diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index bb3ed7fb16ef..3374d3fc775d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -493,6 +493,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add `http.request.mime_type` for Elasticsearch audit log fileset. {pull}22975[22975] - Add new httpjson input features and mark old config ones for deprecation {pull}22320[22320] - Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998] +- Add `subbdomain` fields for rsa2elk modules. {pull}23035[23035] - Add subdomain enrichment for suricata/eve fileset. {pull}23011[23011] - Add subdomain enrichment for zeek/dns fileset. {pull}23011[23011] - Add `event.category` "configuration" to auditd module events. {pull}23010[23010] diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json index 904c408eb474..2e82bd8d32bc 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json @@ -551,4 +551,4 @@ "trace.id": "Root=1-58337262-36d228ad5d99923122bbe354", "user_agent.original": "curl/7.46.0" } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json index 8c7935ff6ce2..66d06e583271 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json @@ -584,4 +584,4 @@ "trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3", "user_agent.original": "-" } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json index ca2c95be8242..b8a96002e140 100644 --- a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json +++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json @@ -33,4 +33,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json index fb95fe0ba809..59669df1681e 100644 --- a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json +++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json @@ -28,4 +28,4 @@ "forwarded" ] } -] +] \ No newline at end of file diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml index 1d80deb1f074..1a1ed1bc28c8 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js b/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml index 2ae84bd17e5b..c4d00a79eb6c 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml @@ -55,14 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{url.domain}}' - if: ctx?.url?.domain != null && ctx?.url?.domain != "" - allow_duplicates: false - - append: - field: related.hosts - value: '{{server.domain}}' - if: ctx?.server?.domain != null && ctx?.url?.domain != "" + value: '{{host.name}}' allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml b/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml index 9ffc06e93aac..e487203382f8 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9524 + default: 9540 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json index ed4c2bb4d7f3..c9ab9284cfc1 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -371,8 +371,7 @@ "tags": [ "barracuda.spamfirewall", "forwarded" - ], - "url.domain": "" + ] }, { "event.action": " RECV", @@ -496,8 +495,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.110.109.5", - "10.18.165.35" + "10.18.165.35", + "10.110.109.5" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, @@ -896,6 +895,8 @@ "rsa.time.endtime": "2017-02-03T21:16:50.000Z", "rsa.time.starttime": "2017-02-03T21:16:50.000Z", "server.domain": "lit5929.test", + "server.registered_domain": "lit5929.test", + "server.top_level_domain": "test", "service.type": "barracuda", "source.ip": [ "10.198.6.166" @@ -957,8 +958,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.hosts": [ - "equat", - "uptat3156.www5.test" + "uptat3156.www5.test", + "equat" ], "related.ip": [ "10.77.137.72" @@ -980,6 +981,9 @@ "rsa.time.endtime": "2017-03-04T11:21:59.000Z", "rsa.time.starttime": "2017-03-04T11:21:59.000Z", "server.domain": "uptat3156.www5.test", + "server.registered_domain": "www5.test", + "server.subdomain": "uptat3156", + "server.top_level_domain": "test", "service.type": "barracuda", "source.ip": [ "10.77.137.72" @@ -1027,6 +1031,9 @@ "rsa.time.endtime": "2017-03-18T18:24:33.000Z", "rsa.time.starttime": "2017-03-18T18:24:33.000Z", "server.domain": "neav6028.internal.domain", + "server.registered_domain": "internal.domain", + "server.subdomain": "neav6028", + "server.top_level_domain": "domain", "service.type": "barracuda", "source.ip": [ "10.128.114.77" @@ -1165,8 +1172,7 @@ "tags": [ "barracuda.spamfirewall", "forwarded" - ], - "url.domain": "" + ] }, { "event.action": "deny", @@ -1640,8 +1646,7 @@ "tags": [ "barracuda.spamfirewall", "forwarded" - ], - "url.domain": "" + ] }, { "event.code": "web", @@ -1844,8 +1849,7 @@ "tags": [ "barracuda.spamfirewall", "forwarded" - ], - "url.domain": "" + ] }, { "event.action": " SCAN", @@ -1861,8 +1865,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.hosts": [ - "aveni", - "oremagna3521.mail.home" + "oremagna3521.mail.home", + "aveni" ], "related.ip": [ "10.29.155.171" @@ -1884,6 +1888,9 @@ "rsa.time.endtime": "2018-03-25T09:31:24.000Z", "rsa.time.starttime": "2018-03-25T09:31:24.000Z", "server.domain": "oremagna3521.mail.home", + "server.registered_domain": "mail.home", + "server.subdomain": "oremagna3521", + "server.top_level_domain": "home", "service.type": "barracuda", "source.ip": [ "10.29.155.171" @@ -1927,8 +1934,7 @@ "tags": [ "barracuda.spamfirewall", "forwarded" - ], - "url.domain": "" + ] }, { "event.action": " RECV", @@ -2044,8 +2050,7 @@ "tags": [ "barracuda.spamfirewall", "forwarded" - ], - "url.domain": "" + ] }, { "event.code": "reports", @@ -2720,8 +2725,7 @@ "tags": [ "barracuda.spamfirewall", "forwarded" - ], - "url.domain": "" + ] }, { "event.action": "CHANGE", @@ -3155,8 +3159,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.1.6.115", - "10.178.30.158" + "10.178.30.158", + "10.1.6.115" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, @@ -3265,8 +3269,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.hosts": [ - "der", - "piciatis2460.api.host" + "piciatis2460.api.host", + "der" ], "related.ip": [ "10.77.182.191" @@ -3288,6 +3292,9 @@ "rsa.time.endtime": "2019-11-30T00:21:57.000Z", "rsa.time.starttime": "2019-11-30T00:21:57.000Z", "server.domain": "piciatis2460.api.host", + "server.registered_domain": "api.host", + "server.subdomain": "piciatis2460", + "server.top_level_domain": "host", "service.type": "barracuda", "source.ip": [ "10.77.182.191" diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml index c83846e675fb..30ae8228f704 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/input.yml +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js +++ b/x-pack/filebeat/module/barracuda/waf/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/barracuda/waf/config/pipeline.js b/x-pack/filebeat/module/barracuda/waf/config/pipeline.js index ce7de6631842..2d9dc88d0d3d 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/pipeline.js +++ b/x-pack/filebeat/module/barracuda/waf/config/pipeline.js @@ -35,7 +35,7 @@ var dup1 = call({ constant(" "), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }); @@ -71,15 +71,15 @@ var dup13 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{r var dup14 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); -var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); +var dup15 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); -var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); +var dup16 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); var dup17 = setc("eventcategory","1204000000"); -var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); +var dup18 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); -var dup19 = match("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "%{stransport}"); +var dup19 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); var dup20 = setf("msg_id","web_method"); @@ -126,7 +126,7 @@ var dup27 = all_match({ ]), }); -var hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -134,7 +134,7 @@ var hdr1 = match("HEADER#0:0001", "message", "%{messageid}:%{payload}", processo args: [ field("messageid"), constant(":"), - field("payload"), + field("p0"), ], }), ])); @@ -143,17 +143,17 @@ var hdr2 = match("HEADER#1:0005", "message", "time=%{hfld1->} %{hfld2->} %{timez setc("header_id","0005"), ])); -var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hfld12->} %{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0003"), dup1, ])); -var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0002", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} %{hfld4->} %{hfld5->} %{hfld6->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0002"), dup1, ])); -var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} TR %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ setc("header_id","0009"), dup2, call({ @@ -174,12 +174,12 @@ var hdr5 = match("HEADER#4:0009", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h constant(" "), field("hfld8"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} AUDIT %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ setc("header_id","0007"), dup2, call({ @@ -200,12 +200,12 @@ var hdr6 = match("HEADER#5:0007", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h constant(" "), field("hfld8"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{payload}", processor_chain([ +var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{hfld2->} %{hfld3->} WF %{hfld5->} %{hfld6->} %{hfld8->} %{p0}", processor_chain([ setc("header_id","0008"), dup2, call({ @@ -226,12 +226,12 @@ var hdr7 = match("HEADER#6:0008", "message", "%{hhost->} %{hfld7->} %{hfld8}.%{h constant(" "), field("hfld8"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{payload}", processor_chain([ +var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} BARRACUDAWAF %{hhost->} %{hdate->} %{htime->} %{htimezone->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0006"), call({ dest: "nwparser.payload", @@ -247,12 +247,12 @@ var hdr8 = match("HEADER#7:0006", "message", "%{hmonth->} %{hday->} %{htime->} B constant(" "), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{payload}", processor_chain([ +var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} %{hhost->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0004"), call({ dest: "nwparser.payload", @@ -266,7 +266,7 @@ var hdr9 = match("HEADER#8:0004", "message", "%{hfld9->} %{hfld10->} %{hfld11->} constant(" "), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); @@ -1296,13 +1296,13 @@ var part95 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_0", "nwparser.p0", "\"[%{ var part96 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/1_1", "nwparser.p0", "[%{result}] %{p0}"); -var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); +var part97 = match("MESSAGE#84:HEADER_COUNT_EXCEEDED/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} - %{stransaddr->} %{stransport->} %{web_referer}"); -var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{} %{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); +var part98 = match("MESSAGE#85:CROSS_SITE_SCRIPTING_IN_PARAM:01/2", "nwparser.p0", "%{web_method->} %{url->} %{protocol->} \"%{user_agent}\" %{stransaddr->} %{stransport->} %{web_referer}"); -var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type->} "); +var part99 = match("MESSAGE#118:TR_Logs:01/1_0", "nwparser.p0", "%{stransport->} %{content_type}"); -var part100 = match("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "%{stransport}"); +var part100 = match_copy("MESSAGE#118:TR_Logs:01/1_1", "nwparser.p0", "stransport"); var select23 = linear_select([ dup13, diff --git a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml index 8f0ef057c18c..80e68bb25231 100644 --- a/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml +++ b/x-pack/filebeat/module/barracuda/waf/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/barracuda/waf/manifest.yml b/x-pack/filebeat/module/barracuda/waf/manifest.yml index a49e3f69f81e..cab91dcb9297 100644 --- a/x-pack/filebeat/module/barracuda/waf/manifest.yml +++ b/x-pack/filebeat/module/barracuda/waf/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9503 + default: 9525 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log b/x-pack/filebeat/module/barracuda/waf/test/generated.log index 02e42897650f..da13bb9dbe3a 100644 --- a/x-pack/filebeat/module/barracuda/waf/test/generated.log +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log @@ -2,26 +2,25 @@ PROCMON: Started monitoring BYPASS: Mode set to BYPASS (nbyCic). UPDATE: [ALERT:tvolup] New attack definition version 1.1000 is available STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. -STM_WRAPPER: Successfully initialized STM. STM_WRAPPER: Initializing STM. eventmgr: Forwarding log messages to syslog host #imadm, address=10.16.222.151 PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading. BYPASS: Mode change: ccusant,epteurs UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available -STM: LB-doloreeu elillumq CreateServer =loremeum -STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu +STM: LB-doloreeu elillumq CreateServer =loremeum +STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available PROCMON: Monitoring links: lo4933 PROCMON: [ALERT:doconse] One of the RAID arrays is degrading. CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet -STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv +STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration. BYPASS: Mode change: urEx,labo eventmgr: Event manager startup succeeded. -STM: LB-Maloru lapariat SetServerdmin=oinBCSed +STM: LB-Maloru lapariat SetServerdmin=oinBCSed STM_WRAPPER: Successfully stopped STM. -PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua -STM: LB-isistena Malorum SetSapquelauda=enderit +CONFIG_AGENT: luptate Initiating config_agent database commit phase. +STM: LB-isistena Malorum SetSapquelauda=enderit eventmgr: Forwarding log messages to syslog host #equun, address=10.4.65.246 UPDATE: [ALERT:exer] New attack definition version 1.481 is available eventmgr: Event manager startup succeeded. @@ -33,9 +32,9 @@ PROCMON: [ALERT:onsequ] enp0s7094: link is up CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali eventmgr: Event manager startup succeeded. PROCMON: Started monitoring -STM: LB-mveniam rvelill EnableServer =iame +STM: LB-mveniam rvelill EnableServer =iame PROCMON: number of stm worker threads iseuf -STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios +STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios STM_WRAPPER: Successfully stopped STM. eventmgr: Forwarding log messages to syslog host #ccusa, address=10.58.33.30 PROCMON: [ALERT:uiadolo] eth321: link is up @@ -54,14 +53,17 @@ UPDATE: [ALERT:amei] New attack definition version 1.7778 is available UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available INSTALL: Migrating configuration from iceroin to qui INSTALL: Migrating configuration from pariatu to issusc -STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized. +STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized. STM_WRAPPER: Committing UI configuration. STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. -eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60 +INSTALL: Migrating configuration from ernat to Ute +STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed. STM_WRAPPER: Successfully initialized STM. STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration. -PROCMON: [ALERT:eumfu] eth5074: link is up +BYPASS: Mode set to never bypass. +CONFIG_AGENT: quaea RPC Name =eetd, RPC Result: fdeFin +PROCMON: number of stm worker threads isrro CONFIG_AGENT: tutlabo Initiating config_agent database commit phase. INSTALL: Loading the snapshot for pli release. CONFIG_AGENT: erit Initiating config_agent database commit phase. @@ -73,28 +75,26 @@ INSTALL: Migrating configuration from tfugit to taspern eventmgr: Forwarding log messages to syslog host #meiusm, address=10.48.248.158 STM_WRAPPER: Successfully initialized STM. PROCMON: number of stm worker threads isonula -STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor +STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor PROCMON: [ALERT:atev] One