diff --git a/.ci/scripts/generate_build_table.py b/.ci/scripts/generate_build_table.py
index 350eb3e83e3..47e26cc1755 100755
--- a/.ci/scripts/generate_build_table.py
+++ b/.ci/scripts/generate_build_table.py
@@ -31,6 +31,7 @@
 if "withModule" in doc["stages"][stage]:
 withModule = doc["stages"][stage]["withModule"]
 if "when" in doc["stages"][stage]:
- when = f"optional"
+ if "not_changeset_full_match" not in doc["stages"][stage]["when"]:
+ when = "optional"
 print("| {} | {} | `{}` | {} | `{}` | {} |".format(
 module, stage, command, withModule, platforms, when))
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 3fa0e65f2d4..0480d59e246 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -230,6 +230,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix typo in config docs {pull}23185[23185]
 - Fix `nested` subfield handling in generated Elasticsearch templates. {issue}23178[23178] {pull}23183[23183]
 - Fix CPU usage metrics on VMs with dynamic CPU config {pull}23154[23154]
+- Add FAQ entry for madvdontneed variable {pull}23429[23429]
 - Fix panic due to unhandled DeletedFinalStateUnknown in k8s OnDelete {pull}23419[23419]
 - Fix error loop with runaway CPU use when the Kafka output encounters some connection errors {pull}23484[23484]
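Review bot: The added guard repeats `doc["stages"][stage]` and nests a second `if` where a single condition reads more directly; `if "when" in doc["stages"][stage] and "not_changeset_full_match" not in (doc["stages"][stage]["when"] or {}):` followed by `when = "optional"` gives the same outcome and also tolerates a `when:` key left without a value, which `in` on `None` would otherwise reject with a TypeError (whether any Jenkinsfile leaves it empty is not visible here). A one-line comment such as `# stages gated only by not_changeset_full_match still run by default, so they are not reported as optional` would record why this key changes the table cell; that meaning of the key is inferred from the Jenkinsfile hunks on this page rather than shown in the script. The loop that binds `stage`, and the default assigned to `when`, lie before the hunk.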
@@ -269,6 +270,13 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix integer overflow in S3 offsets when collecting very large files. {pull}22523[22523] - Fix various processing errors in the Suricata module. {pull}23236[23236] - Fix CredentialsJSON unpacking for `gcp-pubsub` and `httpjson` inputs. {pull}23277[23277] +- CheckPoint Firewall module: Change event.severity JSON data type to a number because the field mapping is a `long`. {pull}23424[23424] +- Cisco IOS: Change icmp.type/code and igmp.type JSON data types to strings because the fields mappings are `keyword`. {pull}23424[23424] +- CrowdStrike Falcon: Change JSON field types to match the field mappings. {pull}23424[23424] +- Fortinet Firewall: Drop `fortinet.firewall.assignip` when the value is "N/A". {pull}23424[23424] +- Juniper SRX: Change JSON field types to match the field mappings. {pull}23424[23424] +- Suricata EVE: Convert `suricata.eve.flow_id` to string because the field is a keyword in the mapping. {pull}23424[23424] +- Zeek DNS: Ignore failures in data type conversions. And change `dns.id` JSON field to a string to match its `keyword` mapping. {pull}23424[23424] - Change the `event.created` in Netflow events to be the time the event was created by Filebeat to be consistent with ECS. {pull}23094[23094] - Update `filestream` reader offset when a line is skipped. {pull}23417[23417] @@ -487,6 +495,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update config in `windows.yml` file. {issue}23027[23027]{pull}23327[23327] - Add stack monitoring section to elasticsearch module documentation {pull}#23286[23286] - Fix metric grouping for windows/perfmon module {issue}23489[23489] {pull}23505[23505] +- Add check for iis/application_pool metricset for nil worker process id values. {issue}23605[23605] {pull}23647[23647] *Packetbeat* 
@@ -503,6 +512,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Functionbeat* +*Elastic Logging Plugin* +- Fix out of date CLI flags on docs. {pull}23628[23628] + ==== Added @@ -812,6 +824,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added support for first_event context in filebeat httpjson input {pull}23437[23437] - Add parsing of tcp flags to AWS vpcflow fileset {issue}228020[22820] {pull}23157[23157] - Added `alternative_host` option to google pubsub input {pull}23215[23215] +- Added username parsing from Cisco ASA message 302013. {pull}21196[21196] - Added `encode_as` and `decode_as` options to httpjson along with pluggable encoders/decoders {pull}23478[23478] - Added `application/x-ndjson` as decode option for httpjson input {pull}23521[23521] - Added `application/x-www-form-urlencoded` as encode option for httpjson input {pull}23521[23521] @@ -978,6 +991,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add additional event categorization for security and sysmon modules. {pull}22988[22988] - Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999] - Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046] +- Add Audit and Authentication Polixy Change Events and related.ip information {pull}20684[20684] *Elastic Log Driver* diff --git a/auditbeat/Jenkinsfile.yml b/auditbeat/Jenkinsfile.yml index 3a022706d8c..755449b552c 100644 --- a/auditbeat/Jenkinsfile.yml +++ b/auditbeat/Jenkinsfile.yml 
@@ -72,45 +72,33 @@ stages:
 platforms: ## override default labels in this specific stage.
 - "windows-2016"
 when: ## Override the top-level when.
- comments:
- - "/test auditbeat for windows-2016"
- labels:
- - "windows-2016"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-2012:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-2012-r2"
 when: ## Override the top-level when.
- comments:
- - "/test auditbeat for windows-2012"
- labels:
- - "windows-2012"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-10:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-10"
 when: ## Override the top-level when.
- comments:
- - "/test auditbeat for windows-10"
- labels:
- - "windows-10"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-8:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-8"
 when: ## Override the top-level when.
- comments:
- - "/test auditbeat for windows-8"
- labels:
- - "windows-8"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 #windows-7: See https://github.com/elastic/beats/issues/19831
 # mage: "mage build unitTest"
 # platforms: ## override default labels in this specific stage.
diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml
index 712ebf7ee67..cc8cfdba2db 100644
--- a/auditbeat/auditbeat.reference.yml
+++ b/auditbeat/auditbeat.reference.yml
@@ -527,8 +527,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -660,8 +658,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
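Review bot: The inline comment `## Disable the stage if ONLY changes for the x-pack` on every new `not_changeset_full_match` line reads awkwardly; `## Skip this stage when every changed file is under x-pack/` states the gate directly. The literal `"^x-pack/.*"` is now duplicated once per Windows stage here and again in the filebeat and heartbeat Jenkinsfile hunks; if the pipeline's YAML loader honours anchors, defining it once per file (`not_changeset_full_match: &xpack_only "^x-pack/.*"`) and referencing it elsewhere (`not_changeset_full_match: *xpack_only`) would stop the stages drifting apart, though anchor support in the shared library is not visible here. The `stages:` mapping that encloses these entries begins before the hunk.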
@@ -867,8 +863,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -1029,8 +1023,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -1331,8 +1323,6 @@ setup.kibana: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
@@ -1534,8 +1524,6 @@ logging.files: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative diff --git a/filebeat/Jenkinsfile.yml b/filebeat/Jenkinsfile.yml index 403b1fcc291..1680583d1bc 100644 --- a/filebeat/Jenkinsfile.yml +++ b/filebeat/Jenkinsfile.yml 
@@ -66,34 +66,25 @@ stages:
 platforms: ## override default labels in this specific stage.
 - "windows-2016"
 when: ## Override the top-level when.
- comments:
- - "/test filebeat for windows-2016"
- labels:
- - "windows-2016"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-10:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-10"
 when: ## Override the top-level when.
- comments:
- - "/test filebeat for windows-10"
- labels:
- - "windows-10"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-8:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-8"
 when: ## Override the top-level when.
- comments:
- - "/test filebeat for windows-8"
- labels:
- - "windows-8"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 #windows-7: See https://github.com/elastic/beats/issues/22317
 # mage: "mage build unitTest"
 # platforms: ## override default labels in this specific stage.
@@ -110,9 +101,6 @@ stages:
 platforms: ## override default labels in this specific stage.
 - "windows-7-32-bit"
 when: ## Override the top-level when.
- comments:
- - "/test filebeat for windows-7-32"
- labels:
- - "windows-7-32"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
diff --git a/filebeat/docs/running-on-kubernetes.asciidoc b/filebeat/docs/running-on-kubernetes.asciidoc
index bab7de20b58..a04fde00ef1 100644
--- a/filebeat/docs/running-on-kubernetes.asciidoc
+++ b/filebeat/docs/running-on-kubernetes.asciidoc
@@ -112,6 +112,28 @@ oc patch namespace kube-system -p \
 This command sets the node selector for the project to an empty string. If you don't run this command, the default node selector will skip master nodes.
+[float]
+==== Load {kib} dashboards
+{beatname_uc} comes packaged with various pre-built {kib} dashboards
+that you can use to visualize logs from your Kubernetes environment.
+If these dashboards are not already loaded into {kib}, you must <<{beatname_lc}-installation-configuration,install {beatname_uc}>>
+on any system that can connect to the {stack}, and then run the `setup` command to load the dashboards.
+To learn how, see <>.
+The `setup` command does not load the ingest pipelines used to parse log lines. By default, ingest pipelines
+are set up automatically the first time you run {beatname_uc} and connect to {es}.
+[IMPORTANT]
+=======================================
+If you are using a different output other than {es}, such as {ls}, you
+need to:
+* <>
+* <>
+* <>
+=======================================
 [float]
 ==== Deploy
diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml
index 858d307a57e..2a5533bb636 100644
--- a/filebeat/filebeat.reference.yml
+++ b/filebeat/filebeat.reference.yml
@@ -1407,8 +1407,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -1540,8 +1538,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -1747,8 +1743,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
@@ -1909,8 +1903,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -2211,8 +2203,6 @@ setup.kibana: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -2414,8 +2404,6 @@ logging.files: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
diff --git a/heartbeat/Jenkinsfile.yml b/heartbeat/Jenkinsfile.yml
index ac2fc59cc64..ce0488be4e3 100644
--- a/heartbeat/Jenkinsfile.yml
+++ b/heartbeat/Jenkinsfile.yml
@@ -64,75 +64,54 @@ stages:
 platforms: ## override default labels in this specific stage.
 - "windows-2016"
 when: ## Override the top-level when.
- comments:
- - "/test heartbeat for windows-2016"
- labels:
- - "windows-2016"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-2012:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-2012-r2"
 when: ## Override the top-level when.
- comments:
- - "/test heartbeat for windows-2012"
- labels:
- - "windows-2012"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-10:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-10"
 when: ## Override the top-level when.
- comments:
- - "/test heartbeat for windows-10"
- labels:
- - "windows-10"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-2008:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-2008-r2"
 when: ## Override the top-level when.
- comments:
- - "/test heartbeat for windows-2008"
- labels:
- - "windows-2008"
- branches: true ## for all the branches
- tags: true ## for all the tag
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-8:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-8"
 when: ## Override the top-level when.
- comments:
- - "/test heartbeat for windows-8"
- labels:
- - "windows-8"
- branches: true ## for all the branches
- tags: true ## for all the tag
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-7:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-7"
 when: ## Override the top-level when.
- comments:
- - "/test heartbeat for windows-7"
- labels:
- - "windows-7"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
 windows-7-32:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-7-32-bit"
 when: ## Override the top-level when.
- comments:
- - "/test heartbeat for windows-7-32"
- labels:
- - "windows-7-32"
- branches: true ## for all the branches
- tags: true ## for all the tags
+ not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack
+ branches: true ## for all the branches
+ tags: true ## for all the tags
diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml
index 63501b14e2d..85e00f43342 100644
--- a/heartbeat/heartbeat.reference.yml
+++ b/heartbeat/heartbeat.reference.yml
@@ -705,8 +705,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -838,8 +836,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -1045,8 +1041,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
@@ -1207,8 +1201,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -1509,8 +1501,6 @@ setup.kibana: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -1712,8 +1702,6 @@ logging.files: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
diff --git a/journalbeat/journalbeat.reference.yml b/journalbeat/journalbeat.reference.yml index 7664a3edbd4..35c6dbb4c05 100644 --- a/journalbeat/journalbeat.reference.yml +++ b/journalbeat/journalbeat.reference.yml @@ -470,8 +470,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -603,8 +601,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
@@ -810,8 +806,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -972,8 +966,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -1274,8 +1266,6 @@ setup.kibana: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
@@ -1477,8 +1467,6 @@ logging.files: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative diff --git a/libbeat/_meta/config/ssl.reference.yml.tmpl b/libbeat/_meta/config/ssl.reference.yml.tmpl index 69b666f9c97..65920fb646f 100644 --- a/libbeat/_meta/config/ssl.reference.yml.tmpl +++ b/libbeat/_meta/config/ssl.reference.yml.tmpl @@ -5,8 +5,6 @@ # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. -# * certificate, which verifies that the provided certificate is signed by a -# trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative diff --git a/libbeat/common/transport/tlscommon/testdata/ca.crt b/libbeat/common/transport/tlscommon/testdata/ca.crt index da2bce043f7..f08fd34367e 100644 --- a/libbeat/common/transport/tlscommon/testdata/ca.crt +++ b/libbeat/common/transport/tlscommon/testdata/ca.crt 
@@ -1,19 +1,32 @@ -----BEGIN CERTIFICATE----- -MIIC/zCCAeegAwIBAgIJAIVZ8xw3LMNkMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV -BAMMC21vcmVsbG8ub3ZoMB4XDTE5MDgwOTA5MzQwMFoXDTI5MDgwNjA5MzQwMFow -FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQCoM2HYyuTTlu41SlgVO0Hdx7eUQevGSKO6pjPjN49/KKY1z/3DoKzr -seWaGOjiWUAqx/GHX8AsR9ToVoKGBbSNeDxT33pt3I9aCnnOPTt3yDIOlr4ZWnKq -NnNHwfydsMBfBAYgdU/L506KuNHJQ18Zey5+A0roTWyHUT48mQBsjetXg77RfDMB -MYVOWETfl70GKAaAlVGZfJHCkfBzYnPcEjqtcuU/7d27WZrSMhXifzHAEmm0KPER -EWdo4UHTK23wLY6dvkp2O5i0bKHv+PuLpqYrm7R7SWGhhwD651n5S5W20FHDow+d -js0yW2gqYsZZN6S1uAsJ8rdYAEPhK9J9AgMBAAGjUDBOMB0GA1UdDgQWBBQ6Lsen -0HbE+7M6iV9r8n5rZrbl4jAfBgNVHSMEGDAWgBQ6Lsen0HbE+7M6iV9r8n5rZrbl -4jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAgrLJnK4s/OVnh8CRk -GmikP+ZxhDs4k1nlr7+rTYkU0huoHK8p802w4zd74szYsHpo8kON/zSmFD7JpU4L -o2kseENqMsgrCPhF3+TDwf/Li43pbK162iAq8ZEpYnSXbQsRyP+Tz0lzoEoli6o7 -6KVn4VNookLMyhGIAOmhfbNm0jG+B2zz+bvoTAe9CiDfvq1k0fnuKFzRtRsj09NJ -FNMhSc02N4EDrGpL5CYmEXjPZS3lUsoYPwbYlmUt3Bzuf5hI0mDHCt3BYKH1vFI4 -W8/h9wwGn/yytsH21dkj41KEQK6N65gT9i0fBBiubuS2H1SVMMJ/J7PUqol278Ar -zGpS +MIIFhzCCA2+gAwIBAgIUL0vc8AdVKIcjap/RSpH21trR70swDQYJKoZIhvcNAQEL +BQAwUzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xFzAVBgNVBAMMDmNhQGV4YW1wbGUuY29tMB4XDTIxMDEy +NTE2MzQ0OFoXDTMxMDEyMzE2MzQ0OFowUzELMAkGA1UEBhMCVVMxEzARBgNVBAgM +CkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFzAVBgNVBAMMDmNh +QGV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx0rP +p+sMWe3RehThE5Mh1s8uKsujG0q+Q62s4G4mBE5tQnmSS0LoezWuGMKNyjWQR4dt +IvicPZQfEhqOvdYAIA5fsQE8CMoXW50Q43kQlBUbvZH0yldUFtFtRLPD4RRtwB26 +sUhWLUUCdk4mZBUmAuhMbIoov+TZ8/EZBdqjRBqM9p+k/C9xfitqXKmBWvWOmc0i +NUpxMjJ0C18vVcoAneiMQbB4iBNFviSLxrhnH9sno6IKG/WSCmOaPirmGzMr/PYQ +Wa4j69xQfGd4VBwolShI+fkoCmMQMk06XENUXo9V75sgbV0U0PAjBv4Kqye/r6s2 +1wJKNnS8Ib4rBJAeh5PqebVmpgJUc8lAeC/4SE3Edw6yGILwuGnfZjZJeRgX+OMd +u5K29gvx4Kf0ZZ5F34vzsDwa8CGTTvdth8aNDhO4ETThxUtjqXSA91ewf93Tf3X5 
+Rzbg1K5hSHFVcd53Hec6/5Aqiw5PBARa2Ekj1ZW9PHHrSf/x+axyOyK+akUOoI8X +FlgImdr21pKZPSFNpvrYURRYDz8/ftFlcbsx32D3/uQZJW6FpvyguFWnVrGFm7He +ptWvYP2wM0XSOsHQXhogv09sgZhxgViHbc7/PZXOpTFlQt1MXygXVuf0eBUTiJI4 +a595gF4F6Kx/ppBjWge+ZUUsnFjhHVhHvhzvncUCAwEAAaNTMFEwHQYDVR0OBBYE +FHg4mXfbBjMpE8mJUh/yPrfuD2yBMB8GA1UdIwQYMBaAFHg4mXfbBjMpE8mJUh/y +PrfuD2yBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAA+yu1mF +QoMeL5MwWr7O8q41Fu1n6BpRMm6KD0JOVWCJezW7anOJmcuySk6j2FRMPl3Z2fMH +p1I4420LlxN9H7QD5TVUJWCcujb2W9vhH9/R0qj9G9gkixfI0H/cGWd+Pe71ub5b +wxBTIe7U20uQ9imje8rShiZvgg3EocbWgPZcDnfHFjXVw/A1ocyIwpqjxooU8jiN +n1479sYR+R5TMc0zgZrTOKspcbNq5TEK138sFt79VB2d4oJNV/D0p0GktKpwisiZ ++xjr6iD2gZ9GGi0l0nQmtmLs+QAMuj+yOZX8CPwJlg7JuJYJ/nu0I5tBB1kOBml6 +Jk2o5o3gU6FbfLc3j7aQ/kRP14ByfXqXPTVNbPxrVzFEsAx/NVWaVqbH9iwSye1G +M4kpvZ9RvEHHegNxoN3spKaJkpM056gTBJhWQIHGCOAqv7Izm68NqjSX6+wx92iZ +ujR1PR9pJdOYtjhdmQrWGLK7a06AaOo1v5iQOJ9SN48ucyN2hY2wIZ5IMdQC2I9P +IhIRTSX28cT0WRnH9Sdv9fWQLSfNwrcYWiTDd5+0ImspCC3HzwcTjqTCoT6utrmU +eHAzLPjoUu9FvnrZJW3eMOffvHSh3lK8yW3dv2HKFoXaBD5dL2irk4yacSAIIo2f +4T44UqQSs2U1ip1CHbP64vI1FRNfhDdZRU8w -----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/ca.key b/libbeat/common/transport/tlscommon/testdata/ca.key new file mode 100644 index 00000000000..9061f4479dc --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/ca.key 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAx0rPp+sMWe3RehThE5Mh1s8uKsujG0q+Q62s4G4mBE5tQnmS +S0LoezWuGMKNyjWQR4dtIvicPZQfEhqOvdYAIA5fsQE8CMoXW50Q43kQlBUbvZH0 +yldUFtFtRLPD4RRtwB26sUhWLUUCdk4mZBUmAuhMbIoov+TZ8/EZBdqjRBqM9p+k +/C9xfitqXKmBWvWOmc0iNUpxMjJ0C18vVcoAneiMQbB4iBNFviSLxrhnH9sno6IK +G/WSCmOaPirmGzMr/PYQWa4j69xQfGd4VBwolShI+fkoCmMQMk06XENUXo9V75sg +bV0U0PAjBv4Kqye/r6s21wJKNnS8Ib4rBJAeh5PqebVmpgJUc8lAeC/4SE3Edw6y +GILwuGnfZjZJeRgX+OMdu5K29gvx4Kf0ZZ5F34vzsDwa8CGTTvdth8aNDhO4ETTh +xUtjqXSA91ewf93Tf3X5Rzbg1K5hSHFVcd53Hec6/5Aqiw5PBARa2Ekj1ZW9PHHr +Sf/x+axyOyK+akUOoI8XFlgImdr21pKZPSFNpvrYURRYDz8/ftFlcbsx32D3/uQZ +JW6FpvyguFWnVrGFm7HeptWvYP2wM0XSOsHQXhogv09sgZhxgViHbc7/PZXOpTFl +Qt1MXygXVuf0eBUTiJI4a595gF4F6Kx/ppBjWge+ZUUsnFjhHVhHvhzvncUCAwEA +AQKCAgBD0xIY88WgVW+VPMXdA5XgpWHw7pz0DNvz7IeJWfNWQ9qrZPSE6KB2Ti6R +/qSCzPftYAmkfTevPVnVr3Qk50/jmQC4HNNxqlWIuEunHuyleQmX2rSUqGPV4DBv +0T44u9seJwAClbu+bF4KJU6rgQcOtkBMMDjuFdSXUNZTR7WI2ABhbrOXoA3gAqaQ +IqADdM6zSTz7JfqgOsuDk0Fo0Pakxx/0uzpKFUUHESkA2IFANjWnWt5V5Z1uK7ey +sKbfWur9jEDERJ+1BaXesNgix/KH0M4FROZ7ontAo0fZXpC4HdABW6oNjkAnW5KQ +LqUy2rRB9OMVCZJ4NgJQ+YdqZiH9J63IIObGDyV5MDNmu3N88aGaT/29LrOTX2+A +g1FZZxdEBapRonk1KRvoX2PfPWReB02ThSQePVb7LEQ4ETMP/Qdc4ACynTrkhRot +ehcHpuiSkpu0sZgZh+7l5+PxTIHspmeg/Dws6f0m9yJjpzS4ATOfo5AX6ZjFy6vf +IEJZ9Rj7F4CB15jj5jQ1Bd6lYgqqaHbrUOupLLN8fIe/S+IK6uETczAgvYaNazhf +8sS2xxFRNWKwImHrhg8yq/oA5Zfpyu4ypEck/XM/cXh49b3HjxhyKA1Xa2tBaXjX +JPgIw+lMRBMLkxCcp3B5s0pPqw+FB2JNW9xOE3aaRcmPmRm0AQKCAQEA+i6/U4kW +gVkDIqykj2OmBzIyWFnJSrnnDWKUmwf5F8X3oT6F5+v9ltqBeHuwfH8FaOQ4kf7e +5G2BT9mujay4yUtFX0/ok+/UdfWBli718JYp6TnqGQHn/ABwvngDKdDkvx4UJ9bV +jUZiQnKbMCHuuXlpiV6ByzyCPGdvU+ND5m5WBln82B184FicnsUQWcU4XnLVu3Rs +WBeLR42/mP91byQc/ZUjEUWnYPyiK/SFcHP2B5B88aJYNboMGwfupePTijl278Oh +Y0U8zcPaY9fp/tjEJtDvv299psY42wfv+kUl9qPWv9wY9DB47Itc+ecdmUeL2w76 +thi1ZeTL7Of8LQKCAQEAy+0ha/p/F3AkX4vZs2Du+u04BcU+Lnjn6jpXFVudeJl/ +o8X3ctcv5C8Lf2Zb3cl5xgDV17/W0sH8oVcyOje78mAC180mMrTSbGECMdgy5y0/ 
+kVu+qaksPL/PuVz1rdFGSJGh588DTGVceXGqEnvZwPO+zwbGExgXKDfZQirq95Fp +7ocvQqRHOj/jVyNhSzSMJEcjG6fWCzBLIvQGYnT/pmVZCV3zJhKyRf8LwDu01nZf +b62YYuzrrHm5xUXs/GtySdfibDgDDCAu0WBJzDlayaVttQHIXV98/1zdEMo3WQmz +QfhN6q1iXNP0TDZdixvSY7qPPkwpuAgoFIAVarBu+QKCAQAlkTl3oME5YRVgco4v +XeZDdF0s+SaJywqP7vqjoPndgQOjOdE/tycYLO1+GwywVR6J1qNMAPqVUIA3bleQ +vJvu1hevrT8eX8gGgnwYAis6GkJm3CRz5t5f7+z+HOVUtSJ0NF8QcGkW0rfUhIMb +Ii1HupyHXSKeUxK3YUzNSvYaNv1B7OdTyHHE+mliSfMfl8bUH+hKQrw2Kirm7rkT +j2Ch9MlJpshiQpRUsvrjIM+cyDzse9zXJ+qY/rvsny9Nx70vJ1vduwGT94Se3UcA +8R4Y/5HMxlkJ5QL4NRG6iiGV8iY2N/n6S2GP4Wt3EaI/gF3oc17j4QbyqxkqGMYq +Z9dtAoIBABHAdb1ZlACtUW1D1lKoKIWNaugNsIkJG18nbvc7/2xFKHhQPmcv1kpt +0floJq0a4c/buMHMQF4eZuiAl627tk+2DelNQXr+hKbMlw1RvbSkGrmDnAhW4rPz +GpkPP4++/PhKPSbZvXbECBXGUEDFqUIDteN9unZlDXcBzZbV95hPf0I1YGbTuCOY +9ihauxh53Y026BZ7OMXGkXPcfEXL24lXnzWSiR0SWZSATDyStf5JVat6GB7ccvOT +sRk8KhIbJFrLQTmccp92mby+Pg5aG84b6X3tRsziCBaOtevFPqYwkvs2K0o3h61/ +AfA0d1YpuNnXnqqUpLkRdLO8JqEf9LkCggEBALDwHe1SSdKc7BDws8zxr6bJyVxL +h2nvA43SWhhSA3jsQtxi4xS0f1GRzWoczjAJFNcLRCdnKkEBfMpBL03s9rexy1Pa +3Dd1WaiyDfvGpbTr8l0M+R5kEcr5MfCfsAKcnoN4/egaqkNLKMi7eFfrEloiRO3y +rX7DmH2p8Oe0cY5bhSBJrwMS2fVh/SYfOiCVLhymmuH4hVmtJ6YCBWAY4Fhk16Iu +wsiTfvbibKSvFA9MJe+25UQugdVgHLzG84OSK4lMDMd37BTex84dH1P/r5shvuLx +nBSUOKXETOQMAA71hoMveHxox9fwGSmh2oLeaEVvdpADpWfpsCZzt05iXjM= +-----END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/testdata/server.crt b/libbeat/common/transport/tlscommon/testdata/server.crt new file mode 100644 index 00000000000..50ca5ce8b32 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/server.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDlTCCAX0CAQEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFzAVBgNVBAMM +DmNhQGV4YW1wbGUuY29tMB4XDTIxMDEyNTE2MzQ0OVoXDTMxMDEyMzE2MzQ0OVow +UjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh +biBGcmFuY2lzY28xFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBALFuNygrGLLSnD//JRfU6xMDqgizeVdQqDlLaP/HxQ84 +9RPWnjfbyx2M25JYcLvewPqKQ80lOYnMRhpvujmuKP7gQHNDWOsyXH5JljTX78Wb +I+nuVMeYjbUOh+6EgYNY59G5rH7xqgeu3y1YERfNdchEG8xjSxYeIZ7Ev6VMFF8r +AgMBAAEwDQYJKoZIhvcNAQELBQADggIBALyHDjVcY6Po1eHWTUCLLOW1ZzzkX4qu +gsfJM6qTIZIqh/O6tROGqH9kRw8SarIIZvtztfzuYtmQBE0qkBMzPzdN3x+3C4pz +jf2vsEKRqva9mf9y+JM0Mv0WUuPfusHxPKOCl1on71kP1GL1bYylKqazgVa2tAVa +78xs35YIuCM5apt0X+QO+Tnz/qfqJ7t3F7mP1aeCjYm8J20S8vKTYgkRkFX/8VJB +1zRPl0CAMyoHOMcrmb7wX8V1CIER7VBQ7h580B7/7okrw+Hr3xyMOA0w1DiRUQJE +biHBuDTRDmRg6W5nAwNLFLp/RfHttny0nEEcnzcjEStEKyDGbNg1W2ieWuIhgUza +L3W3ld9LDD9pMnQ8yYTMcL+J2Ir6ErhpGL3Hks42W2c/qYhvo3we6B2ADfsS7P+m +ku5W7/G2fDIlj6rtzaAeur+LSgsjU6kc1et2SJxjcJMPrS4xHxpAhJzD7h7f5N/B +RBc5cT2sE2vuUBRGkz0wC9AC2/kxmv4RwjsrYTY8rEOqHRkxDF18lfFocAoq7Hvr +lO6ft9/knzTQzKiizc6unXsLhUCvBzt50bA/gVLXmUmr1sncATKHWOLbvfRWat4I +0m52jlowgqnJPsXtl+wwNYHaw9gF71RTx/Ov2vZ8xm5SeBNkO8cpdAftETAEqpgp +fDlIVeywLvoN +-----END CERTIFICATE----- diff --git a/libbeat/common/transport/tlscommon/testdata/server.key b/libbeat/common/transport/tlscommon/testdata/server.key new file mode 100644 index 00000000000..8bb153a9006 --- /dev/null +++ b/libbeat/common/transport/tlscommon/testdata/server.key 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQCxbjcoKxiy0pw//yUX1OsTA6oIs3lXUKg5S2j/x8UPOPUT1p43 +28sdjNuSWHC73sD6ikPNJTmJzEYab7o5rij+4EBzQ1jrMlx+SZY01+/FmyPp7lTH +mI21DofuhIGDWOfRuax+8aoHrt8tWBEXzXXIRBvMY0sWHiGexL+lTBRfKwIDAQAB +AoGAaBKW5cfJl/JzVhJphn4MWL3YeXwUW4Pi+KBj+UwLKW+mSTmk2mzgyfd6P3AC +yB/Tn+GD/YutIUehgxYv7G9ceZC85EsPM6+1s887olgKNKbCiZZvrLBcBCzEhzkN +QpC2/cuOOVYdYYQJZp9RX7herAJ5aqxZHUUtCrudgfCiAckCQQDo37NhBBfUlLc4 +LW3ryxydsh7MrTMU63+5IVtXosV3TFdWN9LC6CCarkILcOG5tmEmM6v1UQRAgCkm +lb+/3SrXAkEAwwz9+mcAU1lTTiy+dCJkKepviT4Ex+BFl0yJPfSN5+/Wg15DjwsN +vdE0H5nAT65aECiYy8V9DKNwHNcTIaZXzQJBAMvoPOBhPiCVC410MgC6e9cVRWTA +766Muuy26Y1l6HQac4r6HGEv8oSeuxPbhrsfmBdkPVjz1L5Juj6f9yOgHEcCQHMH +pHkaaay+D00ZQjDHX38AzUqJEtS1xRTXhFDPeyj/3uiWnQ0tHauGR1EjobDcSC0j +ZAk4rOjZMnMvvA6qRTkCQQCT6B0edwnMc9q/4XcdF+LptWRiYNbSKkrisb304N+d +lqbB76fGQY22onWcZEvcOmifmzmgj56QXSUot+fkNlVK +-----END RSA PRIVATE KEY----- diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go index 9e7eb4548db..718dbe42db9 100644 --- a/libbeat/common/transport/tlscommon/tls_config.go +++ b/libbeat/common/transport/tlscommon/tls_config.go @@ -288,7 +288,7 @@ func verifyHostname(cert *x509.Certificate, hostname string) error { } for _, name := range dnsnames { - if len(name) > 0 && len(hostname) > 0 && name == hostname { + if matchHostnames(name, hostname) { if !validHostname(name, true) { return fmt.Errorf("invalid hostname in cert") } diff --git a/libbeat/common/transport/tlscommon/tls_config_test.go b/libbeat/common/transport/tlscommon/tls_config_test.go index 1490664d3d3..76dfa61497f 100644 --- a/libbeat/common/transport/tlscommon/tls_config_test.go +++ b/libbeat/common/transport/tlscommon/tls_config_test.go 
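Review bot: `matchHostnames(name, hostname)` now applies wildcard processing to the configured `hostname` without ever validating it, while the certificate name is only checked with `validHostname(name, true)` after a match has already succeeded; a hostname such as `.example.com` splits into an empty leading label that the `*` of `*.example.com` accepts. crypto/x509 avoids this by using wildcard matching only when both the candidate host and the pattern are valid hostnames and falling back to an exact comparison otherwise, e.g. `if name == hostname || (validHostname(hostname, false) && matchHostnames(name, hostname)) {` (assuming the bool parameter of validHostname is an is-pattern flag, as the existing `validHostname(name, true)` call suggests). Since `hostname` comes from the Beat's own configuration rather than from the peer the exposure is limited, but the guard is cheap and keeps the semantics aligned with the standard library. verifyHostname begins and ends outside this hunk.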
@@ -34,7 +34,10 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 t.Fatalf("failed to open test certs: %+v", err)
 }
- testCA, errs := LoadCertificateAuthorities([]string{filepath.Join("testdata", "cacert.crt")})
+ testCA, errs := LoadCertificateAuthorities([]string{
+ filepath.Join("testdata", "ca.crt"),
+ filepath.Join("testdata", "cacert.crt"),
+ })
 if len(errs) > 0 {
 t.Fatalf("failed to load test certificate authorities: %+v", errs)
 }
@@ -83,6 +86,15 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 expectedCallback: true,
 expectedError: nil,
 },
+ "default verification with certificates when required with correct wildcard cert": {
+ verificationMode: VerifyFull,
+ clientAuth: tls.RequireAndVerifyClientCert,
+ certAuthorities: testCA,
+ peerCerts: []*x509.Certificate{testCerts["wildcard"]},
+ serverName: "hello.example.com",
+ expectedCallback: true,
+ expectedError: nil,
+ },
 "certificate verification with certificates when required with correct cert": {
 verificationMode: VerifyCertificate,
 clientAuth: tls.RequireAndVerifyClientCert,
@@ -181,6 +193,7 @@ func openTestCerts() (map[string]*x509.Certificate, error) {
 "expired": "tls.crt",
 "unknown authority": "unsigned_tls.crt",
 "correct": "client1.crt",
+ "wildcard": "server.crt",
 } {
 certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certname))
diff --git a/libbeat/common/transport/tlscommon/validhostname.go b/libbeat/common/transport/tlscommon/validhostname.go
index 15370b4d4f9..a6b2af7fb7c 100644
--- a/libbeat/common/transport/tlscommon/validhostname.go
+++ b/libbeat/common/transport/tlscommon/validhostname.go
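Review bot: The new `wildcard` case only pins the positive match, so a regression that widened `*.example.com` to also accept `example.com` or `a.b.example.com` would still pass this table; add sibling entries with `serverName: "example.com"` and `serverName: "a.b.example.com"` expecting `expectedCallback: false` and the mismatch error the table's existing negative cases use, plus a `HELLO.example.com` entry to pin the ASCII case-folding. The `server.crt` fixture the case loads also appears to be a v1 certificate (its serial follows the outer header directly, so no extensions block can be present), which would mean its only name is the CN `*.example.com` and the case exercises a CN fallback in verifyHostname rather than subjectAltName matching; if so, regenerating it as v3 with `DNS:*.example.com` would reflect what CAs actually issue. Its key looks like 1024-bit RSA (the `MIICXQIBAAKBgQ` PEM prefix), which tightened key-size policies in future Go releases may reject, so a 2048-bit key is worth using while regenerating. TestMakeVerifyServerConnection begins and ends outside these hunks.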
@@ -47,7 +47,69 @@ package tlscommon -import "strings" +import ( + "strings" + "unicode/utf8" +) + +func matchHostnames(pattern, host string) bool { + pattern = toLowerCaseASCII(pattern) + host = toLowerCaseASCII(strings.TrimSuffix(host, ".")) + + if len(pattern) == 0 || len(host) == 0 { + return false + } + + patternParts := strings.Split(pattern, ".") + hostParts := strings.Split(host, ".") + + if len(patternParts) != len(hostParts) { + return false + } + + for i, patternPart := range patternParts { + if i == 0 && patternPart == "*" { + continue + } + if patternPart != hostParts[i] { + return false + } + } + + return true +} + +// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use +// an explicitly ASCII function to avoid any sharp corners resulting from +// performing Unicode operations on DNS labels. +func toLowerCaseASCII(in string) string { + // If the string is already lower-case then there's nothing to do. + isAlreadyLowerCase := true + for _, c := range in { + if c == utf8.RuneError { + // If we get a UTF-8 error then there might be + // upper-case ASCII bytes in the invalid sequence. + isAlreadyLowerCase = false + break + } + if 'A' <= c && c <= 'Z' { + isAlreadyLowerCase = false + break + } + } + + if isAlreadyLowerCase { + return in + } + + out := []byte(in) + for i, c := range out { + if 'A' <= c && c <= 'Z' { + out[i] += 'a' - 'A' + } + } + return string(out) +} // validHostname reports whether host is a valid hostname that can be matched or // matched against according to RFC 6125 2.2, with some leniency to accommodate diff --git a/libbeat/docs/howto/load-dashboards.asciidoc b/libbeat/docs/howto/load-dashboards.asciidoc index c03b512d636..2b70e48e3ff 100644 --- a/libbeat/docs/howto/load-dashboards.asciidoc +++ b/libbeat/docs/howto/load-dashboards.asciidoc 
@@ -15,98 +15,44 @@ ifdef::has_solutions[] TIP: For deeper observability into your infrastructure, you can use the {metrics-app} and the {logs-app} in {kib}. -For more details, see {observability-guide}/analyze-metrics.html[Analyze metrics] -and {observability-guide}/monitor-logs.html[Monitor logs]. +For more details, see {observability-guide}/analyze-metrics.html[Metrics monitoring] +and {observability-guide}/monitor-logs.html[Log monitoring]. endif::has_solutions[] {beatname_uc} comes packaged with example Kibana dashboards, visualizations, and searches for visualizing {beatname_uc} data in Kibana. Before you can use the dashboards, you need to create the index pattern, +{beat_default_index_prefix}-*+, and -load the dashboards into Kibana. To do this, you can either run the `setup` +load the dashboards into Kibana. + +To do this, you can either run the `setup` command (as described here) or <> in the -+{beatname_lc}.yml+ config file. - -This requires a Kibana endpoint configuration. If you didn't already configure ++{beatname_lc}.yml+ config file. This requires a Kibana endpoint configuration. If you didn't already configure a Kibana endpoint, see <>. +[float] +[[load-dashboards]] +=== Load dashboards + Make sure Kibana is running before you perform this step. If you are accessing a secured Kibana instance, make sure you've configured credentials as described in the <<{beatname_lc}-installation-configuration>>. -To set up the Kibana dashboards for {beatname_uc}, use the appropriate command -for your system. The command shown here loads the dashboards from the {beatname_uc} -package. For more options, such as loading customized dashboards, see -{beatsdevguide}/import-dashboards.html[Importing Existing Beat Dashboards] in -the _Beats Developer Guide_. -ifndef::no-output-logstash[] -If you've configured the Logstash output, see -<>. 
-endif::[] +To load the recommended index template for writing to {es} and deploy the sample dashboards +for visualizing the data in {kib}, use the command that works with your system. ifdef::requires-sudo[] include::{libbeat-dir}/shared-note-sudo.asciidoc[] endif::requires-sudo[] -ifdef::deb_os,rpm_os[] -*deb and rpm:* - -["source","sh",subs="attributes"] ----------------------------------------------------------------------- -{beatname_lc} setup --dashboards ----------------------------------------------------------------------- -endif::deb_os,rpm_os[] - -ifdef::mac_os[] -*mac:* - -["source","sh",subs="attributes"] ----------------------------------------------------------------------- -./{beatname_lc} setup --dashboards ----------------------------------------------------------------------- - -*brew:* - -["source","sh",subs="attributes"] ----------------------------------------------------------------------- -{beatname_lc} setup --dashboards ----------------------------------------------------------------------- -endif::mac_os[] +include::{libbeat-dir}/tab-widgets/load-dashboards-widget.asciidoc[] -ifdef::linux_os[] -*linux:* - -["source","sh",subs="attributes"] ----------------------------------------------------------------------- -./{beatname_lc} setup --dashboards ----------------------------------------------------------------------- -endif::linux_os[] - -ifdef::docker_platform[] -*docker:* - -["source","sh",subs="attributes"] ----------------------------------------------------------------------- -docker run --net="host" {dockerimage} setup --dashboards ----------------------------------------------------------------------- -endif::docker_platform[] - -ifdef::win_os[] -ifndef::win_only[] -*win:* -endif::win_only[] - -Open a PowerShell prompt as an Administrator (right-click the PowerShell icon -and select *Run As Administrator*). 
- -From the PowerShell prompt, change to the directory where you installed {beatname_uc}, -and run: - -["source","sh",subs="attributes"] ----------------------------------------------------------------------- -PS > .{backslash}{beatname_lc}.exe setup --dashboards ----------------------------------------------------------------------- -endif::win_os[] +For more options, such as loading customized dashboards, see +{beatsdevguide}/import-dashboards.html[Importing Existing Beat Dashboards]. +ifndef::no-output-logstash[] +If you've configured the Logstash output, see +<>. +endif::[] ifndef::no-output-logstash[] [float] 
@@ -128,95 +74,9 @@ ifdef::serverless[] in environment variables. endif::[] -ifdef::deb_os,rpm_os[] -*deb and rpm:* - -["source","sh",subs="attributes"] ----- -{beatname_lc} setup -e \ - -E output.logstash.enabled=false \ - -E output.elasticsearch.hosts=['localhost:9200'] \ - -E output.elasticsearch.username={beat_default_index_prefix}_internal \ - -E output.elasticsearch.password={pwd} \ - -E setup.kibana.host=localhost:5601 ----- -endif::deb_os,rpm_os[] - -ifdef::mac_os[] -*mac:* - -["source","sh",subs="attributes"] ----- -./{beatname_lc} setup -e \ - -E output.logstash.enabled=false \ - -E output.elasticsearch.hosts=['localhost:9200'] \ - -E output.elasticsearch.username={beat_default_index_prefix}_internal \ - -E output.elasticsearch.password={pwd} \ - -E setup.kibana.host=localhost:5601 ----- - -*brew:* - -["source","sh",subs="attributes"] ----- -{beatname_lc} setup -e \ - -E output.logstash.enabled=false \ - -E output.elasticsearch.hosts=['localhost:9200'] \ - -E output.elasticsearch.username={beat_default_index_prefix}_internal \ - -E output.elasticsearch.password={pwd} \ - -E setup.kibana.host=localhost:5601 ----- -endif::mac_os[] - -ifdef::linux_os[] -*linux:* - -["source","sh",subs="attributes"] ----- -./{beatname_lc} setup -e \ - -E output.logstash.enabled=false \ - -E output.elasticsearch.hosts=['localhost:9200'] \ - -E output.elasticsearch.username={beat_default_index_prefix}_internal \ - -E output.elasticsearch.password={pwd} \ - -E setup.kibana.host=localhost:5601 ----- -endif::linux_os[] - -ifdef::docker_platform[] -*docker:* - -["source","sh",subs="attributes"] ----- -docker run --net="host" {dockerimage} setup -e \ - -E output.logstash.enabled=false \ - -E output.elasticsearch.hosts=['localhost:9200'] \ - -E output.elasticsearch.username={beat_default_index_prefix}_internal \ - -E output.elasticsearch.password={pwd} \ - -E setup.kibana.host=localhost:5601 ----- -endif::docker_platform[] - -ifdef::win_os[] -ifndef::win_only[] -*win:* 
-endif::win_only[] - -Open a PowerShell prompt as an Administrator (right-click the PowerShell icon -and select *Run As Administrator*). - -From the PowerShell prompt, change to the directory where you installed {beatname_uc}, -and run: - -["source","sh",subs="attributes"] ----- -PS > .{backslash}{beatname_lc}.exe setup -e ` - -E output.logstash.enabled=false ` - -E output.elasticsearch.hosts=['localhost:9200'] ` - -E output.elasticsearch.username={beat_default_index_prefix}_internal ` - -E output.elasticsearch.password={pwd} ` - -E setup.kibana.host=localhost:5601 ----- -endif::win_os[] - endif::no-output-logstash[] +include::{libbeat-dir}/tab-widgets/load-dashboards-logstash-widget.asciidoc[] + +// Add Javascript and CSS for tabbed panels +include::{libbeat-dir}/tab-widgets/code.asciidoc[] diff --git a/libbeat/docs/shared-cloudfoundry.asciidoc b/libbeat/docs/shared-cloudfoundry.asciidoc index 1219a6312bc..ad75a2ba310 100644 --- a/libbeat/docs/shared-cloudfoundry.asciidoc +++ b/libbeat/docs/shared-cloudfoundry.asciidoc 
@@ -53,6 +53,35 @@ curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/cloud You need to modify the +{beatname_lc}.yml+ file to set the `api_address`, `client_id` and `client_secret`. +==== Load {kib} dashboards + +{beatname_uc} comes packaged with various pre-built {kib} dashboards +that you can use to visualize data in {kib}. + +If these dashboards are not already loaded into {kib}, you must run the {beatname_uc} `setup` command. +To learn how, see <>. + +ifeval::["{beatname_lc}"=="metricbeat"] +[IMPORTANT] +======================================= +If you are using a different output other than {es}, such as {ls}, you +need to <> and <>. +======================================= +endif::[] +ifeval::["{beatname_lc}"=="filebeat"] +The `setup` command does not load the ingest pipelines used to parse log lines. By default, ingest pipelines +are set up automatically the first time you run {beatname_uc} and connect to {es}. + +[IMPORTANT] +======================================= +If you are using a different output other than {es}, such as {ls}, you +need to: + +* <> +* <> +* <> +======================================= +endif::[] ==== Deploy {beatname_uc} diff --git a/libbeat/docs/shared-faq.asciidoc b/libbeat/docs/shared-faq.asciidoc index d6c48b73aa9..d1c35e4710c 100644 --- a/libbeat/docs/shared-faq.asciidoc +++ b/libbeat/docs/shared-faq.asciidoc @@ -154,7 +154,7 @@ To resolve this problem, try one of these solutions: * Create a DNS entry for the hostname mapping it to the server's IP. * Create an entry in `/etc/hosts` for the hostname. Or on Windows add an entry to `C:\Windows\System32\drivers\etc\hosts`. -* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This make the +* Re-create the server certificate and add a SubjectAltName (SAN) for the IP address of the server. This makes the server's certificate valid for both the hostname and the IP address. [[getsockopt-no-route-to-host]] 
@@ -206,3 +206,10 @@ to +{beatname_lc}-customname-*+. For more information, see {kibana-ref}/index-patterns.html[Creating an index pattern] in the {kib} docs. endif::no_dashboards[] + +[[madvdontneed-rss]] +=== High RSS memory usage due to MADV settings + +In versions of {beatname_uc} prior to 7.10.2, the go runtime defaults to `MADV_FREE` by default. +In some cases, this can lead to high RSS memory usage while the kernel waits to reclaim any pages assigned to {beatname_uc}. +On versions prior to 7.10.2, set the `GODEBUG="madvdontneed=1"` environment variable if you run into RSS usage issues. diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index ce573aae38d..31eedd1e19a 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc @@ -105,7 +105,7 @@ NOTE: SSL settings are disabled if either `enabled` is set to `false` or the ==== `certificate_authorities` The list of root certificates for server verifications. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used. If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. -By default you can specify a list of file that +{beatname_lc} will read, but you can also embed a certificate directly in the `YAML` configuration: +By default you can specify a list of files that +{beatname_lc} will read, but you can also embed a certificate directly in the `YAML` configuration: [source,yaml] ---- 
@@ -234,6 +234,10 @@ Controls the verification of certificates. Valid values are: * `full`, which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server's hostname (or IP address) matches the names identified within the certificate. + * `strict`, which verifies that the provided certificate is signed by a trusted +authority (CA) and also verifies that the server's hostname (or IP address) +matches the names identified within the certificate. If the Subject Alternative +Name is empty, it returns an error. * `certificate`, which verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification. * `none`, which performs _no verification_ of the server's certificate. This diff --git a/libbeat/docs/tab-widgets/load-dashboards-logstash-widget.asciidoc b/libbeat/docs/tab-widgets/load-dashboards-logstash-widget.asciidoc new file mode 100644 index 00000000000..899775edccd --- /dev/null +++ b/libbeat/docs/tab-widgets/load-dashboards-logstash-widget.asciidoc @@ -0,0 +1,130 @@ +++++ +
+
+ + + + + + + +
+
+++++ + +include::load-dashboards-logstash.asciidoc[tag=deb] + +++++ +
+ + + + + + +
+++++ \ No newline at end of file diff --git a/libbeat/docs/tab-widgets/load-dashboards-logstash.asciidoc b/libbeat/docs/tab-widgets/load-dashboards-logstash.asciidoc new file mode 100644 index 00000000000..c49aefcfa19 --- /dev/null +++ b/libbeat/docs/tab-widgets/load-dashboards-logstash.asciidoc 
@@ -0,0 +1,88 @@ +// tag::deb[] +["source","sh",subs="attributes"] +---- +{beatname_lc} setup -e \ + -E output.logstash.enabled=false \ + -E output.elasticsearch.hosts=['localhost:9200'] \ + -E output.elasticsearch.username={beat_default_index_prefix}_internal \ + -E output.elasticsearch.password={pwd} \ + -E setup.kibana.host=localhost:5601 +---- +// end::deb[] + +// tag::rpm[] +["source","sh",subs="attributes"] +---- +{beatname_lc} setup -e \ + -E output.logstash.enabled=false \ + -E output.elasticsearch.hosts=['localhost:9200'] \ + -E output.elasticsearch.username={beat_default_index_prefix}_internal \ + -E output.elasticsearch.password={pwd} \ + -E setup.kibana.host=localhost:5601 +---- +// end::rpm[] + +// tag::mac[] +["source","sh",subs="attributes"] +---- +./{beatname_lc} setup -e \ + -E output.logstash.enabled=false \ + -E output.elasticsearch.hosts=['localhost:9200'] \ + -E output.elasticsearch.username={beat_default_index_prefix}_internal \ + -E output.elasticsearch.password={pwd} \ + -E setup.kibana.host=localhost:5601 +---- +// end::mac[] + +// tag::brew[] +["source","sh",subs="attributes"] +---- +{beatname_lc} setup -e \ + -E output.logstash.enabled=false \ + -E output.elasticsearch.hosts=['localhost:9200'] \ + -E output.elasticsearch.username={beat_default_index_prefix}_internal \ + -E output.elasticsearch.password={pwd} \ + -E setup.kibana.host=localhost:5601 +---- +// end::brew[] + +// tag::linux[] +["source","sh",subs="attributes"] +---- +./{beatname_lc} setup -e \ + -E output.logstash.enabled=false \ + -E output.elasticsearch.hosts=['localhost:9200'] \ + -E output.elasticsearch.username={beat_default_index_prefix}_internal \ + -E output.elasticsearch.password={pwd} \ + -E setup.kibana.host=localhost:5601 +---- +// end::linux[] + +// tag::docker[] +["source","sh",subs="attributes"] +---- +docker run --net="host" {dockerimage} setup -e \ + -E output.logstash.enabled=false \ + -E output.elasticsearch.hosts=['localhost:9200'] \ + -E 
output.elasticsearch.username={beat_default_index_prefix}_internal \ + -E output.elasticsearch.password={pwd} \ + -E setup.kibana.host=localhost:5601 +---- +// end::docker[] + +// tag::win[] + +Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select *Run As Administrator*). + +From the PowerShell prompt, change to the directory where you installed {beatname_uc}, and run: + +["source","sh",subs="attributes"] +---- +PS > .{backslash}{beatname_lc}.exe setup -e ` + -E output.logstash.enabled=false ` + -E output.elasticsearch.hosts=['localhost:9200'] ` + -E output.elasticsearch.username={beat_default_index_prefix}_internal ` + -E output.elasticsearch.password={pwd} ` + -E setup.kibana.host=localhost:5601 +---- +// end::win[] \ No newline at end of file diff --git a/libbeat/docs/tab-widgets/load-dashboards-widget.asciidoc b/libbeat/docs/tab-widgets/load-dashboards-widget.asciidoc new file mode 100644 index 00000000000..52d191b66a6 --- /dev/null +++ b/libbeat/docs/tab-widgets/load-dashboards-widget.asciidoc @@ -0,0 +1,130 @@ +++++ +
+
+ + + + + + + +
+
+++++ + +include::load-dashboards.asciidoc[tag=deb] + +++++ +
+ + + + + + +
+++++ \ No newline at end of file diff --git a/libbeat/docs/tab-widgets/load-dashboards.asciidoc b/libbeat/docs/tab-widgets/load-dashboards.asciidoc new file mode 100644 index 00000000000..6f93e08aa3b --- /dev/null +++ b/libbeat/docs/tab-widgets/load-dashboards.asciidoc @@ -0,0 +1,55 @@ +// tag::deb[] +["source","sh",subs="attributes"] +---- +{beatname_lc} setup --dashboards +---- +// end::deb[] + +// tag::rpm[] +["source","sh",subs="attributes"] +---- +{beatname_lc} setup --dashboards +---- +// end::rpm[] + +// tag::mac[] +["source","sh",subs="attributes"] +---- +./{beatname_lc} setup --dashboards +---- +// end::mac[] + +// tag::brew[] +["source","sh",subs="attributes"] +---- +{beatname_lc} setup --dashboards +---- +// end::brew[] + +// tag::linux[] +["source","sh",subs="attributes"] +---- +./{beatname_lc} setup --dashboards +---- +// end::linux[] + +// tag::docker[] +["source","sh",subs="attributes"] +---- +docker run --net="host" {dockerimage} setup --dashboards +---- +// end::docker[] + +// tag::win[] + +Open a PowerShell prompt as an Administrator (right-click the PowerShell icon +and select *Run As Administrator*). + +From the PowerShell prompt, change to the directory where you installed {beatname_uc}, +and run: + +["source","sh",subs="attributes"] +---- +PS > .{backslash}{beatname_lc}.exe setup --dashboards +---- +// end::win[] \ No newline at end of file diff --git a/metricbeat/Jenkinsfile.yml b/metricbeat/Jenkinsfile.yml index 3d624fbcaaa..588c6bbbdb8 100644 --- a/metricbeat/Jenkinsfile.yml +++ b/metricbeat/Jenkinsfile.yml 
@@ -71,75 +71,54 @@ stages: platforms: ## override default labels in this specific stage. - "windows-2016" when: ## Override the top-level when. - comments: - - "/test metricbeat for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" when: ## Override the top-level when. - comments: - - "/test metricbeat for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" when: ## Override the top-level when. - comments: - - "/test metricbeat for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" when: ## Override the top-level when. - comments: - - "/test metricbeat for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-2008: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. 
- "windows-2008-r2" when: ## Override the top-level when. - comments: - - "/test metricbeat for windows-2008" - labels: - - "windows-2008" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" when: ## Override the top-level when. - comments: - - "/test metricbeat for windows-7" - labels: - - "windows-7" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-7-32: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" when: ## Override the top-level when. - comments: - - "/test metricbeat for windows-7-32" - labels: - - "windows-7-32" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc index aa819488730..dde0235423d 100644 --- a/metricbeat/docs/running-on-kubernetes.asciidoc +++ b/metricbeat/docs/running-on-kubernetes.asciidoc 
@@ -169,6 +169,22 @@ oc patch namespace kube-system -p \ This command sets the node selector for the project to an empty string. If you don't run this command, the default node selector will skip master nodes. +[float] +==== Load {kib} dashboards + +{beatname_uc} comes packaged with various pre-built {kib} dashboards +that you can use to visualize metrics about your Kubernetes environment. + +If these dashboards are not already loaded into {kib}, you must <<{beatname_lc}-installation-configuration,install {beatname_uc}>> +on any system that can connect to the {stack}, and then run the `setup` command to load the dashboards. To learn how, +see <>. + +[IMPORTANT] +======================================= +If you are using a different output other than {es}, such as {ls}, you +need to <> and <>. +======================================= + [float] ==== Deploy diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 8250323ca04..bb2e7cdf8fb 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -1304,8 +1304,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
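Review bot: The removed lines are the only description of the `certificate` verification mode, and nothing else in the hunk says whether that value is still accepted, so the reference file now lists fewer modes than the surrounding text did; the same removal is repeated in the other hunks of this file and in packetbeat.reference.yml, winlogbeat.reference.yml and x-pack/auditbeat/auditbeat.reference.yml. If the TLS config parser (presumably `ssl.verification_mode`) still accepts `certificate`, a reader who sets it no longer sees the warning that hostname verification is skipped, which is the security-relevant difference between that mode and `full`/`strict`. If the mode was dropped on purpose, one line next to the list such as `# (the former certificate mode is no longer supported; use full or strict)` would make that explicit. These files look generated from a shared libbeat template, so the wording belongs in the template rather than in each copy.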
@@ -1437,8 +1435,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1644,8 +1640,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1806,8 +1800,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -2108,8 +2100,6 @@ setup.kibana:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -2311,8 +2301,6 @@ logging.files:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
diff --git a/packetbeat/Jenkinsfile.yml b/packetbeat/Jenkinsfile.yml
index 1d65795e022..b79b87b6d88 100644
--- a/packetbeat/Jenkinsfile.yml
+++ b/packetbeat/Jenkinsfile.yml
@@ -64,75 +64,54 @@ stages: platforms: ## override default labels in this specific stage. - "windows-2016" when: ## Override the top-level when. - comments: - - "/test packetbeat for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" when: ## Override the top-level when. - comments: - - "/test packetbeat for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" when: ## Override the top-level when. - comments: - - "/test packetbeat for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-2008: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2008-r2" when: ## Override the top-level when. 
- comments: - - "/test packetbeat for windows-2008" - labels: - - "windows-2008" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" when: ## Override the top-level when. - comments: - - "/test packetbeat for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" when: ## Override the top-level when. - comments: - - "/test packetbeat for windows-7" - labels: - - "windows-7" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-7-32: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" when: ## Override the top-level when. - comments: - - "/test packetbeat for windows-7-32" - labels: - - "windows-7-32" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 073bec9c768..9f25343877f 100644 --- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml 
@@ -1022,8 +1022,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1155,8 +1153,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1362,8 +1358,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1524,8 +1518,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1826,8 +1818,6 @@ setup.kibana:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -2029,8 +2019,6 @@ logging.files:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
diff --git a/winlogbeat/Jenkinsfile.yml b/winlogbeat/Jenkinsfile.yml
index aad1d6558e9..bcef5172022 100644
--- a/winlogbeat/Jenkinsfile.yml
+++ b/winlogbeat/Jenkinsfile.yml
@@ -39,62 +39,46 @@ stages: platforms: ## override default labels in this specific stage. - "windows-2016" when: ## Override the top-level when. - comments: - - "/test winlogbeat for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" when: ## Override the top-level when. - comments: - - "/test winlogbeat for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" when: ## Override the top-level when. - comments: - - "/test winlogbeat for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" when: ## Override the top-level when. - comments: - - "/test winlogbeat for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. 
- "windows-7" when: ## Override the top-level when. - comments: - - "/test winlogbeat for windows-7" - labels: - - "windows-7" + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags windows-7-32: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" when: ## Override the top-level when. - comments: - - "/test winlogbeat for windows-7-32" - labels: - - "windows-7-32" - branches: true ## for all the branches - tags: true ## for all the tags + not_changeset_full_match: "^x-pack/.*" ## Disable the stage if ONLY changes for the x-pack + branches: true ## for all the branches + tags: true ## for all the tags diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index 1ab1796a809..7b98270f0bf 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -450,8 +450,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
@@ -583,8 +581,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -790,8 +786,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -952,8 +946,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1254,8 +1246,6 @@ setup.kibana:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1457,8 +1447,6 @@ logging.files:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
diff --git a/x-pack/auditbeat/Jenkinsfile.yml b/x-pack/auditbeat/Jenkinsfile.yml
index 6bcd1ad9739..2c7ea3f176a 100644
--- a/x-pack/auditbeat/Jenkinsfile.yml
+++ b/x-pack/auditbeat/Jenkinsfile.yml
@@ -64,76 +64,27 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2016" - when: ## Override the top-level when. - comments: - - "/test x-pack/auditbeat for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/auditbeat for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" - when: ## Override the top-level when. - comments: - - "/test x-pack/auditbeat for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags windows-2008: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2008-r2" - when: ## Override the top-level when. - comments: - - "/test auditbeat for windows-2008" - labels: - - "windows-2008" - branches: true ## for all the branches - tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" - when: ## Override the top-level when. - comments: - - "/test x-pack/auditbeat for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" - when: ## Override the top-level when. 
- comments: - - "/test x-pack/auditbeat for windows-7" - labels: - - "windows-7" - branches: true ## for all the branches - tags: true ## for all the tags windows-7-32: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7-32-bit" - when: ## Override the top-level when. - comments: - - "/test auditbeat for windows-7-32" - labels: - - "windows-7-32" - branches: true ## for all the branches - tags: true ## for all the tags diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index ac134703794..44b58a736e1 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -583,8 +583,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -716,8 +714,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
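Review bot: The per-stage `when:` override is removed outright for every windows stage in this hunk (and likewise in the x-pack/elastic-agent/Jenkinsfile.yml hunk), so each stage now inherits the top-level `when`, which lies outside the hunk. That differs from the OSS Jenkinsfiles in this commit, where the override is replaced rather than dropped and keeps `branches: true` and `tags: true`; unless the top-level block sets those as well, windows unit tests for x-pack/auditbeat would stop running on branch and tag builds. Worth confirming against the top-level `when`, and a one-line comment on the first windows stage such as `## windows stages rely on the top-level when; no x-pack changeset filter needed here` would record the intent for the next reader.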
@@ -923,8 +919,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1085,8 +1079,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1387,8 +1379,6 @@ setup.kibana:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1590,8 +1580,6 @@ logging.files:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
diff --git a/x-pack/dockerlogbeat/docs/configuration.asciidoc b/x-pack/dockerlogbeat/docs/configuration.asciidoc
index 7be2a1fe1f1..e8d398b0b87 100644
--- a/x-pack/dockerlogbeat/docs/configuration.asciidoc
+++ b/x-pack/dockerlogbeat/docs/configuration.asciidoc
@@ -152,7 +152,7 @@ The local log also supports the `max-file`, `max-size` and `compress` options th
 ["source","sh",subs="attributes"]
 ----
 docker run --log-driver=elastic/{log-driver-alias}:{version} \
- --log-opt endpoint="myhost:9200" \
+ --log-opt hosts="myhost:9200" \
 --log-opt user="myusername" \
 --log-opt password="mypassword" \
 --log-opt max-file=10 \
diff --git a/x-pack/dockerlogbeat/docs/install.asciidoc b/x-pack/dockerlogbeat/docs/install.asciidoc
index ab36f67877d..6aa51aba0b1 100644
--- a/x-pack/dockerlogbeat/docs/install.asciidoc
+++ b/x-pack/dockerlogbeat/docs/install.asciidoc
@@ -80,7 +80,7 @@ example:
 ["source","sh",subs="attributes"]
 ----
 docker run --log-driver=elastic/{log-driver-alias}:{version} \
- --log-opt endpoint="https://myhost:9200" \
+ --log-opt hosts="https://myhost:9200" \
 --log-opt user="myusername" \
 --log-opt password="mypassword" \
 -it debian:jessie /bin/bash
@@ -98,7 +98,7 @@ example:
 {
 "log-driver" : "elastic/{log-driver-alias}:{version}",
 "log-opts" : {
- "endpoint" : "https://myhost:9200",
+ "hosts" : "https://myhost:9200",
 "user" : "myusername",
 "password" : "mypassword"
 }
diff --git a/x-pack/dockerlogbeat/docs/usage.asciidoc b/x-pack/dockerlogbeat/docs/usage.asciidoc
index bf23049c199..446206e3544 100644
--- a/x-pack/dockerlogbeat/docs/usage.asciidoc
+++ b/x-pack/dockerlogbeat/docs/usage.asciidoc
@@ -16,7 +16,7 @@ The following examples show common configurations for the {log-driver}.
 ["source","sh",subs="attributes"]
 ----
 docker run --log-driver=elastic/{log-driver-alias}:{version} \
- --log-opt endpoint="myhost:9200" \
+ --log-opt hosts="myhost:9200" \
 --log-opt user="myusername" \
 --log-opt password="mypassword" \
 -it debian:jessie /bin/bash
@@ -29,7 +29,7 @@ docker run --log-driver=elastic/{log-driver-alias}:{version} \
 {
 "log-driver" : "elastic/{log-driver-alias}:{version}",
 "log-opts" : {
- "endpoint" : "myhost:9200",
+ "hosts" : "myhost:9200",
 "user" : "myusername",
 "password" : "mypassword",
 }
@@ -71,7 +71,7 @@ docker run --log-driver=elastic/{log-driver-alias}:{version} \
 ["source","sh",subs="attributes"]
 ----
 docker run --log-driver=elastic/{log-driver-alias}:{version} \
- --log-opt endpoint="myhost:9200" \
+ --log-opt hosts="myhost:9200" \
 --log-opt user="myusername" \
 --log-opt password="mypassword" \
 --log-opt index="eld-%{[agent.version]}-%{+yyyy.MM.dd}" \
@@ -85,7 +85,7 @@ docker run --log-driver=elastic/{log-driver-alias}:{version} \
 {
 "log-driver" : "elastic/{log-driver-alias}:{version}",
 "log-opts" : {
- "endpoint" : "myhost:9200",
+ "hosts" : "myhost:9200",
 "user" : "myusername",
 "index" : "eld-%{[agent.version]}-%{+yyyy.MM.dd}",
 "password" : "mypassword",
diff --git a/x-pack/elastic-agent/Jenkinsfile.yml b/x-pack/elastic-agent/Jenkinsfile.yml
index a237c483aad..0e6ecef9e4c 100644
--- a/x-pack/elastic-agent/Jenkinsfile.yml
+++ b/x-pack/elastic-agent/Jenkinsfile.yml
@@ -54,68 +54,26 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2016" - when: ## Override the top-level when. - comments: - - "/test x-pack/elastic-agent for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/elastic-agent for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" - when: ## Override the top-level when. - comments: - - "/test x-pack/elastic-agent for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags windows-2008: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2008-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/elastic-agent for windows-2008" - labels: - - "windows-2008" - branches: true ## for all the branches - tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" - when: ## Override the top-level when. - comments: - - "/test x-pack/elastic-agent for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" - when: ## Override the top-level when. 
- comments: - - "/test x-pack/elastic-agent for windows-7" - labels: - - "windows-7" - branches: true ## for all the branches - tags: true ## for all the tags #windows-7-32: See https://github.com/elastic/beats/issues/22316 # mage: "mage build unitTest" # platforms: ## override default labels in this specific stage. diff --git a/x-pack/filebeat/Jenkinsfile.yml b/x-pack/filebeat/Jenkinsfile.yml index 7740ca80a49..54dbf477352 100644 --- a/x-pack/filebeat/Jenkinsfile.yml +++ b/x-pack/filebeat/Jenkinsfile.yml 
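Review bot: With the stage-level `when:` blocks removed, the six Windows unit-test stages inherit the top-level `when` of this file, which lies outside the hunk, so whether they still run on pull requests rather than only on branches, tags or a changeset match is decided by a condition this change does not show. Please confirm the top-level `when` keeps `branches: true` and `tags: true`; otherwise Windows coverage for elastic-agent silently moves to post-merge. The `/test x-pack/elastic-agent for windows-*` comment triggers vanish with these blocks, so any contributor documentation that lists them is now stale. A short comment above the first Windows stage, e.g. `## Windows stages inherit the top-level when; no per-stage override.`, would spare the next reader from hunting for a missing override.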
@@ -64,68 +64,26 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2016" - when: ## Override the top-level when. - comments: - - "/test x-pack/filebeat for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/filebeat for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" - when: ## Override the top-level when. - comments: - - "/test x-pack/filebeat for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags windows-2008: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2008-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/filebeat for windows-2008" - labels: - - "windows-2008" - branches: true ## for all the branches - tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" - when: ## Override the top-level when. - comments: - - "/test x-pack/filebeat for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" - when: ## Override the top-level when. 
- comments: - - "/test x-pack/filebeat for windows-7" - labels: - - "windows-7" - branches: true ## for all the branches - tags: true ## for all the tags #windows-7-32: See https://github.com/elastic/beats/issues/22315 # mage: "mage build unitTest" # platforms: ## override default labels in this specific stage. diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 9104290b7ce..01f65a4c910 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -3205,8 +3205,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -3338,8 +3336,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
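Review bot: Dropping the per-stage `when:` makes these six Windows stages depend entirely on this file's top-level `when`, which is not in the hunk; if that condition is changeset- or comment-driven, x-pack/filebeat's Windows unit tests stop running on ordinary PRs without any failure to notice. The removed `comments:` triggers (`/test x-pack/filebeat for windows-2016` and friends) were the manual escape hatch for re-running a single platform, so either the top-level `when` must still offer a comment trigger or the CI documentation needs the old strings removed. The commented-out `#windows-7-32` stage that follows is untouched; if it is ever re-enabled it should follow the new inherit-only shape rather than the old override.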
@@ -3545,8 +3541,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -3707,8 +3701,6 @@ output.elasticsearch: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative @@ -4009,8 +4001,6 @@ setup.kibana: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative 
@@ -4212,8 +4202,6 @@ logging.files: # * full, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. - # * certificate, which verifies that the provided certificate is signed by a - # trusted authority (CA), but does not perform any hostname verification. # * strict, which verifies that the provided certificate is signed by a trusted # authority (CA) and also verifies that the server's hostname (or IP address) # matches the names identified within the certificate. If the Subject Alternative diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 3dd78f82c6d..76cf0f936b6 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml 
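Review bot: Removing the `certificate` bullet leaves this comment block describing only `full` and `strict`, so an operator with `ssl.verification_mode: certificate` in their config gets no in-file hint that the mode skips hostname verification — if the loader still accepts it, the weakest mode is exactly the one that needs a warning, and if it no longer accepts it, existing configs will fail to load and that deserves a changelog line. I would keep the bullet with an explicit caveat rather than drop it, e.g. `# * certificate, which verifies the CA signature only and performs no hostname check; any certificate issued by a trusted CA is accepted, so use it only where hostnames cannot match.` The surviving `strict` bullet also repeats `full`'s first sentence word for word, so the actual difference (the SAN requirement) is easy to miss; the same edit is applied to the other verification_mode blocks of this file in the hunks above, presumably from a shared template.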
@@ -152,25 +152,25 @@ processors: Map map = new HashMap(); ctx.aws.cloudtrail.put("flattened", map); } - if (ctx.json.requestParameters != null) { + if (ctx.json?.requestParameters != null) { ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString(); if (ctx.aws.cloudtrail.request_parameters.length() < 32766) { ctx.aws.cloudtrail.flattened.put("request_parameters", ctx.json.requestParameters); } } - if (ctx.json.responseElements != null) { + if (ctx.json?.responseElements != null) { ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString(); if (ctx.aws.cloudtrail.response_elements.length() < 32766) { ctx.aws.cloudtrail.flattened.put("response_elements", ctx.json.responseElements); } } - if (ctx.json.additionalEventData != null) { + if (ctx.json?.additionalEventData != null) { ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString(); if (ctx.aws.cloudtrail.additional_eventdata.length() < 32766) { ctx.aws.cloudtrail.flattened.put("additional_eventdata", ctx.json.additionalEventData); } } - if (ctx.json.serviceEventDetails != null) { + if (ctx.json?.serviceEventDetails != null) { ctx.aws.cloudtrail.service_event_details = ctx.json.serviceEventDetails.toString(); if (ctx.aws.cloudtrail.service_event_details.length() < 32766) { ctx.aws.cloudtrail.flattened.put("service_event_details", ctx.json.serviceEventDetails); diff --git a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml index 975a0e76104..b92624e2f6c 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/checkpoint/firewall/ingest/pipeline.yml @@ -309,9 +309,11 @@ processors: type: long ignore_failure: true ignore_missing: true -- rename: +- convert: field: checkpoint.severity target_field: event.severity + type: long + ignore_failure: true ignore_missing: true - rename: field: checkpoint.action 
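Review bot: The `< 32766` guard in each of the four blocks compares `String.length()` (UTF-16 code units) against what is evidently Lucene's per-term limit, which is measured in UTF-8 bytes, so a payload with many non-ASCII characters can pass the check and still make the `flattened` leaf fail at index time. If the Painless whitelist exposes it, `text.getBytes("UTF-8").length < 32766` is the exact check; otherwise a conservative `length() < 32766 / 3` avoids the failure at the cost of dropping a few large ASCII payloads. The new `ctx.json?.` guards only help when `json` is absent entirely; any reference to `ctx.json` before this hunk (not visible here) would still throw. The four blocks differ only in their key names and would read better as a loop over `[source, target]` pairs, which is also where the length check belongs once.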
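Review bot: `ignore_failure: true` on the new `convert` means a non-numeric `checkpoint.severity` silently yields no `event.severity`, and because the same change adds `checkpoint.severity` to the final `remove` list, the raw value is discarded as well, so the severity disappears from the event with no trace. The previous `rename` at least preserved the original string under `event.severity`. Prefer an `on_failure` handler that records the problem instead of `ignore_failure`, e.g. `on_failure:` / `- append: { field: error.message, value: 'convert checkpoint.severity: {{{ _ingest.on_failure_message }}}' }`, keeping `ignore_missing: true` for events that carry no severity. The surrounding processor list and the remove processor itself are outside this hunk.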
@@ -859,6 +861,7 @@ processors: - checkpoint.xlatedst - checkpoint.uid - checkpoint.time + - checkpoint.severity - syslog5424_ts - _temp_ ignore_missing: true diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 8b07b91acb4..1d225c42add 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -1604,17 +1604,26 @@ ] }, { + "cisco.asa.destination_interface": "net", "cisco.asa.message_id": "302023", + "cisco.asa.source_interface": "fw111", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 10051, "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 302023, "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2021-05-05T19:02:58.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner", + "event.reason": "Cluster flow with CLU closed on owner", "event.severity": 6, + "event.start": "2021-05-05T21:02:58.000Z", "event.timezone": "-02:00", "event.type": [ "info" 
@@ -1624,31 +1633,52 @@ "input.type": "log", "log.level": "informational", "log.offset": 4949, + "network.bytes": "0", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "fw111", "observer.hostname": "dev01", + "observer.ingress.interface.name": "net", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ "dev01" ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 39210, "tags": [ "cisco-asa", "forwarded" ] }, { + "cisco.asa.destination_interface": "unknown", "cisco.asa.message_id": "302023", + "cisco.asa.source_interface": "net", + "destination.address": "192.168.2.2", + "destination.ip": "192.168.2.2", + "destination.port": 39222, "event.action": "firewall-rule", "event.category": [ "network" ], "event.code": 302023, "event.dataset": "cisco.asa", + "event.duration": 0, + "event.end": "2021-05-05T19:02:58.000-02:00", "event.kind": "event", "event.module": "cisco", "event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow", + "event.reason": "Forwarding or redirect flow removed to create director or backup flow", "event.severity": 6, + "event.start": "2021-05-05T21:02:58.000Z", "event.timezone": "-02:00", "event.type": [ "info" 
@@ -1658,14 +1688,26 @@ "input.type": "log", "log.level": "informational", "log.offset": 5142, + "network.bytes": "0", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "net", "observer.hostname": "dev01", + "observer.ingress.interface.name": "unknown", "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ "dev01" ], + "related.ip": [ + "10.10.10.10", + "192.168.2.2" + ], "service.type": "cisco", + "source.address": "10.10.10.10", + "source.ip": "10.10.10.10", + "source.port": 10051, "tags": [ "cisco-asa", "forwarded" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log b/x-pack/filebeat/module/cisco/asa/test/sample.log index 699d191e377..73ea89341b0 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log 
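Review bot: `"network.bytes": "0"` is emitted as a string for this 302023 teardown event (and the one in the preceding hunk), while the same field is a number elsewhere in this diff (`"network.bytes": 14804` in sample.log-expected.json), so the teardown-stub parse path skips the integer conversion the other connection messages get; Elasticsearch will coerce `"0"` into a `long` mapping, but the pipeline should convert it so JSON types match the mapping consistently rather than relying on coercion. Separately, `observer.egress.interface.name` is set to `net` and `observer.ingress.interface.name` to `unknown` for a message that reads `for net:10.10.10.10/10051 to unknown:192.168.2.2/39222`; if ECS `observer.ingress` denotes the interface traffic arrives on, these look swapped. The existing expectations in this diff map `cisco.asa.source_interface` to egress the same way, so this is likely a module-wide convention rather than something this hunk introduces, but it is worth confirming before detection rules key on it.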
@@ -38,7 +38,6 @@ Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/1 Apr 30 2013 09:23:43: %ASA-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Apr 15 2018 09:34:34 EDT: %ASA-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80) -Dec 11 2018 08:01:24 : %ASA-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80) Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] Dec 11 2018 08:01:24 : %ASA-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] Dec 11 2018 08:01:31 : %ASA-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) @@ -70,3 +69,4 @@ Jan 14 2015 13:16:14: %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traf Nov 16 2009 14:12:35: %ASA-5-304001: 10.30.30.30 Accessed URL 192.0.2.1:/app Nov 16 2009 14:12:36: %ASA-5-304001: 10.5.111.32 Accessed URL 192.0.2.32:http://example.com Nov 16 2009 14:12:37: %ASA-5-304002: Access denied URL http://www.example.net/images/favicon.ico SRC 10.69.6.39 DEST 192.0.0.19 on interface inside +Jan 13 2021 19:12:37: %ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username) 
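Review bot: The new sample line uses `1.2.3.4`, a real routable address, where the rest of this file uses documentation ranges (`192.0.2.x`, `192.0.0.x`); because the module's GeoIP enrichment resolves it, the expected output now pins city, region and coordinates from whatever GeoLite2 snapshot the test environment carries, which is the kind of expectation that breaks on a database refresh and also puts a third party's address into the fixtures. Replacing it with e.g. `192.0.2.4` (or `198.51.100.4`, as the cisco/ios tests in this diff already do) keeps the NAT-mapping and username case exercised without the geo dependence. The line removed in the first hunk looked like a deliberately corrupted variant (`/80port>`); if it was there to cover malformed input, that coverage is gone with it.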
diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index c990e91c7c3..b2c1d4cb876 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -2049,7 +2049,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 6318, + "log.offset": 6138, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2100,7 +2100,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 6468, + "log.offset": 6288, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2153,7 +2153,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 6618, + "log.offset": 6438, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2209,7 +2209,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 6788, + "log.offset": 6608, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2265,7 +2265,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 6958, + "log.offset": 6778, "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", @@ -2319,7 +2319,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7123, + "log.offset": 6943, "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", @@ -2373,7 +2373,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7289, + "log.offset": 7109, "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", 
@@ -2422,7 +2422,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7455, + "log.offset": 7275, "network.transport": "(no", "observer.egress.interface.name": "outside", "observer.product": "asa", @@ -2468,7 +2468,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7597, + "log.offset": 7417, "network.transport": "(no", "observer.egress.interface.name": "outside", "observer.product": "asa", @@ -2517,7 +2517,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 7739, + "log.offset": 7559, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2570,7 +2570,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 7890, + "log.offset": 7710, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2624,7 +2624,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 8064, + "log.offset": 7884, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2678,7 +2678,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 8238, + "log.offset": 8058, "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", @@ -2732,7 +2732,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "informational", - "log.offset": 8403, + "log.offset": 8223, "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", @@ -2781,7 +2781,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 8545, + "log.offset": 8365, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", 
@@ -2829,7 +2829,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 8666, + "log.offset": 8486, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -2877,7 +2877,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 8787, + "log.offset": 8607, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -2925,7 +2925,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 8908, + "log.offset": 8728, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -2973,7 +2973,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 9029, + "log.offset": 8849, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -3021,7 +3021,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 9150, + "log.offset": 8970, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -3069,7 +3069,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 9271, + "log.offset": 9091, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", @@ -3117,7 +3117,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "critical", - "log.offset": 9393, + "log.offset": 9213, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "asa", 
@@ -3168,7 +3168,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 9515, + "log.offset": 9335, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "outside", @@ -3220,7 +3220,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "error", - "log.offset": 9669, + "log.offset": 9489, "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "Outside", @@ -3269,7 +3269,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 9779, + "log.offset": 9599, "network.iana_number": 1, "network.transport": "icmp", "observer.egress.interface.name": "inside", @@ -3322,7 +3322,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 9915, + "log.offset": 9735, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3383,7 +3383,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 10166, + "log.offset": 9986, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3440,7 +3440,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "warning", - "log.offset": 10465, + "log.offset": 10285, "network.iana_number": 6, "network.transport": "tcp", "observer.egress.interface.name": "inside", @@ -3487,7 +3487,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "notification", - "log.offset": 10762, + "log.offset": 10582, "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", @@ -3529,7 +3529,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "notification", - "log.offset": 10839, + "log.offset": 10659, "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", 
@@ -3572,7 +3572,7 @@ "input.type": "log", "log.file.path": "sample.log", "log.level": "notification", - "log.offset": 10931, + "log.offset": 10751, "observer.egress.interface.name": "inside", "observer.product": "asa", "observer.type": "firewall", 
@@ -3589,5 +3589,73 @@ "forwarded" ], "url.original": "http://www.example.net/images/favicon.ico" + }, + { + "@timestamp": "2021-01-13T19:12:37.000-02:00", + "cisco.asa.connection_id": "27215708", + "cisco.asa.destination_interface": "vlan-42", + "cisco.asa.mapped_destination_ip": "1.2.3.4", + "cisco.asa.mapped_destination_port": 80, + "cisco.asa.mapped_source_ip": "1.2.3.4", + "cisco.asa.mapped_source_port": 49926, + "cisco.asa.message_id": "302013", + "cisco.asa.source_interface": "internet", + "cisco.asa.source_username": "LOCAL\\username", + "destination.address": "1.2.3.4", + "destination.geo.city_name": "Moscow", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", + "destination.geo.location.lat": 55.7527, + "destination.geo.location.lon": 37.6172, + "destination.geo.region_iso_code": "RU-MOW", + "destination.geo.region_name": "Moscow", + "destination.ip": "1.2.3.4", + "destination.port": 80, + "destination.user.name": "username", + "event.action": "firewall-rule", + "event.category": [ + "network" + ], + "event.code": 302013, + "event.dataset": "cisco.asa", + "event.kind": "event", + "event.module": "cisco", + "event.original": "%ASA-6-302013: Built inbound TCP connection 27215708 for internet:10.2.3.4/49926 (1.2.3.4/49926)(LOCAL\\username) to vlan-42:1.2.3.4/80 (1.2.3.4/80) (username)", + "event.severity": 6, + "event.timezone": "-02:00", + "event.type": [ + "info" + ], + "fileset.name": "asa", + "input.type": "log", + "log.file.path": "sample.log", + "log.level": "informational", + "log.offset": 10899, + "network.direction": "inbound", + "network.iana_number": 6, + "network.transport": "tcp", + "observer.egress.interface.name": "internet", + "observer.ingress.interface.name": "vlan-42", + "observer.product": "asa", + "observer.type": "firewall", + "observer.vendor": "Cisco", + "related.ip": [ + "10.2.3.4", + "1.2.3.4" + ], + "related.user": [ + "username" + ], + 
"service.type": "cisco", + "source.address": "10.2.3.4", + "source.ip": "10.2.3.4", + "source.nat.ip": "1.2.3.4", + "source.port": 49926, + "tags": [ + "cisco-asa", + "forwarded" + ], + "user.name": "username" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log b/x-pack/filebeat/module/cisco/ftd/test/sample.log index df85fe9a096..09da866b488 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log @@ -38,7 +38,6 @@ Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/1 Apr 30 2013 09:23:43: %FTD-5-106100: access-list acl_in est-allowed tcp inside/10.0.0.16(2013) -> outside/192.0.0.89(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Apr 15 2018 09:34:34 EDT: %FTD-session-5-106100: access-list acl_in permitted tcp inside/10.0.0.16(2241) -> outside/192.0.0.99(2000) hit-cnt 1 first hit [0x71a87d94, 0x0] Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80 (10.0.13.13/80) -Dec 11 2018 08:01:24 127.0.0.1: %FTD-6-302015: Built outbound UDP connection 447235 for outside:192.168.77.12/11180 (192.168.77.12/11180) to identity:10.0.13.13/80port> (10.0.13.13/80) Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] Dec 11 2018 08:01:24 127.0.0.1: %FTD-4-106023: Deny udp src dmz:192.168.1.33/5555 dst outside:192.0.0.12/53 by access-group "dmz" [0x123a465e, 0x4c7bf613] Dec 11 2018 08:01:31 127.0.0.1: %FTD-6-302013: Built outbound TCP connection 447236 for outside:192.0.2.222/1234 (192.0.2.222/1234) to dmz:OCSP_Server/5678 (OCSP_Server/5678) diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 2da68247742..d416dcb068c 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -2013,7 +2013,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "warning", - "log.offset": 6328, + "log.offset": 6143, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2067,7 +2067,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "warning", - "log.offset": 6483, + "log.offset": 6298, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2123,7 +2123,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 6638, + "log.offset": 6453, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2180,7 +2180,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 6813, + "log.offset": 6628, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2237,7 +2237,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 6988, + "log.offset": 6803, "network.bytes": 14804, "network.iana_number": 6, "network.transport": "tcp", @@ -2294,7 +2294,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7158, + "log.offset": 6973, "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", @@ -2351,7 +2351,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7329, + "log.offset": 7144, "network.bytes": 134781, "network.iana_number": 6, "network.transport": "tcp", 
@@ -2403,7 +2403,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7500, + "log.offset": 7315, "network.transport": "(no", "observer.egress.interface.name": "outside", "observer.hostname": "127.0.0.1", @@ -2452,7 +2452,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7647, + "log.offset": 7462, "network.transport": "(no", "observer.egress.interface.name": "outside", "observer.hostname": "127.0.0.1", @@ -2504,7 +2504,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "warning", - "log.offset": 7794, + "log.offset": 7609, "network.iana_number": 17, "network.transport": "udp", "observer.egress.interface.name": "dmz", @@ -2560,7 +2560,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 7950, + "log.offset": 7765, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2617,7 +2617,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 8129, + "log.offset": 7944, "network.direction": "outbound", "network.iana_number": 6, "network.transport": "tcp", @@ -2674,7 +2674,7 @@ "host.hostname": "127.0.0.1", "input.type": "log", "log.level": "informational", - "log.offset": 8308, + "log.offset": 8123, "network.bytes": 11420, "network.iana_number": 6, "network.transport": "tcp", @@ -2730,7 +2730,7 @@ "fileset.name": "ftd", "input.type": "log", "log.level": "informational", - "log.offset": 8478, + "log.offset": 8293, "network.bytes": 1416, "network.iana_number": 17, "network.transport": "udp", @@ -2778,7 +2778,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8620, + "log.offset": 8435, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", 
@@ -2825,7 +2825,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8741, + "log.offset": 8556, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -2872,7 +2872,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8862, + "log.offset": 8677, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -2919,7 +2919,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 8983, + "log.offset": 8798, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -2966,7 +2966,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9104, + "log.offset": 8919, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -3013,7 +3013,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9225, + "log.offset": 9040, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -3060,7 +3060,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9346, + "log.offset": 9161, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", @@ -3107,7 +3107,7 @@ "host.hostname": "GIFRCHN01", "input.type": "log", "log.level": "critical", - "log.offset": 9468, + "log.offset": 9283, "observer.egress.interface.name": "Mobile_Traffic", "observer.hostname": "GIFRCHN01", "observer.product": "ftd", 
@@ -3157,7 +3157,7 @@
"host.hostname": "GIFRCHN01",
"input.type": "log",
"log.level": "warning",
- "log.offset": 9590,
+ "log.offset": 9405,
"network.iana_number": 6,
"network.transport": "tcp",
"observer.egress.interface.name": "outside",
@@ -3208,7 +3208,7 @@
"host.hostname": "GIFRCHN01",
"input.type": "log",
"log.level": "error",
- "log.offset": 9744,
+ "log.offset": 9559,
"network.iana_number": 1,
"network.transport": "icmp",
"observer.egress.interface.name": "Outside",
@@ -3256,7 +3256,7 @@
"fileset.name": "ftd",
"input.type": "log",
"log.level": "warning",
- "log.offset": 9854,
+ "log.offset": 9669,
"network.iana_number": 1,
"network.transport": "icmp",
"observer.egress.interface.name": "inside",
@@ -3308,7 +3308,7 @@
"fileset.name": "ftd",
"input.type": "log",
"log.level": "warning",
- "log.offset": 9990,
+ "log.offset": 9805,
"network.iana_number": 6,
"network.transport": "tcp",
"observer.egress.interface.name": "inside",
@@ -3369,7 +3369,7 @@
"fileset.name": "ftd",
"input.type": "log",
"log.level": "warning",
- "log.offset": 10241,
+ "log.offset": 10056,
"network.iana_number": 6,
"network.transport": "tcp",
"observer.egress.interface.name": "inside",
@@ -3426,7 +3426,7 @@
"fileset.name": "ftd",
"input.type": "log",
"log.level": "warning",
- "log.offset": 10540,
+ "log.offset": 10355,
"network.iana_number": 6,
"network.transport": "tcp",
"observer.egress.interface.name": "inside",
@@ -3472,7 +3472,7 @@
"fileset.name": "ftd",
"input.type": "log",
"log.level": "notification",
- "log.offset": 10839,
+ "log.offset": 10654,
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -3513,7 +3513,7 @@
"fileset.name": "ftd",
"input.type": "log",
"log.level": "notification",
- "log.offset": 10916,
+ "log.offset": 10731,
"observer.product": "ftd",
"observer.type": "firewall",
"observer.vendor": "Cisco",
@@ -3555,7 +3555,7 @@
"fileset.name": "ftd",
"input.type": "log",
"log.level": "notification",
- "log.offset": 11008,
+ "log.offset": 10823,
"observer.egress.interface.name": "inside",
"observer.product": "ftd",
"observer.type": "firewall",
diff --git a/x-pack/filebeat/module/cisco/ios/config/pipeline.js b/x-pack/filebeat/module/cisco/ios/config/pipeline.js
index 4506f67ccb3..42e10c6969d 100644
--- a/x-pack/filebeat/module/cisco/ios/config/pipeline.js
+++ b/x-pack/filebeat/module/cisco/ios/config/pipeline.js
@@ -166,9 +166,6 @@ var ciscoIOS = (function() {
{from: "source.port", type: "long"},
{from: "source.packets", type: "long"},
{from: "source.packets", to: "network.packets", type: "long"},
- {from: "icmp.type", type: "long"},
- {from: "icmp.code", type: "long"},
- {from: "igmp.type", type: "long"},
],
ignore_missing: true,
}).Run;
diff --git a/x-pack/filebeat/module/cisco/ios/pipeline_test.go b/x-pack/filebeat/module/cisco/ios/pipeline_test.go
index 6104c25a306..7f5e4a99120 100644
--- a/x-pack/filebeat/module/cisco/ios/pipeline_test.go
+++ b/x-pack/filebeat/module/cisco/ios/pipeline_test.go
@@ -71,8 +71,8 @@ var testCases = []testCase{
"event.outcome": "deny",
"event.severity": int64(6),
"event.type": []string{"connection", "firewall"},
- "icmp.code": int64(5),
- "icmp.type": int64(3),
+ "icmp.code": "5",
+ "icmp.type": "3",
"log.level": "informational",
"log.original": isdef.IsNonEmptyString,
"message": "list 100 denied icmp 198.51.100.1 -> 198.51.100.2 (3/5), 1 packet",
@@ -117,7 +117,7 @@ var testCases = []testCase{
"event.outcome": "deny",
"event.severity": int64(6),
"event.type": []string{"connection", "firewall"},
- "igmp.type": int64(20),
+ "igmp.type": "20",
"log.level": "informational",
"log.original": isdef.IsNonEmptyString,
"message": "list INBOUND-ON-AP denied igmp 198.51.100.1 -> 224.0.0.2 (20), 1 packet",
diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
index 0695d3730aa..5841793ceb8 100644
--- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
+++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json
@@ -66,7 +66,7 @@
"firewall"
],
"fileset.name": "ios",
- "igmp.type": 20,
+ "igmp.type": "20",
"input.type": "log",
"log.level": "informational",
"log.offset": 140,
@@ -251,8 +251,8 @@
"firewall"
],
"fileset.name": "ios",
- "icmp.code": 4,
- "icmp.type": 3,
+ "icmp.code": "4",
+ "icmp.type": "3",
"input.type": "log",
"log.level": "informational",
"log.offset": 760,
@@ -1268,8 +1268,8 @@
"firewall"
],
"fileset.name": "ios",
- "icmp.code": 3,
- "icmp.type": 3,
+ "icmp.code": "3",
+ "icmp.type": "3",
"input.type": "log",
"log.level": "informational",
"log.offset": 4125,
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 72920d75a0e..581691ebcf9 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -71,7 +71,7 @@ processors:
# Parse the date included in FTD logs
#
- date:
- if: "ctx.event.timezone == null"
+ if: "ctx.event?.timezone == null && ctx._temp_?.raw_date != null"
field: "_temp_.raw_date"
target_field: "@timestamp"
formats:
@@ -103,7 +103,7 @@ processors:
},
]
- date:
- if: "ctx.event.timezone != null"
+ if: "ctx.event?.timezone != null && ctx._temp_?.raw_date != null"
timezone: "{{ event.timezone }}"
field: "_temp_.raw_date"
target_field: "@timestamp"
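Review bot: With the added `ctx._temp_?.raw_date != null` guard on both `date` processors, an FTD line whose date was not extracted now skips both and the event silently keeps whatever `@timestamp` Filebeat assigned when it read the line, so it lands at ingest time on any investigation timeline with nothing in the document saying so. Either the upstream extraction guarantees `_temp_.raw_date` (then the guard is dead and a comment `# raw_date is always set by the syslog parsing above` is enough) or the miss should be visible, e.g. a third processor beside these two: `- append: {field: tags, value: _timestamp_missing, if: "ctx._temp_?.raw_date == null"}`. The new conditions also spell the null-safe operator as `ctx.event?.timezone` while the juniper pipeline in this same change uses `ctx?.event?.timezone`; `ctx` is never null so both work, but one form should be used throughout. The `processors` list continues outside the hunk.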
@@ -297,10 +297,11 @@ processors:
if: "ctx._temp_.cisco.message_id == '113019'"
field: "message"
pattern: "Group = %{}, Username = %{source.user.name}, IP = %{destination.address}, Session disconnected. Session Type: %{}, Duration: %{_temp_.duration_hms}, Bytes xmt: %{source.bytes}, Bytes rcv: %{destination.bytes}, Reason: %{message}"
- - dissect:
+ - grok:
if: '["302013", "302015"].contains(ctx._temp_.cisco.message_id)'
field: "message"
- pattern: "Built %{network.direction} %{network.transport} connection %{_temp_.cisco.connection_id} for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} (%{_temp_.natsrcip}/%{_temp_.cisco.mapped_source_port}) to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} (%{_temp_.natdstip}/%{_temp_.cisco.mapped_destination_port})"
+ patterns:
+ - "Built %{NOTSPACE:network.direction} %{NOTSPACE:network.transport} connection %{NUMBER:_temp_.cisco.connection_id} for %{NOTSPACE:_temp_.cisco.source_interface}:%{IP:source.address}/%{NUMBER:source.port} \\(%{IP:_temp_.natsrcip}/%{NUMBER:_temp_.cisco.mapped_source_port}\\)(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))? to %{NOTSPACE:_temp_.cisco.destination_interface}:%{NOTSPACE:destination.address}/%{NUMBER:destination.port} \\(%{NOTSPACE:_temp_.natdstip}/%{NUMBER:_temp_.cisco.mapped_destination_port}\\)( \\(%{NOTSPACE:destination.user.name}\\))?%{GREEDYDATA}"
- dissect:
if: "ctx._temp_.cisco.message_id == '303002'"
field: "message"
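Review bot: The new grok for 302013/302015 is asymmetric: the source side uses `%{IP:source.address}` and `%{IP:_temp_.natsrcip}` while the destination side uses `%{NOTSPACE:destination.address}` and `%{NOTSPACE:_temp_.natdstip}`, so a line whose source is printed as a name rather than an address (which I believe ASA does when `names` are configured — worth confirming) fails the whole pattern and drops every field, while the same on the destination side is accepted; both halves should use the same token, and these are attacker-influenced log contents, so the choice should be deliberate (strict `IP` if nothing downstream validates the value, lenient otherwise). The two optional user groups also differ in spacing, `(\\(%{NOTSPACE:_temp_.cisco.source_username}\\))?` with no leading space versus `( \\(%{NOTSPACE:destination.user.name}\\))?` with one, so unless ASA really prints them differently one of them will never match. `_temp_.cisco.source_username` is captured but nothing in this change moves it to `source.user.name`, whereas the destination user is captured directly into ECS; unless a later processor renames it, capture it as `%{NOTSPACE:source.user.name}`. A comment on the trailing `%{GREEDYDATA}` saying which suffix it is meant to absorb would make the pattern reviewable. The `processors` list continues outside the hunk.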
@@ -318,6 +319,10 @@ processors:
if: "ctx._temp_.cisco.message_id == '302022'"
field: "message"
pattern: "Built %{} stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port}"
+ - dissect:
+ if: "ctx._temp_.cisco.message_id == '302023'"
+ field: "message"
+ pattern: "Teardown stub %{network.transport} connection for %{_temp_.cisco.source_interface}:%{source.address}/%{source.port} to %{_temp_.cisco.destination_interface}:%{destination.address}/%{destination.port} duration %{_temp_.duration_hms} forwarded bytes %{network.bytes} %{event.reason}"
- grok:
if: "ctx._temp_.cisco.message_id == '304001'"
field: "message"
@@ -1572,6 +1577,13 @@ processors:
}
}
+ - set:
+ description: copy destination.user.name to user.name if it is not set
+ field: user.name
+ value: "{{destination.user.name}}"
+ ignore_empty_value: true
+ if: ctx?.user?.name == null
+
# Configures observer fields with a copy from cisco and host fields. Later on these might replace host.hostname.
- set:
field: observer.hostname
@@ -1609,6 +1621,11 @@ processors:
field: related.user
value: "{{user.name}}"
if: "ctx?.user?.name != null"
+ - append:
+ field: related.user
+ value: "{{destination.user.name}}"
+ allow_duplicates: false
+ if: "ctx?.destination?.user?.name != null"
- append:
field: related.hash
value: "{{file.hash.sha256}}"
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
index a447a25d15e..46bbf671518 100755
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
+++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
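Review bot: The new `append` to `related.user` and the new `set` of `user.name` only consider `destination.user.name`; the user captured into `_temp_.cisco.source_username` by the 302013/302015 grok in this same change is never added, so pivoting on `related.user` misses the source-side identity of a built connection. Unless that temp field is renamed further down the pipeline (not visible here), rename it to `source.user.name` and add a matching `- append: {field: related.user, value: "{{source.user.name}}", allow_duplicates: false, if: "ctx?.source?.user?.name != null"}`. The `set` should also say why the destination user is the one promoted to `user.name`, e.g. `description: copy destination.user.name to user.name if it is not set (identity firewall reports the user on the destination side)` if that is the reason. The `processors` list continues outside the hunk.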
@@ -12,6 +12,10 @@ var crowdstrikeFalconProcessor = (function () {
function convertToMSEpoch(evt, field) {
var timestamp = evt.Get(field);
+ if (timestamp == 0) {
+ evt.Delete(field)
+ return
+ }
if (timestamp) {
if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS
evt.Put(field, timestamp * 1000);
@@ -103,7 +107,8 @@ var crowdstrikeFalconProcessor = (function () {
type: "ip"
}, {
from: "crowdstrike.event.ProcessId",
- to: "process.pid"
+ to: "process.pid",
+ type: "long"
}, {
from: "crowdstrike.event.ParentImageFileName",
to: "process.parent.executable"
@@ -284,6 +289,7 @@ var crowdstrikeFalconProcessor = (function () {
}, {
from: "crowdstrike.event.PID",
to: "process.pid",
+ type: "long"
},
{
from: "crowdstrike.event.RuleId",
@@ -421,6 +427,44 @@ var crowdstrikeFalconProcessor = (function () {
ignore_missing: false,
fail_on_error: true
})
+ .Convert({
+ fields: [
+ {
+ from: "crowdstrike.event.LateralMovement",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.LocalPort",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.MatchCount",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.MatchCountSinceLastReport",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.PID",
+ type: "long",
+ },
+ {
+ from: "crowdstrike.event.RemotePort",
+ type: "long",
+ },
+ {
+ from: "source.port",
+ type: "long",
+ },
+ {
+ from: "destination.port",
+ type: "long",
+ }
+ ],
+ ignore_missing: true,
+ fail_on_error: false
+ })
.Build()
.Run
})();
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
index 47c0e10f47a..eab6fb1db0e 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
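Review bot: The zero check added to `convertToMSEpoch` drops the field without saying why, and its two statements are the only ones in the function without semicolons; write them as `evt.Delete(field); return;` under a comment such as `// A 0 epoch means the time was never set (e.g. ProcessEndTime of a still-running process); drop it rather than emit 1970-01-01`, which is the case the expected-output change removing `crowdstrike.event.ProcessEndTime: 0` shows. `timestamp == 0` is loose equality and also matches `""`, `false` and the string `"0"`; if only a numeric zero is meant use `=== 0`, otherwise state that string zeros are intentionally dropped too. In the added `.Convert` block, `fail_on_error: false` leaves a non-numeric value in place in fields whose mappings are `long`, so such an event is rejected at index time rather than here; that matches the previous behaviour, but a one-line comment noting it would save the next reader from assuming the conversion is a validation step.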
@@ -29,7 +29,6 @@
"crowdstrike.event.PatternDispositionFlags.Rooting": false,
"crowdstrike.event.PatternDispositionFlags.SensorOnly": false,
"crowdstrike.event.PatternDispositionValue": 16,
- "crowdstrike.event.ProcessEndTime": 0,
"crowdstrike.event.ProcessId": 38684386611,
"crowdstrike.event.ProcessStartTime": "2018-09-13T13:45:39.000Z",
"crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
index a122e788b08..becdbecc7c8 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
@@ -10,16 +10,16 @@
"crowdstrike.event.HostName": "TESTDEVICE01",
"crowdstrike.event.Ipv": "ipv4",
"crowdstrike.event.LocalAddress": "10.37.60.194",
- "crowdstrike.event.LocalPort": "445",
+ "crowdstrike.event.LocalPort": 445,
"crowdstrike.event.MatchCount": 1,
"crowdstrike.event.MatchCountSinceLastReport": 1,
"crowdstrike.event.NetworkProfile": "2",
- "crowdstrike.event.PID": "206158879910",
+ "crowdstrike.event.PID": 206158879910,
"crowdstrike.event.PolicyID": "74e7f1552a3a4d90a6d65578642c8584",
"crowdstrike.event.PolicyName": "PROD-FW-Workstations-General",
"crowdstrike.event.Protocol": "6",
"crowdstrike.event.RemoteAddress": "10.37.60.21",
- "crowdstrike.event.RemotePort": "54952",
+ "crowdstrike.event.RemotePort": 54952,
"crowdstrike.event.RuleAction": "2",
"crowdstrike.event.RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa",
"crowdstrike.event.RuleGroupName": "SMB Rules",
@@ -32,7 +32,7 @@
"crowdstrike.metadata.offset": 70689,
"crowdstrike.metadata.version": "1.0",
"destination.ip": "10.37.60.194",
- "destination.port": "445",
+ "destination.port": 445,
"event.action": "firewall_match_event",
"event.category": [
"network"
@@ -58,7 +58,7 @@
"message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered",
"network.direction": "ingress",
"network.type": "ipv4",
- "process.pid": "206158879910",
+ "process.pid": 206158879910,
"related.ip": [
"10.37.60.21",
"10.37.60.194"
@@ -70,7 +70,7 @@
"rule.ruleset": "SMB Rules",
"service.type": "crowdstrike",
"source.ip": "10.37.60.21",
- "source.port": "54952",
+ "source.port": 54952,
"tags": [
"forwarded"
]
diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
index 22d44e5664a..a227d770082 100644
--- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
@@ -80,26 +80,26 @@ processors:
formats:
- UNIX_MS
timezone: "{{fortinet.firewall.tz}}"
- if: "ctx.fortinet?.firewall?.tz != null && ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
+ if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
- date:
field: fortinet.firewall.eventtime
target_field: event.start
formats:
- UNIX
timezone: "{{fortinet.firewall.tz}}"
- if: "ctx.fortinet?.firewall?.tz != null && ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
+ if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
- date:
field: fortinet.firewall.eventtime
target_field: event.start
formats:
- UNIX_MS
- if: "ctx.fortinet?.firewall?.tz == null && ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
+ if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
- date:
field: fortinet.firewall.eventtime
target_field: event.start
formats:
- UNIX
- if: "ctx.fortinet?.firewall?.tz == null && ctx.fortinet?.firewall?.eventtime != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
+ if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
- script:
lang: painless
source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000"
@@ -134,6 +134,9 @@ processors:
field: fortinet.firewall.level
target_field: log.level
ignore_missing: true
+- remove:
+ field: fortinet.firewall.assignip
+ if: "ctx.fortinet?.firewall?.assignip == 'N/A'"
- remove:
field: fortinet.firewall.dstip
if: "ctx.fortinet?.firewall?.dstip == 'N/A'"
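Review bot: Reordering the `if` clauses on the four `date` processors does not change what they evaluate, because `&&` already short-circuited before `.length()` whenever `eventtime` was null, and the added `ctx?.` is a no-op since `ctx` is never null; if the intent was to make `(ctx.fortinet?.firewall?.eventtime).length()` safe, the remaining hazard is `eventtime` arriving as a non-string (a number would throw and send the event to `on_failure`), which only an `eventtime instanceof String` term would cover. If the reorder is purely cosmetic, a one-line commit note saying so would stop reviewers hunting for the behavioural change. The new `assignip` removal mirrors the existing `dstip` one. The `processors` list continues outside the hunk.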
@@ -222,16 +225,18 @@ processors:
)
- remove:
field:
- - _temp
- - message
- - syslog5424_sd
- - syslog5424_pri
- - fortinet.firewall.tz
- - fortinet.firewall.date
- - fortinet.firewall.eventtime
- - fortinet.firewall.time
- - fortinet.firewall.duration
- - host
+ - _temp.time
+ - _temp
+ - message
+ - syslog5424_sd
+ - syslog5424_pri
+ - fortinet.firewall.tz
+ - fortinet.firewall.date
+ - fortinet.firewall.devid
+ - fortinet.firewall.eventtime
+ - fortinet.firewall.time
+ - fortinet.firewall.duration
+ - host
ignore_missing: true
- pipeline:
name: '{< IngestPipeline "event" >}'
@@ -242,6 +247,18 @@ processors:
- pipeline:
name: '{< IngestPipeline "utm" >}'
if: "ctx.fortinet?.firewall?.type == 'utm' || ctx.fortinet?.firewall?.type == 'dns'"
+- convert:
+ field: fortinet.firewall.quotamax
+ type: long
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.quotaused
+ type: long
+ ignore_missing: true
+- convert:
+ field: fortinet.firewall.size
+ type: long
+ ignore_missing: true
on_failure:
- set:
field: error.message
diff --git a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml
index 1a488a57bd8..0671bff51b2 100644
--- a/x-pack/filebeat/module/juniper/srx/ingest/flow.yml
+++ b/x-pack/filebeat/module/juniper/srx/ingest/flow.yml
@@ -13,11 +13,12 @@ processors:
- append:
field: event.category
value: network
-- rename:
+- convert:
field: juniper.srx.application_risk
+ type: float
target_field: event.risk_score
ignore_missing: true
- if: "ctx.juniper?.srx?.application_risk != null"
+ ignore_failure: true
- append:
field: event.type
value:
@@ -344,6 +345,7 @@ processors:
#############
- remove:
field:
+ - juniper.srx.application_risk
- juniper.srx.destination_port
- juniper.srx.nat_destination_port
- juniper.srx.bytes_from_client
diff --git a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
index 5bc4d45e82e..9fb9057b8fa 100644
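Review bot: The three `convert` processors added for `quotamax`, `quotaused` and `size` carry `ignore_missing: true` but no `ignore_failure`, so a non-numeric value aborts the pipeline at its very last step and the event is indexed via `on_failure` with `error.message` set; Fortinet does emit `N/A` in fields, as the `dstip` and `assignip` removals in this same file show, so this is a plausible path for a single counter to flag an otherwise fully parsed event. Either add `ignore_failure: true` to each (matching the `convert` processors this change adds to the juniper pipelines) or remove the field when it equals `N/A` first, as is done for the address fields. In the `remove` list, `- _temp.time` immediately before `- _temp` is redundant, since removing `_temp` drops the whole object; delete the entry or comment why it is listed separately. The `processors` list continues outside the hunk.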
--- a/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/juniper/srx/ingest/pipeline.yml
@@ -27,7 +27,7 @@ processors:
# Parse the date
#
- date:
- if: "ctx.event.timezone == null"
+ if: "ctx?.event?.timezone == null"
field: _temp_.raw_date
target_field: "@timestamp"
formats:
@@ -36,7 +36,7 @@ processors:
- yyyy-MM-dd HH:mm:ss Z
- ISO8601
- date:
- if: "ctx.event.timezone != null"
+ if: "ctx?.event?.timezone != null"
timezone: "{{ event.timezone }}"
field: _temp_.raw_date
target_field: "@timestamp"
@@ -55,7 +55,7 @@ processors:
- rename:
field: juniper.srx.elapsed_time
target_field: juniper.srx.duration
- if: "ctx.juniper?.srx?.elapsed_time != null"
+ if: "ctx?.juniper?.srx?.elapsed_time != null"
# Sets starts, end and duration when start and duration is known
- script:
@@ -88,9 +88,11 @@ processors:
- set:
field: event.dataset
value: juniper.srx
-- set:
- field: event.severity
- value: '{{syslog_pri}}'
+- convert:
+ field: syslog_pri
+ type: long
+ target_field: event.severity
+ ignore_failure: true
- rename:
field: log.original
target_field: event.original
@@ -197,8 +199,7 @@ processors:
- remove:
field:
- message
- - _temp_
- - _temp
+ - _temp_.raw_date
- juniper.srx.duration
- juniper.srx.dir_disp
- juniper.srx.srczone
diff --git a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml
index a80e5a94d97..794fe15883b 100644
--- a/x-pack/filebeat/module/juniper/srx/ingest/utm.yml
+++ b/x-pack/filebeat/module/juniper/srx/ingest/utm.yml
@@ -13,11 +13,12 @@ processors:
- append:
field: event.category
value: network
-- rename:
+- convert:
field: juniper.srx.urlcategory_risk
+ type: float
target_field: event.risk_score
ignore_missing: true
- if: "ctx.juniper?.srx?.urlcategory_risk != null"
+ ignore_failure: true
- set:
field: event.kind
value: alert
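Review bot: Narrowing the final `remove` from `- _temp_` and `- _temp` to `- _temp_.raw_date` means any other key written under `_temp_` (or a `_temp` object) earlier in the pipeline now survives into the indexed document, and nothing in the hunk shows that `raw_date` is the only temporary key. If the flow/utm sub-pipelines still need `_temp_` after this point (not visible here), say so in a comment above the processor; otherwise keep the two original entries. For the new `convert` of `syslog_pri` into `event.severity`, `ignore_failure: true` also silences a missing `syslog_pri`; adding `ignore_missing: true` keeps the two cases distinguishable so that a real parse failure is the only thing being ignored. The `processors` list continues outside the hunk.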
@@ -380,6 +381,7 @@ processors: - juniper.srx.nat_source_port - juniper.srx.bytes_from_server - juniper.srx.packets_from_server + - juniper.srx.urlcategory_risk ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json index 4187866594e..69639938252 100644 --- a/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/atp.log-expected.json @@ -25,7 +25,7 @@ "event.module": "juniper", "event.original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=\u201dcloud/blacklist/whitelist\u201d source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", @@ -82,7 +82,7 @@ "event.module": "juniper", "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -130,7 +130,7 @@ "event.module": "juniper", "event.original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "allowed", @@ -182,7 +182,7 @@ "event.module": "juniper", "event.original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.timezone": "-02:00", "event.type": [ "allowed", diff --git a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json index b597ed2afc5..9eb70c83a64 100644 --- a/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/flow.log-expected.json 
@@ -17,8 +17,8 @@ "event.module": "juniper", "event.original": "source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", "event.outcome": "success", - "event.risk_score": "1", - "event.severity": "14", + "event.risk_score": 1.0, + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", @@ -78,8 +78,8 @@ "event.module": "juniper", "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", "event.outcome": "success", - "event.risk_score": "1", - "event.severity": "14", + "event.risk_score": 1.0, + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "denied", 
@@ -141,7 +141,7 @@ "event.module": "juniper", "event.original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "denied", @@ -217,7 +217,7 @@ "event.module": "juniper", "event.original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2014-05-01T06:28:10.933-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -299,7 +299,7 @@ "event.module": "juniper", "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", @@ -370,7 +370,7 @@ "event.module": "juniper", "event.original": "source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", 
@@ -442,7 +442,7 @@ "event.module": "juniper", "event.original": "reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2010-09-30T04:55:07.188-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -524,8 +524,8 @@ "event.module": "juniper", "event.original": "reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"", "event.outcome": "success", - "event.risk_score": "4", - "event.severity": "14", + "event.risk_score": 4.0, + "event.severity": 14, "event.start": "2019-04-12T12:29:06.576-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -608,7 +608,7 @@ "event.module": "juniper", "event.original": "reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2019-04-13T12:33:06.576-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -690,7 +690,7 @@ "event.module": "juniper", "event.original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2018-10-06T23:32:20.898-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -784,7 +784,7 @@ "event.module": "juniper", "event.original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2018-06-30T00:17:22.753-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -861,7 +861,7 @@ "event.module": "juniper", "event.original": "reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2015-09-25T12:19:53.846-02:00", "event.timezone": "-02:00", "event.type": [ @@ -940,7 +940,7 @@ "event.module": "juniper", "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", 
@@ -1024,7 +1024,7 @@ "event.module": "juniper", "event.original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2013-01-19T15:18:17.040-02:00", "event.timezone": "-02:00", "event.type": [ @@ -1115,7 +1115,7 @@ "event.module": "juniper", "event.original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2013-01-19T15:18:17.040-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -1208,7 +1208,7 @@ "event.module": "juniper", "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2013-01-19T15:18:18.040-02:00", "event.timezone": "-02:00", "event.type": [ @@ -1296,7 +1296,7 @@ "event.module": "juniper", "event.original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=\u201dpf1\u201d rule-name=\u201dfacebook1\u201d routing-instance=\u201dinstance1\u201d destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", 
@@ -1386,7 +1386,7 @@ "event.module": "juniper", "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2013-01-19T15:18:20.040-02:00", "event.timezone": "-02:00", "event.type": [ @@ -1471,7 +1471,7 @@ "event.module": "juniper", "event.original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", 
@@ -1534,8 +1534,8 @@ "event.module": "juniper", "event.original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", "event.outcome": "success", - "event.risk_score": "1", - "event.severity": "14", + "event.risk_score": 1.0, + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "denied", @@ -1606,7 +1606,7 @@ "event.module": "juniper", "event.original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=\u201dst0.0\u201d apbr-rule-type=\u201ddefault\u201d", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2020-01-19T15:18:20.040-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -1702,7 +1702,7 @@ "event.module": "juniper", "event.original": "source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2020-07-14T12:17:11.928-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -1788,8 +1788,8 @@ "event.module": "juniper", "event.original": "reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", "event.outcome": "success", - "event.risk_score": "1", - "event.severity": "14", + "event.risk_score": 1.0, + "event.severity": 14, "event.start": "2020-07-13T14:43:05.041-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -1875,8 +1875,8 @@ "event.module": "juniper", "event.original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", "event.outcome": "success", - "event.risk_score": "1", - "event.severity": "14", + "event.risk_score": 1.0, + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "start", 
@@ -1954,7 +1954,7 @@ "event.module": "juniper", "event.original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.start": "2020-07-13T14:12:05.530-02:00", "event.timezone": "-02:00", "event.type": [ diff --git a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json index 7704c88fac0..8a5a7307355 100644 --- a/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/idp.log-expected.json 
@@ -24,7 +24,7 @@ "event.module": "juniper", "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.start": "2020-03-02T21:13:03.193-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -112,7 +112,7 @@ "event.module": "juniper", "event.original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.start": "2020-03-02T21:13:03.197-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -200,7 +200,7 @@ "event.module": "juniper", "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.start": "2007-02-15T07:17:15.719-02:00", "event.timezone": "-02:00", "event.type": [ 
@@ -285,7 +285,7 @@ "event.module": "juniper", "event.original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.start": "2017-10-12T19:55:55.792-02:00", "event.timezone": "-02:00", "event.type": [ @@ -359,7 +359,7 @@ "event.module": "juniper", "event.original": "epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -414,7 +414,7 @@ "event.module": "juniper", "event.original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.timezone": "-02:00", "event.type": [ "info", @@ -482,7 +482,7 @@ "event.module": "juniper", "event.original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", "event.outcome": "success", - "event.severity": "165", + "event.severity": 165, "event.timezone": "-02:00", "event.type": [ "info", diff --git a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json index 10abae2fa6d..e92c17e6a4c 100644 
--- a/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/ids.log-expected.json @@ -22,7 +22,7 @@ "event.module": "juniper", "event.original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -82,7 +82,7 @@ "event.module": "juniper", "event.original": "attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -140,7 +140,7 @@ "event.module": "juniper", "event.original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -206,7 +206,7 @@ "event.module": "juniper", "event.original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -273,7 +273,7 @@ "event.module": "juniper", "event.original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -337,7 +337,7 @@ "event.module": "juniper", "event.original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -395,7 +395,7 @@ "event.module": "juniper", "event.original": "attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -448,7 +448,7 @@ "event.module": "juniper", "event.original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -509,7 +509,7 @@ "event.module": "juniper", "event.original": "attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -553,7 +553,7 @@ "event.module": "juniper", "event.original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -610,7 +610,7 @@ "event.module": "juniper", "event.original": "attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", @@ -661,7 +661,7 @@ "event.module": "juniper", "event.original": "attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", "event.outcome": "success", - "event.severity": "11", + "event.severity": 11, "event.timezone": "-02:00", "event.type": [ "info", diff --git a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json index 49667e85897..9385beef0b0 100644 --- a/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/secintel.log-expected.json 
@@ -15,7 +15,7 @@ "event.module": "juniper", "event.original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", @@ -81,7 +81,7 @@ "event.module": "juniper", "event.original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", diff --git a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json index f9890a6ca0f..6b0aa31072f 100644 --- a/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json +++ b/x-pack/filebeat/module/juniper/srx/test/utm.log-expected.json 
@@ -22,7 +22,7 @@ "event.module": "juniper", "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "info", @@ -83,7 +83,7 @@ "event.module": "juniper", "event.original": "source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "allowed", @@ -137,7 +137,7 @@ "event.module": "juniper", "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "info", @@ -197,7 +197,7 @@ "event.module": "juniper", "event.original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "allowed", 
@@ -251,7 +251,7 @@ "event.module": "juniper", "event.original": "source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "allowed", @@ -295,7 +295,7 @@ "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", @@ -344,7 +344,7 @@ "event.module": "juniper", "event.original": "source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"", "event.outcome": "success", - "event.severity": "14", + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "info", @@ -406,7 +406,7 @@ "event.module": "juniper", "event.original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -462,7 +462,7 @@ "event.module": "juniper", "event.original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", "event.outcome": "success", - "event.severity": "12", + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "info", @@ -529,8 +529,8 @@ "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"", "event.outcome": "success", - "event.risk_score": "0", - "event.severity": "14", + "event.risk_score": 0.0, + "event.severity": 14, "event.timezone": "-02:00", "event.type": [ "allowed", @@ -594,8 +594,8 @@ "event.module": "juniper", "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"", "event.outcome": "success", - "event.risk_score": "3", - "event.severity": "12", + "event.risk_score": 3.0, + "event.severity": 12, "event.timezone": "-02:00", "event.type": [ "info", 
@@ -651,7 +651,7 @@
 "event.module": "juniper",
 "event.original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"",
 "event.outcome": "success",
- "event.severity": "12",
+ "event.severity": 12,
 "event.timezone": "-02:00",
 "event.type": [
 "allowed",
diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml
index 5b6d1c821e0..8ce69929983 100644
--- a/x-pack/filebeat/module/suricata/eve/config/eve.yml
+++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml
@@ -24,6 +24,7 @@ processors:
 - {from: suricata.eve.dest_ip, to: destination.address}
 - {from: suricata.eve.dest_port, to: destination.port, type: long}
 - {from: suricata.eve.proto, to: network.transport}
+ - {from: suricata.eve.flow_id, type: string}
 - convert:
 ignore_missing: true
 fail_on_error: false
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
index ecccab3a10f..457a16da86f 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json
@@ -64,7 +64,7 @@
 "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound",
 "suricata.eve.alert.signature_id": 2013028,
 "suricata.eve.event_type": "alert",
- "suricata.eve.flow_id": 2191386088856669,
+ "suricata.eve.flow_id": "2191386088856669",
 "suricata.eve.http.http_content_type": "text/html",
 "suricata.eve.http.protocol": "HTTP/1.1",
 "suricata.eve.in_iface": "enp0s3",
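Review bot: The added `- {from: suricata.eve.flow_id, type: string}` entry in the eve.yml hunk converts the field in place while every sibling entry carries a `to:` target, and the header of the enclosing convert block (its `mode` and `fail_on_error` settings) lies outside the hunk, so a reader cannot see from here that in-place conversion is what this block is meant to do. A short comment on the new line would make the intent explicit, e.g. `# keep flow_id textual: 16-digit ids like those in the expected output sit near the 2^53 limit beyond which JavaScript-based consumers lose integer precision, and exact-match correlation needs the full value`. If any other path still emits `suricata.eve.flow_id` as a number, correlating events by flow id across those paths would silently stop matching, so this change is presumably paired with a keyword mapping and should be kept consistent there.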
@@ -145,7 +145,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 678269478904081, + "suricata.eve.flow_id": "678269478904081", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -226,7 +226,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 1170030461115650, + "suricata.eve.flow_id": "1170030461115650", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -307,7 +307,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 49628113637132, + "suricata.eve.flow_id": "49628113637132", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -388,7 +388,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 116307482565223, + "suricata.eve.flow_id": "116307482565223", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", @@ -469,7 +469,7 @@ "suricata.eve.alert.signature": "ET POLICY curl User-Agent Outbound", "suricata.eve.alert.signature_id": 2013028, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 1205867738178946, + "suricata.eve.flow_id": "1205867738178946", "suricata.eve.http.http_content_type": "text/html", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", 
@@ -550,7 +550,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 764842923400056, + "suricata.eve.flow_id": "764842923400056", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 0, @@ -631,7 +631,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 0, @@ -712,7 +712,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 1, @@ -793,7 +793,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 764842923400056, + "suricata.eve.flow_id": "764842923400056", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 1, 
@@ -874,7 +874,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 764842923400056, + "suricata.eve.flow_id": "764842923400056", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 2, @@ -955,7 +955,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 764842923400056, + "suricata.eve.flow_id": "764842923400056", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 3, @@ -1036,7 +1036,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 2, @@ -1117,7 +1117,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 3, 
@@ -1198,7 +1198,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 4, @@ -1279,7 +1279,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 5, @@ -1360,7 +1360,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 6, @@ -1441,7 +1441,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 7, 
@@ -1521,7 +1521,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 8, @@ -1601,7 +1601,7 @@ "suricata.eve.alert.signature": "ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management", "suricata.eve.alert.signature_id": 2013504, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 112424506237238, + "suricata.eve.flow_id": "112424506237238", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "enp0s3", "suricata.eve.tx_id": 9, @@ -1651,7 +1651,7 @@ "source.ip": "10.126.2.140", "source.port": 45884, "suricata.eve.event_type": "tls", - "suricata.eve.flow_id": 1091813059495729, + "suricata.eve.flow_id": "1091813059495729", "suricata.eve.in_iface": "enp5s0", "suricata.eve.tls.fingerprint": "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33", "suricata.eve.tls.issuerdn": "C=US, O=Google Inc, CN=Google Internet Authority G2", @@ -1741,7 +1741,7 @@ "suricata.eve.alert.signature": "SURICATA TLS on unusual port", "suricata.eve.alert.signature_id": 2610003, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 991192778198299, + "suricata.eve.flow_id": "991192778198299", "suricata.eve.in_iface": "enp0s31f6", "suricata.eve.tls.fingerprint": "36:3f:ee:2a:1c:fa:de:ad:be:ef:42:99:cf:a9:b0:91:01:eb:a9:cc", "suricata.eve.tls.issuerdn": "C=Unknown, ST=Unknown, L=Unknown, O=Unknown, OU=Unknown, CN=Unknown", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json index c61e3f6d12a..cdcf57030e6 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json 
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-dns-4.1.4.log-expected.json @@ -40,7 +40,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 885455453886936, + "suricata.eve.flow_id": "885455453886936", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -87,7 +87,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1418448010418810, + "suricata.eve.flow_id": "1418448010418810", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -151,7 +151,7 @@ "suricata.eve.dns.rrtype": "AAAA", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1418448010418810, + "suricata.eve.flow_id": "1418448010418810", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -215,7 +215,7 @@ "suricata.eve.dns.rrtype": "A", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 885455453886936, + "suricata.eve.flow_id": "885455453886936", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -263,7 +263,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 40074894954311, + "suricata.eve.flow_id": "40074894954311", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -311,7 +311,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 2130691028471842, + "suricata.eve.flow_id": "2130691028471842", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -406,7 +406,7 @@ "suricata.eve.dns.rrtype": "A", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 40074894954311, + "suricata.eve.flow_id": "40074894954311", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" 
@@ -501,7 +501,7 @@ "suricata.eve.dns.rrtype": "AAAA", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 2130691028471842, + "suricata.eve.flow_id": "2130691028471842", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -549,7 +549,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -597,7 +597,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -655,7 +655,7 @@ "suricata.eve.dns.ttl": 1315, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -717,7 +717,7 @@ "suricata.eve.dns.ttl": 15, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -779,7 +779,7 @@ "suricata.eve.dns.ttl": 15, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -841,7 +841,7 @@ "suricata.eve.dns.ttl": 15, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" 
@@ -903,7 +903,7 @@ "suricata.eve.dns.ttl": 15, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 814378410010223, + "suricata.eve.flow_id": "814378410010223", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -961,7 +961,7 @@ "suricata.eve.dns.ttl": 1268, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1023,7 +1023,7 @@ "suricata.eve.dns.ttl": 53, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1085,7 +1085,7 @@ "suricata.eve.dns.ttl": 53, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1147,7 +1147,7 @@ "suricata.eve.dns.ttl": 53, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1209,7 +1209,7 @@ "suricata.eve.dns.ttl": 53, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1887239765714716, + "suricata.eve.flow_id": "1887239765714716", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1257,7 +1257,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 2181951993205289, + "suricata.eve.flow_id": "2181951993205289", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" 
@@ -1305,7 +1305,7 @@ "suricata.eve.dns.tx_id": 0, "suricata.eve.dns.type": "query", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 928596784370390, + "suricata.eve.flow_id": "928596784370390", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1400,7 +1400,7 @@ "suricata.eve.dns.rrtype": "A", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 2181951993205289, + "suricata.eve.flow_id": "2181951993205289", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" @@ -1495,7 +1495,7 @@ "suricata.eve.dns.rrtype": "AAAA", "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 928596784370390, + "suricata.eve.flow_id": "928596784370390", "suricata.eve.in_iface": "enp0s3", "tags": [ "suricata" diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 66204334c43..50125bc3f3c 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -29,7 +29,7 @@ "source.ip": "192.168.86.85", "source.port": 55406, "suricata.eve.event_type": "ssh", - "suricata.eve.flow_id": 298824096901438, + "suricata.eve.flow_id": "298824096901438", "suricata.eve.in_iface": "en0", "suricata.eve.ssh.client.proto_version": "2.0", "suricata.eve.ssh.client.software_version": "OpenSSH_7.6", @@ -88,7 +88,7 @@ "suricata.eve.alert.signature": "ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)", "suricata.eve.alert.signature_id": 2024833, "suricata.eve.event_type": "alert", - "suricata.eve.flow_id": 904992230150281, + "suricata.eve.flow_id": "904992230150281", "suricata.eve.in_iface": "en0", "suricata.eve.tls.session_resumed": true, "suricata.eve.tls.sni": "l2.io", 
@@ -142,7 +142,7 @@ "source.ip": "192.168.86.85", "source.port": 56119, "suricata.eve.event_type": "http", - "suricata.eve.flow_id": 2115002772430095, + "suricata.eve.flow_id": "2115002772430095", "suricata.eve.http.http_content_type": "text/xml", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "en0", @@ -204,7 +204,7 @@ "suricata.eve.fileinfo.state": "CLOSED", "suricata.eve.fileinfo.stored": false, "suricata.eve.fileinfo.tx_id": 0, - "suricata.eve.flow_id": 2211411903323127, + "suricata.eve.flow_id": "2211411903323127", "suricata.eve.http.http_content_type": "application/xml", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "en0", @@ -274,7 +274,7 @@ "suricata.eve.dns.ttl": 299, "suricata.eve.dns.type": "answer", "suricata.eve.event_type": "dns", - "suricata.eve.flow_id": 1684780223079543, + "suricata.eve.flow_id": "1684780223079543", "suricata.eve.in_iface": "en0", "tags": [ "suricata" @@ -455,7 +455,7 @@ "source.ip": "192.168.86.85", "source.port": 56187, "suricata.eve.event_type": "tls", - "suricata.eve.flow_id": 89751777876473, + "suricata.eve.flow_id": "89751777876473", "suricata.eve.in_iface": "en0", "suricata.eve.tls.fingerprint": "6a:ff:ac:a6:5f:8a:05:e7:a9:8c:76:29:b9:08:c7:69:ad:dc:72:47", "suricata.eve.tls.issuerdn": "CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US", @@ -532,7 +532,7 @@ "suricata.eve.flow.alerted": false, "suricata.eve.flow.reason": "timeout", "suricata.eve.flow.state": "new", - "suricata.eve.flow_id": 1828507008887644, + "suricata.eve.flow_id": "1828507008887644", "tags": [ "suricata" ] @@ -574,7 +574,7 @@ "source.ip": "192.168.50.1", "source.port": 57134, "suricata.eve.event_type": "http", - "suricata.eve.flow_id": 913701662641234, + "suricata.eve.flow_id": "913701662641234", "suricata.eve.http.protocol": "HTTP/1.1", "suricata.eve.in_iface": "eno6", "suricata.eve.tx_id": 0, 
@@ -622,7 +622,7 @@
 "source.ip": "192.168.50.1",
 "source.port": 60614,
 "suricata.eve.event_type": "tls",
- "suricata.eve.flow_id": 1298574590709840,
+ "suricata.eve.flow_id": "1298574590709840",
 "suricata.eve.in_iface": "eno6",
 "suricata.eve.tls.fingerprint": "18:3c:11:45:46:e9:26:c7:87:64:0f:ed:47:86:1b:31:bf:0f:84:25",
 "suricata.eve.tls.issuerdn": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018",
@@ -693,7 +693,7 @@
 "source.ip": "192.168.50.1",
 "source.port": 50898,
 "suricata.eve.event_type": "http",
- "suricata.eve.flow_id": 1097935193623328,
+ "suricata.eve.flow_id": "1097935193623328",
 "suricata.eve.http.protocol": "HTTP/1.1",
 "suricata.eve.in_iface": "eno6",
 "suricata.eve.tx_id": 0,
@@ -742,7 +742,7 @@
 "source.ip": "192.168.50.1",
 "source.port": 12509,
 "suricata.eve.event_type": "tls",
- "suricata.eve.flow_id": 289459143040794,
+ "suricata.eve.flow_id": "289459143040794",
 "suricata.eve.in_iface": "eno6",
 "suricata.eve.tls.ja3.hash": "44d502d471cfdb99c59bdfb0f220e5a8",
 "suricata.eve.tls.ja3.string": "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-41,29-23-24,0",
diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml
index 091cacf2a18..9381f616b89 100644
--- a/x-pack/filebeat/module/zeek/dns/config/dns.yml
+++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml
@@ -164,7 +164,7 @@ processors:
 }
 - convert:
 ignore_missing: true
- ignore_failure: true
+ fail_on_error: false
 mode: rename
 fields:
 - {from: zeek.dns.id.orig_h, to: source.address}
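Review bot: `fail_on_error: false` on the rename convert block in this hunk, and on the copy block in the next hunk where `source.ip`/`destination.ip` are produced with `type: ip`, turns a failed conversion from a rejected event into a silently skipped field, so (as I read the convert processor's semantics) an address that does not parse as an IP leaves `source.ip`/`destination.ip` absent with no error recorded on the event. Detection rules and dashboards keyed on those fields will then simply not see such records; that is a defensible trade-off for a best-effort pipeline, but it deserves a comment next to the option, e.g. `# fail_on_error: false — a value that fails conversion is skipped and its target field left unset; rules keyed on source.ip/destination.ip will not match those events`. The `ignore_failure` key being replaced does not look like an option of this processor, which would explain why failures were not being ignored before; a `tag:` on each convert block would make any logged conversion failures attributable to the right processor.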
@@ -175,16 +175,21 @@ processors:
 - {from: zeek.dns.proto, to: network.transport}
 - convert:
 ignore_missing: true
- ignore_failure: true
+ fail_on_error: false
 mode: copy
 fields:
 - {from: source.address, to: source.ip, type: ip}
 - {from: destination.address, to: destination.ip, type: ip}
 - {from: zeek.session_id, to: event.id}
- - {from: zeek.dns.trans_id, to: dns.id}
+ - {from: zeek.dns.trans_id, to: dns.id, type: string}
 - {from: zeek.dns.query, to: dns.question.name}
 - {from: zeek.dns.qtype_name, to: dns.question.type}
 - {from: zeek.dns.rcode_name, to: dns.response_code}
+ - convert:
+ ignore_missing: true
+ fail_on_error: false
+ fields:
+ - {from: zeek.dns.trans_id, type: string}
 - add_fields:
 target: event
 fields:
diff --git a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
index 61a57b55bd8..5be6888c0c9 100644
--- a/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/dns/test/dns-json.log-expected.json
@@ -22,7 +22,7 @@
 "RD",
 "RA"
 ],
- "dns.id": 15209,
+ "dns.id": "15209",
 "dns.question.class": "IN",
 "dns.question.name": "dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io",
 "dns.question.registered_domain": "es.io",
@@ -88,7 +88,7 @@
 "zeek.dns.rcode_name": "NOERROR",
 "zeek.dns.rejected": false,
 "zeek.dns.rtt": 0.076967,
- "zeek.dns.trans_id": 15209,
+ "zeek.dns.trans_id": "15209",
 "zeek.session_id": "CAcJw21BbVedgFnYH3"
 },
 {
@@ -96,7 +96,7 @@
 "destination.address": "ff02::fb",
 "destination.ip": "ff02::fb",
 "destination.port": 5353,
- "dns.id": 0,
+ "dns.id": "0",
 "dns.question.class": "IN",
 "dns.question.name": "_googlecast._tcp.local",
 "dns.question.registered_domain": "_tcp.local",
@@ -143,7 +143,7 @@
 "zeek.dns.qtype_name": "PTR",
 "zeek.dns.query": "_googlecast._tcp.local",
 "zeek.dns.rejected": false,
- "zeek.dns.trans_id": 0,
+ "zeek.dns.trans_id": "0",
 "zeek.session_id": "C19a1k4lTv46YMbeOk"
 },
 {
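Review bot: The new stand-alone convert block for `zeek.dns.trans_id` at the end of the dns.yml hunk reads like a duplicate of the `type: string` already added on the `zeek.dns.trans_id` → `dns.id` entry above it, and nothing explains why both are needed; since that entry runs under `mode: copy`, the source field is left untouched, so the second block is what turns `zeek.dns.trans_id` itself into the quoted value the expected-output hunks below now carry. A one-line comment above the new block would save the next reader that inference: `# mode: copy leaves zeek.dns.trans_id numeric; convert it in place so the raw field is emitted as a string, like dns.id`. Because `dns.id` changes from a number to a string here, any consumer that relies on it being numeric — range comparisons, for instance — will behave differently once the value is a string. The surrounding `processors:` list starts before the hunk and the trailing `add_fields` block continues past it.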
@@ -158,7 +158,7 @@
 }
 ],
 "dns.header_flags": "AA",
- "dns.id": 0,
+ "dns.id": "0",
 "dns.question.name": "_googlecast._tcp.local",
 "dns.question.registered_domain": "_tcp.local",
 "dns.question.subdomain": "_googlecast",
@@ -209,7 +209,7 @@
 "zeek.dns.rcode": 0,
 "zeek.dns.rcode_name": "NOERROR",
 "zeek.dns.rejected": false,
- "zeek.dns.trans_id": 0,
+ "zeek.dns.trans_id": "0",
 "zeek.session_id": "CdiVAw7jJw6gsX5H"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/functionbeat/Jenkinsfile.yml b/x-pack/functionbeat/Jenkinsfile.yml
index 59d3ddf22dd..ec9a4ec57f0 100644
--- a/x-pack/functionbeat/Jenkinsfile.yml
+++ b/x-pack/functionbeat/Jenkinsfile.yml
@@ -52,76 +52,27 @@ stages:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-2016"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/functionbeat for windows-2016"
- labels:
- - "windows-2016"
- branches: true ## for all the branches
- tags: true ## for all the tags
 windows-2012:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-2012-r2"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/functionbeat for windows-2012"
- labels:
- - "windows-2012"
- branches: true ## for all the branches
- tags: true ## for all the tags
 windows-10:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-10"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/functionbeat for windows-10"
- labels:
- - "windows-10"
- branches: true ## for all the branches
- tags: true ## for all the tags
 windows-2008:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-2008-r2"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/functionbeat for windows-2008"
- labels:
- - "windows-2008"
- branches: true ## for all the branches
- tags: true ## for all the tags
 windows-8:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-8"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/functionbeat for windows-8"
- labels:
- - "windows-8"
- branches: true ## for all the branches
- tags: true ## for all the tags
 windows-7:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-7"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/functionbeat for windows-7"
- labels:
- - "windows-7"
- branches: true ## for all the branches
- tags: true ## for all the tags
 windows-7-32:
 mage: "mage build unitTest"
 platforms: ## override default labels in this specific stage.
 - "windows-7-32-bit"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/functionbeat for windows-7-32"
- labels:
- - "windows-7-32"
- branches: true ## for all the branches
- tags: true ## for all the tags
diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml
index d96ab60094e..d0d5ecf487a 100644
--- a/x-pack/functionbeat/functionbeat.reference.yml
+++ b/x-pack/functionbeat/functionbeat.reference.yml
@@ -813,8 +813,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -946,8 +944,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1231,8 +1227,6 @@ setup.kibana:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1434,8 +1428,6 @@ logging.files:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml
index 63501b14e2d..85e00f43342 100644
--- a/x-pack/heartbeat/heartbeat.reference.yml
+++ b/x-pack/heartbeat/heartbeat.reference.yml
@@ -705,8 +705,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -838,8 +836,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1045,8 +1041,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -1207,8 +1201,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -1509,8 +1501,6 @@ setup.kibana:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -1712,8 +1702,6 @@ logging.files:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
diff --git a/x-pack/metricbeat/Jenkinsfile.yml b/x-pack/metricbeat/Jenkinsfile.yml
index aadb02d3a77..5b0fd456f6b 100644
--- a/x-pack/metricbeat/Jenkinsfile.yml
+++ b/x-pack/metricbeat/Jenkinsfile.yml
@@ -62,76 +62,27 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2016" - when: ## Override the top-level when. - comments: - - "/test x-pack/metricbeat for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/metricbeat for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" - when: ## Override the top-level when. - comments: - - "/test x-pack/metricbeat for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags windows-2008: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2008-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/metricbeat for windows-2008" - labels: - - "windows-2008" - branches: true ## for all the branches - tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" - when: ## Override the top-level when. - comments: - - "/test x-pack/metricbeat for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" - when: ## Override the top-level when. 
- comments:
- - "/test x-pack/metricbeat for windows-7"
- labels:
- - "windows-7"
- branches: true ## for all the branches
- tags: true ## for all the tags
# windows-7-32:
# mage: "mage build unitTest"
# platforms: ## override default labels in this specific stage.
# - "windows-7-32-bit"
-# when: ## Override the top-level when.
-# comments:
-# - "/test x-pack/metricbeat for windows-7-32"
-# labels:
-# - "windows-7-32"
-# branches: true ## for all the branches
-# tags: true ## for all the tags
diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml
index 71eaa8f800f..dfa898fbe80 100644
--- a/x-pack/metricbeat/metricbeat.reference.yml
+++ b/x-pack/metricbeat/metricbeat.reference.yml
@@ -1805,8 +1805,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -1938,8 +1936,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -2145,8 +2141,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -2307,8 +2301,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -2609,8 +2601,6 @@ setup.kibana:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -2812,8 +2802,6 @@ logging.files:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
diff --git a/x-pack/metricbeat/module/iis/application_pool/reader.go b/x-pack/metricbeat/module/iis/application_pool/reader.go
index 32c0c2d7ec3..d15b0a47747 100644
--- a/x-pack/metricbeat/module/iis/application_pool/reader.go
+++ b/x-pack/metricbeat/module/iis/application_pool/reader.go
@@ -263,7 +263,7 @@ func getw3wpProceses() (map[int]string, error) {
func getProcessIds(counterValues map[string][]pdh.CounterValue) []WorkerProcess {
var workers []WorkerProcess
for key, values := range counterValues {
- if strings.Contains(key, "\\ID Process") {
+ if strings.Contains(key, "\\ID Process") && values[0].Measurement != nil {
workers = append(workers, WorkerProcess{instanceName: values[0].Instance, processId: int(values[0].Measurement.(float64))})
}
}
diff --git a/x-pack/packetbeat/Jenkinsfile.yml b/x-pack/packetbeat/Jenkinsfile.yml
index bb2aeb7edd9..f0d82e08940 100644
--- a/x-pack/packetbeat/Jenkinsfile.yml
+++ b/x-pack/packetbeat/Jenkinsfile.yml
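Review bot: The new guard still dereferences `values[0]` before anything checks that `values` has an element, so an empty slice under an `\\ID Process` key panics before the nil test runs, and the `.(float64)` assertion on the next line panics whenever Measurement is non-nil but of another type. A length check plus a comma-ok assertion turns both into a skipped entry; the body of getProcessIds continues past the hunk (its `return workers` is outside).
```go
for key, values := range counterValues {
	if !strings.Contains(key, "\\ID Process") || len(values) == 0 {
		continue
	}
	pid, ok := values[0].Measurement.(float64)
	if !ok {
		// nil or an unexpected counter type: skip instead of panicking on the assertion
		continue
	}
	workers = append(workers, WorkerProcess{instanceName: values[0].Instance, processId: int(pid)})
}
```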
@@ -64,76 +64,27 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2016" - when: ## Override the top-level when. - comments: - - "/test x-pack/packetbeat for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/packetbeat for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" - when: ## Override the top-level when. - comments: - - "/test x-pack/packetbeat for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags windows-2008: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2008-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/winlogbeat for windows-2008" - labels: - - "windows-2008" - branches: true ## for all the branches - tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" - when: ## Override the top-level when. - comments: - - "/test x-pack/packetbeat for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" - when: ## Override the top-level when. 
- comments:
- - "/test x-pack/packetbeat for windows-7"
- labels:
- - "windows-7"
- branches: true ## for all the branches
- tags: true ## for all the tags
windows-7-32:
mage: "mage build unitTest"
platforms: ## override default labels in this specific stage.
- "windows-7-32-bit"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/packetbeat for windows-7-32"
- labels:
- - "windows-7-32"
- branches: true ## for all the branches
- tags: true ## for all the tags
diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml
index 9aee618bed8..9f25343877f 100644
--- a/x-pack/packetbeat/packetbeat.reference.yml
+++ b/x-pack/packetbeat/packetbeat.reference.yml
@@ -80,7 +80,7 @@ packetbeat.flows:
packetbeat.protocols:
- type: icmp
- # Enable ICMPv4 and ICMPv6 monitoring. Default: true
+ # Enable ICMPv4 and ICMPv6 monitoring. The default is true.
#enabled: true
# Set to true to publish fields with null values in events.
@@ -1022,8 +1022,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -1155,8 +1153,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -1362,8 +1358,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -1524,8 +1518,6 @@ output.elasticsearch:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -1826,8 +1818,6 @@ setup.kibana:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
@@ -2029,8 +2019,6 @@ logging.files:
# * full, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
# * strict, which verifies that the provided certificate is signed by a trusted
# authority (CA) and also verifies that the server's hostname (or IP address)
# matches the names identified within the certificate. If the Subject Alternative
diff --git a/x-pack/packetbeat/packetbeat.yml b/x-pack/packetbeat/packetbeat.yml
index 2ac9186d43e..15a0df9ebd1 100644
--- a/x-pack/packetbeat/packetbeat.yml
+++ b/x-pack/packetbeat/packetbeat.yml
@@ -38,7 +38,7 @@ packetbeat.flows:
packetbeat.protocols:
- type: icmp
- # Enable ICMPv4 and ICMPv6 monitoring. Default: false
+ # Enable ICMPv4 and ICMPv6 monitoring. The default is true.
enabled: true
- type: amqp
@@ -47,7 +47,8 @@ packetbeat.protocols:
ports: [5672]
- type: cassandra
- #Cassandra port for traffic monitoring.
+ # Configure the ports where to listen for Cassandra traffic. You can disable
+ # the Cassandra protocol by commenting out the list of ports.
ports: [9042]
- type: dhcpv4
@@ -112,7 +113,8 @@ packetbeat.protocols:
- 9243 # Elasticsearch
- type: sip
- # Configure the ports where to listen for SIP traffic. You can disable the SIP protocol by commenting out the list of ports.
+ # Configure the ports where to listen for SIP traffic. You can disable
+ # the SIP protocol by commenting out the list of ports.
ports: [5060]
# ======================= Elasticsearch template setting =======================
diff --git a/x-pack/winlogbeat/Jenkinsfile.yml b/x-pack/winlogbeat/Jenkinsfile.yml
index 3776d167f1f..0c77c16ac6d 100644
--- a/x-pack/winlogbeat/Jenkinsfile.yml
+++ b/x-pack/winlogbeat/Jenkinsfile.yml
@@ -34,76 +34,27 @@ stages: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2016" - when: ## Override the top-level when. - comments: - - "/test x-pack/winlogbeat for windows-2016" - labels: - - "windows-2016" - branches: true ## for all the branches - tags: true ## for all the tags windows-2012: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2012-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/winlogbeat for windows-2012" - labels: - - "windows-2012" - branches: true ## for all the branches - tags: true ## for all the tags windows-10: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-10" - when: ## Override the top-level when. - comments: - - "/test x-pack/winlogbeat for windows-10" - labels: - - "windows-10" - branches: true ## for all the branches - tags: true ## for all the tags windows-2008: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-2008-r2" - when: ## Override the top-level when. - comments: - - "/test x-pack/winlogbeat for windows-2008" - labels: - - "windows-2008" - branches: true ## for all the branches - tags: true ## for all the tags windows-8: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-8" - when: ## Override the top-level when. - comments: - - "/test x-pack/winlogbeat for windows-8" - labels: - - "windows-8" - branches: true ## for all the branches - tags: true ## for all the tags windows-7: mage: "mage build unitTest" platforms: ## override default labels in this specific stage. - "windows-7" - when: ## Override the top-level when. 
- comments:
- - "/test x-pack/winlogbeat for windows-7"
- labels:
- - "windows-7"
- branches: true ## for all the branches
- tags: true ## for all the tags
windows-7-32:
mage: "mage build unitTest"
platforms: ## override default labels in this specific stage.
- "windows-7-32-bit"
- when: ## Override the top-level when.
- comments:
- - "/test x-pack/winlogbeat for windows-7-32"
- labels:
- - "windows-7-32"
- branches: true ## for all the branches
- tags: true ## for all the tags
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index 56cdced6b51..44d0e8eb34d 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -180,6 +180,7 @@ var security = (function () {
"4647": [["authentication"], ["end"], "logged-out"],
"4648": [["authentication"], ["start"], "logged-in-explicit"],
"4657": [["configuration"], ["change"], "registry-value-modified"],
+ "4670": [["iam", "configuration"],["admin", "change"],"permissions-changed"],
"4672": [["iam"], ["admin"], "logged-in-special"],
"4673": [["iam"], ["admin"], "privileged-service-called"],
"4674": [["iam"], ["admin"], "privileged-operation"],
@@ -197,6 +198,8 @@ var security = (function () {
"4714": [["configuration"], ["change"], "encrypted-data-recovery-policy-changed"],
"4715": [["configuration"], ["change"], "object-audit-policy-changed"],
"4716": [["configuration"], ["change"], "trusted-domain-information-changed"],
+ "4717": [["iam", "configuration"],["admin", "change"],"system-security-access-granted"],
+ "4718": [["iam", "configuration"],["admin", "deletion"],"system-security-access-removed"],
"4719": [["iam", "configuration"], ["admin", "change"], "changed-audit-config"], // remove iam and admin
"4720": [["iam"], ["user", "creation"], "added-user-account"],
"4722": [["iam"], ["user", "change"], "enabled-user-account"],
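Review bot: The new table rows in the `@@ -180` hunk (4670) and the `@@ -197` hunk (4717, 4718) drop the space after the commas that every neighbouring row uses, and the same applies to 4817, 4902 and 4904 in the `@@ -252` hunk further down; the file's convention is `"4670": [["iam", "configuration"], ["admin", "change"], "permissions-changed"],`. Aligning them keeps the table greppable and avoids a noisy reformat later. The surrounding event-action table starts before these hunks and continues after them.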
@@ -252,7 +255,14 @@ var security = (function () {
"4781": [["iam"], ["user", "change"], "renamed-user-account"],
"4798": [["iam"], ["user", "info"], "group-membership-enumerated"], // process enumerates the local groups to which the specified user belongs
"4799": [["iam"], ["group", "info"], "user-member-enumerated"], // a process enumerates the members of the specified local group
- "4912": [["configuration"], ["change"], "per-user-audit-policy-changed"],
+ "4817": [["iam", "configuration"], ["admin", "change"],"object-audit-changed"],
+ "4902": [["iam", "configuration"], ["admin", "creation"],"user-audit-policy-created"],
+ "4904": [["iam", "configuration"], ["admin", "change"],"security-event-source-added"],
+ "4905": [["iam", "configuration"], ["admin", "deletion"], "security-event-source-removed"],
+ "4906": [["iam", "configuration"], ["admin", "change"], "crash-on-audit-changed"],
+ "4907": [["iam", "configuration"], ["admin", "change"], "audit-setting-changed"],
+ "4908": [["iam", "configuration"], ["admin", "change"], "special-group-table-changed"],
+ "4912": [["iam", "configuration"], ["admin", "change"], "per-user-audit-policy-changed"],
"4950": [["configuration"], ["change"], "windows-firewall-setting-changed"],
"4954": [["configuration"], ["change"], "windows-firewall-group-policy-changed"],
"4964": [["iam"], ["admin", "group"], "logged-in-special"],
@@ -263,16 +273,6 @@ var security = (function () {
"5037": [["driver"], ["end"], "windows-firewall-driver-error"],
};
-
- // Audit Policy Changes Table
- // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4719
- var auditActions = {
- "8448": "Success Removed",
- "8450": "Failure Removed",
- "8449": "Success Added",
- "8451": "Failure Added",
- };
-
// Services Types
// https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697
var serviceTypes = {
@@ -1209,7 +1209,7 @@ var security = (function () {
"8448": "Success removed",
"8449": "Success Added",
"8450": "Failure removed",
- "8451": "Failure added",
+ "8451": "Failure Added",
"8452": "Success include removed",
"8453": "Success include added",
"8454": "Success exclude removed",
@@ -1351,6 +1351,250 @@ var security = (function () {
"16903": "Publish",
};
+ // Trust Types
+ // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ var trustTypes = {
+ "1": "TRUST_TYPE_DOWNLEVEL",
+ "2": "TRUST_TYPE_UPLEVEL",
+ "3": "TRUST_TYPE_MIT",
+ "4": "TRUST_TYPE_DCE"
+ }
+
+ // Trust Direction
+ // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ var trustDirection = {
+ "0": "TRUST_DIRECTION_DISABLED",
+ "1": "TRUST_DIRECTION_INBOUND",
+ "2": "TRUST_DIRECTION_OUTBOUND",
+ "3": "TRUST_DIRECTION_BIDIRECTIONAL"
+ }
+
+ // Trust Attributes
+ // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4706
+ var trustAttributes = {
+ "0": "UNDEFINED",
+ "1": "TRUST_ATTRIBUTE_NON_TRANSITIVE",
+ "2": "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
+ "4": "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN",
+ "8": "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
+ "16": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION",
+ "32": "TRUST_ATTRIBUTE_WITHIN_FOREST",
+ "64": "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
+ "128": "TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION",
+ "512": "TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION",
+ "1024": "TRUST_ATTRIBUTE_PIM_TRUST"
+ }
+
+ // SDDL Ace Types
+ // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ // https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
+ // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ var aceTypes = {
+ "A": "Access Allowed",
+ "D": "Access Denied",
+ "OA": "Object Access Allowed",
+ "OD": "Object Access Denied",
+ "AU": "System Audit",
+ "AL": "System Alarm",
+ "OU": "System Object Audit",
+ "OL": "System Object Alarm",
+ "ML": "System Mandatory Label",
+ "SP": "Central Policy ID"
+ }
+
+ // SDDL Permissions
+ // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4715
+ // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f4296d69-1c0f-491f-9587-a960b292d070
+ var permissionDescription = {
+ "GA": "Generic All",
+ "GR": "Generic Read",
+ "GW": "Generic Write",
+ "GX": "Generic Execute",
+ "RC": "Read Permissions",
+ "SD": "Delete",
+ "WD": "Modify Permissions",
+ "WO": "Modify Owner",
+ "RP": "Read All Properties",
+ "WP": "Write All Properties",
+ "CC": "Create All Child Objects",
+ "DC": "Delete All Child Objects",
+ "LC": "List Contents",
+ "SW": "All Validated",
+ "LO": "List Object",
+ "DT": "Delete Subtree",
+ "CR": "All Extended Rights",
+ "FA": "File All Access",
+ "FR": "File Generic Read",
+ "FX": "FILE GENERIC EXECUTE",
+ "FW": "FILE GENERIC WRITE",
+ "KA": "KEY ALL ACCESS",
+ "KR": "KEY READ",
+ "KW": "KEY WRITE",
+ "KX": "KEY EXECUTE"
+ }
+
+ // Known SIDs
+ // https://support.microsoft.com/en-au/help/243330/well-known-security-identifier"S-in-window"S-operating-systems
+ // https://docs.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+ var accountSIDDescription = {
+ "AO": "Account operators",
+ "RU": "Alias to allow previous Windows 2000",
+ "AN": "Anonymous logon",
+ "AU": "Authenticated users",
+ "BA": "Built-in administrators",
+ "BG": "Built-in guests",
+ "BO": "Backup operators",
+ "BU": "Built-in users",
+ "CA": "Certificate server administrators",
+ "CG": "Creator group",
+ "CO": "Creator owner",
+ "DA": "Domain administrators",
+ "DC": "Domain computers",
+ "DD": "Domain controllers",
+ "DG": "Domain guests",
+ "DU": "Domain users",
+ "EA": "Enterprise administrators",
+ "ED": "Enterprise domain controllers",
+ "WD": "Everyone",
+ "PA": "Group Policy administrators",
+ "IU": "Interactively logged-on user",
+ "LA": "Local administrator",
+ "LG": "Local guest",
+ "LS": "Local service account",
+ "SY": "Local system",
+ "NU": "Network logon user",
+ "NO": "Network configuration operators",
+ "NS": "Network service account",
+ "PO": "Printer operators",
+ "PS": "Personal self",
+ "PU": "Power users",
+ "RS": "RAS servers group",
+ "RD": "Terminal server users",
+ "RE": "Replicator",
+ "RC": "Restricted code",
+ "SA": "Schema administrators",
+ "SO": "Server operators",
+ "SU": "Service logon user",
+ "S-1-0": "Null Authority",
+ "S-1-0-0": "Nobody",
+ "S-1-1": "World Authority",
+ "S-1-1-0": "Everyone",
+ "S-1-16-0": "Untrusted Mandatory Level",
+ "S-1-16-12288": "High Mandatory Level",
+ "S-1-16-16384": "System Mandatory Level",
+ "S-1-16-20480": "Protected Process Mandatory Level",
+ "S-1-16-28672": "Secure Process Mandatory Level",
+ "S-1-16-4096": "Low Mandatory Level",
+ "S-1-16-8192": "Medium Mandatory Level",
+ "S-1-16-8448": "Medium Plus Mandatory Level",
+ "S-1-2": "Local Authority",
+ "S-1-2-0": "Local",
+ "S-1-2-1": "Console Logon",
+ "S-1-3": "Creator Authority",
+ "S-1-3-0": "Creator Owner",
+ "S-1-3-1": "Creator Group",
+ "S-1-3-2": "Creator Owner Server",
+ "S-1-3-3": "Creator Group Server",
+ "S-1-3-4": "Owner Rights",
+ "S-1-4": "Non-unique Authority",
+ "S-1-5": "NT Authority",
+ "S-1-5-1": "Dialup",
+ "S-1-5-10": "Principal Self",
+ "S-1-5-11": "Authenticated Users",
+ "S-1-5-12": "Restricted Code",
+ "S-1-5-13": "Terminal Server Users",
+ "S-1-5-14": "Remote Interactive Logon",
+ "S-1-5-15": "This Organization",
+ "S-1-5-17": "This Organization",
+ "S-1-5-18": "Local System",
+ "S-1-5-19": "NT Authority",
+ "S-1-5-2": "Network",
+ "S-1-5-20": "NT Authority",
+ "S-1-5-3": "Batch",
+ "S-1-5-32-544": "Administrators",
+ "S-1-5-32-545": "Users",
+ "S-1-5-32-546": "Guests",
+ "S-1-5-32-547": "Power Users",
+ "S-1-5-32-548": "Account Operators",
+ "S-1-5-32-549": "Server Operators",
+ "S-1-5-32-550": "Print Operators",
+ "S-1-5-32-551": "Backup Operators",
+ "S-1-5-32-552": "Replicators",
+ "S-1-5-32-554": "Builtin\Pre-Windows 2000 Compatible Access",
+ "S-1-5-32-555": "Builtin\Remote Desktop Users",
+ "S-1-5-32-556": "Builtin\Network Configuration Operators",
+ "S-1-5-32-557": "Builtin\Incoming Forest Trust Builders",
+ "S-1-5-32-558": "Builtin\Performance Monitor Users",
+ "S-1-5-32-559": "Builtin\Performance Log Users",
+ "S-1-5-32-560": "Builtin\Windows Authorization Access Group",
+ "S-1-5-32-561": "Builtin\Terminal Server License Servers",
+ "S-1-5-32-562": "Builtin\Distributed COM Users",
+ "S-1-5-32-569": "Builtin\Cryptographic Operators",
+ "S-1-5-32-573": "Builtin\Event Log Readers",
+ "S-1-5-32-574": "Builtin\Certificate Service DCOM Access",
+ "S-1-5-32-575": "Builtin\RDS Remote Access Servers",
+ "S-1-5-32-576": "Builtin\RDS Endpoint Servers",
+ "S-1-5-32-577": "Builtin\RDS Management Servers",
+ "S-1-5-32-578": "Builtin\Hyper-V Administrators",
+ "S-1-5-32-579": "Builtin\Access Control Assistance Operators",
+ "S-1-5-32-580": "Builtin\Remote Management Users",
+ "S-1-5-32-582": "Storage Replica Administrators",
+ "S-1-5-4": "Interactive",
+ "S-1-5-5-X-Y": "Logon Session",
+ "S-1-5-6": "Service",
+ "S-1-5-64-10": "NTLM Authentication",
+ "S-1-5-64-14": "SChannel Authentication",
+ "S-1-5-64-21": "Digest Authentication",
+ "S-1-5-7": "Anonymous",
+ "S-1-5-8": "Proxy",
+ "S-1-5-80": "NT Service",
+ "S-1-5-80-0": "All Services",
+ "S-1-5-83-0": "NT Virtual Machine\Virtual Machines",
+ "S-1-5-9": "Enterprise Domain Controllers",
+ "S-1-5-90-0": "Windows Manager\Windows Manager Group"
+ }
+
+ // Domain-specific SIDs
+ // https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems
+ var domainSpecificSID = {
+ "498": "Enterprise Read-only Domain Controllers",
+ "500": "Administrator",
+ "501": "Guest",
+ "502": "KRBTGT",
+ "512": "Domain Admins",
+ "513": "Domain Users",
+ "514": "Domain Guests",
+ "515": "Domain Computers",
+ "516": "Domain Controllers",
+ "517": "Cert Publishers",
+ "518": "Schema Admins",
+ "519": "Enterprise Admins",
+ "520": "Group Policy Creator Owners",
+ "521": "Read-only Domain Controllers",
+ "522": "Cloneable Domain Controllers",
+ "526": "Key Admins",
+ "527": "Enterprise Key Admins",
+ "553": "RAS and IAS Servers",
+ "571": "Allowed RODC Password Replication Group",
+ "572": "Denied RODC Password Replication Group"
+ }
+
+ // Object Permission Flags
+ // https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b
+ var permsFlags = [
+ [0x80000000, 'Generic Read'],
+ [0x4000000, 'Generic Write'],
+ [0x20000000, 'Generic Execute'],
+ [0x10000000, 'Generic All'],
+ [0x02000000, 'Maximun Allowed'],
+ [0x01000000, 'Access System Security'],
+ [0x00100000, 'Syncronize'],
+ [0x00080000, 'Write Owner'],
+ [0x00040000, 'Write DACL'],
+ [0x00020000, 'Read Control'],
+ [0x00010000, 'Delete']
+ ];
+
// lookupMessageCode returns the string associated with the code. key should
// be the name of the field in evt containing the code (e.g. %%2313).
var lookupMessageCode = function (evt, key) {
@@ -1455,7 +1699,7 @@ var security = (function () {
var actionResults = [];
for (var j = 0; j < codedActions.length; j++) {
var actionCode = codedActions[j].replace("%%", '').replace(' ', '');
- actionResults.push(auditActions[actionCode]);
+ actionResults.push(msobjsMessageTable[actionCode]);
}
evt.Put("winlog.event_data.AuditPolicyChangesDescription", actionResults);
};
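Review bot: The `permsFlags` entry for Generic Write is `0x4000000` (seven hex digits) while its neighbours are eight, so a mask carrying GENERIC_WRITE (0x40000000) is reported without it and the unrelated 0x04000000 bit is labelled "Generic Write"; the row should read `[0x40000000, 'Generic Write'],`. In `accountSIDDescription`, the `Builtin\...` values use a single backslash before a letter, which a JavaScript string literal treats as an identity escape, so the stored names come out as `BuiltinPre-Windows 2000 Compatible Access` and the like; double them (`"Builtin\\Pre-Windows 2000 Compatible Access"`) if the backslash is intended. The `// https://support.microsoft.com/.../well-known-security-identifier"S-in-window"S-operating-systems` comment is garbled and differs from the correct form of the same URL used a few lines later for `domainSpecificSID`. Minor: the new object literals (`trustTypes` through `domainSpecificSID`) end in `}` without the `;` the rest of the file uses, and `'Maximun Allowed'` / `'Syncronize'` are misspelled in user-visible descriptions.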
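Review bot: Replacing `auditActions` with `msobjsMessageTable` changes the text emitted in `winlog.event_data.AuditPolicyChangesDescription` for codes 8448 and 8450, from "Success Removed"/"Failure Removed" to "Success removed"/"Failure removed", if the table patched in the `@@ -1209` hunk is `msobjsMessageTable` as the surrounding context suggests; that hunk realigns only 8451. Either normalise those two entries the same way or note the changed casing in the changelog, since dashboards or detections keyed on the old strings would silently stop matching. The enclosing function starts before this hunk.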
@@ -1495,12 +1739,118 @@ var security = (function () { evt.Put("winlog.event_data.StatusDescription", kerberosTktStatusCodes[code]); }; + var translateSID = function(sid){ + var translatedSID = accountSIDDescription[sid]; + if (translatedSID == undefined) { + if (/^S\-1\-5\-21/.test(sid)) { + var uid = sid.match(/[0-9]{1,5}$/g); + if (uid) { + translatedSID = domainSpecificSID[uid]; + } + } + } + if (translatedSID == undefined) { + translatedSID = sid; + } + return translatedSID; + } + + var translatePermissionMask = function(mask) { + if (!mask) { + return; + } + var permCode = parseInt(mask); + var permResult = []; + for (var i = 0; i < permsFlags.length; i++) { + if ((permCode | permsFlags[i][0]) === permCode) { + permResult.push(permsFlags[i][1]); + } + } + if (permResult) { + return permResult; + } else { + return mask; + } + }; + + var translateACL = function(dacl) { + var aceArray = dacl.split(";"); + var aceResult = []; + var aceType = aceArray[0]; + var acePerm = aceArray[2]; + var aceTrustedSid = aceArray[5]; + if (aceTrustedSid) { + aceResult['grantee'] = translateSID(aceTrustedSid); + } + if (aceType) { + aceResult['type'] = aceTypes[aceType]; + } + if (acePerm) { + if (/^0x/.test(acePerm)) { + var perms = translatePermissionMask(acePerm); + } + else { + var perms = [] + var permPairs = acePerm.match(/.{1,2}/g); + for ( var i = 0; i < permPairs.length; i ++) { + perms.push(permissionDescription[permPairs[i]]) + } + } + aceResult['perms'] = perms; + } + return aceResult; + }; + + var enrichSDDL = function(evt, sddl) { + var sddlStr = evt.Get(sddl); + if (!sddlStr) { + return; + } + var sdOwner = sddlStr.match(/^O\:[A-Z]{2}/g); + var sdGroup = sddlStr.match(/^G\:[A-Z]{2}/g); + var sdDacl = sddlStr.match(/(D:([A-Z]*(\(.*\))*))/g); + var sdSacl = sddlStr.match(/(S:([A-Z]*(\(.*\))*))?$/g); + if (sdOwner) { + evt.Put(sddl+"Owner", translateSID(sdOwner)); + } + if (sdGroup) { + evt.Put(sddl+"Group", translateSID(sdGroup)); + } + if (sdDacl) { + // Split each 
entry of the DACL + var daclList = (sdDacl[0]).match(/\([^*\)]*\)/g); + if (daclList) { + for (var i = 0; i < daclList.length; i++) { + var newDacl = translateACL(daclList[i].replace("(", '').replace(")", '')); + evt.Put(sddl+"Dacl"+i, newDacl['grantee']+" :"+newDacl['type']+" ("+newDacl['perms']+")"); + if ( newDacl['grantee'] === "Administrator" || newDacl['grantee'] === "Guest" || newDacl['grantee'] === "KRBTGT" ) { + evt.AppendTo('related.user', newDacl['grantee']); + } + } + } + } + if (sdSacl) { + // Split each entry of the SACL + var saclList = (sdSacl[0]).match(/\([^*\)]*\)/g); + if (saclList) { + for (var i = 0; i < saclList.length; i++) { + var newSacl = translateACL(saclList[i].replace("(", '').replace(")", '')); + evt.Put(sddl+"Sacl"+i, newSacl['grantee']+" :"+newSacl['type']+" ("+newSacl['perms']+")"); + if ( newSacl['grantee'] === "Administrator" || newSacl['grantee'] === "Guest" || newSacl['grantee'] === "KRBTGT" ) { + evt.AppendTo('related.user', newSacl['grantee']); + } + } + } + } + }; + var addSessionData = new processor.Chain() .Convert({ fields: [ {from: "winlog.event_data.AccountName", to: "user.name"}, {from: "winlog.event_data.AccountDomain", to: "user.domain"}, {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, + {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, {from: "winlog.event_data.ClientName", to: "source.domain"}, {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, ], 
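Review bot: The DACL regex in enrichSDDL, `/(D:([A-Z]*(\(.*\))*))/g`, is greedy across the whole descriptor, so on a descriptor that also carries a SACL (`D:(...)S:(AU;...)`) the SACL ACEs are extracted a second time as `...DaclN` entries, and the SACL regex ending in `)?$` matches every string, which is why the `if (sdSacl)` guard can never fail. The owner and group lookups are also broken: `^G\:` can only match at the start of the string, which in the usual `O:..G:..D:..S:..` layout it never does, and both pass the match array including its `O:`/`G:` prefix to translateSID, so the alias is never resolved and the raw match lands in the event. In translatePermissionMask `(permCode | flag) === permCode` is a signed 32-bit comparison, so the 0x80000000 Generic Read bit can never match, and `if (permResult)` is always true for an array, leaving `return mask` unreachable; `if ((permCode & permsFlags[i][0]) !== 0)` and `if (permResult.length)` fix both (the Generic Write entry of permsFlags in the earlier hunk also reads 0x4000000 where 0x40000000 is the documented GENERIC_WRITE value). The rewritten head of enrichSDDL below unanchors the owner/group matches, captures the alias without its prefix and bounds each ACL at its own ACEs, with the two entry loops unchanged; all of this sits inside the `security` closure, which starts and ends outside the hunk. Separately, the numbered `Dacl0..N`/`Sacl0..N` keys create an unbounded set of field names per descriptor, which an array under a single key would avoid.
```javascript
    var enrichSDDL = function(evt, sddl) {
        var sddlStr = evt.Get(sddl);
        if (!sddlStr) {
            return;
        }
        // Owner/group are not at a fixed position; capture the alias or SID without the "O:"/"G:" prefix.
        var sdOwner = sddlStr.match(/O:([A-Z]{2}|S-1-[0-9-]+)/);
        var sdGroup = sddlStr.match(/G:([A-Z]{2}|S-1-[0-9-]+)/);
        // Each ACE is closed by its own ')', so the DACL match cannot run on into the SACL.
        var sdDacl = sddlStr.match(/D:[A-Z]*(?:\([^)]*\))*/);
        var sdSacl = sddlStr.match(/S:[A-Z]*(?:\([^)]*\))*/);
        if (sdOwner) {
            evt.Put(sddl+"Owner", translateSID(sdOwner[1]));
        }
        if (sdGroup) {
            evt.Put(sddl+"Group", translateSID(sdGroup[1]));
        }
        // … unchanged: DACL and SACL entry loops (they still read sdDacl[0] / sdSacl[0]) and the closing brace …
```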
@@ -1529,6 +1879,26 @@ var security = (function () { }) .Build(); + var addTrustInformation = new processor.Chain() + .Add(function(evt) { + var code = evt.Get("winlog.event_data.TdoType"); + if (!code) { + return; + } + evt.Put("winlog.trustType", trustTypes[code]); + code = evt.Get("winlog.event_data.TdoDirection"); + if (!code) { + return; + } + evt.Put("winlog.trustDirection", trustDirection[code]); + code = evt.Get("winlog.event_data.TdoAttributes"); + if (!code) { + return; + } + evt.Put("winlog.trustAttribute", trustAttributes[code]); + + }) + .Build(); var copyTargetUser = new processor.Chain() .Convert({ fields: [ @@ -1635,6 +2005,7 @@ var security = (function () { {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"}, {from: "winlog.event_data.ProcessName", to: "process.executable"}, {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"}, + {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"}, {from: "winlog.event_data.IpPort", to: "source.port", type: "long"}, {from: "winlog.event_data.WorkstationName", to: "source.domain"}, ], @@ -1772,10 +2143,12 @@ var security = (function () { .Add(addEventFields) .Add(function(evt) { var user = evt.Get("winlog.event_data.TargetUserName"); - var res = /^-$/.test(user); - if (!res) { - evt.AppendTo('related.user', user); - } + if (user) { + var res = /^-$/.test(user); + if (!res) { + evt.AppendTo('related.user', user); + } + } }) .Build(); @@ -1831,7 +2204,6 @@ var security = (function () { } evt.AppendTo("related.user", member.split(',')[0].replace('CN=', '').replace('cn=', '')); }) - .Build(); var auditLogCleared = new processor.Chain() 
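Review bot: Each `if (!code) { return; }` in addTrustInformation abandons the remaining lookups, so an event carrying TdoDirection or TdoAttributes but no TdoType gets none of the three fields, although the three enrichments are independent. TdoAttributes is also a flags field (the 4706 golden file carries "1"), so a direct `trustAttributes[code]` lookup only resolves single-bit values unless that table is keyed by combinations, which I cannot see from here. The rewritten body below guards each lookup on its own; the enclosing `security` closure starts and ends outside the hunk.
```javascript
    var addTrustInformation = new processor.Chain()
        .Add(function(evt) {
            // Each TDO field is optional; resolve whichever ones are present.
            var code = evt.Get("winlog.event_data.TdoType");
            if (code) {
                evt.Put("winlog.trustType", trustTypes[code]);
            }
            code = evt.Get("winlog.event_data.TdoDirection");
            if (code) {
                evt.Put("winlog.trustDirection", trustDirection[code]);
            }
            code = evt.Get("winlog.event_data.TdoAttributes");
            if (code) {
                evt.Put("winlog.trustAttribute", trustAttributes[code]);
            }
        })
        .Build();
```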
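Review bot: The added Convert entry reads `winlog.event_data.ClientAddress` for related.ip, while the neighbouring source.ip entry in the same list reads `winlog.event_data.IpAddress`; unless these events carry both fields, related.ip stays empty here, and the line presumably meant `{from: "winlog.event_data.IpAddress", to: "related.ip", type: "ip"},`. The addSessionData chain in the earlier hunk pairs ClientAddress with ClientAddress, which is what makes this one look like a copy-and-edit slip. The Convert's field list continues outside the hunk.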
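Review bot: Dropping `.Build();` after the `})` leaves that chain's statement ending on a bare `})`; whether the chain is still built depends on a `.Build()` earlier in the statement that the hunk does not show, and if there is none, the `.Run` handed to the dispatch table is undefined and the events routed to it are silently dropped. The chain's definition starts outside the hunk, so this needs checking against the golden files of the events it handles.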
@@ -1890,8 +2262,11 @@ var security = (function () { .Add(addEventFields) .Add(function(evt) { var ip = evt.Get("source.ip"); - if (/::ffff:/.test(ip)) { - evt.Put("source.ip", ip.replace("::ffff:", "")); + if (ip) { + if (/::ffff:/.test(ip)) { + evt.Put("source.ip", ip.replace("::ffff:", "")); + evt.Put("related.ip", ip.replace("::ffff:", "")); + } } }) .Build(); 
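Review bot: related.ip is now only written inside the `::ffff:` branch, so a source.ip that is not IPv4-mapped never reaches related.ip from this handler unless a Convert elsewhere in the chain covers it, which the hunk does not show. `evt.Put` also overwrites any related.ip already set, whereas related.user in this file is built with `evt.AppendTo`; moving the write out of the inner `if` as `evt.AppendTo("related.ip", ip.replace("::ffff:", ""));` covers both the mapped and the plain case. The enclosing handler starts and ends outside the hunk.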
@@ -1939,6 +2314,67 @@ var security = (function () { }) .Build(); + var trustDomainMgmtEvts = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(addEventFields) + .Add(addTrustInformation) + .Build(); + + var policyChange = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(addEventFields) + .Build(); + + var objectPolicyChange = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addEventFields) + .Add(function(evt) { + var oldSd = evt.Get("winlog.event_data.OldSd"); + var newSd = evt.Get("winlog.event_data.NewSd"); + if (oldSd) { + enrichSDDL(evt, "winlog.event_data.OldSd"); + } + if (newSd) { + enrichSDDL(evt, "winlog.event_data.NewSd"); + } + }) + .Build(); + + var genericAuditChange = new processor.Chain() + .Add(addEventFields) + .Build(); + + var event4908 = new processor.Chain() + .Add(addEventFields) + .Add(function(evt) { + var sids = evt.Get("winlog.event_data.SidList"); + if (!sids) { + return; + } + var sidList = sids.split(/\s+/); + evt.Put("winlog.event_data.SidList", sids.split(/\s+/)); + var sidListDesc = []; + for (var i = 0; i < sidList.length; i++) { + var sidTemp = sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""); + if (sidTemp) { + sidListDesc.push(translateSID(sidTemp)); + } + } + evt.Put("winlog.event_data.SidListDesc", sidListDesc); + }) + .Build(); + + var securityEventSource = new processor.Chain() + .Add(copySubjectUser) + .Add(copySubjectUserLogonId) + .Add(renameCommonAuthFields) + .Add(addEventFields) + .Build(); + return { // 1100 - The event logging service has shut down. @@ -1971,6 +2407,9 @@ var security = (function () { // 4648 - A logon was attempted using explicit credentials. 4648: event4648.Run, + // 4670 - Permissions on an object were changed. + 4670: objectPolicyChange.Run, + // 4672 - Special privileges assigned to new logon. 4672: event4672.Run, 
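Review bot: In event4908 `sids` is split twice; `evt.Put("winlog.event_data.SidList", sidList);` reuses the list already computed, and the `.replace(" ", "")` on each token is a no-op after a `\s+` split. objectPolicyChange reads OldSd and NewSd only to decide whether to call enrichSDDL, which re-reads the field and returns on an empty value itself, so the two `evt.Get` calls and their `if`s can go. The chains are all inside the `security` closure, which starts and ends outside the hunk.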
@@ -2004,6 +2443,24 @@ var security = (function () { // 4702 - A scheduled task was updated. 4702: scheduledTask.Run, + // 4706 - A new trust was created to a domain. + 4706: trustDomainMgmtEvts.Run, + + // 4707 - A trust to a domain was removed. + 4707: trustDomainMgmtEvts.Run, + + // 4713 - Kerberos policy was changed. + 4713: policyChange.Run, + + // 4716 - Trusted domain information was modified. + 4716: trustDomainMgmtEvts.Run, + + // 4717 - System security access was granted to an account. + 4717: policyChange.Run, + + // 4718 - System security access was removed from an account. + 4718: policyChange.Run, + // 4719 - System audit policy was changed. 4719: auditChanged.Run, @@ -2055,6 +2512,9 @@ var security = (function () { // 4737 - A security-enabled global group was changed. 4737: groupMgmtEvts.Run, + // 4739 - A security-enabled global group was changed. + 4739: policyChange.Run, + // 4738 - An user account was changed. 4738: userMgmtEvts.Run, @@ -2166,6 +2626,30 @@ var security = (function () { // 4799 - A security-enabled local group membership was enumerated. 4799: groupMgmtEvts.Run, + // 4817 - Auditing settings on object were changed. + 4817: objectPolicyChange.Run, + + // 4902 - The Per-user audit policy table was created. + 4902: genericAuditChange.Run, + + // 4904 - An attempt was made to register a security event source. + 4904: securityEventSource.Run, + + // 4905 - An attempt was made to unregister a security event source. + 4905: securityEventSource.Run, + + // 4906 - The CrashOnAuditFail value has changed. + 4906: genericAuditChange.Run, + + // 4907 - Auditing settings on object were changed. + 4907: objectPolicyChange.Run, + + // 4908 - Special Groups Logon table modified. + 4908: event4908.Run, + + // 4912 - Per User Audit Policy was changed. + 4912: auditChanged.Run, + // 4964 - Special groups have been assigned to a new logon. 4964: event4964.Run, 
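Review bot: The comment on the new 4739 entry, `// 4739 - A security-enabled global group was changed.`, repeats the 4737 line above it; the 4739 golden file in this change records the event as `domain-policy-changed`, so `// 4739 - Domain Policy was changed.` is what the entry actually describes. The entry is also inserted between 4737 and 4738, breaking the numeric order the table otherwise keeps. The dispatch table starts and ends outside the hunk.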
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx new file mode 100644 index 00000000000..30c2adc8426 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..0666a8b5ac8 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,80 @@
+[
+ {
+ "@timestamp": "2020-07-28T13:22:18.7993488Z",
+ "event": {
+ "action": "permissions-changed",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": 4670,
+ "kind": "event",
+ "module": "security",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "level": "information"
+ },
+ "process": {
+ "executable": "C:\\Windows\\System32\\services.exe",
+ "name": "services.exe",
+ "pid": 764
+ },
+ "related": {
+ "user": "WIN-BVM4LI1L1Q6$"
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-18",
+ "name": "WIN-BVM4LI1L1Q6$"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "HandleId": "0x56c",
+ "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
+ "NewSdDacl0": "Local system :Access Allowed (Generic All)",
+ "NewSdDacl1": "OW :Access Allowed (Read Permissions)",
+ "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed (Generic All)",
+ "ObjectName": "-",
+ "ObjectServer": "Security",
+ "ObjectType": "Token",
+ "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
+ "OldSdDacl0": "Local system :Access Allowed (Generic All)",
+ "OldSdDacl1": "Network service account :Access Allowed (Generic All)",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-BVM4LI1L1Q6$",
+ "SubjectUserSid": "S-1-5-18"
+ },
+ "event_id": 4670,
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 4604
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": 31932,
+ "task": "Authorization Policy Change"
+ }
+ }
+]
\ No newline at end of file
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx new file mode 100644 index 00000000000..e87e18d5441 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..7cdf639ce48 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2020-07-27T09:42:48.3690009Z", + "event": { + "action": "domain-trust-added", + "category": [ + "configuration" + ], + "code": 4706, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "%%1796", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" + }, + "event_id": 4706, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3056 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 6017, + "task": "Authentication Policy Change", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", + "trustType": "TRUST_TYPE_MIT" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx new file mode 100644 index 00000000000..3f9f51c4f98 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..d16ff334435 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,64 @@ +[ + { + "@timestamp": "2020-07-28T06:18:04.600444Z", + "event": { + "action": "domain-trust-removed", + "category": [ + "configuration" + ], + "code": 4707, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": 4707, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 13679, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx new file mode 100644 index 00000000000..5d4bb4d159a Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..9dcfe4ddb59 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,64 @@ +[ + { + "@timestamp": "2020-07-28T10:15:43.4951882Z", + "event": { + "action": "kerberos-policy-changed", + "category": [ + "configuration" + ], + "code": 4713, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4713, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 21265, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx new file mode 100644 index 00000000000..39053c8797e Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..6e43b04c6f3 
--- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2020-07-28T08:17:00.4706442Z", + "event": { + "action": "trusted-domain-information-changed", + "category": [ + "configuration" + ], + "code": 4716, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "-", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" + }, + "event_id": 4716, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3776 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 14929, + "task": "Authentication Policy Change", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", + "trustType": "TRUST_TYPE_MIT" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx new file mode 100644 index 00000000000..f27db52c536 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..fe3d49133e0 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,67 @@ +[ + { + "@timestamp": "2020-07-27T09:30:41.9034803Z", + "event": { + "action": "system-security-access-granted", + "category": [ + "iam", + "configuration" + ], + "code": 4717, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessGranted": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-9" + }, + "event_id": 4717, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1571, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx new file mode 100644 index 00000000000..43ef6f5a787 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..6e5fc0f6d54 --- /dev/null 
+++ b/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,67 @@ +[ + { + "@timestamp": "2020-07-27T09:30:41.8778082Z", + "event": { + "action": "system-security-access-removed", + "category": [ + "iam", + "configuration" + ], + "code": 4718, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessRemoved": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-32-545" + }, + "event_id": 4718, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 1565, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx new file mode 100644 index 00000000000..c30822f456f Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..4bc9323ce3f --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-08-18T13:45:57.4803543Z", + "event": { + "action": "changed-audit-config", + "category": [ + "iam", + "configuration" + ], + "code": 4719, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "Administrator" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditPolicyChanges": "%%8448", + "AuditPolicyChangesDescription": [ + "Success removed" + ], + "Category": "Object Access", + "CategoryId": "%%8274", + "SubCategory": "Other Object Access Events", + "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12804", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x44d7d", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": 4719, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x44d7d" + }, + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 2764 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 123879, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx new file mode 100644 index 00000000000..60063744d4c Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..4035618ea1d --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,71 @@ +[ + { + "@timestamp": "2020-07-27T09:34:50.1578005Z", + "event": { + "action": "domain-policy-changed", + "category": [ + "configuration" + ], + "code": 4739, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainBehaviorVersion": "-", + "DomainName": "TEST", + "DomainPolicyChanged": "Password Policy", + "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786", + "MachineAccountQuota": "-", + "MixedDomainMode": "-", + "OemInformation": "-", + "PasswordHistoryLength": "-", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4739, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 812 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 3532, + "task": "Authentication Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx new file mode 100644 index 00000000000..7dda9113651 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..71607b7242c --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-08-17T12:49:09.4942066Z", + "event": { + "action": "object-audit-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4817, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$", + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "NewSdSacl0": "Administrator :System Audit (Create All Child Objects,Delete All Child Objects,List Contents,All Validated,Read All Properties,Write All Properties,Delete Subtree,List Object,All Extended Rights,Delete,Read Permissions,Modify Permissions,Modify Owner)", + "NewSdSacl1": "S-1-5-21-2024912787-2692429404-2351956786-1000 :System Audit (Create All Child Objects,Delete All Child Objects,List Contents,All Validated,Read All Properties,Write All Properties,Delete Subtree,List Object,All Extended Rights,Delete,Read Permissions,Modify Permissions,Modify Owner)", + "ObjectName": "File", + "ObjectServer": "LSA", + "ObjectType": "Global SACL", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4817, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 776, + "thread": { + "id": 3052 + } + }, + "provider_guid": 
"{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 114278, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx new file mode 100644 index 00000000000..695eae2bb3b Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..0c21de310ab --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,51 @@ +[ + { + "@timestamp": "2020-08-19T06:07:08.801981Z", + "event": { + "action": "user-audit-policy-created", + "category": [ + "iam", + "configuration" + ], + "code": 4902, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "PuaCount": "0", + "PuaPolicyId": "0x9fd2" + }, + "event_id": 4902, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 832 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 140273, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx new file mode 100644 index 00000000000..0fde0144e53 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..cb92cffa1b2 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2020-08-19T07:56:52.019802Z", + "event": { + "action": "security-event-source-added", + "category": [ + "iam", + "configuration" + ], + "code": 4904, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", + "name": "inetinfo.exe", + "pid": 3608 + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x460422", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4904, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 146939, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx new file mode 100644 index 00000000000..7e43d61f913 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..7b5c2e7c0c7 --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,72 @@ +[ + { + "@timestamp": "2020-08-19T07:56:51.5792901Z", + "event": { + "action": "security-event-source-removed", + "category": [ + "iam", + "configuration" + ], + "code": 4905, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "deletion" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "-", + "name": "-", + "pid": 4964 + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditSourceName": "IIS-METABASE", + "EventSourceId": "0x457b22", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4905, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 824 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 146938, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx new file mode 100644 index 00000000000..43a47a29d32 Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..9711989c89e --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,50 @@ +[ + { + "@timestamp": "2020-08-18T09:19:00.2372249Z", + "event": { + "action": "crash-on-audit-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4906, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "CrashOnAuditFailValue": "1" + }, + "event_id": 4906, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 780, + "thread": { + "id": 804 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 123786, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx new file mode 100644 index 00000000000..6a9530c298e Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx differ 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..32dd648fc2a --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.evtx.golden.json 
@@ -0,0 +1,75 @@ +[ + { + "@timestamp": "2020-08-19T07:56:17.1121901Z", + "event": { + "action": "audit-setting-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4907, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", + "name": "TiWorker.exe", + "pid": 4300 + }, + "related": { + "user": "WIN-BVM4LI1L1Q6$" + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "HandleId": "0x93c", + "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "NewSdSacl0": "Everyone :System Audit (Delete All Child Objects,List Contents,Read All Properties,All Extended Rights,Delete,Modify Permissions,Modify Owner)", + "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1", + "ObjectServer": "Security", + "ObjectType": "File", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": 4907, + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 4, + "thread": { + "id": 408 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 146933, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx b/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx new file mode 100644 index 00000000000..e319bcf9a0b Binary files /dev/null and b/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx differ diff --git a/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json new file mode 100644 index 00000000000..fcbdbce1d3d --- /dev/null +++ b/x-pack/winlogbeat/module/security/test/testdata/4908_WindowsSrv2016.evtx.golden.json @@ -0,0 +1,58 @@ +[ + { + "@timestamp": "2020-08-19T06:07:25.0461779Z", + "event": { + "action": "special-group-table-changed", + "category": [ + "iam", + "configuration" + ], + "code": 4908, + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "level": "information" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "SidList": [ + "", + "%{S-1-5-32-544}", + "%{S-1-5-32-123-54-65}" + ], + "SidListDesc": [ + "Administrators", + "S-1-5-32-123-54-65" + ] + }, + "event_id": 4908, + "keywords": [ + "Audit Success" + ], + "opcode": "Info", + "process": { + "pid": 784, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 140274, + "task": "Audit Policy Change" + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json index 6519408002c..977ea0fe116 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.evtx.golden.json @@ -22,6 +22,7 @@ "level": "information" }, "related": { + "ip": "192.168.5.44", "user": "MPUIG" }, "source": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json index 649db8b0e23..f7944a0c686 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.evtx.golden.json @@ -22,6 +22,7 @@ "level": "information" }, "related": { + "ip": "10.100.150.9", "user": "at_adm" }, "source": { diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json index 12c23f0a09d..93f89a592a6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.evtx.golden.json @@ -22,6 +22,7 @@ "level": "information" }, "related": { + "ip": "10.100.150.17", "user": "at_adm" }, "source": { diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml index 636325f5571..a9cb100ce33 100644 --- a/x-pack/winlogbeat/winlogbeat.reference.yml +++ b/x-pack/winlogbeat/winlogbeat.reference.yml 
@@ -493,8 +493,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -626,8 +624,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -833,8 +829,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -995,8 +989,6 @@ output.elasticsearch:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1297,8 +1289,6 @@ setup.kibana:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative
@@ -1500,8 +1490,6 @@ logging.files:
 # * full, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate.
- # * certificate, which verifies that the provided certificate is signed by a
- # trusted authority (CA), but does not perform any hostname verification.
 # * strict, which verifies that the provided certificate is signed by a trusted
 # authority (CA) and also verifies that the server's hostname (or IP address)
 # matches the names identified within the certificate. If the Subject Alternative