diff --git a/.ci/jobs/beats-release-changelog.yml b/.ci/jobs/beats-release-changelog.yml new file mode 100644 index 00000000000..1cbd94c7168 --- /dev/null +++ b/.ci/jobs/beats-release-changelog.yml @@ -0,0 +1,20 @@ +--- +- job: + name: Beats/Release/beats-release-changelog + display-name: 'Prepare the Changelog for a Release' + description: 'Automate the steps to prepare the Changelog for a Release' + view: Beats + project-type: pipeline + pipeline-scm: + script-path: release_scripts/pipeline-release-changelog.groovy + scm: + - git: + url: git@github.com:elastic/ingest-dev.git + refspec: +refs/heads/*:refs/remotes/origin/* +refs/pull/*/head:refs/remotes/origin/pr/* + wipe-workspace: 'True' + name: origin + shallow-clone: true + credentials-id: f6c7695a-671e-4f4f-a331-acdce44ff9ba + reference-repo: /var/lib/jenkins/.git-references/ingest-dev.git + branches: + - master diff --git a/.ci/jobs/beats.yml b/.ci/jobs/beats.yml index 1e393bab6b9..b075d8bbdf2 100644 --- a/.ci/jobs/beats.yml +++ b/.ci/jobs/beats.yml @@ -53,6 +53,7 @@ recursive: true parent-credentials: true timeout: 100 + reference-repo: /var/lib/jenkins/.git-references/beats.git timeout: '15' use-author: true wipe-workspace: true diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc index b0b31734005..c4d0f48005f 100644 --- a/CHANGELOG.asciidoc +++ b/CHANGELOG.asciidoc @@ -3,6 +3,47 @@ :issue: https://github.com/elastic/beats/issues/ :pull: https://github.com/elastic/beats/pull/ +[[release-notes-7.9.2]] +=== Beats version 7.9.2 +https://github.com/elastic/beats/compare/v7.9.1...v7.9.2[View commits] + +==== Breaking changes + +*Affecting all Beats* + +- Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] + +==== Bugfixes + +*Affecting all Beats* + +- Explicitly detect missing variables in autodiscover configuration, log them at the debug level. {issue}20568[20568] {pull}20898[20898] +- Fix `libbeat.output.write.bytes` and `libbeat.output.read.bytes` metrics of the Elasticsearch output. {issue}20752[20752] {pull}21197[21197] + +*Filebeat* + +- Provide backwards compatibility for the `set` processor when Elasticsearch is less than 7.9.0. {pull}20908[20908] +- Fix an error updating file size being logged when EOF is reached. {pull}21048[21048] +- Fix error when processing AWS Cloudtrail Digest logs. {pull}21086[21086] {issue}20943[20943] + +*Metricbeat* + +- The Kibana collector applies backoff when errored at getting usage stats {pull}20772[20772] +- The `elasticsearch/index` metricset only requests wildcard expansion for hidden indices if the monitored Elasticsearch cluster supports it. {pull}20938[20938] +- Fix panic index out of range error when getting AWS account name. {pull}21101[21101] {issue}21095[21095] +- Handle missing counters in the application_pool metricset. {pull}21071[21071] + +*Functionbeat* + +- Do not need Google credentials if not required for the operation. {issue}17329[17329] {pull}21072[21072] +- Fix dependency issues of GCP functions. {issue}20830[20830] {pull}21070[21070] + +==== Added + +*Affecting all Beats* + +- Add container ECS fields in kubernetes metadata. {pull}20984[20984] + [[release-notes-7.9.1]] === Beats version 7.9.1 https://github.com/elastic/beats/compare/v7.9.0...v7.9.1[View commits] diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 76a7f1edeb6..a96a23db9d8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -23,6 +23,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Autodiscover doesn't generate any configuration when a variable is missing. Previously it generated an incomplete configuration. {pull}20898[20898] - Remove redundant `cloudfoundry.*.timestamp` fields. This value is set in `@timestamp`. {pull}21175[21175] - Allow embedding of CAs, Certificate of private keys for anything that support TLS in ouputs and inputs https://github.com/elastic/beats/pull/21179 +- Update to Golang 1.12.1. {pull}11330[11330] +- Disable Alibaba Cloud and Tencent Cloud metadata providers by default. {pull}13812[12812] *Auditbeat* @@ -74,6 +76,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix PANW field spelling "veredict" to "verdict" on event.action {pull}18808[18808] - Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706] - Add support for GMT timezone offsets in `decode_cef`. {pull}20993[20993] +- Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547] *Heartbeat* @@ -272,6 +275,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Handle multiple upstreams in ingress-controller. {pull}21215[21215] - Provide backwards compatibility for the `append` processor when Elasticsearch is less than 7.10.0. {pull}21159[21159] - Fix checkpoint module when logs contain time field. {pull}20567[20567] +- Add field limit check for AWS Cloudtrail flattened fields. {pull}21388[21388] {issue}21382[21382] *Heartbeat* @@ -356,6 +360,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix timestamp handling in remote_write. {pull}21166[21166] - Fix remote_write flaky test. {pull}21173[21173] - Visualization title fixes in aws, azure and googlecloud compute dashboards. {pull}21098[21098] +- Add a switch to the driver definition on SQL module to use pretty names {pull}17378[17378] *Packetbeat* @@ -597,6 +602,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add type and sub_type to panw panos fileset {pull}20912[20912] - Always attempt community_id processor on zeek module {pull}21155[21155] - Add related.hosts ecs field to all modules {pull}21160[21160] +- Keep cursor state between httpjson input restarts {pull}20751[20751] *Heartbeat* diff --git a/NOTICE.txt b/NOTICE.txt index 748fe0f5e98..527c1304379 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -10907,6 +10907,36 @@ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +-------------------------------------------------------------------------------- +Dependency : github.com/blakerouse/service +Version: v1.1.1-0.20200924160513-057808572ffa +Licence type (autodetected): Zlib +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/blakerouse/service@v1.1.1-0.20200924160513-057808572ffa/LICENSE: + +Copyright (c) 2015 Daniel Theophanes + +This software is provided 'as-is', without any express or implied +warranty. In no event will the authors be held liable for any damages +arising from the use of this software. + +Permission is granted to anyone to use this software for any purpose, +including commercial applications, and to alter it and redistribute it +freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + + 3. This notice may not be removed or altered from any source + distribution. + + -------------------------------------------------------------------------------- Dependency : github.com/lib/pq Version: v1.1.2-0.20190507191818-2ff3cb3adc01 @@ -11843,6 +11873,37 @@ Contents of probable licence file $GOMODCACHE/github.com/oklog/ulid@v1.3.1/LICEN limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/otiai10/copy +Version: v1.2.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/otiai10/copy@v1.2.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2018 otiai10 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/pierrre/gotestcover Version: v0.0.0-20160517101806-924dca7d15f0 @@ -34009,6 +34070,54 @@ Contents of probable licence file $GOMODCACHE/github.com/opencontainers/runtime- limitations under the License. +-------------------------------------------------------------------------------- +Dependency : github.com/otiai10/curr +Version: v1.0.0 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/otiai10/curr@v1.0.0/LICENSE: + +The MIT License (MIT) + +Copyright (c) 2020 Hiromu Ochiai + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + +-------------------------------------------------------------------------------- +Dependency : github.com/otiai10/mint +Version: v1.3.1 +Licence type (autodetected): MIT +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/otiai10/mint@v1.3.1/LICENSE: + +Copyright 2017 otiai10 (Hiromu OCHIAI) + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + -------------------------------------------------------------------------------- Dependency : github.com/oxtoacart/bpool Version: v0.0.0-20150712133111-4e1c5567d7c2 diff --git a/auditbeat/module/file_integrity/eventreader_test.go b/auditbeat/module/file_integrity/eventreader_test.go index 6d9b02f7867..a00367f350a 100644 --- a/auditbeat/module/file_integrity/eventreader_test.go +++ b/auditbeat/module/file_integrity/eventreader_test.go @@ -41,6 +41,7 @@ func init() { const ErrorSharingViolation syscall.Errno = 32 func TestEventReader(t *testing.T) { + t.Skip("Flaky test: about 1/10 of bulds fails https://github.com/elastic/beats/issues/21302") // Make dir to monitor. dir, err := ioutil.TempDir("", "audit") if err != nil { @@ -240,6 +241,7 @@ func TestEventReader(t *testing.T) { } func TestRaces(t *testing.T) { + t.Skip("Flaky test: about 1/20 of bulds fails https://github.com/elastic/beats/issues/21303") const ( fileMode os.FileMode = 0640 N = 100 diff --git a/deploy/kubernetes/metricbeat-kubernetes.yaml b/deploy/kubernetes/metricbeat-kubernetes.yaml index 4bc1976e40e..32d1010f4d0 100644 --- a/deploy/kubernetes/metricbeat-kubernetes.yaml +++ b/deploy/kubernetes/metricbeat-kubernetes.yaml @@ -36,8 +36,6 @@ data: - state_cronjob - state_resourcequota - state_statefulset - # Uncomment this to get k8s events: - #- event - module: kubernetes metricsets: - apiserver @@ -46,6 +44,10 @@ data: ssl.certificate_authorities: - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt period: 30s + # Uncomment this to get k8s events: + #- module: kubernetes + # metricsets: + # - event # To enable hints based autodiscover uncomment this: #- type: kubernetes # node: ${NODE_NAME} diff --git a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml index 98fffb86ad0..b95bf478765 100644 --- a/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml +++ b/deploy/kubernetes/metricbeat/metricbeat-daemonset-configmap.yaml @@ -36,8 +36,6 @@ data: - state_cronjob - state_resourcequota - state_statefulset - # Uncomment this to get k8s events: - #- event - module: kubernetes metricsets: - apiserver @@ -46,6 +44,10 @@ data: ssl.certificate_authorities: - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt period: 30s + # Uncomment this to get k8s events: + #- module: kubernetes + # metricsets: + # - event # To enable hints based autodiscover uncomment this: #- type: kubernetes # node: ${NODE_NAME} diff --git a/dev-tools/dependencies-report b/dev-tools/dependencies-report index a824d0f4bf9..a2662a4ab9a 100755 --- a/dev-tools/dependencies-report +++ b/dev-tools/dependencies-report @@ -41,3 +41,14 @@ go list -m -json all $@ | go run go.elastic.co/go-licence-detector \ -noticeTemplate "$SRCPATH/notice/dependencies.csv.tmpl" \ -noticeOut "$outfile" \ -depsOut "" + + +# Fill-in required values for UBI images +# Check headers in $SRCPATH/notice/dependencies.csv.tmpl: +# name,url,version,revision,license +ubi8url='https://catalog.redhat.com/software/containers/ubi8/ubi-minimal/5c359a62bed8bd75a2c3fba8' +ubi8source='https://oss-dependencies.elastic.co/redhat/ubi/ubi-minimal-8-source.tar.gz' +ubilicense='Custom;https://www.redhat.com/licenses/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf,https://oss-dependencies.elastic.co/redhat/ubi/ubi-minimal-8-source.tar.gz' +cat <> $outfile +Red Hat Universal Base Image,$ubi8url,8,,$ubilicense,$ubi8source +EOF diff --git a/dev-tools/notice/dependencies.csv.tmpl b/dev-tools/notice/dependencies.csv.tmpl index 6ab2a970199..088314378f6 100644 --- a/dev-tools/notice/dependencies.csv.tmpl +++ b/dev-tools/notice/dependencies.csv.tmpl @@ -1,7 +1,7 @@ {{- define "depInfo" -}} {{- range $i, $dep := . }} -{{ $dep.Name }},{{ $dep.URL }},{{ $dep.Version | canonicalVersion }},{{ $dep.Version | revision }},{{ $dep.LicenceType }} +{{ $dep.Name }},{{ $dep.URL }},{{ $dep.Version | canonicalVersion }},{{ $dep.Version | revision }},{{ $dep.LicenceType }},{{ $dep.URL }} {{- end -}} {{- end -}} -name,url,version,revision,license{{ template "depInfo" .Direct }}{{ template "depInfo" .Indirect }} +name,url,version,revision,license,sourceURL{{ template "depInfo" .Direct }}{{ template "depInfo" .Indirect }} diff --git a/dev-tools/notice/rules.json b/dev-tools/notice/rules.json index 73ce763cdae..c9638a9c6cf 100644 --- a/dev-tools/notice/rules.json +++ b/dev-tools/notice/rules.json @@ -9,7 +9,8 @@ "ISC", "MIT", "MPL-2.0", - "Public Domain" + "Public Domain", + "Zlib" ], "maybelist": [ "EPL-1.0", diff --git a/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl b/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl index 744abc05702..835b5955324 100644 --- a/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl +++ b/dev-tools/packaging/templates/linux/elastic-agent.sh.tmpl @@ -6,6 +6,5 @@ exec /usr/share/{{.BeatName}}/bin/{{.BeatName}} \ --path.home /var/lib/{{.BeatName}} \ --path.config /etc/{{.BeatName}} \ - --path.data /var/lib/{{.BeatName}}/data \ --path.logs /var/log/{{.BeatName}} \ "$@" diff --git a/filebeat/input/filestream/input.go b/filebeat/input/filestream/input.go new file mode 100644 index 00000000000..487a5f01c2a --- /dev/null +++ b/filebeat/input/filestream/input.go @@ -0,0 +1,68 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/feature" + "github.com/elastic/beats/v7/libbeat/logp" +) + +// filestream is the input for reading from files which +// are actively written by other applications. +type filestream struct{} + +const pluginName = "filestream" + +// Plugin creates a new filestream input plugin for creating a stateful input. +func Plugin(log *logp.Logger, store loginp.StateStore) input.Plugin { + return input.Plugin{ + Name: pluginName, + Stability: feature.Experimental, + Deprecated: false, + Info: "filestream input", + Doc: "The filestream input collects logs from the local filestream service", + Manager: &loginp.InputManager{ + Logger: log, + StateStore: store, + Type: pluginName, + Configure: configure, + }, + } +} + +func configure(cfg *common.Config) (loginp.Prospector, loginp.Harvester, error) { + panic("TODO: implement me") +} + +func (inp *filestream) Name() string { return pluginName } + +func (inp *filestream) Test(src loginp.Source, ctx input.TestContext) error { + panic("TODO: implement me") +} + +func (inp *filestream) Run( + ctx input.Context, + src loginp.Source, + cursor loginp.Cursor, + publisher loginp.Publisher, +) error { + panic("TODO: implement me") +} diff --git a/filebeat/input/filestream/internal/input-logfile/clean.go b/filebeat/input/filestream/internal/input-logfile/clean.go new file mode 100644 index 00000000000..d738dabbc55 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/clean.go @@ -0,0 +1,124 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "time" + + "github.com/elastic/go-concert/timed" + "github.com/elastic/go-concert/unison" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +// cleaner removes finished entries from the registry file. +type cleaner struct { + log *logp.Logger +} + +// run starts a loop that tries to clean entries from the registry. +// The cleaner locks the store, such that no new states can be created +// during the cleanup phase. Only resources that are finished and whos TTL +// (clean_timeout setting) has expired will be removed. +// +// Resources are considered "Finished" if they do not have a current owner (active input), and +// if they have no pending updates that still need to be written to the registry file after associated +// events have been ACKed by the outputs. +// The event acquisition timestamp is used as reference to clean resources. If a resources was blocked +// for a long time, and the life time has been exhausted, then the resource will be removed immediately +// once the last event has been ACKed. +func (c *cleaner) run(canceler unison.Canceler, store *store, interval time.Duration) { + started := time.Now() + timed.Periodic(canceler, interval, func() error { + gcStore(c.log, started, store) + return nil + }) +} + +// gcStore looks for resources to remove and deletes these. `gcStore` receives +// the start timestamp of the cleaner as reference. If we have entries without +// updates in the registry, that are older than `started`, we will use `started +// + ttl` to decide if an entry will be removed. This way old entries are not +// removed immediately on startup if the Beat is down for a longer period of +// time. +func gcStore(log *logp.Logger, started time.Time, store *store) { + log.Debugf("Start store cleanup") + defer log.Debugf("Done store cleanup") + + states := store.ephemeralStore + states.mu.Lock() + defer states.mu.Unlock() + + keys := gcFind(states.table, started, time.Now()) + if len(keys) == 0 { + log.Debug("No entries to remove were found") + return + } + + if err := gcClean(store, keys); err != nil { + log.Errorf("Failed to remove all entries from the registry: %+v", err) + } +} + +// gcFind searches the store of resources that can be removed. A set of keys to delete is returned. +func gcFind(table map[string]*resource, started, now time.Time) map[string]struct{} { + keys := map[string]struct{}{} + for key, resource := range table { + clean := checkCleanResource(started, now, resource) + if !clean { + // do not clean the resource if it is still live or not serialized to the persistent store yet. + continue + } + keys[key] = struct{}{} + } + + return keys +} + +// gcClean removes key value pairs in the removeSet from the store. +// If deletion in the persistent store fails the entry is kept in memory and +// eventually cleaned up later. +func gcClean(store *store, removeSet map[string]struct{}) error { + for key := range removeSet { + if err := store.persistentStore.Remove(key); err != nil { + return err + } + delete(store.ephemeralStore.table, key) + } + return nil +} + +// checkCleanResource returns true for a key-value pair is assumed to be old, +// if is not in use and there are no more pending updates that still need to be +// written to the persistent store anymore. +func checkCleanResource(started, now time.Time, resource *resource) bool { + if !resource.Finished() { + return false + } + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + ttl := resource.internalState.TTL + reference := resource.internalState.Updated + if started.After(reference) { + reference = started + } + + return reference.Add(ttl).Before(now) && resource.stored +} diff --git a/filebeat/input/filestream/internal/input-logfile/clean_test.go b/filebeat/input/filestream/internal/input-logfile/clean_test.go new file mode 100644 index 00000000000..83e5bff412f --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/clean_test.go @@ -0,0 +1,162 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "testing" + "time" + + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" +) + +func TestGCStore(t *testing.T) { + t.Run("empty store", func(t *testing.T) { + started := time.Now() + + backend := createSampleStore(t, nil) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("state is still alive", func(t *testing.T) { + started := time.Now() + const ttl = 60 * time.Second + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl / 2), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + checkEqualStoreState(t, initState, backend.snapshot()) + }) + + t.Run("old state can be removed", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("old state is not removed if cleanup is not active long enough", func(t *testing.T) { + const ttl = 60 * time.Minute + started := time.Now() + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-2 * ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + gcStore(logp.NewLogger("test"), started, store) + + checkEqualStoreState(t, initState, backend.snapshot()) + }) + + t.Run("old state but resource is accessed", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // access resource and check it is not gc'ed + res := store.Get("test::key") + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, initState, backend.snapshot()) + + // release resource and check it gets gc'ed + res.Release() + want := map[string]state{} + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, want, backend.snapshot()) + }) + + t.Run("old state but resource has pending updates", func(t *testing.T) { + const ttl = 60 * time.Second + started := time.Now().Add(-5 * ttl) // cleanup process is running for a while already + + initState := map[string]state{ + "test::key": { + TTL: ttl, + Updated: started.Add(-ttl), + }, + } + + backend := createSampleStore(t, initState) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // create pending update operation + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + res.Release() + + // cleanup fails + gcStore(logp.NewLogger("test"), started, store) + checkEqualStoreState(t, initState, backend.snapshot()) + + // cancel operation (no more pending operations) and try to gc again + op.done(1) + gcStore(logp.NewLogger("test"), started, store) + want := map[string]state{} + checkEqualStoreState(t, want, backend.snapshot()) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/cursor.go b/filebeat/input/filestream/internal/input-logfile/cursor.go new file mode 100644 index 00000000000..37de24fe56c --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/cursor.go @@ -0,0 +1,43 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +// Cursor allows the input to check if cursor status has been stored +// in the past and unpack the status into a custom structure. +type Cursor struct { + store *store + resource *resource +} + +func makeCursor(store *store, res *resource) Cursor { + return Cursor{store: store, resource: res} +} + +// IsNew returns true if no cursor information has been stored +// for the current Source. +func (c Cursor) IsNew() bool { return c.resource.IsNew() } + +// Unpack deserialized the cursor state into to. Unpack fails if no pointer is +// given, or if the structure to points to is not compatible with the document +// stored. +func (c Cursor) Unpack(to interface{}) error { + if c.IsNew() { + return nil + } + return c.resource.UnpackCursor(to) +} diff --git a/filebeat/input/filestream/internal/input-logfile/cursor_test.go b/filebeat/input/filestream/internal/input-logfile/cursor_test.go new file mode 100644 index 00000000000..db2ff0c3a30 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/cursor_test.go @@ -0,0 +1,124 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestCursor_IsNew(t *testing.T) { + t.Run("true if key is not in store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.True(t, cursor.IsNew()) + }) + + t.Run("true if key is in store but without cursor value", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: nil}, + })) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.True(t, cursor.IsNew()) + }) + + t.Run("false if key with cursor value is in persistent store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + cursor := makeCursor(store, store.Get("test::key")) + require.False(t, cursor.IsNew()) + }) + + t.Run("false if key with cursor value is in memory store only", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: nil}, + })) + defer store.Release() + + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + cursor := makeCursor(store, res) + require.False(t, cursor.IsNew()) + }) +} + +func TestCursor_Unpack(t *testing.T) { + t.Run("nothing to unpack if key is new", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "", st) + }) + + t.Run("unpack fails if types are not compatible", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + var st struct{ A uint } + cursor := makeCursor(store, store.Get("test::key")) + require.Error(t, cursor.Unpack(&st)) + }) + + t.Run("unpack from state in persistent store", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "test", st) + }) + + t.Run("unpack from in memory state if updates are pending", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": {Cursor: "test"}, + })) + defer store.Release() + + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + var st string + cursor := makeCursor(store, store.Get("test::key")) + + require.NoError(t, cursor.Unpack(&st)) + require.Equal(t, "test-state-update", st) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/doc.go b/filebeat/input/filestream/internal/input-logfile/doc.go new file mode 100644 index 00000000000..cf318d4bfed --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/doc.go @@ -0,0 +1,58 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Package cursor provides an InputManager for use with the v2 API, that is +// capable of storing an internal cursor state between restarts. +// +// The InputManager requires authors to Implement a configuration function and +// the cursor.Input interface. The configuration function returns a slice of +// sources ([]Source) that it has read from the configuration object, and the +// actual Input that will be used to collect events from each configured +// source. +// When Run a go-routine will be started per configured source. If two inputs have +// configured the same source, only one will be active, while the other waits +// for the resource to become free. +// The manager keeps track of the state per source. When publishing an event a +// new cursor value can be passed as well. Future instance of the input can +// read the last published cursor state. +// +// For each source an in-memory and a persitent state are tracked. Internal +// meta updates by the input manager can not be read by Inputs, and will be +// written to the persistent store immediately. Cursor state updates are read +// and update by the input. Cursor updates are written to the persistent store +// only after the events have been ACKed by the output. Internally the input +// manager keeps track of already ACKed updates and pending ACKs. +// In order to guarantee progress even if the pbulishing is slow or blocked, all cursor +// updates are written to the in-memory state immediately. Source without any +// pending updates are in-sync (in-memory state == persistet state). All +// updates are ordered, but we allow the in-memory state to be ahead of the +// persistent state. +// When an input is started, the cursor state is read from the in-memory state. +// This way a new input instance can continue where other inputs have been +// stopped, even if we still have in-flight events from older input instances. +// The coordination between inputs guarantees that all updates are always in +// order. +// +// When a shutdown signal is received, the publisher is directly disconnected +// from the outputs. As all coordination is directly handled by the +// InputManager, shutdown will be immediate (once the input itself has +// returned), and can not be blocked by the outputs. +// +// An input that is about to collect a source that is already collected by +// another input will wait until the other input has returned or the current +// input did receive a shutdown signal. +package input_logfile diff --git a/filebeat/input/filestream/internal/input-logfile/fswatch.go b/filebeat/input/filestream/internal/input-logfile/fswatch.go new file mode 100644 index 00000000000..685b54253a4 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/fswatch.go @@ -0,0 +1,65 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "os" + + "github.com/elastic/go-concert/unison" +) + +const ( + OpDone Operation = iota + OpCreate + OpWrite + OpDelete + OpRename +) + +// Operation describes what happened to a file. +type Operation uint8 + +// FSEvent returns inforamation about file system changes. +type FSEvent struct { + // NewPath is the new path of the file. + NewPath string + // OldPath is the previous path to the file, is it was + // deleted or renamed. + OldPath string + // Op is the file system event: create, write, rename, remove + Op Operation + // Info describes the file in the event. + Info os.FileInfo +} + +// FSScanner retrieves a list of files from the file system. +type FSScanner interface { + // GetFiles returns the list of monitored files. + // The keys of the map are the paths to the files and + // the values are the FileInfos describing the file. + GetFiles() map[string]os.FileInfo +} + +// FSWatcher returns file events of the monitored files. +type FSWatcher interface { + // Run is the event loop which watchers for changes + // in the file system and returns events based on the data. + Run(unison.Canceler) + // Event returns the next event captured by FSWatcher. + Event() FSEvent +} diff --git a/filebeat/input/filestream/internal/input-logfile/harvester.go b/filebeat/input/filestream/internal/input-logfile/harvester.go new file mode 100644 index 00000000000..d2f184cac7b --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/harvester.go @@ -0,0 +1,125 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "fmt" + "runtime/debug" + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/unison" +) + +// Harvester is the reader which collects the lines from +// the configured source. +type Harvester interface { + // Name returns the type of the Harvester + Name() string + // Test checks if the Harvester can be started with the given configuration. + Test(Source, input.TestContext) error + // Run is the event loop which reads from the source + // and forwards it to the publisher. + Run(input.Context, Source, Cursor, Publisher) error +} + +// HarvesterGroup is responsible for running the +// Harvesters started by the Prospector. +type HarvesterGroup struct { + manager *InputManager + readers map[string]context.CancelFunc + pipeline beat.PipelineConnector + harvester Harvester + cleanTimeout time.Duration + store *store + tg unison.TaskGroup +} + +// Run starts the Harvester for a Source. +func (hg *HarvesterGroup) Run(ctx input.Context, s Source) error { + log := ctx.Logger.With("source", s.Name()) + log.Debug("Starting harvester for file") + + harvesterCtx, cancelHarvester := context.WithCancel(ctxtool.FromCanceller(ctx.Cancelation)) + ctx.Cancelation = harvesterCtx + + resource, err := hg.manager.lock(ctx, s.Name()) + if err != nil { + cancelHarvester() + return err + } + + if _, ok := hg.readers[s.Name()]; ok { + cancelHarvester() + log.Debug("A harvester is already running for file") + return nil + } + hg.readers[s.Name()] = cancelHarvester + + hg.store.UpdateTTL(resource, hg.cleanTimeout) + + client, err := hg.pipeline.ConnectWith(beat.ClientConfig{ + CloseRef: ctx.Cancelation, + ACKHandler: newInputACKHandler(ctx.Logger), + }) + if err != nil { + cancelHarvester() + return err + } + + cursor := makeCursor(hg.store, resource) + publisher := &cursorPublisher{canceler: ctx.Cancelation, client: client, cursor: &cursor} + + go func(cancel context.CancelFunc) { + defer client.Close() + defer log.Debug("Stopped harvester for file") + defer cancel() + defer releaseResource(resource) + defer delete(hg.readers, s.Name()) + + defer func() { + if v := recover(); v != nil { + err := fmt.Errorf("harvester panic with: %+v\n%s", v, debug.Stack()) + ctx.Logger.Errorf("Harvester crashed with: %+v", err) + } + }() + + err := hg.harvester.Run(ctx, s, cursor, publisher) + if err != nil { + log.Errorf("Harvester stopped: %v", err) + } + }(cancelHarvester) + return nil +} + +// Cancel stops the running Harvester for a given Source. +func (hg *HarvesterGroup) Cancel(s Source) error { + if cancel, ok := hg.readers[s.Name()]; ok { + cancel() + return nil + } + return fmt.Errorf("no such harvester %s", s.Name()) +} + +func releaseResource(resource *resource) { + resource.lock.Unlock() + resource.Release() +} diff --git a/filebeat/input/filestream/internal/input-logfile/input.go b/filebeat/input/filestream/internal/input-logfile/input.go new file mode 100644 index 00000000000..7084315b0c1 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/input.go @@ -0,0 +1,106 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common/acker" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/go-concert/ctxtool" + "github.com/elastic/go-concert/unison" +) + +type managedInput struct { + manager *InputManager + prospector Prospector + harvester Harvester + cleanTimeout time.Duration +} + +// Name is required to implement the v2.Input interface +func (inp *managedInput) Name() string { return inp.harvester.Name() } + +// Test runs the Test method for each configured source. +func (inp *managedInput) Test(ctx input.TestContext) error { + return inp.prospector.Test() +} + +// Run +func (inp *managedInput) Run( + ctx input.Context, + pipeline beat.PipelineConnector, +) (err error) { + // Setup cancellation using a custom cancel context. All workers will be + // stopped if one failed badly by returning an error. + cancelCtx, cancel := context.WithCancel(ctxtool.FromCanceller(ctx.Cancelation)) + defer cancel() + ctx.Cancelation = cancelCtx + + store := inp.manager.store + store.Retain() + defer store.Release() + + hg := &HarvesterGroup{ + pipeline: pipeline, + readers: make(map[string]context.CancelFunc), + manager: inp.manager, + cleanTimeout: inp.cleanTimeout, + harvester: inp.harvester, + store: store, + tg: unison.TaskGroup{}, + } + + stateStore, err := inp.manager.StateStore.Access() + if err != nil { + return err + } + defer stateStore.Close() + + inp.prospector.Run(ctx, stateStore, hg) + + return nil +} + +func newInputACKHandler(log *logp.Logger) beat.ACKer { + return acker.EventPrivateReporter(func(acked int, private []interface{}) { + var n uint + var last int + for i := 0; i < len(private); i++ { + current := private[i] + if current == nil { + continue + } + + if _, ok := current.(*updateOp); !ok { + continue + } + + n++ + last = i + } + + if n == 0 { + return + } + private[last].(*updateOp).Execute(n) + }) +} diff --git a/filebeat/input/filestream/internal/input-logfile/manager.go b/filebeat/input/filestream/internal/input-logfile/manager.go new file mode 100644 index 00000000000..db3c600d2bc --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/manager.go @@ -0,0 +1,199 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "errors" + "sync" + "time" + + "github.com/urso/sderr" + + "github.com/elastic/go-concert/unison" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// InputManager is used to create, manage, and coordinate stateful inputs and +// their persistent state. +// The InputManager ensures that only one input can be active for a unique source. +// If two inputs have overlapping sources, both can still collect data, but +// only one input will collect from the common source. +// +// The InputManager automatically cleans up old entries without an active +// input, and without any pending update operations for the persistent store. +// +// The Type field is used to create the key name in the persistent store. Users +// are allowed to add a custome per input configuration ID using the `id` +// setting, to collect the same source multiple times, but with different +// state. The key name in the persistent store becomes -[]- +type InputManager struct { + Logger *logp.Logger + + // StateStore gives the InputManager access to the persitent key value store. + StateStore StateStore + + // Type must contain the name of the input type. It is used to create the key name + // for all sources the inputs collect from. + Type string + + // DefaultCleanTimeout configures the key/value garbage collection interval. + // The InputManager will only collect keys for the configured 'Type' + DefaultCleanTimeout time.Duration + + // Configure returns an array of Sources, and a configured Input instances + // that will be used to collect events from each source. + Configure func(cfg *common.Config) (Prospector, Harvester, error) + + initOnce sync.Once + initErr error + store *store +} + +// Source describe a source the input can collect data from. +// The `Name` method must return an unique name, that will be used to identify +// the source in the persistent state store. +type Source interface { + Name() string +} + +var errNoSourceConfigured = errors.New("no source has been configured") +var errNoInputRunner = errors.New("no input runner available") + +// StateStore interface and configurations used to give the Manager access to the persistent store. +type StateStore interface { + Access() (*statestore.Store, error) + CleanupInterval() time.Duration +} + +func (cim *InputManager) init() error { + cim.initOnce.Do(func() { + if cim.DefaultCleanTimeout <= 0 { + cim.DefaultCleanTimeout = 30 * time.Minute + } + + log := cim.Logger.With("input_type", cim.Type) + var store *store + store, cim.initErr = openStore(log, cim.StateStore, cim.Type) + if cim.initErr != nil { + return + } + + cim.store = store + }) + + return cim.initErr +} + +// Init starts background processes for deleting old entries from the +// persistent store if mode is ModeRun. +func (cim *InputManager) Init(group unison.Group, mode v2.Mode) error { + if mode != v2.ModeRun { + return nil + } + + if err := cim.init(); err != nil { + return err + } + + log := cim.Logger.With("input_type", cim.Type) + + store := cim.store + cleaner := &cleaner{log: log} + store.Retain() + err := group.Go(func(canceler unison.Canceler) error { + defer cim.shutdown() + defer store.Release() + interval := cim.StateStore.CleanupInterval() + if interval <= 0 { + interval = 5 * time.Minute + } + cleaner.run(canceler, store, interval) + return nil + }) + if err != nil { + store.Release() + cim.shutdown() + return sderr.Wrap(err, "Can not start registry cleanup process") + } + + return nil +} + +func (cim *InputManager) shutdown() { + cim.store.Release() +} + +// Create builds a new v2.Input using the provided Configure function. +// The Input will run a go-routine per source that has been configured. +func (cim *InputManager) Create(config *common.Config) (input.Input, error) { + if err := cim.init(); err != nil { + return nil, err + } + + settings := struct { + ID string `config:"id"` + CleanTimeout time.Duration `config:"clean_timeout"` + }{ID: "", CleanTimeout: cim.DefaultCleanTimeout} + if err := config.Unpack(&settings); err != nil { + return nil, err + } + + prospector, harvester, err := cim.Configure(config) + if err != nil { + return nil, err + } + if harvester == nil { + return nil, errNoInputRunner + } + + return &managedInput{ + manager: cim, + prospector: prospector, + harvester: harvester, + cleanTimeout: settings.CleanTimeout, + }, nil +} + +// Lock locks a key for exclusive access and returns an resource that can be used to modify +// the cursor state and unlock the key. +func (cim *InputManager) lock(ctx input.Context, key string) (*resource, error) { + resource := cim.store.Get(key) + err := lockResource(ctx.Logger, resource, ctx.Cancelation) + if err != nil { + resource.Release() + return nil, err + } + return resource, nil +} + +func lockResource(log *logp.Logger, resource *resource, canceler input.Canceler) error { + if !resource.lock.TryLock() { + log.Infof("Resource '%v' currently in use, waiting...", resource.key) + err := resource.lock.LockContext(canceler) + if err != nil { + log.Infof("Input for resource '%v' has been stopped while waiting", resource.key) + return err + } + } + return nil +} diff --git a/filebeat/input/filestream/internal/input-logfile/prospector.go b/filebeat/input/filestream/internal/input-logfile/prospector.go new file mode 100644 index 00000000000..9488596eb2c --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/prospector.go @@ -0,0 +1,35 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// Prospector is responsible for starting, stopping harvesters +// based on the retrieved information about the configured paths. +// It also updates the statestore with the meta data of the running harvesters. +type Prospector interface { + // Run starts the event loop and handles the incoming events + // either by starting/stopping a harvester, or updating the statestore. + Run(input.Context, *statestore.Store, *HarvesterGroup) + // Test checks if the Prospector is able to run the configuration + // specified by the user. + Test() error +} diff --git a/filebeat/input/filestream/internal/input-logfile/publish.go b/filebeat/input/filestream/internal/input-logfile/publish.go new file mode 100644 index 00000000000..547a82c479f --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/publish.go @@ -0,0 +1,153 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "time" + + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common/transform/typeconv" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// Publisher is used to publish an event and update the cursor in a single call to Publish. +// Inputs are allowed to pass `nil` as cursor state. In this case the state is not updated, but the +// event will still be published as is. +type Publisher interface { + Publish(event beat.Event, cursor interface{}) error +} + +// cursorPublisher implements the Publisher interface and used internally by the managedInput. +// When publishing an event with cursor state updates, the cursorPublisher +// updates the in memory state and create an updateOp that is used to schedule +// an update for the persistent store. The updateOp is run by the inputs ACK +// handler, persisting the pending update. +type cursorPublisher struct { + canceler input.Canceler + client beat.Client + cursor *Cursor +} + +// updateOp keeps track of pending updates that are not written to the persistent store yet. +// Update operations are ordered. The input manager guarantees that only one +// input can create update operation for a source, such that new input +// instances can add update operations to be executed after already pending +// update operations from older inputs instances that have been shutdown. +type updateOp struct { + store *store + resource *resource + + // state updates to persist + timestamp time.Time + ttl time.Duration + delta interface{} +} + +// Publish publishes an event. Publish returns false if the inputs cancellation context has been marked as done. +// If cursorUpdate is not nil, Publish updates the in memory state and create and updateOp for the pending update. +// It overwrite event.Private with the update operation, before finally sending the event. +// The ACK ordering in the publisher pipeline guarantees that update operations +// will be ACKed and executed in the correct order. +func (c *cursorPublisher) Publish(event beat.Event, cursorUpdate interface{}) error { + if cursorUpdate == nil { + return c.forward(event) + } + + op, err := createUpdateOp(c.cursor.store, c.cursor.resource, cursorUpdate) + if err != nil { + return err + } + + event.Private = op + return c.forward(event) +} + +func (c *cursorPublisher) forward(event beat.Event) error { + c.client.Publish(event) + if c.canceler == nil { + return nil + } + return c.canceler.Err() +} + +func createUpdateOp(store *store, resource *resource, updates interface{}) (*updateOp, error) { + ts := time.Now() + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + cursor := resource.pendingCursor + if resource.activeCursorOperations == 0 { + var tmp interface{} + typeconv.Convert(&tmp, cursor) + resource.pendingCursor = tmp + cursor = tmp + } + if err := typeconv.Convert(&cursor, updates); err != nil { + return nil, err + } + resource.pendingCursor = cursor + + resource.Retain() + resource.activeCursorOperations++ + return &updateOp{ + resource: resource, + store: store, + timestamp: ts, + delta: updates, + }, nil +} + +// done releases resources held by the last N updateOps. +func (op *updateOp) done(n uint) { + op.resource.UpdatesReleaseN(n) + op.resource = nil + *op = updateOp{} +} + +// Execute updates the persistent store with the scheduled changes and releases the resource. +func (op *updateOp) Execute(n uint) { + resource := op.resource + defer op.done(n) + + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + + resource.activeCursorOperations -= n + if resource.activeCursorOperations == 0 { + resource.cursor = resource.pendingCursor + resource.pendingCursor = nil + } else { + typeconv.Convert(&resource.cursor, op.delta) + } + + if resource.internalState.Updated.Before(op.timestamp) { + resource.internalState.Updated = op.timestamp + } + + err := op.store.persistentStore.Set(resource.key, resource.inSyncStateSnapshot()) + if err != nil { + if !statestore.IsClosed(err) { + op.store.log.Errorf("Failed to update state in the registry for '%v'", resource.key) + } + } else { + resource.internalInSync = true + resource.stored = true + } +} diff --git a/filebeat/input/filestream/internal/input-logfile/publish_test.go b/filebeat/input/filestream/internal/input-logfile/publish_test.go new file mode 100644 index 00000000000..ede25670a95 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/publish_test.go @@ -0,0 +1,158 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/beat" + pubtest "github.com/elastic/beats/v7/libbeat/publisher/testing" +) + +func TestPublish(t *testing.T) { + t.Run("event with cursor state creates update operation", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + var actual beat.Event + client := &pubtest.FakeClient{ + PublishFunc: func(event beat.Event) { actual = event }, + } + publisher := cursorPublisher{nil, client, &cursor} + publisher.Publish(beat.Event{}, "test") + + require.NotNil(t, actual.Private) + }) + + t.Run("event without cursor creates no update operation", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + var actual beat.Event + client := &pubtest.FakeClient{ + PublishFunc: func(event beat.Event) { actual = event }, + } + publisher := cursorPublisher{nil, client, &cursor} + publisher.Publish(beat.Event{}, nil) + require.Nil(t, actual.Private) + }) + + t.Run("publish returns error if context has been cancelled", func(t *testing.T) { + ctx, cancel := context.WithCancel(context.TODO()) + cancel() + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + cursor := makeCursor(store, store.Get("test::key")) + + publisher := cursorPublisher{ctx, &pubtest.FakeClient{}, &cursor} + err := publisher.Publish(beat.Event{}, nil) + require.Equal(t, context.Canceled, err) + }) +} + +func TestOp_Execute(t *testing.T) { + t.Run("applying final op marks the key as finished", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create op and release resource. The 'resource' must still be active + op := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state") + res.Release() + require.False(t, res.Finished()) + + // this was the last op, the resource should become inactive + op.Execute(1) + require.True(t, res.Finished()) + + // validate state: + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + want := "test-updated-cursor-state" + assert.Equal(t, want, inSyncCursor) + assert.Equal(t, want, inMemCursor) + }) + + t.Run("acking multiple ops applies the latest update and marks key as finished", func(t *testing.T) { + // when acking N events, intermediate updates are dropped in favor of the latest update operation. + // This test checks that the resource is correctly marked as finished. + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create update operations and release resource. The 'resource' must still be active + mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-dropped") + op := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-final") + res.Release() + require.False(t, res.Finished()) + + // this was the last op, the resource should become inactive + op.Execute(2) + require.True(t, res.Finished()) + + // validate state: + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + want := "test-updated-cursor-state-final" + assert.Equal(t, want, inSyncCursor) + assert.Equal(t, want, inMemCursor) + }) + + t.Run("ACK only subset of pending ops will only update up to ACKed state", func(t *testing.T) { + // when acking N events, intermediate updates are dropped in favor of the latest update operation. + // This test checks that the resource is correctly marked as finished. + + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + res := store.Get("test::key") + + // create update operations and release resource. The 'resource' must still be active + op1 := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-intermediate") + op2 := mustCreateUpdateOp(t, store, res, "test-updated-cursor-state-final") + res.Release() + require.False(t, res.Finished()) + + defer op2.done(1) // cleanup after test + + // this was the intermediate op, the resource should still be active + op1.Execute(1) + require.False(t, res.Finished()) + + // validate state (in memory state is always up to data to most recent update): + inSyncCursor := storeInSyncSnapshot(store)["test::key"].Cursor + inMemCursor := storeMemorySnapshot(store)["test::key"].Cursor + assert.Equal(t, "test-updated-cursor-state-intermediate", inSyncCursor) + assert.Equal(t, "test-updated-cursor-state-final", inMemCursor) + }) +} + +func mustCreateUpdateOp(t *testing.T, store *store, resource *resource, updates interface{}) *updateOp { + op, err := createUpdateOp(store, resource, updates) + if err != nil { + t.Fatalf("Failed to create update op: %v", err) + } + return op +} diff --git a/filebeat/input/filestream/internal/input-logfile/store.go b/filebeat/input/filestream/internal/input-logfile/store.go new file mode 100644 index 00000000000..8267565f551 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/store.go @@ -0,0 +1,324 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "strings" + "sync" + "time" + + "github.com/elastic/beats/v7/libbeat/common/atomic" + "github.com/elastic/beats/v7/libbeat/common/cleanup" + "github.com/elastic/beats/v7/libbeat/common/transform/typeconv" + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/go-concert" + "github.com/elastic/go-concert/unison" +) + +// store encapsulates the persistent store and the in memory state store, that +// can be ahead of the the persistent store. +// The store lifetime is managed by a reference counter. Once all owners (the +// session, and the resource cleaner) have dropped ownership, backing resources +// will be released and closed. +type store struct { + log *logp.Logger + refCount concert.RefCount + persistentStore *statestore.Store + ephemeralStore *states +} + +// states stores resource states in memory. When a cursor for an input is updated, +// it's state is updated first. The entry in the persistent store 'follows' the internal state. +// As long as a resources stored in states is not 'Finished', the in memory +// store is assumed to be ahead (in memory and persistent state are out of +// sync). +type states struct { + mu sync.Mutex + table map[string]*resource +} + +// resource holds the in memory state and keeps track of pending updates and inputs collecting +// event for the resource its key. +// A resource is assumed active for as long as at least one input has (or tries +// to) acuired the lock, and as long as there are pending updateOp instances in +// the pipeline not ACKed yet. The key can not gc'ed by the cleaner, as long as the resource is active. +// +// State chagnes and writes to the persistent store are protected using the +// stateMutex, to ensure full consistency between direct writes and updates +// after ACK. +type resource struct { + // pending counts the number of Inputs and outstanding registry updates. + // as long as pending is > 0 the resource is in used and must not be garbage collected. + pending atomic.Uint64 + + // lock guarantees only one input create updates for this entry + lock unison.Mutex + + // key of the resource as used for the registry. + key string + + // stateMutex is used to lock the resource when it is update/read from + // multiple go-routines like the ACK handler or the input publishing an + // event. + // stateMutex is used to access the fields 'stored', 'state' and 'internalInSync' + stateMutex sync.Mutex + + // stored indicates that the state is available in the registry file. It is false for new entries. + stored bool + + // internalInSync is true if all 'Internal' metadata like TTL or update timestamp are in sync. + // Normally resources are added when being created. But if operations failed we will retry inserting + // them on each update operation until we eventually succeeded + internalInSync bool + + activeCursorOperations uint + internalState stateInternal + + // cursor states. The cursor holds the state as it is currently known to the + // persistent store, while pendingCursor contains the most recent update + // (in-memory state), that still needs to be synced to the persistent store. + // The pendingCursor is nil if there are no pending updates. + // When processing update operations on ACKs, the state is applied to cursor + // first, which is finally written to the persistent store. This ensures that + // we always write the complete state of the key/value pair. + cursor interface{} + pendingCursor interface{} +} + +type ( + // state represents the full document as it is stored in the registry. + // + // The TTL and Update fields are for internal use only. + // + // The `Cursor` namespace is used to store the cursor information that are + // required to continue processing from the last known position. Cursor + // updates in the registry file are only executed after events have been + // ACKed by the outputs. Therefore the cursor MUST NOT include any + // information that are require to identify/track the source we are + // collecting from. + state struct { + TTL time.Duration + Updated time.Time + Cursor interface{} + } + + stateInternal struct { + TTL time.Duration + Updated time.Time + } +) + +// hook into store close for testing purposes +var closeStore = (*store).close + +func openStore(log *logp.Logger, statestore StateStore, prefix string) (*store, error) { + ok := false + + persistentStore, err := statestore.Access() + if err != nil { + return nil, err + } + defer cleanup.IfNot(&ok, func() { persistentStore.Close() }) + + states, err := readStates(log, persistentStore, prefix) + if err != nil { + return nil, err + } + + ok = true + return &store{ + log: log, + persistentStore: persistentStore, + ephemeralStore: states, + }, nil +} + +func (s *store) Retain() { s.refCount.Retain() } +func (s *store) Release() { + if s.refCount.Release() { + closeStore(s) + } +} + +func (s *store) close() { + if err := s.persistentStore.Close(); err != nil { + s.log.Errorf("Closing registry store did report an error: %+v", err) + } +} + +// Get returns the resource for the key. +// A new shared resource is generated if the key is not known. The generated +// resource is not synced to disk yet. +func (s *store) Get(key string) *resource { + return s.ephemeralStore.Find(key, true) +} + +// UpdateTTL updates the time-to-live of a resource. Inactive resources with expired TTL are subject to removal. +// The TTL value is part of the internal state, and will be written immediately to the persistent store. +// On update the resource its `cursor` state is used, to keep the cursor state in sync with the current known +// on disk store state. +func (s *store) UpdateTTL(resource *resource, ttl time.Duration) { + resource.stateMutex.Lock() + defer resource.stateMutex.Unlock() + if resource.stored && resource.internalState.TTL == ttl { + return + } + + resource.internalState.TTL = ttl + if resource.internalState.Updated.IsZero() { + resource.internalState.Updated = time.Now() + } + + err := s.persistentStore.Set(resource.key, state{ + TTL: resource.internalState.TTL, + Updated: resource.internalState.Updated, + Cursor: resource.cursor, + }) + if err != nil { + s.log.Errorf("Failed to update resource management fields for '%v'", resource.key) + resource.internalInSync = false + } else { + resource.stored = true + resource.internalInSync = true + } +} + +// Find returns the resource for a given key. If the key is unknown and create is set to false nil will be returned. +// The resource returned by Find is marked as active. (*resource).Release must be called to mark the resource as inactive again. +func (s *states) Find(key string, create bool) *resource { + s.mu.Lock() + defer s.mu.Unlock() + + if resource := s.table[key]; resource != nil { + resource.Retain() + return resource + } + + if !create { + return nil + } + + // resource is owned by table(session) and input that uses the resource. + resource := &resource{ + stored: false, + key: key, + lock: unison.MakeMutex(), + } + s.table[key] = resource + resource.Retain() + return resource +} + +// IsNew returns true if we have no state recorded for the current resource. +func (r *resource) IsNew() bool { + r.stateMutex.Lock() + defer r.stateMutex.Unlock() + return r.pendingCursor == nil && r.cursor == nil +} + +// Retain is used to indicate that 'resource' gets an additional 'owner'. +// Owners of an resource can be active inputs or pending update operations +// not yet written to disk. +func (r *resource) Retain() { r.pending.Inc() } + +// Release reduced the owner ship counter of the resource. +func (r *resource) Release() { r.pending.Dec() } + +// UpdatesReleaseN is used to release ownership of N pending update operations. +func (r *resource) UpdatesReleaseN(n uint) { + r.pending.Sub(uint64(n)) +} + +// Finished returns true if the resource is not in use and if there are no pending updates +// that still need to be written to the registry. +func (r *resource) Finished() bool { return r.pending.Load() == 0 } + +// UnpackCursor deserializes the in memory state. +func (r *resource) UnpackCursor(to interface{}) error { + r.stateMutex.Lock() + defer r.stateMutex.Unlock() + if r.activeCursorOperations == 0 { + return typeconv.Convert(to, r.cursor) + } + return typeconv.Convert(to, r.pendingCursor) +} + +// syncStateSnapshot returns the current insync state based on already ACKed update operations. +func (r *resource) inSyncStateSnapshot() state { + return state{ + TTL: r.internalState.TTL, + Updated: r.internalState.Updated, + Cursor: r.cursor, + } +} + +// stateSnapshot returns the current in memory state, that already contains state updates +// not yet ACKed. +func (r *resource) stateSnapshot() state { + cursor := r.pendingCursor + if r.activeCursorOperations == 0 { + cursor = r.cursor + } + + return state{ + TTL: r.internalState.TTL, + Updated: r.internalState.Updated, + Cursor: cursor, + } +} + +func readStates(log *logp.Logger, store *statestore.Store, prefix string) (*states, error) { + keyPrefix := prefix + "::" + states := &states{ + table: map[string]*resource{}, + } + + err := store.Each(func(key string, dec statestore.ValueDecoder) (bool, error) { + if !strings.HasPrefix(string(key), keyPrefix) { + return true, nil + } + + var st state + if err := dec.Decode(&st); err != nil { + log.Errorf("Failed to read regisry state for '%v', cursor state will be ignored. Error was: %+v", + key, err) + return true, nil + } + + resource := &resource{ + key: key, + stored: true, + lock: unison.MakeMutex(), + internalInSync: true, + internalState: stateInternal{ + TTL: st.TTL, + Updated: st.Updated, + }, + cursor: st.Cursor, + } + states.table[resource.key] = resource + + return true, nil + }) + + if err != nil { + return nil, err + } + return states, nil +} diff --git a/filebeat/input/filestream/internal/input-logfile/store_test.go b/filebeat/input/filestream/internal/input-logfile/store_test.go new file mode 100644 index 00000000000..71ea41298b2 --- /dev/null +++ b/filebeat/input/filestream/internal/input-logfile/store_test.go @@ -0,0 +1,351 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package input_logfile + +import ( + "errors" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/elastic/beats/v7/libbeat/logp" + "github.com/elastic/beats/v7/libbeat/statestore" + "github.com/elastic/beats/v7/libbeat/statestore/storetest" +) + +type testStateStore struct { + Store *statestore.Store + GCPeriod time.Duration +} + +func TestStore_OpenClose(t *testing.T) { + t.Run("releasing store closes", func(t *testing.T) { + var closed bool + cleanup := closeStoreWith(func(s *store) { + closed = true + s.close() + }) + defer cleanup() + + store := testOpenStore(t, "test", nil) + store.Release() + + require.True(t, closed) + }) + + t.Run("fail if persistent store can not be accessed", func(t *testing.T) { + _, err := openStore(logp.NewLogger("test"), testStateStore{}, "test") + require.Error(t, err) + }) + + t.Run("load from empty", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + require.Equal(t, 0, len(storeMemorySnapshot(store))) + require.Equal(t, 0, len(storeInSyncSnapshot(store))) + }) + + t.Run("already available state is loaded", func(t *testing.T) { + states := map[string]state{ + "test::key0": {Cursor: "1"}, + "test::key1": {Cursor: "2"}, + } + + store := testOpenStore(t, "test", createSampleStore(t, states)) + defer store.Release() + + checkEqualStoreState(t, states, storeMemorySnapshot(store)) + checkEqualStoreState(t, states, storeInSyncSnapshot(store)) + }) + + t.Run("ignore entries with wrong index on open", func(t *testing.T) { + states := map[string]state{ + "test::key0": {Cursor: "1"}, + "other::key": {Cursor: "2"}, + } + + store := testOpenStore(t, "test", createSampleStore(t, states)) + defer store.Release() + + want := map[string]state{ + "test::key0": {Cursor: "1"}, + } + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) +} + +func TestStore_Get(t *testing.T) { + t.Run("find existing resource", func(t *testing.T) { + cursorState := state{Cursor: "1"} + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key0": cursorState, + })) + defer store.Release() + + res := store.Get("test::key0") + require.NotNil(t, res) + defer res.Release() + + // check in memory state matches matches original persistent state + require.Equal(t, cursorState, res.stateSnapshot()) + // check assumed in-sync state matches matches original persistent state + require.Equal(t, cursorState, res.inSyncStateSnapshot()) + }) + + t.Run("access unknown resource", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res := store.Get("test::key") + require.NotNil(t, res) + defer res.Release() + + // new resource has empty state + require.Equal(t, state{}, res.stateSnapshot()) + }) + + t.Run("same resource is returned", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res1 := store.Get("test::key") + require.NotNil(t, res1) + defer res1.Release() + + res2 := store.Get("test::key") + require.NotNil(t, res2) + defer res2.Release() + + assert.Equal(t, res1, res2) + }) +} + +func TestStore_UpdateTTL(t *testing.T) { + t.Run("add TTL for new entry to store", func(t *testing.T) { + // when creating a resource we set the TTL and insert a new key value pair without cursor value into the store: + store := testOpenStore(t, "test", createSampleStore(t, nil)) + defer store.Release() + + res := store.Get("test::key") + store.UpdateTTL(res, 60*time.Second) + + want := map[string]state{ + "test::key": { + TTL: 60 * time.Second, + Updated: res.internalState.Updated, + Cursor: nil, + }, + } + + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) + + t.Run("update TTL for in-sync resource does not overwrite state", func(t *testing.T) { + store := testOpenStore(t, "test", createSampleStore(t, map[string]state{ + "test::key": { + TTL: 1 * time.Second, + Cursor: "test", + }, + })) + defer store.Release() + + res := store.Get("test::key") + store.UpdateTTL(res, 60*time.Second) + want := map[string]state{ + "test::key": { + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test", + }, + } + + checkEqualStoreState(t, want, storeMemorySnapshot(store)) + checkEqualStoreState(t, want, storeInSyncSnapshot(store)) + }) + + t.Run("update TTL for resource with pending updates", func(t *testing.T) { + // This test updates the resource TTL while update operations are still + // pending, but not synced to the persistent store yet. + // UpdateTTL changes the state in the persistent store immediately, and must therefore + // serialize the old in-sync state with update meta-data. + + // create store + backend := createSampleStore(t, map[string]state{ + "test::key": { + TTL: 1 * time.Second, + Cursor: "test", + }, + }) + store := testOpenStore(t, "test", backend) + defer store.Release() + + // create pending update operation + res := store.Get("test::key") + op, err := createUpdateOp(store, res, "test-state-update") + require.NoError(t, err) + defer op.done(1) + + // Update key/value pair TTL. This will update the internal state in the + // persistent store only, not modifying the old cursor state yet. + store.UpdateTTL(res, 60*time.Second) + + // validate + wantMemoryState := state{ + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test-state-update", + } + wantInSyncState := state{ + Updated: res.internalState.Updated, + TTL: 60 * time.Second, + Cursor: "test", + } + + checkEqualStoreState(t, map[string]state{"test::key": wantMemoryState}, storeMemorySnapshot(store)) + checkEqualStoreState(t, map[string]state{"test::key": wantInSyncState}, storeInSyncSnapshot(store)) + checkEqualStoreState(t, map[string]state{"test::key": wantInSyncState}, backend.snapshot()) + }) +} + +func closeStoreWith(fn func(s *store)) func() { + old := closeStore + closeStore = fn + return func() { + closeStore = old + } +} + +func testOpenStore(t *testing.T, prefix string, persistentStore StateStore) *store { + if persistentStore == nil { + persistentStore = createSampleStore(t, nil) + } + + store, err := openStore(logp.NewLogger("test"), persistentStore, prefix) + if err != nil { + t.Fatalf("failed to open the store") + } + return store +} + +func createSampleStore(t *testing.T, data map[string]state) testStateStore { + storeReg := statestore.NewRegistry(storetest.NewMemoryStoreBackend()) + store, err := storeReg.Get("test") + if err != nil { + t.Fatalf("Failed to access store: %v", err) + } + + for k, v := range data { + if err := store.Set(k, v); err != nil { + t.Fatalf("Error when populating the sample store: %v", err) + } + } + + return testStateStore{ + Store: store, + } +} + +func (ts testStateStore) WithGCPeriod(d time.Duration) testStateStore { ts.GCPeriod = d; return ts } +func (ts testStateStore) CleanupInterval() time.Duration { return ts.GCPeriod } +func (ts testStateStore) Access() (*statestore.Store, error) { + if ts.Store == nil { + return nil, errors.New("no store configured") + } + return ts.Store, nil +} + +// snapshot copies all key/value pairs from the persistent store into a table for inspection. +func (ts testStateStore) snapshot() map[string]state { + states := map[string]state{} + err := ts.Store.Each(func(key string, dec statestore.ValueDecoder) (bool, error) { + var st state + if err := dec.Decode(&st); err != nil { + return false, err + } + states[key] = st + return true, nil + }) + + if err != nil { + panic("unexpected decode error from persistent test store") + } + return states +} + +// storeMemorySnapshot copies all key/value pairs into a table for