of the RAID arrays is degrading. CONFIG_AGENT: amaliq ept Received put-tree command BYPASS: Mode set to BYPASS (ectetura). -STM: COOKIE-icab quiado scipit = quiavolu +STM: COOKIE-icab quiado scipit = quiavolu BYPASS: Mode set to never bypass. -STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success -STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors +STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success +STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors INSTALL: Loading the snapshot for admi release. -STM: aps-Bon seosqui AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi -STM_WRAPPER: Successfully stopped STM. +CONFIG_AGENT: aecons Initiating config_agent database commit phase. +PROCMON: Monitoring links: eth801 PROCMON: Started monitoring UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available INSTALL: Loading the snapshot for stru release. PROCMON: Monitoring links: enp0s6182 -STM_WRAPPER: command(--digest) execution status = quaeratv +PROCMON: number of stm worker threads isumwri +BYPASS: Mode set to never bypass. +BYPASS: Mode set to BYPASS (eniamqu). +UPDATE: [ALERT:tco] New attack definition version 1.6840 is available STM_WRAPPER: Successfully initialized STM. -eventmgr: Event manager startup succeeded. STM_WRAPPER: Initializing STM. STM_WRAPPER: Successfully initialized STM. PROCMON: Started monitoring -CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa -STM_WRAPPER: Initializing STM. -STM: aps-quam etquasi CreateRC: RC Add policy Success -STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi diff --git a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json index 910233583b1e..ae69b15409b6 100644 --- a/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/waf/test/generated.log-expected.json @@ -77,25 +77,6 @@ "forwarded" ] }, - { - "event.code": "STM_WRAPPER", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 227, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, { "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", @@ -103,7 +84,7 @@ "event.original": "STM_WRAPPER: Initializing STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 270, + "log.offset": 227, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -123,7 +104,7 @@ "fileset.name": "waf", "host.ip": "10.16.222.151", "input.type": "log", - "log.offset": 301, + "log.offset": 258, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -145,7 +126,7 @@ "event.original": "PROCMON: [ALERT:eritqui] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 380, + "log.offset": 337, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -164,7 +145,7 @@ "event.original": "BYPASS: Mode change: ccusant,epteurs", "fileset.name": "waf", "input.type": "log", - "log.offset": 442, + "log.offset": 399, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -183,7 +164,7 @@ "event.original": "UPDATE: [ALERT:modoco] New attack definition version 1.3971 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 479, + "log.offset": 436, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -201,16 +182,14 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: LB-doloreeu elillumq CreateServer =loremeum", + "event.original": "STM: LB-doloreeu elillumq CreateServer =loremeum", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 552, + "log.offset": 509, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: LB Create Server command.", "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ @@ -222,17 +201,16 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu", + "event.original": "STM: WebLog-radi ula itsed: SapCtx=rad,SapId=olupta, ididu", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 607, + "log.offset": 558, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: WebLog Set Sap variable.", "rsa.internal.messageid": "STM", + "rsa.misc.obj_name": "itsed", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -246,7 +224,7 @@ "event.original": "UPDATE: [ALERT:xcepte] New attack definition version 1.4012 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 668, + "log.offset": 617, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -267,7 +245,7 @@ "event.original": "PROCMON: Monitoring links: lo4933", "fileset.name": "waf", "input.type": "log", - "log.offset": 741, + "log.offset": 690, "network.interface.name": "lo4933", "observer.product": "Web", "observer.type": "WAF", @@ -288,7 +266,7 @@ "event.original": "PROCMON: [ALERT:doconse] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 775, + "log.offset": 724, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -307,7 +285,7 @@ "event.original": "CONFIG_AGENT: odite atn It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., sectet", "fileset.name": "waf", "input.type": "log", - "log.offset": 837, + "log.offset": 786, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -323,16 +301,14 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv", + "event.original": "STM: LB-tet voluptas ActiveServerOutOfBandMonitorAttr =inv", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 967, + "log.offset": 916, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: LB ActiveServerOutOfBandMonitorAttr command.", "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ @@ -347,7 +323,7 @@ "event.original": "STM_WRAPPER: [ALERT:obeata] Configuration size is pexeaco which exceeds the ercitati safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1032, + "log.offset": 975, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -366,7 +342,7 @@ "event.original": "BYPASS: Mode change: urEx,labo", "fileset.name": "waf", "input.type": "log", - "log.offset": 1162, + "log.offset": 1105, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -385,7 +361,7 @@ "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1193, + "log.offset": 1136, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -401,16 +377,15 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: LB-Maloru lapariat SetServerdmin=oinBCSed", + "event.original": "STM: LB-Maloru lapariat SetServerdmin=oinBCSed", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1236, + "log.offset": 1179, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.db.index": "dmin", + "rsa.internal.event_desc": "STM: LB Set Server command.", "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ @@ -425,7 +400,7 @@ "event.original": "STM_WRAPPER: Successfully stopped STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1289, + "log.offset": 1226, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -438,19 +413,18 @@ ] }, { - "event.code": "PROCMON", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:amv] Firmware storage exceeds ipsaqua", + "event.original": "CONFIG_AGENT: luptate Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1328, + "log.offset": 1265, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.db.index": "ipsaqua", - "rsa.internal.event_desc": "PROCMON:Firmware storage exceeding.", - "rsa.internal.messageid": "PROCMON", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -461,16 +435,15 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: LB-isistena Malorum SetSapquelauda=enderit", + "event.original": "STM: LB-isistena Malorum SetSapquelauda=enderit", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1382, + "log.offset": 1334, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.db.index": "quelauda", + "rsa.internal.event_desc": "STM: LB Set Sap command.", "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ @@ -486,7 +459,7 @@ "fileset.name": "waf", "host.ip": "10.4.65.246", "input.type": "log", - "log.offset": 1436, + "log.offset": 1382, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -508,7 +481,7 @@ "event.original": "UPDATE: [ALERT:exer] New attack definition version 1.481 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 1513, + "log.offset": 1459, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -529,7 +502,7 @@ "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1583, + "log.offset": 1529, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -548,7 +521,7 @@ "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1626, + "log.offset": 1572, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -567,7 +540,7 @@ "event.original": "CONFIG_AGENT: isnisiu aspernat Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 1715, + "log.offset": 1661, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -586,7 +559,7 @@ "event.original": "INSTALL: Loading the snapshot for mquel release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 1763, + "log.offset": 1709, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -605,7 +578,7 @@ "event.original": "INSTALL: Migrating configuration from ueporr to ptate", "fileset.name": "waf", "input.type": "log", - "log.offset": 1812, + "log.offset": 1758, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -624,7 +597,7 @@ "event.original": "PROCMON: [ALERT:onsequ] enp0s7094: link is up", "fileset.name": "waf", "input.type": "log", - "log.offset": 1866, + "log.offset": 1812, "network.interface.name": "enp0s7094", "observer.product": "Web", "observer.type": "WAF", @@ -645,7 +618,7 @@ "event.original": "CONFIG_AGENT: iquip tDuisau It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., amali", "fileset.name": "waf", "input.type": "log", - "log.offset": 1912, + "log.offset": 1858, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -664,7 +637,7 @@ "event.original": "eventmgr: Event manager startup succeeded.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2045, + "log.offset": 1991, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -683,7 +656,7 @@ "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 2088, + "log.offset": 2034, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -699,16 +672,14 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: LB-mveniam rvelill EnableServer =iame", + "event.original": "STM: LB-mveniam rvelill EnableServer =iame", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2116, + "log.offset": 2062, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: LB Enable Server command.", "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ @@ -723,7 +694,7 @@ "event.original": "PROCMON: number of stm worker threads iseuf", "fileset.name": "waf", "input.type": "log", - "log.offset": 2165, + "log.offset": 2105, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -740,17 +711,16 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios", + "event.original": "STM: WebLog-ipiscin idolore turExce: SapCtx=modoc,SapId=mdolors, borios", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2209, + "log.offset": 2149, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: WebLog Set Sap variable.", "rsa.internal.messageid": "STM", + "rsa.misc.obj_name": "turExce", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -764,7 +734,7 @@ "event.original": "STM_WRAPPER: Successfully stopped STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2283, + "log.offset": 2221, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -784,7 +754,7 @@ "fileset.name": "waf", "host.ip": "10.58.33.30", "input.type": "log", - "log.offset": 2322, + "log.offset": 2260, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -806,7 +776,7 @@ "event.original": "PROCMON: [ALERT:uiadolo] eth321: link is up", "fileset.name": "waf", "input.type": "log", - "log.offset": 2399, + "log.offset": 2337, "network.interface.name": "eth321", "observer.product": "Web", "observer.type": "WAF", @@ -827,7 +797,7 @@ "event.original": "CONFIG_AGENT: rsi ciduntut Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 2443, + "log.offset": 2381, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -846,7 +816,7 @@ "event.original": "CONFIG_AGENT: radipis RPC Name =isa, RPC Result: aal", "fileset.name": "waf", "input.type": "log", - "log.offset": 2487, + "log.offset": 2425, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -865,7 +835,7 @@ "event.original": "INSTALL: Loading the snapshot for ris release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2540, + "log.offset": 2478, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -884,7 +854,7 @@ "event.original": "CONFIG_AGENT: aliqui rcitat Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 2587, + "log.offset": 2525, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -903,7 +873,7 @@ "event.original": "CONFIG_AGENT: aeconse Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 2632, + "log.offset": 2570, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -922,7 +892,7 @@ "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 2701, + "log.offset": 2639, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -941,7 +911,7 @@ "event.original": "CONFIG_AGENT: iaecon ipexea Update succeeded", "fileset.name": "waf", "input.type": "log", - "log.offset": 2729, + "log.offset": 2667, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -960,7 +930,7 @@ "event.original": "INSTALL: Migrating configuration from nulapa to cillu", "fileset.name": "waf", "input.type": "log", - "log.offset": 2774, + "log.offset": 2712, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -979,7 +949,7 @@ "event.original": "PROCMON: [ALERT:ectetura] Firmware storage exceeds didun", "fileset.name": "waf", "input.type": "log", - "log.offset": 2828, + "log.offset": 2766, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -999,7 +969,7 @@ "event.original": "CONFIG_AGENT: rcit nul Received put-tree command", "fileset.name": "waf", "input.type": "log", - "log.offset": 2885, + "log.offset": 2823, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1018,7 +988,7 @@ "event.original": "UPDATE: [ALERT:aliquaU] New attack definition version 1.1278 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 2934, + "log.offset": 2872, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1039,7 +1009,7 @@ "event.original": "UPDATE: [ALERT:amei] New attack definition version 1.7778 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 3008, + "log.offset": 2946, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1060,7 +1030,7 @@ "event.original": "UPDATE: [ALERT:gelitse] New attack definition version 1.3018 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 3079, + "log.offset": 3017, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1081,7 +1051,7 @@ "event.original": "INSTALL: Migrating configuration from iceroin to qui", "fileset.name": "waf", "input.type": "log", - "log.offset": 3153, + "log.offset": 3091, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1100,7 +1070,7 @@ "event.original": "INSTALL: Migrating configuration from pariatu to issusc", "fileset.name": "waf", "input.type": "log", - "log.offset": 3206, + "log.offset": 3144, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1116,16 +1086,14 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized.", + "event.original": "STM: FAILOVE-roinBCSe oreet Stateful Failover Module initialized.", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3262, + "log.offset": 3200, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: FAILOVE Stateful Failover Module initialized.", "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ @@ -1140,7 +1108,7 @@ "event.original": "STM_WRAPPER: Committing UI configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3329, + "log.offset": 3266, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1159,7 +1127,7 @@ "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3371, + "log.offset": 3308, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1172,22 +1140,37 @@ ] }, { - "event.code": "eventmgr", + "event.code": "INSTALL", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Forwarding log messages to syslog host #rroquisq, address=10.126.62.60", + "event.original": "INSTALL: Migrating configuration from ernat to Ute", "fileset.name": "waf", - "host.ip": "10.126.62.60", "input.type": "log", - "log.offset": 3460, + "log.offset": 3397, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "related.ip": [ - "10.126.62.60" - ], - "rsa.internal.event_desc": "eventmgr: Forwarding log messages to syslog host", - "rsa.internal.messageid": "eventmgr", + "rsa.internal.event_desc": " INSTALL: migrating configuration.", + "rsa.internal.messageid": "INSTALL", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "STM_WRAPPER", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3448, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM_WRAPPER: Rolling back the current database transaction. Configuration digest failed.