diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 849baa0d304..96bb75681d9 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -172,6 +172,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - google-pubsub input: ACK pub/sub message when acknowledged by publisher. {issue}13346[13346] {pull}14715[14715] - Remove Beta label from google-pubsub input. {issue}13346[13346] {pull}14715[14715] - Set event.outcome field based on googlecloud audit log output. {pull}15731[15731] +- Add dashboard for AWS vpcflow fileset. {pull}16007[16007] *Heartbeat* diff --git a/filebeat/docs/images/filebeat-aws-vpcflow-overview.png b/filebeat/docs/images/filebeat-aws-vpcflow-overview.png new file mode 100644 index 00000000000..4f8ab6bfbbb Binary files /dev/null and b/filebeat/docs/images/filebeat-aws-vpcflow-overview.png differ diff --git a/filebeat/docs/modules/aws.asciidoc b/filebeat/docs/modules/aws.asciidoc index d2f23e55961..0686304fb89 100644 --- a/filebeat/docs/modules/aws.asciidoc +++ b/filebeat/docs/modules/aws.asciidoc 
@@ -15,22 +15,14 @@ beta[] This is a module for aws logs. It uses filebeat s3 input to get log files from AWS S3 buckets with SQS notification. This module supports reading s3 server access logs with `s3access` fileset, ELB access logs with `elb` fileset, VPC -flow logs with `vpc` fileset, and CloudTrail logs with `cloudtrail` fileset. +flow logs with `vpcflow` fileset, and CloudTrail logs with `cloudtrail` fileset. Access logs contain detailed information about the requests made to these services. VPC flow logs captures information about the IP traffic going to and -from network interfaces in AWS VPC. CloudTrail logs contain events +from network interfaces in AWS VPC. ELB access logs captures detailed information +about requests sent to the load balancer. CloudTrail logs contain events that represent actions taken by a user, role or AWS service. -[float] -=== Example dashboard - -This module comes with several predefined dashboards. For example, here is the -dashboard for `s3access` fileset: - -[role="screenshot"] -image::./images/filebeat-aws-s3access-overview.png[] - [float] === Module configuration 
@@ -112,12 +104,60 @@ Filename of AWS credential file. AWS credential profile name. -=== CloudTrail fileset +=== cloudtrail fileset +CloudTrail monitors events for the account. If user creates a trail, it +delivers those events as log files to a specific Amazon S3 bucket. The `cloudtrail` fileset does not read the CloudTrail Digest files that are delivered to the S3 bucket when Log File Integrity is turned on, it only reads the CloudTrail logs. +=== elb fileset + +Elastic Load Balancing provides access logs that capture detailed information +about requests sent to the load balancer. Each log contains information such +as the time the request was received, the client's IP address, latencies, +request paths, and server responses. Users can use these access logs to analyze +traffic patterns and to troubleshoot issues. + +Please follow https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html[enable access logs for classic load balancer] +for sending Classic ELB access logs to S3 bucket. +For application load balancer, please follow https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging[enable access log for application load balancer]. +For network load balancer, please follow https://docs.aws.amazon.com/elasticloadbalancing/latest//network/load-balancer-access-logs.html[enable access log for network load balancer]. + +This fileset comes with a predefined dashboard: + +[role="screenshot"] +image::./images/filebeat-aws-elb-overview.png[] + +=== s3access fileset + +Server access logging provides detailed records for the requests that are made +to a bucket. Server access logs are useful for many applications. For example, +access log information can be useful in security and access audits. It can also +help you learn about customer base and understand Amazon S3 bill. 
+ +Please follow https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overview[how to enable server access logging] +for sending server access logs to S3 bucket. + +This fileset comes with a predefined dashboard: + +[role="screenshot"] +image::./images/filebeat-aws-s3access-overview.png[] + +=== vpcflow fileset + +VPC Flow Logs is a feature in AWS that enables users to capture information +about the IP traffic going to and from network interfaces in VPC. Flow log data +needs to be published to Amazon S3 in order for `vpcflow` fileset to retrieve. +Flow logs can help users to monitor traffic that is reaching each instance and +determine the direction of the traffic to and from the network interfaces. + +This fileset comes with a predefined dashboard: + +[role="screenshot"] +image::./images/filebeat-aws-vpcflow-overview.png[] + [float] === Fields diff --git a/x-pack/filebeat/module/aws/_meta/docs.asciidoc b/x-pack/filebeat/module/aws/_meta/docs.asciidoc index fcfa0956f2e..a0eb17e9088 100644 --- a/x-pack/filebeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/aws/_meta/docs.asciidoc 
@@ -10,22 +10,14 @@ beta[] This is a module for aws logs. It uses filebeat s3 input to get log files from AWS S3 buckets with SQS notification. This module supports reading s3 server access logs with `s3access` fileset, ELB access logs with `elb` fileset, VPC -flow logs with `vpc` fileset, and CloudTrail logs with `cloudtrail` fileset. +flow logs with `vpcflow` fileset, and CloudTrail logs with `cloudtrail` fileset. Access logs contain detailed information about the requests made to these services. VPC flow logs captures information about the IP traffic going to and -from network interfaces in AWS VPC. CloudTrail logs contain events +from network interfaces in AWS VPC. ELB access logs captures detailed information +about requests sent to the load balancer. CloudTrail logs contain events that represent actions taken by a user, role or AWS service. -[float] -=== Example dashboard - -This module comes with several predefined dashboards. For example, here is the -dashboard for `s3access` fileset: - -[role="screenshot"] -image::./images/filebeat-aws-s3access-overview.png[] - [float] === Module configuration 
@@ -107,8 +99,56 @@ Filename of AWS credential file. AWS credential profile name. -=== CloudTrail fileset +=== cloudtrail fileset +CloudTrail monitors events for the account. If user creates a trail, it +delivers those events as log files to a specific Amazon S3 bucket. The `cloudtrail` fileset does not read the CloudTrail Digest files that are delivered to the S3 bucket when Log File Integrity is turned on, it only reads the CloudTrail logs. + +=== elb fileset + +Elastic Load Balancing provides access logs that capture detailed information +about requests sent to the load balancer. Each log contains information such +as the time the request was received, the client's IP address, latencies, +request paths, and server responses. Users can use these access logs to analyze +traffic patterns and to troubleshoot issues. + +Please follow https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html[enable access logs for classic load balancer] +for sending Classic ELB access logs to S3 bucket. +For application load balancer, please follow https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging[enable access log for application load balancer]. +For network load balancer, please follow https://docs.aws.amazon.com/elasticloadbalancing/latest//network/load-balancer-access-logs.html[enable access log for network load balancer]. + +This fileset comes with a predefined dashboard: + +[role="screenshot"] +image::./images/filebeat-aws-elb-overview.png[] + +=== s3access fileset + +Server access logging provides detailed records for the requests that are made +to a bucket. Server access logs are useful for many applications. For example, +access log information can be useful in security and access audits. It can also +help you learn about customer base and understand Amazon S3 bill. 
+ +Please follow https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html#server-access-logging-overview[how to enable server access logging] +for sending server access logs to S3 bucket. + +This fileset comes with a predefined dashboard: + +[role="screenshot"] +image::./images/filebeat-aws-s3access-overview.png[] + +=== vpcflow fileset + +VPC Flow Logs is a feature in AWS that enables users to capture information +about the IP traffic going to and from network interfaces in VPC. Flow log data +needs to be published to Amazon S3 in order for `vpcflow` fileset to retrieve. +Flow logs can help users to monitor traffic that is reaching each instance and +determine the direction of the traffic to and from the network interfaces. + +This fileset comes with a predefined dashboard: + +[role="screenshot"] +image::./images/filebeat-aws-vpcflow-overview.png[] diff --git a/x-pack/filebeat/module/aws/_meta/kibana/7/dashboard/Filebeat-aws-vpcflow-overview.json b/x-pack/filebeat/module/aws/_meta/kibana/7/dashboard/Filebeat-aws-vpcflow-overview.json new file mode 100644 index 00000000000..c528fd0b038 --- /dev/null +++ b/x-pack/filebeat/module/aws/_meta/kibana/7/dashboard/Filebeat-aws-vpcflow-overview.json 
@@ -0,0 +1,580 @@ +{ + "objects": [ + { + "attributes": { + "description": "Filebeat AWS VPC Flow Log Overview Dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "isLayerTOCOpen": false, + "mapCenter": { + "lat": 9.09888, + "lon": 22.04487, + "zoom": 0.47 + }, + "openTOCDetails": [], + "title": "VPC Flow Action Geo Location" + }, + "gridData": { + "h": 15, + "i": "380eed85-225b-4d5d-88bc-1c70a3643ddb", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "380eed85-225b-4d5d-88bc-1c70a3643ddb", + "panelRefName": "panel_0", + "title": "VPC Flow Action Geo Location", + "version": "7.4.0" + }, + { + "embeddableConfig": { + "title": "VPC Flow Top IP Addresses" + }, + "gridData": { + "h": 15, + "i": "3dde08df-2d7e-464e-825d-03179e43e175", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "3dde08df-2d7e-464e-825d-03179e43e175", + "panelRefName": "panel_1", + "title": "VPC Flow Top IP Addresses", + "version": "7.4.0" + }, + { + "embeddableConfig": { + "title": "VPC Flow Total Requests" + }, + "gridData": { + "h": 12, + "i": "f7c6de04-c771-47ff-a32d-00a7940e414a", + "w": 48, + "x": 0, + "y": 15 + }, + "panelIndex": "f7c6de04-c771-47ff-a32d-00a7940e414a", + "panelRefName": "panel_2", + "title": "VPC Flow Total Requests", + "version": "7.4.0" + }, + { + "embeddableConfig": { + "title": "VPC Flow Reject Logs" + }, + "gridData": { + "h": 15, + "i": "b4dbbe72-0dc0-428b-b21e-91c6cc82745c", + "w": 48, + "x": 0, + "y": 27 + }, + "panelIndex": "b4dbbe72-0dc0-428b-b21e-91c6cc82745c", + "panelRefName": "panel_3", + "title": "VPC Flow Reject Logs", + "version": "7.4.0" + } + ], + "timeRestore": false, + "title": "[Filebeat AWS] VPC Flow Log Overview", + "version": 1 + }, + "id": "15503340-4488-11ea-ad63-791a5dc86f10", + "migrationVersion": { + "dashboard": 
"7.3.0" + }, + "references": [ + { + "id": "513a3d70-4482-11ea-ad63-791a5dc86f10", + "name": "panel_0", + "type": "map" + }, + { + "id": "75853f20-4484-11ea-ad63-791a5dc86f10", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "bad8c910-4485-11ea-ad63-791a5dc86f10", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "c1aee600-4487-11ea-ad63-791a5dc86f10", + "name": "panel_3", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-02-01T00:21:28.596Z", + "version": "WzU3MDQsMV0=" + }, + { + "attributes": { + "bounds": { + "coordinates": [ + [ + [ + -180, + 85.05113 + ], + [ + -180, + -85.05113 + ], + [ + 180, + -85.05113 + ], + [ + 180, + 85.05113 + ], + [ + -180, + 85.05113 + ] + ] + ], + "type": "Polygon" + }, + "description": "", + "layerListJSON": "[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"842c201e-96d7-413d-8688-de5ee4f8a1e0\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"applyGlobalQuery\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"97903038-e08d-4451-bbd2-eb92c894bdf5\",\"type\":\"ES_SEARCH\",\"geoField\":\"destination.geo.location\",\"filterByMapBounds\":true,\"tooltipProperties\":[],\"useTopHits\":false,\"topHitsTimeField\":\"@timestamp\",\"topHitsSize\":1,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#1EA593\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#167a6d\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":5}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbol\":{\"options\":{\"symbolizeAs\":\"circle\",\"symbolId\":\"airfield\"}}}},\"id\":\"401944dd-a371-4698-be17-bc4542e9a5d4\",\"label\":\"vpc flow action 
accept\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"applyGlobalQuery\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"aws.vpcflow.action : \\\"ACCEPT\\\" \",\"language\":\"kuery\"}},{\"sourceDescriptor\":{\"id\":\"9c0e7cce-4f21-4bcd-bb50-ae36c0fffffb\",\"type\":\"ES_SEARCH\",\"geoField\":\"source.geo.location\",\"filterByMapBounds\":true,\"tooltipProperties\":[],\"useTopHits\":false,\"topHitsTimeField\":\"@timestamp\",\"topHitsSize\":1,\"indexPatternRefName\":\"layer_2_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#f00f0b\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#7a1a18\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":5}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"symbol\":{\"options\":{\"symbolizeAs\":\"circle\",\"symbolId\":\"airfield\"}}}},\"id\":\"b1d44a5c-3a04-4c80-8080-57585b02fd48\",\"label\":\"vpc flow action reject\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"applyGlobalQuery\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"aws.vpcflow.action : \\\"REJECT\\\" \",\"language\":\"kuery\"}}]", + "mapStateJSON": "{\"zoom\":0.47,\"center\":{\"lon\":-108.92402,\"lat\":0},\"timeFilters\":{\"from\":\"now-15d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[]}", + "title": "VPC Flow Action Geo Location[Filebeat AWS]", + "uiStateJSON": { + "isLayerTOCOpen": false, + "openTOCDetails": [] + } + }, + "id": "513a3d70-4482-11ea-ad63-791a5dc86f10", + "migrationVersion": { + "map": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "layer_2_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + 
"updated_at": "2020-01-31T23:35:26.739Z", + "version": "WzU2ODQsMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "VPC Flow Top IP Addresses [Filebeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": "0", + "axis_position": "left", + "axis_scale": "normal", + "background_color_rules": [ + { + "id": "29527130-3e86-11ea-9067-cf383a4ea3b3" + } + ], + "bar_color_rules": [ + { + "id": "cc6d5070-3e85-11ea-9067-cf383a4ea3b3" + } + ], + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "gauge_color_rules": [ + { + "id": "2b29c940-3e86-11ea-9067-cf383a4ea3b3" + } + ], + "gauge_inner_width": 10, + "gauge_style": "half", + "gauge_width": 10, + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "", + "interval": "", + "isModelInvalid": false, + "legend_position": "bottom", + "pivot_id": "user_agent.original", + "pivot_type": "string", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "color_rules": [ + { + "id": "42e14220-3e86-11ea-9067-cf383a4ea3b3" + } + ], + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "fileset.name : \"vpcflow\" " + }, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "IP address", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + }, + { + "field": "61ca57f2-469d-11e7-af02-69e470af7417", + "id": "40c52370-3e87-11ea-9067-cf383a4ea3b3", + "type": "cumulative_sum" + } + ], + "override_index_pattern": 1, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "series_index_pattern": "filebeat-*", + "split_mode": "terms", + "stacked": "none", + "terms_field": "source.ip", + "terms_order_by": 
"61ca57f2-469d-11e7-af02-69e470af7417", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "top_n" + }, + "title": "VPC Flow Top IP Addresses [Filebeat AWS]", + "type": "metrics" + } + }, + "id": "75853f20-4484-11ea-ad63-791a5dc86f10", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-01-31T23:50:28.626Z", + "version": "WzU2ODksMV0=" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "VPC Flow Total Requests [Filebeat AWS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_min": "0", + "axis_position": "left", + "axis_scale": "normal", + "background_color": "rgba(255,255,255,1)", + "default_index_pattern": "metricbeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "", + "interval": "", + "isModelInvalid": false, + "legend_position": "right", + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(211,49,21,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "fileset.name : \"vpcflow\" and aws.vpcflow.action : \"REJECT\" " + }, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "label": "REJECT", + "line_width": "2", + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "override_index_pattern": 1, + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 0, + "series_index_pattern": "filebeat-*", + "series_time_field": "@timestamp", + "split_color_mode": "rainbow", + "split_mode": "everything", + "stacked": "none", + "terms_field": "aws.vpcflow.action", + "terms_order_by": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "timeseries" + }, + { + 
"axis_position": "right", + "chart_type": "line", + "color": "rgba(104,188,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "fileset.name : \"vpcflow\" and aws.vpcflow.action : \"ACCEPT\" " + }, + "formatter": "number", + "id": "7ec99260-4485-11ea-9ee9-2d27e9149ae8", + "label": "ACCEPT", + "line_width": "2", + "metrics": [ + { + "id": "7ec99261-4485-11ea-9ee9-2d27e9149ae8", + "type": "count" + } + ], + "override_index_pattern": 1, + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 0, + "series_index_pattern": "filebeat-*", + "series_time_field": "@timestamp", + "split_color_mode": "rainbow", + "split_mode": "everything", + "stacked": "none", + "terms_field": "aws.vpcflow.action", + "terms_order_by": "7ec99261-4485-11ea-9ee9-2d27e9149ae8", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(252,220,0,1)", + "fill": "0", + "filter": { + "language": "kuery", + "query": "fileset.name : \"vpcflow\" and aws.vpcflow.action : \"-\" " + }, + "formatter": "number", + "id": "8d550580-4485-11ea-9ee9-2d27e9149ae8", + "label": "-", + "line_width": "2", + "metrics": [ + { + "id": "8d552c90-4485-11ea-9ee9-2d27e9149ae8", + "type": "count" + } + ], + "override_index_pattern": 1, + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 0, + "series_index_pattern": "filebeat-*", + "series_time_field": "@timestamp", + "split_color_mode": "rainbow", + "split_mode": "everything", + "stacked": "none", + "terms_field": "aws.vpcflow.action", + "terms_order_by": "8d552c90-4485-11ea-9ee9-2d27e9149ae8", + "type": "timeseries" + }, + { + "axis_position": "right", + "chart_type": "line", + "color": "rgba(115,216,255,1)", + "fill": "0.5", + "filter": { + "language": "kuery", + "query": "fileset.name : \"vpcflow\"" + }, + "formatter": "number", + "id": "c8c27df0-4485-11ea-9ee9-2d27e9149ae8", + "label": "Total Requests", + "line_width": "2", + "metrics": [ + { + "id": 
"c8c27df1-4485-11ea-9ee9-2d27e9149ae8", + "type": "count" + } + ], + "override_index_pattern": 1, + "point_size": "3", + "separate_axis": 0, + "series_drop_last_bucket": 0, + "series_index_pattern": "filebeat-*", + "series_time_field": "@timestamp", + "split_color_mode": "rainbow", + "split_mode": "everything", + "stacked": "none", + "terms_field": "aws.vpcflow.action", + "terms_order_by": "c8c27df1-4485-11ea-9ee9-2d27e9149ae8", + "type": "timeseries" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "timeseries" + }, + "title": "VPC Flow Total Requests [Filebeat AWS]", + "type": "metrics" + } + }, + "id": "bad8c910-4485-11ea-ad63-791a5dc86f10", + "migrationVersion": { + "visualization": "7.3.1" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-02-01T00:01:02.269Z", + "version": "WzU2OTMsMV0=" + }, + { + "attributes": { + "columns": [ + "source.ip", + "source.port", + "event.original" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "fileset.name", + "negate": false, + "params": { + "query": "vpcflow" + }, + "type": "phrase", + "value": "vpcflow" + }, + "query": { + "match": { + "fileset.name": { + "query": "vpcflow", + "type": "phrase" + } + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "aws.vpcflow.action", + "negate": false, + "params": { + "query": "REJECT" + }, + "type": "phrase", + "value": "REJECT" + }, + "query": { + "match": { + "aws.vpcflow.action": { + "query": "REJECT", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + 
"language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "VPC Flow Reject Logs [Filebeat AWS]", + "version": 1 + }, + "id": "c1aee600-4487-11ea-ad63-791a5dc86f10", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-02-01T00:14:04.896Z", + "version": "WzU3MDIsMV0=" + } + ], + "version": "7.4.0" +}
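Review bot: The `VPC Flow Reject Logs` saved search (id `c1aee600-4487-...`) exposes only `source.ip`, `source.port` and `event.original` as columns, so an analyst triaging rejected flows must open each row to learn which address and port was being targeted; adding `"destination.ip"` and `"destination.port"` to the `columns` array makes the panel usable for spotting port scans and blocked egress at a glance. In the map object's `layerListJSON` the ACCEPT layer appears to plot `destination.geo.location` while the REJECT layer plots `source.geo.location`; if that asymmetry is intended, encoding it in the layer labels (e.g. `vpc flow action accept (destination)` / `vpc flow action reject (source)`) stops readers from comparing the two layers as if they showed the same endpoint. The `"pivot_id": "user_agent.original"` in the Top IP Addresses TSVB object looks like a leftover from another fileset's visualization, since VPC flow records carry no user-agent field; a `top_n` chart does not seem to read the pivot, but removing it avoids misleading the next maintainer.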