inspection. +// The state returned reflects the in memory state, which can be ahead of the +// persistent state. +// +// Note: The state returned by storeMemorySnapshot is always ahead of the state returned by storeInSyncSnapshot. +// All key value pairs are fully in-sync, if both snapshot functions return the same state. +func storeMemorySnapshot(store *store) map[string]state { + store.ephemeralStore.mu.Lock() + defer store.ephemeralStore.mu.Unlock() + + states := map[string]state{} + for k, res := range store.ephemeralStore.table { + states[k] = res.stateSnapshot() + } + return states +} + +// storeInSyncSnapshot copies all key/value pairs into the table for inspection. +// The state returned reflects the current state that the in-memory tables assumed to be +// written to the persistent store already. + +// Note: The state returned by storeMemorySnapshot is always ahead of the state returned by storeInSyncSnapshot. +// All key value pairs are fully in-sync, if both snapshot functions return the same state. +func storeInSyncSnapshot(store *store) map[string]state { + store.ephemeralStore.mu.Lock() + defer store.ephemeralStore.mu.Unlock() + + states := map[string]state{} + for k, res := range store.ephemeralStore.table { + states[k] = res.inSyncStateSnapshot() + } + return states +} + +// checkEqualStoreState compares 2 store snapshot tables for equality. The test +// fails with Errorf if the state differ. +// +// Note: testify is too strict when comparing timestamp, better use checkEqualStoreState. +func checkEqualStoreState(t *testing.T, want, got map[string]state) bool { + if d := cmp.Diff(want, got); d != "" { + t.Errorf("store state mismatch (-want +got):\n%s", d) + return false + } + return true +} + +// requireEqualStoreState compares 2 store snapshot tables for equality. The test +// fails with Fatalf if the state differ. +// +// Note: testify is too strict when comparing timestamp, better use checkEqualStoreState. +func requireEqualStoreState(t *testing.T, want, got map[string]state) bool { + if d := cmp.Diff(want, got); d != "" { + t.Fatalf("store state mismatch (-want +got):\n%s", d) + return false + } + return true +} diff --git a/filebeat/input/filestream/prospector.go b/filebeat/input/filestream/prospector.go new file mode 100644 index 00000000000..257574b9ca1 --- /dev/null +++ b/filebeat/input/filestream/prospector.go @@ -0,0 +1,38 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package filestream + +import ( + loginp "github.com/elastic/beats/v7/filebeat/input/filestream/internal/input-logfile" + input "github.com/elastic/beats/v7/filebeat/input/v2" + "github.com/elastic/beats/v7/libbeat/statestore" +) + +// fileProspector implements the Prospector interface. +// It contains a file scanner which returns file system events. +// The FS events then trigger either new Harvester runs or updates +// the statestore. +type fileProspector struct{} + +func (p *fileProspector) Run(ctx input.Context, s *statestore.Store, hg *loginp.HarvesterGroup) { + panic("TODO: implement me") +} + +func (p *fileProspector) Test() error { + panic("TODO: implement me") +} diff --git a/filebeat/input/v2/input-cursor/manager.go b/filebeat/input/v2/input-cursor/manager.go index 2a4310dc778..766d6f17fa0 100644 --- a/filebeat/input/v2/input-cursor/manager.go +++ b/filebeat/input/v2/input-cursor/manager.go @@ -26,7 +26,6 @@ import ( "github.com/elastic/go-concert/unison" - input "github.com/elastic/beats/v7/filebeat/input/v2" v2 "github.com/elastic/beats/v7/filebeat/input/v2" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" @@ -145,7 +144,7 @@ func (cim *InputManager) shutdown() { // Create builds a new v2.Input using the provided Configure function. // The Input will run a go-routine per source that has been configured. -func (cim *InputManager) Create(config *common.Config) (input.Input, error) { +func (cim *InputManager) Create(config *common.Config) (v2.Input, error) { if err := cim.init(); err != nil { return nil, err } @@ -180,7 +179,7 @@ func (cim *InputManager) Create(config *common.Config) (input.Input, error) { // Lock locks a key for exclusive access and returns an resource that can be used to modify // the cursor state and unlock the key. -func (cim *InputManager) lock(ctx input.Context, key string) (*resource, error) { +func (cim *InputManager) lock(ctx v2.Context, key string) (*resource, error) { resource := cim.store.Get(key) err := lockResource(ctx.Logger, resource, ctx.Cancelation) if err != nil { @@ -190,7 +189,7 @@ func (cim *InputManager) lock(ctx input.Context, key string) (*resource, error) return resource, nil } -func lockResource(log *logp.Logger, resource *resource, canceler input.Canceler) error { +func lockResource(log *logp.Logger, resource *resource, canceler v2.Canceler) error { if !resource.lock.TryLock() { log.Infof("Resource '%v' currently in use, waiting...", resource.key) err := resource.lock.LockContext(canceler) diff --git a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json index 9c61a6065af..1f3600f2e09 100644 --- a/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json +++ b/filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json @@ -76,6 +76,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -105,6 +106,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -134,6 +136,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", diff --git a/filebeat/module/apache/access/test/ssl-request.log-expected.json b/filebeat/module/apache/access/test/ssl-request.log-expected.json index 9898d82cef0..3eb3e283b19 100644 --- a/filebeat/module/apache/access/test/ssl-request.log-expected.json +++ b/filebeat/module/apache/access/test/ssl-request.log-expected.json @@ -38,6 +38,7 @@ "source.address": "11.19.0.217", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "11.19.0.217", diff --git a/filebeat/module/apache/error/test/test.log-expected.json b/filebeat/module/apache/error/test/test.log-expected.json index fbc9605ef38..d9f470db46a 100644 --- a/filebeat/module/apache/error/test/test.log-expected.json +++ b/filebeat/module/apache/error/test/test.log-expected.json @@ -56,6 +56,7 @@ "source.geo.city_name": "Newnan", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.3708, "source.geo.location.lon": -84.8154, "source.geo.region_iso_code": "US-GA", @@ -84,6 +85,7 @@ "source.geo.city_name": "Beijing", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 39.9288, "source.geo.location.lon": 116.3889, "source.geo.region_iso_code": "CN-BJ", diff --git a/filebeat/module/haproxy/log/test/default.log-expected.json b/filebeat/module/haproxy/log/test/default.log-expected.json index f58515d6172..4da9bc98f17 100644 --- a/filebeat/module/haproxy/log/test/default.log-expected.json +++ b/filebeat/module/haproxy/log/test/default.log-expected.json @@ -30,6 +30,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/filebeat/module/haproxy/log/test/haproxy.log-expected.json b/filebeat/module/haproxy/log/test/haproxy.log-expected.json index 474b7a5e5d3..b33e80ab073 100644 --- a/filebeat/module/haproxy/log/test/haproxy.log-expected.json +++ b/filebeat/module/haproxy/log/test/haproxy.log-expected.json @@ -47,6 +47,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index adb56a2eadd..786333c1379 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -34,6 +34,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -127,6 +128,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", diff --git a/filebeat/module/iis/error/test/iis_error_url.log-expected.json b/filebeat/module/iis/error/test/iis_error_url.log-expected.json index 0cb2fb038b4..8adb2e6d1d0 100644 --- a/filebeat/module/iis/error/test/iis_error_url.log-expected.json +++ b/filebeat/module/iis/error/test/iis_error_url.log-expected.json @@ -30,6 +30,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -67,6 +68,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -104,6 +106,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -141,6 +144,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -178,6 +182,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -215,6 +220,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -252,6 +258,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", @@ -289,6 +296,7 @@ "source.address": "149.42.83.135", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "149.42.83.135", diff --git a/filebeat/module/iis/error/test/test.log-expected.json b/filebeat/module/iis/error/test/test.log-expected.json index 50ec549dd6b..506ee6ba2ed 100644 --- a/filebeat/module/iis/error/test/test.log-expected.json +++ b/filebeat/module/iis/error/test/test.log-expected.json @@ -66,6 +66,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -108,6 +109,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -146,6 +148,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json index 92519cc1e81..7981a316c95 100644 --- a/filebeat/module/nginx/access/test/access.log-expected.json +++ b/filebeat/module/nginx/access/test/access.log-expected.json @@ -32,6 +32,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -80,6 +81,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -127,6 +129,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -174,6 +177,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -222,6 +226,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -269,6 +274,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -316,6 +322,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", @@ -363,6 +370,7 @@ "source.geo.city_name": "Germersheim", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.2231, "source.geo.location.lon": 8.3639, "source.geo.region_iso_code": "DE-RP", diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index a1968695184..e07836ce520 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json @@ -115,6 +115,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -164,6 +165,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -216,6 +218,7 @@ "source.geo.city_name": "Springfield", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.7647, "source.geo.location.lon": -89.7379, "source.geo.region_iso_code": "US-IL", @@ -260,6 +263,7 @@ "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PT", + "source.geo.country_name": "Portugal", "source.geo.location.lat": 39.5, "source.geo.location.lon": -8.0, "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 75caf6cf9f8..b27c9ccf19b 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json @@ -112,6 +112,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -159,6 +160,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -209,6 +211,7 @@ "source.geo.city_name": "Springfield", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.7647, "source.geo.location.lon": -89.7379, "source.geo.region_iso_code": "US-IL", @@ -251,6 +254,7 @@ "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PT", + "source.geo.country_name": "Portugal", "source.geo.location.lat": 39.5, "source.geo.location.lon": -8.0, "source.ip": "2a03:0000:10ff:f00f:0000:0000:0:8000", diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json index e8b09bc1abd..89c37b4a38e 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -1322,4 +1322,4 @@ "user_agent.os.version": "10.14", "user_agent.version": "72.0." } -] +] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 7d8ece1d7f2..50134594bfc 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -33,6 +33,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -94,6 +95,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -155,6 +157,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -284,6 +287,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -345,6 +349,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -406,6 +411,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -467,6 +473,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -528,6 +535,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -691,6 +699,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -752,6 +761,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -813,6 +823,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -874,6 +885,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -935,6 +947,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -996,6 +1009,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -1074,6 +1088,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1135,6 +1150,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1264,6 +1280,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1325,6 +1342,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1386,6 +1404,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1447,6 +1466,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1508,6 +1528,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1637,6 +1658,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1698,6 +1720,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1759,6 +1782,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1820,6 +1844,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -1881,6 +1906,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2010,6 +2036,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2071,6 +2098,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2132,6 +2160,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -2244,6 +2273,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2305,6 +2335,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2366,6 +2397,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2427,6 +2459,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2488,6 +2521,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", @@ -2617,6 +2651,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 28.55, "source.geo.location.lon": 115.9333, "source.geo.region_iso_code": "CN-JX", diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index 88d32188bb7..dc677ebb58c 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -140,6 +140,7 @@ "source.as.organization.name": "CHINANET Guangdong province network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 23.1167, "source.geo.location.lon": 113.25, "source.geo.region_iso_code": "CN-GD", @@ -196,6 +197,7 @@ "source.geo.city_name": "Hangzhou", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 30.294, "source.geo.location.lon": 120.1619, "source.geo.region_iso_code": "CN-ZJ", diff --git a/filebeat/module/traefik/access/test/test.log-expected.json b/filebeat/module/traefik/access/test/test.log-expected.json index a5723ed5c27..631673fe351 100644 --- a/filebeat/module/traefik/access/test/test.log-expected.json +++ b/filebeat/module/traefik/access/test/test.log-expected.json @@ -69,6 +69,7 @@ "source.geo.city_name": "Berlin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 52.4473, "source.geo.location.lon": 13.4531, "source.geo.region_iso_code": "DE-BE", @@ -116,6 +117,7 @@ "source.geo.city_name": "Ottawa", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.2691, "source.geo.location.lon": -75.7518, "source.geo.region_iso_code": "CA-ON", @@ -203,6 +205,7 @@ "source.geo.city_name": "Warsaw", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 52.25, "source.geo.location.lon": 21.0, "source.geo.region_iso_code": "PL-14", @@ -249,6 +252,7 @@ "source.geo.city_name": "Gda\u0144sk", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.3605, "source.geo.location.lon": 18.649, "source.geo.region_iso_code": "PL-22", diff --git a/filebeat/tests/system/test_reload_inputs.py b/filebeat/tests/system/test_reload_inputs.py index 4de554fe2c6..4c5fa1abfba 100644 --- a/filebeat/tests/system/test_reload_inputs.py +++ b/filebeat/tests/system/test_reload_inputs.py @@ -1,4 +1,5 @@ import os +import pytest import time from filebeat import BaseTest @@ -249,6 +250,8 @@ def test_load_configs(self): assert output[0]["message"] == first_line assert output[1]["message"] == second_line + # 1/20 build fails https://github.com/elastic/beats/issues/21307 + @pytest.mark.flaky(reruns=1, reruns_delay=10) def test_reload_same_config(self): """ Test reload same config with same file but different config. Makes sure reloading also works on conflicts. diff --git a/go.mod b/go.mod index 2fafe750879..09cd086cbee 100644 --- a/go.mod +++ b/go.mod @@ -107,6 +107,7 @@ require ( github.com/josephspurrier/goversioninfo v0.0.0-20190209210621-63e6d1acd3dd github.com/jpillora/backoff v1.0.0 // indirect github.com/jstemmer/go-junit-report v0.9.1 + github.com/kardianos/service v1.1.0 github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect github.com/lib/pq v1.1.2-0.20190507191818-2ff3cb3adc01 github.com/magefile/mage v1.10.0 @@ -123,6 +124,7 @@ require ( github.com/oklog/ulid v1.3.1 github.com/opencontainers/go-digest v1.0.0-rc1.0.20190228220655-ac19fd6e7483 // indirect github.com/opencontainers/image-spec v1.0.2-0.20190823105129-775207bd45b6 // indirect + github.com/otiai10/copy v1.2.0 github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0 github.com/pkg/errors v0.9.1 github.com/pmezard/go-difflib v1.0.0 @@ -195,6 +197,7 @@ replace ( github.com/fsnotify/fsnotify => github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d github.com/google/gopacket => github.com/adriansr/gopacket v1.1.18-0.20200327165309-dd62abfa8a41 github.com/insomniacslk/dhcp => github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 // indirect + github.com/kardianos/service => github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa github.com/tonistiigi/fifo => github.com/containerd/fifo v0.0.0-20190816180239-bda0ff6ed73c golang.org/x/tools => golang.org/x/tools v0.0.0-20200602230032-c00d67ef29d0 // release 1.14 ) diff --git a/go.sum b/go.sum index 44f6eeb2ba0..031f1faa095 100644 --- a/go.sum +++ b/go.sum @@ -127,6 +127,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa h1:aXHPZwx8Y5z8r+1WPylnu095usTf6QSshaHs6nVMBc0= +github.com/blakerouse/service v1.1.1-0.20200924160513-057808572ffa/go.mod h1:RrJI2xn5vve/r32U5suTbeaSGoMU6GbNPoj36CVYcHc= github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2 h1:oMCHnXa6CCCafdPDbMh/lWRhRByN0VFLvv+g+ayx1SI= github.com/blakesmith/ar v0.0.0-20150311145944-8bd4349a67f2/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI= github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= @@ -563,6 +565,14 @@ github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rm github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= +github.com/otiai10/copy v1.2.0 h1:HvG945u96iNadPoG2/Ja2+AUJeW5YuFQMixq9yirC+k= +github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= +github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= +github.com/otiai10/curr v1.0.0 h1:TJIWdbX0B+kpNagQrjgq8bCMrbhiuX73M2XwgtDMoOI= +github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= +github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= +github.com/otiai10/mint v1.3.1 h1:BCmzIS3n71sGfHB5NMNDB3lHYPz8fWSkCAErHed//qc= +github.com/otiai10/mint v1.3.1/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2 h1:CXwSGu/LYmbjEab5aMCs5usQRVBGThelUKBNnoSOuso= github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2/go.mod h1:L3UMQOThbttwfYRNFOWLLVXMhk5Lkio4GGOtw5UrxS0= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= @@ -817,6 +827,7 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190204203706-41f3e6584952/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= diff --git a/libbeat/common/cli/input.go b/libbeat/common/cli/input.go new file mode 100644 index 00000000000..a6a516fd3d4 --- /dev/null +++ b/libbeat/common/cli/input.go @@ -0,0 +1,43 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package cli + +import ( + "bufio" + "fmt" + "io" + "os" + + "github.com/pkg/errors" +) + +// ReadInput shows the text and ask the user to provide input. +func ReadInput(prompt string) (string, error) { + reader := bufio.NewReader(os.Stdin) + return input(reader, prompt) +} + +func input(r io.Reader, prompt string) (string, error) { + reader := bufio.NewScanner(r) + fmt.Print(prompt + " ") + + if !reader.Scan() { + return "", errors.New("error reading user input") + } + return reader.Text(), nil +} diff --git a/libbeat/common/cli/input_test.go b/libbeat/common/cli/input_test.go new file mode 100644 index 00000000000..de87b5efe2a --- /dev/null +++ b/libbeat/common/cli/input_test.go @@ -0,0 +1,63 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package cli + +import ( + "strings" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestReadInput(t *testing.T) { + tests := []struct { + name string + input string + res string + }{ + { + name: "Question 1?", + input: "\n", + res: "", + }, + { + name: "Question 2?", + input: "full string input\n", + res: "full string input", + }, + { + name: "Question 3?", + input: "123456789\n", + res: "123456789", + }, + { + name: "Question 4?", + input: "false\n", + res: "false", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + r := strings.NewReader(test.input) + result, err := input(r, test.name) + assert.NoError(t, err) + assert.Equal(t, test.res, result) + }) + } +} diff --git a/libbeat/docs/release.asciidoc b/libbeat/docs/release.asciidoc index 4215186d430..24e0ee43651 100644 --- a/libbeat/docs/release.asciidoc +++ b/libbeat/docs/release.asciidoc @@ -8,6 +8,7 @@ This section summarizes the changes in each release. Also read <> for more detail about changes that affect upgrade. +* <> * <> * <> * <> diff --git a/libbeat/docs/repositories.asciidoc b/libbeat/docs/repositories.asciidoc index a7104414465..1b27a6c0b44 100644 --- a/libbeat/docs/repositories.asciidoc +++ b/libbeat/docs/repositories.asciidoc @@ -122,7 +122,7 @@ sudo apt-get update && sudo apt-get install {beatname_pkg} -------------------------------------------------- sudo systemctl enable {beatname_pkg} -------------------------------------------------- - ++ If your system does not use `systemd` then run: + ["source","sh",subs="attributes"] @@ -224,7 +224,7 @@ sudo yum install {beatname_pkg} -------------------------------------------------- sudo systemctl enable {beatname_pkg} -------------------------------------------------- - ++ If your system does not use `systemd` then run: + ["source","sh",subs="attributes"] @@ -233,4 +233,3 @@ sudo chkconfig --add {beatname_pkg} -------------------------------------------------- endif::[] - diff --git a/libbeat/processors/script/javascript/module/include.go b/libbeat/processors/script/javascript/module/include.go index f30e423e7a2..b498dc90e21 100644 --- a/libbeat/processors/script/javascript/module/include.go +++ b/libbeat/processors/script/javascript/module/include.go @@ -24,4 +24,5 @@ import ( _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/path" _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/processor" _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/require" + _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module/windows" ) diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go b/libbeat/processors/script/javascript/module/windows/doc.go similarity index 82% rename from winlogbeat/processors/script/javascript/module/winlogbeat/doc.go rename to libbeat/processors/script/javascript/module/windows/doc.go index fc782636d09..bca46a94340 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/doc.go +++ b/libbeat/processors/script/javascript/module/windows/doc.go @@ -15,7 +15,7 @@ // specific language governing permissions and limitations // under the License. -// Package winlogbeat registers the winlogbeat module with the javascript script -// processor. The module has utilities specific to Winlogbeat like parsing +// Package windows registers the windows module with the javascript script +// processor. The module has utilities specific to Windows like parsing // Windows command lines. -package winlogbeat +package windows diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go b/libbeat/processors/script/javascript/module/windows/windows.go similarity index 87% rename from winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go rename to libbeat/processors/script/javascript/module/windows/windows.go index dc9439c5c67..2bbe7817fad 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat.go +++ b/libbeat/processors/script/javascript/module/windows/windows.go @@ -17,7 +17,7 @@ // +build windows -package winlogbeat +package windows import ( "syscall" @@ -60,11 +60,11 @@ func commandLineToArgvW(in string) ([]string, error) { return args, nil } -// Require registers the winlogbeat module that has utilities specific to -// Winlogbeat like parsing Windows command lines. It can be accessed using: +// Require registers the windows module that has utilities specific to +// Windows like parsing Windows command lines. It can be accessed using: // // // javascript -// var winlogbeat = require('winlogbeat'); +// var windows = require('windows'); // func Require(vm *goja.Runtime, module *goja.Object) { o := module.Get("exports").(*goja.Object) @@ -74,9 +74,11 @@ func Require(vm *goja.Runtime, module *goja.Object) { // Enable adds path to the given runtime. func Enable(runtime *goja.Runtime) { + runtime.Set("windows", require.Require(runtime, "windows")) runtime.Set("winlogbeat", require.Require(runtime, "winlogbeat")) } func init() { + require.RegisterNativeModule("windows", Require) require.RegisterNativeModule("winlogbeat", Require) } diff --git a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go b/libbeat/processors/script/javascript/module/windows/windows_test.go similarity index 99% rename from winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go rename to libbeat/processors/script/javascript/module/windows/windows_test.go index 45c339cc1f2..be213a79ba8 100644 --- a/winlogbeat/processors/script/javascript/module/winlogbeat/winlogbeat_test.go +++ b/libbeat/processors/script/javascript/module/windows/windows_test.go @@ -17,7 +17,7 @@ // +build windows -package winlogbeat +package windows import ( "testing" diff --git a/libbeat/publisher/queue/diskqueue/config.go b/libbeat/publisher/queue/diskqueue/config.go index f39f608361d..6a165a665db 100644 --- a/libbeat/publisher/queue/diskqueue/config.go +++ b/libbeat/publisher/queue/diskqueue/config.go @@ -106,8 +106,8 @@ func DefaultSettings() Settings { MaxSegmentSize: 100 * (1 << 20), // 100MiB MaxBufferSize: (1 << 30), // 1GiB - ReadAheadLimit: 256, - WriteAheadLimit: 1024, + ReadAheadLimit: 512, + WriteAheadLimit: 2048, } } @@ -129,6 +129,14 @@ func SettingsForUserConfig(config *common.Config) (Settings, error) { // divided by 10. settings.MaxSegmentSize = uint64(userConfig.MaxSize) / 10 } + + if userConfig.ReadAheadLimit != nil { + settings.ReadAheadLimit = *userConfig.ReadAheadLimit + } + if userConfig.WriteAheadLimit != nil { + settings.WriteAheadLimit = *userConfig.WriteAheadLimit + } + return settings, nil } diff --git a/libbeat/publisher/queue/diskqueue/core_loop.go b/libbeat/publisher/queue/diskqueue/core_loop.go index 56a50b5a422..638d9da2f40 100644 --- a/libbeat/publisher/queue/diskqueue/core_loop.go +++ b/libbeat/publisher/queue/diskqueue/core_loop.go @@ -58,10 +58,15 @@ func (dq *diskQueue) run() { // The writer loop completed a request, so check if there is more // data to be sent. dq.maybeWritePending() - // We also check whether the reader loop is waiting for the data - // that was just written. + + // The data that was just written is now available for reading, so check + // if we should start a new read request. dq.maybeReadPending() + // pendingFrames should now be empty. If any producers were blocked + // because pendingFrames hit settings.WriteAheadLimit, wake them up. + dq.maybeUnblockProducers() + // Reader loop handling case readerLoopResponse := <-dq.readerLoop.responseChan: dq.handleReaderLoopResponse(readerLoopResponse) @@ -417,22 +422,25 @@ func (dq *diskQueue) enqueueWriteFrame(frame *writeFrame) { }) } -// canAcceptFrameOfSize checks whether there is enough free space in the -// queue (subject to settings.MaxBufferSize) to accept a new frame with -// the given size. Size includes both the serialized data and the frame -// header / footer; the easy way to do this for a writeFrame is to pass +// canAcceptFrameOfSize checks whether there is enough free space in the queue +// (subject to settings.{MaxBufferSize, WriteAheadLimit}) to accept a new +// frame with the given size. Size includes both the serialized data and the +// frame header / footer; the easy way to do this for a writeFrame is to pass // in frame.sizeOnDisk(). // Capacity calculations do not include requests in the blockedProducers // list (that data is owned by its callers and we can't touch it until // we are ready to respond). That allows this helper to be used both while // handling producer requests and while deciding whether to unblock // producers after free capacity increases. -// If we decide to add limits on how many events / bytes can be stored -// in pendingFrames (to avoid unbounded memory use if the input is faster -// than the disk), this is the function to modify. func (dq *diskQueue) canAcceptFrameOfSize(frameSize uint64) bool { + // If pendingFrames is already at the WriteAheadLimit, we can't accept + // any new frames right now. + if len(dq.pendingFrames) >= dq.settings.WriteAheadLimit { + return false + } + + // If the queue size is unbounded (max == 0), we accept. if dq.settings.MaxBufferSize == 0 { - // Currently we impose no limitations if the queue size is unbounded. return true } diff --git a/libbeat/publisher/queue/diskqueue/state_file.go b/libbeat/publisher/queue/diskqueue/state_file.go index 2ff14e3e5e2..d8cbb5690ac 100644 --- a/libbeat/publisher/queue/diskqueue/state_file.go +++ b/libbeat/publisher/queue/diskqueue/state_file.go @@ -82,12 +82,14 @@ func writeQueuePositionToHandle( } // Want to write: version (0), segment id, segment offset. - elems := []interface{}{uint32(0), position.segmentID, position.offset} - for _, elem := range elems { - err = binary.Write(file, binary.LittleEndian, &elem) - if err != nil { - return err - } + err = binary.Write(file, binary.LittleEndian, uint32(0)) + if err != nil { + return err + } + err = binary.Write(file, binary.LittleEndian, position.segmentID) + if err != nil { + return err } - return nil + err = binary.Write(file, binary.LittleEndian, position.offset) + return err } diff --git a/libbeat/tests/system/requirements.txt b/libbeat/tests/system/requirements.txt index 08843d6144d..86071d5dd65 100644 --- a/libbeat/tests/system/requirements.txt +++ b/libbeat/tests/system/requirements.txt @@ -37,6 +37,7 @@ PyYAML==5.3.1 redis==2.10.6 requests==2.20.0 semver==2.8.1 +setuptools==47.3.2 six==1.15.0 stomp.py==4.1.22 termcolor==1.1.0 diff --git a/metricbeat/docs/modules/sql.asciidoc b/metricbeat/docs/modules/sql.asciidoc index 69726a1fe7d..6e944cf5c13 100644 --- a/metricbeat/docs/modules/sql.asciidoc +++ b/metricbeat/docs/modules/sql.asciidoc @@ -8,24 +8,45 @@ This file is generated! See scripts/mage/docs_collector.go beta[] -The SQL module allows to execute custom queries against an SQL database and store the results to Elasticsearch. +The SQL module allows you to execute custom queries against an SQL database and +store the results in {es}. -The currently supported databases are the ones already included in Metricbeat, which are: -- PostgreSQL -- MySQL -- Oracle -- Microsoft SQL -- CockroachDB +This module supports the databases that you can monitor with {metricbeat}, +including: -== Quickstart +* PostgreSQL +* MySQL +* Oracle +* Microsoft SQL +* CockroachDB -You can setup the module by activating it first running +To enable the module, run: - metricbeat module enable sql +[source,shell] +---- +metricbeat module enable sql +---- + +After enabling the module, open `modules.d/sql.yml` and set the required +fields: + +`driver`:: The driver can be any driver that has a {metricbeat} module, such as +`mssql` or `postgres`. +`sql_query`:: The single query you want to run. +`sql_response_format`:: Either `variables` or `table`: +`variables`::: Expects a two-column table that looks like a key/value result. +The left column is considered a key and the right column the value. This mode +generates a single event on each fetch operation. +`table`::: Expects any number of columns. This mode generates a single event for +each row. + +[float] +=== Example: capture Innodb-related metrics -Once it is activated, open `modules.d/sql.yml` and fill the required fields. This is an example that captures Innodb related metrics from the result of the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database: +This `sql.yml` configuration shows how to capture Innodb-related metrics that +result from the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL +database: -.sql.yml [source,yaml] ---- - module: sql @@ -39,7 +60,8 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi sql_response_format: variables ---- -.SHOW GLOBAL STATUS LIKE 'Innodb_system%' +The `SHOW GLOBAL STATUS` query results in this table: + |==== |Variable_name|Value @@ -49,18 +71,11 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi |Innodb_system_rows_updated|315 |==== +Results are grouped by type in the result event for convenient mapping in +{es}. For example, `strings` values are grouped into `sql.strings`, `numeric` +into `sql.numeric`, and so on. -Keys in the YAML are defined as follow: - -- `driver`: The drivers currently supported are those which already have a Metricbeat module like `mssql` or `postgres`. -- `sql_query`: Is the single query you want to run -- `sql_response_format`: You have 2 options here: - - `variables`: Expects a table which looks like a key/value result. With 2 columns, left column will be considered a key and the right column the value. This mode generates a single event on each fetch operation. - - `table`: Table mode can contain any number of columns and a single event will be generated for each row. - -Results will be grouped by type in the result event for convenient mapping in Elasticsearch. So `strings` values will be grouped into `sql.strings`, `numeric` into `sql.numeric` and so on and so forth. - -The event generated with the example above looks like this: +The example shown earlier generates this event: [source,json] ---- @@ -112,9 +127,13 @@ The event generated with the example above looks like this: } ---- -In this example, we are querying PostgreSQL and generate a "table" result, hence a single event for each row returned +[float] +=== Example: query PostgreSQL and generate a "table" result + +This `sql.yml` configuration shows how to query PostgreSQL and generate +a "table" result. This configuration generates a single event for each row +returned: -.sql.yml [source,yaml] ---- - module: sql @@ -128,7 +147,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence sql_response_format: table ---- -.SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database +The SELECT query results in this table: + |==== |datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset @@ -137,7 +157,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence |13407|template0|0|0|0|0| |==== -With 3 rows on the table, three events will be generated with the contents of each row. As an example, below you can see the event created for the first row: +Because the table contains three rows, three events are generated, one event +for each row. For example, this event is created for the first row: [source,json] ---- @@ -194,14 +215,11 @@ With 3 rows on the table, three events will be generated with the contents of ea } ---- +[float] +=== Example: get the buffer catch hit ratio in Oracle -== More examples - -=== Oracle: - -Get the buffer cache hit ratio: +This `sql.yml` configuration shows how to get the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -215,6 +233,7 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: [source,json] ---- @@ -269,11 +288,11 @@ Get the buffer cache hit ratio: } ---- -=== MSSQL +[float] +=== Example: get the buffer cache hit ratio for MSSQL -Get the buffer cache hit ratio: +This `sql.yml` configuration gets the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -287,6 +306,8 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: + [source,json] ---- { @@ -338,11 +359,12 @@ Get the buffer cache hit ratio: } ---- -=== Two or more queries +[float] +=== Example: launch two or more queries -If you want to launch two or more queries, you need to specify them with their full configuration for each query. For example: +To launch two or more queries, specify the full configuration for each query. +For example: -.sql.yml [source,yaml] ---- - module: sql diff --git a/winlogbeat/cmd/root.go b/winlogbeat/cmd/root.go index 7e25e717813..2cd26a9fe8e 100644 --- a/winlogbeat/cmd/root.go +++ b/winlogbeat/cmd/root.go @@ -30,7 +30,6 @@ import ( // Import processors and supporting modules. _ "github.com/elastic/beats/v7/libbeat/processors/script" _ "github.com/elastic/beats/v7/libbeat/processors/timestamp" - _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) const ( diff --git a/x-pack/auditbeat/tests/system/test_metricsets.py b/x-pack/auditbeat/tests/system/test_metricsets.py index 26bddcef785..d60c1b82ef8 100644 --- a/x-pack/auditbeat/tests/system/test_metricsets.py +++ b/x-pack/auditbeat/tests/system/test_metricsets.py @@ -1,6 +1,7 @@ import jinja2 import os import platform +import pytest import sys import time import unittest @@ -42,6 +43,8 @@ def test_metricset_login(self): # Metricset is beta and that generates a warning, TODO: remove later self.check_metricset("system", "login", COMMON_FIELDS + fields, config, warnings_allowed=True) + # 1/20 build fails https://github.com/elastic/beats/issues/21308 + @pytest.mark.flaky(reruns=1, reruns_delay=10) @unittest.skipIf(sys.platform == "win32", "Not implemented for Windows") @unittest.skipIf(sys.platform.startswith('linux') and not (os.path.isdir("/var/lib/dpkg") or os.path.isdir("/var/lib/rpm")), "Only implemented for dpkg and rpm") diff --git a/x-pack/elastic-agent/CHANGELOG.next.asciidoc b/x-pack/elastic-agent/CHANGELOG.next.asciidoc index 3963dda9a12..2ba08864ae8 100644 --- a/x-pack/elastic-agent/CHANGELOG.next.asciidoc +++ b/x-pack/elastic-agent/CHANGELOG.next.asciidoc @@ -10,6 +10,7 @@ - Docker container is not run as root by default. {pull}21213[21213] ==== Bugfixes +- Fix rename *ConfigChange to *PolicyChange to align on changes in the UI. {pull}20779[20779] - Thread safe sorted set {pull}21290[21290] - Copy Action store on upgrade {pull}21298[21298] - Include inputs in action store actions {pull}21298[21298] @@ -26,3 +27,4 @@ - Add support for dynamic inputs with providers and `{{variable|"default"}}` substitution. {pull}20839[20839] - Add support for EQL based condition on inputs {pull}20994[20994] - Send `fleet.host.id` to Endpoint Security {pull}21042[21042] +- Add `install` and `uninstall` subcommands {pull}21206[21206] diff --git a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json index 327b79ed347..f08e98942ea 100644 --- a/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json +++ b/x-pack/elastic-agent/dev-tools/cmd/fakewebapi/action_example.json @@ -2,9 +2,9 @@ "action": "checkin", "actions": [ { - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "data": { - "config": { + "policy": { "id": "default", "outputs": { "default": { diff --git a/x-pack/elastic-agent/magefile.go b/x-pack/elastic-agent/magefile.go index 7296e8189be..4fa067f8f8b 100644 --- a/x-pack/elastic-agent/magefile.go +++ b/x-pack/elastic-agent/magefile.go @@ -658,6 +658,7 @@ func buildVars() map[string]string { if isDevFlag, devFound := os.LookupEnv(devEnv); devFound { if isDev, err := strconv.ParseBool(isDevFlag); err == nil && isDev { vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.allowEmptyPgp"] = "true" + vars["github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release.allowUpgrade"] = "true" } } diff --git a/x-pack/elastic-agent/pkg/agent/application/action_store.go b/x-pack/elastic-agent/pkg/agent/application/action_store.go index 25dbf7a5b82..ce4ea785cf7 100644 --- a/x-pack/elastic-agent/pkg/agent/application/action_store.go +++ b/x-pack/elastic-agent/pkg/agent/application/action_store.go @@ -35,7 +35,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) { } defer reader.Close() - var action actionConfigChangeSerializer + var action ActionPolicyChangeSerializer dec := yaml.NewDecoder(reader) err = dec.Decode(&action) @@ -49,7 +49,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) { return nil, err } - apc := fleetapi.ActionConfigChange(action) + apc := fleetapi.ActionPolicyChange(action) return &actionStore{ log: log, @@ -62,7 +62,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) { // any other type of action will be silently ignored. func (s *actionStore) Add(a action) { switch v := a.(type) { - case *fleetapi.ActionConfigChange, *fleetapi.ActionUnenroll: + case *fleetapi.ActionPolicyChange, *fleetapi.ActionUnenroll: // Only persist the action if the action is different. if s.action != nil && s.action.ID() == v.ID() { return @@ -79,8 +79,8 @@ func (s *actionStore) Save() error { } var reader io.Reader - if apc, ok := s.action.(*fleetapi.ActionConfigChange); ok { - serialize := actionConfigChangeSerializer(*apc) + if apc, ok := s.action.(*fleetapi.ActionPolicyChange); ok { + serialize := ActionPolicyChangeSerializer(*apc) r, err := yamlToReader(&serialize) if err != nil { @@ -120,7 +120,7 @@ func (s *actionStore) Actions() []action { return []action{s.action} } -// actionConfigChangeSerializer is a struct that adds a YAML serialization, I don't think serialization +// ActionPolicyChangeSerializer is a struct that adds a YAML serialization, I don't think serialization // is a concern of the fleetapi package. I went this route so I don't have to do much refactoring. // // There are four ways to achieve the same results: @@ -130,14 +130,14 @@ func (s *actionStore) Actions() []action { // 4. We have two sets of type. // // This could be done in a refactoring. -type actionConfigChangeSerializer struct { +type ActionPolicyChangeSerializer struct { ActionID string `yaml:"action_id"` ActionType string `yaml:"action_type"` - Config map[string]interface{} `yaml:"config"` + Policy map[string]interface{} `yaml:"policy"` } // Add a guards between the serializer structs and the original struct. -var _ actionConfigChangeSerializer = actionConfigChangeSerializer(fleetapi.ActionConfigChange{}) +var _ ActionPolicyChangeSerializer = ActionPolicyChangeSerializer(fleetapi.ActionPolicyChange{}) // actionUnenrollSerializer is a struct that adds a YAML serialization, type actionUnenrollSerializer struct { diff --git a/x-pack/elastic-agent/pkg/agent/application/action_store_test.go b/x-pack/elastic-agent/pkg/agent/application/action_store_test.go index 4205deda8b6..f2691d66db6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/action_store_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/action_store_test.go @@ -57,10 +57,10 @@ func TestActionStore(t *testing.T) { t.Run("can save to disk known action type", withFile(func(t *testing.T, file string) { - actionConfigChange := &fleetapi.ActionConfigChange{ + ActionPolicyChange := &fleetapi.ActionPolicyChange{ ActionID: "abc123", - ActionType: "CONFIG_CHANGE", - Config: map[string]interface{}{ + ActionType: "POLICY_CHANGE", + Policy: map[string]interface{}{ "hello": "world", }, } @@ -70,7 +70,7 @@ func TestActionStore(t *testing.T) { require.NoError(t, err) require.Equal(t, 0, len(store.Actions())) - store.Add(actionConfigChange) + store.Add(ActionPolicyChange) err = store.Save() require.NoError(t, err) require.Equal(t, 1, len(store.Actions())) @@ -82,12 +82,12 @@ func TestActionStore(t *testing.T) { actions := store1.Actions() require.Equal(t, 1, len(actions)) - require.Equal(t, actionConfigChange, actions[0]) + require.Equal(t, ActionPolicyChange, actions[0]) })) t.Run("when we ACK we save to disk", withFile(func(t *testing.T, file string) { - actionConfigChange := &fleetapi.ActionConfigChange{ + ActionPolicyChange := &fleetapi.ActionPolicyChange{ ActionID: "abc123", } @@ -98,7 +98,7 @@ func TestActionStore(t *testing.T) { acker := newActionStoreAcker(&testAcker{}, store) require.Equal(t, 0, len(store.Actions())) - require.NoError(t, acker.Ack(context.Background(), actionConfigChange)) + require.NoError(t, acker.Ack(context.Background(), ActionPolicyChange)) require.Equal(t, 1, len(store.Actions())) })) } diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go index 3a6a7843b72..4f9e753ba94 100644 --- a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker.go @@ -5,7 +5,6 @@ package filters import ( - "fmt" "strings" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" @@ -47,11 +46,7 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if nsNode, found := inputNode.Find("data_stream.namespace"); found { nsKey, ok := nsNode.(*transpiler.Key) if ok { - newNamespace := nsKey.Value().(transpiler.Node).String() - if !isValid(newNamespace) { - return ErrInvalidNamespace - } - namespace = newNamespace + namespace = nsKey.Value().(transpiler.Node).String() } } else { dsNode, found := inputNode.Find("data_stream") @@ -63,17 +58,17 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if found { nsKey, ok := nsNode.(*transpiler.Key) if ok { - newNamespace := nsKey.Value().(transpiler.Node).String() - if !isValid(newNamespace) { - return ErrInvalidNamespace - } - namespace = newNamespace + namespace = nsKey.Value().(transpiler.Node).String() } } } } } + if !matchesNamespaceContraints(namespace) { + return ErrInvalidNamespace + } + // get the type, longest type for now is metrics datasetType := "metrics" if nsNode, found := inputNode.Find("data_stream.type"); found { @@ -100,6 +95,10 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { } } + if !matchesTypeConstraints(datasetType) { + return ErrInvalidIndex + } + streamsNode, ok := inputNode.Find("streams") if ok { streamsList, ok := streamsNode.Value().(*transpiler.List) @@ -119,11 +118,8 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if dsNameNode, found := streamMap.Find("data_stream.dataset"); found { dsKey, ok := dsNameNode.(*transpiler.Key) if ok { - newDataset := dsKey.Value().(transpiler.Node).String() - if !isValid(newDataset) { - return ErrInvalidDataset - } - datasetName = newDataset + datasetName = dsKey.Value().(transpiler.Node).String() + break } } else { datasetNode, found := streamMap.Find("data_stream") @@ -137,11 +133,8 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { if found { dsKey, ok := dsNameNode.(*transpiler.Key) if ok { - newDataset := dsKey.Value().(transpiler.Node).String() - if !isValid(newDataset) { - return ErrInvalidDataset - } - datasetName = newDataset + datasetName = dsKey.Value().(transpiler.Node).String() + break } } } @@ -149,49 +142,65 @@ func StreamChecker(log *logger.Logger, ast *transpiler.AST) error { } } } - - if indexName := fmt.Sprintf("%s-%s-%s", datasetType, datasetName, namespace); !matchesIndexContraints(indexName) { - return ErrInvalidIndex + if !matchesDatasetConstraints(datasetName) { + return ErrInvalidDataset } } return nil } -// The only two requirement are that it has only characters allowed in an Elasticsearch index name -// and does NOT contain a `-`. -func isValid(namespace string) bool { - return matchesIndexContraints(namespace) && !strings.Contains(namespace, "-") -} - // The only two requirement are that it has only characters allowed in an Elasticsearch index name // Index names must meet the following criteria: +// Not longer than 100 bytes // Lowercase only // Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesNamespaceContraints(namespace string) bool { + // length restriction is in bytes, not characters + if len(namespace) <= 0 || len(namespace) > 100 { + return false + } + + return isCharactersetValid(namespace) +} + +// matchesTypeConstraints fails for following rules. As type is first element of resulting index prefix restrictions need to be applied. +// Not longer than 20 bytes +// Lowercase only // Cannot start with -, _, + -// Cannot be . or .. -func matchesIndexContraints(namespace string) bool { - // Cannot be . or .. - if namespace == "." || namespace == ".." { +// Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesTypeConstraints(dsType string) bool { + // length restriction is in bytes, not characters + if len(dsType) <= 0 || len(dsType) > 20 { return false } - if len(namespace) <= 0 || len(namespace) > 255 { + if strings.HasPrefix(dsType, "-") || strings.HasPrefix(dsType, "_") || strings.HasPrefix(dsType, "+") { return false } - // Lowercase only - if strings.ToLower(namespace) != namespace { + return isCharactersetValid(dsType) +} + +// matchesDatasetConstraints fails for following rules +// Not longer than 100 bytes +// Lowercase only +// Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # +func matchesDatasetConstraints(dataset string) bool { + // length restriction is in bytes, not characters + if len(dataset) <= 0 || len(dataset) > 100 { return false } - // Cannot include \, /, *, ?, ", <, >, |, ` ` (space character), ,, # - if strings.ContainsAny(namespace, "\\/*?\"<>| ,#") { + return isCharactersetValid(dataset) +} + +func isCharactersetValid(input string) bool { + if strings.ToLower(input) != input { return false } - // Cannot start with -, _, + - if strings.HasPrefix(namespace, "-") || strings.HasPrefix(namespace, "_") || strings.HasPrefix(namespace, "+") { + if strings.ContainsAny(input, "\\/*?\"<>| ,#:") { return false } diff --git a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go index 1daa14a1ad6..5750734c477 100644 --- a/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/filters/stream_checker_test.go @@ -93,25 +93,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidDataset, }, - - { - name: "dataset invalid dot - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": "."}}}, - }, - }, - result: ErrInvalidDataset, - }, - { - name: "dataset invalid dotdot- compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": ".."}}}, - }, - }, - result: ErrInvalidDataset, - }, { name: "dataset invalid uppercase - compact", configMap: map[string]interface{}{ @@ -139,16 +120,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidDataset, }, - { - name: "dataset invalid invalid prefix- compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"streams": []map[string]interface{}{{"data_stream.dataset": "_isthisvalid"}}}, - }, - }, - result: ErrInvalidDataset, - }, - { name: "namespace invalid - compact", configMap: map[string]interface{}{ @@ -156,22 +127,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidNamespace, }, - { - name: "namespace invalid name 1 - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{ - {"data_stream.namespace": "."}, - }, - }, - result: ErrInvalidNamespace, - }, - { - name: "namespace invalid name 2 - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"data_stream.namespace": ".."}}, - }, - result: ErrInvalidNamespace, - }, { name: "namespace invalid name uppercase - compact", configMap: map[string]interface{}{ @@ -193,13 +148,6 @@ func TestStreamCheck(t *testing.T) { }, result: ErrInvalidNamespace, }, - { - name: "namespace invalid name invalid prefix - compact", - configMap: map[string]interface{}{ - "inputs": []map[string]interface{}{{"data_stream.namespace": "+isitok"}}, - }, - result: ErrInvalidNamespace, - }, { name: "namespace invalid - long", configMap: map[string]interface{}{ @@ -274,6 +222,33 @@ func TestStreamCheck(t *testing.T) { }, result: nil, }, + { + name: "type invalid prefix _", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "_type"}, + }, + }, + result: ErrInvalidIndex, + }, + { + name: "type invalid prefix -", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "-type"}, + }, + }, + result: ErrInvalidIndex, + }, + { + name: "type invalid prefix +", + configMap: map[string]interface{}{ + "inputs": []map[string]interface{}{ + {"data_stream.type": "+type"}, + }, + }, + result: ErrInvalidIndex, + }, } log, err := logger.New("") diff --git a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go index bd9037416dc..cfcd1f46994 100644 --- a/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/fleet_gateway_test.go @@ -208,10 +208,10 @@ func TestFleetGateway(t *testing.T) { { "actions": [ { - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "id": "id1", "data": { - "config": { + "policy": { "id": "policy-id" } } diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go index 34fd5716980..81dc1444816 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change.go @@ -13,24 +13,24 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" ) -type handlerConfigChange struct { +type handlerPolicyChange struct { log *logger.Logger emitter emitterFunc } -func (h *handlerConfigChange) Handle(ctx context.Context, a action, acker fleetAcker) error { - h.log.Debugf("handlerConfigChange: action '%+v' received", a) - action, ok := a.(*fleetapi.ActionConfigChange) +func (h *handlerPolicyChange) Handle(ctx context.Context, a action, acker fleetAcker) error { + h.log.Debugf("handlerPolicyChange: action '%+v' received", a) + action, ok := a.(*fleetapi.ActionPolicyChange) if !ok { - return fmt.Errorf("invalid type, expected ActionConfigChange and received %T", a) + return fmt.Errorf("invalid type, expected ActionPolicyChange and received %T", a) } - c, err := LoadConfig(action.Config) + c, err := LoadConfig(action.Policy) if err != nil { return errors.New(err, "could not parse the configuration from the policy", errors.TypeConfig) } - h.log.Debugf("handlerConfigChange: emit configuration for action %+v", a) + h.log.Debugf("handlerPolicyChange: emit configuration for action %+v", a) if err := h.emitter(c); err != nil { return err } diff --git a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change_test.go b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change_test.go index b95c259e7c7..ce4802b68e6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/handler_action_policy_change_test.go @@ -36,13 +36,13 @@ func TestPolicyChange(t *testing.T) { emitter := &mockEmitter{} conf := map[string]interface{}{"hello": "world"} - action := &fleetapi.ActionConfigChange{ + action := &fleetapi.ActionPolicyChange{ ActionID: "abc123", - ActionType: "CONFIG_CHANGE", - Config: conf, + ActionType: "POLICY_CHANGE", + Policy: conf, } - handler := &handlerConfigChange{log: log, emitter: emitter.Emitter} + handler := &handlerPolicyChange{log: log, emitter: emitter.Emitter} err := handler.Handle(context.Background(), action, ack) require.NoError(t, err) @@ -54,13 +54,13 @@ func TestPolicyChange(t *testing.T) { emitter := &mockEmitter{err: mockErr} conf := map[string]interface{}{"hello": "world"} - action := &fleetapi.ActionConfigChange{ + action := &fleetapi.ActionPolicyChange{ ActionID: "abc123", - ActionType: "CONFIG_CHANGE", - Config: conf, + ActionType: "POLICY_CHANGE", + Policy: conf, } - handler := &handlerConfigChange{log: log, emitter: emitter.Emitter} + handler := &handlerPolicyChange{log: log, emitter: emitter.Emitter} err := handler.Handle(context.Background(), action, ack) require.Error(t, err) @@ -77,13 +77,13 @@ func TestPolicyAcked(t *testing.T) { config := map[string]interface{}{"hello": "world"} actionID := "abc123" - action := &fleetapi.ActionConfigChange{ + action := &fleetapi.ActionPolicyChange{ ActionID: actionID, - ActionType: "CONFIG_CHANGE", - Config: config, + ActionType: "POLICY_CHANGE", + Policy: config, } - handler := &handlerConfigChange{log: log, emitter: emitter.Emitter} + handler := &handlerPolicyChange{log: log, emitter: emitter.Emitter} err := handler.Handle(context.Background(), action, tacker) require.Error(t, err) @@ -99,13 +99,13 @@ func TestPolicyAcked(t *testing.T) { config := map[string]interface{}{"hello": "world"} actionID := "abc123" - action := &fleetapi.ActionConfigChange{ + action := &fleetapi.ActionPolicyChange{ ActionID: actionID, - ActionType: "CONFIG_CHANGE", - Config: config, + ActionType: "POLICY_CHANGE", + Policy: config, } - handler := &handlerConfigChange{log: log, emitter: emitter.Emitter} + handler := &handlerPolicyChange{log: log, emitter: emitter.Emitter} err := handler.Handle(context.Background(), action, tacker) require.NoError(t, err) diff --git a/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go b/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go index c98f9b8e015..c5712646cfb 100644 --- a/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go +++ b/x-pack/elastic-agent/pkg/agent/application/info/agent_metadata.go @@ -10,6 +10,7 @@ import ( "runtime" "strings" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" "github.com/elastic/go-sysinfo" "github.com/elastic/go-sysinfo/types" @@ -33,6 +34,12 @@ type AgentECSMeta struct { ID string `json:"id"` // Version specifies current version of an agent. Version string `json:"version"` + // Snapshot is a flag specifying that the agent used is a snapshot build. + Snapshot bool `json:"snapshot"` + // BuildOriginal is an extended build information for the agent. + BuildOriginal string `json:"build.original"` + // Upgradeable is a flag specifying if it is possible for agent to be upgraded. + Upgradeable bool `json:"upgradeable"` } // SystemECSMeta is a collection of operating system metadata in ECS compliant object form. @@ -126,8 +133,13 @@ func (i *AgentInfo) ECSMetadata() (*ECSMeta, error) { return &ECSMeta{ Elastic: &ElasticECSMeta{ Agent: &AgentECSMeta{ - ID: i.agentID, - Version: release.Version(), + ID: i.agentID, + Version: release.Version(), + Snapshot: release.Snapshot(), + BuildOriginal: release.Info().String(), + // only upgradeable if running from Agent installer and running under the + // control of the system supervisor (or built specifically with upgrading enabled) + Upgradeable: release.Upgradeable() || (install.RunningInstalled() && install.RunningUnderSupervisor()), }, }, Host: &HostECSMeta{ diff --git a/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go index 2c53fc62bf2..edf1ad8cdf2 100644 --- a/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go +++ b/x-pack/elastic-agent/pkg/agent/application/inspect_config_cmd.go @@ -106,13 +106,13 @@ func loadFleetConfig(cfg *config.Config) (map[string]interface{}, error) { } for _, c := range as.Actions() { - cfgChange, ok := c.(*fleetapi.ActionConfigChange) + cfgChange, ok := c.