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1201,7 +1184,7 @@ "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3541, + "log.offset": 3537, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1220,7 +1203,7 @@ "event.original": "STM: RespPage-rinrepr rvelill CreateRP: Response Page mve created successfully", "fileset.name": "waf", "input.type": "log", - "log.offset": 3584, + "log.offset": 3580, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1239,7 +1222,7 @@ "event.original": "STM_WRAPPER: [ALERT:ineav] Configuration size is onp which exceeds the gnaaliqu safe limit. Please check your configuration.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3663, + "log.offset": 3659, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1251,21 +1234,58 @@ "forwarded" ] }, + { + "event.code": "BYPASS", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "BYPASS: Mode set to never bypass.", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3784, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": " Mode set to never BYPASS.", + "rsa.internal.messageid": "BYPASS", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, + { + "event.code": "CONFIG_AGENT", + "event.dataset": "barracuda.waf", + "event.module": "barracuda", + "event.original": "CONFIG_AGENT: quaea RPC Name =eetd, RPC Result: fdeFin", + "fileset.name": "waf", + "input.type": "log", + "log.offset": 3818, + "observer.product": "Web", + "observer.type": "WAF", + "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "CONFIG_AGENT: RPC information.", + "rsa.internal.messageid": "CONFIG_AGENT", + "service.type": "barracuda", + "tags": [ + "barracuda.waf", + "forwarded" + ] + }, { "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "PROCMON: [ALERT:eumfu] eth5074: link is up", + "event.original": "PROCMON: number of stm worker threads isrro", "fileset.name": "waf", "input.type": "log", - "log.offset": 3788, - "network.interface.name": "eth5074", + "log.offset": 3873, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON:Link is up.", + "rsa.db.index": "rro", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", "rsa.internal.messageid": "PROCMON", - "rsa.network.interface": "eth5074", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1279,7 +1299,7 @@ "event.original": "CONFIG_AGENT: tutlabo Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3831, + "log.offset": 3917, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1298,7 +1318,7 @@ "event.original": "INSTALL: Loading the snapshot for pli release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3900, + "log.offset": 3986, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1317,7 +1337,7 @@ "event.original": "CONFIG_AGENT: erit Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.offset": 3947, + "log.offset": 4033, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1336,7 +1356,7 @@ "event.original": "INSTALL: Loading the snapshot for mod release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4013, + "log.offset": 4099, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1355,7 +1375,7 @@ "event.original": "INSTALL: Loading the snapshot for lamcolab release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4060, + "log.offset": 4146, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1374,7 +1394,7 @@ "event.original": "INSTALL: Migrating configuration from estlab to tis", "fileset.name": "waf", "input.type": "log", - "log.offset": 4112, + "log.offset": 4198, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1393,7 +1413,7 @@ "event.original": "PROCMON: [ALERT:uamqua] Firmware storage exceeds labo", "fileset.name": "waf", "input.type": "log", - "log.offset": 4164, + "log.offset": 4250, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1413,7 +1433,7 @@ "event.original": "INSTALL: Migrating configuration from tfugit to taspern", "fileset.name": "waf", "input.type": "log", - "log.offset": 4218, + "log.offset": 4304, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1433,7 +1453,7 @@ "fileset.name": "waf", "host.ip": "10.48.248.158", "input.type": "log", - "log.offset": 4274, + "log.offset": 4360, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1455,7 +1475,7 @@ "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4354, + "log.offset": 4440, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1474,7 +1494,7 @@ "event.original": "PROCMON: number of stm worker threads isonula", "fileset.name": "waf", "input.type": "log", - "log.offset": 4397, + "log.offset": 4483, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1491,16 +1511,15 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", + "event.original": "STM: FTPSVC-nimi ilmoles Ftp proxy initialized labor", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4443, + "log.offset": 4529, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.db.index": "labor", + "rsa.internal.event_desc": "STM: FTPSVC Ftp proxy initialized.", "rsa.internal.messageid": "STM", "service.type": "barracuda", "tags": [ @@ -1515,7 +1534,7 @@ "event.original": "PROCMON: [ALERT:atev] One of the RAID arrays is degrading.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4498, + "log.offset": 4582, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1534,7 +1553,7 @@ "event.original": "CONFIG_AGENT: amaliq ept Received put-tree command", "fileset.name": "waf", "input.type": "log", - "log.offset": 4557, + "log.offset": 4641, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1553,7 +1572,7 @@ "event.original": "BYPASS: Mode set to BYPASS (ectetura).", "fileset.name": "waf", "input.type": "log", - "log.offset": 4608, + "log.offset": 4692, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1569,17 +1588,17 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: COOKIE-icab quiado scipit = quiavolu", + "event.original": "STM: COOKIE-icab quiado scipit = quiavolu", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4647, + "log.offset": 4731, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.db.index": "quiavolu", + "rsa.internal.event_desc": "STM: COOKIE Cookie parameters set.", "rsa.internal.messageid": "STM", + "rsa.misc.obj_name": "scipit", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1593,7 +1612,7 @@ "event.original": "BYPASS: Mode set to never bypass.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4691, + "log.offset": 4773, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1609,17 +1628,17 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success", + "event.original": "STM: CACHE-oconseq tsedd untin SapCtx susc, SapId amr, Return Code success", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4725, + "log.offset": 4807, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: CACHE SapCtx log.", "rsa.internal.messageid": "STM", + "rsa.misc.obj_name": "untin", + "rsa.misc.result": "success", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1630,17 +1649,17 @@ "event.code": "STM", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors", + "event.original": "STM: aps-ddoeius tautfugi ParamProtectionClonePatterns: Old:cin, New:fugia, PatternsNode:olors", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4803, + "log.offset": 4882, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", + "rsa.internal.event_desc": "STM: aps ParamProtectionClonePatterns values changed.", "rsa.internal.messageid": "STM", + "rsa.misc.change_new": "fugia", + "rsa.misc.change_old": "cin", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1654,7 +1673,7 @@ "event.original": "INSTALL: Loading the snapshot for admi release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 4903, + "log.offset": 4977, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1667,20 +1686,18 @@ ] }, { - "event.code": "STM", + "event.code": "CONFIG_AGENT", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: aps-Bon seosqui AddIpsCloakFilterRespHeader [idu] Ret stquidol, SapCtx itautfug, sapId byCi", + "event.original": "CONFIG_AGENT: aecons Initiating config_agent database commit phase.", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 4951, + "log.offset": 5025, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.messageid": "STM", + "rsa.internal.event_desc": "CONFIG_AGENT:Initiating config_agent database commit phase.", + "rsa.internal.messageid": "CONFIG_AGENT", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1688,18 +1705,20 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully stopped STM.", + "event.original": "PROCMON: Monitoring links: eth801", "fileset.name": "waf", "input.type": "log", - "log.offset": 5053, + "log.offset": 5093, + "network.interface.name": "eth801", "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully stopped STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": "PROCMON: Monitoring links.", + "rsa.internal.messageid": "PROCMON", + "rsa.network.interface": "eth801", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1713,7 +1732,7 @@ "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.offset": 5092, + "log.offset": 5127, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1732,7 +1751,7 @@ "event.original": "UPDATE: [ALERT:ntoc] New attack definition version 1.7781 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 5120, + "log.offset": 5155, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1753,7 +1772,7 @@ "event.original": "INSTALL: Loading the snapshot for stru release.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5191, + "log.offset": 5226, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1772,7 +1791,7 @@ "event.original": "PROCMON: Monitoring links: enp0s6182", "fileset.name": "waf", "input.type": "log", - "log.offset": 5239, + "log.offset": 5274, "network.interface.name": "enp0s6182", "observer.product": "Web", "observer.type": "WAF", @@ -1787,19 +1806,19 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: command(--digest) execution status = quaeratv", + "event.original": "PROCMON: number of stm worker threads isumwri", "fileset.name": "waf", "input.type": "log", - "log.offset": 5276, + "log.offset": 5311, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.db.index": "quaeratv", - "rsa.internal.event_desc": "STM_WRAPPER: command execution status.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.db.index": "umwri", + "rsa.internal.event_desc": "PROCMON: number of stm worker threads", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1807,18 +1826,18 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "BYPASS", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Successfully initialized STM.", + "event.original": "BYPASS: Mode set to never bypass.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5335, + "log.offset": 5357, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "rsa.internal.event_desc": " Mode set to never BYPASS.", + "rsa.internal.messageid": "BYPASS", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1826,18 +1845,18 @@ ] }, { - "event.code": "eventmgr", + "event.code": "BYPASS", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "eventmgr: Event manager startup succeeded.", + "event.original": "BYPASS: Mode set to BYPASS (eniamqu).", "fileset.name": "waf", "input.type": "log", - "log.offset": 5378, + "log.offset": 5391, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "eventmgr: Event manager startup succeeded.", - "rsa.internal.messageid": "eventmgr", + "rsa.internal.event_desc": " Mode set to BYPASS.", + "rsa.internal.messageid": "BYPASS", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1845,18 +1864,20 @@ ] }, { - "event.code": "STM_WRAPPER", + "event.code": "UPDATE", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM_WRAPPER: Initializing STM.", + "event.original": "UPDATE: [ALERT:tco] New attack definition version 1.6840 is available", "fileset.name": "waf", "input.type": "log", - "log.offset": 5421, + "log.offset": 5429, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "STM_WRAPPER: Initializing STM.", - "rsa.internal.messageid": "STM_WRAPPER", + "observer.version": "1.6840", + "rsa.internal.event_desc": "UPDATE: ALERT New attack definition version is available", + "rsa.internal.messageid": "UPDATE", + "rsa.misc.version": "1.6840", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1870,7 +1891,7 @@ "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5452, + "log.offset": 5499, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1882,44 +1903,6 @@ "forwarded" ] }, - { - "event.code": "PROCMON", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "PROCMON: Started monitoring", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5495, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "PROCMON: Started monitoring", - "rsa.internal.messageid": "PROCMON", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, - { - "event.code": "CONFIG_AGENT", - "event.dataset": "barracuda.waf", - "event.module": "barracuda", - "event.original": "CONFIG_AGENT: tDuis isnis It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time., metMa", - "fileset.name": "waf", - "input.type": "log", - "log.offset": 5523, - "observer.product": "Web", - "observer.type": "WAF", - "observer.vendor": "Barracuda", - "rsa.internal.event_desc": "It is recommended to configure cookie_encryption_key_expiry atleast 7 days ahead of current time.", - "rsa.internal.messageid": "CONFIG_AGENT", - "service.type": "barracuda", - "tags": [ - "barracuda.waf", - "forwarded" - ] - }, { "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", @@ -1927,7 +1910,7 @@ "event.original": "STM_WRAPPER: Initializing STM.", "fileset.name": "waf", "input.type": "log", - "log.offset": 5654, + "log.offset": 5542, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", @@ -1940,20 +1923,18 @@ ] }, { - "event.code": "STM", + "event.code": "STM_WRAPPER", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: aps-quam etquasi CreateRC: RC Add policy Success", + "event.original": "STM_WRAPPER: Successfully initialized STM.", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5685, + "log.offset": 5573, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.messageid": "STM", + "rsa.internal.event_desc": "STM_WRAPPER: Successfully initialized STM.", + "rsa.internal.messageid": "STM_WRAPPER", "service.type": "barracuda", "tags": [ "barracuda.waf", @@ -1961,20 +1942,18 @@ ] }, { - "event.code": "STM", + "event.code": "PROCMON", "event.dataset": "barracuda.waf", "event.module": "barracuda", - "event.original": "STM: WebLog-untutl eseosqui user: SapCtx=ons,SapId=ation, eabilloi", + "event.original": "PROCMON: Started monitoring", "fileset.name": "waf", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 5744, + "log.offset": 5616, "observer.product": "Web", "observer.type": "WAF", "observer.vendor": "Barracuda", - "rsa.internal.messageid": "STM", + "rsa.internal.event_desc": "PROCMON: Started monitoring", + "rsa.internal.messageid": "PROCMON", "service.type": "barracuda", "tags": [ "barracuda.waf", diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml index 5a7f220ec715..7b8167b42388 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/input.yml +++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js +++ b/x-pack/filebeat/module/bluecoat/director/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/bluecoat/director/config/pipeline.js b/x-pack/filebeat/module/bluecoat/director/config/pipeline.js index e000b6702d9d..fbf91739e3d2 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/pipeline.js +++ b/x-pack/filebeat/module/bluecoat/director/config/pipeline.js @@ -21,40 +21,33 @@ var dup1 = call({ args: [ field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }); -var dup2 