": "Communication",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "NetworkAccess",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7328,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "ven"
- ],
- "rsa.db.index": "nisist",
- "rsa.internal.messageid": "NetworkAccess",
- "rsa.investigations.ec_subject": "NetworkComm",
- "rsa.investigations.ec_theme": "Communication",
- "rsa.misc.log_session_id": "con",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "ven"
- },
- {
- "event.action": "cancel",
- "event.code": "/USR/SBIN/CRON",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel)",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7416,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "laudant"
- ],
- "rsa.internal.messageid": "/USR/SBIN/CRON",
- "rsa.misc.action": [
- "cancel"
- ],
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "laudant"
- },
- {
- "event.code": "kernel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7518,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "runtm",
- "rsa.internal.messageid": "kernel",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7569,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "oremi",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7646,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "mquelau",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "run-crons",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7717,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "run-crons",
- "rsa.misc.result_code": "idolo",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "security",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account",
- "event.outcome": "failure",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7821,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.user": [
- "fugi"
- ],
- "rsa.internal.messageid": "security",
- "rsa.investigations.ec_activity": "Logon",
- "rsa.investigations.ec_outcome": "Failure",
- "rsa.investigations.ec_subject": "User",
- "rsa.investigations.ec_theme": "Policy",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ],
- "user.name": "fugi"
- },
- {
- "event.code": "heartbeat",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "heartbeat[iduntu]: [idestlab] info: rnatur",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7948,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.db.index": "rnatur",
- "rsa.internal.messageid": "heartbeat",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "event.code": "run-crons",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "run-crons[essequam]: acommo returned nturma",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 7991,
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "rsa.internal.messageid": "run-crons",
- "rsa.misc.result_code": "nturma",
- "service.type": "f5",
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- },
- {
- "destination.ip": [
- "10.225.181.30"
- ],
- "destination.port": 5390,
- "event.code": "kernel",
- "event.dataset": "f5.firepass",
- "event.module": "f5",
- "event.original": "December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut",
- "fileset.name": "firepass",
- "input.type": "log",
- "log.offset": 8035,
- "network.protocol": "udp",
- "observer.product": "FirePass",
- "observer.type": "VPN",
- "observer.vendor": "F5",
- "related.ip": [
- "10.225.181.30",
- "10.65.175.9"
- ],
- "rsa.db.index": "uia",
- "rsa.internal.messageid": "kernel",
- "service.type": "f5",
- "source.ip": [
- "10.65.175.9"
- ],
- "source.port": 4412,
- "tags": [
- "f5.firepass",
- "forwarded"
- ]
- }
-]
\ No newline at end of file
diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled
index 2c0e0cd0dd0..7815a1e4452 100644
--- a/x-pack/filebeat/modules.d/f5.yml.disabled
+++ b/x-pack/filebeat/modules.d/f5.yml.disabled
@@ -20,22 +20,3 @@
# "local" (default) for system timezone.
# "+02:00" for GMT+02:00
# var.tz_offset: local
-
- firepass:
- enabled: true
-
- # Set which input to use between udp (default), tcp or file.
- # var.input: udp
- # var.syslog_host: localhost
- # var.syslog_port: 9509
-
- # Set paths for the log files when file input is used.
- # var.paths:
-
- # Toggle output of non-ECS fields (default true).
- # var.rsa_fields: true
-
- # Set custom timezone offset.
- # "local" (default) for system timezone.
- # "+02:00" for GMT+02:00
- # var.tz_offset: local