(*fleetapi.ActionPolicyChange) if !ok { continue } fmt.Println("Action ID:", cfgChange.ID()) - return cfgChange.Config, nil + return cfgChange.Policy, nil } return nil, nil } diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go index a4e4bf92379..12a9c242780 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode.go @@ -207,8 +207,8 @@ func newManaged( acker) actionDispatcher.MustRegister( - &fleetapi.ActionConfigChange{}, - &handlerConfigChange{ + &fleetapi.ActionPolicyChange{}, + &handlerPolicyChange{ log: log, emitter: emit, }, diff --git a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go index 9b51016a126..81f2419f936 100644 --- a/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/managed_mode_test.go @@ -40,8 +40,8 @@ func TestManagedModeRouting(t *testing.T) { require.NoError(t, err) actionDispatcher.MustRegister( - &fleetapi.ActionConfigChange{}, - &handlerConfigChange{ + &fleetapi.ActionPolicyChange{}, + &handlerPolicyChange{ log: log, emitter: emit, }, @@ -100,9 +100,9 @@ const fleetResponse = ` "action": "checkin", "actions": [{ "agent_id": "17e93530-7f42-11ea-9330-71e968b29fa4", - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "data": { - "config": { + "policy": { "id": "86561d50-7f3b-11ea-9fab-3db3bdb4efa4", "outputs": { "default": { diff --git a/x-pack/elastic-agent/pkg/agent/application/paths/paths.go b/x-pack/elastic-agent/pkg/agent/application/paths/paths.go index 48544ec7593..b646f3796ba 100644 --- a/x-pack/elastic-agent/pkg/agent/application/paths/paths.go +++ b/x-pack/elastic-agent/pkg/agent/application/paths/paths.go @@ -6,121 +6,87 @@ package paths import ( "flag" + "fmt" "os" "path/filepath" - "runtime" - "sync" + "strings" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" ) var ( - homePath string - configPath string - dataPath string - logsPath string - serviceName string - - overridesLoader sync.Once + topPath string + configPath string + logsPath string ) func init() { - initialHome := initialHome() + topPath = initialTop() + configPath = topPath + logsPath = topPath fs := flag.CommandLine - fs.StringVar(&homePath, "path.home", initialHome, "Agent root path") - fs.StringVar(&configPath, "path.config", initialHome, "Config path is the directory Agent looks for its config file") - fs.StringVar(&dataPath, "path.data", filepath.Join(initialHome, "data"), "Data path contains Agent managed binaries") - fs.StringVar(&logsPath, "path.logs", initialHome, "Logs path contains Agent log output") + fs.StringVar(&topPath, "path.home", topPath, "Agent root path") + fs.StringVar(&configPath, "path.config", configPath, "Config path is the directory Agent looks for its config file") + fs.StringVar(&logsPath, "path.logs", logsPath, "Logs path contains Agent log output") } -// UpdatePaths update paths based on changes in paths file. -func UpdatePaths() { - getOverrides() -} - -func getOverrides() { - type paths struct { - HomePath string `config:"path.home" yaml:"path.home"` - ConfigPath string `config:"path.config" yaml:"path.config"` - DataPath string `config:"path.data" yaml:"path.data"` - LogsPath string `config:"path.logs" yaml:"path.logs"` - ServiceName string `config:"path.service_name" yaml:"path.service_name"` - } - - defaults := &paths{ - HomePath: homePath, - ConfigPath: configPath, - DataPath: dataPath, - LogsPath: logsPath, - } - - pathsFile := filepath.Join(dataPath, "paths.yml") - rawConfig, err := config.LoadYAML(pathsFile) - if err != nil { - return - } - - rawConfig.Unpack(defaults) - homePath = defaults.HomePath - configPath = defaults.ConfigPath - dataPath = defaults.DataPath - logsPath = defaults.LogsPath - serviceName = defaults.ServiceName -} - -// ServiceName return predefined service name if defined by initial call. -func ServiceName() string { - // needs to do this at this place because otherwise it will - // get overwritten by flags behavior. - overridesLoader.Do(getOverrides) - return serviceName +// Top returns the top directory for Elastic Agent, all the versioned +// home directories live under this top-level/data/elastic-agent-${hash} +func Top() string { + return topPath } // Home returns a directory where binary lives -// Executable is not supported on nacl. func Home() string { - overridesLoader.Do(getOverrides) - return homePath + return versionedHome(topPath) } // Config returns a directory where configuration file lives func Config() string { - overridesLoader.Do(getOverrides) return configPath } // Data returns the data directory for Agent func Data() string { - overridesLoader.Do(getOverrides) - return dataPath + return filepath.Join(Top(), "data") } // Logs returns a the log directory for Agent func Logs() string { - overridesLoader.Do(getOverrides) return logsPath } +// initialTop returns the initial top-level path for the binary +// +// When nested in top-level/data/elastic-agent-${hash}/ the result is top-level/. +func initialTop() string { + exePath := retrieveExecutablePath() + if insideData(exePath) { + return filepath.Dir(filepath.Dir(exePath)) + } + return exePath +} + +// retrieveExecutablePath returns the executing binary, even if the started binary was a symlink func retrieveExecutablePath() string { execPath, err := os.Executable() if err != nil { panic(err) } - evalPath, err := filepath.EvalSymlinks(execPath) if err != nil { panic(err) } - return filepath.Dir(evalPath) } -func initialHome() string { - exePath := retrieveExecutablePath() - if runtime.GOOS == "windows" { - return exePath - } +// insideData returns true when the exePath is inside of the current Agents data path. +func insideData(exePath string) bool { + expectedPath := filepath.Join("data", fmt.Sprintf("elastic-agent-%s", release.ShortCommit())) + return strings.HasSuffix(exePath, expectedPath) +} - return filepath.Dir(filepath.Dir(exePath)) // is two level up the executable (symlink evaluated) +func versionedHome(base string) string { + return filepath.Join(base, "data", fmt.Sprintf("elastic-agent-%s", release.ShortCommit())) } diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go index 0d8253bb9ca..53920e6ecff 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_mark.go @@ -6,11 +6,8 @@ package upgrade import ( "context" - "fmt" "io/ioutil" - "os" "path/filepath" - "runtime" "time" "gopkg.in/yaml.v2" @@ -41,10 +38,6 @@ type updateMarker struct { // markUpgrade marks update happened so we can handle grace period func (h *Upgrader) markUpgrade(ctx context.Context, hash string, action *fleetapi.ActionUpgrade) error { - if err := updateHomePath(hash); err != nil { - return err - } - prevVersion := release.Version() prevHash := release.Commit() if len(prevHash) > hashLen { @@ -69,55 +62,10 @@ func (h *Upgrader) markUpgrade(ctx context.Context, hash string, action *fleetap return errors.New(err, errors.TypeFilesystem, "failed to create update marker file", errors.M(errors.MetaKeyPath, markerPath)) } - activeCommitPath := filepath.Join(paths.Config(), agentCommitFile) + activeCommitPath := filepath.Join(paths.Top(), agentCommitFile) if err := ioutil.WriteFile(activeCommitPath, []byte(hash), 0644); err != nil { return errors.New(err, errors.TypeFilesystem, "failed to update active commit", errors.M(errors.MetaKeyPath, activeCommitPath)) } return nil } - -func updateHomePath(hash string) error { - if err := createPathsSymlink(hash); err != nil { - return errors.New(err, errors.TypeFilesystem, "failed to create paths symlink") - } - - pathsMap := make(map[string]string) - pathsFilepath := filepath.Join(paths.Data(), "paths.yml") - - pathsBytes, err := ioutil.ReadFile(pathsFilepath) - if err != nil { - return errors.New(err, errors.TypeConfig, "failed to read paths file") - } - - if err := yaml.Unmarshal(pathsBytes, &pathsMap); err != nil { - return errors.New(err, errors.TypeConfig, "failed to parse paths file") - } - - pathsMap["path.home"] = filepath.Join(filepath.Dir(paths.Home()), fmt.Sprintf("%s-%s", agentName, hash)) - - pathsBytes, err = yaml.Marshal(pathsMap) - if err != nil { - return errors.New(err, errors.TypeConfig, "failed to marshal paths file") - } - - return ioutil.WriteFile(pathsFilepath, pathsBytes, 0740) -} - -func createPathsSymlink(hash string) error { - // only on windows, as windows resolves PWD using symlinks in a different way. - // we create symlink for each versioned agent inside `data/` directory - // on other systems path is shared - if runtime.GOOS != "windows" { - return nil - } - - dir := filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash)) - versionedPath := filepath.Join(dir, "data", "paths.yml") - if err := os.MkdirAll(filepath.Dir(versionedPath), 0700); err != nil { - return err - } - - pathsCfgPath := filepath.Join(paths.Data(), "paths.yml") - return os.Symlink(pathsCfgPath, versionedPath) -} diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go index 48d22de36cf..7cbd78d4849 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_relink.go @@ -21,22 +21,22 @@ func (u *Upgrader) changeSymlink(ctx context.Context, newHash string) error { // create symlink to elastic-agent-{hash} hashedDir := fmt.Sprintf("%s-%s", agentName, newHash) - agentBakName := agentName + ".bak" - symlinkPath := filepath.Join(paths.Config(), agentName) - newPath := filepath.Join(paths.Data(), hashedDir, agentName) + agentPrevName := agentName + ".prev" + symlinkPath := filepath.Join(paths.Top(), agentName) + newPath := filepath.Join(paths.Top(), "data", hashedDir, agentName) // handle windows suffixes if runtime.GOOS == "windows" { - agentBakName = agentName + ".exe.back" //.bak is already used + agentPrevName = agentName + ".exe.prev" symlinkPath += ".exe" newPath += ".exe" } - bakNewPath := filepath.Join(paths.Config(), agentBakName) - if err := os.Symlink(newPath, bakNewPath); err != nil { + prevNewPath := filepath.Join(paths.Top(), agentPrevName) + if err := os.Symlink(newPath, prevNewPath); err != nil { return errors.New(err, errors.TypeFilesystem, "failed to update agent symlink") } // safely rotate - return file.SafeFileRotate(symlinkPath, bakNewPath) + return file.SafeFileRotate(symlinkPath, prevNewPath) } diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go index ae3d05edd16..8efb2de2140 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/step_unpack.go @@ -23,8 +23,8 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" ) -// untar unpacks archive correctly, skips root (symlink, config...) unpacks data/* -func (u *Upgrader) unpack(ctx context.Context, version, sourceURI, archivePath string) (string, error) { +// unpack unpacks archive correctly, skips root (symlink, config...) unpacks data/* +func (u *Upgrader) unpack(ctx context.Context, version, archivePath string) (string, error) { // unpack must occur in directory that holds the installation directory // or the extraction will be double nested var hash string diff --git a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go index 08c38aba8c5..cac36ef7922 100644 --- a/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go +++ b/x-pack/elastic-agent/pkg/agent/application/upgrade/upgrade.go @@ -17,6 +17,7 @@ import ( "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/info" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/fleetapi" @@ -32,11 +33,12 @@ const ( // Upgrader performs an upgrade type Upgrader struct { - settings *artifact.Config - log *logger.Logger - closers []context.CancelFunc - reexec reexecManager - acker acker + settings *artifact.Config + log *logger.Logger + closers []context.CancelFunc + reexec reexecManager + acker acker + upgradeable bool } type reexecManager interface { @@ -51,22 +53,35 @@ type acker interface { // NewUpgrader creates an upgrader which is capable of performing upgrade operation func NewUpgrader(settings *artifact.Config, log *logger.Logger, closers []context.CancelFunc, reexec reexecManager, a acker) *Upgrader { return &Upgrader{ - settings: settings, - log: log, - closers: closers, - reexec: reexec, - acker: a, + settings: settings, + log: log, + closers: closers, + reexec: reexec, + acker: a, + upgradeable: getUpgradable(), } } +// Upgradeable returns true if the Elastic Agent can be upgraded. +func (u *Upgrader) Upgradeable() bool { + return u.upgradeable +} + // Upgrade upgrades running agent func (u *Upgrader) Upgrade(ctx context.Context, a *fleetapi.ActionUpgrade) error { - archivePath, err := u.downloadArtifact(ctx, a.Version, a.SourceURI) + if !u.upgradeable { + return fmt.Errorf( + "cannot be upgraded; must be installed with install sub-command and " + + "running under control of the systems supervisor") + } + + sourceURI, err := u.sourceURI(a.Version, a.SourceURI) + archivePath, err := u.downloadArtifact(ctx, a.Version, sourceURI) if err != nil { return err } - newHash, err := u.unpack(ctx, a.Version, a.SourceURI, archivePath) + newHash, err := u.unpack(ctx, a.Version, archivePath) if err != nil { return err } @@ -133,16 +148,27 @@ func (u *Upgrader) Ack(ctx context.Context) error { return ioutil.WriteFile(markerFile, markerBytes, 0600) } +func (u *Upgrader) sourceURI(version, retrievedURI string) (string, error) { + if strings.HasSuffix(version, "-SNAPSHOT") && retrievedURI == "" { + return "", errors.New("snapshot upgrade requires source uri", errors.TypeConfig) + } + if retrievedURI != "" { + return retrievedURI, nil + } -func isSubdir(base, target string) (bool, error) { - relPath, err := filepath.Rel(base, target) - return strings.HasPrefix(relPath, ".."), err + return u.settings.SourceURI, nil } func rollbackInstall(hash string) { os.RemoveAll(filepath.Join(paths.Data(), fmt.Sprintf("%s-%s", agentName, hash))) } +func getUpgradable() bool { + // only upgradeable if running from Agent installer and running under the + // control of the system supervisor (or built specifically with upgrading enabled) + return release.Upgradeable() || (install.RunningInstalled() && install.RunningUnderSupervisor()) +} + func copyActionStore(newHash string) error { currentActionStorePath := info.AgentActionStoreFile() diff --git a/x-pack/elastic-agent/pkg/agent/cmd/checks.go b/x-pack/elastic-agent/pkg/agent/cmd/checks.go deleted file mode 100644 index 4fee7497009..00000000000 --- a/x-pack/elastic-agent/pkg/agent/cmd/checks.go +++ /dev/null @@ -1,57 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// +build !windows - -package cmd - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - - "github.com/spf13/cobra" - - // import logp flags - _ "github.com/elastic/beats/v7/libbeat/logp/configure" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" -) - -// preRunCheck is noop because -// - darwin.tar - symlink created during packaging -// - linux.tar - symlink created during packaging -// - linux.rpm - symlink created using install script -// - linux.deb - symlink created using install script -// - linux.docker - symlink created using Dockerfile -func preRunCheck(flags *globalFlags) func(cmd *cobra.Command, args []string) error { - return func(cmd *cobra.Command, args []string) error { - if sn := paths.ServiceName(); sn != "" { - // paths were created we're running as child. - return nil - } - - // get versioned path - smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit())) - commitFilepath := filepath.Join(paths.Config(), commitFile) // use other file in the future - if content, err := ioutil.ReadFile(commitFilepath); err == nil { - smallHash = hashedDirName(content) - } - - origExecPath, err := os.Executable() - if err != nil { - return err - } - reexecPath := filepath.Join(paths.Data(), smallHash, filepath.Base(origExecPath)) - - // generate paths - if err := generatePaths(filepath.Dir(reexecPath), origExecPath); err != nil { - return err - } - - paths.UpdatePaths() - return nil - } -} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go b/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go deleted file mode 100644 index 36108c8e08b..00000000000 --- a/x-pack/elastic-agent/pkg/agent/cmd/checks_windows.go +++ /dev/null @@ -1,114 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -// +build windows - -package cmd - -import ( - "fmt" - "io/ioutil" - "os" - "path/filepath" - - "github.com/spf13/cobra" - - // import logp flags - _ "github.com/elastic/beats/v7/libbeat/logp/configure" - - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/reexec" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/configuration" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger" - "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" -) - -func preRunCheck(flags *globalFlags) func(cmd *cobra.Command, args []string) error { - return func(cmd *cobra.Command, args []string) error { - if sn := paths.ServiceName(); sn != "" { - // replacing with correct service name so we - // can talk to service manager. - if !filepath.IsAbs(os.Args[0]) { - os.Args[0] = sn - } - - // paths were created we're running as child. - return nil - } - - smallHash := fmt.Sprintf("elastic-agent-%s", smallHash(release.Commit())) - commitFilepath := filepath.Join(paths.Config(), commitFile) - if content, err := ioutil.ReadFile(commitFilepath); err == nil { - smallHash = hashedDirName(content) - } - - // rename itself - origExecPath, err := os.Executable() - if err != nil { - return err - } - - if err := os.Rename(origExecPath, origExecPath+".bak"); err != nil { - return err - } - - // create symlink to elastic-agent-{hash} - reexecPath := filepath.Join(paths.Data(), smallHash, filepath.Base(origExecPath)) - if err := os.Symlink(reexecPath, origExecPath); err != nil { - return err - } - - // generate paths - if err := generatePaths(filepath.Dir(reexecPath), origExecPath); err != nil { - return err - } - - paths.UpdatePaths() - - // reexec if running run - if cmd.Use == "run" { - pathConfigFile := flags.Config() - rawConfig, err := config.LoadYAML(pathConfigFile) - if err != nil { - return errors.New(err, - fmt.Sprintf("could not read configuration file %s", pathConfigFile), - errors.TypeFilesystem, - errors.M(errors.MetaKeyPath, pathConfigFile)) - } - - cfg, err := configuration.NewFromConfig(rawConfig) - if err != nil { - return errors.New(err, - fmt.Sprintf("could not parse configuration file %s", pathConfigFile), - errors.TypeFilesystem, - errors.M(errors.MetaKeyPath, pathConfigFile)) - } - - logger, err := logger.NewFromConfig("", cfg.Settings.LoggingConfig) - if err != nil { - return err - } - - rexLogger := logger.Named("reexec") - rm := reexec.NewManager(rexLogger, reexecPath) - - argsOverrides := []string{ - "--path.data", paths.Data(), - "--path.home", filepath.Dir(reexecPath), - "--path.config", paths.Config(), - } - rm.ReExec(argsOverrides...) - - // trigger reexec - rm.ShutdownComplete() - - // return without running Run method - os.Exit(0) - } - - return nil - } -} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/common.go b/x-pack/elastic-agent/pkg/agent/cmd/common.go index d5c195566bd..8ca5700f3c6 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/common.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/common.go @@ -6,15 +6,10 @@ package cmd import ( "flag" - "fmt" - "io/ioutil" "os" "path/filepath" - "runtime" - "strings" "github.com/spf13/cobra" - "gopkg.in/yaml.v2" // import logp flags _ "github.com/elastic/beats/v7/libbeat/logp/configure" @@ -58,7 +53,6 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command { // path flags cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.home")) cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.config")) - cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.data")) cmd.PersistentFlags().AddGoFlag(flag.CommandLine.Lookup("path.logs")) cmd.PersistentFlags().StringVarP(&flags.PathConfigFile, "c", "c", defaultConfig, `Configuration file, relative to path.config`) @@ -72,6 +66,8 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command { run := newRunCommandWithArgs(flags, args, streams) cmd.AddCommand(basecmd.NewDefaultCommandsWithArgs(args, streams)...) cmd.AddCommand(run) + cmd.AddCommand(newInstallCommandWithArgs(flags, args, streams)) + cmd.AddCommand(newUninstallCommandWithArgs(flags, args, streams)) cmd.AddCommand(newEnrollCommandWithArgs(flags, args, streams)) cmd.AddCommand(newInspectCommandWithArgs(flags, args, streams)) @@ -80,58 +76,7 @@ func NewCommandWithArgs(args []string, streams *cli.IOStreams) *cobra.Command { if reexec != nil { cmd.AddCommand(reexec) } - cmd.PersistentPreRunE = preRunCheck(flags) cmd.Run = run.Run return cmd } - -func hashedDirName(filecontent []byte) string { - s := strings.TrimSpace(string(filecontent)) - if len(s) == 0 { - return "elastic-agent" - } - - s = smallHash(s) - - return fmt.Sprintf("elastic-agent-%s", s) -} - -func smallHash(hash string) string { - if len(hash) > hashLen { - hash = hash[:hashLen] - } - - return hash -} - -func generatePaths(dir, origExec string) error { - pathsCfg := map[string]interface{}{ - "path.data": paths.Data(), - "path.home": dir, - "path.config": paths.Config(), - "path.service_name": origExec, - } - - pathsCfgPath := filepath.Join(paths.Data(), "paths.yml") - pathsContent, err := yaml.Marshal(pathsCfg) - if err != nil { - return err - } - - if err := ioutil.WriteFile(pathsCfgPath, pathsContent, 0740); err != nil { - return err - } - - if runtime.GOOS == "windows" { - // due to two binaries we need to do a path dance - // as versioned binary will look for path inside it's own directory - versionedPath := filepath.Join(dir, "data", "paths.yml") - if err := os.MkdirAll(filepath.Dir(versionedPath), 0700); err != nil { - return err - } - return os.Symlink(pathsCfgPath, versionedPath) - } - - return nil -} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go index 6749b57b250..6a604554136 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/enroll.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/enroll.go @@ -42,18 +42,55 @@ func newEnrollCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStr }, } + addEnrollFlags(cmd) + cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + cmd.Flags().Bool("no-restart", false, "Skip restarting the currently running daemon") + + // used by install command + cmd.Flags().BoolP("from-install", "", false, "Set by install command to signal this was executed from install") + cmd.Flags().MarkHidden("from-install") + + return cmd +} + +func addEnrollFlags(cmd *cobra.Command) { cmd.Flags().StringP("certificate-authorities", "a", "", "Comma separated list of root certificate for server verifications") cmd.Flags().StringP("ca-sha256", "p", "", "Comma separated list of certificate authorities hash pins used for certificate verifications") - cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") cmd.Flags().BoolP("insecure", "i", false, "Allow insecure connection to Kibana") cmd.Flags().StringP("staging", "", "", "Configures agent to download artifacts from a staging build") - cmd.Flags().Bool("no-restart", false, "Skip restarting the currently running daemon") +} - return cmd +func buildEnrollmentFlags(cmd *cobra.Command) []string { + ca, _ := cmd.Flags().GetString("certificate-authorities") + sha256, _ := cmd.Flags().GetString("ca-sha256") + insecure, _ := cmd.Flags().GetBool("insecure") + staging, _ := cmd.Flags().GetString("staging") + + args := []string{} + if ca != "" { + args = append(args, "--certificate-authorities") + args = append(args, ca) + } + if sha256 != "" { + args = append(args, "--ca-sha256") + args = append(args, sha256) + } + if insecure { + args = append(args, "--insecure") + } + if staging != "" { + args = append(args, "--staging") + args = append(args, staging) + } + return args } func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { - warn.PrintNotGA(streams.Out) + fromInstall, _ := cmd.Flags().GetBool("from-install") + if !fromInstall { + warn.PrintNotGA(streams.Out) + } + pathConfigFile := flags.Config() rawConfig, err := application.LoadConfigFromFile(pathConfigFile) if err != nil { @@ -79,13 +116,16 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args } force, _ := cmd.Flags().GetBool("force") + if fromInstall { + force = true + } if !force { confirm, err := c.Confirm("This will replace your current settings. Do you want to continue?", true) if err != nil { return errors.New(err, "problem reading prompt response") } if !confirm { - fmt.Fprintln(streams.Out, "Enrollment was canceled by the user") + fmt.Fprintln(streams.Out, "Enrollment was cancelled by the user") return nil } } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/install.go b/x-pack/elastic-agent/pkg/agent/cmd/install.go new file mode 100644 index 00000000000..177f79912c9 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/install.go @@ -0,0 +1,154 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cmd + +import ( + "fmt" + "os" + "os/exec" + + "github.com/spf13/cobra" + + c "github.com/elastic/beats/v7/libbeat/common/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/warn" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newInstallCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + cmd := &cobra.Command{ + Use: "install", + Short: "Install Elastic Agent permanently on this system", + Long: `This will install Elastic Agent permanently on this system and will become managed by the systems service manager. + +Unless all the require command-line parameters are provided or -f is used this command will ask questions on how you +would like the Agent to operate. +`, + Run: func(c *cobra.Command, args []string) { + if err := installCmd(streams, c, flags, args); err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + }, + } + + cmd.Flags().StringP("kibana-url", "k", "", "URL of Kibana to enroll Agent into Fleet") + cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet") + cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + addEnrollFlags(cmd) + + return cmd +} + +func installCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { + if !install.HasRoot() { + return fmt.Errorf("unable to perform install command, not executed with %s permissions", install.PermissionUser) + } + status, reason := install.Status() + if status == install.Installed { + return fmt.Errorf("already installed at: %s", install.InstallPath) + } + + warn.PrintNotGA(streams.Out) + force, _ := cmd.Flags().GetBool("force") + if status == install.Broken { + if !force { + fmt.Fprintf(streams.Out, "Elastic Agent is installed but currently broken: %s\n", reason) + confirm, err := c.Confirm(fmt.Sprintf("Continuing will re-install Elastic Agent over the current installation at %s. Do you want to continue?", install.InstallPath), true) + if err != nil { + return fmt.Errorf("Error: problem reading prompt response") + } + if !confirm { + return fmt.Errorf("installation was cancelled by the user") + } + } + } else { + if !force { + confirm, err := c.Confirm(fmt.Sprintf("Elastic Agent will be installed at %s and will run as a service. Do you want to continue?", install.InstallPath), true) + if err != nil { + return fmt.Errorf("Error: problem reading prompt response") + } + if !confirm { + return fmt.Errorf("installation was cancelled by the user") + } + } + } + + err := install.Install() + if err != nil { + return fmt.Errorf("Error: %s", err) + } + err = install.StartService() + if err != nil { + fmt.Fprintf(streams.Out, "Installation of required system files was successful, but starting of the service failed.\n") + return err + } + fmt.Fprintf(streams.Out, "Installation was successful and Elastic Agent is running.\n") + + askEnroll := true + kibana, _ := cmd.Flags().GetString("kibana-url") + token, _ := cmd.Flags().GetString("enrollment-token") + if kibana != "" && token != "" { + askEnroll = false + } + if force { + askEnroll = false + } + if askEnroll { + confirm, err := c.Confirm("Do you want to enroll this Agent into Fleet?", true) + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if !confirm { + // not enrolling, all done (standalone mode) + return nil + } + } + if !askEnroll && (kibana == "" || token == "") { + // force was performed without required enrollment arguments, all done (standalone mode) + return nil + } + + if kibana == "" { + kibana, err = c.ReadInput("Kibana URL you want to enroll this Agent into:") + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if kibana == "" { + fmt.Fprintf(streams.Out, "Enrollment cancelled because no URL was provided.\n") + return nil + } + } + if token == "" { + token, err = c.ReadInput("Fleet enrollment token:") + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if token == "" { + fmt.Fprintf(streams.Out, "Enrollment cancelled because no enrollment token was provided.\n") + return nil + } + } + + enrollArgs := []string{"enroll", kibana, token, "--from-install"} + enrollArgs = append(enrollArgs, buildEnrollmentFlags(cmd)...) + enrollCmd := exec.Command(install.ExecutablePath(), enrollArgs...) + enrollCmd.Stdin = os.Stdin + enrollCmd.Stdout = os.Stdout + enrollCmd.Stderr = os.Stderr + err = enrollCmd.Start() + if err != nil { + return fmt.Errorf("failed to execute enroll command: %s", err) + } + err = enrollCmd.Wait() + if err == nil { + return nil + } + exitErr, ok := err.(*exec.ExitError) + if ok { + return fmt.Errorf("enroll command failed with exit code: %d", exitErr.ExitCode()) + } + return fmt.Errorf("enroll command failed for unknown reason: %s", err) +} diff --git a/x-pack/elastic-agent/pkg/agent/cmd/uninstall.go b/x-pack/elastic-agent/pkg/agent/cmd/uninstall.go new file mode 100644 index 00000000000..d215a15e337 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/cmd/uninstall.go @@ -0,0 +1,95 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package cmd + +import ( + "fmt" + "os" + "os/exec" + "path/filepath" + "runtime" + + "github.com/spf13/cobra" + + c "github.com/elastic/beats/v7/libbeat/common/cli" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/cli" +) + +func newUninstallCommandWithArgs(flags *globalFlags, _ []string, streams *cli.IOStreams) *cobra.Command { + cmd := &cobra.Command{ + Use: "uninstall", + Short: "Uninstall permanent Elastic Agent from this system", + Long: `This will uninstall permanent Elastic Agent from this system and will no longer be managed by this system. + +Unless -f is used this command will ask confirmation before performing removal. +`, + Run: func(c *cobra.Command, args []string) { + if err := uninstallCmd(streams, c, flags, args); err != nil { + fmt.Fprintf(streams.Err, "%v\n", err) + os.Exit(1) + } + }, + } + + cmd.Flags().BoolP("force", "f", false, "Force overwrite the current and do not prompt for confirmation") + + return cmd +} + +func uninstallCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error { + if !install.HasRoot() { + return fmt.Errorf("unable to perform uninstall command, not executed with %s permissions", install.PermissionUser) + } + status, reason := install.Status() + if status == install.NotInstalled { + return fmt.Errorf("not installed") + } + if status == install.Installed && !install.RunningInstalled() { + return fmt.Errorf("can only be uninstall by executing the installed Elastic Agent at: %s", install.ExecutablePath()) + } + + force, _ := cmd.Flags().GetBool("force") + if status == install.Broken { + if !force { + fmt.Fprintf(streams.Out, "Elastic Agent is installed but currently broken: %s\n", reason) + confirm, err := c.Confirm(fmt.Sprintf("Continuing will uninstall the broken Elastic Agent at %s. Do you want to continue?", install.InstallPath), true) + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if !confirm { + return fmt.Errorf("uninstall was cancelled by the user") + } + } + } else { + if !force { + confirm, err := c.Confirm(fmt.Sprintf("Elastic Agent will be uninstalled from your system at %s. Do you want to continue?", install.InstallPath), true) + if err != nil { + return fmt.Errorf("problem reading prompt response") + } + if !confirm { + return fmt.Errorf("uninstall was cancelled by the user") + } + } + } + + err := install.Uninstall() + if err != nil { + return err + } + fmt.Fprintf(streams.Out, "Elastic Agent has been uninstalled.\n") + + if runtime.GOOS == "windows" { + // The installation path will still exists because we are executing from that + // directory. So cmd.exe is spawned that sleeps for 2 seconds (using ping, recommend way from + // from Windows) then rmdir is performed. + rmdir := exec.Command( + filepath.Join(os.Getenv("windir"), "system32", "cmd.exe"), + "/C", "ping", "-n", "2", "127.0.0.1", "&&", "rmdir", "/s", "/q", install.InstallPath) + _ = rmdir.Start() + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/control/addr.go b/x-pack/elastic-agent/pkg/agent/control/addr.go index 20bc1e6a005..31005e8e34d 100644 --- a/x-pack/elastic-agent/pkg/agent/control/addr.go +++ b/x-pack/elastic-agent/pkg/agent/control/addr.go @@ -11,10 +11,17 @@ import ( "fmt" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" ) // Address returns the address to connect to Elastic Agent daemon. func Address() string { + // when installed the control address is fixed + if install.RunningInstalled() { + return install.SocketPath + } + + // not install, adjust the path based on data path data := paths.Data() // entire string cannot be longer than 107 characters, this forces the // length to always be 88 characters (but unique per data path) diff --git a/x-pack/elastic-agent/pkg/agent/control/addr_windows.go b/x-pack/elastic-agent/pkg/agent/control/addr_windows.go index bf2e164fbae..cbfcdf2c99e 100644 --- a/x-pack/elastic-agent/pkg/agent/control/addr_windows.go +++ b/x-pack/elastic-agent/pkg/agent/control/addr_windows.go @@ -11,10 +11,17 @@ import ( "fmt" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/application/paths" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/install" ) // Address returns the address to connect to Elastic Agent daemon. func Address() string { + // when installed the control address is fixed + if install.RunningInstalled() { + return install.SocketPath + } + + // not install, adjust the path based on data path data := paths.Data() // entire string cannot be longer than 256 characters, this forces the // length to always be 87 characters (but unique per data path) diff --git a/x-pack/elastic-agent/pkg/agent/control/server/listener.go b/x-pack/elastic-agent/pkg/agent/control/server/listener.go index 7edfc7b8ee9..3090f3d140d 100644 --- a/x-pack/elastic-agent/pkg/agent/control/server/listener.go +++ b/x-pack/elastic-agent/pkg/agent/control/server/listener.go @@ -8,7 +8,6 @@ package server import ( "fmt" - "net" "os" "path/filepath" diff --git a/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go b/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go index f98c32bcee3..eaedc9f88f2 100644 --- a/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go +++ b/x-pack/elastic-agent/pkg/agent/control/server/listener_windows.go @@ -10,6 +10,8 @@ import ( "net" "os/user" + "github.com/pkg/errors" + "github.com/elastic/beats/v7/libbeat/api/npipe" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/control" @@ -18,11 +20,7 @@ import ( // createListener creates a named pipe listener on Windows func createListener(_ *logger.Logger) (net.Listener, error) { - u, err := user.Current() - if err != nil { - return nil, err - } - sd, err := npipe.DefaultSD(u.Username) + sd, err := securityDescriptor() if err != nil { return nil, err } @@ -32,3 +30,26 @@ func createListener(_ *logger.Logger) (net.Listener, error) { func cleanupListener(_ *logger.Logger) { // nothing to do on windows } + +func securityDescriptor() (string, error) { + u, err := user.Current() + if err != nil { + return "", errors.Wrap(err, "failed to get current user") + } + // Named pipe security and access rights. + // We create the pipe and the specific users should only be able to write to it. + // See docs: https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights + // String definition: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings + // Give generic read/write access to the specified user. + descriptor := "D:P(A;;GA;;;" + u.Uid + ")" + if u.Username == "NT AUTHORITY\\SYSTEM" { + // running as SYSTEM, include Administrators group so Administrators can talk over + // the named pipe to the running Elastic Agent system process + admin, err := user.LookupGroup("Administrators") + if err != nil { + return "", errors.Wrap(err, "failed to lookup Administrators group") + } + descriptor += "(A;;GA;;;" + admin.Gid + ")" + } + return descriptor, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/install/install.go b/x-pack/elastic-agent/pkg/agent/install/install.go new file mode 100644 index 00000000000..2705ea0bfd9 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/install.go @@ -0,0 +1,142 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "fmt" + "io/ioutil" + "os" + "path/filepath" + "strings" + + "github.com/otiai10/copy" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +// Install installs Elastic Agent persistently on the system including creating and starting its service. +func Install() error { + dir, err := findDirectory() + if err != nil { + return errors.New(err, "failed to discover the source directory for installation", errors.TypeFilesystem) + } + + // uninstall current installation + err = Uninstall() + if err != nil { + return err + } + + // ensure parent directory exists, copy source into install path + err = os.MkdirAll(filepath.Dir(InstallPath), 0755) + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to create installation parent directory (%s)", filepath.Dir(InstallPath)), + errors.M("directory", filepath.Dir(InstallPath))) + } + err = copy.Copy(dir, InstallPath, copy.Options{ + OnSymlink: func(_ string) copy.SymlinkAction { + return copy.Shallow + }, + Sync: true, + }) + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to copy source directory (%s) to destination (%s)", dir, InstallPath), + errors.M("source", dir), errors.M("destination", InstallPath)) + } + + // place shell wrapper, if present on platform + if ShellWrapperPath != "" { + err = ioutil.WriteFile(ShellWrapperPath, []byte(ShellWrapper), 0755) + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to write shell wrapper (%s)", ShellWrapperPath), + errors.M("destination", ShellWrapperPath)) + } + } + + // post install (per platform) + err = postInstall() + if err != nil { + return err + } + + // install service + svc, err := newService() + if err != nil { + return err + } + err = svc.Install() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to install service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + return nil +} + +// StartService starts the installed service. +// +// This should only be called after Install is successful. +func StartService() error { + svc, err := newService() + if err != nil { + return err + } + err = svc.Start() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to start service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + return nil +} + +// findDirectory returns the directory to copy into the installation location. +// +// This also verifies that the discovered directory is a valid directory for installation. +func findDirectory() (string, error) { + execPath, err := os.Executable() + if err != nil { + return "", err + } + execPath, err = filepath.Abs(execPath) + if err != nil { + return "", err + } + sourceDir := filepath.Dir(execPath) + if insideData(sourceDir) { + // executable path is being reported as being down inside of data path + // move up to directories to perform the copy + sourceDir = filepath.Dir(filepath.Dir(sourceDir)) + } + err = verifyDirectory(sourceDir) + if err != nil { + return "", err + } + return sourceDir, nil +} + +// verifyDirectory ensures that the directory includes the executable. +func verifyDirectory(dir string) error { + _, err := os.Stat(filepath.Join(dir, BinaryName)) + if os.IsNotExist(err) { + return fmt.Errorf("missing %s", BinaryName) + } + return nil +} + +// insideData returns true when the exePath is inside of the current Agents data path. +func insideData(exePath string) bool { + expectedPath := filepath.Join("data", fmt.Sprintf("elastic-agent-%s", release.ShortCommit())) + return strings.HasSuffix(exePath, expectedPath) +} diff --git a/x-pack/elastic-agent/pkg/agent/install/install_unix.go b/x-pack/elastic-agent/pkg/agent/install/install_unix.go new file mode 100644 index 00000000000..07d696d580a --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/install_unix.go @@ -0,0 +1,13 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package install + +// postInstall performs post installation for unix-based systems. +func postInstall() error { + // do nothing + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/install/install_windows.go b/x-pack/elastic-agent/pkg/agent/install/install_windows.go new file mode 100644 index 00000000000..ec10467ce79 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/install_windows.go @@ -0,0 +1,35 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package install + +import ( + "fmt" + "os" + "path/filepath" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/release" +) + +// postInstall performs post installation for Windows systems. +func postInstall() error { + // delete the top-level elastic-agent.exe + binary := filepath.Join(InstallPath, BinaryName) + err := os.Remove(binary) + if err != nil { + // do not handle does not exist, it should have existed + return err + } + + // create top-level symlink to nested binary + realBinary := filepath.Join(InstallPath, "data", fmt.Sprintf("elastic-agent-%s", release.ShortCommit()), BinaryName) + err = os.Symlink(realBinary, binary) + if err != nil { + return err + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/install/installed.go b/x-pack/elastic-agent/pkg/agent/install/installed.go new file mode 100644 index 00000000000..9f294078242 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/installed.go @@ -0,0 +1,75 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "os" + "path/filepath" + + "github.com/kardianos/service" +) + +// StatusType is the return status types. +type StatusType int + +const ( + // NotInstalled returned when Elastic Agent is not installed. + NotInstalled StatusType = iota + // Installed returned when Elastic Agent is installed currectly. + Installed + // Broken returned when Elastic Agent is installed but broken. + Broken +) + +// Status returns the installation status of Agent. +func Status() (StatusType, string) { + expected := filepath.Join(InstallPath, BinaryName) + status, reason := checkService() + _, err := os.Stat(expected) + if os.IsNotExist(err) { + if status == Installed { + // service installed, but no install path + return Broken, "service exists but installation path is missing" + } + return NotInstalled, "no install path or service" + } + if status == NotInstalled { + // install path present, but not service + return Broken, reason + } + return Installed, "" +} + +// RunningInstalled returns true when executing Agent is the installed Agent. +// +// This verifies the running executable path based on hard-coded paths +// for each platform type. +func RunningInstalled() bool { + expected := filepath.Join(InstallPath, BinaryName) + execPath, _ := os.Executable() + execPath, _ = filepath.Abs(execPath) + execName := filepath.Base(execPath) + execDir := filepath.Dir(execPath) + if insideData(execDir) { + // executable path is being reported as being down inside of data path + // move up to directories to perform the comparison + execDir = filepath.Dir(filepath.Dir(execDir)) + execPath = filepath.Join(execDir, execName) + } + return expected == execPath +} + +// checkService only checks the status of the service. +func checkService() (StatusType, string) { + svc, err := newService() + if err != nil { + return NotInstalled, "unable to check service status" + } + status, _ := svc.Status() + if status == service.StatusUnknown { + return NotInstalled, "service is not installed" + } + return Installed, "" +} diff --git a/x-pack/elastic-agent/pkg/agent/install/paths.go b/x-pack/elastic-agent/pkg/agent/install/paths.go new file mode 100644 index 00000000000..5936c31926a --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/paths.go @@ -0,0 +1,30 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !darwin +// +build !windows + +package install + +const ( + // BinaryName is the name of the installed binary. + BinaryName = "elastic-agent" + + // InstallPath is the installation path using for install command. + InstallPath = "/opt/Elastic/Agent" + + // SocketPath is the socket path used when installed. + SocketPath = "unix:///run/elastic-agent.sock" + + // ServiceName is the service name when installed. + ServiceName = "elastic-agent" + + // ShellWrapperPath is the path to the installed shell wrapper. + ShellWrapperPath = "/usr/bin/elastic-agent" + + // ShellWrapper is the wrapper that is installed. + ShellWrapper = `#!/bin/sh +exec /opt/Elastic/Agent/elastic-agent $@ +` +) diff --git a/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go b/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go new file mode 100644 index 00000000000..f6ebcdfdbae --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/paths_darwin.go @@ -0,0 +1,29 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build darwin + +package install + +const ( + // BinaryName is the name of the installed binary. + BinaryName = "elastic-agent" + + // InstallPath is the installation path using for install command. + InstallPath = "/Library/Elastic/Agent" + + // SocketPath is the socket path used when installed. + SocketPath = "unix:///var/run/elastic-agent.sock" + + // ServiceName is the service name when installed. + ServiceName = "co.elastic.elastic-agent" + + // ShellWrapperPath is the path to the installed shell wrapper. + ShellWrapperPath = "/usr/local/bin/elastic-agent" + + // ShellWrapper is the wrapper that is installed. + ShellWrapper = `#!/bin/sh +exec /Library/Elastic/Agent/elastic-agent $@ +` +) diff --git a/x-pack/elastic-agent/pkg/agent/install/paths_windows.go b/x-pack/elastic-agent/pkg/agent/install/paths_windows.go new file mode 100644 index 00000000000..3af4c79d941 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/paths_windows.go @@ -0,0 +1,27 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package install + +const ( + // BinaryName is the name of the installed binary. + BinaryName = "elastic-agent.exe" + + // InstallPath is the installation path using for install command. + InstallPath = `C:\Program Files\Elastic\Agent` + + // SocketPath is the socket path used when installed. + SocketPath = `\\.\pipe\elastic-agent-system` + + // ServiceName is the service name when installed. + ServiceName = "Elastic Agent" + + // ShellWrapperPath is the path to the installed shell wrapper. + ShellWrapperPath = "" // no wrapper on Windows + + // ShellWrapper is the wrapper that is installed. + ShellWrapper = "" // no wrapper on Windows +) diff --git a/x-pack/elastic-agent/pkg/agent/install/root_unix.go b/x-pack/elastic-agent/pkg/agent/install/root_unix.go new file mode 100644 index 00000000000..b79f104d98d --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/root_unix.go @@ -0,0 +1,19 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package install + +import "os" + +const ( + // PermissionUser is the permission level the user needs to be. + PermissionUser = "root" +) + +// HasRoot returns true if the user has root permissions. +func HasRoot() bool { + return os.Getegid() == 0 +} diff --git a/x-pack/elastic-agent/pkg/agent/install/root_windows.go b/x-pack/elastic-agent/pkg/agent/install/root_windows.go new file mode 100644 index 00000000000..c72432084ac --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/root_windows.go @@ -0,0 +1,27 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package install + +import ( + "os" +) + +const ( + // PermissionUser is the permission level the user needs to be. + PermissionUser = "Administrator" +) + +// HasRoot returns true if the user has Administrator/SYSTEM permissions. +func HasRoot() bool { + // only valid rights can open the physical drive + f, err := os.Open("\\\\.\\PHYSICALDRIVE0") + if err != nil { + return false + } + defer f.Close() + return true +} diff --git a/x-pack/elastic-agent/pkg/agent/install/svc.go b/x-pack/elastic-agent/pkg/agent/install/svc.go new file mode 100644 index 00000000000..18cbc6d840f --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/svc.go @@ -0,0 +1,38 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "path/filepath" + + "github.com/kardianos/service" +) + +const ( + // ServiceDisplayName is the service display name for the service. + ServiceDisplayName = "Elastic Agent" + + // ServiceDescription is the description for the service. + ServiceDescription = "Elastic Agent is a unified agent to observe, monitor and protect your system." +) + +// ExecutablePath returns the path for the installed Agents executable. +func ExecutablePath() string { + exec := filepath.Join(InstallPath, BinaryName) + if ShellWrapperPath != "" { + exec = ShellWrapperPath + } + return exec +} + +func newService() (service.Service, error) { + return service.New(nil, &service.Config{ + Name: ServiceName, + DisplayName: ServiceDisplayName, + Description: ServiceDescription, + Executable: ExecutablePath(), + WorkingDirectory: InstallPath, + }) +} diff --git a/x-pack/elastic-agent/pkg/agent/install/svc_unix.go b/x-pack/elastic-agent/pkg/agent/install/svc_unix.go new file mode 100644 index 00000000000..c7acb998489 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/svc_unix.go @@ -0,0 +1,15 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build !windows + +package install + +import "os" + +// RunningUnderSupervisor returns true when executing Agent is running under +// the supervisor processes of the OS. +func RunningUnderSupervisor() bool { + return os.Getppid() == 1 +} diff --git a/x-pack/elastic-agent/pkg/agent/install/svc_windows.go b/x-pack/elastic-agent/pkg/agent/install/svc_windows.go new file mode 100644 index 00000000000..9084f3b5ea7 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/svc_windows.go @@ -0,0 +1,49 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// +build windows + +package install + +import ( + "golang.org/x/sys/windows" +) + +// RunningUnderSupervisor returns true when executing Agent is running under +// the supervisor processes of the OS. +func RunningUnderSupervisor() bool { + serviceSid, err := allocSid(windows.SECURITY_SERVICE_RID) + if err != nil { + return false + } + defer windows.FreeSid(serviceSid) + + t, err := windows.OpenCurrentProcessToken() + if err != nil { + return false + } + defer t.Close() + + gs, err := t.GetTokenGroups() + if err != nil { + return false + } + + for _, g := range gs.AllGroups() { + if windows.EqualSid(g.Sid, serviceSid) { + return true + } + } + return false +} + +func allocSid(subAuth0 uint32) (*windows.SID, error) { + var sid *windows.SID + err := windows.AllocateAndInitializeSid(&windows.SECURITY_NT_AUTHORITY, + 1, subAuth0, 0, 0, 0, 0, 0, 0, 0, &sid) + if err != nil { + return nil, err + } + return sid, nil +} diff --git a/x-pack/elastic-agent/pkg/agent/install/uninstall.go b/x-pack/elastic-agent/pkg/agent/install/uninstall.go new file mode 100644 index 00000000000..381427eb8c7 --- /dev/null +++ b/x-pack/elastic-agent/pkg/agent/install/uninstall.go @@ -0,0 +1,71 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package install + +import ( + "fmt" + "os" + "runtime" + + "github.com/kardianos/service" + + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" +) + +// Uninstall uninstalls persistently Elastic Agent on the system. +func Uninstall() error { + // uninstall the current service + svc, err := newService() + if err != nil { + return err + } + status, _ := svc.Status() + if status == service.StatusRunning { + err := svc.Stop() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to stop service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + status = service.StatusStopped + } + if status == service.StatusStopped { + err := svc.Uninstall() + if err != nil { + return errors.New( + err, + fmt.Sprintf("failed to uninstall service (%s)", ServiceName), + errors.M("service", ServiceName)) + } + } + + // remove, if present on platform + if ShellWrapperPath != "" { + err = os.Remove(ShellWrapperPath) + if !os.IsNotExist(err) && err != nil { + return errors.New( + err, + fmt.Sprintf("failed to remove shell wrapper (%s)", ShellWrapperPath), + errors.M("destination", ShellWrapperPath)) + } + } + + // remove existing directory + err = os.RemoveAll(InstallPath) + if err != nil { + if runtime.GOOS == "windows" { + // possible to fail on Windows, because elastic-agent.exe is running from + // this directory. + return nil + } + return errors.New( + err, + fmt.Sprintf("failed to remove installation directory (%s)", InstallPath), + errors.M("directory", InstallPath)) + } + + return nil +} diff --git a/x-pack/elastic-agent/pkg/agent/warn/warn.go b/x-pack/elastic-agent/pkg/agent/warn/warn.go index 03d746992f6..182d2af50b0 100644 --- a/x-pack/elastic-agent/pkg/agent/warn/warn.go +++ b/x-pack/elastic-agent/pkg/agent/warn/warn.go @@ -21,4 +21,5 @@ func LogNotGA(log *logger.Logger) { // PrintNotGA writes to the received writer that the Agent is not GA. func PrintNotGA(output io.Writer) { fmt.Fprintln(output, message) + fmt.Fprintln(output) } diff --git a/x-pack/elastic-agent/pkg/fleetapi/ack_cmd_test.go b/x-pack/elastic-agent/pkg/fleetapi/ack_cmd_test.go index a9e3aebc25b..75940e928b7 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/ack_cmd_test.go +++ b/x-pack/elastic-agent/pkg/fleetapi/ack_cmd_test.go @@ -46,10 +46,10 @@ func TestAck(t *testing.T) { return mux }, withAPIKey, func(t *testing.T, client clienter) { - action := &ActionConfigChange{ + action := &ActionPolicyChange{ ActionID: "my-id", - ActionType: "CONFIG_CHANGE", - Config: map[string]interface{}{ + ActionType: "POLICY_CHANGE", + Policy: map[string]interface{}{ "id": "config_id", }, } diff --git a/x-pack/elastic-agent/pkg/fleetapi/action.go b/x-pack/elastic-agent/pkg/fleetapi/action.go index efb4e1672aa..2329546629c 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/action.go +++ b/x-pack/elastic-agent/pkg/fleetapi/action.go @@ -17,8 +17,8 @@ const ( ActionTypeUpgrade = "UPGRADE" // ActionTypeUnenroll specifies unenroll action. ActionTypeUnenroll = "UNENROLL" - // ActionTypeConfigChange specifies config change action. - ActionTypeConfigChange = "CONFIG_CHANGE" + // ActionTypePolicyChange specifies policy change action. + ActionTypePolicyChange = "POLICY_CHANGE" ) // Action base interface for all the implemented action from the fleet API. @@ -66,14 +66,14 @@ func (a *ActionUnknown) OriginalType() string { return a.originalType } -// ActionConfigChange is a request to apply a new -type ActionConfigChange struct { +// ActionPolicyChange is a request to apply a new +type ActionPolicyChange struct { ActionID string ActionType string - Config map[string]interface{} `json:"config"` + Policy map[string]interface{} `json:"policy"` } -func (a *ActionConfigChange) String() string { +func (a *ActionPolicyChange) String() string { var s strings.Builder s.WriteString("action_id: ") s.WriteString(a.ActionID) @@ -83,12 +83,12 @@ func (a *ActionConfigChange) String() string { } // Type returns the type of the Action. -func (a *ActionConfigChange) Type() string { +func (a *ActionPolicyChange) Type() string { return a.ActionType } // ID returns the ID of the Action. -func (a *ActionConfigChange) ID() string { +func (a *ActionPolicyChange) ID() string { return a.ActionID } @@ -97,7 +97,7 @@ type ActionUpgrade struct { ActionID string `json:"id" yaml:"id"` ActionType string `json:"type" yaml:"type"` Version string `json:"version" yaml:"version"` - SourceURI string `json:"source_uri" yaml:"source_uri"` + SourceURI string `json:"source_uri,omitempty" yaml:"source_uri,omitempty"` } func (a *ActionUpgrade) String() string { @@ -169,14 +169,14 @@ func (a *Actions) UnmarshalJSON(data []byte) error { for _, response := range responses { switch response.ActionType { - case ActionTypeConfigChange: - action = &ActionConfigChange{ + case ActionTypePolicyChange: + action = &ActionPolicyChange{ ActionID: response.ActionID, ActionType: response.ActionType, } if err := json.Unmarshal(response.Data, action); err != nil { return errors.New(err, - "fail to decode CONFIG_CHANGE action", + "fail to decode POLICY_CHANGE action", errors.TypeConfig) } case ActionTypeUnenroll: diff --git a/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd_test.go b/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd_test.go index 953b86a260e..af8b4da81ea 100644 --- a/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd_test.go +++ b/x-pack/elastic-agent/pkg/fleetapi/checkin_cmd_test.go @@ -56,10 +56,10 @@ func TestCheckin(t *testing.T) { raw := ` { "actions": [{ - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "id": "id1", "data": { - "config": { + "policy": { "id": "policy-id", "outputs": { "default": { @@ -102,7 +102,7 @@ func TestCheckin(t *testing.T) { // ActionPolicyChange require.Equal(t, "id1", r.Actions[0].ID()) - require.Equal(t, "CONFIG_CHANGE", r.Actions[0].Type()) + require.Equal(t, "POLICY_CHANGE", r.Actions[0].Type()) }, )) @@ -112,10 +112,10 @@ func TestCheckin(t *testing.T) { { "actions": [ { - "type": "CONFIG_CHANGE", + "type": "POLICY_CHANGE", "id": "id1", "data": { - "config": { + "policy": { "id": "policy-id", "outputs": { "default": { @@ -163,7 +163,7 @@ func TestCheckin(t *testing.T) { // ActionPolicyChange require.Equal(t, "id1", r.Actions[0].ID()) - require.Equal(t, "CONFIG_CHANGE", r.Actions[0].Type()) + require.Equal(t, "POLICY_CHANGE", r.Actions[0].Type()) // UnknownAction require.Equal(t, "id2", r.Actions[1].ID()) diff --git a/x-pack/elastic-agent/pkg/release/upgrade.go b/x-pack/elastic-agent/pkg/release/upgrade.go new file mode 100644 index 00000000000..2e63eb47ad5 --- /dev/null +++ b/x-pack/elastic-agent/pkg/release/upgrade.go @@ -0,0 +1,10 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package release + +// Upgradeable return true when release is built specifically for upgrading. +func Upgradeable() bool { + return allowUpgrade == "true" +} diff --git a/x-pack/elastic-agent/pkg/release/version.go b/x-pack/elastic-agent/pkg/release/version.go index 37579ac86de..05f0063afdf 100644 --- a/x-pack/elastic-agent/pkg/release/version.go +++ b/x-pack/elastic-agent/pkg/release/version.go @@ -12,6 +12,10 @@ import ( libbeatVersion "github.com/elastic/beats/v7/libbeat/version" ) +const ( + hashLen = 6 +) + // snapshot is a flag marking build as a snapshot. var snapshot = "" @@ -19,11 +23,24 @@ var snapshot = "" // without valid pgp var allowEmptyPgp string +// allowUpgrade is used as a debug flag and allows working +// with upgrade without requiring Agent to be installed correctly +var allowUpgrade string + // Commit returns the current build hash or unknown if it was not injected in the build process. func Commit() string { return libbeatVersion.Commit() } +// ShortCommit returns commit up to 6 characters. +func ShortCommit() string { + hash := Commit() + if len(hash) > hashLen { + hash = hash[:hashLen] + } + return hash +} + // BuildTime returns the build time of the binaries. func BuildTime() time.Time { return libbeatVersion.BuildTime() @@ -59,7 +76,7 @@ func Info() VersionInfo { } // String returns the string format for the version information. -func (v *VersionInfo) String() string { +func (v VersionInfo) String() string { var sb strings.Builder sb.WriteString(v.Version) diff --git a/x-pack/elastic-agent/spec/apm-server.yml.disabled b/x-pack/elastic-agent/spec/apm-server.yml.disabled new file mode 100644 index 00000000000..c84405dfadd --- /dev/null +++ b/x-pack/elastic-agent/spec/apm-server.yml.disabled @@ -0,0 +1,16 @@ +name: APM-Server +cmd: apm-server +artifact: apm-server +args: ["-E", "management.enabled=true", "-E", "management.mode=x-pack-fleet"] +rules: + - fix_stream: {} + - filter_values: + selector: inputs + key: type + values: + - apm + - filter: + selectors: + - inputs + - output +when: length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch') diff --git a/x-pack/filebeat/input/default-inputs/inputs.go b/x-pack/filebeat/input/default-inputs/inputs.go index 1fe245b80f7..cd8562560da 100644 --- a/x-pack/filebeat/input/default-inputs/inputs.go +++ b/x-pack/filebeat/input/default-inputs/inputs.go @@ -27,7 +27,7 @@ func xpackInputs(info beat.Info, log *logp.Logger, store beater.StateStore) []v2 return []v2.Plugin{ cloudfoundry.Plugin(), http_endpoint.Plugin(), - httpjson.Plugin(), + httpjson.Plugin(log, store), o365audit.Plugin(log, store), } } diff --git a/x-pack/filebeat/input/httpjson/config.go b/x-pack/filebeat/input/httpjson/config.go index 95ca205be0d..ee1445b8a3d 100644 --- a/x-pack/filebeat/input/httpjson/config.go +++ b/x-pack/filebeat/input/httpjson/config.go @@ -17,9 +17,9 @@ import ( "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" ) -// Config contains information about httpjson configuration +// config contains information about httpjson configuration type config struct { - OAuth2 *OAuth2 `config:"oauth2"` + OAuth2 *oauth2Config `config:"oauth2"` APIKey string `config:"api_key"` AuthenticationScheme string `config:"authentication_scheme"` HTTPClientTimeout time.Duration `config:"http_client_timeout"` @@ -30,21 +30,21 @@ type config struct { JSONObjects string `config:"json_objects_array"` SplitEventsBy string `config:"split_events_by"` NoHTTPBody bool `config:"no_http_body"` - Pagination *Pagination `config:"pagination"` - RateLimit *RateLimit `config:"rate_limit"` + Pagination *paginationConfig `config:"pagination"` + RateLimit *rateLimitConfig `config:"rate_limit"` RetryMax int `config:"retry.max_attempts"` RetryWaitMin time.Duration `config:"retry.wait_min"` RetryWaitMax time.Duration `config:"retry.wait_max"` TLS *tlscommon.Config `config:"ssl"` - URL *URL `config:"url" validate:"required"` - DateCursor *DateCursor `config:"date_cursor"` + URL *urlConfig `config:"url" validate:"required"` + DateCursor *dateCursorConfig `config:"date_cursor"` } // Pagination contains information about httpjson pagination settings -type Pagination struct { +type paginationConfig struct { Enabled *bool `config:"enabled"` ExtraBodyContent common.MapStr `config:"extra_body_content"` - Header *Header `config:"header"` + Header *headerConfig `config:"header"` IDField string `config:"id_field"` RequestField string `config:"req_field"` URLField string `config:"url_field"` @@ -52,76 +52,76 @@ type Pagination struct { } // IsEnabled returns true if the `enable` field is set to true in the yaml. -func (p *Pagination) IsEnabled() bool { +func (p *paginationConfig) isEnabled() bool { return p != nil && (p.Enabled == nil || *p.Enabled) } // HTTP Header information for pagination -type Header struct { +type headerConfig struct { FieldName string `config:"field_name" validate:"required"` RegexPattern *regexp.Regexp `config:"regex_pattern" validate:"required"` } // HTTP Header Rate Limit information -type RateLimit struct { +type rateLimitConfig struct { Limit string `config:"limit"` Reset string `config:"reset"` Remaining string `config:"remaining"` } -type DateCursor struct { - Enabled *bool `config:"enabled"` - Field string `config:"field"` - URLField string `config:"url_field" validate:"required"` - ValueTemplate *Template `config:"value_template"` - DateFormat string `config:"date_format"` - InitialInterval time.Duration `config:"initial_interval"` +type dateCursorConfig struct { + Enabled *bool `config:"enabled"` + Field string `config:"field"` + URLField string `config:"url_field" validate:"required"` + ValueTemplate *templateConfig `config:"value_template"` + DateFormat string `config:"date_format"` + InitialInterval time.Duration `config:"initial_interval"` } -type Template struct { +type templateConfig struct { *template.Template } -func (t *Template) Unpack(in string) error { +func (t *templateConfig) Unpack(in string) error { tpl, err := template.New("tpl").Parse(in) if err != nil { return err } - *t = Template{Template: tpl} + *t = templateConfig{Template: tpl} return nil } -type URL struct { +type urlConfig struct { *url.URL } -func (u *URL) Unpack(in string) error { +func (u *urlConfig) Unpack(in string) error { parsed, err := url.Parse(in) if err != nil { return err } - *u = URL{URL: parsed} + *u = urlConfig{URL: parsed} return nil } // IsEnabled returns true if the `enable` field is set to true in the yaml. -func (dc *DateCursor) IsEnabled() bool { +func (dc *dateCursorConfig) isEnabled() bool { return dc != nil && (dc.Enabled == nil || *dc.Enabled) } // IsEnabled returns true if the `enable` field is set to true in the yaml. -func (dc *DateCursor) GetDateFormat() string { +func (dc *dateCursorConfig) getDateFormat() string { if dc.DateFormat == "" { return time.RFC3339 } return dc.DateFormat } -func (dc *DateCursor) Validate() error { +func (dc *dateCursorConfig) Validate() error { if dc.DateFormat == "" { return nil } @@ -154,7 +154,7 @@ func (c *config) Validate() error { } } } - if c.OAuth2.IsEnabled() { + if c.OAuth2.isEnabled() { if c.APIKey != "" || c.AuthenticationScheme != "" { return errors.New("invalid configuration: oauth2 and api_key or authentication_scheme cannot be set simultaneously") } @@ -162,7 +162,7 @@ func (c *config) Validate() error { return nil } -func defaultConfig() config { +func newDefaultConfig() config { var c config c.HTTPMethod = "GET" c.HTTPClientTimeout = 60 * time.Second diff --git a/x-pack/filebeat/input/httpjson/config_oauth.go b/x-pack/filebeat/input/httpjson/config_oauth.go index 0ff55dcbc33..d7412fd0ba8 100644 --- a/x-pack/filebeat/input/httpjson/config_oauth.go +++ b/x-pack/filebeat/input/httpjson/config_oauth.go @@ -20,32 +20,32 @@ import ( "golang.org/x/oauth2/google" ) -// An OAuth2Provider represents a supported oauth provider. -type OAuth2Provider string +// An oauth2Provider represents a supported oauth provider. +type oauth2Provider string const ( - OAuth2ProviderDefault OAuth2Provider = "" // OAuth2ProviderDefault means no specific provider is set. - OAuth2ProviderAzure OAuth2Provider = "azure" // OAuth2ProviderAzure AzureAD. - OAuth2ProviderGoogle OAuth2Provider = "google" // OAuth2ProviderGoogle Google. + oauth2ProviderDefault oauth2Provider = "" // OAuth2ProviderDefault means no specific provider is set. + oauth2ProviderAzure oauth2Provider = "azure" // OAuth2ProviderAzure AzureAD. + oauth2ProviderGoogle oauth2Provider = "google" // OAuth2ProviderGoogle Google. ) -func (p *OAuth2Provider) Unpack(in string) error { - *p = OAuth2Provider(in) +func (p *oauth2Provider) Unpack(in string) error { + *p = oauth2Provider(in) return nil } -func (p OAuth2Provider) canonical() OAuth2Provider { - return OAuth2Provider(strings.ToLower(string(p))) +func (p oauth2Provider) canonical() oauth2Provider { + return oauth2Provider(strings.ToLower(string(p))) } -// OAuth2 contains information about oauth2 authentication settings. -type OAuth2 struct { +// oauth2Config contains information about oauth2 authentication settings. +type oauth2Config struct { // common oauth fields ClientID string `config:"client.id"` ClientSecret string `config:"client.secret"` Enabled *bool `config:"enabled"` EndpointParams map[string][]string `config:"endpoint_params"` - Provider OAuth2Provider `config:"provider"` + Provider oauth2Provider `config:"provider"` Scopes []string `config:"scopes"` TokenURL string `config:"token_url"` @@ -61,25 +61,26 @@ type OAuth2 struct { } // IsEnabled returns true if the `enable` field is set to true in the yaml. -func (o *OAuth2) IsEnabled() bool { +func (o *oauth2Config) isEnabled() bool { return o != nil && (o.Enabled == nil || *o.Enabled) } // Client wraps the given http.Client and returns a new one that will use the oauth authentication. -func (o *OAuth2) Client(ctx context.Context, client *http.Client) (*http.Client, error) { - ctx = context.WithValue(ctx, oauth2.HTTPClient, client) +func (o *oauth2Config) client(ctx context.Context, client *http.Client) (*http.Client, error) { + // only required to let oauth2 library to find our custom client in the context + ctx = context.WithValue(context.Background(), oauth2.HTTPClient, client) - switch o.GetProvider() { - case OAuth2ProviderAzure, OAuth2ProviderDefault: + switch o.getProvider() { + case oauth2ProviderAzure, oauth2ProviderDefault: creds := clientcredentials.Config{ ClientID: o.ClientID, ClientSecret: o.ClientSecret, - TokenURL: o.GetTokenURL(), + TokenURL: o.getTokenURL(), Scopes: o.Scopes, - EndpointParams: o.GetEndpointParams(), + EndpointParams: o.getEndpointParams(), } return creds.Client(ctx), nil - case OAuth2ProviderGoogle: + case oauth2ProviderGoogle: if o.GoogleJWTFile != "" { cfg, err := google.JWTConfigFromJSON(o.GoogleCredentialsJSON, o.Scopes...) if err != nil { @@ -100,9 +101,9 @@ func (o *OAuth2) Client(ctx context.Context, client *http.Client) (*http.Client, } // GetTokenURL returns the TokenURL. -func (o *OAuth2) GetTokenURL() string { - switch o.GetProvider() { - case OAuth2ProviderAzure: +func (o *oauth2Config) getTokenURL() string { + switch o.getProvider() { + case oauth2ProviderAzure: if o.TokenURL == "" { return endpoints.AzureAD(o.AzureTenantID).TokenURL } @@ -112,14 +113,14 @@ func (o *OAuth2) GetTokenURL() string { } // GetProvider returns provider in its canonical form. -func (o OAuth2) GetProvider() OAuth2Provider { +func (o oauth2Config) getProvider() oauth2Provider { return o.Provider.canonical() } // GetEndpointParams returns endpoint params with any provider ones combined. -func (o OAuth2) GetEndpointParams() map[string][]string { - switch o.GetProvider() { - case OAuth2ProviderAzure: +func (o oauth2Config) getEndpointParams() map[string][]string { + switch o.getProvider() { + case oauth2ProviderAzure: if o.AzureResource != "" { if o.EndpointParams == nil { o.EndpointParams = map[string][]string{} @@ -132,18 +133,18 @@ func (o OAuth2) GetEndpointParams() map[string][]string { } // Validate checks if oauth2 config is valid. -func (o *OAuth2) Validate() error { - switch o.GetProvider() { - case OAuth2ProviderAzure: +func (o *oauth2Config) Validate() error { + switch o.getProvider() { + case oauth2ProviderAzure: return o.validateAzureProvider() - case OAuth2ProviderGoogle: + case oauth2ProviderGoogle: return o.validateGoogleProvider() - case OAuth2ProviderDefault: + case oauth2ProviderDefault: if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == "" { return errors.New("invalid configuration: both token_url and client credentials must be provided") } default: - return fmt.Errorf("invalid configuration: unknown provider %q", o.GetProvider()) + return fmt.Errorf("invalid configuration: unknown provider %q", o.getProvider()) } return nil } @@ -151,7 +152,7 @@ func (o *OAuth2) Validate() error { // findDefaultGoogleCredentials will default to google.FindDefaultCredentials and will only be changed for testing purposes var findDefaultGoogleCredentials = google.FindDefaultCredentials -func (o *OAuth2) validateGoogleProvider() error { +func (o *oauth2Config) validateGoogleProvider() error { if o.TokenURL != "" || o.ClientID != "" || o.ClientSecret != "" || o.AzureTenantID != "" || o.AzureResource != "" || len(o.EndpointParams) > 0 { return errors.New("invalid configuration: none of token_url and client credentials can be used, use google.credentials_file, google.jwt_file, google.credentials_json or ADC instead") @@ -191,7 +192,7 @@ func (o *OAuth2) validateGoogleProvider() error { return fmt.Errorf("invalid configuration: no authentication credentials were configured or detected (ADC)") } -func (o *OAuth2) populateCredentialsJSONFromFile(file string) error { +func (o *oauth2Config) populateCredentialsJSONFromFile(file string) error { if _, err := os.Stat(file); os.IsNotExist(err) { return fmt.Errorf("invalid configuration: the file %q cannot be found", file) } @@ -210,7 +211,7 @@ func (o *OAuth2) populateCredentialsJSONFromFile(file string) error { return nil } -func (o *OAuth2) validateAzureProvider() error { +func (o *oauth2Config) validateAzureProvider() error { if o.TokenURL == "" && o.AzureTenantID == "" { return errors.New("invalid configuration: at least one of token_url or tenant_id must be provided") } diff --git a/x-pack/filebeat/input/httpjson/config_oauth_test.go b/x-pack/filebeat/input/httpjson/config_oauth_test.go index 3fa0eed4284..67ec63b6650 100644 --- a/x-pack/filebeat/input/httpjson/config_oauth_test.go +++ b/x-pack/filebeat/input/httpjson/config_oauth_test.go @@ -11,8 +11,8 @@ import ( func TestProviderCanonical(t *testing.T) { const ( - a OAuth2Provider = "gOoGle" - b OAuth2Provider = "google" + a oauth2Provider = "gOoGle" + b oauth2Provider = "google" ) if a.canonical() != b.canonical() { @@ -21,74 +21,74 @@ func TestProviderCanonical(t *testing.T) { } func TestGetProviderIsCanonical(t *testing.T) { - const expected OAuth2Provider = "google" + const expected oauth2Provider = "google" - oauth2 := OAuth2{Provider: "GOogle"} - if oauth2.GetProvider() != expected { + oauth2 := oauth2Config{Provider: "GOogle"} + if oauth2.getProvider() != expected { t.Fatal("GetProvider should return canonical provider") } } func TestIsEnabled(t *testing.T) { - oauth2 := OAuth2{} - if !oauth2.IsEnabled() { + oauth2 := oauth2Config{} + if !oauth2.isEnabled() { t.Fatal("OAuth2 should be enabled by default") } var enabled = false oauth2.Enabled = &enabled - if oauth2.IsEnabled() { + if oauth2.isEnabled() { t.Fatal("OAuth2 should be disabled") } enabled = true - if !oauth2.IsEnabled() { + if !oauth2.isEnabled() { t.Fatal("OAuth2 should be enabled") } } func TestGetTokenURL(t *testing.T) { const expected = "http://localhost" - oauth2 := OAuth2{TokenURL: "http://localhost"} - if got := oauth2.GetTokenURL(); got != expected { + oauth2 := oauth2Config{TokenURL: "http://localhost"} + if got := oauth2.getTokenURL(); got != expected { t.Fatalf("GetTokenURL should return the provided TokenURL but got %q", got) } } func TestGetTokenURLWithAzure(t *testing.T) { const expectedWithoutTenantID = "http://localhost" - oauth2 := OAuth2{TokenURL: "http://localhost", Provider: "azure"} - if got := oauth2.GetTokenURL(); got != expectedWithoutTenantID { + oauth2 := oauth2Config{TokenURL: "http://localhost", Provider: "azure"} + if got := oauth2.getTokenURL(); got != expectedWithoutTenantID { t.Fatalf("GetTokenURL should return the provided TokenURL but got %q", got) } oauth2.TokenURL = "" oauth2.AzureTenantID = "a_tenant_id" const expectedWithTenantID = "https://login.microsoftonline.com/a_tenant_id/oauth2/v2.0/token" - if got := oauth2.GetTokenURL(); got != expectedWithTenantID { + if got := oauth2.getTokenURL(); got != expectedWithTenantID { t.Fatalf("GetTokenURL should return the generated TokenURL but got %q", got) } } func TestGetEndpointParams(t *testing.T) { var expected = map[string][]string{"foo": {"bar"}} - oauth2 := OAuth2{EndpointParams: map[string][]string{"foo": {"bar"}}} - if got := oauth2.GetEndpointParams(); !reflect.DeepEqual(got, expected) { + oauth2 := oauth2Config{EndpointParams: map[string][]string{"foo": {"bar"}}} + if got := oauth2.getEndpointParams(); !reflect.DeepEqual(got, expected) { t.Fatalf("GetEndpointParams should return the provided EndpointParams but got %q", got) } } func TestGetEndpointParamsWithAzure(t *testing.T) { var expectedWithoutResource = map[string][]string{"foo": {"bar"}} - oauth2 := OAuth2{Provider: "azure", EndpointParams: map[string][]string{"foo": {"bar"}}} - if got := oauth2.GetEndpointParams(); !reflect.DeepEqual(got, expectedWithoutResource) { + oauth2 := oauth2Config{Provider: "azure", EndpointParams: map[string][]string{"foo": {"bar"}}} + if got := oauth2.getEndpointParams(); !reflect.DeepEqual(got, expectedWithoutResource) { t.Fatalf("GetEndpointParams should return the provided EndpointParams but got %q", got) } oauth2.AzureResource = "baz" var expectedWithResource = map[string][]string{"foo": {"bar"}, "resource": {"baz"}} - if got := oauth2.GetEndpointParams(); !reflect.DeepEqual(got, expectedWithResource) { + if got := oauth2.getEndpointParams(); !reflect.DeepEqual(got, expectedWithResource) { t.Fatalf("GetEndpointParams should return the provided EndpointParams but got %q", got) } } diff --git a/x-pack/filebeat/input/httpjson/config_test.go b/x-pack/filebeat/input/httpjson/config_test.go index 0de07311239..85c7c64848d 100644 --- a/x-pack/filebeat/input/httpjson/config_test.go +++ b/x-pack/filebeat/input/httpjson/config_test.go @@ -25,7 +25,7 @@ func TestConfigValidationCase1(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. no_http_body and http_request_body cannot coexist.") } @@ -39,7 +39,7 @@ func TestConfigValidationCase2(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. no_http_body and pagination.extra_body_content cannot coexist.") } @@ -53,7 +53,7 @@ func TestConfigValidationCase3(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. no_http_body and pagination.req_field cannot coexist.") } @@ -66,7 +66,7 @@ func TestConfigValidationCase4(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. pagination.header and pagination.req_field cannot coexist.") } @@ -79,7 +79,7 @@ func TestConfigValidationCase5(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. pagination.header and pagination.id_field cannot coexist.") } @@ -92,7 +92,7 @@ func TestConfigValidationCase6(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. pagination.header and extra_body_content cannot coexist.") } @@ -105,7 +105,7 @@ func TestConfigValidationCase7(t *testing.T) { "url": "localhost", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() if err := cfg.Unpack(&conf); err == nil { t.Fatal("Configuration validation failed. http_method DELETE is not allowed.") } @@ -116,7 +116,7 @@ func TestConfigMustFailWithInvalidURL(t *testing.T) { "url": "::invalid::", } cfg := common.MustNewConfigFrom(m) - conf := defaultConfig() + conf := newDefaultConfig() err := cfg.Unpack(&conf) assert.EqualError(t, err, `parse "::invalid::": missing protocol scheme accessing 'url'`) } @@ -414,7 +414,7 @@ func TestConfigOauth2Validation(t *testing.T) { } cfg := common.MustNewConfigFrom(c.input) - conf := defaultConfig() + conf := newDefaultConfig() err := cfg.Unpack(&conf) switch { diff --git a/x-pack/filebeat/input/httpjson/date_cursor.go b/x-pack/filebeat/input/httpjson/date_cursor.go index 2a9db44bd2a..66ca659de78 100644 --- a/x-pack/filebeat/input/httpjson/date_cursor.go +++ b/x-pack/filebeat/input/httpjson/date_cursor.go @@ -7,6 +7,7 @@ package httpjson import ( "bytes" "net/url" + "text/template" "time" "github.com/elastic/beats/v7/libbeat/common" @@ -22,13 +23,12 @@ type dateCursor struct { initialInterval time.Duration dateFormat string - value string - valueTpl *Template + valueTpl *template.Template } func newDateCursorFromConfig(config config, log *logp.Logger) *dateCursor { c := &dateCursor{ - enabled: config.DateCursor.IsEnabled(), + enabled: config.DateCursor.isEnabled(), url: *config.URL.URL, } @@ -40,23 +40,23 @@ func newDateCursorFromConfig(config config, log *logp.Logger) *dateCursor { c.field = config.DateCursor.Field c.urlField = config.DateCursor.URLField c.initialInterval = config.DateCursor.InitialInterval - c.dateFormat = config.DateCursor.GetDateFormat() - c.valueTpl = config.DateCursor.ValueTemplate + c.dateFormat = config.DateCursor.getDateFormat() + c.valueTpl = config.DateCursor.ValueTemplate.Template return c } -func (c *dateCursor) getURL() string { +func (c *dateCursor) getURL(prevValue string) string { if !c.enabled { return c.url.String() } var dateStr string - if c.value == "" { + if prevValue == "" { t := timeNow().UTC().Add(-c.initialInterval) dateStr = t.Format(c.dateFormat) } else { - dateStr = c.value + dateStr = prevValue } q := c.url.Query() @@ -66,7 +66,7 @@ func (c *dateCursor) getURL() string { value = dateStr } else { buf := new(bytes.Buffer) - if err := c.valueTpl.Template.Execute(buf, dateStr); err != nil { + if err := c.valueTpl.Execute(buf, dateStr); err != nil { return c.url.String() } value = buf.String() @@ -74,32 +74,33 @@ func (c *dateCursor) getURL() string { q.Set(c.urlField, value) - c.url.RawQuery = q.Encode() + url := c.url + url.RawQuery = q.Encode() - return c.url.String() + return url.String() } -func (c *dateCursor) advance(m common.MapStr) { +func (c *dateCursor) getNextValue(m common.MapStr) string { if c.field == "" { - c.value = time.Now().UTC().Format(c.dateFormat) - return + return time.Now().UTC().Format(c.dateFormat) } v, err := m.GetValue(c.field) if err != nil { c.log.Warnf("date_cursor field: %q", err) - return + return "" } + switch t := v.