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{p0}"); +var dup2 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{username}@%{p0}"); -var dup3 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); +var dup3 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); -var dup4 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); +var dup4 = setc("eventcategory","1605000000"); -var dup5 = setc("eventcategory","1605000000"); +var dup5 = setf("msg","$MSG"); -var dup6 = setf("msg","$MSG"); +var dup6 = setc("event_description","bad variable"); -var dup7 = setc("event_description","bad variable"); +var dup7 = setc("event_description","This file is automatically generated"); -var dup8 = setc("event_description","This file is automatically generated"); +var dup8 = setc("eventcategory","1603000000"); -var dup9 = setc("eventcategory","1603000000"); +var dup9 = setc("event_description","authentication failure"); -var dup10 = setc("event_description","authentication failure"); - -var dup11 = linear_select([ - dup3, +var dup10 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ dup4, -]); - -var dup12 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ dup5, dup6, - dup7, ])); -var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -64,17 +57,17 @@ var hdr1 = match("HEADER#0:0001", "message", "%{messageid}[%{hfld1}]: %{payload} constant("["), field("hfld1"), constant("]: "), - field("payload"), + field("p0"), ], }), ])); -var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{messageid}: %{p0}", processor_chain([ setc("header_id","0002"), dup1, ])); -var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}[%{hfld5}]: %{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -84,12 +77,12 @@ var hdr3 = match("HEADER#2:0003", "message", "%{hfld1->} %{hfld2->} %{hfld3->} % constant("["), field("hfld5"), constant("]: "), - field("payload"), + field("p0"), ], }), ])); -var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "%{hfld1->} %{hfld2->} %{hfld3->} %{hfld4->} %{messageid}: %{p0}", processor_chain([ setc("header_id","0004"), dup1, ])); @@ -101,179 +94,241 @@ var select1 = linear_select([ hdr4, ]); -var part1 = match("MESSAGE#0:cli/2", "nwparser.p0", ": Processing command: %{action}"); +var part1 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command: %{p0}"); + +var part2 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{domain->} : Processing command: %{p0}"); + +var select2 = linear_select([ + part1, + part2, +]); var all1 = all_match({ processors: [ dup2, - dup11, - part1, + select2, + dup3, ], on_success: processor_chain([ + dup4, dup5, - dup6, ]), }); var msg1 = msg("cli", all1); -var part2 = match("MESSAGE#1:cli:01/2", "nwparser.p0", ": Processing command %{action}"); +var part3 = match("MESSAGE#1:cli:01/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing command %{p0}"); + +var part4 = match("MESSAGE#1:cli:01/1_1", "nwparser.p0", "%{domain->} : Processing command %{p0}"); + +var select3 = linear_select([ + part3, + part4, +]); var all2 = all_match({ processors: [ dup2, - dup11, - part2, + select3, + dup3, ], on_success: processor_chain([ + dup4, dup5, - dup6, ]), }); var msg2 = msg("cli:01", all2); -var part3 = match("MESSAGE#2:cli:02/2", "nwparser.p0", ": Leaving config mode%{}"); +var part5 = match("MESSAGE#2:cli:02/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving config mode"); + +var part6 = match("MESSAGE#2:cli:02/1_1", "nwparser.p0", "%{domain->} : Leaving config mode"); + +var select4 = linear_select([ + part5, + part6, +]); var all3 = all_match({ processors: [ dup2, - dup11, - part3, + select4, ], on_success: processor_chain([ + dup4, dup5, - dup6, setc("event_description","Leaving config mode"), ]), }); var msg3 = msg("cli:02", all3); -var part4 = match("MESSAGE#3:cli:03/2", "nwparser.p0", ": Entering config mode%{}"); +var part7 = match("MESSAGE#3:cli:03/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering config mode"); + +var part8 = match("MESSAGE#3:cli:03/1_1", "nwparser.p0", "%{domain->} : Entering config mode"); + +var select5 = linear_select([ + part7, + part8, +]); var all4 = all_match({ processors: [ dup2, - dup11, - part4, + select5, ], on_success: processor_chain([ + dup4, dup5, - dup6, setc("event_description","Entering config mode"), ]), }); var msg4 = msg("cli:03", all4); -var part5 = match("MESSAGE#4:cli:04/2", "nwparser.p0", ": CLI exiting%{}"); +var part9 = match("MESSAGE#4:cli:04/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI exiting"); + +var part10 = match("MESSAGE#4:cli:04/1_1", "nwparser.p0", "%{domain->} : CLI exiting"); + +var select6 = linear_select([ + part9, + part10, +]); var all5 = all_match({ processors: [ dup2, - dup11, - part5, + select6, ], on_success: processor_chain([ + dup4, dup5, - dup6, setc("event_description","CLI exiting"), ]), }); var msg5 = msg("cli:04", all5); -var part6 = match("MESSAGE#5:cli:05/2", "nwparser.p0", ": CLI launched%{}"); +var part11 = match("MESSAGE#5:cli:05/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : CLI launched"); + +var part12 = match("MESSAGE#5:cli:05/1_1", "nwparser.p0", "%{domain->} : CLI launched"); + +var select7 = linear_select([ + part11, + part12, +]); var all6 = all_match({ processors: [ dup2, - dup11, - part6, + select7, ], on_success: processor_chain([ + dup4, dup5, - dup6, setc("event_description","CLI launched"), ]), }); var msg6 = msg("cli:05", all6); -var part7 = match("MESSAGE#6:Automatically/2", "nwparser.p0", ": Automatically logged out due to keyboard inactivity.%{}"); +var part13 = match("MESSAGE#6:Automatically/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Automatically logged out due to keyboard inactivity."); + +var part14 = match("MESSAGE#6:Automatically/1_1", "nwparser.p0", "%{domain->} : Automatically logged out due to keyboard inactivity."); + +var select8 = linear_select([ + part13, + part14, +]); var all7 = all_match({ processors: [ dup2, - dup11, - part7, + select8, ], on_success: processor_chain([ - dup5, + dup4, setc("ec_subject","User"), setc("ec_activity","Logoff"), - dup6, + dup5, setc("event_description","Automatically logged out due to keyboard inactivity"), ]), }); var msg7 = msg("Automatically", all7); -var part8 = match("MESSAGE#7:cli:06/2", "nwparser.p0", ": Entering enable mode%{}"); +var part15 = match("MESSAGE#7:cli:06/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Entering enable mode"); + +var part16 = match("MESSAGE#7:cli:06/1_1", "nwparser.p0", "%{domain->} : Entering enable mode"); + +var select9 = linear_select([ + part15, + part16, +]); var all8 = all_match({ processors: [ dup2, - dup11, - part8, + select9, ], on_success: processor_chain([ + dup4, dup5, - dup6, setc("event_description","Entering enable mode"), ]), }); var msg8 = msg("cli:06", all8); -var part9 = match("MESSAGE#8:cli:07/2", "nwparser.p0", ": Leaving enable mode%{}"); +var part17 = match("MESSAGE#8:cli:07/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Leaving enable mode"); + +var part18 = match("MESSAGE#8:cli:07/1_1", "nwparser.p0", "%{domain->} : Leaving enable mode"); + +var select10 = linear_select([ + part17, + part18, +]); var all9 = all_match({ processors: [ dup2, - dup11, - part9, + select10, ], on_success: processor_chain([ + dup4, dup5, - dup6, setc("event_description","Leaving enable mode"), ]), }); var msg9 = msg("cli:07", all9); -var part10 = match("MESSAGE#9:Processing/2", "nwparser.p0", ": Processing a secure command...%{}"); +var part19 = match("MESSAGE#9:Processing/1_0", "nwparser.p0", "::%{fld5}:%{saddr->} : Processing a secure command..."); + +var part20 = match("MESSAGE#9:Processing/1_1", "nwparser.p0", "%{domain->} : Processing a secure command..."); + +var select11 = linear_select([ + part19, + part20, +]); var all10 = all_match({ processors: [ dup2, - dup11, - part10, + select11, ], on_success: processor_chain([ + dup4, dup5, - dup6, setc("event_description","Processing a secure command"), ]), }); var msg10 = msg("Processing", all10); -var msg11 = msg("cli:pam", dup12); +var msg11 = msg("cli:pam", dup10); -var select2 = linear_select([ +var select12 = linear_select([ msg1, msg2, msg3, @@ -287,258 +342,258 @@ var select2 = linear_select([ msg11, ]); -var part11 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ +var part21 = match("MESSAGE#11:schedulerd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executing Job \"%{operation_id}\" execution %{fld6}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg12 = msg("schedulerd", part11); +var msg12 = msg("schedulerd", part21); -var part12 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ +var part22 = match("MESSAGE#12:schedulerd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System time changed, recomputing job run times.", processor_chain([ + dup4, dup5, - dup6, setc("event_description","System time changed, recomputing job run times"), ])); -var msg13 = msg("schedulerd:01", part12); +var msg13 = msg("schedulerd:01", part22); -var select3 = linear_select([ +var select13 = linear_select([ msg12, msg13, ]); -var part13 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%{filename}\" for device \"%{hostname}\".", processor_chain([ +var part23 = match("MESSAGE#13:configd:Rotating", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Rotating out backup file \"%{filename}\" for device \"%{hostname}\".", processor_chain([ + dup4, dup5, - dup6, ])); -var msg14 = msg("configd:Rotating", part13); +var msg14 = msg("configd:Rotating", part23); -var part14 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ +var part24 = match("MESSAGE#14:configd:Deleting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Deleting backup %{filename->} from device \"%{hostname}\"", processor_chain([ + dup4, dup5, - dup6, ])); -var msg15 = msg("configd:Deleting", part14); +var msg15 = msg("configd:Deleting", part24); -var part15 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ +var part25 = match("MESSAGE#15:configd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) \u003c\u003c%{action}> ...", processor_chain([ + dup4, dup5, - dup6, ])); -var msg16 = msg("configd", part15); +var msg16 = msg("configd", part25); -var part16 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ +var part26 = match("MESSAGE#16:configd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg17 = msg("configd:01", part16); +var msg17 = msg("configd:01", part26); -var part17 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ +var part27 = match("MESSAGE#17:configd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Sending commands to Device %{hostname}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg18 = msg("configd:11", part17); +var msg18 = msg("configd:11", part27); -var part18 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ +var part28 = match("MESSAGE#18:file", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup4, dup5, - dup6, - dup8, + dup7, ])); -var msg19 = msg("file", part18); +var msg19 = msg("file", part28); -var part19 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ +var part29 = match("MESSAGE#19:configd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: command: %{action}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg20 = msg("configd:02", part19); +var msg20 = msg("configd:02", part29); -var part20 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ +var part30 = match("MESSAGE#20:configd:22", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: command: %{action}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg21 = msg("configd:22", part20); +var msg21 = msg("configd:22", part30); -var part21 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ +var part31 = match("MESSAGE#21:configd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg22 = msg("configd:03", part21); +var msg22 = msg("configd:03", part31); -var part22 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ +var part32 = match("MESSAGE#22:configd:33", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@%{fld6}: Commands sent to Device %{hostname}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg23 = msg("configd:33", part22); +var msg23 = msg("configd:33", part32); -var part23 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ +var part33 = match("MESSAGE#23:Backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup import command finished for all devices.", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Backup import command finished for all devices"), ])); -var msg24 = msg("Backup", part23); +var msg24 = msg("Backup", part33); -var part24 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ +var part34 = match("MESSAGE#24:Beginning", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Beginning to make backup of cache %{hostname}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Beginning to make backup of cache"), ])); -var msg25 = msg("Beginning", part24); +var msg25 = msg("Beginning", part34); -var part25 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ +var part35 = match("MESSAGE#25:Inputting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Inputting overlay \u003c\u003c%{fld10}>", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Inputting overlay"), ])); -var msg26 = msg("Inputting", part25); +var msg26 = msg("Inputting", part35); -var part26 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %{filename}", processor_chain([ +var part36 = match("MESSAGE#26:Saved", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Saved %{info->} to %{filename}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg27 = msg("Saved", part26); +var msg27 = msg("Saved", part36); -var part27 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ +var part37 = match("MESSAGE#27:Importing", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Importing overlay \u003c\u003c%{fld25}> from %{hostname}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg28 = msg("Importing", part27); +var msg28 = msg("Importing", part37); -var part28 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ +var part38 = match("MESSAGE#28:Overlay", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Overlay \"%{fld25}\" imported from device \"%{hostname}\"", processor_chain([ + dup4, dup5, - dup6, ])); -var msg29 = msg("Overlay", part28); +var msg29 = msg("Overlay", part38); -var part29 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %{filename}", processor_chain([ +var part39 = match("MESSAGE#29:Executed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Executed the last created overlay. The filename is %{filename}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg30 = msg("Executed", part29); +var msg30 = msg("Executed", part39); -var part30 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ +var part40 = match("MESSAGE#30:Configuration", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Configuration system online", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Configuration system online"), ])); -var msg31 = msg("Configuration", part30); +var msg31 = msg("Configuration", part40); -var part31 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ +var part41 = match("MESSAGE#31:Create", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CREATE %{info}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Table creation"), ])); -var msg32 = msg("Create", part31); +var msg32 = msg("Create", part41); -var part32 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ +var part42 = match("MESSAGE#32:Loaded", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Loaded config file initial", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Loaded config file initial"), ])); -var msg33 = msg("Loaded", part32); +var msg33 = msg("Loaded", part42); -var part33 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ +var part43 = match("MESSAGE#33:Setting", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Setting set-reply timeout to %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Setting set-reply timeout"), ])); -var msg34 = msg("Setting", part33); +var msg34 = msg("Setting", part43); -var