(type) { case string: _, err := time.Parse(c.dateFormat, t) if err != nil { c.log.Warn("date_cursor field does not have the expected layout") - return + return "" } - c.value = t - default: - c.log.Warn("date_cursor field must be a string, cursor will not advance") - return + return t } + + c.log.Warn("date_cursor field must be a string, cursor will not advance") + return "" } diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go index 766fa364864..5445197f563 100644 --- a/x-pack/filebeat/input/httpjson/input.go +++ b/x-pack/filebeat/input/httpjson/input.go @@ -9,12 +9,14 @@ import ( "fmt" "net" "net/http" + "net/url" "time" "github.com/hashicorp/go-retryablehttp" "go.uber.org/zap" v2 "github.com/elastic/beats/v7/filebeat/input/v2" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/common" @@ -63,30 +65,25 @@ func (log *retryLogger) Warn(format string, args ...interface{}) { log.log.Warnf(format, args...) } -type httpJSONInput struct { - config config - tlsConfig *tlscommon.TLSConfig -} - -func Plugin() v2.Plugin { +func Plugin(log *logp.Logger, store cursor.StateStore) v2.Plugin { + sim := stateless.NewInputManager(statelessConfigure) return v2.Plugin{ Name: inputName, Stability: feature.Beta, Deprecated: false, - Manager: stateless.NewInputManager(configure), - } -} - -func configure(cfg *common.Config) (stateless.Input, error) { - conf := defaultConfig() - if err := cfg.Unpack(&conf); err != nil { - return nil, err + Manager: inputManager{ + stateless: &sim, + cursor: &cursor.InputManager{ + Logger: log, + StateStore: store, + Type: inputName, + Configure: cursorConfigure, + }, + }, } - - return newHTTPJSONInput(conf) } -func newHTTPJSONInput(config config) (*httpJSONInput, error) { +func newTLSConfig(config config) (*tlscommon.TLSConfig, error) { if err := config.Validate(); err != nil { return nil, err } @@ -96,54 +93,53 @@ func newHTTPJSONInput(config config) (*httpJSONInput, error) { return nil, err } - return &httpJSONInput{ - config: config, - tlsConfig: tlsConfig, - }, nil + return tlsConfig, nil } -func (*httpJSONInput) Name() string { return inputName } - -func (in *httpJSONInput) Test(v2.TestContext) error { +func test(url *url.URL) error { port := func() string { - if in.config.URL.Port() != "" { - return in.config.URL.Port() + if url.Port() != "" { + return url.Port() } - switch in.config.URL.Scheme { + switch url.Scheme { case "https": return "443" } return "80" }() - _, err := net.DialTimeout("tcp", net.JoinHostPort(in.config.URL.Hostname(), port), time.Second) + _, err := net.DialTimeout("tcp", net.JoinHostPort(url.Hostname(), port), time.Second) if err != nil { - return fmt.Errorf("url %q is unreachable", in.config.URL) + return fmt.Errorf("url %q is unreachable", url) } return nil } -// Run starts the input and blocks until it ends the execution. -// It will return on context cancellation, any other error will be retried. -func (in *httpJSONInput) Run(ctx v2.Context, publisher stateless.Publisher) error { - log := ctx.Logger.With("url", in.config.URL) +func run( + ctx v2.Context, + config config, + tlsConfig *tlscommon.TLSConfig, + publisher cursor.Publisher, + cursor *cursor.Cursor, +) error { + log := ctx.Logger.With("url", config.URL) stdCtx := ctxtool.FromCanceller(ctx.Cancelation) - httpClient, err := in.newHTTPClient(stdCtx) + httpClient, err := newHTTPClient(stdCtx, config, tlsConfig) if err != nil { return err } - dateCursor := newDateCursorFromConfig(in.config, log) + dateCursor := newDateCursorFromConfig(config, log) - rateLimiter := newRateLimiterFromConfig(in.config, log) + rateLimiter := newRateLimiterFromConfig(config, log) - pagination := newPaginationFromConfig(in.config) + pagination := newPaginationFromConfig(config) requester := newRequester( - in.config, + config, rateLimiter, dateCursor, pagination, @@ -151,12 +147,14 @@ func (in *httpJSONInput) Run(ctx v2.Context, publisher stateless.Publisher) erro log, ) + requester.loadCursor(cursor, log) + // TODO: disallow passing interval = 0 as a mean to run once. - if in.config.Interval == 0 { + if config.Interval == 0 { return requester.processHTTPRequest(stdCtx, publisher) } - err = timed.Periodic(stdCtx, in.config.Interval, func() error { + err = timed.Periodic(stdCtx, config.Interval, func() error { log.Info("Process another repeated request.") if err := requester.processHTTPRequest(stdCtx, publisher); err != nil { log.Error(err) @@ -169,29 +167,29 @@ func (in *httpJSONInput) Run(ctx v2.Context, publisher stateless.Publisher) erro return nil } -func (in *httpJSONInput) newHTTPClient(ctx context.Context) (*http.Client, error) { +func newHTTPClient(ctx context.Context, config config, tlsConfig *tlscommon.TLSConfig) (*http.Client, error) { // Make retryable HTTP client client := &retryablehttp.Client{ HTTPClient: &http.Client{ Transport: &http.Transport{ DialContext: (&net.Dialer{ - Timeout: in.config.HTTPClientTimeout, + Timeout: config.HTTPClientTimeout, }).DialContext, - TLSClientConfig: in.tlsConfig.ToConfig(), + TLSClientConfig: tlsConfig.ToConfig(), DisableKeepAlives: true, }, - Timeout: in.config.HTTPClientTimeout, + Timeout: config.HTTPClientTimeout, }, Logger: newRetryLogger(), - RetryWaitMin: in.config.RetryWaitMin, - RetryWaitMax: in.config.RetryWaitMax, - RetryMax: in.config.RetryMax, + RetryWaitMin: config.RetryWaitMin, + RetryWaitMax: config.RetryWaitMax, + RetryMax: config.RetryMax, CheckRetry: retryablehttp.DefaultRetryPolicy, Backoff: retryablehttp.DefaultBackoff, } - if in.config.OAuth2.IsEnabled() { - return in.config.OAuth2.Client(ctx, client.StandardClient()) + if config.OAuth2.isEnabled() { + return config.OAuth2.client(ctx, client.StandardClient()) } return client.StandardClient(), nil diff --git a/x-pack/filebeat/input/httpjson/input_cursor.go b/x-pack/filebeat/input/httpjson/input_cursor.go new file mode 100644 index 00000000000..d18a91f3918 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/input_cursor.go @@ -0,0 +1,67 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" +) + +type cursorInput struct{} + +func (cursorInput) Name() string { + return "httpjson-cursor" +} + +type source struct { + config config + tlsConfig *tlscommon.TLSConfig +} + +func (src source) Name() string { + return src.config.URL.String() +} + +func cursorConfigure(cfg *common.Config) ([]cursor.Source, cursor.Input, error) { + conf := newDefaultConfig() + if err := cfg.Unpack(&conf); err != nil { + return nil, nil, err + } + return newCursorInput(conf) +} + +func newCursorInput(config config) ([]cursor.Source, cursor.Input, error) { + tlsConfig, err := newTLSConfig(config) + if err != nil { + return nil, nil, err + } + // we only allow one url per config, if we wanted to allow more than one + // each source should hold only one url + return []cursor.Source{ + &source{config: config, + tlsConfig: tlsConfig, + }, + }, + &cursorInput{}, + nil +} + +func (in *cursorInput) Test(src cursor.Source, _ v2.TestContext) error { + return test((src.(*source)).config.URL.URL) +} + +// Run starts the input and blocks until it ends the execution. +// It will return on context cancellation, any other error will be retried. +func (in *cursorInput) Run( + ctx v2.Context, + src cursor.Source, + cursor cursor.Cursor, + publisher cursor.Publisher, +) error { + s := src.(*source) + return run(ctx, s.config, s.tlsConfig, publisher, &cursor) +} diff --git a/x-pack/filebeat/input/httpjson/input_manager.go b/x-pack/filebeat/input/httpjson/input_manager.go new file mode 100644 index 00000000000..21f5066dc05 --- /dev/null +++ b/x-pack/filebeat/input/httpjson/input_manager.go @@ -0,0 +1,49 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + "go.uber.org/multierr" + + "github.com/elastic/go-concert/unison" + + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + "github.com/elastic/beats/v7/libbeat/common" +) + +// inputManager wraps one stateless input manager +// and one cursor input manager. It will create one or the other +// based on the config that is passed. +type inputManager struct { + stateless *stateless.InputManager + cursor *cursor.InputManager +} + +var _ v2.InputManager = inputManager{} + +// Init initializes both wrapped input managers. +func (m inputManager) Init(grp unison.Group, mode v2.Mode) error { + return multierr.Append( + m.stateless.Init(grp, mode), + m.cursor.Init(grp, mode), + ) +} + +// Create creates a cursor input manager if the config has a date cursor set up, +// otherwise it creates a stateless input manager. +func (m inputManager) Create(cfg *common.Config) (v2.Input, error) { + var config config + if err := cfg.Unpack(&config); err != nil { + return nil, err + } + + if config.DateCursor != nil { + return m.cursor.Create(cfg) + } + + return m.stateless.Create(cfg) +} diff --git a/x-pack/filebeat/input/httpjson/input_stateless.go b/x-pack/filebeat/input/httpjson/input_stateless.go new file mode 100644 index 00000000000..c7ebf6c3d4c --- /dev/null +++ b/x-pack/filebeat/input/httpjson/input_stateless.go @@ -0,0 +1,58 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +package httpjson + +import ( + v2 "github.com/elastic/beats/v7/filebeat/input/v2" + stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common" + "github.com/elastic/beats/v7/libbeat/common/transport/tlscommon" +) + +type statelessInput struct { + config config + tlsConfig *tlscommon.TLSConfig +} + +func (statelessInput) Name() string { + return "httpjson-stateless" +} + +func statelessConfigure(cfg *common.Config) (stateless.Input, error) { + conf := newDefaultConfig() + if err := cfg.Unpack(&conf); err != nil { + return nil, err + } + return newStatelessInput(conf) +} + +func newStatelessInput(config config) (*statelessInput, error) { + tlsConfig, err := newTLSConfig(config) + if err != nil { + return nil, err + } + return &statelessInput{config: config, tlsConfig: tlsConfig}, nil +} + +func (in *statelessInput) Test(v2.TestContext) error { + return test(in.config.URL.URL) +} + +type statelessPublisher struct { + wrapped stateless.Publisher +} + +func (pub statelessPublisher) Publish(event beat.Event, _ interface{}) error { + pub.wrapped.Publish(event) + return nil +} + +// Run starts the input and blocks until it ends the execution. +// It will return on context cancellation, any other error will be retried. +func (in *statelessInput) Run(ctx v2.Context, publisher stateless.Publisher) error { + pub := statelessPublisher{wrapped: publisher} + return run(ctx, in.config, in.tlsConfig, pub, nil) +} diff --git a/x-pack/filebeat/input/httpjson/httpjson_test.go b/x-pack/filebeat/input/httpjson/input_test.go similarity index 96% rename from x-pack/filebeat/input/httpjson/httpjson_test.go rename to x-pack/filebeat/input/httpjson/input_test.go index b541c16002e..242811d2795 100644 --- a/x-pack/filebeat/input/httpjson/httpjson_test.go +++ b/x-pack/filebeat/input/httpjson/input_test.go @@ -23,7 +23,7 @@ import ( beattest "github.com/elastic/beats/v7/libbeat/publisher/testing" ) -func TestHTTPJSONInput(t *testing.T) { +func TestStatelessHTTPJSONInput(t *testing.T) { testCases := []struct { name string setupServer func(*testing.T, http.HandlerFunc, map[string]interface{}) @@ -224,20 +224,23 @@ func TestHTTPJSONInput(t *testing.T) { cfg := common.MustNewConfigFrom(tc.baseConfig) - input, err := configure(cfg) + conf := newDefaultConfig() + assert.NoError(t, cfg.Unpack(&conf)) + + input, err := newStatelessInput(conf) assert.NoError(t, err) - assert.Equal(t, "httpjson", input.Name()) + assert.Equal(t, "httpjson-stateless", input.Name()) assert.NoError(t, input.Test(v2.TestContext{})) - pub := beattest.NewChanClient(len(tc.expected)) - t.Cleanup(func() { _ = pub.Close() }) + chanClient := beattest.NewChanClient(len(tc.expected)) + t.Cleanup(func() { _ = chanClient.Close() }) ctx, cancel := newV2Context() t.Cleanup(cancel) var g errgroup.Group - g.Go(func() error { return input.Run(ctx, pub) }) + g.Go(func() error { return input.Run(ctx, chanClient) }) timeout := time.NewTimer(5 * time.Second) t.Cleanup(func() { _ = timeout.Stop() }) @@ -249,7 +252,7 @@ func TestHTTPJSONInput(t *testing.T) { case <-timeout.C: t.Errorf("timed out waiting for %d events", len(tc.expected)) return - case got := <-pub.Channel: + case got := <-chanClient.Channel: val, err := got.Fields.GetValue("message") assert.NoError(t, err) assert.JSONEq(t, tc.expected[receivedCount], val.(string)) diff --git a/x-pack/filebeat/input/httpjson/pagination.go b/x-pack/filebeat/input/httpjson/pagination.go index 9a7bf82b2b4..020bc783055 100644 --- a/x-pack/filebeat/input/httpjson/pagination.go +++ b/x-pack/filebeat/input/httpjson/pagination.go @@ -16,7 +16,7 @@ import ( type pagination struct { extraBodyContent common.MapStr - header *Header + header *headerConfig idField string requestField string urlField string @@ -24,7 +24,7 @@ type pagination struct { } func newPaginationFromConfig(config config) *pagination { - if !config.Pagination.IsEnabled() { + if !config.Pagination.isEnabled() { return nil } return &pagination{ diff --git a/x-pack/filebeat/input/httpjson/pagination_test.go b/x-pack/filebeat/input/httpjson/pagination_test.go index 9b04de75819..32e3261c1e6 100644 --- a/x-pack/filebeat/input/httpjson/pagination_test.go +++ b/x-pack/filebeat/input/httpjson/pagination_test.go @@ -42,7 +42,7 @@ func TestCreateRequestInfoFromBody(t *testing.T) { contentMap: common.MapStr{}, headers: common.MapStr{}, } - err := pagination.setRequestInfoFromBody( + _ = pagination.setRequestInfoFromBody( common.MapStr(m), common.MapStr(m), ri, diff --git a/x-pack/filebeat/input/httpjson/rate_limiter.go b/x-pack/filebeat/input/httpjson/rate_limiter.go index 57d206224ac..93c2b4a3fe7 100644 --- a/x-pack/filebeat/input/httpjson/rate_limiter.go +++ b/x-pack/filebeat/input/httpjson/rate_limiter.go @@ -122,7 +122,7 @@ func (r *rateLimiter) getRateLimit(header http.Header) (int64, error) { if err != nil { return 0, fmt.Errorf("failed to parse rate-limit reset value: %w", err) } - if time.Unix(epoch, 0).Sub(time.Now()) <= 0 { + if time.Until(time.Unix(epoch, 0)) <= 0 { return 0, nil } diff --git a/x-pack/filebeat/input/httpjson/requester.go b/x-pack/filebeat/input/httpjson/requester.go index b5f58179aa0..df0a1efb1eb 100644 --- a/x-pack/filebeat/input/httpjson/requester.go +++ b/x-pack/filebeat/input/httpjson/requester.go @@ -14,7 +14,7 @@ import ( "net/http" "strings" - stateless "github.com/elastic/beats/v7/filebeat/input/v2/input-stateless" + cursor "github.com/elastic/beats/v7/filebeat/input/v2/input-cursor" "github.com/elastic/beats/v7/libbeat/common" "github.com/elastic/beats/v7/libbeat/logp" ) @@ -40,6 +40,8 @@ type requester struct { authScheme string jsonObjects string splitEventsBy string + + cursorState cursorState } func newRequester( @@ -72,9 +74,9 @@ type response struct { } // processHTTPRequest processes HTTP request, and handles pagination if enabled -func (r *requester) processHTTPRequest(ctx context.Context, publisher stateless.Publisher) error { +func (r *requester) processHTTPRequest(ctx context.Context, publisher cursor.Publisher) error { ri := &requestInfo{ - url: r.dateCursor.getURL(), + url: r.dateCursor.getURL(r.cursorState.LastDateCursorValue), contentMap: common.MapStr{}, headers: r.headers, } @@ -166,7 +168,7 @@ func (r *requester) processHTTPRequest(ctx context.Context, publisher stateless. } if lastObj != nil && r.dateCursor.enabled { - r.dateCursor.advance(common.MapStr(lastObj)) + r.updateCursorState(ri.url, r.dateCursor.getNextValue(common.MapStr(lastObj))) } return nil @@ -210,7 +212,7 @@ func (r *requester) createHTTPRequest(ctx context.Context, ri *requestInfo) (*ht } // processEventArray publishes an event for each object contained in the array. It returns the last object in the array and an error if any. -func (r *requester) processEventArray(publisher stateless.Publisher, events []interface{}) (map[string]interface{}, error) { +func (r *requester) processEventArray(publisher cursor.Publisher, events []interface{}) (map[string]interface{}, error) { var last map[string]interface{} for _, t := range events { switch v := t.(type) { @@ -221,7 +223,9 @@ func (r *requester) processEventArray(publisher stateless.Publisher, events []in if err != nil { return nil, fmt.Errorf("failed to marshal %+v: %w", e, err) } - publisher.Publish(makeEvent(string(d))) + if err := publisher.Publish(makeEvent(string(d)), r.cursorState); err != nil { + return nil, fmt.Errorf("failed to publish: %w", err) + } } default: return nil, fmt.Errorf("expected only JSON objects in the array but got a %T", v) @@ -273,3 +277,23 @@ func splitEvent(splitKey string, event map[string]interface{}) []map[string]inte return events } + +type cursorState struct { + LastCalledURL string + LastDateCursorValue string +} + +func (r *requester) updateCursorState(url, value string) { + r.cursorState.LastCalledURL = url + r.cursorState.LastDateCursorValue = value +} + +func (r *requester) loadCursor(c *cursor.Cursor, log *logp.Logger) { + if c == nil || c.IsNew() { + return + } + + if err := c.Unpack(&r.cursorState); err != nil { + log.Errorf("Reset http cursor state. Failed to read from registry: %v", err) + } +} diff --git a/x-pack/filebeat/input/s3/input.go b/x-pack/filebeat/input/s3/input.go index 1085c9dccbd..83dc48428ee 100644 --- a/x-pack/filebeat/input/s3/input.go +++ b/x-pack/filebeat/input/s3/input.go @@ -190,11 +190,11 @@ func (p *s3Input) Run() { p.workerWg.Add(1) go p.run(svcSQS, svcS3, visibilityTimeout) - p.workerWg.Done() }) } func (p *s3Input) run(svcSQS sqsiface.ClientAPI, svcS3 s3iface.ClientAPI, visibilityTimeout int64) { + defer p.workerWg.Done() defer p.logger.Infof("s3 input worker for '%v' has stopped.", p.config.QueueURL) p.logger.Infof("s3 input worker has started. with queueURL: %v", p.config.QueueURL) @@ -288,7 +288,7 @@ func (p *s3Input) processorKeepAlive(svcSQS sqsiface.ClientAPI, message sqs.Mess // When ACK done, message will be deleted. Or when message is // not s3 ObjectCreated event related(handleSQSMessage function // failed), it will be removed as well. - p.logger.Debug("Deleting message from SQS: ", message.MessageId) + p.logger.Debug("Deleting message from SQS: ", *message.MessageId) // only delete sqs message when errC is closed with no error err := p.deleteMessage(queueURL, *message.ReceiptHandle, svcSQS) if err != nil { diff --git a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml index 8421e12d7f0..8ceec6ff100 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml @@ -146,37 +146,36 @@ processors: field: "json.errorMessage" target_field: "aws.cloudtrail.error_message" ignore_failure: true - - rename: - field: json.requestParameters - target_field: "aws.cloudtrail.flattened.request_parameters" - if: ctx?.json?.requestParameters != null - script: lang: painless source: | - if (ctx.aws.cloudtrail.flattened.request_parameters != null) { - ctx.aws.cloudtrail.request_parameters = ctx.aws.cloudtrail.flattened.request_parameters.toString(); + if (ctx.aws.cloudtrail?.flattened == null) { + Map map = new HashMap(); + ctx.aws.cloudtrail.put("flattened", map); + } + if (ctx.json.requestParameters != null) { + ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString(); + if (ctx.aws.cloudtrail.request_parameters.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("request_parameters", ctx.json.requestParameters); + } } - ignore_failure: true - - rename: - field: json.responseElements - target_field: "aws.cloudtrail.flattened.response_elements" - if: ctx?.json?.responseElements != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.response_elements != null) { - ctx.aws.cloudtrail.response_elements = ctx.aws.cloudtrail.flattened.response_elements.toString(); + if (ctx.json.responseElements != null) { + ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString(); + if (ctx.aws.cloudtrail.response_elements.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("response_elements", ctx.json.responseElements); + } } - ignore_failure: true - - rename: - field: json.additionalEventData - target_field: "aws.cloudtrail.flattened.additional_eventdata" - if: ctx?.json?.additionalEventData != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.additional_eventdata != null) { - ctx.aws.cloudtrail.additional_eventdata = ctx.aws.cloudtrail.flattened.additional_eventdata.toString(); + if (ctx.json.additionalEventData != null) { + ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString(); + if (ctx.aws.cloudtrail.additional_eventdata.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("additional_eventdata", ctx.json.additionalEventData); + } + } + if (ctx.json.serviceEventDetails != null) { + ctx.aws.cloudtrail.service_event_details = ctx.json.serviceEventDetails.toString(); + if (ctx.aws.cloudtrail.service_event_details.length() < 32766) { + ctx.aws.cloudtrail.flattened.put("service_event_details", ctx.json.serviceEventDetails); + } } ignore_failure: true - rename: @@ -219,17 +218,6 @@ processors: field: "json.recipientAccountId" target_field: "aws.cloudtrail.recipient_account_id" ignore_failure: true - - rename: - field: json.serviceEventDetails - target_field: "aws.cloudtrail.flattened.service_event_details" - if: ctx?.json?.serviceEventDetails != null - - script: - lang: painless - source: | - if (ctx.aws.cloudtrail.flattened.service_event_details != null) { - ctx.aws.cloudtrail.service_event_details = ctx.aws.cloudtrail.flattened.service_event_details.toString(); - } - ignore_failure: true - rename: field: "json.sharedEventId" target_field: "aws.cloudtrail.shared_event_id" diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json index 3bdb628e7fb..47691a242dc 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json @@ -63,6 +63,7 @@ "source.as.organization.name": "CHINA UNICOM China169 Backbone", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 29.5569, "source.geo.location.lon": 106.5531, "source.geo.region_iso_code": "CN-CQ", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 5783ade81ed..41cca74d099 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -39,6 +39,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json index c9ee01ef238..1531a7c1e5a 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json @@ -32,6 +32,7 @@ "source.geo.city_name": "Boardman", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 45.8491, "source.geo.location.lon": -119.7143, "source.geo.region_iso_code": "US-OR", diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json index a566b2f9478..28e1564e928 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json @@ -35,6 +35,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -83,6 +84,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -131,6 +133,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -179,6 +182,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -227,6 +231,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -275,6 +280,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -323,6 +329,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -375,6 +382,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -427,6 +435,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -479,6 +488,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", diff --git a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json index c1916fd1ec2..48701c8a985 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json @@ -31,6 +31,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -74,6 +75,7 @@ "source.geo.city_name": "Mytishchi", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.9089, "source.geo.location.lon": 37.7339, "source.geo.region_iso_code": "RU-MOS", @@ -117,6 +119,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -160,6 +163,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -203,6 +207,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", diff --git a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json index 8b394e2b07e..e960e211763 100644 --- a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json @@ -25,6 +25,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -61,6 +62,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -97,6 +99,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -133,6 +136,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -169,6 +173,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", @@ -205,6 +210,7 @@ "source.geo.city_name": "Teruel", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.3456, "source.geo.location.lon": -1.1065, "source.geo.region_iso_code": "ES-TE", diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json index e9564154424..b5db726de69 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json @@ -30,6 +30,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index 273b1512556..187f7f33589 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json @@ -33,6 +33,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -95,6 +96,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -158,6 +160,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -220,6 +223,7 @@ "geo.city_name": "Ashburn", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.0481, "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", @@ -279,6 +283,7 @@ "geo.city_name": "Teruel", "geo.continent_name": "Europe", "geo.country_iso_code": "ES", + "geo.country_name": "Spain", "geo.location.lat": 40.3456, "geo.location.lon": -1.1065, "geo.region_iso_code": "ES-TE", @@ -331,6 +336,7 @@ "geo.city_name": "Denver", "geo.continent_name": "North America", "geo.country_iso_code": "US", + "geo.country_name": "United States", "geo.location.lat": 39.7044, "geo.location.lon": -105.0023, "geo.region_iso_code": "US-CO", diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json index 170b8851ec9..1f1b3e061b2 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", "destination.geo.location.lat": 40.4172, "destination.geo.location.lon": -3.684, "destination.ip": "158.109.0.1", @@ -47,6 +48,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -72,6 +74,7 @@ "destination.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "ES", + "destination.geo.country_name": "Spain", "destination.geo.location.lat": 40.4172, "destination.geo.location.lon": -3.684, "destination.ip": "158.109.0.1", @@ -106,6 +109,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json index 6b7b788ac97..ba0293752ca 100644 --- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json +++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json @@ -49,6 +49,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "IE", + "source.geo.country_name": "Ireland", "source.geo.location.lat": 53.3338, "source.geo.location.lon": -6.2488, "source.geo.region_iso_code": "IE-L", diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json index 4c0e8d4701a..3f86faee084 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json @@ -47,6 +47,7 @@ "fileset.name": "activitylogs", "geo.continent_name": "Europe", "geo.country_iso_code": "GB", + "geo.country_name": "United Kingdom", "geo.location.lat": 51.4964, "geo.location.lon": -0.1224, "input.type": "log", @@ -55,6 +56,7 @@ "service.type": "azure", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.4964, "source.geo.location.lon": -0.1224, "source.ip": "51.251.141.41", diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index db962bd4df6..5f14108e4c4 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -52,6 +52,7 @@ "fileset.name": "activitylogs", "geo.continent_name": "Asia", "geo.country_iso_code": "JP", + "geo.country_name": "Japan", "geo.location.lat": 35.69, "geo.location.lon": 139.69, "input.type": "log", @@ -62,6 +63,7 @@ "source.as.organization.name": "KDDI CORPORATION", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "JP", + "source.geo.country_name": "Japan", "source.geo.location.lat": 35.69, "source.geo.location.lon": 139.69, "source.ip": "111.111.111.11", diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index 6a0f96ae261..db0643ccf25 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json @@ -66,6 +66,7 @@ "source.geo.city_name": "Farnham Royal", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5333, "source.geo.location.lon": -0.6167, "source.geo.region_iso_code": "GB-BKM", @@ -145,6 +146,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json index ff70486fab5..ed4c2bb4d7f 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -496,8 +496,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.18.165.35", - "10.110.109.5" + "10.110.109.5", + "10.18.165.35" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, diff --git a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json index ca0127defbd..d2902dc24b6 100644 --- a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json @@ -45,6 +45,7 @@ "service.type": "cef", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "6.7.8.9", @@ -77,6 +78,7 @@ "destination.geo.city_name": "Moscow", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7527, "destination.geo.location.lon": 37.6172, "destination.geo.region_iso_code": "RU-MOW", @@ -114,6 +116,7 @@ "service.type": "cef", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "6.7.8.9", diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index 8d027229032..eefe063490d 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json @@ -48,6 +48,7 @@ "destination.geo.city_name": "Des Moines", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 41.6006, "destination.geo.location.lon": -93.6112, "destination.geo.region_iso_code": "US-IA", diff --git a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json index fd07aa51eca..30fc5952b01 100644 --- a/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/checkpoint/firewall/test/checkpoint.log-expected.json @@ -150,6 +150,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -270,6 +271,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -388,6 +390,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -506,6 +509,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -624,6 +628,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.81.142.43", @@ -742,6 +747,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -860,6 +866,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -978,6 +985,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -1096,6 +1104,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -1214,6 +1223,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -1332,6 +1342,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -1450,6 +1461,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -1568,6 +1580,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -1686,6 +1699,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -1804,6 +1818,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -1922,6 +1937,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -2040,6 +2056,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -2206,6 +2223,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -2298,6 +2316,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -2526,6 +2545,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -2644,6 +2664,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -2762,6 +2783,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -2880,6 +2902,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -2998,6 +3021,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -3116,6 +3140,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3282,6 +3307,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -3400,6 +3426,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -3518,6 +3545,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3636,6 +3664,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -3754,6 +3783,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -3818,6 +3848,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -3990,6 +4021,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -4108,6 +4140,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -4254,6 +4287,7 @@ "destination.geo.city_name": "Tel Aviv", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IL", + "destination.geo.country_name": "Israel", "destination.geo.location.lat": 32.0678, "destination.geo.location.lon": 34.7647, "destination.geo.region_iso_code": "IL-TA", @@ -4428,6 +4462,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.81.142.43", @@ -4546,6 +4581,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -4664,6 +4700,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -4782,6 +4819,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -4900,6 +4938,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -5018,6 +5057,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", @@ -5136,6 +5176,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -5254,6 +5295,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.41", @@ -5372,6 +5414,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.36", @@ -5490,6 +5533,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.99.234.45", @@ -5608,6 +5652,7 @@ "destination.as.organization.name": "Sucuri", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "192.124.249.31", diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 73d42d43af7..66cc3da4b0c 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -1136,6 +1136,7 @@ "destination.geo.city_name": "Thousand Oaks", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.197, "destination.geo.location.lon": -118.8199, "destination.geo.region_iso_code": "US-CA", @@ -2417,6 +2418,7 @@ "destination.geo.city_name": "Clermont-Ferrand", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 45.7838, "destination.geo.location.lon": 3.0966, "destination.geo.region_iso_code": "FR-63", @@ -2467,6 +2469,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -2542,6 +2545,7 @@ "destination.geo.city_name": "Riga", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "LV", + "destination.geo.country_name": "Latvia", "destination.geo.location.lat": 56.9496, "destination.geo.location.lon": 24.0978, "destination.geo.region_iso_code": "LV-RIX", @@ -2927,6 +2931,7 @@ "source.geo.city_name": "London", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.5888, "source.geo.location.lon": -0.0247, "source.geo.region_iso_code": "GB-ENG", @@ -2946,6 +2951,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5888, "destination.geo.location.lon": -0.0247, "destination.geo.region_iso_code": "GB-ENG", @@ -3029,6 +3035,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -3075,6 +3082,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -3093,6 +3101,7 @@ "destination.geo.city_name": "Stoke Newington", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5638, "destination.geo.location.lon": -0.0765, "destination.geo.region_iso_code": "GB-HCK", @@ -3139,6 +3148,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "IE", + "source.geo.country_name": "Ireland", "source.geo.location.lat": 53.3338, "source.geo.location.lon": -6.2488, "source.geo.region_iso_code": "IE-L", diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 94f2b616d27..a57299252ca 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -509,6 +509,7 @@ "destination.address": "1.2.33.40", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "CN", + "destination.geo.country_name": "China", "destination.geo.location.lat": 23.1167, "destination.geo.location.lon": 113.25, "destination.geo.region_iso_code": "CN-GD", diff --git a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json index bb691462f78..e86dd81aead 100644 --- a/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/dap_records.log-expected.json @@ -35,6 +35,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index 37efb99f483..b7b065dea1c 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -39,6 +39,7 @@ "destination.bytes": 145, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -147,6 +148,7 @@ "destination.bytes": 193, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -253,6 +255,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -361,6 +364,7 @@ "destination.bytes": 200, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -468,6 +472,7 @@ "destination.bytes": 193, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -574,6 +579,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -683,6 +689,7 @@ "destination.bytes": 199, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -789,6 +796,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -896,6 +904,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1004,6 +1013,7 @@ "destination.bytes": 722, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1111,6 +1121,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6109, "destination.geo.location.lon": -122.3303, "destination.geo.region_iso_code": "US-WA", @@ -1217,6 +1228,7 @@ "destination.bytes": 313, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1322,6 +1334,7 @@ "destination.bytes": 180, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1428,6 +1441,7 @@ "destination.bytes": 108, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1535,6 +1549,7 @@ "destination.bytes": 162, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "9.9.9.9", @@ -1643,6 +1658,7 @@ "destination.bytes": 199, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1749,6 +1765,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1855,6 +1872,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1961,6 +1979,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2066,6 +2085,7 @@ "destination.bytes": 131, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2173,6 +2193,7 @@ "destination.bytes": 722, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 3cef5df9a0f..7490bc1ac57 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -217,6 +217,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -321,6 +322,7 @@ "destination.bytes": 314, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -422,6 +424,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -526,6 +529,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -633,6 +637,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", @@ -736,6 +741,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index 8ab3e55fc87..135a2979210 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -581,6 +581,7 @@ "destination.geo.city_name": "Magdeburg", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 52.1333, "destination.geo.location.lon": 11.6167, "destination.geo.region_iso_code": "DE-ST", @@ -763,6 +764,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 73ab6378da1..0b669eb5dff 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -44,6 +44,7 @@ "destination.bytes": 246, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "2.2.2.2", @@ -102,6 +103,7 @@ "source.geo.city_name": "Seattle", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6348, "source.geo.location.lon": -122.3451, "source.geo.region_iso_code": "US-WA", diff --git a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json index 3485b3ff583..0695d3730aa 100644 --- a/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json +++ b/x-pack/filebeat/module/cisco/ios/test/cisco-ios-syslog.log-expected.json @@ -331,6 +331,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -828,6 +829,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1022,6 +1024,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1122,6 +1125,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1210,6 +1214,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -1296,6 +1301,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", @@ -1537,6 +1543,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.10.46", diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index beeffa9b5eb..93b25705912 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -122,8 +122,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.155.236.240", - "10.112.46.169" + "10.112.46.169", + "10.155.236.240" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -345,8 +345,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.134.0.141", - "10.210.213.18" + "10.210.213.18", + "10.134.0.141" ], "rsa.internal.event_desc": "atquovosecurity_event iumto", "rsa.internal.messageid": "security_event", @@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.85.10.165", - "10.53.150.119" + "10.53.150.119", + "10.85.10.165" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -623,8 +623,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.205.47.51", - "10.219.84.37" + "10.219.84.37", + "10.205.47.51" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -831,8 +831,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.31.77.157", - "10.12.182.70" + "10.12.182.70", + "10.31.77.157" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -896,8 +896,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.135.217.12", - "10.93.68.231" + "10.93.68.231", + "10.135.217.12" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -960,8 +960,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.247.30.212", - "10.66.89.5" + "10.66.89.5", + "10.247.30.212" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.37.86", - "10.58.64.108" + "10.58.64.108", + "10.54.37.86" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1142,8 +1142,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.183.44.198", - "10.0.200.27" + "10.0.200.27", + "10.183.44.198" ], "rsa.internal.event_desc": "uradi security_event tot", "rsa.internal.messageid": "security_event", @@ -1177,8 +1177,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.148.124.84", - "10.28.144.180" + "10.28.144.180", + "10.148.124.84" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1215,8 +1215,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.98.194.212", - "10.204.230.166" + "10.204.230.166", + "10.98.194.212" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1312,8 +1312,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.150.245.88", - "10.242.77.170" + "10.242.77.170", + "10.150.245.88" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1447,8 +1447,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.230.6.127", - "10.111.157.56" + "10.111.157.56", + "10.230.6.127" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1486,8 +1486,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.179.40.170", - "10.193.219.34" + "10.193.219.34", + "10.179.40.170" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1638,8 +1638,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.124.63.4", - "10.90.99.245" + "10.90.99.245", + "10.124.63.4" ], "rsa.internal.event_desc": "etconsec", "rsa.internal.messageid": "security_event", @@ -1733,8 +1733,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.196.96.162", - "10.81.234.34" + "10.81.234.34", + "10.196.96.162" ], "rsa.internal.event_desc": "Utenima security_event iqua", "rsa.internal.messageid": "security_event", @@ -1903,8 +1903,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.86.188.179", - "10.201.168.116" + "10.201.168.116", + "10.86.188.179" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2011,8 +2011,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.120.4.9", - "10.97.46.16" + "10.97.46.16", + "10.120.4.9" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2084,8 +2084,8 @@ "uames4985.mail.localdomain" ], "related.ip": [ - "10.150.163.151", - "10.144.57.239" + "10.144.57.239", + "10.150.163.151" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2126,8 +2126,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.44.231", - "10.52.202.158" + "10.52.202.158", + "10.54.44.231" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2252,8 +2252,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.2.110.73", - "10.103.49.129" + "10.103.49.129", + "10.2.110.73" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2292,8 +2292,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.132.176.96", - "10.158.61.228" + "10.158.61.228", + "10.132.176.96" ], "rsa.counters.dclass_r1": "eserun", "rsa.internal.messageid": "events", @@ -2333,8 +2333,8 @@ "lors2232.api.example" ], "related.ip": [ - "10.46.217.155", - "10.105.136.146" + "10.105.136.146", + "10.46.217.155" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2374,8 +2374,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.123.62.215", - "10.245.199.23" + "10.245.199.23", + "10.123.62.215" ], "rsa.db.index": "iusmodt", "rsa.internal.messageid": "flows", @@ -2480,8 +2480,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.246.152.72", - "10.34.62.190" + "10.34.62.190", + "10.246.152.72" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", @@ -2758,8 +2758,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.65.0.157", - "10.17.111.91" + "10.17.111.91", + "10.65.0.157" ], "rsa.db.index": "nostrum", "rsa.internal.messageid": "flows", @@ -2893,8 +2893,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.199.103.185", - "10.51.121.223" + "10.51.121.223", + "10.199.103.185" ], "rsa.internal.event_desc": "dipi security_event ecatc", "rsa.internal.messageid": "security_event", @@ -2988,8 +2988,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.113.152.241", - "10.121.37.244" + "10.121.37.244", + "10.113.152.241" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -3067,8 +3067,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.200.98.243", - "10.101.13.122" + "10.101.13.122", + "10.200.98.243" ], "rsa.counters.dclass_r1": "uteirur", "rsa.internal.messageid": "events", @@ -3143,8 +3143,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.147.165.30", - "10.195.90.73" + "10.195.90.73", + "10.147.165.30" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3206,8 +3206,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.162.202.14", - "10.137.166.97" + "10.137.166.97", + "10.162.202.14" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -3330,8 +3330,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.75.122.111", - "10.85.59.172" + "10.85.59.172", + "10.75.122.111" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events", diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json index cb772d91268..837f7b744a7 100644 --- a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json @@ -101,8 +101,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.72.11.247", - "10.134.175.248" + "10.134.175.248", + "10.72.11.247" ], "rsa.counters.dclass_c1": 1279, "rsa.db.index": "antium", @@ -185,10 +185,10 @@ "observer.vendor": "Citrix", "related.ip": [ "10.96.119.12", + "10.156.210.168", "10.21.92.218", - "10.83.234.60", "10.109.68.21", - "10.156.210.168" + "10.83.234.60" ], "related.user": [ "picia" @@ -1332,11 +1332,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.45.114.111", - "10.180.83.140", - "10.243.226.122", "10.117.94.131", - "10.3.23.172" + "10.180.83.140", + "10.3.23.172", + "10.45.114.111", + "10.243.226.122" ], "related.user": [ "ehender" @@ -2085,8 +2085,8 @@ "observer.vendor": "Citrix", "related.ip": [ "10.225.146.5", - "10.41.65.89", - "10.80.5.101" + "10.80.5.101", + "10.41.65.89" ], "related.user": [ "picia" @@ -2209,8 +2209,8 @@ "observer.vendor": "Citrix", "related.ip": [ "10.33.231.173", - "10.183.26.222", - "10.22.34.206" + "10.22.34.206", + "10.183.26.222" ], "related.user": [ "abill" @@ -2585,10 +2585,10 @@ "observer.vendor": "Citrix", "related.ip": [ "10.148.244.55", + "10.76.129.136", "10.133.153.174", - "10.8.82.22", "10.113.135.78", - "10.76.129.136" + "10.8.82.22" ], "related.user": [ "asiar" @@ -2662,8 +2662,8 @@ "rsa.db.index": "aturE", "rsa.internal.messageid": "APPFW_REFERER_HEADER", "rsa.misc.action": [ - "remip", - "cancel" + "cancel", + "remip" ], "rsa.misc.policy_name": "oNemoeni", "rsa.misc.rule": "citation", @@ -2938,9 +2938,9 @@ "observer.vendor": "Citrix", "related.ip": [ "10.29.202.248", - "10.161.218.47", + "10.206.5.50", "10.247.251.223", - "10.206.5.50" + "10.161.218.47" ], "rsa.internal.event_desc": "A Server side and a Client side TCP connection is delinked. This is not tracked by Netscaler", "rsa.internal.messageid": "TCP_OTHERCONN_DELINK", @@ -3076,8 +3076,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.148.72.78", - "10.37.99.189" + "10.37.99.189", + "10.148.72.78" ], "rsa.crypto.cipher_src": "ritatis", "rsa.crypto.ssl_ver_src": "ugitsed", diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json index 2bf31b06a52..4056ed473ca 100644 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json @@ -20,9 +20,9 @@ "10.208.15.216" ], "related.user": [ - "quasiarc", "itv", - "utl" + "utl", + "quasiarc" ], "rsa.db.index": "nes", "rsa.internal.event_desc": "pexe", @@ -71,9 +71,9 @@ "10.175.75.18" ], "related.user": [ + "dolore", "nnumqu", - "orev", - "dolore" + "orev" ], "rsa.db.database": "umdo", "rsa.db.index": "vol", @@ -130,8 +130,8 @@ "anti4454.api.example" ], "related.ip": [ - "10.51.132.10", - "10.46.185.46" + "10.46.185.46", + "10.51.132.10" ], "related.user": [ "incid", @@ -197,9 +197,9 @@ "10.53.192.140" ], "related.user": [ - "psumquia", + "atcup", "ptass", - "atcup" + "psumquia" ], "rsa.db.database": "aperi", "rsa.db.index": "llumd", @@ -253,9 +253,9 @@ "10.81.199.122" ], "related.user": [ - "oremips", + "eos", "giatq", - "eos" + "oremips" ], "rsa.db.index": "tempo", "rsa.internal.event_desc": "uian", @@ -300,13 +300,13 @@ "temq1198.internal.example" ], "related.ip": [ - "10.139.186.201", - "10.172.14.142" + "10.172.14.142", + "10.139.186.201" ], "related.user": [ + "uam", "tcupida", - "aboris", - "uam" + "aboris" ], "rsa.db.database": "isiu", "rsa.db.index": "iatisu", @@ -363,13 +363,13 @@ "tenbyCic5882.api.home" ], "related.ip": [ - "10.104.111.129", - "10.47.76.251" + "10.47.76.251", + "10.104.111.129" ], "related.user": [ - "ele", "etconsec", - "ipis" + "ipis", + "ele" ], "rsa.db.database": "riat", "rsa.db.index": "umdolor", @@ -423,9 +423,9 @@ "10.116.120.216" ], "related.user": [ + "quiratio", "umdo", - "animi", - "quiratio" + "animi" ], "rsa.db.index": "oll", "rsa.internal.event_desc": "rumet", @@ -474,9 +474,9 @@ "10.62.54.220" ], "related.user": [ - "taevi", "psum", - "rnatura" + "rnatura", + "taevi" ], "rsa.db.database": "emeumfug", "rsa.db.index": "omn", @@ -530,9 +530,9 @@ "10.74.237.180" ], "related.user": [ - "tnon", "ema", - "cup" + "cup", + "tnon" ], "rsa.db.index": "remeumf", "rsa.internal.event_desc": "lup", @@ -574,8 +574,8 @@ "10.18.165.35" ], "related.user": [ - "modocons", "remeum", + "modocons", "lor" ], "rsa.db.index": "etM", @@ -618,9 +618,9 @@ "10.74.253.127" ], "related.user": [ + "onproide", "icab", - "tema", - "onproide" + "tema" ], "rsa.db.index": "mqui", "rsa.internal.event_desc": "eomnisis", @@ -664,8 +664,8 @@ "tlabo6088.www.localdomain" ], "related.ip": [ - "10.92.8.15", - "10.189.109.245" + "10.189.109.245", + "10.92.8.15" ], "related.user": [ "inima", @@ -722,9 +722,9 @@ "10.21.78.128" ], "related.user": [ - "upt", + "giatquov", "taut", - "giatquov" + "upt" ], "rsa.db.index": "iadese", "rsa.internal.event_desc": "deFinibu", @@ -766,9 +766,9 @@ "10.18.109.121" ], "related.user": [ - "pida", "hil", - "tatn" + "tatn", + "pida" ], "rsa.db.index": "quip", "rsa.internal.event_desc": "ecillu", @@ -813,13 +813,13 @@ "iavolu5352.localhost" ], "related.ip": [ - "10.63.37.192", - "10.225.115.13" + "10.225.115.13", + "10.63.37.192" ], "related.user": [ "iunt", - "reetd", - "equep" + "equep", + "reetd" ], "rsa.db.database": "aliqu", "rsa.db.index": "mipsumd", @@ -876,13 +876,13 @@ "estiae3750.api.corp" ], "related.ip": [ - "10.47.202.102", - "10.95.64.124" + "10.95.64.124", + "10.47.202.102" ], "related.user": [ "run", - "ice", - "ntor" + "ntor", + "ice" ], "rsa.db.database": "ite", "rsa.db.index": "iquipex", @@ -999,13 +999,13 @@ "etMalor4236.www5.host" ], "related.ip": [ - "10.53.168.235", - "10.125.160.129" + "10.125.160.129", + "10.53.168.235" ], "related.user": [ "abi", - "one", - "ione" + "ione", + "one" ], "rsa.db.database": "sperna", "rsa.db.index": "estia", @@ -1066,9 +1066,9 @@ "10.227.177.121" ], "related.user": [ - "iduntu", "liqui", - "tasuntex" + "tasuntex", + "iduntu" ], "rsa.db.database": "rvel", "rsa.db.index": "onsecte", @@ -1129,8 +1129,8 @@ "nsecte3304.mail.corp" ], "related.ip": [ - "10.98.182.220", - "10.167.85.181" + "10.167.85.181", + "10.98.182.220" ], "related.user": [ "fde", @@ -1189,9 +1189,9 @@ "10.89.208.95" ], "related.user": [ + "iciadese", "icabo", - "sintoc", - "iciadese" + "sintoc" ], "rsa.db.index": "eni", "rsa.internal.event_desc": "rcitati", @@ -1236,13 +1236,13 @@ "nevo4284.internal.local" ], "related.ip": [ - "10.72.148.32", - "10.214.191.180" + "10.214.191.180", + "10.72.148.32" ], "related.user": [ + "uteirure", "tDuisaut", - "luptatev", - "uteirure" + "luptatev" ], "rsa.db.database": "uamest", "rsa.db.index": "uae", @@ -1299,13 +1299,13 @@ "itas981.mail.domain" ], "related.ip": [ - "10.252.124.150", - "10.136.190.236" + "10.136.190.236", + "10.252.124.150" ], "related.user": [ - "ipsumd", + "com", "litessec", - "com" + "ipsumd" ], "rsa.db.database": "tasn", "rsa.db.index": "squirati", @@ -1424,12 +1424,12 @@ "rQuisau5300.www5.example" ], "related.ip": [ - "10.154.4.197", - "10.216.84.30" + "10.216.84.30", + "10.154.4.197" ], "related.user": [ - "untu", - "intoc" + "intoc", + "untu" ], "rsa.db.database": "oditem", "rsa.db.index": "borios", @@ -1529,13 +1529,13 @@ "uamei2389.internal.example" ], "related.ip": [ - "10.65.175.9", - "10.193.83.81" + "10.193.83.81", + "10.65.175.9" ], "related.user": [ - "umqu", "ritatise", - "essequam" + "essequam", + "umqu" ], "rsa.db.database": "ender", "rsa.db.index": "entorev", @@ -1589,9 +1589,9 @@ "10.205.72.243" ], "related.user": [ - "umdolo", "isiuta", - "tatn" + "tatn", + "umdolo" ], "rsa.db.index": "proide", "rsa.internal.event_desc": "ameiusm", @@ -1633,8 +1633,8 @@ "10.107.9.163" ], "related.user": [ - "mquisno", "sit", + "mquisno", "mac" ], "rsa.db.index": "sit", @@ -1677,9 +1677,9 @@ "10.80.101.72" ], "related.user": [ - "asiarc", + "umSe", "quidexea", - "umSe" + "asiarc" ], "rsa.db.index": "veli", "rsa.internal.event_desc": "quatu", @@ -1728,8 +1728,8 @@ "10.39.10.155" ], "related.user": [ - "aboreetd", "urExcept", + "aboreetd", "ptass" ], "rsa.db.database": "teirured", @@ -1828,9 +1828,9 @@ "10.71.238.250" ], "related.user": [ - "reseo", + "moenimi", "aec", - "moenimi" + "reseo" ], "rsa.db.index": "mac", "rsa.internal.event_desc": "quamest", @@ -1875,13 +1875,13 @@ "rum5798.home" ], "related.ip": [ - "10.226.101.180", - "10.226.20.199" + "10.226.20.199", + "10.226.101.180" ], "related.user": [ + "ritt", "rationev", - "veniamqu", - "ritt" + "veniamqu" ], "rsa.db.database": "conse", "rsa.db.index": "imveniam", @@ -1944,8 +1944,8 @@ ], "related.user": [ "quaUten", - "cab", - "utaliqu" + "utaliqu", + "cab" ], "rsa.db.database": "isciv", "rsa.db.index": "nofd", @@ -2002,9 +2002,9 @@ "10.70.147.120" ], "related.user": [ + "cidunt", "tten", - "emqu", - "cidunt" + "emqu" ], "rsa.db.index": "eaqu", "rsa.internal.event_desc": "quidol", @@ -2049,12 +2049,12 @@ "tesse1089.www.host" ], "related.ip": [ - "10.178.242.100", - "10.24.111.229" + "10.24.111.229", + "10.178.242.100" ], "related.user": [ - "loi", "dqu", + "loi", "idid" ], "rsa.db.database": "tenatuse", @@ -2110,8 +2110,8 @@ ], "related.user": [ "ritati", - "mmodoc", - "untincul" + "untincul", + "mmodoc" ], "rsa.db.index": "emvele", "rsa.internal.event_desc": "oluptas", @@ -2153,9 +2153,9 @@ "10.30.243.163" ], "related.user": [ + "illu", "mven", - "dolore", - "illu" + "dolore" ], "rsa.db.index": "idol", "rsa.internal.event_desc": "lore", @@ -2204,9 +2204,9 @@ "10.6.79.159" ], "related.user": [ - "midestl", + "amvo", "quid", - "amvo" + "midestl" ], "rsa.db.database": "urExce", "rsa.db.index": "ectiono", @@ -2263,13 +2263,13 @@ "aecatcup2241.www5.test" ], "related.ip": [ - "10.237.170.202", - "10.70.147.46" + "10.70.147.46", + "10.237.170.202" ], "related.user": [ "liquide", - "atDu", - "rcit" + "rcit", + "atDu" ], "rsa.db.database": "taedict", "rsa.db.index": "loremeu", @@ -2326,13 +2326,13 @@ "mad5185.www5.localhost" ], "related.ip": [ - "10.228.118.81", - "10.179.50.138" + "10.179.50.138", + "10.228.118.81" ], "related.user": [ "emoe", - "itasper", - "tatemU" + "tatemU", + "itasper" ], "rsa.db.database": "toditaut", "rsa.db.index": "ugit", @@ -2393,9 +2393,9 @@ "10.234.165.130" ], "related.user": [ + "henderit", "emip", - "iuntNequ", - "henderit" + "iuntNequ" ], "rsa.db.database": "veniamqu", "rsa.db.index": "atquo", @@ -2449,8 +2449,8 @@ "10.199.5.49" ], "related.user": [ - "turadipi", "emip", + "turadipi", "olorema" ], "rsa.db.index": "ataevi", @@ -2544,9 +2544,9 @@ "10.120.167.217" ], "related.user": [ - "animid", "dolorem", - "rsp" + "rsp", + "animid" ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2603,13 +2603,13 @@ "mporainc2064.home" ], "related.ip": [ - "10.117.137.159", - "10.141.213.219" + "10.141.213.219", + "10.117.137.159" ], "related.user": [ "accusa", - "ate", - "atev" + "atev", + "ate" ], "rsa.db.database": "nibus", "rsa.db.index": "ser", @@ -2671,8 +2671,8 @@ ], "related.user": [ "eavol", - "rem", - "etconsec" + "etconsec", + "rem" ], "rsa.db.database": "oditempo", "rsa.db.index": "deF", @@ -2735,8 +2735,8 @@ "10.38.28.151" ], "related.user": [ - "tiumto", "incidid", + "tiumto", "mipsumqu" ], "rsa.db.database": "abor", @@ -2796,13 +2796,13 @@ "dolori6232.api.invalid" ], "related.ip": [ - "10.255.28.56", - "10.214.245.95" + "10.214.245.95", + "10.255.28.56" ], "related.user": [ "umdolors", - "uptatem", - "rerepre" + "rerepre", + "uptatem" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", @@ -2856,8 +2856,8 @@ "10.45.35.180" ], "related.user": [ - "mip", "Utenima", + "mip", "qui" ], "rsa.db.index": "boree", @@ -2900,9 +2900,9 @@ "10.141.200.133" ], "related.user": [ - "enim", "iame", - "ess" + "ess", + "enim" ], "rsa.db.index": "nofdeFi", "rsa.internal.event_desc": "isnostru", @@ -2944,9 +2944,9 @@ "10.83.238.145" ], "related.user": [ - "ugi", + "runtmo", "illoi", - "runtmo" + "ugi" ], "rsa.db.index": "eetdo", "rsa.internal.event_desc": "quaer", @@ -2995,9 +2995,9 @@ "10.39.143.155" ], "related.user": [ + "sedquiac", "tem", - "tperspic", - "sedquiac" + "tperspic" ], "rsa.db.database": "radipis", "rsa.db.index": "nse", @@ -3059,8 +3059,8 @@ ], "related.user": [ "minim", - "unt", - "CSe" + "CSe", + "unt" ], "rsa.db.database": "atu", "rsa.db.index": "roi", @@ -3117,13 +3117,13 @@ "olu5333.www.domain" ], "related.ip": [ - "10.168.132.175", - "10.210.61.109" + "10.210.61.109", + "10.168.132.175" ], "related.user": [ + "eursinto", "giatquov", - "iamea", - "eursinto" + "iamea" ], "rsa.db.database": "ici", "rsa.db.index": "iquaUt", @@ -3223,8 +3223,8 @@ ], "related.user": [ "oeni", - "etquasia", - "xplic" + "xplic", + "etquasia" ], "rsa.db.index": "hend", "rsa.internal.event_desc": "piscivel", @@ -3271,8 +3271,8 @@ ], "related.user": [ "rsitvol", - "iati", - "Nemoenim" + "Nemoenim", + "iati" ], "rsa.db.index": "eFini", "rsa.internal.event_desc": "acom", @@ -3322,8 +3322,8 @@ ], "related.user": [ "orissu", - "eufug", - "ine" + "ine", + "eufug" ], "rsa.db.database": "stquidol", "rsa.db.index": "imadmini", @@ -3377,9 +3377,9 @@ "10.70.83.200" ], "related.user": [ - "ihilmole", + "metco", "riat", - "metco" + "ihilmole" ], "rsa.db.index": "urQuis", "rsa.internal.event_desc": "iutaliq", @@ -3491,9 +3491,9 @@ "10.52.150.104" ], "related.user": [ - "texplica", "eritq", - "oinBCSed" + "oinBCSed", + "texplica" ], "rsa.db.database": "lit", "rsa.db.index": "ritati", @@ -3554,9 +3554,9 @@ "10.61.175.217" ], "related.user": [ + "runtm", "ntexpl", - "tat", - "runtm" + "tat" ], "rsa.db.database": "rere", "rsa.db.index": "nonn", @@ -3610,9 +3610,9 @@ "10.150.30.95" ], "related.user": [ - "atnonpr", + "mini", "uisnos", - "mini" + "atnonpr" ], "rsa.db.index": "smod", "rsa.internal.event_desc": "isn", @@ -3654,8 +3654,8 @@ "10.98.71.45" ], "related.user": [ - "CSe", "fugitse", + "CSe", "onse" ], "rsa.db.index": "Dui", @@ -3698,9 +3698,9 @@ "10.252.251.143" ], "related.user": [ + "nonn", "remq", - "rspic", - "nonn" + "rspic" ], "rsa.db.index": "nre", "rsa.internal.event_desc": "tev", @@ -3742,8 +3742,8 @@ "10.197.203.167" ], "related.user": [ - "uta", "iumdo", + "uta", "eserun" ], "rsa.db.index": "smo", @@ -3786,9 +3786,9 @@ "10.187.170.23" ], "related.user": [ + "ibusBo", "sectetu", - "enima", - "ibusBo" + "enima" ], "rsa.db.index": "uido", "rsa.internal.event_desc": "lab", @@ -3833,13 +3833,13 @@ "involu1450.www.localhost" ], "related.ip": [ - "10.250.248.215", - "10.123.62.215" + "10.123.62.215", + "10.250.248.215" ], "related.user": [ "aevitaed", - "quaeratv", - "tinculpa" + "tinculpa", + "quaeratv" ], "rsa.db.database": "lica", "rsa.db.index": "uisnos", @@ -3997,9 +3997,9 @@ "10.154.172.82" ], "related.user": [ + "onnumqua", "nesci", - "tetura", - "onnumqua" + "tetura" ], "rsa.db.index": "oinBCSed", "rsa.internal.event_desc": "ntor", @@ -4041,9 +4041,9 @@ "10.47.63.70" ], "related.user": [ - "expl", "tpers", - "midestl" + "midestl", + "expl" ], "rsa.db.index": "olu", "rsa.internal.event_desc": "odocons", @@ -4085,9 +4085,9 @@ "10.178.160.245" ], "related.user": [ + "fdeFinib", "turQuis", - "olupta", - "fdeFinib" + "olupta" ], "rsa.db.index": "rsint", "rsa.internal.event_desc": "odico", @@ -4195,13 +4195,13 @@ "nimve2787.mail.test" ], "related.ip": [ - "10.222.32.183", - "10.65.207.234" + "10.65.207.234", + "10.222.32.183" ], "related.user": [ + "eve", "itame", - "eruntmo", - "eve" + "eruntmo" ], "rsa.db.database": "udexerc", "rsa.db.index": "volup", @@ -4255,8 +4255,8 @@ "10.16.181.60" ], "related.user": [ - "oinven", "gnama", + "oinven", "olore" ], "rsa.db.index": "uatu", @@ -4299,9 +4299,9 @@ "10.91.213.82" ], "related.user": [ - "illoin", "amnis", - "uianon" + "uianon", + "illoin" ], "rsa.db.index": "ons", "rsa.internal.event_desc": "temaccus", @@ -4343,9 +4343,9 @@ "10.204.214.98" ], "related.user": [ + "porissus", "tdolo", - "eprehe", - "porissus" + "eprehe" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", @@ -4388,8 +4388,8 @@ ], "related.user": [ "etc", - "moenimip", - "evel" + "evel", + "moenimip" ], "rsa.db.index": "iarchit", "rsa.internal.event_desc": "apari", @@ -4434,13 +4434,13 @@ "ama6820.mail.example" ], "related.ip": [ - "10.26.33.181", - "10.26.137.126" + "10.26.137.126", + "10.26.33.181" ], "related.user": [ - "audant", + "taevit", "ati", - "taevit" + "audant" ], "rsa.db.database": "com", "rsa.db.index": "mveni", @@ -4497,13 +4497,13 @@ "olupt966.www5.corp" ], "related.ip": [ - "10.142.161.116", - "10.148.195.208" + "10.148.195.208", + "10.142.161.116" ], "related.user": [ - "mpori", "isi", - "quaerat" + "quaerat", + "mpori" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4560,13 +4560,13 @@ "lit4112.www.localhost" ], "related.ip": [ - "10.10.174.253", - "10.107.24.54" + "10.107.24.54", + "10.10.174.253" ], "related.user": [ - "hend", + "itinvo", "uptasn", - "itinvo" + "hend" ], "rsa.db.database": "lup", "rsa.db.index": "isau", @@ -4621,8 +4621,8 @@ "10.87.92.17" ], "related.user": [ - "tamr", "luptate", + "tamr", "eeufug" ], "rsa.db.index": "oreeufug", @@ -4672,13 +4672,13 @@ "dictasun3408.internal.invalid" ], "related.ip": [ - "10.161.51.135", - "10.231.51.136" + "10.231.51.136", + "10.161.51.135" ], "related.user": [ "Finibus", - "asper", - "accus" + "accus", + "asper" ], "rsa.db.database": "litani", "rsa.db.index": "arch", @@ -4732,9 +4732,9 @@ "10.51.17.32" ], "related.user": [ + "itten", "mquido", - "llum", - "itten" + "llum" ], "rsa.db.index": "uscipit", "rsa.internal.event_desc": "llitani", @@ -4776,9 +4776,9 @@ "10.108.123.148" ], "related.user": [ - "cusa", + "ollita", "mmodicon", - "ollita" + "cusa" ], "rsa.db.index": "ercitati", "rsa.internal.event_desc": "pteurs", @@ -4828,8 +4828,8 @@ "10.198.187.144" ], "related.user": [ - "rsitamet", "equatD", + "rsitamet", "ons" ], "rsa.db.database": "periam", @@ -4888,9 +4888,9 @@ "10.61.140.120" ], "related.user": [ - "naaliq", "loru", - "equa" + "equa", + "naaliq" ], "rsa.db.index": "umfugiat", "rsa.internal.event_desc": "ora", @@ -4939,9 +4939,9 @@ "10.93.24.151" ], "related.user": [ - "sequamn", "ite", - "nven" + "nven", + "sequamn" ], "rsa.db.database": "fugi", "rsa.db.index": "nesciu", @@ -4995,9 +4995,9 @@ "10.101.45.225" ], "related.user": [ - "cipitla", "emi", - "uinesc" + "uinesc", + "cipitla" ], "rsa.db.index": "caecat", "rsa.internal.event_desc": "tsunt", @@ -5088,9 +5088,9 @@ "10.33.112.100" ], "related.user": [ - "ptatemse", "aliqu", - "enimad" + "enimad", + "ptatemse" ], "rsa.db.index": "Except", "rsa.internal.event_desc": "cons", @@ -5135,12 +5135,12 @@ "isno4595.local" ], "related.ip": [ - "10.151.110.250", - "10.94.152.238" + "10.94.152.238", + "10.151.110.250" ], "related.user": [ - "tla", "neavol", + "tla", "pidatatn" ], "rsa.db.database": "itaedict", @@ -5198,13 +5198,13 @@ "tatemse5403.home" ], "related.ip": [ - "10.146.61.5", - "10.77.9.17" + "10.77.9.17", + "10.146.61.5" ], "related.user": [ - "tevel", "umS", - "alorumwr" + "alorumwr", + "tevel" ], "rsa.db.database": "amremap", "rsa.db.index": "aqu", @@ -5305,8 +5305,8 @@ "reprehe650.www.corp" ], "related.ip": [ - "10.200.162.248", - "10.31.86.83" + "10.31.86.83", + "10.200.162.248" ], "related.user": [ "onnu", diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json index e6ca9516ad0..483625d8bea 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json +++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy-json.log-expected.json @@ -7,6 +7,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", diff --git a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json index 1c9482cefdb..703b5e977b3 100644 --- a/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json +++ b/x-pack/filebeat/module/envoyproxy/log/test/envoy.log-expected.json @@ -140,6 +140,7 @@ "destination.as.organization.name": "Fastly", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "151.101.66.217", diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json index d1729062282..13fe3560c05 100644 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json @@ -24,10 +24,10 @@ "tatemac3541.api.corp" ], "related.ip": [ + "10.208.121.85", "10.165.201.71", - "10.228.193.207", "10.11.196.142", - "10.208.121.85" + "10.228.193.207" ], "related.user": [ "billoi" @@ -93,9 +93,9 @@ ], "related.ip": [ "10.51.132.10", - "10.162.9.235", + "10.92.202.200", "10.94.67.230", - "10.92.202.200" + "10.162.9.235" ], "related.user": [ "byC" @@ -228,9 +228,9 @@ ], "related.ip": [ "10.12.44.169", - "10.202.66.28", + "10.131.233.27", "10.50.112.141", - "10.131.233.27" + "10.202.66.28" ], "related.user": [ "elits" @@ -296,9 +296,9 @@ ], "related.ip": [ "10.159.182.171", + "10.206.197.113", "10.151.111.38", - "10.96.35.212", - "10.206.197.113" + "10.96.35.212" ], "related.user": [ "mol" @@ -365,8 +365,8 @@ "related.ip": [ "10.126.177.162", "10.213.113.28", - "10.169.144.147", - "10.89.163.114" + "10.89.163.114", + "10.169.144.147" ], "related.user": [ "ist" @@ -430,10 +430,10 @@ "ittenbyC7838.api.localdomain" ], "related.ip": [ - "10.101.223.43", - "10.18.124.28", + "10.146.88.52", "10.103.107.47", - "10.146.88.52" + "10.101.223.43", + "10.18.124.28" ], "related.user": [ "rudexerc" @@ -498,8 +498,8 @@ "ume465.corp" ], "related.ip": [ - "10.150.220.75", "10.189.109.245", + "10.150.220.75", "10.69.57.206", "10.110.99.17" ], @@ -565,8 +565,8 @@ "iciatisu1463.www5.localdomain" ], "related.ip": [ - "10.199.34.241", "10.121.219.204", + "10.199.34.241", "10.153.136.222", "10.19.194.101" ], @@ -632,9 +632,9 @@ "aliqu6801.api.localdomain" ], "related.ip": [ - "10.57.103.192", "10.64.141.105", "10.46.27.57", + "10.57.103.192", "10.182.199.231" ], "related.user": [ @@ -699,10 +699,10 @@ "itame189.domain" ], "related.ip": [ - "10.32.67.231", - "10.3.134.237", + "10.164.6.207", "10.160.210.31", - "10.164.6.207" + "10.3.134.237", + "10.32.67.231" ], "related.user": [ "pic" @@ -768,8 +768,8 @@ ], "related.ip": [ "10.42.138.192", - "10.201.6.10", "10.235.101.253", + "10.201.6.10", "10.182.178.217" ], "related.user": [ @@ -835,9 +835,9 @@ "stlabo1228.mail.host" ], "related.ip": [ - "10.86.101.235", - "10.194.247.171", "10.151.161.70", + "10.194.247.171", + "10.86.101.235", "10.22.102.198" ], "related.user": [ @@ -904,9 +904,9 @@ ], "related.ip": [ "10.174.252.105", - "10.204.35.15", + "10.167.172.155", "10.107.168.60", - "10.167.172.155" + "10.204.35.15" ], "related.user": [ "mnisi" @@ -971,9 +971,9 @@ ], "related.ip": [ "10.99.249.210", + "10.214.249.164", "10.182.191.174", - "10.81.26.208", - "10.214.249.164" + "10.81.26.208" ], "related.user": [ "upta" @@ -1037,9 +1037,9 @@ "sauteiru4554.api.domain" ], "related.ip": [ + "10.220.5.143", "10.88.101.53", "10.201.238.90", - "10.220.5.143", "10.101.226.128" ], "related.user": [ @@ -1104,10 +1104,10 @@ "untut4046.internal.domain" ], "related.ip": [ - "10.243.218.215", - "10.217.150.196", + "10.30.133.66", "10.157.18.252", - "10.30.133.66" + "10.243.218.215", + "10.217.150.196" ], "related.user": [ "evit" @@ -1171,10 +1171,10 @@ "quid3147.mail.home" ], "related.ip": [ - "10.167.227.44", "10.181.133.187", "10.148.161.250", - "10.66.181.6" + "10.66.181.6", + "10.167.227.44" ], "related.user": [ "adipisc" @@ -1239,10 +1239,10 @@ "umdolo1029.mail.localhost" ], "related.ip": [ - "10.74.11.43", - "10.54.17.32", "10.84.163.178", - "10.107.9.163" + "10.107.9.163", + "10.54.17.32", + "10.74.11.43" ], "related.user": [ "mquisno" @@ -1307,9 +1307,9 @@ ], "related.ip": [ "10.230.129.252", - "10.184.73.211", + "10.112.32.213", "10.192.229.221", - "10.112.32.213" + "10.184.73.211" ], "related.user": [ "odi" @@ -1374,10 +1374,10 @@ "paquioff624.mail.invalid" ], "related.ip": [ - "10.161.148.64", + "10.198.213.189", "10.199.216.143", - "10.7.200.140", - "10.198.213.189" + "10.161.148.64", + "10.7.200.140" ], "related.user": [ "ccaeca" @@ -1441,10 +1441,10 @@ "mex2054.mail.corp" ], "related.ip": [ + "10.65.232.27", "10.206.96.56", - "10.22.187.69", "10.128.157.27", - "10.65.232.27" + "10.22.187.69" ], "related.user": [ "uaeab" @@ -1509,9 +1509,9 @@ ], "related.ip": [ "10.194.210.62", - "10.68.253.120", "10.183.130.225", - "10.71.114.14" + "10.71.114.14", + "10.68.253.120" ], "related.user": [ "admin" @@ -1576,10 +1576,10 @@ "loi7596.www5.home" ], "related.ip": [ - "10.47.255.237", - "10.45.253.103", "10.107.45.175", - "10.31.177.226" + "10.31.177.226", + "10.47.255.237", + "10.45.253.103" ], "related.user": [ "remagn" @@ -1644,10 +1644,10 @@ "nsequat1971.internal.invalid" ], "related.ip": [ + "10.225.212.189", "10.44.58.106", - "10.55.105.113", "10.213.94.135", - "10.225.212.189" + "10.55.105.113" ], "related.user": [ "dquia" @@ -1711,9 +1711,9 @@ "ectiono2241.lan" ], "related.ip": [ - "10.255.74.136", "10.69.161.78", "10.163.209.70", + "10.255.74.136", "10.2.114.9" ], "related.user": [ @@ -1778,10 +1778,10 @@ "umetMal1664.mail.lan" ], "related.ip": [ - "10.46.115.216", - "10.252.102.110", + "10.184.59.148", "10.12.129.137", - "10.184.59.148" + "10.46.115.216", + "10.252.102.110" ], "related.user": [ "perspici" @@ -1848,8 +1848,8 @@ "related.ip": [ "10.81.184.7", "10.199.194.79", - "10.155.204.243", - "10.105.52.140" + "10.105.52.140", + "10.155.204.243" ], "related.user": [ "eetd" @@ -1916,8 +1916,8 @@ "related.ip": [ "10.251.231.142", "10.177.238.45", - "10.18.226.72", - "10.110.2.166" + "10.110.2.166", + "10.18.226.72" ], "related.user": [ "taliqui" @@ -1982,10 +1982,10 @@ "iutali7297.www.domain" ], "related.ip": [ + "10.192.98.247", "10.99.202.229", - "10.100.199.226", "10.190.122.27", - "10.192.98.247" + "10.100.199.226" ], "related.user": [ "lloinven" @@ -2050,10 +2050,10 @@ "orumw5960.www5.home" ], "related.ip": [ + "10.172.154.97", "10.248.111.207", - "10.162.97.197", "10.37.193.70", - "10.172.154.97" + "10.162.97.197" ], "related.user": [ "culpaq" @@ -2117,10 +2117,10 @@ "oinv5493.internal.domain" ], "related.ip": [ + "10.36.63.31", "10.171.221.230", "10.222.165.250", - "10.45.35.180", - "10.36.63.31" + "10.45.35.180" ], "related.user": [ "otamr" @@ -2184,9 +2184,9 @@ "tnonproi195.api.home" ], "related.ip": [ - "10.1.171.61", - "10.199.127.211", "10.83.238.145", + "10.199.127.211", + "10.1.171.61", "10.238.4.219" ], "related.user": [ @@ -2252,9 +2252,9 @@ ], "related.ip": [ "10.170.252.219", - "10.65.141.244", + "10.44.226.104", "10.74.213.42", - "10.44.226.104" + "10.65.141.244" ], "related.user": [ "Nequepo" @@ -2385,10 +2385,10 @@ "redo6311.api.invalid" ], "related.ip": [ - "10.176.64.28", + "10.169.123.103", "10.97.138.181", "10.205.174.181", - "10.169.123.103" + "10.176.64.28" ], "related.user": [ "eseruntm" @@ -2453,10 +2453,10 @@ "dolorem1698.www.domain" ], "related.ip": [ + "10.204.4.40", "10.75.120.11", - "10.169.101.161", "10.53.101.131", - "10.204.4.40" + "10.169.101.161" ], "related.user": [ "tquo" @@ -2521,10 +2521,10 @@ "evitae7333.www.lan" ], "related.ip": [ - "10.156.117.169", "10.28.51.219", - "10.6.222.112", - "10.87.120.87" + "10.156.117.169", + "10.87.120.87", + "10.6.222.112" ], "related.user": [ "onsequu" @@ -2589,9 +2589,9 @@ ], "related.ip": [ "10.247.44.59", + "10.4.126.103", "10.57.89.155", - "10.253.167.17", - "10.4.126.103" + "10.253.167.17" ], "related.user": [ "ntorever" @@ -2655,10 +2655,10 @@ "olorsi2746.internal.localhost" ], "related.ip": [ - "10.36.69.125", "10.15.240.220", + "10.143.183.208", "10.248.206.210", - "10.143.183.208" + "10.36.69.125" ], "related.user": [ "met" @@ -2724,8 +2724,8 @@ ], "related.ip": [ "10.69.170.107", - "10.6.32.7", "10.34.133.2", + "10.6.32.7", "10.142.186.43" ], "related.user": [ @@ -2791,10 +2791,10 @@ "ender5647.www5.example" ], "related.ip": [ - "10.59.103.10", - "10.170.165.164", "10.121.153.197", - "10.142.22.24" + "10.142.22.24", + "10.59.103.10", + "10.170.165.164" ], "related.user": [ "borumSec" @@ -2859,9 +2859,9 @@ "sis3986.internal.lan" ], "related.ip": [ - "10.19.99.129", - "10.247.114.30", "10.176.83.7", + "10.247.114.30", + "10.19.99.129", "10.133.10.122" ], "related.user": [ @@ -2927,10 +2927,10 @@ "uatu2894.api.lan" ], "related.ip": [ + "10.64.139.17", "10.70.7.23", - "10.40.177.138", "10.8.29.219", - "10.64.139.17" + "10.40.177.138" ], "related.user": [ "rep" @@ -2996,8 +2996,8 @@ "related.ip": [ "10.2.189.20", "10.67.221.220", - "10.67.173.228", - "10.180.62.222" + "10.180.62.222", + "10.67.173.228" ], "related.user": [ "uptasnul" @@ -3062,10 +3062,10 @@ "uian521.www.example" ], "related.ip": [ - "10.147.127.181", + "10.196.176.243", "10.209.52.47", "10.56.134.118", - "10.196.176.243" + "10.147.127.181" ], "related.user": [ "tasu" @@ -3130,9 +3130,9 @@ ], "related.ip": [ "10.226.24.84", - "10.248.140.59", + "10.85.13.237", "10.231.18.90", - "10.85.13.237" + "10.248.140.59" ], "related.user": [ "Nem" @@ -3197,10 +3197,10 @@ "ntsunt4894.mail.domain" ], "related.ip": [ - "10.59.215.207", - "10.207.183.204", + "10.203.46.215", "10.8.224.72", - "10.203.46.215" + "10.207.183.204", + "10.59.215.207" ], "related.user": [ "eruntmo" @@ -3265,10 +3265,10 @@ "mexer3864.api.corp" ], "related.ip": [ - "10.98.154.146", "10.73.84.95", + "10.255.145.22", "10.230.38.148", - "10.255.145.22" + "10.98.154.146" ], "related.user": [ "sitam" @@ -3332,10 +3332,10 @@ "oluptat6960.www5.test" ], "related.ip": [ - "10.166.142.198", "10.105.120.162", - "10.175.181.138", - "10.211.29.187" + "10.211.29.187", + "10.166.142.198", + "10.175.181.138" ], "related.user": [ "tium" @@ -3400,10 +3400,10 @@ "fugiatnu2498.www.localhost" ], "related.ip": [ - "10.182.213.195", - "10.195.139.25", "10.122.133.162", - "10.220.202.102" + "10.220.202.102", + "10.182.213.195", + "10.195.139.25" ], "related.user": [ "aquae" @@ -3535,10 +3535,10 @@ "exer447.internal.localhost" ], "related.ip": [ - "10.241.143.145", - "10.35.190.164", "10.21.58.162", - "10.113.65.192" + "10.35.190.164", + "10.113.65.192", + "10.241.143.145" ], "related.user": [ "porin" @@ -3672,9 +3672,9 @@ ], "related.ip": [ "10.150.153.61", - "10.22.213.196", + "10.125.150.220", "10.120.50.13", - "10.125.150.220" + "10.22.213.196" ], "related.user": [ "inculpa" @@ -3739,10 +3739,10 @@ "edquiaco6562.api.lan" ], "related.ip": [ + "10.113.2.13", "10.85.52.249", - "10.229.155.171", "10.238.171.184", - "10.113.2.13" + "10.229.155.171" ], "related.user": [ "tatiset" @@ -3808,9 +3808,9 @@ ], "related.ip": [ "10.249.174.35", + "10.198.150.185", "10.51.245.225", - "10.220.1.249", - "10.198.150.185" + "10.220.1.249" ], "related.user": [ "quela" @@ -3875,8 +3875,8 @@ "eosqui3723.api.localdomain" ], "related.ip": [ - "10.38.185.31", "10.251.82.195", + "10.38.185.31", "10.190.96.181", "10.152.157.32" ], @@ -3942,10 +3942,10 @@ "itaedict199.mail.corp" ], "related.ip": [ - "10.103.102.242", - "10.190.247.194", "10.230.112.179", - "10.211.198.50" + "10.211.198.50", + "10.103.102.242", + "10.190.247.194" ], "related.user": [ "tDuisaut" @@ -4010,9 +4010,9 @@ ], "related.ip": [ "10.219.83.199", + "10.251.101.61", "10.47.223.155", - "10.101.13.122", - "10.251.101.61" + "10.101.13.122" ], "related.user": [ "ectetur" @@ -4077,10 +4077,10 @@ "saute7421.www.invalid" ], "related.ip": [ + "10.83.136.233", "10.31.86.83", - "10.21.30.43", "10.21.80.157", - "10.83.136.233" + "10.21.30.43" ], "related.user": [ "litsed" @@ -4145,9 +4145,9 @@ "oluptas1637.home" ], "related.ip": [ - "10.27.181.27", "10.45.152.205", "10.194.197.107", + "10.27.181.27", "10.195.90.73" ], "related.user": [ @@ -4213,10 +4213,10 @@ "ididu5505.api.localdomain" ], "related.ip": [ - "10.222.2.132", - "10.183.90.25", "10.43.239.97", - "10.129.161.18" + "10.129.161.18", + "10.183.90.25", + "10.222.2.132" ], "related.user": [ "aedicta" @@ -4280,10 +4280,10 @@ "mqui1099.api.corp" ], "related.ip": [ + "10.248.156.138", "10.67.129.100", - "10.231.167.171", "10.189.162.131", - "10.248.156.138" + "10.231.167.171" ], "related.user": [ "sedquia" @@ -4348,9 +4348,9 @@ "siuta2155.lan" ], "related.ip": [ + "10.63.103.30", "10.6.146.184", "10.185.107.27", - "10.63.103.30", "10.142.106.66" ], "related.user": [ @@ -4415,10 +4415,10 @@ "tatiset4191.localdomain" ], "related.ip": [ - "10.93.39.237", "10.119.179.182", + "10.214.93.200", "10.0.202.9", - "10.214.93.200" + "10.93.39.237" ], "related.user": [ "tionofd" @@ -4484,8 +4484,8 @@ ], "related.ip": [ "10.28.145.163", - "10.252.204.162", "10.123.154.140", + "10.252.204.162", "10.30.189.166" ], "related.user": [ @@ -4550,9 +4550,9 @@ "idolo6535.internal.example" ], "related.ip": [ + "10.46.162.198", "10.145.128.250", "10.79.49.3", - "10.46.162.198", "10.29.122.183" ], "related.user": [ @@ -4618,10 +4618,10 @@ "one7728.api.localdomain" ], "related.ip": [ - "10.166.169.167", - "10.65.174.196", + "10.142.235.217", "10.177.232.136", - "10.142.235.217" + "10.65.174.196", + "10.166.169.167" ], "related.user": [ "olors" @@ -4686,9 +4686,9 @@ "uptatem4446.internal.localhost" ], "related.ip": [ - "10.29.217.44", "10.215.184.154", "10.191.78.86", + "10.29.217.44", "10.53.188.140" ], "related.user": [ @@ -4754,8 +4754,8 @@ "emq2514.api.localhost" ], "related.ip": [ - "10.135.77.156", "10.46.222.149", + "10.135.77.156", "10.76.148.147", "10.74.74.129" ], @@ -4821,10 +4821,10 @@ "agna5654.www.corp" ], "related.ip": [ - "10.145.49.29", + "10.130.203.37", "10.96.200.223", - "10.11.146.253", - "10.130.203.37" + "10.145.49.29", + "10.11.146.253" ], "related.user": [ "mvele" @@ -4888,10 +4888,10 @@ "ipi4827.mail.lan" ], "related.ip": [ - "10.24.23.209", "10.162.78.48", - "10.48.75.140", - "10.162.2.180" + "10.162.2.180", + "10.24.23.209", + "10.48.75.140" ], "related.user": [ "rumwr" @@ -4955,10 +4955,10 @@ "sequatD163.internal.example" ], "related.ip": [ - "10.151.206.38", - "10.66.92.83", "10.119.12.186", - "10.97.105.115" + "10.97.105.115", + "10.151.206.38", + "10.66.92.83" ], "related.user": [ "nproide" @@ -5022,10 +5022,10 @@ "itamet1303.invalid" ], "related.ip": [ - "10.64.76.142", "10.169.139.250", "10.12.148.73", - "10.201.132.114" + "10.201.132.114", + "10.64.76.142" ], "related.user": [ "borisnis" @@ -5090,10 +5090,10 @@ "epr3512.internal.domain" ], "related.ip": [ - "10.111.128.11", - "10.9.236.18", "10.35.38.185", - "10.200.116.191" + "10.200.116.191", + "10.111.128.11", + "10.9.236.18" ], "related.user": [ "umfug" @@ -5157,10 +5157,10 @@ "uredol2174.home" ], "related.ip": [ - "10.134.238.8", "10.191.27.182", - "10.236.67.227", - "10.240.62.238" + "10.134.238.8", + "10.240.62.238", + "10.236.67.227" ], "related.user": [ "tlabo" @@ -5224,10 +5224,10 @@ "ididunt7607.mail.localhost" ], "related.ip": [ - "10.109.14.142", "10.22.231.91", - "10.65.35.64", - "10.165.66.92" + "10.165.66.92", + "10.109.14.142", + "10.65.35.64" ], "related.user": [ "perna" @@ -5292,9 +5292,9 @@ ], "related.ip": [ "10.64.161.215", + "10.29.230.203", "10.71.112.86", - "10.89.221.90", - "10.29.230.203" + "10.89.221.90" ], "related.user": [ "rnatur" @@ -5358,10 +5358,10 @@ "nonn1650.www.test" ], "related.ip": [ - "10.221.199.137", - "10.88.226.76", + "10.140.118.182", "10.79.208.135", - "10.140.118.182" + "10.221.199.137", + "10.88.226.76" ], "related.user": [ "erspic" @@ -5426,10 +5426,10 @@ "acons3940.api.lan" ], "related.ip": [ + "10.133.48.55", "10.35.73.208", - "10.126.61.230", "10.189.244.22", - "10.133.48.55" + "10.126.61.230" ], "related.user": [ "tia" @@ -5493,8 +5493,8 @@ "suscipit587.www.localhost" ], "related.ip": [ - "10.240.94.109", "10.239.194.105", + "10.240.94.109", "10.81.154.115", "10.35.65.72" ], @@ -5562,8 +5562,8 @@ ], "related.ip": [ "10.150.56.227", - "10.52.70.192", "10.248.72.104", + "10.52.70.192", "10.38.253.213" ], "related.user": [ @@ -5629,10 +5629,10 @@ "borios1067.www5.home" ], "related.ip": [ - "10.218.15.164", - "10.62.218.239", "10.73.172.186", - "10.203.193.134" + "10.203.193.134", + "10.218.15.164", + "10.62.218.239" ], "related.user": [ "reh" @@ -5696,9 +5696,9 @@ "msequ323.www.example" ], "related.ip": [ + "10.60.20.76", "10.10.46.43", "10.131.127.113", - "10.60.20.76", "10.136.211.234" ], "related.user": [ @@ -5764,10 +5764,10 @@ "tdolorem813.internal.host" ], "related.ip": [ + "10.50.177.151", "10.248.0.74", - "10.233.181.250", "10.187.237.220", - "10.50.177.151" + "10.233.181.250" ], "related.user": [ "ugiatq" @@ -5832,10 +5832,10 @@ "volupt4626.internal.test" ], "related.ip": [ - "10.96.223.46", - "10.80.129.81", + "10.248.248.120", "10.189.43.11", - "10.248.248.120" + "10.80.129.81", + "10.96.223.46" ], "related.user": [ "iatn" @@ -5900,9 +5900,9 @@ "ntium5103.www5.localhost" ], "related.ip": [ - "10.91.115.139", - "10.102.109.199", "10.173.114.63", + "10.102.109.199", + "10.91.115.139", "10.66.106.186" ], "related.user": [ @@ -5968,9 +5968,9 @@ "orpori3334.www.local" ], "related.ip": [ + "10.159.155.88", "10.0.175.17", "10.198.157.122", - "10.159.155.88", "10.221.223.127" ], "related.user": [ @@ -6035,10 +6035,10 @@ "equu7361.www5.localdomain" ], "related.ip": [ - "10.252.136.130", - "10.189.70.237", "10.30.20.187", - "10.7.212.201" + "10.7.212.201", + "10.189.70.237", + "10.252.136.130" ], "related.user": [ "ugiat" @@ -6103,10 +6103,10 @@ "tse2979.internal.localhost" ], "related.ip": [ - "10.60.224.93", - "10.242.121.165", "10.83.105.69", - "10.102.109.194" + "10.102.109.194", + "10.60.224.93", + "10.242.121.165" ], "related.user": [ "mni" @@ -6171,10 +6171,10 @@ "uisnostr2390.mail.domain" ], "related.ip": [ + "10.17.20.93", "10.219.174.45", - "10.181.134.69", "10.251.167.219", - "10.17.20.93" + "10.181.134.69" ], "related.user": [ "Uteni" @@ -6239,10 +6239,10 @@ "luptate4811.mail.example" ], "related.ip": [ - "10.28.233.253", - "10.37.14.20", + "10.223.99.90", "10.30.117.82", - "10.223.99.90" + "10.37.14.20", + "10.28.233.253" ], "related.user": [ "numqua" @@ -6307,10 +6307,10 @@ "lites1614.www.corp" ], "related.ip": [ - "10.57.85.113", - "10.8.32.17", + "10.125.20.22", "10.50.61.114", - "10.125.20.22" + "10.57.85.113", + "10.8.32.17" ], "related.user": [ "qua" @@ -6375,9 +6375,9 @@ "lorinrep7686.mail.corp" ], "related.ip": [ - "10.200.28.55", - "10.215.224.27", "10.113.78.101", + "10.215.224.27", + "10.200.28.55", "10.181.63.82" ], "related.user": [ @@ -6443,10 +6443,10 @@ "nderit6272.mail.example" ], "related.ip": [ - "10.243.43.168", + "10.169.95.128", "10.177.14.106", "10.139.20.223", - "10.169.95.128" + "10.243.43.168" ], "related.user": [ "ofd" @@ -6512,9 +6512,9 @@ ], "related.ip": [ "10.92.168.198", - "10.90.93.4", "10.39.100.88", - "10.18.176.44" + "10.18.176.44", + "10.90.93.4" ], "related.user": [ "adminima" @@ -6579,9 +6579,9 @@ "essequam1161.domain" ], "related.ip": [ - "10.163.203.191", "10.193.43.135", "10.49.68.8", + "10.163.203.191", "10.173.13.179" ], "related.user": [ @@ -6647,9 +6647,9 @@ ], "related.ip": [ "10.240.47.113", - "10.209.226.7", + "10.84.64.28", "10.31.147.51", - "10.84.64.28" + "10.209.226.7" ], "related.user": [ "ull" @@ -6714,9 +6714,9 @@ "item3647.home" ], "related.ip": [ + "10.52.13.192", "10.225.189.229", "10.86.1.244", - "10.52.13.192", "10.32.20.4" ], "related.user": [ diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index fe5ce75e182..81c2af5f702 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -367,8 +367,8 @@ "observer.vendor": "F5", "process.pid": 2289, "related.ip": [ - "10.204.123.107", - "10.225.160.182" + "10.225.160.182", + "10.204.123.107" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "eFinib", @@ -983,8 +983,8 @@ "observer.vendor": "F5", "process.pid": 4318, "related.ip": [ - "10.169.101.161", - "10.122.204.151" + "10.122.204.151", + "10.169.101.161" ], "rsa.internal.messageid": "01490500", "rsa.misc.log_session_id": "snulap", @@ -1565,8 +1565,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.47.99.72", - "10.187.64.126" + "10.187.64.126", + "10.47.99.72" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 69eab97fe35..2633519ac68 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -25,8 +25,8 @@ "litesse6379.api.domain" ], "related.ip": [ - "10.150.92.220", - "10.102.123.34" + "10.102.123.34", + "10.150.92.220" ], "related.user": [ "sumdo" @@ -143,8 +143,8 @@ "quis1130.internal.corp" ], "related.ip": [ - "10.118.175.9", - "10.173.116.41" + "10.173.116.41", + "10.118.175.9" ], "related.user": [ "uame" @@ -261,8 +261,8 @@ "enimad2283.internal.domain" ], "related.ip": [ - "10.245.142.250", - "10.70.0.60" + "10.70.0.60", + "10.245.142.250" ], "related.user": [ "eos" @@ -379,8 +379,8 @@ "iutal13.api.localdomain" ], "related.ip": [ - "10.12.44.169", - "10.214.225.125" + "10.214.225.125", + "10.12.44.169" ], "related.user": [ "erep" @@ -438,8 +438,8 @@ "uovol492.www.localhost" ], "related.ip": [ - "10.198.136.50", - "10.66.108.11" + "10.66.108.11", + "10.198.136.50" ], "related.user": [ "uptatev" @@ -556,8 +556,8 @@ "eniam7007.api.invalid" ], "related.ip": [ - "10.54.231.100", - "10.203.5.162" + "10.203.5.162", + "10.54.231.100" ], "related.user": [ "umdolore" @@ -615,8 +615,8 @@ "snulapar3794.api.domain" ], "related.ip": [ - "10.65.83.160", - "10.136.252.240" + "10.136.252.240", + "10.65.83.160" ], "related.user": [ "ender" @@ -674,8 +674,8 @@ "liq5883.localdomain" ], "related.ip": [ - "10.210.213.18", - "10.57.40.29" + "10.57.40.29", + "10.210.213.18" ], "related.user": [ "onse" @@ -969,8 +969,8 @@ "tion1761.home" ], "related.ip": [ - "10.73.69.75", - "10.19.201.13" + "10.19.201.13", + "10.73.69.75" ], "related.user": [ "tat" @@ -1028,8 +1028,8 @@ "santium4235.api.local" ], "related.ip": [ - "10.84.105.75", - "10.78.151.178" + "10.78.151.178", + "10.84.105.75" ], "related.user": [ "iquaUten" @@ -1087,8 +1087,8 @@ "CSed2857.www5.example" ], "related.ip": [ - "10.25.192.202", - "10.135.233.146" + "10.135.233.146", + "10.25.192.202" ], "related.user": [ "emeumfu" @@ -1146,8 +1146,8 @@ "equep5085.mail.domain" ], "related.ip": [ - "10.104.134.200", - "10.121.219.204" + "10.121.219.204", + "10.104.134.200" ], "related.user": [ "uptat" @@ -1205,8 +1205,8 @@ "conseq557.mail.lan" ], "related.ip": [ - "10.225.160.182", - "10.191.105.82" + "10.191.105.82", + "10.225.160.182" ], "related.user": [ "eirure" @@ -1323,8 +1323,8 @@ "lit5929.test" ], "related.ip": [ - "10.153.111.103", - "10.6.167.7" + "10.6.167.7", + "10.153.111.103" ], "related.user": [ "eumfug" @@ -1618,8 +1618,8 @@ "xeacomm6855.api.corp" ], "related.ip": [ - "10.168.90.81", - "10.101.57.120" + "10.101.57.120", + "10.168.90.81" ], "related.user": [ "eporr" @@ -1913,8 +1913,8 @@ "eprehen3224.www5.localdomain" ], "related.ip": [ - "10.195.2.130", - "10.75.99.127" + "10.75.99.127", + "10.195.2.130" ], "related.user": [ "inibusB" @@ -1972,8 +1972,8 @@ "ptasn6599.www.localhost" ], "related.ip": [ - "10.201.238.90", - "10.245.104.182" + "10.245.104.182", + "10.201.238.90" ], "related.user": [ "ovol" @@ -2090,8 +2090,8 @@ "gitsedqu2649.mail.lan" ], "related.ip": [ - "10.184.18.202", - "10.4.157.1" + "10.4.157.1", + "10.184.18.202" ], "related.user": [ "oditem" @@ -2208,8 +2208,8 @@ "tut2703.www.host" ], "related.ip": [ - "10.27.16.118", - "10.83.177.2" + "10.83.177.2", + "10.27.16.118" ], "related.user": [ "borios" @@ -2385,8 +2385,8 @@ "tot5313.mail.invalid" ], "related.ip": [ - "10.9.18.237", - "10.9.12.248" + "10.9.12.248", + "10.9.18.237" ], "related.user": [ "uradi" @@ -2444,8 +2444,8 @@ "rumet3801.internal.domain" ], "related.ip": [ - "10.41.123.102", - "10.83.130.226" + "10.83.130.226", + "10.41.123.102" ], "related.user": [ "tenim" @@ -2562,8 +2562,8 @@ "sequat7273.api.host" ], "related.ip": [ - "10.134.18.114", - "10.142.25.100" + "10.142.25.100", + "10.134.18.114" ], "related.user": [ "osqui" @@ -2621,8 +2621,8 @@ "uidol4575.localhost" ], "related.ip": [ - "10.28.118.160", - "10.223.119.218" + "10.223.119.218", + "10.28.118.160" ], "related.user": [ "ntsunt" @@ -2916,8 +2916,8 @@ "iosamnis1047.internal.localdomain" ], "related.ip": [ - "10.210.89.183", - "10.150.245.88" + "10.150.245.88", + "10.210.89.183" ], "related.user": [ "sequa" @@ -2975,8 +2975,8 @@ "orroq6677.internal.example" ], "related.ip": [ - "10.85.185.13", - "10.180.195.43" + "10.180.195.43", + "10.85.185.13" ], "related.user": [ "voluptas" @@ -3093,8 +3093,8 @@ "itaedict7233.mail.localdomain" ], "related.ip": [ - "10.86.11.48", - "10.248.165.185" + "10.248.165.185", + "10.86.11.48" ], "related.user": [ "dquiac" @@ -3152,8 +3152,8 @@ "numquam5869.internal.example" ], "related.ip": [ - "10.118.6.177", - "10.47.125.38" + "10.47.125.38", + "10.118.6.177" ], "related.user": [ "quunt" @@ -3211,8 +3211,8 @@ "onu6137.api.home" ], "related.ip": [ - "10.60.142.127", - "10.50.233.155" + "10.50.233.155", + "10.60.142.127" ], "related.user": [ "atv" @@ -3270,8 +3270,8 @@ "aecatcup2241.www5.test" ], "related.ip": [ - "10.28.82.189", - "10.120.10.211" + "10.120.10.211", + "10.28.82.189" ], "related.user": [ "rcit" @@ -3388,8 +3388,8 @@ "mveleum4322.www5.host" ], "related.ip": [ - "10.226.5.189", - "10.125.165.144" + "10.125.165.144", + "10.226.5.189" ], "related.user": [ "mvolu" @@ -3565,8 +3565,8 @@ "nreprehe715.api.home" ], "related.ip": [ - "10.17.87.79", - "10.123.199.198" + "10.123.199.198", + "10.17.87.79" ], "related.user": [ "ratvolu" @@ -3624,8 +3624,8 @@ "unte893.internal.host" ], "related.ip": [ - "10.38.86.177", - "10.115.68.40" + "10.115.68.40", + "10.38.86.177" ], "related.user": [ "mpo" @@ -4096,8 +4096,8 @@ "squira4455.api.domain" ], "related.ip": [ - "10.196.96.162", - "10.34.131.224" + "10.34.131.224", + "10.196.96.162" ], "related.user": [ "tnonproi" @@ -4804,8 +4804,8 @@ "lamcola4879.www5.localdomain" ], "related.ip": [ - "10.14.204.36", - "10.85.104.146" + "10.85.104.146", + "10.14.204.36" ], "related.user": [ "emp" @@ -4863,8 +4863,8 @@ "edquian330.mail.local" ], "related.ip": [ - "10.208.18.210", - "10.30.246.132" + "10.30.246.132", + "10.208.18.210" ], "related.user": [ "veniam" @@ -4922,8 +4922,8 @@ "santi837.api.domain" ], "related.ip": [ - "10.19.119.17", - "10.106.249.91" + "10.106.249.91", + "10.19.119.17" ], "related.user": [ "lit" @@ -5040,8 +5040,8 @@ "nonn4478.host" ], "related.ip": [ - "10.164.207.42", - "10.164.120.197" + "10.164.120.197", + "10.164.207.42" ], "related.user": [ "pta" @@ -5099,8 +5099,8 @@ "amquaer3985.www5.example" ], "related.ip": [ - "10.183.189.133", - "10.154.191.225" + "10.154.191.225", + "10.183.189.133" ], "related.user": [ "ita" @@ -5276,8 +5276,8 @@ "orumS757.www5.corp" ], "related.ip": [ - "10.91.2.135", - "10.126.245.73" + "10.126.245.73", + "10.91.2.135" ], "related.user": [ "olore" @@ -5335,8 +5335,8 @@ "emi4534.www.localdomain" ], "related.ip": [ - "10.137.85.123", - "10.183.243.246" + "10.183.243.246", + "10.137.85.123" ], "related.user": [ "cid" @@ -5453,8 +5453,8 @@ "aturQu7083.mail.host" ], "related.ip": [ - "10.79.73.195", - "10.125.143.153" + "10.125.143.153", + "10.79.73.195" ], "related.user": [ "emip" @@ -5571,8 +5571,8 @@ "siarc6339.internal.corp" ], "related.ip": [ - "10.222.245.80", - "10.87.90.49" + "10.87.90.49", + "10.222.245.80" ], "related.user": [ "ptatemse" @@ -5689,8 +5689,8 @@ "byC5766.internal.home" ], "related.ip": [ - "10.105.97.134", - "10.204.178.19" + "10.204.178.19", + "10.105.97.134" ], "related.user": [ "mexercit" @@ -5866,8 +5866,8 @@ "porissu1470.domain" ], "related.ip": [ - "10.180.90.112", - "10.116.153.19" + "10.116.153.19", + "10.180.90.112" ], "related.user": [ "itessequ" diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json index 367d81f9868..1bc7032f6d2 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json @@ -6,6 +6,7 @@ "destination.bytes": 1130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -81,6 +82,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -151,6 +153,7 @@ "destination.bytes": 6812, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -225,6 +228,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -299,6 +303,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -373,6 +378,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -442,6 +448,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -512,6 +519,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -585,6 +593,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -654,6 +663,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -714,6 +724,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", @@ -825,6 +836,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.4.4", @@ -874,6 +886,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "8.8.8.8", @@ -889,6 +902,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.4.5.4", @@ -942,6 +956,7 @@ "source.as.organization.name": "Quad9", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": "9.9.9.9", @@ -1049,6 +1064,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.5.4", @@ -1100,6 +1116,7 @@ "service.type": "fortinet", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "7.6.3.4", @@ -1186,6 +1203,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.6", @@ -1235,6 +1253,7 @@ "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.5.4", @@ -1396,6 +1415,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1465,6 +1485,7 @@ "destination.bytes": 65446, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.6.4.7", @@ -1532,6 +1553,7 @@ "source.geo.city_name": "Beijing", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 39.9288, "source.geo.location.lon": 116.3889, "source.geo.region_iso_code": "CN-BJ", @@ -1553,6 +1575,7 @@ "destination.bytes": 20, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "2001:4860:4860::8888", @@ -1613,6 +1636,7 @@ "source.bytes": 3014, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "2001:4860:4860::8888", @@ -1629,6 +1653,7 @@ "destination.bytes": 10, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1689,6 +1714,7 @@ "source.bytes": 0, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "9.7.7.7", @@ -1772,6 +1798,7 @@ "destination.bytes": 77654, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1857,6 +1884,7 @@ "source.geo.city_name": "Ashburn", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 39.0481, "source.geo.location.lon": -77.4728, "source.geo.region_iso_code": "US-VA", @@ -1879,6 +1907,7 @@ "destination.as.organization.name": "Dailymotion S.A.", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "FR", + "destination.geo.country_name": "France", "destination.geo.location.lat": 48.8582, "destination.geo.location.lon": 2.3387, "destination.ip": "195.8.215.136", diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json index e3803f80ef3..0f8cf25378a 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json @@ -994,8 +994,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.68.246.187", - "10.140.7.83" + "10.140.7.83", + "10.68.246.187" ], "rsa.email.email_dst": "gna", "rsa.email.email_src": "icabo", @@ -1248,8 +1248,8 @@ "atise3421.www5.localdomain" ], "related.ip": [ - "10.179.210.218", - "10.73.207.70" + "10.73.207.70", + "10.179.210.218" ], "rsa.email.email_dst": "rumSecti", "rsa.email.email_src": "taut", @@ -3094,8 +3094,8 @@ "taevitae6868.www.corp" ], "related.ip": [ - "10.60.164.100", - "10.161.1.146" + "10.161.1.146", + "10.60.164.100" ], "rsa.email.email_dst": "nproiden", "rsa.email.email_src": "etconse", @@ -3194,8 +3194,8 @@ "tetura7106.www5.corp" ], "related.ip": [ - "10.93.239.216", - "10.44.35.57" + "10.44.35.57", + "10.93.239.216" ], "rsa.email.email_dst": "ciun", "rsa.email.email_src": "vento", @@ -3794,8 +3794,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.251.183.113", - "10.201.105.58" + "10.201.105.58", + "10.251.183.113" ], "rsa.email.email_dst": "ionemu", "rsa.email.email_src": "ent", @@ -3838,8 +3838,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.209.203.156", - "10.132.139.98" + "10.132.139.98", + "10.209.203.156" ], "rsa.email.email_dst": "borisnis", "rsa.email.email_src": "pariat", diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json index 78030aa2c53..ee8c3414d5e 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json @@ -26,8 +26,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.44.173.44", - "10.20.234.169", - "10.189.58.145" + "10.189.58.145", + "10.20.234.169" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -244,8 +244,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.131.233.27", "10.27.88.95", + "10.131.233.27", "10.50.112.141" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -314,8 +314,8 @@ "olo7148.mail.home" ], "related.ip": [ - "10.87.212.179", - "10.157.213.15" + "10.157.213.15", + "10.87.212.179" ], "related.user": [ "rveli" @@ -405,8 +405,8 @@ "agna7678.internal.host" ], "related.ip": [ - "10.76.73.140", - "10.114.150.67" + "10.114.150.67", + "10.76.73.140" ], "related.user": [ "aperia" @@ -507,8 +507,8 @@ "rsa.investigations.event_vcat": "quae", "rsa.misc.OS": "qui", "rsa.misc.action": [ - "accept", - "iadese" + "iadese", + "accept" ], "rsa.misc.category": "aturve", "rsa.misc.client": "utei", @@ -582,9 +582,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.114.16.155", + "10.186.85.3", "10.176.216.90", - "10.186.85.3" + "10.114.16.155" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -828,9 +828,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.58.214.16", "10.238.164.74", - "10.106.162.153", - "10.58.214.16" + "10.106.162.153" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -972,8 +972,8 @@ "rsa.investigations.event_vcat": "xer", "rsa.misc.OS": "fugi", "rsa.misc.action": [ - "umdolo", - "deny" + "deny", + "umdolo" ], "rsa.misc.category": "conseq", "rsa.misc.client": "cusant", @@ -1127,8 +1127,8 @@ "rsa.investigations.event_vcat": "psumqu", "rsa.misc.OS": "oraincid", "rsa.misc.action": [ - "ritt", - "deny" + "deny", + "ritt" ], "rsa.misc.category": "idunt", "rsa.misc.client": "siu", @@ -1202,9 +1202,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.98.194.212", "10.51.213.42", - "10.233.120.207" + "10.233.120.207", + "10.98.194.212" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1266,9 +1266,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.245.187.229", "10.67.132.242", - "10.241.132.176", - "10.245.187.229" + "10.241.132.176" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1335,8 +1335,8 @@ "tore7088.www.invalid" ], "related.ip": [ - "10.199.47.220", - "10.212.214.4" + "10.212.214.4", + "10.199.47.220" ], "related.user": [ "atv" @@ -1437,8 +1437,8 @@ "rsa.investigations.event_vcat": "metcons", "rsa.misc.OS": "ehende", "rsa.misc.action": [ - "deny", - "umf" + "umf", + "deny" ], "rsa.misc.category": "emUte", "rsa.misc.client": "archite", @@ -1517,8 +1517,8 @@ "eturad6143.www.home" ], "related.ip": [ - "10.128.46.70", - "10.95.117.134" + "10.95.117.134", + "10.128.46.70" ], "related.user": [ "enim" @@ -1608,8 +1608,8 @@ "orinrep5386.www.corp" ], "related.ip": [ - "10.253.228.140", - "10.208.21.135" + "10.208.21.135", + "10.253.228.140" ], "related.user": [ "inculp" @@ -1619,8 +1619,8 @@ "rsa.investigations.event_vcat": "emagn", "rsa.misc.OS": "oditempo", "rsa.misc.action": [ - "ugitse", - "cancel" + "cancel", + "ugitse" ], "rsa.misc.category": "magnid", "rsa.misc.client": "sci", @@ -1699,8 +1699,8 @@ "henderi724.www5.home" ], "related.ip": [ - "10.3.23.172", - "10.243.226.122" + "10.243.226.122", + "10.3.23.172" ], "related.user": [ "olorem" @@ -1710,8 +1710,8 @@ "rsa.investigations.event_vcat": "ess", "rsa.misc.OS": "equatDu", "rsa.misc.action": [ - "cancel", - "emullamc" + "emullamc", + "cancel" ], "rsa.misc.category": "niamquis", "rsa.misc.client": "tutlabo", @@ -1801,8 +1801,8 @@ "rsa.investigations.event_vcat": "snostrum", "rsa.misc.OS": "tiaecon", "rsa.misc.action": [ - "cancel", - "atiset" + "atiset", + "cancel" ], "rsa.misc.category": "ehende", "rsa.misc.client": "umquam", @@ -1878,8 +1878,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.117.63.181", - "10.247.53.179", - "10.168.20.20" + "10.168.20.20", + "10.247.53.179" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1947,8 +1947,8 @@ "tasnul4179.internal.host" ], "related.ip": [ - "10.141.156.217", - "10.53.168.187" + "10.53.168.187", + "10.141.156.217" ], "related.user": [ "amqu" @@ -1958,8 +1958,8 @@ "rsa.investigations.event_vcat": "illumq", "rsa.misc.OS": "idata", "rsa.misc.action": [ - "emacc", - "block" + "block", + "emacc" ], "rsa.misc.category": "ueporro", "rsa.misc.client": "veli", @@ -2050,8 +2050,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "turadip", "rsa.misc.action": [ - "accept", - "odoc" + "odoc", + "accept" ], "rsa.misc.category": "volup", "rsa.misc.client": "tur", @@ -2232,8 +2232,8 @@ "rsa.investigations.event_vcat": "uatu", "rsa.misc.OS": "tnulapar", "rsa.misc.action": [ - "deny", - "odic" + "odic", + "deny" ], "rsa.misc.category": "deri", "rsa.misc.client": "scivelit", @@ -2307,8 +2307,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.37.161.101", "10.111.182.212", + "10.37.161.101", "10.17.209.252" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -2371,9 +2371,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.170.196.181", + "10.153.166.133", "10.158.175.98", - "10.153.166.133" + "10.170.196.181" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2526,9 +2526,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.174.17.46", + "10.38.168.190", "10.77.105.81", - "10.38.168.190" + "10.174.17.46" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2654,9 +2654,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.214.156.161", + "10.66.90.225", "10.145.194.12", - "10.66.90.225" + "10.214.156.161" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2719,8 +2719,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.156.208.5", - "10.163.36.101", - "10.6.242.108" + "10.6.242.108", + "10.163.36.101" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2787,8 +2787,8 @@ "remeum2641.www5.corp" ], "related.ip": [ - "10.68.233.163", - "10.220.148.127" + "10.220.148.127", + "10.68.233.163" ], "related.user": [ "estiaec" @@ -2798,8 +2798,8 @@ "rsa.investigations.event_vcat": "olore", "rsa.misc.OS": "tatem", "rsa.misc.action": [ - "allow", - "itanimi" + "itanimi", + "allow" ], "rsa.misc.category": "psa", "rsa.misc.client": "ugits", @@ -2889,8 +2889,8 @@ "rsa.investigations.event_vcat": "ihi", "rsa.misc.OS": "amquaera", "rsa.misc.action": [ - "allow", - "nimides" + "nimides", + "allow" ], "rsa.misc.category": "mve", "rsa.misc.client": "plica", @@ -2970,8 +2970,8 @@ "mea6298.api.example" ], "related.ip": [ - "10.113.152.241", - "10.115.121.243" + "10.115.121.243", + "10.113.152.241" ], "related.user": [ "norumetM" @@ -3061,8 +3061,8 @@ "iqu7510.internal.corp" ], "related.ip": [ - "10.49.82.45", - "10.179.153.97" + "10.179.153.97", + "10.49.82.45" ], "related.user": [ "dictasun" @@ -3072,8 +3072,8 @@ "rsa.investigations.event_vcat": "tatemse", "rsa.misc.OS": "eturadi", "rsa.misc.action": [ - "ade", - "accept" + "accept", + "ade" ], "rsa.misc.category": "laboreet", "rsa.misc.client": "ano", @@ -3147,8 +3147,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.205.83.138", "10.98.52.184", + "10.205.83.138", "10.99.55.115" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3211,8 +3211,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.197.128.162", "10.228.11.50", + "10.197.128.162", "10.90.189.248" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3320,8 +3320,8 @@ "deFinibu3940.internal.lan" ], "related.ip": [ - "10.22.248.52", - "10.124.71.88" + "10.124.71.88", + "10.22.248.52" ], "related.user": [ "tcons" @@ -3331,8 +3331,8 @@ "rsa.investigations.event_vcat": "uiratio", "rsa.misc.OS": "xce", "rsa.misc.action": [ - "cancel", - "cons" + "cons", + "cancel" ], "rsa.misc.category": "ciun", "rsa.misc.client": "amquisn", @@ -3411,8 +3411,8 @@ "tatiset4191.localdomain" ], "related.ip": [ - "10.26.58.20", - "10.185.37.176" + "10.185.37.176", + "10.26.58.20" ], "related.user": [ "eumiure" @@ -3422,8 +3422,8 @@ "rsa.investigations.event_vcat": "iae", "rsa.misc.OS": "evelite", "rsa.misc.action": [ - "essequam", - "block" + "block", + "essequam" ], "rsa.misc.category": "tmollita", "rsa.misc.client": "uiinea", @@ -3497,8 +3497,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.14.145.107", "10.200.12.126", + "10.14.145.107", "10.250.231.196" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3561,9 +3561,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.225.34.176", "10.21.203.112", - "10.103.36.192" + "10.103.36.192", + "10.225.34.176" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3625,9 +3625,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.5.67.140", + "10.140.59.161", "10.118.111.183", - "10.140.59.161" + "10.5.67.140" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3694,8 +3694,8 @@ "nimadmi4084.api.home" ], "related.ip": [ - "10.7.70.169", - "10.28.212.191" + "10.28.212.191", + "10.7.70.169" ], "related.user": [ "itsed" @@ -3705,8 +3705,8 @@ "rsa.investigations.event_vcat": "Loremips", "rsa.misc.OS": "eritquii", "rsa.misc.action": [ - "accept", - "nostru" + "nostru", + "accept" ], "rsa.misc.category": "amnisiu", "rsa.misc.client": "rcita", @@ -3796,8 +3796,8 @@ "rsa.investigations.event_vcat": "uep", "rsa.misc.OS": "iatisund", "rsa.misc.action": [ - "block", - "nvo" + "nvo", + "block" ], "rsa.misc.category": "tenima", "rsa.misc.client": "iuntNe", @@ -4277,8 +4277,8 @@ "ntex5135.corp" ], "related.ip": [ - "10.239.194.105", - "10.234.171.117" + "10.234.171.117", + "10.239.194.105" ], "related.user": [ "tat" @@ -4288,8 +4288,8 @@ "rsa.investigations.event_vcat": "uia", "rsa.misc.OS": "mquae", "rsa.misc.action": [ - "deny", - "tenatus" + "tenatus", + "deny" ], "rsa.misc.category": "abo", "rsa.misc.client": "umtota", @@ -4743,8 +4743,8 @@ "spici5547.internal.test" ], "related.ip": [ - "10.112.242.68", - "10.216.49.112" + "10.216.49.112", + "10.112.242.68" ], "related.user": [ "urmag" @@ -4920,9 +4920,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.246.41.77", "10.228.61.5", - "10.157.22.21" + "10.157.22.21", + "10.246.41.77" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4984,9 +4984,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.188.131.18", "10.242.119.111", - "10.239.231.168", - "10.188.131.18" + "10.239.231.168" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5064,8 +5064,8 @@ "rsa.investigations.event_vcat": "amnihil", "rsa.misc.OS": "tten", "rsa.misc.action": [ - "inea", - "accept" + "accept", + "inea" ], "rsa.misc.category": "quam", "rsa.misc.client": "oreseo", @@ -5184,8 +5184,8 @@ "riaturE1644.www5.example" ], "related.ip": [ - "10.215.144.167", - "10.162.114.52" + "10.162.114.52", + "10.215.144.167" ], "related.user": [ "erspici" @@ -5195,8 +5195,8 @@ "rsa.investigations.event_vcat": "empori", "rsa.misc.OS": "ostru", "rsa.misc.action": [ - "quepor", - "allow" + "allow", + "quepor" ], "rsa.misc.category": "cipitla", "rsa.misc.client": "exeacomm", @@ -5361,9 +5361,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.75.198.93", + "10.51.106.43", "10.137.36.151", - "10.51.106.43" + "10.75.198.93" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5425,9 +5425,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.7.230.206", "10.154.151.111", - "10.249.93.150" + "10.249.93.150", + "10.7.230.206" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5505,8 +5505,8 @@ "rsa.investigations.event_vcat": "santiumd", "rsa.misc.OS": "oris", "rsa.misc.action": [ - "deny", - "rsitame" + "rsitame", + "deny" ], "rsa.misc.category": "agnaal", "rsa.misc.client": "urmagn", @@ -5585,8 +5585,8 @@ "dquiac6194.api.lan" ], "related.ip": [ - "10.241.140.241", - "10.180.162.174" + "10.180.162.174", + "10.241.140.241" ], "related.user": [ "nulapar" @@ -5596,8 +5596,8 @@ "rsa.investigations.event_vcat": "luptatev", "rsa.misc.OS": "emipsu", "rsa.misc.action": [ - "ido", - "accept" + "accept", + "ido" ], "rsa.misc.category": "litse", "rsa.misc.client": "evita", @@ -5687,8 +5687,8 @@ "rsa.investigations.event_vcat": "atvolupt", "rsa.misc.OS": "riosam", "rsa.misc.action": [ - "ssitasp", - "deny" + "deny", + "ssitasp" ], "rsa.misc.category": "enimadmi", "rsa.misc.client": "uatDui", @@ -5767,8 +5767,8 @@ "dicta7226.mail.example" ], "related.ip": [ - "10.53.50.77", - "10.4.244.115" + "10.4.244.115", + "10.53.50.77" ], "related.user": [ "idolo" @@ -5853,9 +5853,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.236.211.111", "10.120.212.78", - "10.221.100.157" + "10.221.100.157", + "10.236.211.111" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5933,8 +5933,8 @@ "rsa.investigations.event_vcat": "lauda", "rsa.misc.OS": "enatuser", "rsa.misc.action": [ - "accept", - "rios" + "rios", + "accept" ], "rsa.misc.category": "aUte", "rsa.misc.client": "iusm", @@ -6009,8 +6009,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.123.59.69", - "10.226.255.3", - "10.53.251.202" + "10.53.251.202", + "10.226.255.3" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6072,9 +6072,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.212.56.26", "10.3.85.176", - "10.29.141.252" + "10.29.141.252", + "10.212.56.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6227,9 +6227,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.11.150.136", + "10.83.98.220", "10.171.60.173", - "10.83.98.220" + "10.11.150.136" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6291,9 +6291,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.74.88.209", "10.92.3.166", - "10.238.49.73", - "10.74.88.209" + "10.238.49.73" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6355,9 +6355,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.84.200.121", "10.119.248.36", - "10.187.107.47", - "10.84.200.121" + "10.187.107.47" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6419,9 +6419,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.135.213.17", + "10.30.239.222", "10.167.128.229", - "10.30.239.222" + "10.135.213.17" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6488,8 +6488,8 @@ "rspic5637.api.local" ], "related.ip": [ - "10.169.133.219", - "10.115.166.48" + "10.115.166.48", + "10.169.133.219" ], "related.user": [ "emq" @@ -6499,8 +6499,8 @@ "rsa.investigations.event_vcat": "iumdol", "rsa.misc.OS": "min", "rsa.misc.action": [ - "eleumiur", - "block" + "block", + "eleumiur" ], "rsa.misc.category": "ero", "rsa.misc.client": "gia", @@ -6579,8 +6579,8 @@ "rror3870.www5.local" ], "related.ip": [ - "10.146.255.40", - "10.226.39.82" + "10.226.39.82", + "10.146.255.40" ], "related.user": [ "caecatcu" @@ -6729,8 +6729,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.66.149.234", "10.186.253.240", + "10.66.149.234", "10.233.128.7" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -6793,9 +6793,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.227.133.134", "10.46.11.114", - "10.173.140.201" + "10.173.140.201", + "10.227.133.134" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6926,8 +6926,8 @@ "velill3821.mail.invalid" ], "related.ip": [ - "10.97.254.192", - "10.124.34.251" + "10.124.34.251", + "10.97.254.192" ], "related.user": [ "epor" @@ -7012,9 +7012,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.9.41.221", + "10.204.98.238", "10.81.58.91", - "10.204.98.238" + "10.9.41.221" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7117,8 +7117,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.35.84.125", - "10.212.208.70", - "10.37.120.29" + "10.37.120.29", + "10.212.208.70" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7180,9 +7180,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.199.201.26", "10.207.207.106", - "10.143.65.84" + "10.143.65.84", + "10.199.201.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7244,8 +7244,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.41.61.88", "10.204.27.48", + "10.41.61.88", "10.163.236.253" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7308,8 +7308,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.246.81.164", "10.53.110.111", + "10.246.81.164", "10.185.44.26" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7378,8 +7378,8 @@ "cupida6106.www5.local" ], "related.ip": [ - "10.146.77.206", - "10.109.172.90" + "10.109.172.90", + "10.146.77.206" ], "related.user": [ "aquaeab" @@ -7469,8 +7469,8 @@ "unt2122.internal.local" ], "related.ip": [ - "10.202.250.141", - "10.38.18.72" + "10.38.18.72", + "10.202.250.141" ], "related.user": [ "maperia" @@ -7662,8 +7662,8 @@ "rsa.investigations.event_vcat": "olupt", "rsa.misc.OS": "rumw", "rsa.misc.action": [ - "block", - "tali" + "tali", + "block" ], "rsa.misc.category": "itsedq", "rsa.misc.client": "esciu", diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 2d1832bc54a..d8efe2892a5 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -282,6 +282,7 @@ "source.geo.city_name": "Moscow", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7527, "source.geo.location.lon": 37.6172, "source.geo.region_iso_code": "RU-MOW", @@ -327,6 +328,7 @@ "source.geo.city_name": "Clermont-Ferrand", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 45.7838, "source.geo.location.lon": 3.0966, "source.geo.region_iso_code": "FR-63", diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json index c8b16376e8f..73f9e79c29a 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -801,6 +802,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -866,6 +868,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json index 7c44c612d13..a3840436672 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-application-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APPLICATION_SETTING", "event.category": [ "iam" @@ -42,6 +41,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -56,7 +56,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_APPLICATION_SETTING", "event.category": [ "iam" @@ -97,6 +96,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -111,7 +111,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_APPLICATION_SETTING", "event.category": [ "iam" @@ -152,6 +151,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -166,7 +166,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REORDER_GROUP_BASED_POLICIES_EVENT", "event.category": [ "iam" @@ -206,6 +205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -220,7 +220,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GPLUS_PREMIUM_FEATURES", "event.category": [ "iam" @@ -255,6 +254,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -269,7 +269,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -304,6 +303,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -318,7 +318,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -353,6 +352,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -367,7 +367,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_MANAGED_CONFIGURATION", "event.category": [ "iam" @@ -402,6 +401,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -416,7 +416,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "FLASHLIGHT_EDU_NON_FEATURED_SERVICES_SELECTED", "event.category": [ "iam" @@ -450,6 +449,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json index 88580177907..2a8eb8eb3fe 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-calendar-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_BUILDING", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_BUILDING", "event.category": [ "iam" @@ -84,6 +83,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -98,7 +98,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_BUILDING", "event.category": [ "iam" @@ -136,6 +135,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -150,7 +150,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -199,7 +199,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -234,6 +233,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -248,7 +248,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -283,6 +282,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -297,7 +297,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -332,6 +331,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -346,7 +346,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CALENDAR_RESOURCE_FEATURE", "event.category": [ "iam" @@ -384,6 +383,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -398,7 +398,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -434,6 +433,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -448,7 +448,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CALENDAR_RESOURCE", "event.category": [ "iam" @@ -486,6 +485,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -500,7 +500,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CALENDAR_SETTING", "event.category": [ "iam" @@ -541,6 +540,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -555,7 +555,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CANCEL_CALENDAR_EVENTS", "event.category": [ "iam" @@ -590,6 +589,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -604,7 +604,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RELEASE_CALENDAR_RESOURCES", "event.category": [ "iam" @@ -639,6 +638,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json index 70de8368e2c..4736114f427 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chat-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_CREATE_GATEWAY", "event.category": [ "iam" @@ -34,6 +33,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -48,7 +48,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_DELETE_GATEWAY", "event.category": [ "iam" @@ -82,6 +81,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -96,7 +96,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MEET_INTEROP_MODIFY_GATEWAY", "event.category": [ "iam" @@ -130,6 +129,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -144,7 +144,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHAT_SETTING", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json index 4ce27e5aff2..00f51c0bc79 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-chromeos-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_ANDROID_APPLICATION_SETTING", "event.category": [ "iam" @@ -42,6 +41,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -56,7 +56,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DEVICE_STATE", "event.category": [ "iam" @@ -93,6 +92,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -107,7 +107,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_APPLICATION_SETTING", "event.category": [ "iam" @@ -149,6 +148,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -163,7 +163,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SEND_CHROME_OS_DEVICE_COMMAND", "event.category": [ "iam" @@ -198,6 +197,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -212,7 +212,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_ANNOTATION", "event.category": [ "iam" @@ -246,6 +245,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -260,7 +260,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_SETTING", "event.category": [ "iam" @@ -297,6 +296,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -311,7 +311,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_DEVICE_STATE", "event.category": [ "iam" @@ -348,6 +347,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -362,7 +362,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_PUBLIC_SESSION_SETTING", "event.category": [ "iam" @@ -399,6 +398,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -413,7 +413,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "INSERT_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -447,6 +446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -461,7 +461,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -495,6 +494,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -509,7 +509,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CHROME_OS_PRINT_SERVER", "event.category": [ "iam" @@ -545,6 +544,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -559,7 +559,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "INSERT_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -593,6 +592,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -607,7 +607,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -641,6 +640,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -655,7 +655,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_CHROME_OS_PRINTER", "event.category": [ "iam" @@ -691,6 +690,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -705,7 +705,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_SETTING", "event.category": [ "iam" @@ -742,6 +741,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -756,7 +756,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CHROME_OS_USER_SETTING", "event.category": [ "iam" @@ -793,6 +792,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -807,7 +807,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ISSUE_DEVICE_COMMAND", "event.category": [ "iam" @@ -846,6 +845,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -860,7 +860,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_DEVICE_TO_ORG_UNIT_DETAILED", "event.category": [ "iam" @@ -897,6 +896,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -911,7 +911,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_CHROME_OS_APPLICATION_SETTINGS", "event.category": [ "iam" @@ -945,6 +944,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -959,7 +959,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DEVICE", "event.category": [ "iam" @@ -994,6 +993,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1008,7 +1008,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ "iam" @@ -1046,6 +1045,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json index ed54f20525a..dee1917e48d 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-contacts-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONTACTS_SETTING", "event.category": [ "iam" @@ -38,6 +37,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json index c43835104fa..b5c6d47d8b3 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-delegatedadmin-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ASSIGN_ROLE", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ROLE", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ROLE", "event.category": [ "iam" @@ -135,6 +134,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -149,7 +149,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_PRIVILEGE", "event.category": [ "iam" @@ -185,6 +184,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -199,7 +199,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_PRIVILEGE", "event.category": [ "iam" @@ -235,6 +234,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -249,7 +249,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_ROLE", "event.category": [ "iam" @@ -284,6 +283,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -298,7 +298,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_ROLE", "event.category": [ "iam" @@ -333,6 +332,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -347,7 +347,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNASSIGN_ROLE", "event.category": [ "iam" @@ -384,6 +383,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json index 4fb31027b62..e0f00e25443 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-docs-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TRANSFER_DOCUMENT_OWNERSHIP", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DRIVE_DATA_RESTORE", "event.category": [ "iam" @@ -89,6 +88,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -103,7 +103,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOCS_SETTING", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -157,4 +157,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json index a8d965c7c8d..a349010fdb4 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-domain-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ACCOUNT_AUTO_RENEWAL", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_APPLICATION", "event.category": [ "iam" @@ -85,6 +84,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -99,7 +99,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_APPLICATION_TO_WHITELIST", "event.category": [ "iam" @@ -134,6 +133,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -148,7 +148,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ADVERTISEMENT_OPTION", "event.category": [ "iam" @@ -184,6 +183,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -198,7 +198,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ALERT", "event.category": [ "iam" @@ -232,6 +231,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -246,7 +246,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ALERT_CRITERIA", "event.category": [ "iam" @@ -280,6 +279,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -294,7 +294,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ALERT", "event.category": [ "iam" @@ -328,6 +327,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -342,7 +342,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALERT_RECEIVERS_CHANGED", "event.category": [ "iam" @@ -378,6 +377,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -392,7 +392,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_ALERT", "event.category": [ "iam" @@ -427,6 +426,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -441,7 +441,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALERT_STATUS_CHANGED", "event.category": [ "iam" @@ -477,6 +476,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -491,7 +491,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_DOMAIN_ALIAS", "event.category": [ "iam" @@ -526,6 +525,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -540,7 +540,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_DOMAIN_ALIAS", "event.category": [ "iam" @@ -575,6 +574,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -589,7 +589,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SKIP_DOMAIN_ALIAS_MX", "event.category": [ "iam" @@ -624,6 +623,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -638,7 +638,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_DOMAIN_ALIAS_MX", "event.category": [ "iam" @@ -673,6 +672,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -687,7 +687,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_DOMAIN_ALIAS", "event.category": [ "iam" @@ -723,6 +722,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -737,7 +737,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OAUTH_ACCESS_TO_ALL_APIS", "event.category": [ "iam" @@ -772,6 +771,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -786,7 +786,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ALLOW_ADMIN_PASSWORD_RESET", "event.category": [ "iam" @@ -821,6 +820,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -835,7 +835,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_API_ACCESS", "event.category": [ "iam" @@ -871,6 +870,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -885,7 +885,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "AUTHORIZE_API_CLIENT_ACCESS", "event.category": [ "iam" @@ -924,6 +923,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -938,7 +938,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_API_CLIENT_ACCESS", "event.category": [ "iam" @@ -973,6 +972,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -987,7 +987,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_REDEEMED", "event.category": [ "iam" @@ -1023,6 +1022,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1037,7 +1037,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_AUTO_ADD_NEW_SERVICE", "event.category": [ "iam" @@ -1072,6 +1071,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1086,7 +1086,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PRIMARY_DOMAIN", "event.category": [ "iam" @@ -1121,6 +1120,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1135,7 +1135,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_WHITELIST_SETTING", "event.category": [ "iam" @@ -1171,6 +1170,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1185,7 +1185,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMMUNICATION_PREFERENCES_SETTING_CHANGE", "event.category": [ "iam" @@ -1222,6 +1221,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1236,7 +1236,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CONFLICT_ACCOUNT_ACTION", "event.category": [ "iam" @@ -1272,6 +1271,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1286,7 +1286,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_FEEDBACK_SOLICITATION", "event.category": [ "iam" @@ -1322,6 +1321,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1336,7 +1336,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_CONTACT_SHARING", "event.category": [ "iam" @@ -1371,6 +1370,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1385,7 +1385,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_PLAY_FOR_WORK_TOKEN", "event.category": [ "iam" @@ -1419,6 +1418,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1433,7 +1433,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_CUSTOM_LOGO", "event.category": [ "iam" @@ -1468,6 +1467,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1482,7 +1482,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CUSTOM_LOGO", "event.category": [ "iam" @@ -1516,6 +1515,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1530,7 +1530,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_LOCALIZATION_FOR_RUSSIA", "event.category": [ "iam" @@ -1566,6 +1565,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1580,7 +1580,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_LOCALIZATION_SETTING", "event.category": [ "iam" @@ -1616,6 +1615,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1630,7 +1630,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DATA_PROTECTION_OFFICER_CONTACT_INFO", "event.category": [ "iam" @@ -1666,6 +1665,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1680,7 +1680,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_PLAY_FOR_WORK_TOKEN", "event.category": [ "iam" @@ -1714,6 +1713,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1728,7 +1728,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_DNS_LOGIN_DETAILS", "event.category": [ "iam" @@ -1762,6 +1761,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1776,7 +1776,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_DEFAULT_LOCALE", "event.category": [ "iam" @@ -1812,6 +1811,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1826,7 +1826,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_DEFAULT_TIMEZONE", "event.category": [ "iam" @@ -1862,6 +1861,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1876,7 +1876,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_NAME", "event.category": [ "iam" @@ -1911,6 +1910,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1925,7 +1925,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ENABLE_PRE_RELEASE_FEATURES", "event.category": [ "iam" @@ -1960,6 +1959,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1974,7 +1974,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_DOMAIN_SUPPORT_MESSAGE", "event.category": [ "iam" @@ -2010,6 +2009,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2024,7 +2024,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_TRUSTED_DOMAINS", "event.category": [ "iam" @@ -2058,6 +2057,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2072,7 +2072,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_TRUSTED_DOMAINS", "event.category": [ "iam" @@ -2106,6 +2105,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2120,7 +2120,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EDU_TYPE", "event.category": [ "iam" @@ -2156,6 +2155,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2170,7 +2170,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_ENABLE_OAUTH_CONSUMER_KEY", "event.category": [ "iam" @@ -2205,6 +2204,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2219,7 +2219,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSO_ENABLED", "event.category": [ "iam" @@ -2254,6 +2253,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2268,7 +2268,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SSL", "event.category": [ "iam" @@ -2303,6 +2302,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2317,7 +2317,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EU_REPRESENTATIVE_CONTACT_INFO", "event.category": [ "iam" @@ -2353,6 +2352,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2367,7 +2367,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_TRANSFER_TOKEN", "event.category": [ "iam" @@ -2400,6 +2399,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2414,7 +2414,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_BACKGROUND_COLOR", "event.category": [ "iam" @@ -2450,6 +2449,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2464,7 +2464,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_BORDER_COLOR", "event.category": [ "iam" @@ -2500,6 +2499,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2514,7 +2514,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LOGIN_ACTIVITY_TRACE", "event.category": [ "iam" @@ -2550,6 +2549,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2564,7 +2564,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "PLAY_FOR_WORK_ENROLL", "event.category": [ "iam" @@ -2599,6 +2598,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2613,7 +2613,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "PLAY_FOR_WORK_UNENROLL", "event.category": [ "iam" @@ -2647,6 +2646,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2661,7 +2661,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MX_RECORD_VERIFICATION_CLAIM", "event.category": [ "iam" @@ -2697,6 +2696,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2711,7 +2711,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_NEW_APP_FEATURES", "event.category": [ "iam" @@ -2746,6 +2745,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2760,7 +2760,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_USE_NEXT_GEN_CONTROL_PANEL", "event.category": [ "iam" @@ -2795,6 +2794,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2809,7 +2809,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPLOAD_OAUTH_CERTIFICATE", "event.category": [ "iam" @@ -2843,6 +2842,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2857,7 +2857,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REGENERATE_OAUTH_CONSUMER_SECRET", "event.category": [ "iam" @@ -2891,6 +2890,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2905,7 +2905,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OPEN_ID_ENABLED", "event.category": [ "iam" @@ -2940,6 +2939,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2954,7 +2954,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ORGANIZATION_NAME", "event.category": [ "iam" @@ -2990,6 +2989,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3004,7 +3004,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_OUTBOUND_RELAY", "event.category": [ "iam" @@ -3041,6 +3040,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3055,7 +3055,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_MAX_LENGTH", "event.category": [ "iam" @@ -3091,6 +3090,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3105,7 +3105,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_MIN_LENGTH", "event.category": [ "iam" @@ -3141,6 +3140,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3155,7 +3155,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DOMAIN_PRIMARY_ADMIN_EMAIL", "event.category": [ "iam" @@ -3191,6 +3190,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3205,7 +3205,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_SERVICE_OR_FEATURE_NOTIFICATIONS", "event.category": [ "iam" @@ -3241,6 +3240,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3255,7 +3255,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_APPLICATION", "event.category": [ "iam" @@ -3290,6 +3289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3304,7 +3304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_APPLICATION_FROM_WHITELIST", "event.category": [ "iam" @@ -3339,6 +3338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3353,7 +3353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RENEW_DOMAIN_REGISTRATION", "event.category": [ "iam" @@ -3389,6 +3388,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3403,7 +3403,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RESELLER_ACCESS", "event.category": [ "iam" @@ -3438,6 +3437,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3452,7 +3452,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RULE_ACTIONS_CHANGED", "event.category": [ "iam" @@ -3486,6 +3485,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3500,7 +3500,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_RULE", "event.category": [ "iam" @@ -3534,6 +3533,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3548,7 +3548,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RULE_CRITERIA", "event.category": [ "iam" @@ -3582,6 +3581,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3596,7 +3596,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_RULE", "event.category": [ "iam" @@ -3630,6 +3629,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3644,7 +3644,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_RULE", "event.category": [ "iam" @@ -3679,6 +3678,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3693,7 +3693,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RULE_STATUS_CHANGED", "event.category": [ "iam" @@ -3729,6 +3728,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3743,7 +3743,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3778,6 +3777,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3792,7 +3792,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3827,6 +3826,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3841,7 +3841,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SKIP_SECONDARY_DOMAIN_MX", "event.category": [ "iam" @@ -3876,6 +3875,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3890,7 +3890,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_SECONDARY_DOMAIN_MX", "event.category": [ "iam" @@ -3925,6 +3924,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3939,7 +3939,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VERIFY_SECONDARY_DOMAIN", "event.category": [ "iam" @@ -3974,6 +3973,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3988,7 +3988,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DOMAIN_SECONDARY_EMAIL", "event.category": [ "iam" @@ -4024,6 +4023,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4038,7 +4038,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SSO_SETTINGS", "event.category": [ "iam" @@ -4072,6 +4071,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4086,7 +4086,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_PIN", "event.category": [ "iam" @@ -4119,6 +4118,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -4133,7 +4133,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_RULE", "event.category": [ "iam" @@ -4167,6 +4166,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json index bdb57f64b88..f62dad33200 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-gmail-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DROP_FROM_QUARANTINE", "event.category": [ "iam" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EMAIL_LOG_SEARCH", "event.category": [ "iam" @@ -89,6 +88,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -103,7 +103,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EMAIL_UNDELETE", "event.category": [ "iam" @@ -141,6 +140,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -155,7 +155,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_EMAIL_SETTING", "event.category": [ "iam" @@ -196,6 +195,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -210,7 +210,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GMAIL_SETTING", "event.category": [ "iam" @@ -247,6 +246,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -261,7 +261,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_GMAIL_SETTING", "event.category": [ "iam" @@ -298,6 +297,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -312,7 +312,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_GMAIL_SETTING", "event.category": [ "iam" @@ -349,6 +348,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -363,7 +363,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REJECT_FROM_QUARANTINE", "event.category": [ "iam" @@ -398,6 +397,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -412,7 +412,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RELEASE_FROM_QUARANTINE", "event.category": [ "iam" @@ -447,6 +446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -460,4 +460,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json index 42a9699094c..ff894cd6c05 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-groups-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_GROUP", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -51,7 +51,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_GROUP", "event.category": [ "iam" @@ -88,6 +87,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -102,7 +102,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_DESCRIPTION", "event.category": [ "iam" @@ -139,6 +138,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -153,7 +153,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_LIST_DOWNLOAD", "event.category": [ "iam" @@ -187,6 +186,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -201,7 +201,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_GROUP_MEMBER", "event.category": [ "iam" @@ -240,6 +239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -254,7 +254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_GROUP_MEMBER", "event.category": [ "iam" @@ -293,6 +292,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -307,7 +307,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER", "event.category": [ "iam" @@ -348,6 +347,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -362,7 +362,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS", "event.category": [ "iam" @@ -403,6 +402,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -417,7 +417,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_GROUP_MEMBER_DELIVERY_SETTINGS_CAN_EMAIL_OVERRIDE", "event.category": [ "iam" @@ -458,6 +457,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -472,7 +472,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_MEMBER_BULK_UPLOAD", "event.category": [ "iam" @@ -508,6 +507,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -522,7 +522,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GROUP_MEMBERS_DOWNLOAD", "event.category": [ "iam" @@ -556,6 +555,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -570,7 +570,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_NAME", "event.category": [ "iam" @@ -608,6 +607,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -622,7 +622,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_GROUP_SETTING", "event.category": [ "iam" @@ -662,6 +661,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -676,7 +676,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "WHITELISTED_GROUPS_UPDATED", "event.category": [ "iam" @@ -715,6 +714,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json index d51d602ae7b..1fd3a0da6e2 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-licenses-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_USERS_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_ALL_USERS_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_ASSIGNMENT", "event.category": [ "iam" @@ -137,6 +136,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -151,7 +151,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LICENSE_AUTO_ASSIGN", "event.category": [ "iam" @@ -187,6 +186,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -201,7 +201,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_REASSIGNMENT", "event.category": [ "iam" @@ -239,6 +238,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -253,7 +253,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ORG_LICENSE_REVOKE", "event.category": [ "iam" @@ -289,6 +288,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -303,7 +303,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_LICENSE_REVOKE", "event.category": [ "iam" @@ -340,6 +339,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -354,7 +354,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_DYNAMIC_LICENSE", "event.category": [ "iam" @@ -391,6 +390,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json index 8e2f2896bdb..99bea4702c3 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-mobile-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ACTION_CANCELLED", "event.category": [ "iam" @@ -40,6 +39,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -54,7 +54,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ACTION_REQUESTED", "event.category": [ "iam" @@ -94,6 +93,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -108,7 +108,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_CERTIFICATE", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -158,7 +158,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_DEVICES_BULK_CREATION", "event.category": [ "iam" @@ -192,6 +191,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -206,7 +206,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_BLOCKED", "event.category": [ "iam" @@ -241,6 +240,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -255,7 +255,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_DEVICE_DELETION", "event.category": [ "iam" @@ -290,6 +289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -304,7 +304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_UNBLOCKED", "event.category": [ "iam" @@ -339,6 +338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -353,7 +353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "COMPANY_OWNED_DEVICE_WIPED", "event.category": [ "iam" @@ -388,6 +387,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -402,7 +402,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_PERMISSION_GRANT", "event.category": [ "iam" @@ -442,6 +441,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -456,7 +456,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_PRIORITY_ORDER", "event.category": [ "iam" @@ -491,6 +490,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -505,7 +505,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_APPLICATION_FROM_WHITELIST", "event.category": [ "iam" @@ -542,6 +541,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -556,7 +556,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_APPLICATION_SETTINGS", "event.category": [ "iam" @@ -596,6 +595,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -610,7 +610,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_APPLICATION_TO_WHITELIST", "event.category": [ "iam" @@ -647,6 +646,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -661,7 +661,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_APPROVE", "event.category": [ "iam" @@ -699,6 +698,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -713,7 +713,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_BLOCK", "event.category": [ "iam" @@ -751,6 +750,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -765,7 +765,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_DELETE", "event.category": [ "iam" @@ -803,6 +802,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -817,7 +817,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_WIPE", "event.category": [ "iam" @@ -855,6 +854,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -869,7 +869,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_SETTING", "event.category": [ "iam" @@ -907,6 +906,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -921,7 +921,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ADMIN_RESTRICTIONS_PIN", "event.category": [ "iam" @@ -956,6 +955,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -970,7 +970,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1006,6 +1005,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1020,7 +1020,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1056,6 +1055,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1070,7 +1070,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_WIRELESS_NETWORK", "event.category": [ "iam" @@ -1106,6 +1105,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1120,7 +1120,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_MOBILE_WIRELESS_NETWORK_PASSWORD", "event.category": [ "iam" @@ -1156,6 +1155,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1170,7 +1170,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_MOBILE_CERTIFICATE", "event.category": [ "iam" @@ -1206,6 +1205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1220,7 +1220,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENROLL_FOR_GOOGLE_DEVICE_MANAGEMENT", "event.category": [ "iam" @@ -1253,6 +1252,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1267,7 +1267,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT", "event.category": [ "iam" @@ -1300,6 +1299,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1314,7 +1314,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_NON_IOS", "event.category": [ "iam" @@ -1347,6 +1346,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1361,7 +1361,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USE_GOOGLE_MOBILE_MANAGEMENT_FOR_IOS", "event.category": [ "iam" @@ -1394,6 +1393,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1408,7 +1408,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_ACCOUNT_WIPE", "event.category": [ "iam" @@ -1446,6 +1445,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1460,7 +1460,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_APPROVE", "event.category": [ "iam" @@ -1498,6 +1497,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1512,7 +1512,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOBILE_DEVICE_CANCEL_WIPE_THEN_BLOCK", "event.category": [ "iam" @@ -1550,6 +1549,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json index b2a88d67fe8..b4cdd02f0bd 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-org-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_ENABLED", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_CREATED", "event.category": [ "iam" @@ -87,6 +86,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -101,7 +101,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_DELETED", "event.category": [ "iam" @@ -137,6 +136,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -151,7 +151,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_APPLICATION_LICENSE_RESERVATION_UPDATED", "event.category": [ "iam" @@ -189,6 +188,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -203,7 +203,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_DEVICE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -237,6 +236,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -251,7 +251,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ASSIGN_CUSTOM_LOGO", "event.category": [ "iam" @@ -285,6 +284,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -299,7 +299,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNASSIGN_CUSTOM_LOGO", "event.category": [ "iam" @@ -333,6 +332,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -347,7 +347,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -381,6 +380,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -395,7 +395,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -429,6 +428,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -443,7 +443,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHROME_LICENSES_ALLOWED", "event.category": [ "iam" @@ -479,6 +478,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -493,7 +493,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_ORG_UNIT", "event.category": [ "iam" @@ -527,6 +526,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -541,7 +541,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_ORG_UNIT", "event.category": [ "iam" @@ -575,6 +574,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -589,7 +589,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EDIT_ORG_UNIT_DESCRIPTION", "event.category": [ "iam" @@ -623,6 +622,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -637,7 +637,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_ORG_UNIT", "event.category": [ "iam" @@ -672,6 +671,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -686,7 +686,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "EDIT_ORG_UNIT_NAME", "event.category": [ "iam" @@ -721,6 +720,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -735,7 +735,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_DEVICE_ENROLLMENT_TOKEN", "event.category": [ "iam" @@ -769,6 +768,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -783,7 +783,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_SERVICE_ENABLED", "event.category": [ "iam" @@ -823,6 +822,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json index 65321e3842a..ccfe0f5b3ed 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-security-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_STRONG_AUTHENTICATION", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ "iam" @@ -85,6 +84,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -99,7 +99,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DISALLOW_SERVICE_FOR_OAUTH2_ACCESS", "event.category": [ "iam" @@ -134,6 +133,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -148,7 +148,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_APP_ACCESS_SETTINGS_COLLECTION_ID", "event.category": [ "iam" @@ -186,6 +185,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -200,7 +200,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_TO_TRUSTED_OAUTH2_APPS", "event.category": [ "iam" @@ -237,6 +236,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -251,7 +251,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_FROM_TRUSTED_OAUTH2_APPS", "event.category": [ "iam" @@ -288,6 +287,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -302,7 +302,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BLOCK_ON_DEVICE_ACCESS", "event.category": [ "iam" @@ -337,6 +336,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -351,7 +351,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_ENROLLMENT_PERIOD_DURATION", "event.category": [ "iam" @@ -390,6 +389,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -404,7 +404,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_FREQUENCY", "event.category": [ "iam" @@ -443,6 +442,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -457,7 +457,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_GRACE_PERIOD_DURATION", "event.category": [ "iam" @@ -496,6 +495,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -510,7 +510,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_TWO_STEP_VERIFICATION_START_DATE", "event.category": [ "iam" @@ -549,6 +548,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -563,7 +563,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_ALLOWED_TWO_STEP_VERIFICATION_METHODS", "event.category": [ "iam" @@ -601,6 +600,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -615,7 +615,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_CAA_ENABLEMENT", "event.category": [ "iam" @@ -649,6 +648,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -663,7 +663,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CAA_ERROR_MESSAGE", "event.category": [ "iam" @@ -698,6 +697,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -712,7 +712,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_CAA_APP_ASSIGNMENTS", "event.category": [ "iam" @@ -750,6 +749,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -764,7 +764,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNTRUST_DOMAIN_OWNED_OAUTH2_APPS", "event.category": [ "iam" @@ -798,6 +797,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -812,7 +812,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TRUST_DOMAIN_OWNED_OAUTH2_APPS", "event.category": [ "iam" @@ -846,6 +845,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -860,7 +860,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_NON_ADMIN_USER_PASSWORD_RECOVERY", "event.category": [ "iam" @@ -899,6 +898,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -913,7 +913,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENFORCE_STRONG_AUTHENTICATION", "event.category": [ "iam" @@ -954,6 +953,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -968,7 +968,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_ERROR_MSG_FOR_RESTRICTED_OAUTH2_APPS", "event.category": [ "iam" @@ -1004,6 +1003,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1018,7 +1018,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "WEAK_PROGRAMMATIC_LOGIN_SETTINGS_CHANGED", "event.category": [ "iam" @@ -1057,6 +1056,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1071,7 +1071,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SESSION_CONTROL_SETTINGS_CHANGE", "event.category": [ "iam" @@ -1108,6 +1107,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1122,7 +1122,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SESSION_LENGTH", "event.category": [ "iam" @@ -1157,6 +1156,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1171,7 +1171,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNBLOCK_ON_DEVICE_ACCESS", "event.category": [ "iam" @@ -1206,6 +1205,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json index b5afcff1ea3..272f4fb77e7 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-sites-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_WEB_ADDRESS", "event.category": [ "iam" @@ -37,6 +36,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -53,7 +53,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_WEB_ADDRESS", "event.category": [ "iam" @@ -90,6 +89,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -106,7 +106,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_SETTING", "event.category": [ "iam" @@ -144,6 +143,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -158,7 +158,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_SITES_WEB_ADDRESS_MAPPING_UPDATES", "event.category": [ "iam" @@ -192,6 +191,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -208,7 +208,6 @@ "url.path": "/path/in/url" }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_SITE_DETAILS", "event.category": [ "iam" @@ -242,6 +241,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json index f6220f7fcbd..b3be5557b03 100644 --- a/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/admin/test/gsuite-admin-user-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_2SV_SCRATCH_CODES", "event.category": [ "iam" @@ -36,6 +35,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -50,7 +50,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GENERATE_2SV_SCRATCH_CODES", "event.category": [ "iam" @@ -86,6 +85,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -100,7 +100,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_3LO_DEVICE_TOKENS", "event.category": [ "iam" @@ -138,6 +137,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -152,7 +152,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_3LO_TOKEN", "event.category": [ "iam" @@ -189,6 +188,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -203,7 +203,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_RECOVERY_EMAIL", "event.category": [ "iam" @@ -239,6 +238,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -253,7 +253,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_RECOVERY_PHONE", "event.category": [ "iam" @@ -289,6 +288,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -303,7 +303,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GRANT_ADMIN_PRIVILEGE", "event.category": [ "iam" @@ -339,6 +338,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -353,7 +353,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ADMIN_PRIVILEGE", "event.category": [ "iam" @@ -389,6 +388,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -403,7 +403,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_ASP", "event.category": [ "iam" @@ -440,6 +439,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -454,7 +454,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TOGGLE_AUTOMATIC_CONTACT_SHARING", "event.category": [ "iam" @@ -491,6 +490,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -505,7 +505,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BULK_UPLOAD", "event.category": [ "iam" @@ -541,6 +540,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -555,7 +555,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "BULK_UPLOAD_NOTIFICATION_SENT", "event.category": [ "iam" @@ -592,6 +591,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -606,7 +606,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CANCEL_USER_INVITE", "event.category": [ "iam" @@ -643,6 +642,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -657,7 +657,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_CUSTOM_FIELD", "event.category": [ "iam" @@ -696,6 +695,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -710,7 +710,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_EXTERNAL_ID", "event.category": [ "iam" @@ -748,6 +747,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -762,7 +762,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_GENDER", "event.category": [ "iam" @@ -800,6 +799,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -814,7 +814,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_IM", "event.category": [ "iam" @@ -852,6 +851,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -866,7 +866,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ENABLE_USER_IP_WHITELIST", "event.category": [ "iam" @@ -904,6 +903,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -918,7 +918,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_KEYWORD", "event.category": [ "iam" @@ -956,6 +955,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -970,7 +970,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_LANGUAGE", "event.category": [ "iam" @@ -1008,6 +1007,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1022,7 +1022,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_LOCATION", "event.category": [ "iam" @@ -1060,6 +1059,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1074,7 +1074,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_ORGANIZATION", "event.category": [ "iam" @@ -1112,6 +1111,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1126,7 +1126,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_PHONE_NUMBER", "event.category": [ "iam" @@ -1164,6 +1163,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1178,7 +1178,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RECOVERY_EMAIL", "event.category": [ "iam" @@ -1214,6 +1213,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1228,7 +1228,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_RECOVERY_PHONE", "event.category": [ "iam" @@ -1264,6 +1263,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1278,7 +1278,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_RELATION", "event.category": [ "iam" @@ -1316,6 +1315,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1330,7 +1330,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_USER_ADDRESS", "event.category": [ "iam" @@ -1368,6 +1367,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1382,7 +1382,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_EMAIL_MONITOR", "event.category": [ "iam" @@ -1426,6 +1425,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1440,7 +1440,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_DATA_TRANSFER_REQUEST", "event.category": [ "iam" @@ -1478,6 +1477,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1492,7 +1492,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GRANT_DELEGATED_ADMIN_PRIVILEGES", "event.category": [ "iam" @@ -1529,6 +1528,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1543,7 +1543,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_ACCOUNT_INFO_DUMP", "event.category": [ "iam" @@ -1580,6 +1579,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1594,7 +1594,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_EMAIL_MONITOR", "event.category": [ "iam" @@ -1631,6 +1630,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1645,7 +1645,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_MAILBOX_DUMP", "event.category": [ "iam" @@ -1682,6 +1681,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1696,7 +1696,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_FIRST_NAME", "event.category": [ "iam" @@ -1734,6 +1733,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1748,7 +1748,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "GMAIL_RESET_USER", "event.category": [ "iam" @@ -1785,6 +1784,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1799,7 +1799,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_LAST_NAME", "event.category": [ "iam" @@ -1837,6 +1836,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1851,7 +1851,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MAIL_ROUTING_DESTINATION_ADDED", "event.category": [ "iam" @@ -1888,6 +1887,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1902,7 +1902,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MAIL_ROUTING_DESTINATION_REMOVED", "event.category": [ "iam" @@ -1939,6 +1938,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1953,7 +1953,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ADD_NICKNAME", "event.category": [ "iam" @@ -1990,6 +1989,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2004,7 +2004,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_NICKNAME", "event.category": [ "iam" @@ -2041,6 +2040,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2055,7 +2055,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD", "event.category": [ "iam" @@ -2091,6 +2090,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2105,7 +2105,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CHANGE_PASSWORD_ON_NEXT_LOGIN", "event.category": [ "iam" @@ -2143,6 +2142,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2157,7 +2157,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNLOAD_PENDING_INVITES_LIST", "event.category": [ "iam" @@ -2190,6 +2189,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2204,7 +2204,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_RECOVERY_EMAIL", "event.category": [ "iam" @@ -2240,6 +2239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2254,7 +2254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REMOVE_RECOVERY_PHONE", "event.category": [ "iam" @@ -2290,6 +2289,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2304,7 +2304,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REQUEST_ACCOUNT_INFO", "event.category": [ "iam" @@ -2340,6 +2339,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2354,7 +2354,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REQUEST_MAILBOX_DUMP", "event.category": [ "iam" @@ -2396,6 +2395,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2410,7 +2410,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RESEND_USER_INVITE", "event.category": [ "iam" @@ -2447,6 +2446,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2461,7 +2461,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RESET_SIGNIN_COOKIES", "event.category": [ "iam" @@ -2497,6 +2496,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2511,7 +2511,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SECURITY_KEY_REGISTERED_FOR_USER", "event.category": [ "iam" @@ -2547,6 +2546,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2561,7 +2561,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "REVOKE_SECURITY_KEY", "event.category": [ "iam" @@ -2597,6 +2596,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2611,7 +2611,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_INVITE", "event.category": [ "iam" @@ -2648,6 +2647,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2662,7 +2662,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "VIEW_TEMP_PASSWORD", "event.category": [ "iam" @@ -2699,6 +2698,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2713,7 +2713,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "TURN_OFF_2_STEP_VERIFICATION", "event.category": [ "iam" @@ -2749,6 +2748,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2763,7 +2763,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNBLOCK_USER_SESSION", "event.category": [ "iam" @@ -2799,6 +2798,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2813,7 +2813,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNENROLL_USER_FROM_TITANIUM", "event.category": [ "iam" @@ -2849,6 +2848,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2863,7 +2863,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ARCHIVE_USER", "event.category": [ "iam" @@ -2899,6 +2898,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2913,7 +2913,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPDATE_BIRTHDATE", "event.category": [ "iam" @@ -2950,6 +2949,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -2964,7 +2964,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "CREATE_USER", "event.category": [ "iam" @@ -3000,6 +2999,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3014,7 +3014,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DELETE_USER", "event.category": [ "iam" @@ -3050,6 +3049,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3064,7 +3064,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNGRADE_USER_FROM_GPLUS", "event.category": [ "iam" @@ -3100,6 +3099,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3114,7 +3114,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_ENROLLED_IN_TWO_STEP_VERIFICATION", "event.category": [ "iam" @@ -3150,6 +3149,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3164,7 +3164,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "DOWNLOAD_USERLIST_CSV", "event.category": [ "iam" @@ -3197,6 +3196,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3211,7 +3211,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "MOVE_USER_TO_ORG_UNIT", "event.category": [ "iam" @@ -3249,6 +3248,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3263,7 +3263,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USER_PUT_IN_TWO_STEP_VERIFICATION_GRACE_PERIOD", "event.category": [ "iam" @@ -3300,6 +3299,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3314,7 +3314,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "RENAME_USER", "event.category": [ "iam" @@ -3351,6 +3350,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3365,7 +3365,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNENROLL_USER_FROM_STRONG_AUTH", "event.category": [ "iam" @@ -3401,6 +3400,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3415,7 +3415,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "SUSPEND_USER", "event.category": [ "iam" @@ -3451,6 +3450,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3465,7 +3465,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNARCHIVE_USER", "event.category": [ "iam" @@ -3501,6 +3500,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3515,7 +3515,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNDELETE_USER", "event.category": [ "iam" @@ -3551,6 +3550,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3565,7 +3565,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UNSUSPEND_USER", "event.category": [ "iam" @@ -3601,6 +3600,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3615,7 +3615,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "UPGRADE_USER_TO_GPLUS", "event.category": [ "iam" @@ -3651,6 +3650,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3665,7 +3665,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USERS_BULK_UPLOAD", "event.category": [ "iam" @@ -3700,6 +3699,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3714,7 +3714,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "USERS_BULK_UPLOAD_NOTIFICATION_SENT", "event.category": [ "iam" @@ -3750,6 +3749,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -3763,4 +3763,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json index 3d75fea232d..9ffde6ce107 100644 --- a/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/drive/test/gsuite-drive-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_to_folder", "event.category": [ "file" @@ -47,6 +46,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -61,7 +61,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_canceled", "event.category": [ "file", @@ -107,6 +106,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -121,7 +121,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_comment_added", "event.category": [ "file", @@ -167,6 +166,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -181,7 +181,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_requested", "event.category": [ "file", @@ -227,6 +226,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -241,7 +241,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approval_reviewer_responded", "event.category": [ "file", @@ -287,6 +286,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -301,7 +301,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "create", "event.category": [ "file" @@ -346,6 +345,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -360,7 +360,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "delete", "event.category": [ "file" @@ -405,6 +404,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -419,7 +419,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "download", "event.category": [ "file" @@ -464,6 +463,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -478,7 +478,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "edit", "event.category": [ "file" @@ -523,6 +522,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -537,7 +537,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_lock", "event.category": [ "file" @@ -582,6 +581,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -596,7 +596,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "move", "event.category": [ "file" @@ -645,6 +644,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -659,7 +659,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "preview", "event.category": [ "file" @@ -704,6 +703,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -718,7 +718,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "print", "event.category": [ "file" @@ -763,6 +762,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -777,7 +777,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_from_folder", "event.category": [ "file" @@ -824,6 +823,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -838,7 +838,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "rename", "event.category": [ "file" @@ -885,6 +884,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -899,7 +899,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "untrash", "event.category": [ "file" @@ -944,6 +943,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -958,7 +958,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "sheets_import_range", "event.category": [ "file" @@ -1003,6 +1002,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1017,7 +1017,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "trash", "event.category": [ "file" @@ -1062,6 +1061,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1076,7 +1076,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_lock", "event.category": [ "file" @@ -1121,6 +1120,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1135,7 +1135,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "upload", "event.category": [ "file" @@ -1180,6 +1179,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1194,7 +1194,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "view", "event.category": [ "file" @@ -1240,6 +1239,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1254,7 +1254,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_acl_editors", "event.category": [ "file", @@ -1304,6 +1303,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1318,7 +1318,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_document_access_scope", "event.category": [ "file", @@ -1369,6 +1368,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1383,7 +1383,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_document_visibility", "event.category": [ "file", @@ -1434,6 +1433,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1448,7 +1448,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "shared_drive_membership_change", "event.category": [ "file", @@ -1499,6 +1498,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1513,7 +1513,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "shared_drive_settings_change", "event.category": [ "file", @@ -1564,6 +1563,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1578,7 +1578,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "sheets_import_range_access_change", "event.category": [ "file", @@ -1624,6 +1623,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1638,7 +1638,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_user_access", "event.category": [ "file", @@ -1690,6 +1689,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json index 8944e12d5e7..f62ef0391c0 100644 --- a/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/groups/test/gsuite-groups-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_acl_permission", "event.category": [ "iam" @@ -45,6 +44,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -59,7 +59,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "accept_invitation", "event.category": [ "iam" @@ -97,6 +96,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -111,7 +111,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "approve_join_request", "event.category": [ "iam" @@ -151,6 +150,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -165,7 +165,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "join", "event.category": [ "iam" @@ -203,6 +202,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -217,7 +217,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "request_to_join", "event.category": [ "iam" @@ -255,6 +254,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -269,7 +269,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_basic_setting", "event.category": [ "iam" @@ -309,6 +308,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -323,7 +323,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "create_group", "event.category": [ "iam" @@ -360,6 +359,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -374,7 +374,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "delete_group", "event.category": [ "iam" @@ -411,6 +410,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -425,7 +425,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_identity_setting", "event.category": [ "iam" @@ -465,6 +464,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -479,7 +479,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_info_setting", "event.category": [ "iam" @@ -518,6 +517,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -532,7 +532,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_info_setting", "event.category": [ "iam" @@ -572,6 +571,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -586,7 +586,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_info_setting", "event.category": [ "iam" @@ -625,6 +624,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -639,7 +639,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_new_members_restrictions_setting", "event.category": [ "iam" @@ -679,6 +678,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -693,7 +693,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_post_replies_setting", "event.category": [ "iam" @@ -733,6 +732,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -747,7 +747,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_spam_moderation_setting", "event.category": [ "iam" @@ -787,6 +786,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -801,7 +801,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "change_topic_setting", "event.category": [ "iam" @@ -841,6 +840,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -855,7 +855,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "moderate_message", "event.category": [ "iam" @@ -896,6 +895,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -910,7 +910,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "always_post_from_user", "event.category": [ "iam" @@ -951,6 +950,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -965,7 +965,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "add_user", "event.category": [ "iam" @@ -1006,6 +1005,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1020,7 +1020,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "ban_user_with_moderation", "event.category": [ "iam" @@ -1061,6 +1060,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1075,7 +1075,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "revoke_invitation", "event.category": [ "iam" @@ -1115,6 +1114,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1129,7 +1129,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "invite_user", "event.category": [ "iam" @@ -1169,6 +1168,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1183,7 +1183,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "reject_join_request", "event.category": [ "iam" @@ -1223,6 +1222,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1237,7 +1237,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "reinvite_user", "event.category": [ "iam" @@ -1277,6 +1276,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -1291,7 +1291,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "remove_user", "event.category": [ "iam" @@ -1331,6 +1330,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json index 00731f235f3..287e6245a25 100644 --- a/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/login/test/gsuite-login-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_password_leak", "event.category": [ "authentication" @@ -35,6 +34,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -49,7 +49,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_generic", "event.category": [ "authentication" @@ -84,6 +83,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -98,7 +98,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_spamming_through_relay", "event.category": [ "authentication" @@ -133,6 +132,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -147,7 +147,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "account_disabled_spamming", "event.category": [ "authentication" @@ -182,6 +181,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -196,7 +196,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "gov_attack_warning", "event.category": [ "authentication" @@ -229,6 +228,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -243,7 +243,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ "authentication" @@ -280,6 +279,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -294,7 +294,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_challenge", "event.category": [ "authentication" @@ -330,6 +329,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -344,7 +344,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_verification", "event.category": [ "authentication" @@ -381,6 +380,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -395,7 +395,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "logout", "event.category": [ "authentication" @@ -429,6 +428,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -443,7 +443,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_success", "event.category": [ "authentication" @@ -480,6 +479,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json index 36dec3bfb61..6dd2d0216b0 100644 --- a/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/saml/test/gsuite-saml-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "login_failure", "event.category": [ "authentication" @@ -40,6 +39,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -54,7 +54,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:01.000Z", "event.action": "login_success", "event.category": [ "authentication" @@ -92,6 +91,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json index 47aba59e1da..689aad5cde2 100644 --- a/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json +++ b/x-pack/filebeat/module/gsuite/user_accounts/test/gsuite-user_accounts-test.json.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "2sv_disable", "event.category": [ "iam" @@ -34,6 +33,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -48,7 +48,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "2sv_enroll", "event.category": [ "iam" @@ -82,6 +81,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -96,7 +96,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "password_edit", "event.category": [ "iam" @@ -130,6 +129,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -144,7 +144,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_email_edit", "event.category": [ "iam" @@ -178,6 +177,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -192,7 +192,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_phone_edit", "event.category": [ "iam" @@ -226,6 +225,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -240,7 +240,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "recovery_secret_qa_edit", "event.category": [ "iam" @@ -274,6 +273,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -288,7 +288,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "titanium_enroll", "event.category": [ "iam" @@ -322,6 +321,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", @@ -336,7 +336,6 @@ ] }, { - "@timestamp": "2020-10-02T15:00:00.000Z", "event.action": "titanium_unenroll", "event.category": [ "iam" @@ -370,6 +369,7 @@ "source.geo.city_name": "State College", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.7957, "source.geo.location.lon": -77.8618, "source.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 7894d6ff317..9aee12937a0 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -112,13 +112,13 @@ "ccusan7572.api.home" ], "related.ip": [ - "10.58.116.231", - "10.159.182.171" + "10.159.182.171", + "10.58.116.231" ], "related.user": [ - "temUten", + "qua", "uradi", - "qua" + "temUten" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -174,9 +174,9 @@ "10.18.124.28" ], "related.user": [ - "modocons", + "mquidol", "lapariat", - "mquidol" + "modocons" ], "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -239,8 +239,8 @@ ], "related.user": [ "oluptas", - "occae", - "intoc" + "intoc", + "occae" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", @@ -374,9 +374,9 @@ "10.211.105.204" ], "related.user": [ + "orema", "eveli", - "labor", - "orema" + "labor" ], "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -432,13 +432,13 @@ "pora6854.www5.home" ], "related.ip": [ - "10.214.191.180", - "10.112.250.193" + "10.112.250.193", + "10.214.191.180" ], "related.user": [ - "Exc", + "ipsumdol", "ide", - "ipsumdol" + "Exc" ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -493,12 +493,12 @@ "ptasn6599.www.localhost" ], "related.ip": [ - "10.192.34.76", - "10.251.20.13" + "10.251.20.13", + "10.192.34.76" ], "related.user": [ - "iquipe", "tnonpro", + "iquipe", "ovol" ], "rsa.counters.dclass_c1": 3645, @@ -556,8 +556,8 @@ ], "related.user": [ "idunt", - "archite", - "boree" + "boree", + "archite" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -617,8 +617,8 @@ "10.168.159.13" ], "related.user": [ - "atemq", "inci", + "atemq", "isnostr" ], "rsa.counters.dclass_c1": 6135, @@ -679,9 +679,9 @@ "10.49.167.57" ], "related.user": [ + "tali", "ccaeca", - "sau", - "tali" + "sau" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -743,17 +743,17 @@ "10.216.125.252" ], "related.user": [ + "lorsita", "dolore", - "llamco", - "lorsita" + "llamco" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "quasia" + "quasia", + "accept" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", @@ -809,8 +809,8 @@ "umdolor4389.api.home" ], "related.ip": [ - "10.52.125.9", - "10.204.128.215" + "10.204.128.215", + "10.52.125.9" ], "related.user": [ "nci", @@ -875,8 +875,8 @@ "rationev6444.localhost" ], "related.ip": [ - "10.34.148.166", - "10.200.68.129" + "10.200.68.129", + "10.34.148.166" ], "related.user": [ "icabo", @@ -938,8 +938,8 @@ ], "related.user": [ "siu", - "conse", - "licabo" + "licabo", + "conse" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -995,13 +995,13 @@ "spernatu5539.domain" ], "related.ip": [ - "10.30.98.10", - "10.126.26.131" + "10.126.26.131", + "10.30.98.10" ], "related.user": [ - "dipisci", + "velite", "olori", - "velite" + "dipisci" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1061,9 +1061,9 @@ "10.190.10.219" ], "related.user": [ - "item", + "accusant", "quamnih", - "accusant" + "item" ], "rsa.counters.dclass_c1": 3278, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1147,12 +1147,12 @@ "maliquam2147.internal.home" ], "related.ip": [ - "10.100.98.56", - "10.248.184.200" + "10.248.184.200", + "10.100.98.56" ], "related.user": [ - "ritati", "proident", + "ritati", "boru" ], "rsa.counters.dclass_c1": 5923, @@ -1209,13 +1209,13 @@ "olabor2983.internal.localhost" ], "related.ip": [ - "10.197.6.245", - "10.82.28.220" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ - "oluptat", "dtempo", - "aecatcup" + "aecatcup", + "oluptat" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1276,8 +1276,8 @@ ], "related.user": [ "redol", - "asnu", - "ationul" + "ationul", + "asnu" ], "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1339,17 +1339,17 @@ "10.88.45.111" ], "related.user": [ + "undeomni", "lmole", - "iameaque", - "undeomni" + "iameaque" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "illu", - "deny" + "deny", + "illu" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", @@ -1407,8 +1407,8 @@ "10.214.3.140" ], "related.user": [ - "edolorin", "scipitl", + "edolorin", "taliqui" ], "rsa.counters.dclass_c1": 5140, @@ -1472,8 +1472,8 @@ ], "related.user": [ "caboNem", - "pta", - "etconsec" + "etconsec", + "pta" ], "rsa.counters.event_counter": 5347, "rsa.db.database": "urExcept", @@ -1535,13 +1535,13 @@ "nder347.www.corp" ], "related.ip": [ - "10.105.190.170", - "10.182.152.242" + "10.182.152.242", + "10.105.190.170" ], "related.user": [ + "doeiu", "litan", - "mquisn", - "doeiu" + "mquisn" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1604,8 +1604,8 @@ ], "related.user": [ "emUte", - "liquam", - "min" + "min", + "liquam" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1666,13 +1666,13 @@ "ectob4634.mail.localhost" ], "related.ip": [ - "10.72.75.207", - "10.201.168.116" + "10.201.168.116", + "10.72.75.207" ], "related.user": [ + "urau", "eFini", - "eufug", - "urau" + "eufug" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1728,13 +1728,13 @@ "snu6436.www.local" ], "related.ip": [ - "10.9.46.123", - "10.58.133.175" + "10.58.133.175", + "10.9.46.123" ], "related.user": [ + "nde", "oco", - "mfu", - "nde" + "mfu" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1794,8 +1794,8 @@ "10.70.29.203" ], "related.user": [ - "mquisnos", "veniamq", + "mquisnos", "pta" ], "rsa.counters.dclass_c1": 2358, @@ -1856,8 +1856,8 @@ "10.165.182.111" ], "related.user": [ - "ames", "Bonorum", + "ames", "sis" ], "rsa.counters.dclass_c1": 6401, @@ -1944,8 +1944,8 @@ "upt6017.api.localdomain" ], "related.ip": [ - "10.64.184.196", - "10.173.178.109" + "10.173.178.109", + "10.64.184.196" ], "related.user": [ "tam", @@ -1957,8 +1957,8 @@ "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "lamco" + "lamco", + "block" ], "rsa.misc.category": "enia", "rsa.misc.disposition": "iavol", @@ -2012,13 +2012,13 @@ "turQuis4046.api.test" ], "related.ip": [ - "10.90.50.149", - "10.168.225.209" + "10.168.225.209", + "10.90.50.149" ], "related.user": [ "aUtenima", - "olupta", - "olu" + "olu", + "olupta" ], "rsa.counters.dclass_c1": 1127, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2079,8 +2079,8 @@ ], "related.user": [ "mtota", - "luptat", - "qua" + "qua", + "luptat" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2163,13 +2163,13 @@ "tatnonp1371.www.invalid" ], "related.ip": [ - "10.151.240.35", - "10.228.229.144" + "10.228.229.144", + "10.151.240.35" ], "related.user": [ + "lam", "ametcons", - "ama", - "lam" + "ama" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2289,17 +2289,17 @@ "10.254.10.98" ], "related.user": [ - "civeli", "eufugia", - "ttenb" + "ttenb", + "civeli" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uptasn" + "uptasn", + "cancel" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2383,13 +2383,13 @@ "ihi7294.www5.localhost" ], "related.ip": [ - "10.169.28.157", - "10.116.1.130" + "10.116.1.130", + "10.169.28.157" ], "related.user": [ - "reseo", + "eturadip", "amco", - "eturadip" + "reseo" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", @@ -2451,13 +2451,13 @@ "caecat4920.api.host" ], "related.ip": [ - "10.29.138.31", - "10.45.69.152" + "10.45.69.152", + "10.29.138.31" ], "related.user": [ - "volupta", "umq", - "tsunt" + "tsunt", + "volupta" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2513,13 +2513,13 @@ "setquas6188.internal.local" ], "related.ip": [ - "10.100.113.11", - "10.152.213.228" + "10.152.213.228", + "10.100.113.11" ], "related.user": [ - "ptatev", "itationu", - "velillum" + "velillum", + "ptatev" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2603,13 +2603,13 @@ "nibusBo3674.www5.localhost" ], "related.ip": [ - "10.208.33.55", - "10.248.102.129" + "10.248.102.129", + "10.208.33.55" ], "related.user": [ + "ulapari", "mremaper", - "inimv", - "ulapari" + "inimv" ], "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2669,8 +2669,8 @@ "10.109.230.216" ], "related.user": [ - "mporin", "ectobea", + "mporin", "ibus" ], "rsa.counters.dclass_c1": 547, @@ -2731,9 +2731,9 @@ "10.117.81.75" ], "related.user": [ - "iconsequ", + "dol", "exeac", - "dol" + "iconsequ" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2793,8 +2793,8 @@ "10.45.152.205" ], "related.user": [ - "eriti", "utlabo", + "eriti", "imav" ], "rsa.counters.dclass_c1": 922, @@ -2856,17 +2856,17 @@ "10.60.164.100" ], "related.user": [ - "hite", + "adipis", "ugi", - "adipis" + "hite" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", "rsa.internal.event_desc": "epteurs", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "taevitae", - "allow" + "allow", + "taevitae" ], "rsa.misc.category": "itse", "rsa.misc.disposition": "rever", @@ -2919,13 +2919,13 @@ "aliquip7229.mail.domain" ], "related.ip": [ - "10.248.244.203", - "10.146.228.234" + "10.146.228.234", + "10.248.244.203" ], "related.user": [ "mquamei", - "eiusm", - "sum" + "sum", + "eiusm" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2981,8 +2981,8 @@ "10.86.121.152" ], "related.user": [ - "ine", "consecte", + "ine", "nimv" ], "rsa.counters.dclass_c1": 2771, @@ -3039,13 +3039,13 @@ "agnama5013.internal.example" ], "related.ip": [ - "10.201.223.119", - "10.204.223.184" + "10.204.223.184", + "10.201.223.119" ], "related.user": [ + "tuserror", "rcit", - "teni", - "tuserror" + "teni" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3106,8 +3106,8 @@ ], "related.user": [ "magnido", - "Nequepo", - "elitsedd" + "elitsedd", + "Nequepo" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3169,17 +3169,17 @@ "10.65.225.101" ], "related.user": [ - "tuserror", "citation", - "emquel" + "emquel", + "tuserror" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "eruntmol", - "cancel" + "cancel", + "eruntmol" ], "rsa.misc.category": "imad", "rsa.misc.disposition": "tura", @@ -3236,9 +3236,9 @@ "10.191.184.105" ], "related.user": [ + "uta", "iin", - "tione", - "uta" + "tione" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3296,8 +3296,8 @@ "10.224.148.48" ], "related.user": [ - "equepor", "niam", + "equepor", "iosamn" ], "rsa.counters.event_counter": 7468, @@ -3360,12 +3360,12 @@ "amcorp7299.api.example" ], "related.ip": [ - "10.21.208.103", - "10.21.61.134" + "10.21.61.134", + "10.21.208.103" ], "related.user": [ - "ostr", "imidest", + "ostr", "mipsa" ], "rsa.counters.dclass_c1": 7766, @@ -3426,8 +3426,8 @@ "10.221.192.116" ], "related.user": [ - "iarchit", "iamquisn", + "iarchit", "tevelite" ], "rsa.counters.dclass_c1": 639, @@ -3486,8 +3486,8 @@ "tionevol3157.mail.invalid" ], "related.ip": [ - "10.191.142.143", - "10.240.62.238" + "10.240.62.238", + "10.191.142.143" ], "related.user": [ "nofde", @@ -3555,21 +3555,21 @@ "mquis319.api.local" ], "related.ip": [ - "10.178.79.217", - "10.111.22.134" + "10.111.22.134", + "10.178.79.217" ], "related.user": [ - "ccusan", + "tqui", "inibusBo", - "tqui" + "ccusan" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", "rsa.internal.event_desc": "adeseru", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "orisnis" + "orisnis", + "deny" ], "rsa.misc.category": "sitas", "rsa.misc.disposition": "eni", @@ -3622,13 +3622,13 @@ "urad5712.api.host" ], "related.ip": [ - "10.161.225.172", - "10.77.86.215" + "10.77.86.215", + "10.161.225.172" ], "related.user": [ - "xerc", + "rcit", "meaqu", - "rcit" + "xerc" ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3687,9 +3687,9 @@ "10.211.161.187" ], "related.user": [ - "boriosa", "sci", - "acons" + "acons", + "boriosa" ], "rsa.counters.dclass_c1": 1578, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3740,13 +3740,13 @@ "inBCSed5308.api.corp" ], "related.ip": [ - "10.254.198.47", - "10.160.147.230" + "10.160.147.230", + "10.254.198.47" ], "related.user": [ - "nimvenia", "ndeomnis", - "illoin" + "illoin", + "nimvenia" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3802,9 +3802,9 @@ "10.40.24.93" ], "related.user": [ - "exerci", + "orisnis", "mSecti", - "orisnis" + "exerci" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3860,13 +3860,13 @@ "itte6905.mail.invalid" ], "related.ip": [ - "10.249.13.159", - "10.108.130.106" + "10.108.130.106", + "10.249.13.159" ], "related.user": [ + "colab", "uisautei", - "exeacomm", - "colab" + "exeacomm" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3924,13 +3924,13 @@ "caboNemo274.www.host" ], "related.ip": [ - "10.39.244.49", - "10.64.94.174" + "10.64.94.174", + "10.39.244.49" ], "related.user": [ + "estiae", "iunt", - "Sedut", - "estiae" + "Sedut" ], "rsa.counters.event_counter": 7128, "rsa.db.database": "eFinibu", @@ -4047,13 +4047,13 @@ "qui5978.api.test" ], "related.ip": [ - "10.115.203.143", - "10.134.135.22" + "10.134.135.22", + "10.115.203.143" ], "related.user": [ + "utoditau", "involu", - "orpori", - "utoditau" + "orpori" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4203,9 +4203,9 @@ "10.20.231.188" ], "related.user": [ - "tesseq", + "mqu", "uatDuisa", - "mqu" + "tesseq" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4289,13 +4289,13 @@ "abor3266.mail.home" ], "related.ip": [ - "10.225.11.197", - "10.231.77.26" + "10.231.77.26", + "10.225.11.197" ], "related.user": [ + "rehe", "ineavol", - "volu", - "rehe" + "volu" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4349,13 +4349,13 @@ "eprehe2455.www.home" ], "related.ip": [ - "10.148.3.197", - "10.106.166.105" + "10.106.166.105", + "10.148.3.197" ], "related.user": [ - "olupt", "usa", - "avolup" + "avolup", + "olupt" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4411,9 +4411,9 @@ "10.172.121.239" ], "related.user": [ - "ipsu", + "ctas", "iuta", - "ctas" + "ipsu" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4469,13 +4469,13 @@ "exerc3694.api.home" ], "related.ip": [ - "10.129.234.200", - "10.42.218.103" + "10.42.218.103", + "10.129.234.200" ], "related.user": [ - "tevelit", "tisundeo", - "dquia" + "dquia", + "tevelit" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4535,9 +4535,9 @@ "10.111.132.221" ], "related.user": [ - "oloremi", + "ali", "scive", - "ali" + "oloremi" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4593,13 +4593,13 @@ "boriosa7066.www.corp" ], "related.ip": [ - "10.195.8.141", - "10.17.214.21" + "10.17.214.21", + "10.195.8.141" ], "related.user": [ "dolo", - "ota", - "enimip" + "enimip", + "ota" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4659,8 +4659,8 @@ "10.173.13.179" ], "related.user": [ - "apar", "ptasn", + "apar", "isn" ], "rsa.counters.dclass_c1": 758, @@ -4717,13 +4717,13 @@ "iatisund424.mail.localdomain" ], "related.ip": [ - "10.178.190.123", - "10.42.135.34" + "10.42.135.34", + "10.178.190.123" ], "related.user": [ - "tiset", "orsi", - "ore" + "ore", + "tiset" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4872,9 +4872,9 @@ "10.206.221.180" ], "related.user": [ - "oNe", + "nseq", "litesseq", - "nseq" + "oNe" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4930,9 +4930,9 @@ "10.86.180.150" ], "related.user": [ - "mnisis", + "etconsec", "itasper", - "etconsec" + "mnisis" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4994,8 +4994,8 @@ "10.158.161.5" ], "related.user": [ - "rrors", - "dolo" + "dolo", + "rrors" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", @@ -5084,12 +5084,12 @@ "nisiutal4437.www.example" ], "related.ip": [ - "10.150.27.144", - "10.248.16.82" + "10.248.16.82", + "10.150.27.144" ], "related.user": [ - "res", "ditautf", + "res", "tuserror" ], "rsa.counters.dclass_c1": 4367, @@ -5211,9 +5211,9 @@ "10.69.5.227" ], "related.user": [ - "rumw", "ntocc", - "doloreme" + "doloreme", + "rumw" ], "rsa.counters.dclass_c1": 5201, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5269,9 +5269,9 @@ "10.253.175.129" ], "related.user": [ + "epteurs", "nrep", - "ate", - "epteurs" + "ate" ], "rsa.counters.dclass_c1": 6260, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5333,8 +5333,8 @@ "10.89.26.170" ], "related.user": [ - "atus", "aboris", + "atus", "orumetMa" ], "rsa.counters.event_counter": 5863, @@ -5398,8 +5398,8 @@ "gitse6744.api.local" ], "related.ip": [ - "10.81.108.232", - "10.52.106.68" + "10.52.106.68", + "10.81.108.232" ], "related.user": [ "uaturve", @@ -5411,8 +5411,8 @@ "rsa.internal.event_desc": "pis", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "Quisaut" + "Quisaut", + "allow" ], "rsa.misc.category": "idol", "rsa.misc.disposition": "mmodico", @@ -5472,9 +5472,9 @@ "10.223.10.28" ], "related.user": [ - "erit", "untex", - "usmodte" + "usmodte", + "erit" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", @@ -5541,8 +5541,8 @@ ], "related.user": [ "sequamn", - "res", - "tasnul" + "tasnul", + "res" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5600,12 +5600,12 @@ "labo3477.www5.domain" ], "related.ip": [ - "10.226.75.20", - "10.247.108.144" + "10.247.108.144", + "10.226.75.20" ], "related.user": [ - "maccusan", "tema", + "maccusan", "fugia" ], "rsa.counters.event_counter": 3711, @@ -5667,13 +5667,13 @@ "itseddo2209.mail.domain" ], "related.ip": [ - "10.97.22.61", - "10.192.15.65" + "10.192.15.65", + "10.97.22.61" ], "related.user": [ - "illumd", "rExcep", - "nimides" + "nimides", + "illumd" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5798,9 +5798,9 @@ "10.28.77.79" ], "related.user": [ + "utlab", "rspic", - "upta", - "utlab" + "upta" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5855,13 +5855,13 @@ "tsunti1164.www.example" ], "related.ip": [ - "10.18.15.43", - "10.248.177.182" + "10.248.177.182", + "10.18.15.43" ], "related.user": [ - "quei", "caecat", - "quaturve" + "quaturve", + "quei" ], "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json index 40bbac9e3f5..73f2a49fabc 100644 --- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json @@ -55,6 +55,7 @@ "source.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "158.109.0.1", diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json index a33eb424fdd..fb4fca25df2 100644 --- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json @@ -1353,8 +1353,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.142.21.251", - "10.154.16.147" + "10.154.16.147", + "10.142.21.251" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "ute", @@ -1387,8 +1387,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.105.212.51", - "10.119.53.68" + "10.119.53.68", + "10.105.212.51" ], "rsa.db.index": "giatqu", "rsa.internal.messageid": "00042", @@ -1852,8 +1852,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.51.161.245", - "10.193.80.21" + "10.193.80.21", + "10.51.161.245" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "modi", @@ -2318,8 +2318,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.185.50.112", - "10.126.150.15" + "10.126.150.15", + "10.185.50.112" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "tot", @@ -2479,8 +2479,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.96.165.147", - "10.96.218.99" + "10.96.218.99", + "10.96.165.147" ], "related.user": [ "utla" diff --git a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json index a4b6019bc5d..163acbfd544 100644 --- a/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json +++ b/x-pack/filebeat/module/misp/threat/test/misp-test.json.log-expected.json @@ -4,6 +4,7 @@ "destination.geo.city_name": "State College", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 40.7957, "destination.geo.location.lon": -77.8618, "destination.geo.region_iso_code": "US-PA", diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 530aa6f4cc1..2ac0d3443e7 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -317,8 +317,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.66.171.247", - "10.155.162.162" + "10.155.162.162", + "10.66.171.247" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -396,8 +396,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.26.34", - "10.38.77.13" + "10.38.77.13", + "10.179.26.34" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1101,8 +1101,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.97.164.220", - "10.128.31.83" + "10.128.31.83", + "10.97.164.220" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "aera", @@ -1816,8 +1816,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.98.209.10", - "10.31.177.226" + "10.31.177.226", + "10.98.209.10" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1848,8 +1848,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.44.47.27", - "10.179.210.218" + "10.179.210.218", + "10.44.47.27" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2129,8 +2129,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.151.129.181", - "10.55.156.64" + "10.55.156.64", + "10.151.129.181" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2236,8 +2236,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.166.90.130", - "10.73.89.189" + "10.73.89.189", + "10.166.90.130" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index 56a4f778e7f..12d780947fb 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -48,6 +48,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -116,6 +117,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -184,6 +186,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -252,6 +255,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index b5c79d506d1..6f54a5ce22f 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json @@ -55,6 +55,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -131,6 +132,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -207,6 +209,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -283,6 +286,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -360,6 +364,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -436,6 +441,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -512,6 +518,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -589,6 +596,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -665,6 +673,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -741,6 +750,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -817,6 +827,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json index cea77b1153f..78cfca3dbfb 100644 --- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json @@ -130,6 +130,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -273,6 +274,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -416,6 +418,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -570,6 +573,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -724,6 +728,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -885,6 +890,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1046,6 +1052,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1207,6 +1214,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1368,6 +1376,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1529,6 +1538,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1690,6 +1700,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1851,6 +1862,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2012,6 +2024,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2173,6 +2186,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2334,6 +2348,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2495,6 +2510,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2656,6 +2672,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2817,6 +2834,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2960,6 +2978,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3103,6 +3122,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3257,6 +3277,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3400,6 +3421,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3543,6 +3565,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3686,6 +3709,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3840,6 +3864,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4001,6 +4026,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4162,6 +4188,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4323,6 +4350,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4484,6 +4512,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4645,6 +4674,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4806,6 +4836,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4967,6 +4998,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5128,6 +5160,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5290,6 +5323,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5452,6 +5486,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5742,6 +5777,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5903,6 +5939,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6064,6 +6101,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6225,6 +6263,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6386,6 +6425,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6547,6 +6587,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6708,6 +6749,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6869,6 +6911,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7030,6 +7073,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7191,6 +7235,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7352,6 +7397,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7513,6 +7559,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7674,6 +7721,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7835,6 +7883,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -7996,6 +8045,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8158,6 +8208,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8320,6 +8371,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8481,6 +8533,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8642,6 +8695,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8803,6 +8857,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -8964,6 +9019,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9125,6 +9181,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9286,6 +9343,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9447,6 +9505,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9608,6 +9667,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9769,6 +9829,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -9912,6 +9973,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10055,6 +10117,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10198,6 +10261,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10341,6 +10405,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10494,6 +10559,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10648,6 +10714,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10802,6 +10869,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -10956,6 +11024,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11110,6 +11179,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11251,6 +11321,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11394,6 +11465,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11537,6 +11609,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11691,6 +11764,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11845,6 +11919,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -11999,6 +12074,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12142,6 +12218,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12285,6 +12362,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12428,6 +12506,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12582,6 +12661,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12736,6 +12816,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -12890,6 +12971,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13051,6 +13133,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13212,6 +13295,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13373,6 +13457,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13534,6 +13619,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13695,6 +13781,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -13856,6 +13943,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14017,6 +14105,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14178,6 +14267,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14339,6 +14429,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14500,6 +14591,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14661,6 +14753,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14823,6 +14916,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -14985,6 +15079,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15147,6 +15242,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15306,6 +15402,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15465,6 +15562,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -15624,6 +15722,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index cc096b3acc2..97cb1f5bb01 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -305,6 +305,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -379,6 +380,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -454,6 +456,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -529,6 +532,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -604,6 +608,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 60c77401b35..5470038d6b8 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -77,6 +77,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -174,6 +175,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -271,6 +273,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -368,6 +371,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -465,6 +469,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -562,6 +567,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -659,6 +665,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -756,6 +763,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -853,6 +861,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -950,6 +959,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1047,6 +1057,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1144,6 +1155,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1241,6 +1253,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1338,6 +1351,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1434,6 +1448,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -1529,6 +1544,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1626,6 +1642,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1722,6 +1739,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -1817,6 +1835,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -1914,6 +1933,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2011,6 +2031,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2108,6 +2129,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2205,6 +2227,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2302,6 +2325,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2399,6 +2423,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2496,6 +2521,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2593,6 +2619,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2690,6 +2717,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2787,6 +2815,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2883,6 +2912,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -2981,6 +3011,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3067,6 +3098,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3162,6 +3194,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3248,6 +3281,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3344,6 +3378,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3430,6 +3465,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3526,6 +3562,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3623,6 +3660,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3720,6 +3758,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3806,6 +3845,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3902,6 +3942,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -3998,6 +4039,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -4093,6 +4135,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4190,6 +4233,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4276,6 +4320,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4371,6 +4416,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4468,6 +4514,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4565,6 +4612,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4662,6 +4710,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4759,6 +4808,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4856,6 +4906,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -4953,6 +5004,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5050,6 +5102,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5147,6 +5200,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5244,6 +5298,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5341,6 +5396,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5438,6 +5494,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5535,6 +5592,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5631,6 +5689,7 @@ "source.as.organization.name": "XFERA Moviles S.A.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", @@ -5726,6 +5785,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5823,6 +5883,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -5920,6 +5981,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6017,6 +6079,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6114,6 +6177,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6211,6 +6275,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6308,6 +6373,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6405,6 +6471,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6502,6 +6569,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", @@ -6599,6 +6667,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json index 4bd20443e07..e6326bf27b1 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json @@ -48,6 +48,7 @@ "source.geo.city_name": "Barcelona", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 41.3891, "source.geo.location.lon": 2.1611, "source.geo.region_iso_code": "ES-B", diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index 437a7ea5627..39d00244185 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -55,6 +55,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", @@ -130,6 +131,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", @@ -220,6 +222,7 @@ "source.geo.city_name": "Dublin", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.7201, "source.geo.location.lon": -121.919, "source.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index 96530ab70f3..54a45d4465e 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -739,6 +739,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index 37735ccfce0..8e5df2e94e4 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -10,6 +10,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -104,6 +105,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -198,6 +200,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -292,6 +295,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -386,6 +390,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -480,6 +485,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -574,6 +580,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -668,6 +675,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -762,6 +770,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -856,6 +865,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -950,6 +960,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1044,6 +1055,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1138,6 +1150,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1232,6 +1245,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1325,6 +1339,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1419,6 +1434,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1512,6 +1528,7 @@ "destination.as.organization.name": "Leaseweb Deutschland GmbH", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.geo.name": "Germany", @@ -1603,6 +1620,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1697,6 +1715,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1791,6 +1810,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1885,6 +1905,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -1979,6 +2000,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2073,6 +2095,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2167,6 +2190,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2261,6 +2285,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2355,6 +2380,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2449,6 +2475,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2543,6 +2570,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2637,6 +2665,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2731,6 +2760,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2825,6 +2855,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -2919,6 +2950,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3013,6 +3045,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3106,6 +3139,7 @@ "destination.as.organization.name": "Castle Access Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3196,6 +3230,7 @@ "destination.as.organization.name": "INAMES", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "KR", + "destination.geo.country_name": "South Korea", "destination.geo.location.lat": 37.5112, "destination.geo.location.lon": 126.9741, "destination.geo.name": "Korea Republic Of", @@ -3286,6 +3321,7 @@ "destination.as.organization.name": "CJSC Registrar R01", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -3377,6 +3413,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3469,6 +3506,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3559,6 +3597,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3650,6 +3689,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -3742,6 +3782,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3832,6 +3873,7 @@ "destination.as.organization.name": "Domain names registrar REG.RU, Ltd", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -3922,6 +3964,7 @@ "destination.as.organization.name": "Domain names registrar REG.RU, Ltd", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -4079,6 +4122,7 @@ "source.geo.city_name": "Fort Lauderdale", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 26.1792, "source.geo.location.lon": -80.1749, "source.geo.name": "United States", @@ -4103,6 +4147,7 @@ "destination.geo.city_name": "Kitchener", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 43.4419, "destination.geo.location.lon": -80.4216, "destination.geo.name": "Canada", @@ -4195,6 +4240,7 @@ "destination.as.organization.name": "Castle Access Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -4285,6 +4331,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "VG", + "destination.geo.country_name": "British Virgin Islands", "destination.geo.location.lat": 18.5, "destination.geo.location.lon": -64.5, "destination.geo.name": "Virgin Islands British", @@ -4375,6 +4422,7 @@ "destination.as.organization.name": "Confluence Networks Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -4466,6 +4514,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4559,6 +4608,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4652,6 +4702,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4745,6 +4796,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -4838,6 +4890,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5000,6 +5053,7 @@ "source.geo.city_name": "Brea", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.9339, "source.geo.location.lon": -117.8854, "source.geo.name": "United States", @@ -5024,6 +5078,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5186,6 +5241,7 @@ "source.geo.city_name": "Montreal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.4995, "source.geo.location.lon": -73.5848, "source.geo.name": "European Union", @@ -5278,6 +5334,7 @@ "source.as.organization.name": "No.31,Jin-rong Street", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 30.294, "source.geo.location.lon": 120.1619, "source.geo.name": "China", @@ -5302,6 +5359,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -5463,6 +5521,7 @@ "source.as.organization.name": "NForce Entertainment B.V.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", "source.geo.location.lat": 52.3824, "source.geo.location.lon": 4.8995, "source.geo.name": "Netherlands", @@ -5554,6 +5613,7 @@ "source.geo.city_name": "Montreal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "CA", + "source.geo.country_name": "Canada", "source.geo.location.lat": 45.4995, "source.geo.location.lon": -73.5848, "source.geo.name": "European Union", @@ -5577,6 +5637,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5667,6 +5728,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5757,6 +5819,7 @@ "destination.as.organization.name": "YANDEX LLC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.geo.name": "Russian Federation", @@ -5917,6 +5980,7 @@ "source.geo.city_name": "Brea", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 33.9339, "source.geo.location.lon": -117.8854, "source.geo.name": "United States", @@ -5941,6 +6005,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.name": "United States", @@ -6034,6 +6099,7 @@ "destination.geo.city_name": "Central", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "HK", + "destination.geo.country_name": "Hong Kong", "destination.geo.location.lat": 22.2909, "destination.geo.location.lon": 114.15, "destination.geo.name": "United States", @@ -6196,6 +6262,7 @@ "source.geo.city_name": "Redmond", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6722, "source.geo.location.lon": -122.1257, "source.geo.name": "United States", @@ -6289,6 +6356,7 @@ "source.geo.city_name": "Redmond", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.6722, "source.geo.location.lon": -122.1257, "source.geo.name": "United States", @@ -6313,6 +6381,7 @@ "destination.geo.city_name": "Los Angeles", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.0544, "destination.geo.location.lon": -118.244, "destination.geo.name": "United States", @@ -6474,6 +6543,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6495,6 +6565,7 @@ "destination.as.organization.name": "Pandora Media, Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6654,6 +6725,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6745,6 +6817,7 @@ "source.geo.city_name": "Oliva", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "ES", + "source.geo.country_name": "Spain", "source.geo.location.lat": 38.9197, "source.geo.location.lon": -0.1193, "source.geo.name": "Ukraine", @@ -6837,6 +6910,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -6927,6 +7001,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7017,6 +7092,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7107,6 +7183,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7128,6 +7205,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -7287,6 +7365,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7377,6 +7456,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7467,6 +7547,7 @@ "source.as.organization.name": "Wikimedia Foundation Inc.", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7557,6 +7638,7 @@ "source.as.organization.name": "Wikimedia Foundation Inc.", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7648,6 +7730,7 @@ "source.geo.city_name": "Los Angeles", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 34.0544, "source.geo.location.lon": -118.244, "source.geo.name": "United States", @@ -7740,6 +7823,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7830,6 +7914,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -7921,6 +8006,7 @@ "source.geo.city_name": "Liberal", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.0438, "source.geo.location.lon": -100.9286, "source.geo.name": "United States", @@ -8013,6 +8099,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8103,6 +8190,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8194,6 +8282,7 @@ "source.geo.city_name": "Albany", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 42.7008, "source.geo.location.lon": -73.8601, "source.geo.name": "United States", @@ -8286,6 +8375,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8307,6 +8397,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -8466,6 +8557,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8556,6 +8648,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8577,6 +8670,7 @@ "destination.as.organization.name": "Pandora Media, Inc", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -8736,6 +8830,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8826,6 +8921,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -8916,6 +9012,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9006,6 +9103,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9096,6 +9194,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", @@ -9186,6 +9285,7 @@ "source.as.organization.name": "Google LLC", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.geo.name": "United States", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index 587b481636f..44f7a7790ab 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -113,6 +114,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -211,6 +213,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -310,6 +313,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -411,6 +415,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -511,6 +516,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -609,6 +615,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -708,6 +715,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -809,6 +817,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -910,6 +919,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1011,6 +1021,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1112,6 +1123,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1213,6 +1225,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1314,6 +1327,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1415,6 +1429,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1516,6 +1531,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1617,6 +1633,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1718,6 +1735,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1819,6 +1837,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -1919,6 +1938,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2017,6 +2037,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2116,6 +2137,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2216,6 +2238,7 @@ "destination.bytes": 98, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2315,6 +2338,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2416,6 +2440,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2517,6 +2542,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -2617,6 +2643,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2715,6 +2742,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -2814,6 +2842,7 @@ "destination.geo.city_name": "Westminster", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 33.7518, "destination.geo.location.lon": -117.9932, "destination.geo.region_iso_code": "US-CA", @@ -2915,6 +2944,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3015,6 +3045,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3114,6 +3145,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -3215,6 +3247,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3315,6 +3348,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3413,6 +3447,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3512,6 +3547,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3613,6 +3649,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -3713,6 +3750,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3811,6 +3849,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -3908,6 +3947,7 @@ "destination.bytes": 111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4000,6 +4040,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -4098,6 +4139,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -4193,6 +4235,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -4294,6 +4337,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -4393,6 +4437,7 @@ "destination.bytes": 141, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4486,6 +4531,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -4586,6 +4632,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4685,6 +4732,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -4785,6 +4833,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4883,6 +4932,7 @@ "destination.bytes": 316, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -4981,6 +5031,7 @@ "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5079,6 +5130,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5177,6 +5229,7 @@ "destination.bytes": 954, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -5276,6 +5329,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -5377,6 +5431,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -5477,6 +5532,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5576,6 +5632,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -5676,6 +5733,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5774,6 +5832,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -5873,6 +5932,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -5974,6 +6034,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6074,6 +6135,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6172,6 +6234,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6270,6 +6333,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -6368,6 +6432,7 @@ "destination.bytes": 163, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6466,6 +6531,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6564,6 +6630,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -6663,6 +6730,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6763,6 +6831,7 @@ "destination.bytes": 922, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -6862,6 +6931,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -6962,6 +7032,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7060,6 +7131,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7159,6 +7231,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -7259,6 +7332,7 @@ "destination.bytes": 26786, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.5.1.1", @@ -7357,6 +7431,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7455,6 +7530,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -7554,6 +7630,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -7747,6 +7824,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -7848,6 +7926,7 @@ "destination.geo.city_name": "Assago", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 45.4087, "destination.geo.location.lon": 9.1225, "destination.geo.region_iso_code": "IT-MI", @@ -8133,6 +8212,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8233,6 +8313,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8331,6 +8412,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8430,6 +8512,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8530,6 +8613,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8720,6 +8804,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -8819,6 +8904,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -8919,6 +9005,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -9017,6 +9104,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "205.171.2.25", @@ -9115,6 +9203,7 @@ "destination.bytes": 906, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IT", + "destination.geo.country_name": "Italy", "destination.geo.location.lat": 43.1479, "destination.geo.location.lon": 12.1097, "destination.ip": "62.211.68.12", @@ -9214,6 +9303,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9315,6 +9405,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9416,6 +9507,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9609,6 +9701,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9710,6 +9803,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", @@ -9811,6 +9905,7 @@ "destination.geo.city_name": "Fort Lauderdale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 26.1792, "destination.geo.location.lon": -80.1749, "destination.geo.region_iso_code": "US-FL", diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index 93fe08f75d9..de6c83a2fa1 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -10,6 +10,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -111,6 +112,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -212,6 +214,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -313,6 +316,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -414,6 +418,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -515,6 +520,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -616,6 +622,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -717,6 +724,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -818,6 +826,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -919,6 +928,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1020,6 +1030,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1121,6 +1132,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1222,6 +1234,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1323,6 +1336,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1424,6 +1438,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1525,6 +1540,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1626,6 +1642,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1727,6 +1744,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1828,6 +1846,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -1929,6 +1948,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2030,6 +2050,7 @@ "destination.as.organization.name": "Akamai International B.V.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2131,6 +2152,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2232,6 +2254,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2333,6 +2356,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2434,6 +2458,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2535,6 +2560,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2636,6 +2662,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2737,6 +2764,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2838,6 +2866,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -2939,6 +2968,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3040,6 +3070,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3141,6 +3172,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3242,6 +3274,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3343,6 +3376,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3444,6 +3478,7 @@ "destination.as.organization.name": "MCI Communications Services, Inc. d/b/a Verizon Business", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3545,6 +3580,7 @@ "destination.as.organization.name": "Fastly", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -3647,6 +3683,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6109, "destination.geo.location.lon": -122.3303, "destination.geo.name": "United States", @@ -3751,6 +3788,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -3855,6 +3893,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -3959,6 +3998,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4063,6 +4103,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4167,6 +4208,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4271,6 +4313,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4375,6 +4418,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4479,6 +4523,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4583,6 +4628,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4687,6 +4733,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4791,6 +4838,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4895,6 +4943,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -4999,6 +5048,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.name": "United States", @@ -5102,6 +5152,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5203,6 +5254,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5304,6 +5356,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5405,6 +5458,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5506,6 +5560,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5607,6 +5662,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5708,6 +5764,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5809,6 +5866,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -5910,6 +5968,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6011,6 +6070,7 @@ "destination.as.organization.name": "Akamai Technologies, Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.geo.name": "United States", @@ -6113,6 +6173,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6217,6 +6278,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6321,6 +6383,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6425,6 +6488,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6529,6 +6593,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6633,6 +6698,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6737,6 +6803,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6841,6 +6908,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -6945,6 +7013,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7049,6 +7118,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7153,6 +7223,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7257,6 +7328,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7361,6 +7433,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7465,6 +7538,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7569,6 +7643,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", @@ -7673,6 +7748,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.name": "United States", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 5f979092c4b..200e02370d3 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -13,6 +13,7 @@ "destination.bytes": 5976, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.253.152", @@ -122,6 +123,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -232,6 +234,7 @@ "destination.geo.city_name": "Dallas", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.7787, "destination.geo.location.lon": -96.8217, "destination.geo.region_iso_code": "US-TX", @@ -343,6 +346,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -453,6 +457,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.region_iso_code": "US-CA", @@ -564,6 +569,7 @@ "destination.bytes": 21111, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "209.234.224.22", @@ -673,6 +679,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -782,6 +789,7 @@ "destination.bytes": 3732, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.2.238", @@ -891,6 +899,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1000,6 +1009,7 @@ "destination.bytes": 221, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1109,6 +1119,7 @@ "destination.bytes": 5469, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "17.249.60.78", @@ -1218,6 +1229,7 @@ "destination.bytes": 224, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1327,6 +1339,7 @@ "destination.bytes": 117, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1436,6 +1449,7 @@ "destination.bytes": 307, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1545,6 +1559,7 @@ "destination.bytes": 365, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1654,6 +1669,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1763,6 +1779,7 @@ "destination.bytes": 161, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1872,6 +1889,7 @@ "destination.bytes": 7805, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "98.138.49.44", @@ -1981,6 +1999,7 @@ "destination.bytes": 6106, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "72.30.3.43", @@ -2090,6 +2109,7 @@ "destination.bytes": 196, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2199,6 +2219,7 @@ "destination.bytes": 3245, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.142", @@ -2308,6 +2329,7 @@ "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2418,6 +2440,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -2528,6 +2551,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -2639,6 +2663,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2748,6 +2773,7 @@ "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -2853,6 +2879,7 @@ "destination.bytes": 1991, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "172.217.9.142", @@ -2959,6 +2986,7 @@ "destination.bytes": 523, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "151.101.2.2", @@ -3069,6 +3097,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3861, "destination.geo.location.lon": -122.0839, "destination.geo.region_iso_code": "US-CA", @@ -3180,6 +3209,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3289,6 +3319,7 @@ "destination.bytes": 196, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3398,6 +3429,7 @@ "destination.bytes": 5003, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.253.193", @@ -3507,6 +3539,7 @@ "destination.bytes": 171, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -3615,6 +3648,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -3727,6 +3761,7 @@ "destination.geo.city_name": "Sunnyvale", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.386, "destination.geo.location.lon": -122.0144, "destination.geo.region_iso_code": "US-CA", @@ -3839,6 +3874,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -3950,6 +3986,7 @@ "destination.bytes": 244, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4059,6 +4096,7 @@ "destination.bytes": 205, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4169,6 +4207,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4389,6 +4428,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -4500,6 +4540,7 @@ "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.252.247", @@ -4610,6 +4651,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4722,6 +4764,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -4833,6 +4876,7 @@ "destination.bytes": 182, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -4942,6 +4986,7 @@ "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5052,6 +5097,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -5163,6 +5209,7 @@ "destination.bytes": 661, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "184.51.252.247", @@ -5380,6 +5427,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5485,6 +5533,7 @@ "destination.bytes": 144, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5594,6 +5643,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5703,6 +5753,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5812,6 +5863,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -5921,6 +5973,7 @@ "destination.bytes": 132, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6030,6 +6083,7 @@ "destination.bytes": 127, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6139,6 +6193,7 @@ "destination.bytes": 105, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6248,6 +6303,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6357,6 +6413,7 @@ "destination.bytes": 134, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6466,6 +6523,7 @@ "destination.bytes": 179, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6575,6 +6633,7 @@ "destination.bytes": 218, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6684,6 +6743,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6793,6 +6853,7 @@ "destination.bytes": 305, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -6903,6 +6964,7 @@ "destination.geo.city_name": "Lanham", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9705, "destination.geo.location.lon": -76.8388, "destination.geo.region_iso_code": "US-MD", @@ -7014,6 +7076,7 @@ "destination.bytes": 153, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7123,6 +7186,7 @@ "destination.bytes": 169, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7232,6 +7296,7 @@ "destination.bytes": 128, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7341,6 +7406,7 @@ "destination.bytes": 181, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7450,6 +7516,7 @@ "destination.bytes": 121, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7560,6 +7627,7 @@ "destination.geo.city_name": "San Antonio", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 29.4551, "destination.geo.location.lon": -98.6498, "destination.geo.region_iso_code": "US-TX", @@ -7671,6 +7739,7 @@ "destination.bytes": 315, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7780,6 +7849,7 @@ "destination.bytes": 130, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -7890,6 +7960,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.54, "destination.geo.location.lon": -122.3032, "destination.geo.region_iso_code": "US-WA", @@ -8001,6 +8072,7 @@ "destination.bytes": 149, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8110,6 +8182,7 @@ "destination.bytes": 202, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8219,6 +8292,7 @@ "destination.bytes": 195, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8328,6 +8402,7 @@ "destination.bytes": 90, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "208.83.246.20", @@ -8437,6 +8512,7 @@ "destination.bytes": 192, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8545,6 +8621,7 @@ "destination.bytes": 208, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8653,6 +8730,7 @@ "destination.bytes": 100, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8761,6 +8839,7 @@ "destination.bytes": 7237, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.6583, "destination.geo.location.lon": -77.2481, "destination.geo.region_iso_code": "US-VA", @@ -8871,6 +8950,7 @@ "destination.bytes": 109, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -8980,6 +9060,7 @@ "destination.bytes": 116, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -9089,6 +9170,7 @@ "destination.bytes": 96, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -9199,6 +9281,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9311,6 +9394,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9423,6 +9507,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9534,6 +9619,7 @@ "destination.bytes": 7820, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "104.254.150.9", @@ -9644,6 +9730,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9756,6 +9843,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9868,6 +9956,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -9980,6 +10069,7 @@ "destination.geo.city_name": "Ashburn", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 39.0481, "destination.geo.location.lon": -77.4728, "destination.geo.region_iso_code": "US-VA", @@ -10092,6 +10182,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -10203,6 +10294,7 @@ "destination.bytes": 172, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10312,6 +10404,7 @@ "destination.bytes": 588, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10421,6 +10514,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10530,6 +10624,7 @@ "destination.bytes": 170, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10639,6 +10734,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10748,6 +10844,7 @@ "destination.bytes": 94, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -10857,6 +10954,7 @@ "destination.bytes": 166, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index f0150dcb87f..d1a9aa8535f 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -61,8 +61,8 @@ "uptatev4292.www.invalid" ], "related.ip": [ - "10.212.11.114", - "10.38.77.13" + "10.38.77.13", + "10.212.11.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uam", @@ -826,8 +826,8 @@ "apari5002.api.test" ], "related.ip": [ - "10.9.200.197", - "10.182.213.195" + "10.182.213.195", + "10.9.200.197" ], "rsa.crypto.sig_type": "fugiatnu", "rsa.internal.messageid": "27813", @@ -1006,8 +1006,8 @@ "unturmag6190.api.lan" ], "related.ip": [ - "10.52.190.18", - "10.238.223.171" + "10.238.223.171", + "10.52.190.18" ], "rsa.crypto.sig_type": "Finibus", "rsa.internal.messageid": "16539", @@ -1209,8 +1209,8 @@ "iqu4858.mail.invalid" ], "related.ip": [ - "10.213.100.153", - "10.116.175.84" + "10.116.175.84", + "10.213.100.153" ], "rsa.crypto.sig_type": "exercit", "rsa.internal.messageid": "11634", @@ -1643,8 +1643,8 @@ "urau1660.www.lan" ], "related.ip": [ - "10.201.132.114", - "10.140.209.249" + "10.140.209.249", + "10.201.132.