part34 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ +var part44 = match("MESSAGE#34:CCD", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> CCD lost connection to device \"%{hostname}\": %{event_description}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg35 = msg("CCD", part34); +var msg35 = msg("CCD", part44); -var part35 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ +var part45 = match("MESSAGE#35:Device", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" is now online.", processor_chain([ + dup4, dup5, - dup6, ])); -var msg36 = msg("Device", part35); +var msg36 = msg("Device", part45); -var part36 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ +var part46 = match("MESSAGE#36:Output", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: %{fld9->} Output for device \"%{hostname}\" %{fld10}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg37 = msg("Output", part36); +var msg37 = msg("Output", part46); -var part37 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ +var part47 = match("MESSAGE#37:ssh", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> (ssh) %{event_description}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg38 = msg("ssh", part37); +var msg38 = msg("ssh", part47); -var part38 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ +var part48 = match("MESSAGE#38:Applying", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to group %{group_object}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Applying overlay to group"), ])); -var msg39 = msg("Applying", part38); +var msg39 = msg("Applying", part48); -var part39 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ +var part49 = match("MESSAGE#39:Applying:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{username}@::%{fld5}:%{saddr}-%{fld6}: Applying overlay \u003c\u003c%{fld10}> to cache %{hostname}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Applying overlay to cache"), ])); -var msg40 = msg("Applying:01", part39); +var msg40 = msg("Applying:01", part49); -var part40 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". ID %{fld10}", processor_chain([ +var part50 = match("MESSAGE#40:configd:backup", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Backup complete for device \"%{hostname}\". ID %{fld10}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Backup complete for device"), ])); -var msg41 = msg("configd:backup", part40); +var msg41 = msg("configd:backup", part50); -var part41 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ +var part51 = match("MESSAGE#41:file:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device \"%{hostname}\" completed command(s) %{action->} ;; CPL generated by Visual Policy Manager: %{fld10->} ;%{fld11->} ; %{fld12->} ; %{info}", processor_chain([ + dup4, dup5, - dup6, - dup8, + dup7, ])); -var msg42 = msg("file:01", part41); +var msg42 = msg("file:01", part51); -var part42 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ +var part52 = match("MESSAGE#42:configd:connection", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> read: Connection reset by peer", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Connection reset by peer"), ])); -var msg43 = msg("configd:connection", part42); +var msg43 = msg("configd:connection", part52); -var part43 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ +var part53 = match("MESSAGE#43:configd:failed", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{info->} failed", processor_chain([ + dup4, dup5, - dup6, setc("event_description","cd session read failed"), ])); -var msg44 = msg("configd:failed", part43); +var msg44 = msg("configd:failed", part53); -var select4 = linear_select([ +var select14 = linear_select([ msg14, msg15, msg16, @@ -572,61 +627,61 @@ var select4 = linear_select([ msg44, ]); -var part44 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ +var part54 = match("MESSAGE#44:poller", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Querying content system for job results.", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Querying content system for job results"), ])); -var msg45 = msg("poller", part44); +var msg45 = msg("poller", part54); -var part45 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ +var part55 = match("MESSAGE#45:heartbeat", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg46 = msg("heartbeat", part45); +var msg46 = msg("heartbeat", part55); -var part46 = match("MESSAGE#46:heartbeat:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ +var part56 = match("MESSAGE#46:heartbeat:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> The HB command is %{action}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg47 = msg("heartbeat:01", part46); +var msg47 = msg("heartbeat:01", part56); -var part47 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ +var part57 = match("MESSAGE#47:heartbeat:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client exiting.", processor_chain([ + dup4, dup5, - dup6, setc("event_description","director heartbeat client exiting"), ])); -var msg48 = msg("heartbeat:02", part47); +var msg48 = msg("heartbeat:02", part57); -var part48 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ +var part58 = match("MESSAGE#48:heartbeat:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> director heartbeat client launched.", processor_chain([ + dup4, dup5, - dup6, setc("event_description","director heartbeat client launched"), ])); -var msg49 = msg("heartbeat:03", part48); +var msg49 = msg("heartbeat:03", part58); -var part49 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{filename}: undefined symbol: %{info}", processor_chain([ +var part59 = match("MESSAGE#49:heartbeat:crit1", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> %{filename}: undefined symbol: %{info}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","undefined symbol"), ])); -var msg50 = msg("heartbeat:crit1", part49); +var msg50 = msg("heartbeat:crit1", part59); -var part50 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ +var part60 = match("MESSAGE#50:heartbeat:crit2", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> connect: %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","No such file or directory"), ])); -var msg51 = msg("heartbeat:crit2", part50); +var msg51 = msg("heartbeat:crit2", part60); -var select5 = linear_select([ +var select15 = linear_select([ msg46, msg47, msg48, @@ -635,43 +690,43 @@ var select5 = linear_select([ msg51, ]); -var part51 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". Output %{fld9}: %{result}", processor_chain([ +var part61 = match("MESSAGE#51:runner", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} command %{fld7}: \"%{action}\". Output %{fld9}: %{result}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg52 = msg("runner", part51); +var msg52 = msg("runner", part61); -var part52 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ +var part62 = match("MESSAGE#52:runner:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Processing command: %{action}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg53 = msg("runner:01", part52); +var msg53 = msg("runner:01", part62); -var part53 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ +var part63 = match("MESSAGE#53:runner:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Job \"%{operation_id}\" execution %{fld6->} finished running.", processor_chain([ + dup4, dup5, - dup6, ])); -var msg54 = msg("runner:02", part53); +var msg54 = msg("runner:02", part63); -var part54 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %{filename}", processor_chain([ +var part64 = match("MESSAGE#54:runner:crit1", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Failed to exec %{filename}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg55 = msg("runner:crit1", part54); +var msg55 = msg("runner:crit1", part64); -var part55 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ +var part65 = match("MESSAGE#55:runner:crit2", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> File reading failed", processor_chain([ + dup4, dup5, - dup6, setc("event_description","File reading failed"), ])); -var msg56 = msg("runner:crit2", part55); +var msg56 = msg("runner:crit2", part65); -var select6 = linear_select([ +var select16 = linear_select([ msg52, msg53, msg54, @@ -679,75 +734,75 @@ var select6 = linear_select([ msg56, ]); -var part56 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ +var part66 = match("MESSAGE#56:ccd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: attempting connection using %{fld6->} on port: %{fld7}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg57 = msg("ccd", part56); +var msg57 = msg("ccd", part66); -var part57 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ +var part67 = match("MESSAGE#57:ccd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{event_description}, Reason %{result}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg58 = msg("ccd:01", part57); +var msg58 = msg("ccd:01", part67); -var part58 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ +var part68 = match("MESSAGE#58:ccd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: couldn't match the response \u003c\u003c%{event_description}>", processor_chain([ + dup4, dup5, - dup6, ])); -var msg59 = msg("ccd:03", part58); +var msg59 = msg("ccd:03", part68); -var part59 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ +var part69 = match("MESSAGE#59:ccd:04", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: Did not get echo for the command \u003c\u003c%{action}>for past %{fld10}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg60 = msg("ccd:04", part59); +var msg60 = msg("ccd:04", part69); -var part60 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ +var part70 = match("MESSAGE#60:ccd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device %{hostname}: %{info}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","info on device connection"), ])); -var msg61 = msg("ccd:02", part60); +var msg61 = msg("ccd:02", part70); -var part61 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ +var part71 = match("MESSAGE#61:ccd:05", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> write to %{fld1->} pipe : %{info}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","write to ssh pipe"), ])); -var msg62 = msg("ccd:05", part61); +var msg62 = msg("ccd:05", part71); -var part62 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ +var part72 = match("MESSAGE#62:ccd:06", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> ccd_handle_read_failure(), %{info}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","ccd handle read failure"), ])); -var msg63 = msg("ccd:06", part62); +var msg63 = msg("ccd:06", part72); -var part63 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ +var part73 = match("MESSAGE#63:ccd:07", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device Communication Daemon online", processor_chain([ + dup4, dup5, - dup6, setc("event_description","device communication daemon online"), ])); -var msg64 = msg("ccd:07", part63); +var msg64 = msg("ccd:07", part73); -var part64 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ +var part74 = match("MESSAGE#64:ccd:08", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> System memory is: %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","system memory size"), ])); -var msg65 = msg("ccd:08", part64); +var msg65 = msg("ccd:08", part74); -var select7 = linear_select([ +var select17 = linear_select([ msg57, msg58, msg59, @@ -759,48 +814,48 @@ var select7 = linear_select([ msg65, ]); -var part65 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ - dup9, - dup6, +var part75 = match("MESSAGE#65:sshd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> error: Bind to port %{fld10->} on %{fld5->} failed: %{result}", processor_chain([ + dup8, + dup5, ])); -var msg66 = msg("sshd", part65); +var msg66 = msg("sshd", part75); -var part66 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ +var part76 = match("MESSAGE#66:sshd:01", "nwparser.payload", "%{agent}: bad username %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","bad username"), ])); -var msg67 = msg("sshd:01", part66); +var msg67 = msg("sshd:01", part76); -var part67 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ +var part77 = match("MESSAGE#67:sshd:02", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): authentication failure; %{info}", processor_chain([ + dup4, dup5, - dup6, - dup10, + dup9, ])); -var msg68 = msg("sshd:02", part67); +var msg68 = msg("sshd:02", part77); -var part68 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ +var part78 = match("MESSAGE#68:sshd:03", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): check pass; %{fld3}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","check pass, user unknown"), ])); -var msg69 = msg("sshd:03", part68); +var msg69 = msg("sshd:03", part78); -var part69 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ +var part79 = match("MESSAGE#69:sshd:04", "nwparser.payload", "%{agent}[%{process_id}]: PAM %{fld1->} more authentication failure; %{info}", processor_chain([ + dup4, dup5, - dup6, - dup10, + dup9, ])); -var msg70 = msg("sshd:04", part69); +var msg70 = msg("sshd:04", part79); -var msg71 = msg("sshd:pam", dup12); +var msg71 = msg("sshd:pam", dup10); -var select8 = linear_select([ +var select18 = linear_select([ msg66, msg67, msg68, @@ -809,42 +864,42 @@ var select8 = linear_select([ msg71, ]); -var part70 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ +var part80 = match("MESSAGE#71:dmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> inserted device id = %{hostname->} and serial number = %{fld6->} into DB", processor_chain([ + dup4, dup5, - dup6, ])); -var msg72 = msg("dmd", part70); +var msg72 = msg("dmd", part80); -var part71 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ +var part81 = match("MESSAGE#72:dmd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for metric\"%{hostname}\" \"%{change_old}\" changed to \"%{change_new}\", reason: \"%{result}\"", processor_chain([ + dup4, dup5, - dup6, ])); -var msg73 = msg("dmd:01", part71); +var msg73 = msg("dmd:01", part81); -var part72 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ +var part82 = match("MESSAGE#73:dmd:11", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Health state for group \"%{group_object}\" changed from \"%{change_old}\" to \"%{change_new}\"", processor_chain([ + dup4, dup5, - dup6, ])); -var msg74 = msg("dmd:11", part72); +var msg74 = msg("dmd:11", part82); -var part73 = match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ +var part83 = match("MESSAGE#74:dmd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Filter on (%{fld5}) things. %{event_description}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg75 = msg("dmd:02", part73); +var msg75 = msg("dmd:02", part83); -var part74 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ - dup9, - dup6, +var part84 = match("MESSAGE#75:dmd:03", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> Device ID \"%{hostname}\" error: %{event_description}", processor_chain([ + dup8, + dup5, ])); -var msg76 = msg("dmd:03", part74); +var msg76 = msg("dmd:03", part84); -var select9 = linear_select([ +var select19 = linear_select([ msg72, msg73, msg74, @@ -852,109 +907,109 @@ var select9 = linear_select([ msg76, ]); -var part75 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ +var part85 = match("MESSAGE#76:logrotate", "nwparser.payload", "%{agent}: ALERT exited abnormally with %{fld10}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","ALERT exited abnormally"), ])); -var msg77 = msg("logrotate", part75); +var msg77 = msg("logrotate", part85); -var part76 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ +var part86 = match("MESSAGE#77:ntpd", "nwparser.payload", "%{agent}[%{process_id}]: kernel time sync enabled %{fld10}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","kernel time sync enabled"), ])); -var msg78 = msg("ntpd", part76); +var msg78 = msg("ntpd", part86); -var part77 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ +var part87 = match("MESSAGE#78:ntpd:01", "nwparser.payload", "%{agent}[%{process_id}]: time reset %{fld10}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","time reset"), ])); -var msg79 = msg("ntpd:01", part77); +var msg79 = msg("ntpd:01", part87); -var part78 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ +var part88 = match("MESSAGE#79:ntpd:02", "nwparser.payload", "%{agent}[%{process_id}]: ntpd %{fld10}-r %{fld11}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg80 = msg("ntpd:02", part78); +var msg80 = msg("ntpd:02", part88); -var part79 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ +var part89 = match("MESSAGE#80:ntpd:03", "nwparser.payload", "%{agent}[%{process_id}]: ntpd exiting on signal %{fld10}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","ntpd exiting on signal"), ])); -var msg81 = msg("ntpd:03", part79); +var msg81 = msg("ntpd:03", part89); -var select10 = linear_select([ +var select20 = linear_select([ msg78, msg79, msg80, msg81, ]); -var part80 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ +var part90 = match("MESSAGE#81:pm", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd will start in %{fld10}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","ntpd will start in few secs"), ])); -var msg82 = msg("pm", part80); +var msg82 = msg("pm", part90); -var part81 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ +var part91 = match("MESSAGE#82:pm:01", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> ntpd started", processor_chain([ + dup4, dup5, - dup6, setc("event_description","ntpd started"), ])); -var msg83 = msg("pm:01", part81); +var msg83 = msg("pm:01", part91); -var part82 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ +var part92 = match("MESSAGE#83:pm:02", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> print_msg(), %{info}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","print message"), ])); -var msg84 = msg("pm:02", part82); +var msg84 = msg("pm:02", part92); -var part83 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ +var part93 = match("MESSAGE#84:pm:03", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} started", processor_chain([ + dup4, dup5, - dup6, setc("event_description","service started"), ])); -var msg85 = msg("pm:03", part83); +var msg85 = msg("pm:03", part93); -var part84 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ +var part94 = match("MESSAGE#85:pm:04", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> %{info->} will start in %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","service will start"), ])); -var msg86 = msg("pm:04", part84); +var msg86 = msg("pm:04", part94); -var part85 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ +var part95 = match("MESSAGE#86:pm:05", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> check_license_validity(), %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","check license validity"), ])); -var msg87 = msg("pm:05", part85); +var msg87 = msg("pm:05", part95); -var part86 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ +var part96 = match("MESSAGE#87:pm:06", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c%{fld20}.%{severity}> Connected to config daemon", processor_chain([ + dup4, dup5, - dup6, setc("event_description","connected to config daemon"), ])); -var msg88 = msg("pm:06", part86); +var msg88 = msg("pm:06", part96); -var select11 = linear_select([ +var select21 = linear_select([ msg82, msg83, msg84, @@ -964,212 +1019,205 @@ var select11 = linear_select([ msg88, ]); -var part87 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ +var part97 = match("MESSAGE#88:anacron", "nwparser.payload", "%{agent}[%{process_id}]: Updated timestamp for job %{info->} to %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","updated timestamp"), ])); -var msg89 = msg("anacron", part87); +var msg89 = msg("anacron", part97); -var part88 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ +var part98 = match("MESSAGE#89:anacron:01", "nwparser.payload", "%{agent}[%{process_id}]: Anacron %{version->} started on %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","anacron started"), ])); -var msg90 = msg("anacron:01", part88); +var msg90 = msg("anacron:01", part98); -var part89 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ +var part99 = match("MESSAGE#90:anacron:02", "nwparser.payload", "%{agent}[%{process_id}]: Normal exit %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","normal exit"), ])); -var msg91 = msg("anacron:02", part89); +var msg91 = msg("anacron:02", part99); -var select12 = linear_select([ +var select22 = linear_select([ msg89, msg90, msg91, ]); -var part90 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ +var part100 = match("MESSAGE#91:epmd", "nwparser.payload", "%{agent}: epmd: invalid packet size (%{fld1})", processor_chain([ + dup4, dup5, - dup6, setc("event_description","invalid packet size"), ])); -var msg92 = msg("epmd", part90); +var msg92 = msg("epmd", part100); -var part91 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ +var part101 = match("MESSAGE#92:epmd:01", "nwparser.payload", "%{agent}: epmd: got %{info}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg93 = msg("epmd:01", part91); +var msg93 = msg("epmd:01", part101); -var part92 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ +var part102 = match("MESSAGE#93:epmd:02", "nwparser.payload", "%{agent}: epmd: epmd running %{info}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg94 = msg("epmd:02", part92); +var msg94 = msg("epmd:02", part102); -var select13 = linear_select([ +var select23 = linear_select([ msg92, msg93, msg94, ]); -var part93 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ +var part103 = match("MESSAGE#94:xinetd", "nwparser.payload", "%{agent}[%{process_id}]: xinetd %{event_description}", processor_chain([ + dup4, dup5, - dup6, ])); -var msg95 = msg("xinetd", part93); +var msg95 = msg("xinetd", part103); -var part94 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ +var part104 = match("MESSAGE#95:xinetd:01", "nwparser.payload", "%{agent}[%{process_id}]: Started working: %{fld1->} available services", processor_chain([ + dup4, dup5, - dup6, ])); -var msg96 = msg("xinetd:01", part94); +var msg96 = msg("xinetd:01", part104); -var select14 = linear_select([ +var select24 = linear_select([ msg95, msg96, ]); -var part95 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ +var part105 = match("MESSAGE#96:auditd", "nwparser.payload", "%{agent}[%{process_id}]: Audit daemon rotating log files", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Audit daemon rotating log files"), ])); -var msg97 = msg("auditd", part95); +var msg97 = msg("auditd", part105); -var part96 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %{filename}: %{fld1}", processor_chain([ +var part106 = match("MESSAGE#97:restorecond", "nwparser.payload", "%{agent}: Reset file context %{filename}: %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","Reset file"), ])); -var msg98 = msg("restorecond", part96); +var msg98 = msg("restorecond", part106); -var part97 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ +var part107 = match("MESSAGE#98:authd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> handle_authd unknown message =%{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","handle authd unknown message"), ])); -var msg99 = msg("authd", part97); +var msg99 = msg("authd", part107); -var part98 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ +var part108 = match("MESSAGE#99:authd:01", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_signal_handler(), %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","authd signal handler"), ])); -var msg100 = msg("authd:01", part98); +var msg100 = msg("authd:01", part108); -var part99 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ +var part109 = match("MESSAGE#100:authd:02", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> authd_close(): %{info}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","authd close"), ])); -var msg101 = msg("authd:02", part99); +var msg101 = msg("authd:02", part109); -var select15 = linear_select([ +var select25 = linear_select([ msg99, msg100, msg101, ]); -var part100 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); +var part110 = match("MESSAGE#101:rsyslogd/0", "nwparser.payload", "%{agent}: W%{p0}"); -var part101 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); +var part111 = match("MESSAGE#101:rsyslogd/1_0", "nwparser.p0", "ARNING%{p0}"); -var part102 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); +var part112 = match("MESSAGE#101:rsyslogd/1_1", "nwparser.p0", "arning%{p0}"); -var select16 = linear_select([ - part101, - part102, +var select26 = linear_select([ + part111, + part112, ]); -var part103 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); +var part113 = match("MESSAGE#101:rsyslogd/2", "nwparser.p0", ": %{event_description}"); var all11 = all_match({ processors: [ - part100, - select16, - part103, + part110, + select26, + part113, ], on_success: processor_chain([ + dup4, dup5, - dup6, ]), }); var msg102 = msg("rsyslogd", all11); -var part104 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ +var part114 = match("MESSAGE#102:shutdown", "nwparser.payload", "%{agent}[%{process_id}]: shutting down %{info}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","shutting down"), ])); -var msg103 = msg("shutdown", part104); +var msg103 = msg("shutdown", part114); -var part105 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ +var part115 = match("MESSAGE#103:cmd", "nwparser.payload", "%{agent}: \u003c\u003c%{fld20}.%{severity}> cmd starting %{fld1}", processor_chain([ + dup4, dup5, - dup6, setc("event_description","cmd starting"), ])); -var msg104 = msg("cmd", part105); +var msg104 = msg("cmd", part115); var chain1 = processor_chain([ select1, msgid_select({ - "anacron": select12, + "anacron": select22, "auditd": msg97, - "authd": select15, - "ccd": select7, - "cli": select2, + "authd": select25, + "ccd": select17, + "cli": select12, "cmd": msg104, - "configd": select4, - "dmd": select9, - "epmd": select13, - "heartbeat": select5, + "configd": select14, + "dmd": select19, + "epmd": select23, + "heartbeat": select15, "logrotate": msg77, - "ntpd": select10, - "pm": select11, + "ntpd": select20, + "pm": select21, "poller": msg45, "restorecond": msg98, "rsyslogd": msg102, - "runner": select6, - "schedulerd": select3, + "runner": select16, + "schedulerd": select13, "shutdown": msg103, - "sshd": select8, - "xinetd": select14, + "sshd": select18, + "xinetd": select24, }), ]); -var part106 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{p0}"); - -var part107 = match("MESSAGE#0:cli/1_0", "nwparser.p0", "%{username}@::%{fld5}:%{saddr->} %{p0}"); +var part116 = match("MESSAGE#0:cli/0", "nwparser.payload", "%{agent}[%{process_id}]: \u003c\u003c-%{fld20}.%{severity}> %{username}@%{p0}"); -var part108 = match("MESSAGE#0:cli/1_1", "nwparser.p0", "%{username}@%{domain->} %{p0}"); +var part117 = match_copy("MESSAGE#0:cli/2", "nwparser.p0", "action"); -var select17 = linear_select([ - dup3, +var part118 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ dup4, -]); - -var part109 = match("MESSAGE#10:cli:pam", "nwparser.payload", "%{agent}[%{process_id}]: %{fld21}(%{fld1}:%{fld2}): pam_putenv: %{fld3}", processor_chain([ dup5, dup6, - dup7, ])); diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml index 97fbbb72c92b..5a0a60c89711 100644 --- a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml +++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/bluecoat/director/manifest.yml b/x-pack/filebeat/module/bluecoat/director/manifest.yml index 10ad36cde947..32b44dfa8ee6 100644 --- a/x-pack/filebeat/module/bluecoat/director/manifest.yml +++ b/x-pack/filebeat/module/bluecoat/director/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9505 + default: 9527 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log b/x-pack/filebeat/module/bluecoat/director/test/generated.log index 7035845d2c63..6bf53ab90400 100644 --- a/x-pack/filebeat/module/bluecoat/director/test/generated.log +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log @@ -19,12 +19,14 @@ authd: : < authd_signal_handler(), quam xinetd[6547]: Started working: onproide available services logrotate: : ALERT exited abnormally with tfug heartbeat: : < Processing command: deny +rsyslogd: : Warning: rehe sshd: : < error: Bind to port erc on amqu failed: unknown ntpd[4515]: ntpd emp-r aperia restorecond: : Reset file context run: vol logrotate: : ALERT exited abnormally with mporain heartbeat: : < connect: atu cmd: : < cmd starting adeseru +cli[7108]: <<-uam.low> tmo@::fficiade:10.2.53.125 : CLI launched pm[7061]: < ntpd will start in tlabo poller[795]: < Querying content system for job results. runner[6134]: < Processing command: allow @@ -40,12 +42,15 @@ xinetd[5850]: Started working: rQu available services heartbeat: : < queips: undefined symbol: ncidi authd: : < authd_close(): npr anacron[6373]: Anacron 1.3962 started on epre +cli[3979]: <<-iduntu.medium> temUt@avol752.www5.test : Processing command accept cmd: : < cmd starting isiuta sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm ccd: : < Device elitse6672.internal.localdomain: mquisno runner[1859]: < Failed to exec umSe shutdown[6110]: shutting down itau sshd[2415]: PAM lorsita more authentication failure; dolore +rsyslogd: : Warning: tio +cli[802]: <<-gnaaliqu.very-high> velillu@::cteturad:10.18.204.87 : Processing a secure command... heartbeat: : < connect: inimveni authd: : < authd_close(): psumqu runner[2558]: < Failed to exec edquiac @@ -62,9 +67,11 @@ authd: : < authd_signal_handler(), gnaal logrotate: : ALERT exited abnormally with voluptas ntpd[627]: ntpd exiting on signal orin restorecond: : Reset file context ecillu: mmodoc +cli[1140]: <<-abore.high> modocon@ipsu3680.mail.test : Processing command: deny sshd: : bad username mquisn ntpd[1313]: ntpd derit-r orese ccd: : < Device Communication Daemon online +rsyslogd: : Warning: moles restorecond: : Reset file context olup: aco shutdown[609]: shutting down ser ntpd[2991]: ntpd orinrep-r quiavol @@ -80,6 +87,7 @@ ccd: : < Device eleumiu2454.api.local: tat schedulerd: : < System time changed, recomputing job run times. xinetd[3450]: Started working: aconsequ available services authd: : < handle_authd unknown message =utemvel +rsyslogd: : Warning: iusm ntpd[16]: time reset stquido ccd: : < Device olu5333.www.domain: orumSe anacron[80]: Normal exit ici @@ -90,11 +98,3 @@ logrotate: : ALERT exited abnormally with ntut poller[7151]: < Querying content system for job results. ntpd[2314]: ntpd litanim-r rQuisaut heartbeat: : < Processing command: block -epmd: : epmd: got emp -schedulerd: : < System time changed, recomputing job run times. -dmd: : < Health state for group "lab" changed from "llumq" to "tenim" -pm[5899]: < print_msg(), orem -epmd: : epmd: epmd running inBC -pm[2746]: < print_msg(), ptate -schedulerd: : < Executing Job "CSe" execution exerci -auditd[6012]: Audit daemon rotating log files diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json index 1d0de305beb0..06e026434778 100644 --- a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json @@ -467,6 +467,26 @@ "forwarded" ] }, + { + "event.code": "rsyslogd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "rsyslogd: : Warning: rehe", + "fileset.name": "director", + "input.type": "log", + "log.offset": 1092, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "rehe", + "rsa.internal.messageid": "rsyslogd", + "rsa.misc.client": "rsyslogd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, { "event.code": "sshd", "event.dataset": "bluecoat.director", @@ -475,7 +495,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "medium", - "log.offset": 1092, + "log.offset": 