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "lor", @@ -1731,8 +1731,8 @@ "nofde7732.internal.test" ], "related.ip": [ - "10.198.44.231", - "10.36.122.169" + "10.36.122.169", + "10.198.44.231" ], "rsa.crypto.sig_type": "umquam", "rsa.internal.messageid": "13228", @@ -2113,8 +2113,8 @@ "uovol2459.www5.invalid" ], "related.ip": [ - "10.60.137.215", - "10.28.105.106" + "10.28.105.106", + "10.60.137.215" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -2229,10 +2229,10 @@ "Loremips5368.www5.corp" ], "related.ip": [ + "10.20.167.114", "10.49.190.163", - "10.166.40.137", "10.65.144.119", - "10.20.167.114" + "10.166.40.137" ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", "rsa.internal.messageid": "FTD_events", @@ -2361,8 +2361,8 @@ "magn3657.api.invalid" ], "related.ip": [ - "10.180.28.156", - "10.234.234.205" + "10.234.234.205", + "10.180.28.156" ], "rsa.crypto.sig_type": "mnihil", "rsa.internal.messageid": "5315", @@ -2578,8 +2578,8 @@ "laparia5374.api.domain" ], "related.ip": [ - "10.147.155.100", - "10.232.67.182" + "10.232.67.182", + "10.147.155.100" ], "rsa.crypto.sig_type": "eufugi", "rsa.internal.messageid": "26152", @@ -2828,8 +2828,8 @@ "borios1685.www.localhost" ], "related.ip": [ - "10.231.10.63", - "10.38.22.60" + "10.38.22.60", + "10.231.10.63" ], "rsa.crypto.sig_type": "taliquip", "rsa.internal.messageid": "10329", @@ -2886,8 +2886,8 @@ "Bonoru5658.mail.invalid" ], "related.ip": [ - "10.29.231.11", - "10.46.57.181" + "10.46.57.181", + "10.29.231.11" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "remape", @@ -3160,8 +3160,8 @@ "onsecte5119.www.invalid" ], "related.ip": [ - "10.198.207.31", - "10.5.88.183" + "10.5.88.183", + "10.198.207.31" ], "rsa.internal.event_desc": "Failed to locate egress interface", "rsa.internal.messageid": "FTD_events", @@ -3836,9 +3836,9 @@ "erunt3957.internal.lan" ], "related.ip": [ - "10.118.103.185", "10.32.195.34", "10.240.77.10", + "10.118.103.185", "10.125.130.61" ], "rsa.internal.event_desc": "TCP Flow is no longer offloaded for connection", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json index 9f972c2e6fc..37d6d4325b7 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json @@ -28,6 +28,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -95,6 +96,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -243,6 +245,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -310,6 +313,7 @@ "source.as.organization.name": "Orange", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "FR", + "source.geo.country_name": "France", "source.geo.location.lat": 48.8582, "source.geo.location.lon": 2.3387, "source.ip": [ @@ -347,6 +351,7 @@ "service.type": "sonicwall", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "NZ", + "source.geo.country_name": "New Zealand", "source.geo.location.lat": -41.0, "source.geo.location.lon": 174.0, "source.ip": [ @@ -436,6 +441,7 @@ "source.as.organization.name": "Cloudflare, Inc.", "source.geo.continent_name": "Oceania", "source.geo.country_iso_code": "AU", + "source.geo.country_name": "Australia", "source.geo.location.lat": -33.494, "source.geo.location.lon": 143.2104, "source.ip": [ diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 5b84648b930..bd92a3aa08a 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -23,8 +23,8 @@ "oreetdol1714.internal.corp" ], "related.ip": [ - "10.49.111.67", - "10.92.136.230" + "10.92.136.230", + "10.49.111.67" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", @@ -86,8 +86,8 @@ "observer.vendor": "Sonicwall", "related.ip": [ "10.227.15.1", - "10.149.203.46", - "10.150.156.22" + "10.150.156.22", + "10.149.203.46" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -171,8 +171,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.13.70.213", - "10.95.245.65" + "10.95.245.65", + "10.13.70.213" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", @@ -478,8 +478,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.78.151.178", - "10.157.161.103" + "10.157.161.103", + "10.78.151.178" ], "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", @@ -551,9 +551,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.34.161.166", "10.245.200.97", - "10.219.116.137" + "10.219.116.137", + "10.34.161.166" ], "rsa.internal.event_desc": "rehend", "rsa.internal.messageid": "428", @@ -599,8 +599,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.118.80.140", - "10.252.122.195" + "10.252.122.195", + "10.118.80.140" ], "rsa.internal.messageid": "401", "rsa.internal.msg": "inesci", @@ -845,8 +845,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "ommodico", @@ -1006,8 +1006,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.101.74.44", - "10.251.20.13" + "10.251.20.13", + "10.101.74.44" ], "related.user": [ "rsitv" @@ -1219,8 +1219,8 @@ "ise5905.www.local" ], "related.ip": [ - "10.97.124.211", - "10.53.113.23" + "10.53.113.23", + "10.97.124.211" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1279,8 +1279,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.187.201.250", - "10.64.229.79" + "10.64.229.79", + "10.187.201.250" ], "rsa.db.index": "rumwrit", "rsa.internal.messageid": "83", @@ -1389,8 +1389,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.31.190.145", - "10.147.88.219" + "10.147.88.219", + "10.31.190.145" ], "related.user": [ "corpori" @@ -1431,9 +1431,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.84.24", "10.251.248.228", - "10.113.100.237" + "10.113.100.237", + "10.108.84.24" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1777,8 +1777,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.165.48.224", - "10.191.242.168" + "10.191.242.168", + "10.165.48.224" ], "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "995", @@ -1831,8 +1831,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.185.37.32", - "10.116.173.79" + "10.116.173.79", + "10.185.37.32" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -1863,8 +1863,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.57.85.98", - "10.219.42.212" + "10.219.42.212", + "10.57.85.98" ], "rsa.internal.event_desc": "mquisno", "rsa.internal.messageid": "995", @@ -1917,8 +1917,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.135.70.159", - "10.195.223.82" + "10.195.223.82", + "10.135.70.159" ], "rsa.internal.messageid": "351", "rsa.internal.msg": "CSe", @@ -2068,8 +2068,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.56.10.84", - "10.12.54.142" + "10.12.54.142", + "10.56.10.84" ], "rsa.internal.messageid": "658", "rsa.internal.msg": "osquirat", @@ -2105,8 +2105,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.117.63.181", - "10.222.169.140" + "10.222.169.140", + "10.117.63.181" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -2247,8 +2247,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.129.101.147", - "10.206.229.61" + "10.206.229.61", + "10.129.101.147" ], "rsa.internal.messageid": "413", "rsa.internal.msg": "upta", @@ -2383,8 +2383,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.29.120.226", - "10.203.146.137" + "10.203.146.137", + "10.29.120.226" ], "rsa.internal.messageid": "712", "rsa.misc.action": [ diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json index b57ab7067ab..392ac679e44 100644 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json @@ -59,9 +59,9 @@ "10.57.170.140" ], "related.user": [ - "sunt", + "dexeac", "icistatuscode=giatquov", - "dexeac" + "sunt" ], "rsa.db.index": "run", "rsa.identity.logon_type": "nofdeF", @@ -70,8 +70,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "block", - "ugiatnu" + "ugiatnu", + "block" ], "rsa.misc.comments": "colabo", "rsa.misc.content_type": "sedd", @@ -163,8 +163,8 @@ "10.106.239.55" ], "related.user": [ - "itquiin", - "eaq" + "eaq", + "itquiin" ], "rsa.identity.logon_type": "stquidol", "rsa.internal.event_desc": "bor", @@ -638,8 +638,8 @@ "10.54.169.175" ], "related.user": [ - "taspe", - "scipit" + "scipit", + "taspe" ], "rsa.identity.logon_type": "olores", "rsa.internal.event_desc": "secil", @@ -974,8 +974,8 @@ "10.232.108.32" ], "related.user": [ - "rsp", - "llum" + "llum", + "rsp" ], "rsa.identity.logon_type": "ntut", "rsa.internal.event_desc": "ittenb", @@ -1033,13 +1033,13 @@ "Duis583.api.local" ], "related.ip": [ - "10.17.51.153", - "10.89.41.97" + "10.89.41.97", + "10.17.51.153" ], "related.user": [ - "tcustatuscode=eumiu", "tio", - "pteurs" + "pteurs", + "tcustatuscode=eumiu" ], "rsa.db.index": "eavolupt", "rsa.identity.logon_type": "ursintoc", @@ -1610,8 +1610,8 @@ "10.244.96.61" ], "related.user": [ - "itsedqui", - "iumt" + "iumt", + "itsedqui" ], "rsa.identity.logon_type": "psamvolu", "rsa.internal.event_desc": "orroqui", @@ -1851,13 +1851,13 @@ "tenbyCi4371.www5.localdomain" ], "related.ip": [ - "10.98.126.206", - "10.214.167.164" + "10.214.167.164", + "10.98.126.206" ], "related.user": [ - "hen", + "amremapstatuscode=dolorsit", "isnostru", - "amremapstatuscode=dolorsit" + "hen" ], "rsa.db.index": "spernatu", "rsa.identity.logon_type": "untutl", @@ -1866,8 +1866,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "nsectetu", - "block" + "block", + "nsectetu" ], "rsa.misc.comments": "uaer", "rsa.misc.content_type": "eaqu", @@ -1924,8 +1924,8 @@ "observer.vendor": "Sophos", "process.pid": 6722, "related.ip": [ - "10.32.236.117", - "10.203.157.250" + "10.203.157.250", + "10.32.236.117" ], "rsa.internal.event_desc": "Packet", "rsa.internal.messageid": "ulogd", @@ -2033,10 +2033,10 @@ "10.92.93.236" ], "related.user": [ - "ulpaq", + "ntoccae", "Sedutper", "dolorsistatuscode=acc", - "ntoccae" + "ulpaq" ], "rsa.db.index": "snisiut", "rsa.identity.logon_type": "umdol", @@ -2045,8 +2045,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "icons", - "block" + "block", + "icons" ], "rsa.misc.comments": "porincid", "rsa.misc.content_type": "temvele", @@ -2124,9 +2124,9 @@ "10.202.65.2" ], "related.user": [ - "atatno", "iscivelistatuscode=urve", - "tasu" + "tasu", + "atatno" ], "rsa.db.index": "amrem", "rsa.identity.logon_type": "nulamcol", @@ -2314,13 +2314,13 @@ "obea2960.mail.corp" ], "related.ip": [ - "10.33.138.154", - "10.45.12.53" + "10.45.12.53", + "10.33.138.154" ], "related.user": [ - "eturadip", + "porincid", "umqustatuscode=ntexpli", - "porincid" + "eturadip" ], "rsa.db.index": "dolor", "rsa.identity.logon_type": "eturadi", @@ -2481,8 +2481,8 @@ "10.32.85.21" ], "related.user": [ - "antium", - "etconsec" + "etconsec", + "antium" ], "rsa.identity.logon_type": "umiurere", "rsa.internal.event_desc": "serro", @@ -2628,14 +2628,14 @@ "nisiuta4810.api.test" ], "related.ip": [ - "10.85.200.58", - "10.210.175.52" + "10.210.175.52", + "10.85.200.58" ], "related.user": [ - "Loremi", - "rExce", "reetd", - "inimastatuscode=emipsum" + "inimastatuscode=emipsum", + "Loremi", + "rExce" ], "rsa.db.index": "apa", "rsa.identity.logon_type": "sedquia", @@ -2644,8 +2644,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "cancel", - "odte" + "odte", + "cancel" ], "rsa.misc.comments": "emquia", "rsa.misc.content_type": "sauteir", @@ -3619,8 +3619,8 @@ "10.96.200.83" ], "related.user": [ - "lapariat", - "acommod" + "acommod", + "lapariat" ], "rsa.identity.logon_type": "remeumf", "rsa.internal.event_desc": "dol", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index 90a40d0b095..a78e3c1ccb0 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -70,6 +70,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -131,6 +132,7 @@ "source.geo.city_name": "Miami", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 25.7806, "source.geo.location.lon": -80.1826, "source.geo.region_iso_code": "US-FL", @@ -154,6 +156,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -217,6 +220,7 @@ "source.geo.city_name": "Cabreuva", "source.geo.continent_name": "South America", "source.geo.country_iso_code": "BR", + "source.geo.country_name": "Brazil", "source.geo.location.lat": -23.3149, "source.geo.location.lon": -47.0763, "source.geo.region_iso_code": "BR-SP", @@ -240,6 +244,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -302,6 +307,7 @@ "source.domain": "ELTOBGI.COM", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", + "source.geo.country_name": "United Kingdom", "source.geo.location.lat": 51.4964, "source.geo.location.lon": -0.1224, "source.ip": "77.72.3.56", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index a78e27fa46e..42590edbb33 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -10,6 +10,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -87,6 +88,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -163,6 +165,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "South America", "destination.geo.country_iso_code": "UY", + "destination.geo.country_name": "Uruguay", "destination.geo.location.lat": -33.0, "destination.geo.location.lon": -56.0, "destination.ip": "186.8.209.194", @@ -225,6 +228,7 @@ "source.bytes": 0, "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "82.165.194.211", @@ -246,6 +250,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "185.7.209.194", @@ -309,6 +314,7 @@ "source.geo.city_name": "Seattle", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 47.4902, "source.geo.location.lon": -122.3004, "source.geo.region_iso_code": "US-WA", diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json index 7dbb6289456..38c2694478e 100644 --- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -7,6 +7,7 @@ "destination.as.organization.name": "Petersburg Internet Network ltd.", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "RU", + "destination.geo.country_name": "Russia", "destination.geo.location.lat": 55.7386, "destination.geo.location.lon": 37.6068, "destination.ip": "46.161.30.47", @@ -76,6 +77,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -143,6 +145,7 @@ "destination.geo.city_name": "Seattle", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 47.6348, "destination.geo.location.lon": -122.3451, "destination.geo.region_iso_code": "US-WA", @@ -209,6 +212,7 @@ "destination.as.organization.name": "Accelerated IT Services & Consulting GmbH", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "82.211.30.202", diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index a82d4550f57..84dc15e1aeb 100644 --- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -7,6 +7,7 @@ "destination.as.organization.name": "BHARTI Airtel Ltd.", "destination.geo.continent_name": "Asia", "destination.geo.country_iso_code": "IN", + "destination.geo.country_name": "India", "destination.geo.location.lat": 20.0, "destination.geo.location.lon": 77.0, "destination.ip": "182.79.221.19", @@ -78,6 +79,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -134,6 +136,7 @@ "source.as.organization.name": "Telefonica Germany", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "5.5.5.15", @@ -153,6 +156,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "74.125.130.188", @@ -213,6 +217,7 @@ "source.as.organization.name": "Telefonica Germany", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 51.2993, "source.geo.location.lon": 9.491, "source.ip": "5.5.5.15", @@ -231,6 +236,7 @@ "destination.geo.city_name": "Dublin", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "IE", + "destination.geo.country_name": "Ireland", "destination.geo.location.lat": 53.3338, "destination.geo.location.lon": -6.2488, "destination.geo.region_iso_code": "IE-L", @@ -302,6 +308,7 @@ "destination.geo.city_name": "Washington", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.7095, "destination.geo.location.lon": -78.1539, "destination.geo.region_iso_code": "US-VA", @@ -375,6 +382,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -498,6 +506,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "64.233.189.147", @@ -569,6 +578,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "64.233.188.94", diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json index d14c2bb9924..89d6878ec6f 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json @@ -59,6 +59,7 @@ "destination.as.organization.name": "DoD Network Information Center", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "214.167.51.66", @@ -105,6 +106,7 @@ "source.geo.city_name": "Elblag", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.172, "source.geo.location.lon": 19.4195, "source.geo.region_iso_code": "PL-28", @@ -199,6 +201,7 @@ "source.geo.city_name": "August\u00f3w", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 53.845, "source.geo.location.lon": 22.985, "source.geo.region_iso_code": "PL-20", @@ -336,6 +339,7 @@ "source.geo.city_name": "Schleidweiler", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.8808, "source.geo.location.lon": 6.6593, "source.geo.region_iso_code": "DE-RP", @@ -438,6 +442,7 @@ "source.geo.city_name": "Fell", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "DE", + "source.geo.country_name": "Germany", "source.geo.location.lat": 49.7667, "source.geo.location.lon": 6.7833, "source.geo.region_iso_code": "DE-RP", @@ -522,6 +527,7 @@ "sophos.xg.status": "Failed", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "172.66.35.15", diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json index d392790d795..7f1e5d9190b 100644 --- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -13,6 +13,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -98,6 +99,7 @@ "source.bytes": 459, "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RU", + "source.geo.country_name": "Russia", "source.geo.location.lat": 55.7386, "source.geo.location.lon": 37.6068, "source.ip": "172.17.34.15", @@ -125,6 +127,7 @@ "destination.geo.city_name": "Bratislava", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SK", + "destination.geo.country_name": "Slovakia", "destination.geo.location.lat": 48.15, "destination.geo.location.lon": 17.1078, "destination.geo.region_iso_code": "SK-BL", @@ -211,6 +214,7 @@ "source.geo.city_name": "Saint-Prex", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "CH", + "source.geo.country_name": "Switzerland", "source.geo.location.lat": 46.4796, "source.geo.location.lon": 6.4599, "source.geo.region_iso_code": "CH-VD", @@ -410,6 +414,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 51.2993, "destination.geo.location.lon": 9.491, "destination.ip": "185.7.209.207", @@ -481,6 +486,7 @@ "source.geo.city_name": "Warsaw", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 52.25, "source.geo.location.lon": 21.0, "source.geo.region_iso_code": "PL-14", @@ -1030,6 +1036,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1437,6 +1444,7 @@ "destination.bytes": 0, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -1687,6 +1695,7 @@ "destination.geo.city_name": "Richardson", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.9473, "destination.geo.location.lon": -96.7028, "destination.geo.region_iso_code": "US-TX", diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index 7caee4d72eb..d92a2b2e7e4 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -61,6 +61,7 @@ "source.as.organization.name": "Bestnet Service SRL", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RO", + "source.geo.country_name": "Romania", "source.geo.location.lat": 46.0, "source.geo.location.lon": 25.0, "source.ip": "89.40.182.58", @@ -132,6 +133,7 @@ "source.as.organization.name": "China Unicom Beijing Province Network", "source.geo.continent_name": "Asia", "source.geo.country_iso_code": "CN", + "source.geo.country_name": "China", "source.geo.location.lat": 31.0449, "source.geo.location.lon": 121.4012, "source.geo.region_iso_code": "CN-SH", @@ -205,6 +207,7 @@ "source.as.organization.name": "KPN B.V.", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "NL", + "source.geo.country_name": "Netherlands", "source.geo.location.lat": 52.3824, "source.geo.location.lon": 4.8995, "source.ip": "77.61.185.101", diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index fe6af644611..ceed76baef1 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -9,6 +9,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -66,6 +67,7 @@ "source.geo.city_name": "Gdynia", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.5055, "source.geo.location.lon": 18.5403, "source.geo.region_iso_code": "PL-22", @@ -88,6 +90,7 @@ "destination.geo.city_name": "Saint-Prex", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "CH", + "destination.geo.country_name": "Switzerland", "destination.geo.location.lat": 46.4796, "destination.geo.location.lon": 6.4599, "destination.geo.region_iso_code": "CH-VD", @@ -146,6 +149,7 @@ "source.geo.city_name": "Gdynia", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "PL", + "source.geo.country_name": "Poland", "source.geo.location.lat": 54.5055, "source.geo.location.lon": 18.5403, "source.geo.region_iso_code": "PL-22", @@ -303,6 +307,7 @@ "destination.bytes": 403, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "216.167.51.72", @@ -359,6 +364,7 @@ "source.geo.city_name": "Bucharest", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "RO", + "source.geo.country_name": "Romania", "source.geo.location.lat": 44.4176, "source.geo.location.lon": 26.1708, "source.geo.region_iso_code": "RO-B", diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 26b891ba4f1..e9284eed554 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -5,6 +5,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -36,8 +37,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -67,6 +68,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -89,8 +91,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -101,8 +103,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -132,6 +134,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -155,8 +158,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -167,8 +170,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -220,8 +223,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -273,8 +276,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "text/javascript", "rsa.misc.result_code": "200", @@ -304,6 +307,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -338,8 +342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -368,6 +372,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -389,8 +394,8 @@ "www.google-analytics.com" ], "related.ip": [ - "10.105.21.199", - "66.102.9.147" + "66.102.9.147", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -401,8 +406,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -432,6 +437,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -455,8 +461,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -467,8 +473,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -498,6 +504,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -521,8 +528,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -533,8 +540,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -564,6 +571,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -652,8 +660,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -683,6 +691,7 @@ "destination.geo.city_name": "Dallas", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 32.9379, "destination.geo.location.lon": -96.8384, "destination.geo.region_iso_code": "US-TX", @@ -706,8 +715,8 @@ "as.casalemedia.com" ], "related.ip": [ - "10.105.21.199", - "209.85.16.38" + "209.85.16.38", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -746,6 +755,7 @@ "@timestamp": "2006-09-08T04:22:06.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -766,8 +776,8 @@ "us.bc.yahoo.com" ], "related.ip": [ - "10.105.21.199", - "68.142.213.132" + "68.142.213.132", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -777,8 +787,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -807,6 +817,7 @@ "destination.as.organization.name": "Telia Company AB", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "SE", + "destination.geo.country_name": "Sweden", "destination.geo.location.lat": 59.3247, "destination.geo.location.lon": 18.056, "destination.ip": [ @@ -840,8 +851,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -871,6 +882,7 @@ "destination.geo.city_name": "Los Angeles", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 34.0675, "destination.geo.location.lon": -118.3521, "destination.geo.region_iso_code": "US-CA", @@ -894,8 +906,8 @@ "4.adbrite.com" ], "related.ip": [ - "10.105.21.199", - "206.169.136.22" + "206.169.136.22", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -959,8 +971,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -990,6 +1002,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -1013,8 +1026,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1025,8 +1038,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1056,6 +1069,7 @@ "destination.geo.city_name": "Falls Church", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.9307, "destination.geo.location.lon": -77.1673, "destination.geo.region_iso_code": "US-VA", @@ -1079,8 +1093,8 @@ "www.goonernews.com" ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -1119,6 +1133,7 @@ "@timestamp": "2006-09-08T04:22:10.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1140,8 +1155,8 @@ "4.adbrite.com" ], "related.ip": [ - "10.105.21.199", - "64.127.126.178" + "64.127.126.178", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1152,8 +1167,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1183,6 +1198,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -1206,8 +1222,8 @@ "ff.connextra.com" ], "related.ip": [ - "213.160.98.161", - "10.105.21.199" + "10.105.21.199", + "213.160.98.161" ], "related.user": [ "badeyek" @@ -1218,8 +1234,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1249,6 +1265,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -1284,8 +1301,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -1336,8 +1353,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1366,6 +1383,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1397,8 +1415,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1480,6 +1498,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1542,6 +1561,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1607,6 +1627,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1630,8 +1651,8 @@ "hi5.com" ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1672,6 +1693,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -1692,8 +1714,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1809,8 +1831,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1862,8 +1884,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1893,6 +1915,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1915,8 +1938,8 @@ "hi5.com" ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1958,6 +1981,7 @@ "destination.geo.city_name": "Victoria", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "CA", + "destination.geo.country_name": "Canada", "destination.geo.location.lat": 48.4267, "destination.geo.location.lon": -123.3655, "destination.geo.region_iso_code": "CA-BC", @@ -1993,8 +2017,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -2023,6 +2047,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2054,8 +2079,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2082,6 +2107,7 @@ "@timestamp": "2006-09-08T04:22:33.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2102,8 +2128,8 @@ "insider.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2114,8 +2140,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2144,6 +2170,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2165,8 +2192,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2177,8 +2204,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2207,6 +2234,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2266,6 +2294,7 @@ "@timestamp": "2006-09-08T04:22:35.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2330,6 +2359,7 @@ "destination.geo.city_name": "Sacramento", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 38.6415, "destination.geo.location.lon": -121.5114, "destination.geo.region_iso_code": "US-CA", @@ -2395,6 +2425,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2455,6 +2486,7 @@ "@timestamp": "2006-09-08T04:22:37.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2487,8 +2519,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2538,8 +2570,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2642,8 +2674,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2723,6 +2755,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2837,6 +2870,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2900,6 +2934,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2920,8 +2955,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2961,6 +2996,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -2994,8 +3030,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3024,6 +3060,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3057,8 +3094,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3109,8 +3146,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3161,8 +3198,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3191,6 +3228,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3224,8 +3262,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3254,6 +3292,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3287,8 +3326,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3317,6 +3356,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3338,8 +3378,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3350,8 +3390,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3380,6 +3420,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3401,8 +3442,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3413,8 +3454,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3466,8 +3507,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3519,8 +3560,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3572,8 +3613,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3602,6 +3643,7 @@ "destination.as.organization.name": "BBC", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.4964, "destination.geo.location.lon": -0.1224, "destination.ip": [ @@ -3623,8 +3665,8 @@ "newsrss.bbc.co.uk" ], "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "related.user": [ "badeyek" @@ -3665,6 +3707,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3834,6 +3877,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3855,8 +3899,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3866,8 +3910,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -3897,6 +3941,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -3962,6 +4007,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -3983,8 +4029,8 @@ "radio.music.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3995,8 +4041,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4025,6 +4071,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4046,8 +4093,8 @@ "radio.music.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4058,8 +4105,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4088,6 +4135,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4121,8 +4169,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4227,8 +4275,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4258,6 +4306,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4281,8 +4330,8 @@ "us.news1.yimg.com" ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4293,8 +4342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4323,6 +4372,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4344,8 +4394,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4386,6 +4436,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4450,6 +4501,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4473,8 +4525,8 @@ "us.a2.yimg.com" ], "related.ip": [ - "10.105.33.214", - "213.160.98.152" + "213.160.98.152", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4515,6 +4567,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4536,8 +4589,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4576,6 +4629,7 @@ "@timestamp": "2006-09-08T04:22:54.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4597,8 +4651,8 @@ "us.bc.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.213.132" + "68.142.213.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4637,6 +4691,7 @@ "@timestamp": "2006-09-08T04:22:56.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4698,6 +4753,7 @@ "@timestamp": "2006-09-08T04:22:57.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4782,8 +4838,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "304", @@ -4813,6 +4869,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4836,8 +4893,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4879,6 +4936,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -4914,8 +4972,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4944,6 +5002,7 @@ "destination.as.organization.name": "Oath Holdings Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -4964,8 +5023,8 @@ "login.yahoo.com" ], "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -4975,8 +5034,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -5006,6 +5065,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5072,6 +5132,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5095,8 +5156,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -5191,6 +5252,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5257,6 +5319,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5323,6 +5386,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5346,8 +5410,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5358,8 +5422,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5411,8 +5475,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5492,6 +5556,7 @@ "@timestamp": "2006-09-08T04:23:01.000Z", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": [ @@ -5513,8 +5578,8 @@ "launch.adserver.yahoo.com" ], "related.ip": [ - "216.109.125.112", - "10.105.33.214" + "10.105.33.214", + "216.109.125.112" ], "related.user": [ "adeolaegbedokun" @@ -5525,8 +5590,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5555,6 +5620,7 @@ "destination.as.organization.name": "Yahoo! UK Services Limited", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.4964, "destination.geo.location.lon": -0.1224, "destination.ip": [ @@ -5576,8 +5642,8 @@ "uk.f250.mail.yahoo.com" ], "related.ip": [ - "217.12.10.96", - "10.105.21.199" + "10.105.21.199", + "217.12.10.96" ], "related.user": [ "badeyek" @@ -5639,8 +5705,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5670,6 +5736,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", @@ -5693,8 +5760,8 @@ "us.js2.yimg.com" ], "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "related.user": [ "badeyek" @@ -5789,6 +5856,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5064, "destination.geo.location.lon": -0.02, "destination.geo.region_iso_code": "GB-ENG", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index 68412b504dc..a63e2fd592a 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -9,6 +9,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -89,6 +90,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -169,6 +171,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -249,6 +252,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -329,6 +333,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -409,6 +414,7 @@ "destination.geo.city_name": "Norwell", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.1596, "destination.geo.location.lon": -70.8217, "destination.geo.region_iso_code": "US-MA", @@ -489,6 +495,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -569,6 +576,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -649,6 +657,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -729,6 +738,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -809,6 +819,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -889,6 +900,7 @@ "destination.geo.city_name": "London", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "GB", + "destination.geo.country_name": "United Kingdom", "destination.geo.location.lat": 51.5132, "destination.geo.location.lon": -0.0961, "destination.geo.region_iso_code": "GB-ENG", @@ -969,6 +981,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1049,6 +1062,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1129,6 +1143,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1209,6 +1224,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1289,6 +1305,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1369,6 +1386,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1449,6 +1467,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", @@ -1528,6 +1547,7 @@ "destination.geo.city_name": "Boston", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 42.3562, "destination.geo.location.lon": -71.0631, "destination.geo.region_iso_code": "US-MA", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 5d113c8d370..4851f2db826 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -415,6 +415,7 @@ "destination.domain": "p33-btmmdns.icloud.com", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "17.142.164.13", diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json index 9b9183fe35a..0c6eccf2dcc 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json +++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json @@ -704,8 +704,8 @@ "bore5546.www.local" ], "related.ip": [ - "10.7.164.113", "10.175.83.138", + "10.7.164.113", "10.207.125.114" ], "related.user": [ @@ -2263,8 +2263,8 @@ "edi6108.internal.domain" ], "related.ip": [ - "10.72.200.11", - "10.132.171.142" + "10.132.171.142", + "10.72.200.11" ], "related.user": [ "ero" @@ -2579,8 +2579,8 @@ "dita2048.www5.home" ], "related.ip": [ - "10.171.13.85", - "10.40.133.90" + "10.40.133.90", + "10.171.13.85" ], "related.user": [ "bor" @@ -2795,8 +2795,8 @@ "urExcep6087.www5.localhost" ], "related.ip": [ - "10.155.163.6", - "10.31.231.57" + "10.31.231.57", + "10.155.163.6" ], "related.user": [ "norumetM" diff --git a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json index ccb28ef2f92..b7c0e0bc8cb 100644 --- a/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/connection/test/connection-json.log-expected.json @@ -59,6 +59,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -116,6 +117,7 @@ "destination.bytes": 206, "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", @@ -154,6 +156,7 @@ "source.bytes": 103, "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "4.4.2.2", diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json index c4364d77426..200950e922a 100644 --- a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json @@ -7,6 +7,7 @@ "destination.geo.city_name": "San Jose", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.3388, "destination.geo.location.lon": -121.8914, "destination.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json index 245d1154e86..06d833b6a42 100644 --- a/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/irc/test/irc-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", @@ -52,6 +53,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", @@ -103,6 +105,7 @@ "destination.as.organization.name": "Team Cymru Inc.", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "38.229.70.20", diff --git a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json index a5838e9f3f1..90bb5e3145e 100644 --- a/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/notice/test/notice-json.log-expected.json @@ -40,6 +40,7 @@ "destination.geo.city_name": "Frankfurt am Main", "destination.geo.continent_name": "Europe", "destination.geo.country_iso_code": "DE", + "destination.geo.country_name": "Germany", "destination.geo.location.lat": 50.1188, "destination.geo.location.lon": 8.6843, "destination.geo.region_iso_code": "DE-HE", @@ -71,6 +72,7 @@ "source.geo.city_name": "Longmont", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 40.1559, "source.geo.location.lon": -105.1624, "source.geo.region_iso_code": "US-CO", diff --git a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json index 79b38a0717d..71061cd293b 100644 --- a/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/sip/test/sip-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Internap Corporation", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "74.63.41.218", @@ -72,6 +73,7 @@ "destination.geo.city_name": "Mexico City", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "MX", + "destination.geo.country_name": "Mexico", "destination.geo.location.lat": 19.4357, "destination.geo.location.lon": -99.1438, "destination.geo.region_iso_code": "MX-CMX", @@ -108,6 +110,7 @@ "source.geo.city_name": "Mexico City", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "MX", + "source.geo.country_name": "Mexico", "source.geo.location.lat": 19.4357, "source.geo.location.lon": -99.1438, "source.geo.region_iso_code": "MX-CMX", @@ -151,6 +154,7 @@ "destination.geo.city_name": "Mexico City", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "MX", + "destination.geo.country_name": "Mexico", "destination.geo.location.lat": 19.4357, "destination.geo.location.lon": -99.1438, "destination.geo.region_iso_code": "MX-CMX", @@ -187,6 +191,7 @@ "source.geo.city_name": "Mexico City", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "MX", + "source.geo.country_name": "Mexico", "source.geo.location.lat": 19.4357, "source.geo.location.lon": -99.1438, "source.geo.region_iso_code": "MX-CMX", diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json index 805d20d2a54..67817ff0a42 100644 --- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json @@ -8,6 +8,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", @@ -88,6 +89,7 @@ "destination.geo.city_name": "Mountain View", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.4043, "destination.geo.location.lon": -122.0748, "destination.geo.region_iso_code": "US-CA", diff --git a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json index 8fdfd983c94..34d600174ac 100644 --- a/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/traceroute/test/traceroute-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "8.8.8.8", diff --git a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json index 1e00e616e36..3ef709508a3 100644 --- a/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/tunnel/test/tunnel-json.log-expected.json @@ -6,6 +6,7 @@ "destination.as.organization.name": "Air Force Systems Networking", "destination.geo.continent_name": "North America", "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", "destination.geo.location.lat": 37.751, "destination.geo.location.lon": -97.822, "destination.ip": "132.16.110.133", @@ -33,6 +34,7 @@ "source.as.organization.name": "Air Force Systems Networking", "source.geo.continent_name": "North America", "source.geo.country_iso_code": "US", + "source.geo.country_name": "United States", "source.geo.location.lat": 37.751, "source.geo.location.lon": -97.822, "source.ip": "132.16.146.79", diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index b7bd436496b..1fbe44131f5 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -26,8 +26,8 @@ "rci737.www5.example" ], "related.ip": [ - "10.176.10.114", - "10.206.191.17" + "10.206.191.17", + "10.176.10.114" ], "related.user": [ "sumdo" @@ -115,8 +115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "Allowed", - "tur" + "tur", + "Allowed" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", @@ -176,8 +176,8 @@ "orsitame3262.domain" ], "related.ip": [ - "10.254.146.57", - "10.204.86.149" + "10.204.86.149", + "10.254.146.57" ], "related.user": [ "tenima" @@ -191,8 +191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "giatq", - "Blocked" + "Blocked", + "giatq" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -252,8 +252,8 @@ "tempor4496.www.localdomain" ], "related.ip": [ - "10.252.125.53", - "10.103.246.190" + "10.103.246.190", + "10.252.125.53" ], "related.user": [ "equun" @@ -267,8 +267,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ima", "rsa.misc.action": [ - "llam", - "Allowed" + "Allowed", + "llam" ], "rsa.misc.category": "aboris", "rsa.misc.filter": "atatnonp", @@ -328,8 +328,8 @@ "ore2933.www.test" ], "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" ], "related.user": [ "ercit" @@ -343,8 +343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "reetdolo", - "Blocked" + "Blocked", + "reetdolo" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -480,8 +480,8 @@ "cup1793.local" ], "related.ip": [ - "10.243.224.205", - "10.123.104.59" + "10.123.104.59", + "10.243.224.205" ], "related.user": [ "xercitat" @@ -495,8 +495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "Blocked", - "dun" + "dun", + "Blocked" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -632,8 +632,8 @@ "aperia4409.www5.invalid" ], "related.ip": [ - "10.78.151.178", - "10.25.192.202" + "10.25.192.202", + "10.78.151.178" ], "related.user": [ "quip" @@ -647,8 +647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "amvolup", - "Allowed" + "Allowed", + "amvolup" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -723,8 +723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "Allowed", - "psaquae" + "psaquae", + "Allowed" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -784,8 +784,8 @@ "ite2026.www.invalid" ], "related.ip": [ - "10.19.145.131", - "10.223.247.86" + "10.223.247.86", + "10.19.145.131" ], "related.user": [ "tNequepo" @@ -860,8 +860,8 @@ "radipisc7020.home" ], "related.ip": [ - "10.2.53.125", - "10.181.80.139" + "10.181.80.139", + "10.2.53.125" ], "related.user": [ "ihilmo" @@ -936,8 +936,8 @@ "uamei2493.www.test" ], "related.ip": [ - "10.31.240.6", - "10.167.98.76" + "10.167.98.76", + "10.31.240.6" ], "related.user": [ "ratvolu" @@ -951,8 +951,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "catc", "rsa.misc.action": [ - "Allowed", - "veni" + "veni", + "Allowed" ], "rsa.misc.category": "sBono", "rsa.misc.filter": "isnisiu", @@ -1027,8 +1027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "ionevo", - "Allowed" + "Allowed", + "ionevo" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1088,8 +1088,8 @@ "spi3544.www.host" ], "related.ip": [ - "10.63.250.128", - "10.111.187.12" + "10.111.187.12", + "10.63.250.128" ], "related.user": [ "saute" @@ -1164,8 +1164,8 @@ "tlab5981.www.host" ], "related.ip": [ - "10.5.126.127", - "10.252.124.150" + "10.252.124.150", + "10.5.126.127" ], "related.user": [ "inibusB" @@ -1179,8 +1179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "Allowed", - "xeacomm" + "xeacomm", + "Allowed" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1331,8 +1331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "itecto", - "Allowed" + "Allowed", + "itecto" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1392,8 +1392,8 @@ "uamei2389.internal.example" ], "related.ip": [ - "10.215.205.216", - "10.31.198.58" + "10.31.198.58", + "10.215.205.216" ], "related.user": [ "aturve" @@ -1468,8 +1468,8 @@ "eacommod1930.internal.lan" ], "related.ip": [ - "10.229.83.165", - "10.29.155.171" + "10.29.155.171", + "10.229.83.165" ], "related.user": [ "ulapar" @@ -1483,8 +1483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "llitanim", - "Allowed" + "Allowed", + "llitanim" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1544,8 +1544,8 @@ "tem6984.www5.domain" ], "related.ip": [ - "10.161.148.64", - "10.129.192.145" + "10.129.192.145", + "10.161.148.64" ], "related.user": [ "lor" @@ -1620,8 +1620,8 @@ "lapariat7287.internal.host" ], "related.ip": [ - "10.203.65.161", - "10.7.200.140" + "10.7.200.140", + "10.203.65.161" ], "related.user": [ "snost" @@ -1711,8 +1711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "atcupi", - "Blocked" + "Blocked", + "atcupi" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1772,8 +1772,8 @@ "stenatu4844.www.invalid" ], "related.ip": [ - "10.39.31.115", - "10.24.111.229" + "10.24.111.229", + "10.39.31.115" ], "related.user": [ "fugi" @@ -1848,8 +1848,8 @@ "sitam5077.internal.host" ], "related.ip": [ - "10.32.39.220", - "10.179.210.218" + "10.179.210.218", + "10.32.39.220" ], "related.user": [ "boreetdo" @@ -2000,8 +2000,8 @@ "lloin4019.www.localhost" ], "related.ip": [ - "10.130.241.232", - "10.238.224.49" + "10.238.224.49", + "10.130.241.232" ], "related.user": [ "onse" @@ -2015,8 +2015,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "mod", - "Allowed" + "Allowed", + "mod" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -2076,8 +2076,8 @@ "tamet6317.www.host" ], "related.ip": [ - "10.2.67.127", - "10.115.53.31" + "10.115.53.31", + "10.2.67.127" ], "related.user": [ "Cic" @@ -2091,8 +2091,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "tatem", - "Allowed" + "Allowed", + "tatem" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2167,8 +2167,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "quasiarc", - "Allowed" + "Allowed", + "quasiarc" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", @@ -2228,8 +2228,8 @@ "utaliqu4248.www.localhost" ], "related.ip": [ - "10.18.226.72", - "10.101.85.169" + "10.101.85.169", + "10.18.226.72" ], "related.user": [ "rroqu" @@ -2319,8 +2319,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mag", "rsa.misc.action": [ - "tali", - "Allowed" + "Allowed", + "tali" ], "rsa.misc.category": "oconse", "rsa.misc.filter": "npr", @@ -2380,8 +2380,8 @@ "tatio6513.www.invalid" ], "related.ip": [ - "10.80.57.247", - "10.229.242.223" + "10.229.242.223", + "10.80.57.247" ], "related.user": [ "itasp" @@ -2471,8 +2471,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Allowed", - "Section" + "Section", + "Allowed" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2532,8 +2532,8 @@ "aquioff3853.www.localdomain" ], "related.ip": [ - "10.54.159.1", - "10.236.230.136" + "10.236.230.136", + "10.54.159.1" ], "related.user": [ "mUteni" @@ -2547,8 +2547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "tatema", - "Allowed" + "Allowed", + "tatema" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2623,8 +2623,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "utemvel", - "Allowed" + "Allowed", + "utemvel" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2684,8 +2684,8 @@ "iamea478.www5.host" ], "related.ip": [ - "10.142.120.198", - "10.166.10.42" + "10.166.10.42", + "10.142.120.198" ], "related.user": [ "olori" @@ -2699,8 +2699,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "doconse", - "Blocked" + "Blocked", + "doconse" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2775,8 +2775,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "Allowed", - "sed" + "sed", + "Allowed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2851,8 +2851,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "Allowed", - "litanim" + "litanim", + "Allowed" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2927,8 +2927,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "Blocked", - "lestia" + "lestia", + "Blocked" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2988,8 +2988,8 @@ "pariatur7238.www5.invalid" ], "related.ip": [ - "10.202.224.79", - "10.33.144.10" + "10.33.144.10", + "10.202.224.79" ], "related.user": [ "rios" @@ -3079,8 +3079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "quid", - "Allowed" + "Allowed", + "quid" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -3140,8 +3140,8 @@ "mquisnos7453.home" ], "related.ip": [ - "10.134.128.27", - "10.118.177.136" + "10.118.177.136", + "10.134.128.27" ], "related.user": [ "Utenima" @@ -3155,8 +3155,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "Allowed", - "olor" + "olor", + "Allowed" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3307,8 +3307,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "mwrit", - "Blocked" + "Blocked", + "mwrit" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3368,8 +3368,8 @@ "etdolore4227.internal.corp" ], "related.ip": [ - "10.30.87.51", - "10.156.177.53" + "10.156.177.53", + "10.30.87.51" ], "related.user": [ "psaquaea" @@ -3383,8 +3383,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "ptatev", - "Blocked" + "Blocked", + "ptatev" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3444,8 +3444,8 @@ "rors1935.api.domain" ], "related.ip": [ - "10.83.138.34", - "10.111.249.184" + "10.111.249.184", + "10.83.138.34" ], "related.user": [ "dentsunt" @@ -3459,8 +3459,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "Blocked", - "upta" + "upta", + "Blocked" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3520,8 +3520,8 @@ "idexeac1655.internal.test" ], "related.ip": [ - "10.141.195.13", - "10.180.150.47" + "10.180.150.47", + "10.141.195.13" ], "related.user": [ "taliq" @@ -3535,8 +3535,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "Allowed", - "uip" + "uip", + "Allowed" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3670,8 +3670,8 @@ "tecto708.www5.example" ], "related.ip": [ - "10.22.122.43", - "10.100.143.226" + "10.100.143.226", + "10.22.122.43" ], "related.user": [ "ute" @@ -3685,8 +3685,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Bonoru", - "Blocked" + "Blocked", + "Bonoru" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3746,8 +3746,8 @@ "ine3181.www.invalid" ], "related.ip": [ - "10.119.53.68", - "10.121.9.5" + "10.121.9.5", + "10.119.53.68" ], "related.user": [ "ssec" @@ -3822,8 +3822,8 @@ "tsunt3403.www5.test" ], "related.ip": [ - "10.31.153.177", - "10.237.0.173" + "10.237.0.173", + "10.31.153.177" ], "related.user": [ "sci" @@ -3837,8 +3837,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "dolor", - "Blocked" + "Blocked", + "dolor" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3911,8 +3911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "etquasia", - "Allowed" + "Allowed", + "etquasia" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3983,8 +3983,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "exer", - "Blocked" + "Blocked", + "exer" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -4044,8 +4044,8 @@ "tamr1693.api.home" ], "related.ip": [ - "10.53.191.49", - "10.133.102.57" + "10.133.102.57", + "10.53.191.49" ], "related.user": [ "onsec" @@ -4059,8 +4059,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "Blocked", - "emp" + "emp", + "Blocked" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -4135,8 +4135,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iuntN", "rsa.misc.action": [ - "nim", - "Allowed" + "Allowed", + "nim" ], "rsa.misc.category": "etco", "rsa.misc.filter": "autodita", @@ -4272,8 +4272,8 @@ "pici1525.www5.corp" ], "related.ip": [ - "10.155.252.123", - "10.178.148.188" + "10.178.148.188", + "10.155.252.123" ], "related.user": [ "inrepreh" @@ -4348,8 +4348,8 @@ "dolo6418.internal.host" ], "related.ip": [ - "10.190.42.245", - "10.220.1.249" + "10.220.1.249", + "10.190.42.245" ], "related.user": [ "olup" @@ -4363,8 +4363,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "Blocked", - "aerat" + "aerat", + "Blocked" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4422,8 +4422,8 @@ "imveni193.www5.host" ], "related.ip": [ - "10.55.38.153", - "10.112.190.154" + "10.112.190.154", + "10.55.38.153" ], "related.user": [ "oremeu" @@ -4498,8 +4498,8 @@ "ionu3320.api.localhost" ], "related.ip": [ - "10.250.48.82", - "10.195.153.42" + "10.195.153.42", + "10.250.48.82" ], "related.user": [ "tsedquia" @@ -4574,8 +4574,8 @@ "remips1499.www.local" ], "related.ip": [ - "10.252.164.230", - "10.60.52.219" + "10.60.52.219", + "10.252.164.230" ], "related.user": [ "gnamali" @@ -4589,8 +4589,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "fdeFin", - "Blocked" + "Blocked", + "fdeFin" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4646,8 +4646,8 @@ "mdoloree96.domain" ], "related.ip": [ - "10.187.16.73", - "10.122.102.156" + "10.122.102.156", + "10.187.16.73" ], "related.user": [ "emoen" @@ -4796,8 +4796,8 @@ "sBonoru1929.example" ], "related.ip": [ - "10.51.161.245", - "10.15.254.181" + "10.15.254.181", + "10.51.161.245" ], "related.user": [ "abo" @@ -4872,8 +4872,8 @@ "onorumet4871.lan" ], "related.ip": [ - "10.7.152.238", - "10.129.66.196" + "10.129.66.196", + "10.7.152.238" ], "related.user": [ "equamn" @@ -4887,8 +4887,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vento", "rsa.misc.action": [ - "Blocked", - "reh" + "reh", + "Blocked" ], "rsa.misc.category": "atev", "rsa.misc.filter": "umq", @@ -4948,8 +4948,8 @@ "onproi4354.www5.invalid" ], "related.ip": [ - "10.185.107.27", - "10.29.162.157" + "10.29.162.157", + "10.185.107.27" ], "related.user": [ "evelite" @@ -4963,8 +4963,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "Blocked", - "squirat" + "squirat", + "Blocked" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -5024,8 +5024,8 @@ "beataevi7552.api.test" ], "related.ip": [ - "10.215.63.248", - "10.138.0.214" + "10.138.0.214", + "10.215.63.248" ], "related.user": [ "eavolupt" @@ -5039,8 +5039,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -5115,8 +5115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "Allowed", - "rmagnido" + "rmagnido", + "Allowed" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -5191,8 +5191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "Blocked", - "umq" + "umq", + "Blocked" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5267,8 +5267,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "Allowed", - "userro" + "userro", + "Allowed" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5328,8 +5328,8 @@ "olo7317.www5.localhost" ], "related.ip": [ - "10.249.1.143", - "10.124.177.226" + "10.124.177.226", + "10.249.1.143" ], "related.user": [ "isciveli" @@ -5343,8 +5343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "onevo", - "Allowed" + "Allowed", + "onevo" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", @@ -5419,8 +5419,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "Blocked", - "maccu" + "maccu", + "Blocked" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", @@ -5480,8 +5480,8 @@ "agna5654.www.corp" ], "related.ip": [ - "10.203.47.23", - "10.200.74.101" + "10.200.74.101", + "10.203.47.23" ], "related.user": [ "litesse" @@ -5495,8 +5495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "Allowed", - "iqu" + "iqu", + "Allowed" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5556,8 +5556,8 @@ "ites5711.internal.host" ], "related.ip": [ - "10.162.78.48", - "10.24.23.209" + "10.24.23.209", + "10.162.78.48" ], "related.user": [ "ntore" @@ -5571,8 +5571,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "Blocked", - "tutl" + "tutl", + "Blocked" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5632,8 +5632,8 @@ "oluptat2848.api.home" ], "related.ip": [ - "10.211.66.68", - "10.55.151.53" + "10.55.151.53", + "10.211.66.68" ], "related.user": [ "squir" @@ -5647,8 +5647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "Allowed", - "umet" + "umet", + "Allowed" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", @@ -5708,8 +5708,8 @@ "ngelitse7535.internal.lan" ], "related.ip": [ - "10.110.16.169", - "10.209.203.156" + "10.209.203.156", + "10.110.16.169" ], "related.user": [ "mes" @@ -5723,8 +5723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "Blocked", - "lupta" + "lupta", + "Blocked" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5784,8 +5784,8 @@ "tiumtot3611.internal.localdomain" ], "related.ip": [ - "10.107.68.114", - "10.84.9.150" + "10.84.9.150", + "10.107.68.114" ], "related.user": [ "sequatDu" @@ -5799,8 +5799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "uianonnu", - "Allowed" + "Allowed", + "uianonnu" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5875,8 +5875,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "ici", - "Blocked" + "Blocked", + "ici" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5936,8 +5936,8 @@ "psaqu6066.www5.localhost" ], "related.ip": [ - "10.164.190.2", - "10.223.11.164" + "10.223.11.164", + "10.164.190.2" ], "related.user": [ "ten" @@ -6012,8 +6012,8 @@ "iavol5202.api.example" ], "related.ip": [ - "10.121.181.243", - "10.14.37.8" + "10.14.37.8", + "10.121.181.243" ], "related.user": [ "umwr" @@ -6027,8 +6027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "Blocked", - "rinc" + "rinc", + "Blocked" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -6103,8 +6103,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tat", "rsa.misc.action": [ - "nia", - "Blocked" + "Blocked", + "nia" ], "rsa.misc.category": "turQuis", "rsa.misc.filter": "nonp", @@ -6164,8 +6164,8 @@ "rsitame4049.internal.corp" ], "related.ip": [ - "10.77.102.206", - "10.34.98.144" + "10.34.98.144", + "10.77.102.206" ], "related.user": [ "tectobe" @@ -6179,8 +6179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "Allowed", - "ulapa" + "ulapa", + "Allowed" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", @@ -6240,8 +6240,8 @@ "elit912.www5.test" ], "related.ip": [ - "10.176.233.249", - "10.75.144.118" + "10.75.144.118", + "10.176.233.249" ], "related.user": [ "isnos" @@ -6255,8 +6255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "Blocked", - "odic" + "odic", + "Blocked" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -6331,8 +6331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "Allowed", - "mvele" + "mvele", + "Allowed" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6620,8 +6620,8 @@ "archite4407.mail.invalid" ], "related.ip": [ - "10.247.255.107", - "10.234.34.40" + "10.234.34.40", + "10.247.255.107" ], "related.user": [ "aeabillo" @@ -6696,8 +6696,8 @@ "aria1424.mail.home" ], "related.ip": [ - "10.250.102.42", - "10.124.81.20" + "10.124.81.20", + "10.250.102.42" ], "related.user": [ "tNequ" @@ -6711,8 +6711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "tatisetq", - "Blocked" + "Blocked", + "tatisetq" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6772,8 +6772,8 @@ "Bonoru7444.www5.example" ], "related.ip": [ - "10.166.205.159", - "10.154.188.132" + "10.154.188.132", + "10.166.205.159" ], "related.user": [ "uptat" @@ -6787,8 +6787,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "Allowed", - "onevolu" + "onevolu", + "Allowed" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", @@ -6916,8 +6916,8 @@ "oloremeu5047.www5.invalid" ], "related.ip": [ - "10.172.159.251", - "10.254.119.31" + "10.254.119.31", + "10.172.159.251" ], "related.user": [ "usm" @@ -6931,8 +6931,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "tatemacc", - "Blocked" + "Blocked", + "tatemacc" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6992,8 +6992,8 @@ "edutpe1255.internal.lan" ], "related.ip": [ - "10.195.62.230", - "10.98.126.206" + "10.98.126.206", + "10.195.62.230" ], "related.user": [ "ptassit" @@ -7007,8 +7007,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "Allowed", - "oriosa" + "oriosa", + "Allowed" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -7068,8 +7068,8 @@ "nderit1171.www5.domain" ], "related.ip": [ - "10.144.93.186", - "10.84.140.5" + "10.84.140.5", + "10.144.93.186" ], "related.user": [ "eroi" @@ -7220,8 +7220,8 @@ "oremeum4231.internal.host" ], "related.ip": [ - "10.139.90.218", - "10.131.81.172" + "10.131.81.172", + "10.139.90.218" ], "related.user": [ "hende" @@ -7235,8 +7235,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "Allowed", - "exe" + "exe", + "Allowed" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7296,8 +7296,8 @@ "ueip6097.api.host" ], "related.ip": [ - "10.152.217.174", - "10.128.43.71" + "10.128.43.71", + "10.152.217.174" ], "related.user": [ "mquiado" @@ -7387,8 +7387,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "Blocked", - "rehe" + "rehe", + "Blocked" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7448,8 +7448,8 @@ "onsequ3168.www.corp" ], "related.ip": [ - "10.172.17.6", - "10.109.192.53" + "10.109.192.53", + "10.172.17.6" ], "related.user": [ "eprehen" @@ -7463,8 +7463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "Blocked", - "tassit" + "tassit", + "Blocked" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7524,8 +7524,8 @@ "oremquel3120.internal.localhost" ], "related.ip": [ - "10.135.38.213", - "10.119.106.108" + "10.119.106.108", + "10.135.38.213" ], "related.user": [ "ore" @@ -7539,8 +7539,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "Blocked", - "volup" + "volup", + "Blocked" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index bdf9957b55d..d2e89ea6140 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -31,8 +31,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", diff --git a/x-pack/metricbeat/module/sql/_meta/docs.asciidoc b/x-pack/metricbeat/module/sql/_meta/docs.asciidoc index 31751f264ec..d445d62e305 100644 --- a/x-pack/metricbeat/module/sql/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/sql/_meta/docs.asciidoc @@ -1,21 +1,42 @@ -The SQL module allows to execute custom queries against an SQL database and store the results to Elasticsearch. +The SQL module allows you to execute custom queries against an SQL database and +store the results in {es}. -The currently supported databases are the ones already included in Metricbeat, which are: -- PostgreSQL -- MySQL -- Oracle -- Microsoft SQL -- CockroachDB +This module supports the databases that you can monitor with {metricbeat}, +including: -== Quickstart +* PostgreSQL +* MySQL +* Oracle +* Microsoft SQL +* CockroachDB -You can setup the module by activating it first running +To enable the module, run: - metricbeat module enable sql +[source,shell] +---- +metricbeat module enable sql +---- + +After enabling the module, open `modules.d/sql.yml` and set the required +fields: + +`driver`:: The driver can be any driver that has a {metricbeat} module, such as +`mssql` or `postgres`. +`sql_query`:: The single query you want to run. +`sql_response_format`:: Either `variables` or `table`: +`variables`::: Expects a two-column table that looks like a key/value result. +The left column is considered a key and the right column the value. This mode +generates a single event on each fetch operation. +`table`::: Expects any number of columns. This mode generates a single event for +each row. -Once it is activated, open `modules.d/sql.yml` and fill the required fields. This is an example that captures Innodb related metrics from the result of the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL database: +[float] +=== Example: capture Innodb-related metrics + +This `sql.yml` configuration shows how to capture Innodb-related metrics that +result from the query `SHOW GLOBAL STATUS LIKE 'Innodb_system%'` in a MySQL +database: -.sql.yml [source,yaml] ---- - module: sql @@ -29,7 +50,8 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi sql_response_format: variables ---- -.SHOW GLOBAL STATUS LIKE 'Innodb_system%' +The `SHOW GLOBAL STATUS` query results in this table: + |==== |Variable_name|Value @@ -39,18 +61,11 @@ Once it is activated, open `modules.d/sql.yml` and fill the required fields. Thi |Innodb_system_rows_updated|315 |==== +Results are grouped by type in the result event for convenient mapping in +{es}. For example, `strings` values are grouped into `sql.strings`, `numeric` +into `sql.numeric`, and so on. -Keys in the YAML are defined as follow: - -- `driver`: The drivers currently supported are those which already have a Metricbeat module like `mssql` or `postgres`. -- `sql_query`: Is the single query you want to run -- `sql_response_format`: You have 2 options here: - - `variables`: Expects a table which looks like a key/value result. With 2 columns, left column will be considered a key and the right column the value. This mode generates a single event on each fetch operation. - - `table`: Table mode can contain any number of columns and a single event will be generated for each row. - -Results will be grouped by type in the result event for convenient mapping in Elasticsearch. So `strings` values will be grouped into `sql.strings`, `numeric` into `sql.numeric` and so on and so forth. - -The event generated with the example above looks like this: +The example shown earlier generates this event: [source,json] ---- @@ -102,9 +117,13 @@ The event generated with the example above looks like this: } ---- -In this example, we are querying PostgreSQL and generate a "table" result, hence a single event for each row returned +[float] +=== Example: query PostgreSQL and generate a "table" result + +This `sql.yml` configuration shows how to query PostgreSQL and generate +a "table" result. This configuration generates a single event for each row +returned: -.sql.yml [source,yaml] ---- - module: sql @@ -118,7 +137,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence sql_response_format: table ---- -.SELECT datid, datname, blks_read, blks_hit, tup_returned, tup_fetched, stats_reset FROM pg_stat_database +The SELECT query results in this table: + |==== |datid|datname|blks_read|blks_hit|tup_returned|tup_fetched|stats_reset @@ -127,7 +147,8 @@ In this example, we are querying PostgreSQL and generate a "table" result, hence |13407|template0|0|0|0|0| |==== -With 3 rows on the table, three events will be generated with the contents of each row. As an example, below you can see the event created for the first row: +Because the table contains three rows, three events are generated, one event +for each row. For example, this event is created for the first row: [source,json] ---- @@ -184,14 +205,11 @@ With 3 rows on the table, three events will be generated with the contents of ea } ---- +[float] +=== Example: get the buffer catch hit ratio in Oracle -== More examples +This `sql.yml` configuration shows how to get the buffer cache hit ratio: -=== Oracle: - -Get the buffer cache hit ratio: - -.sql.yml [source,yaml] ---- - module: sql @@ -205,6 +223,7 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: [source,json] ---- @@ -259,11 +278,11 @@ Get the buffer cache hit ratio: } ---- -=== MSSQL +[float] +=== Example: get the buffer cache hit ratio for MSSQL -Get the buffer cache hit ratio: +This `sql.yml` configuration gets the buffer cache hit ratio: -.sql.yml [source,yaml] ---- - module: sql @@ -277,6 +296,8 @@ Get the buffer cache hit ratio: sql_response_format: table ---- +The example generates this event: + [source,json] ---- { @@ -328,11 +349,12 @@ Get the buffer cache hit ratio: } ---- -=== Two or more queries +[float] +=== Example: launch two or more queries -If you want to launch two or more queries, you need to specify them with their full configuration for each query. For example: +To launch two or more queries, specify the full configuration for each query. +For example: -.sql.yml [source,yaml] ---- - module: sql diff --git a/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc b/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc index df05a99c95c..8f48f8507de 100644 --- a/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/sql/query/_meta/docs.asciidoc @@ -1,4 +1,4 @@ -The sql `query` metricset collect rows returned by a query. +The sql `query` metricset collects rows returned by a query. -Fields names (columns) will be returned as lowercase. -Values will be returned as numeric or string. \ No newline at end of file +Field names (columns) are returned as lowercase strings. Values are returned as numeric +or string. diff --git a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js index 71ce567ccc7..4ef1155086b 100644 --- a/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js +++ b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js @@ -5,7 +5,7 @@ var powershell = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); var normalizeCommonFieldNames = new processor.Convert({ fields: [ @@ -183,7 +183,7 @@ var powershell = (function () { if (!commandLine) { return; } - evt.Put(target, winlogbeat.splitCommandLine(commandLine)); + evt.Put(target, windows.splitCommandLine(commandLine)); }; var addProcessArgs = function (evt) { diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 9a0899165b9..5a8e91b677b 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -5,7 +5,7 @@ var security = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); // Logon Types // https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events @@ -1670,7 +1670,7 @@ var security = (function () { if (!cl) { return; } - evt.Put("process.args", winlogbeat.splitCommandLine(cl)); + evt.Put("process.args", windows.splitCommandLine(cl)); evt.Put("process.command_line", cl); }) .Build(); diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 5fcedb9e40e..5b09c98fc32 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -15,7 +15,7 @@ if (!String.prototype.startsWith) { var sysmon = (function () { var path = require("path"); var processor = require("processor"); - var winlogbeat = require("winlogbeat"); + var windows = require("windows"); var net = require("net"); // Windows error codes for DNS. This list was generated using @@ -311,7 +311,7 @@ var sysmon = (function () { if (!commandLine) { return; } - evt.Put(target, winlogbeat.splitCommandLine(commandLine)); + evt.Put(target, windows.splitCommandLine(commandLine)); }; var splitProcessArgs = function (evt) { diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go index 12b2102070f..058e2320a9d 100644 --- a/x-pack/winlogbeat/module/testing_windows.go +++ b/x-pack/winlogbeat/module/testing_windows.go @@ -28,7 +28,6 @@ import ( // Register javascript modules. _ "github.com/elastic/beats/v7/libbeat/processors/script/javascript/module" - _ "github.com/elastic/beats/v7/winlogbeat/processors/script/javascript/module/winlogbeat" ) var update = flag.Bool("update", false, "update golden files")