1118, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -496,7 +516,7 @@ "event.original": "ntpd[4515]: ntpd emp-r aperia", "fileset.name": "director", "input.type": "log", - "log.offset": 1164, + "log.offset": 1190, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -517,7 +537,7 @@ "file.name": "run", "fileset.name": "director", "input.type": "log", - "log.offset": 1194, + "log.offset": 1220, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -537,7 +557,7 @@ "event.original": "logrotate: : ALERT exited abnormally with mporain", "fileset.name": "director", "input.type": "log", - "log.offset": 1237, + "log.offset": 1263, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -558,7 +578,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 1287, + "log.offset": 1313, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -580,7 +600,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "medium", - "log.offset": 1332, + "log.offset": 1358, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -594,6 +614,39 @@ "forwarded" ] }, + { + "event.code": "cli", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cli[7108]: <<-uam.low> tmo@::fficiade:10.2.53.125 : CLI launched", + "fileset.name": "director", + "input.type": "log", + "log.level": "low", + "log.offset": 1401, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 7108, + "related.ip": [ + "10.2.53.125" + ], + "related.user": [ + "tmo" + ], + "rsa.internal.event_desc": "CLI launched", + "rsa.internal.messageid": "cli", + "rsa.misc.client": "cli", + "rsa.misc.severity": "low", + "service.type": "bluecoat", + "source.ip": [ + "10.2.53.125" + ], + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": "tmo" + }, { "event.code": "pm", "event.dataset": "bluecoat.director", @@ -602,7 +655,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 1375, + "log.offset": 1466, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -625,7 +678,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "low", - "log.offset": 1430, + "log.offset": 1521, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -649,7 +702,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 1500, + "log.offset": 1591, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -673,7 +726,7 @@ "event.original": "epmd: : epmd: epmd running orpor", "fileset.name": "director", "input.type": "log", - "log.offset": 1557, + "log.offset": 1648, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -695,7 +748,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 1590, + "log.offset": 1681, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -716,7 +769,7 @@ "event.original": "shutdown[2807]: shutting down non", "fileset.name": "director", "input.type": "log", - "log.offset": 1642, + "log.offset": 1733, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -740,7 +793,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 1676, + "log.offset": 1767, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -767,7 +820,7 @@ "event.original": "auditd[2986]: Audit daemon rotating log files", "fileset.name": "director", "input.type": "log", - "log.offset": 1735, + "log.offset": 1826, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -789,7 +842,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "medium", - "log.offset": 1781, + "log.offset": 1872, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -811,7 +864,7 @@ "event.original": "auditd[1243]: Audit daemon rotating log files", "fileset.name": "director", "input.type": "log", - "log.offset": 1824, + "log.offset": 1915, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -832,7 +885,7 @@ "event.original": "xinetd[6599]: Started working: naal available services", "fileset.name": "director", "input.type": "log", - "log.offset": 1870, + "log.offset": 1961, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -852,7 +905,7 @@ "event.original": "xinetd[5850]: Started working: rQu available services", "fileset.name": "director", "input.type": "log", - "log.offset": 1925, + "log.offset": 2016, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -874,7 +927,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "low", - "log.offset": 1979, + "log.offset": 2070, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -897,7 +950,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 2037, + "log.offset": 2128, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -919,7 +972,7 @@ "event.original": "anacron[6373]: Anacron 1.3962 started on epre", "fileset.name": "director", "input.type": "log", - "log.offset": 2083, + "log.offset": 2174, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -935,6 +988,44 @@ "forwarded" ] }, + { + "event.action": "accept", + "event.code": "cli", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cli[3979]: <<-iduntu.medium> temUt@avol752.www5.test : Processing command accept", + "fileset.name": "director", + "input.type": "log", + "log.level": "medium", + "log.offset": 2220, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 3979, + "related.hosts": [ + "avol752.www5.test" + ], + "related.user": [ + "temUt" + ], + "rsa.internal.messageid": "cli", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.client": "cli", + "rsa.misc.severity": "medium", + "rsa.network.domain": "avol752.www5.test", + "server.domain": "avol752.www5.test", + "server.registered_domain": "www5.test", + "server.subdomain": "avol752", + "server.top_level_domain": "test", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": "temUt" + }, { "event.code": "cmd", "event.dataset": "bluecoat.director", @@ -943,7 +1034,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "medium", - "log.offset": 2129, + "log.offset": 2301, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -964,7 +1055,7 @@ "event.original": "sshd[5227]: dutp(psaquaea:taevita): pam_putenv: ameiusm", "fileset.name": "director", "input.type": "log", - "log.offset": 2170, + "log.offset": 2342, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -987,7 +1078,7 @@ "host.name": "elitse6672.internal.localdomain", "input.type": "log", "log.level": "low", - "log.offset": 2226, + "log.offset": 2398, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1017,7 +1108,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 2293, + "log.offset": 2465, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1038,7 +1129,7 @@ "event.original": "shutdown[6110]: shutting down itau", "fileset.name": "director", "input.type": "log", - "log.offset": 2344, + "log.offset": 2516, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1060,7 +1151,7 @@ "event.original": "sshd[2415]: PAM lorsita more authentication failure; dolore", "fileset.name": "director", "input.type": "log", - "log.offset": 2379, + "log.offset": 2551, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1075,6 +1166,59 @@ "forwarded" ] }, + { + "event.code": "rsyslogd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "rsyslogd: : Warning: tio", + "fileset.name": "director", + "input.type": "log", + "log.offset": 2611, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "tio", + "rsa.internal.messageid": "rsyslogd", + "rsa.misc.client": "rsyslogd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, + { + "event.code": "cli", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cli[802]: <<-gnaaliqu.very-high> velillu@::cteturad:10.18.204.87 : Processing a secure command...", + "fileset.name": "director", + "input.type": "log", + "log.level": "very-high", + "log.offset": 2636, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 802, + "related.ip": [ + "10.18.204.87" + ], + "related.user": [ + "velillu" + ], + "rsa.internal.event_desc": "Processing a secure command", + "rsa.internal.messageid": "cli", + "rsa.misc.client": "cli", + "rsa.misc.severity": "very-high", + "service.type": "bluecoat", + "source.ip": [ + "10.18.204.87" + ], + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": "velillu" + }, { "event.code": "heartbeat", "event.dataset": "bluecoat.director", @@ -1083,7 +1227,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 2439, + "log.offset": 2734, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1105,7 +1249,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "low", - "log.offset": 2486, + "log.offset": 2781, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1129,7 +1273,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 2531, + "log.offset": 2826, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1150,7 +1294,7 @@ "event.original": "anacron[4538]: Updated timestamp for job remips to uisaute", "fileset.name": "director", "input.type": "log", - "log.offset": 2582, + "log.offset": 2877, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1172,7 +1316,7 @@ "event.original": "auditd[6837]: Audit daemon rotating log files", "fileset.name": "director", "input.type": "log", - "log.offset": 2641, + "log.offset": 2936, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1194,7 +1338,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 2687, + "log.offset": 2982, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1220,7 +1364,7 @@ "host.name": "itation4168.api.domain", "input.type": "log", "log.level": "low", - "log.offset": 2730, + "log.offset": 3025, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1251,7 +1395,7 @@ "event.original": "epmd: : epmd: invalid packet size (mquae)", "fileset.name": "director", "input.type": "log", - "log.offset": 2889, + "log.offset": 3184, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1272,7 +1416,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 2931, + "log.offset": 3226, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1294,7 +1438,7 @@ "event.original": "shutdown[7595]: shutting down emqu", "fileset.name": "director", "input.type": "log", - "log.offset": 2985, + "log.offset": 3280, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1318,7 +1462,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "low", - "log.offset": 3020, + "log.offset": 3315, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1342,7 +1486,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 3073, + "log.offset": 3368, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1364,7 +1508,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "medium", - "log.offset": 3132, + "log.offset": 3427, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1385,7 +1529,7 @@ "event.original": "logrotate: : ALERT exited abnormally with voluptas", "fileset.name": "director", "input.type": "log", - "log.offset": 3188, + "log.offset": 3483, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1405,7 +1549,7 @@ "event.original": "ntpd[627]: ntpd exiting on signal orin", "fileset.name": "director", "input.type": "log", - "log.offset": 3239, + "log.offset": 3534, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1427,7 +1571,7 @@ "file.name": "ecillu", "fileset.name": "director", "input.type": "log", - "log.offset": 3278, + "log.offset": 3573, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1440,6 +1584,44 @@ "forwarded" ] }, + { + "event.action": "deny", + "event.code": "cli", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "cli[1140]: <<-abore.high> modocon@ipsu3680.mail.test : Processing command: deny", + "fileset.name": "director", + "input.type": "log", + "log.level": "high", + "log.offset": 3622, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "process.pid": 1140, + "related.hosts": [ + "ipsu3680.mail.test" + ], + "related.user": [ + "modocon" + ], + "rsa.internal.messageid": "cli", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.client": "cli", + "rsa.misc.severity": "high", + "rsa.network.domain": "ipsu3680.mail.test", + "server.domain": "ipsu3680.mail.test", + "server.registered_domain": "mail.test", + "server.subdomain": "ipsu3680", + "server.top_level_domain": "test", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ], + "user.name": "modocon" + }, { "event.code": "sshd", "event.dataset": "bluecoat.director", @@ -1447,7 +1629,7 @@ "event.original": "sshd: : bad username mquisn", "fileset.name": "director", "input.type": "log", - "log.offset": 3327, + "log.offset": 3702, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1467,7 +1649,7 @@ "event.original": "ntpd[1313]: ntpd derit-r orese", "fileset.name": "director", "input.type": "log", - "log.offset": 3355, + "log.offset": 3730, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1488,7 +1670,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "medium", - "log.offset": 3386, + "log.offset": 3761, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1502,6 +1684,26 @@ "forwarded" ] }, + { + "event.code": "rsyslogd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "rsyslogd: : Warning: moles", + "fileset.name": "director", + "input.type": "log", + "log.offset": 3821, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "moles", + "rsa.internal.messageid": "rsyslogd", + "rsa.misc.client": "rsyslogd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, { "event.code": "restorecond", "event.dataset": "bluecoat.director", @@ -1510,7 +1712,7 @@ "file.name": "olup", "fileset.name": "director", "input.type": "log", - "log.offset": 3446, + "log.offset": 3848, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1530,7 +1732,7 @@ "event.original": "shutdown[609]: shutting down ser", "fileset.name": "director", "input.type": "log", - "log.offset": 3490, + "log.offset": 3892, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1552,7 +1754,7 @@ "event.original": "ntpd[2991]: ntpd orinrep-r quiavol", "fileset.name": "director", "input.type": "log", - "log.offset": 3523, + "log.offset": 3925, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1574,7 +1776,7 @@ "host.name": "sBonor2001.www5.example", "input.type": "log", "log.level": "medium", - "log.offset": 3558, + "log.offset": 3960, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1601,7 +1803,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 3657, + "log.offset": 4059, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1624,7 +1826,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 3712, + "log.offset": 4114, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1647,7 +1849,7 @@ "host.name": "ersp6625.internal.domain", "input.type": "log", "log.level": "high", - "log.offset": 3756, + "log.offset": 4158, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1674,7 +1876,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "medium", - "log.offset": 3858, + "log.offset": 4260, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1697,7 +1899,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "low", - "log.offset": 3903, + "log.offset": 4305, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1720,7 +1922,7 @@ "event.original": "anacron[7360]: Normal exit tperspic", "fileset.name": "director", "input.type": "log", - "log.offset": 3952, + "log.offset": 4354, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1742,7 +1944,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 3988, + "log.offset": 4390, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1765,7 +1967,7 @@ "host.name": "eleumiu2454.api.local", "input.type": "log", "log.level": "low", - "log.offset": 4048, + "log.offset": 4450, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1794,7 +1996,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 4103, + "log.offset": 4505, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1815,7 +2017,7 @@ "event.original": "xinetd[3450]: Started working: aconsequ available services", "fileset.name": "director", "input.type": "log", - "log.offset": 4184, + "log.offset": 4586, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1836,7 +2038,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 4243, + "log.offset": 4645, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1850,6 +2052,26 @@ "forwarded" ] }, + { + "event.code": "rsyslogd", + "event.dataset": "bluecoat.director", + "event.module": "bluecoat", + "event.original": "rsyslogd: : Warning: iusm", + "fileset.name": "director", + "input.type": "log", + "log.offset": 4707, + "observer.product": "Director", + "observer.type": "Configuration", + "observer.vendor": "Bluecoat", + "rsa.internal.event_desc": "iusm", + "rsa.internal.messageid": "rsyslogd", + "rsa.misc.client": "rsyslogd:", + "service.type": "bluecoat", + "tags": [ + "bluecoat.director", + "forwarded" + ] + }, { "event.code": "ntpd", "event.dataset": "bluecoat.director", @@ -1857,7 +2079,7 @@ "event.original": "ntpd[16]: time reset stquido", "fileset.name": "director", "input.type": "log", - "log.offset": 4305, + "log.offset": 4733, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1880,7 +2102,7 @@ "host.name": "olu5333.www.domain", "input.type": "log", "log.level": "high", - "log.offset": 4334, + "log.offset": 4762, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1908,7 +2130,7 @@ "event.original": "anacron[80]: Normal exit ici", "fileset.name": "director", "input.type": "log", - "log.offset": 4389, + "log.offset": 4817, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1929,7 +2151,7 @@ "event.original": "ntpd[7612]: kernel time sync enabled nturmag", "fileset.name": "director", "input.type": "log", - "log.offset": 4418, + "log.offset": 4846, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1950,7 +2172,7 @@ "event.original": "cli[7128]: eseruntm(lpaquiof:oloreeu): pam_putenv: olor", "fileset.name": "director", "input.type": "log", - "log.offset": 4463, + "log.offset": 4891, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1972,7 +2194,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "very-high", - "log.offset": 4519, + "log.offset": 4947, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -1993,7 +2215,7 @@ "event.original": "logrotate: : ALERT exited abnormally with ntut", "fileset.name": "director", "input.type": "log", - "log.offset": 4587, + "log.offset": 5015, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -2014,7 +2236,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 4634, + "log.offset": 5062, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -2036,7 +2258,7 @@ "event.original": "ntpd[2314]: ntpd litanim-r rQuisaut", "fileset.name": "director", "input.type": "log", - "log.offset": 4701, + "log.offset": 5129, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -2058,7 +2280,7 @@ "fileset.name": "director", "input.type": "log", "log.level": "high", - "log.offset": 4737, + "log.offset": 5165, "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", @@ -2073,182 +2295,5 @@ "bluecoat.director", "forwarded" ] - }, - { - "event.code": "epmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "epmd: : epmd: got emp", - "fileset.name": "director", - "input.type": "log", - "log.offset": 4790, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.db.index": "emp", - "rsa.internal.messageid": "epmd", - "rsa.misc.client": "epmd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "schedulerd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "schedulerd: : < System time changed, recomputing job run times.", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 4812, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.event_desc": "System time changed, recomputing job run times", - "rsa.internal.messageid": "schedulerd", - "rsa.misc.client": "schedulerd:", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "dmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "dmd: : < Health state for group \"lab\" changed from \"llumq\" to \"tenim\"", - "fileset.name": "director", - "input.type": "log", - "log.level": "medium", - "log.offset": 4893, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "dmd", - "rsa.misc.change_new": "tenim", - "rsa.misc.change_old": "llumq", - "rsa.misc.client": "dmd:", - "rsa.misc.group_object": "lab", - "rsa.misc.severity": "medium", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "pm", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "pm[5899]: < print_msg(), orem", - "fileset.name": "director", - "input.type": "log", - "log.level": "low", - "log.offset": 4978, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 5899, - "rsa.db.index": "orem", - "rsa.internal.event_desc": "print message", - "rsa.internal.messageid": "pm", - "rsa.misc.client": "pm", - "rsa.misc.severity": "low", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "epmd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "epmd: : epmd: epmd running inBC", - "fileset.name": "director", - "input.type": "log", - "log.offset": 5018, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.db.index": "inBC", - "rsa.internal.messageid": "epmd", - "rsa.misc.client": "epmd:", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "pm", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "pm[2746]: < print_msg(), ptate", - "fileset.name": "director", - "input.type": "log", - "log.level": "very-high", - "log.offset": 5050, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 2746, - "rsa.db.index": "ptate", - "rsa.internal.event_desc": "print message", - "rsa.internal.messageid": "pm", - "rsa.misc.client": "pm", - "rsa.misc.severity": "very-high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "schedulerd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "schedulerd: : < Executing Job \"CSe\" execution exerci", - "fileset.name": "director", - "input.type": "log", - "log.level": "high", - "log.offset": 5099, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "rsa.internal.messageid": "schedulerd", - "rsa.misc.client": "schedulerd:", - "rsa.misc.operation_id": "CSe", - "rsa.misc.severity": "high", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] - }, - { - "event.code": "auditd", - "event.dataset": "bluecoat.director", - "event.module": "bluecoat", - "event.original": "auditd[6012]: Audit daemon rotating log files", - "fileset.name": "director", - "input.type": "log", - "log.offset": 5163, - "observer.product": "Director", - "observer.type": "Configuration", - "observer.vendor": "Bluecoat", - "process.pid": 6012, - "rsa.internal.event_desc": "Audit daemon rotating log files", - "rsa.internal.messageid": "auditd", - "rsa.misc.client": "auditd", - "service.type": "bluecoat", - "tags": [ - "bluecoat.director", - "forwarded" - ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cisco/meraki/config/input.yml b/x-pack/filebeat/module/cisco/meraki/config/input.yml index 9afabbbf06f3..8f635db379e7 100644 --- a/x-pack/filebeat/module/cisco/meraki/config/input.yml +++ b/x-pack/filebeat/module/cisco/meraki/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js b/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js +++ b/x-pack/filebeat/module/cisco/meraki/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml index cf0d61d1a524..a18507659aa5 100644 --- a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml @@ -56,13 +56,8 @@ processors: - append: field: related.hosts value: '{{host.name}}' - if: ctx.host?.name != null - allow_duplicates: false - - append: - field: related.hosts - value: '{{host.hostname}}' - if: ctx.host?.hostname != null && ctx.host?.hostname != '' allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cisco/meraki/manifest.yml b/x-pack/filebeat/module/cisco/meraki/manifest.yml index a86afb8f0196..6adeb1975aa6 100644 --- a/x-pack/filebeat/module/cisco/meraki/manifest.yml +++ b/x-pack/filebeat/module/cisco/meraki/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9525 + default: 9541 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index 93b257059121..417800e7599a 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -17,8 +17,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.193.124.51", - "10.15.44.253" + "10.15.44.253", + "10.193.124.51" ], "rsa.internal.event_desc": "olaborissecurity_event tur", "rsa.internal.messageid": "security_event", @@ -56,9 +56,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.102.218.31", - "10.15.16.212" + "10.15.16.212", + "10.102.218.31" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -90,6 +93,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ "ceroinBC flows src=10.179.60.216 dst=10.69.53.104 protocol=udp pattern: 0 reprehe" @@ -121,9 +127,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.112.46.169", - "10.155.236.240" + "10.155.236.240", + "10.112.46.169" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -389,8 +398,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.72.17", - "10.74.237.180" + "10.74.237.180", + "10.163.72.17" ], "rsa.internal.event_desc": "remipsum security_event liq", "rsa.internal.messageid": "security_event", @@ -518,6 +527,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.53.150.119", "10.85.10.165" @@ -622,9 +634,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.219.84.37", - "10.205.47.51" + "10.205.47.51", + "10.219.84.37" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -691,6 +706,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.63.194.87", "10.182.178.217" @@ -731,6 +749,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.153.0.77", "10.163.154.210" @@ -798,6 +819,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ "ese flows allow src=10.145.248.111 dst=10.57.6.252 mac=01:00:5e:94:6a:cf protocol=udp" @@ -831,8 +855,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.12.182.70", - "10.31.77.157" + "10.31.77.157", + "10.12.182.70" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -864,6 +888,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ "cancel" @@ -895,9 +922,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.93.68.231", - "10.135.217.12" + "10.135.217.12", + "10.93.68.231" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -959,9 +989,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.66.89.5", - "10.247.30.212" + "10.247.30.212", + "10.66.89.5" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1025,8 +1058,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.221.102.245", - "10.173.136.186" + "10.173.136.186", + "10.221.102.245" ], "rsa.internal.event_desc": "idestlab", "rsa.internal.messageid": "security_event", @@ -1064,8 +1097,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.58.64.108", - "10.54.37.86" + "10.54.37.86", + "10.58.64.108" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1099,9 +1132,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.147.76.202", - "10.163.93.20" + "10.163.93.20", + "10.147.76.202" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1176,9 +1212,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.28.144.180", - "10.148.124.84" + "10.148.124.84", + "10.28.144.180" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -1214,9 +1253,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.204.230.166", - "10.98.194.212" + "10.98.194.212", + "10.204.230.166" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1446,6 +1488,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.111.157.56", "10.230.6.127" @@ -1485,9 +1530,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.193.219.34", - "10.179.40.170" + "10.179.40.170", + "10.193.219.34" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1638,8 +1686,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.90.99.245", - "10.124.63.4" + "10.124.63.4", + "10.90.99.245" ], "rsa.internal.event_desc": "etconsec", "rsa.internal.messageid": "security_event", @@ -1733,8 +1781,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.81.234.34", - "10.196.96.162" + "10.196.96.162", + "10.81.234.34" ], "rsa.internal.event_desc": "Utenima security_event iqua", "rsa.internal.messageid": "security_event", @@ -1792,6 +1840,7 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.hosts": [ + "appliance", "remips188.api.invalid" ], "related.ip": [ @@ -1866,9 +1915,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.83.131.245", - "10.39.172.93" + "10.39.172.93", + "10.83.131.245" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1902,6 +1954,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.201.168.116", "10.86.188.179" @@ -1979,6 +2034,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ "luptatem flows accept" @@ -2011,8 +2069,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.97.46.16", - "10.120.4.9" + "10.120.4.9", + "10.97.46.16" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2047,8 +2105,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.171.206.139", - "10.165.173.162" + "10.165.173.162", + "10.171.206.139" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2081,11 +2139,12 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.hosts": [ + "appliance", "uames4985.mail.localdomain" ], "related.ip": [ - "10.144.57.239", - "10.150.163.151" + "10.150.163.151", + "10.144.57.239" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2189,6 +2248,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ "orem flows src=10.71.22.225 dst=10.4.76.100 protocol=ggp pattern: allow serrorsi" @@ -2251,9 +2313,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.103.49.129", - "10.2.110.73" + "10.2.110.73", + "10.103.49.129" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2291,6 +2356,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.158.61.228", "10.132.176.96" @@ -2330,11 +2398,12 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.hosts": [ + "appliance", "lors2232.api.example" ], "related.ip": [ - "10.105.136.146", - "10.46.217.155" + "10.46.217.155", + "10.105.136.146" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2373,6 +2442,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.245.199.23", "10.123.62.215" @@ -2405,6 +2477,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ "cancel src=10.239.105.121 dst=10.70.7.23 mac=01:00:5e:8e:82:f0 protocol=ipv6" @@ -2436,9 +2511,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.196.176.243", - "10.16.230.121" + "10.16.230.121", + "10.196.176.243" ], "rsa.counters.dclass_r1": "velites", "rsa.internal.messageid": "events", @@ -2480,8 +2558,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.34.62.190", - "10.246.152.72" + "10.246.152.72", + "10.34.62.190" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", @@ -2593,8 +2671,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.121.9.5", - "10.244.32.189" + "10.244.32.189", + "10.121.9.5" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2757,9 +2835,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.17.111.91", - "10.65.0.157" + "10.65.0.157", + "10.17.111.91" ], "rsa.db.index": "nostrum", "rsa.internal.messageid": "flows", @@ -2792,6 +2873,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ "cancel" @@ -2893,8 +2977,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.51.121.223", - "10.199.103.185" + "10.199.103.185", + "10.51.121.223" ], "rsa.internal.event_desc": "dipi security_event ecatc", "rsa.internal.messageid": "security_event", @@ -2987,6 +3071,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.121.37.244", "10.113.152.241" @@ -3026,9 +3113,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.247.118.132", - "10.254.96.130" + "10.254.96.130", + "10.247.118.132" ], "rsa.counters.dclass_r1": "ectet", "rsa.internal.messageid": "events", @@ -3066,6 +3156,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ "10.101.13.122", "10.200.98.243" @@ -3329,9 +3422,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "appliance" + ], "related.ip": [ - "10.85.59.172", - "10.75.122.111" + "10.75.122.111", + "10.85.59.172" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events", diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml index 517e6c60216b..a685316e6399 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/input.yml +++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js +++ b/x-pack/filebeat/module/cisco/nexus/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/cisco/nexus/config/pipeline.js b/x-pack/filebeat/module/cisco/nexus/config/pipeline.js index 6e00850108a4..8a33d4eccc4a 100644 --- a/x-pack/filebeat/module/cisco/nexus/config/pipeline.js +++ b/x-pack/filebeat/module/cisco/nexus/config/pipeline.js @@ -61,281 +61,279 @@ var dup19 = setc("eventcategory","1402020100"); var dup20 = setc("ec_activity","Delete"); -var dup21 = match("MESSAGE#24:SYSTEM_MSG:08/0", "nwparser.payload", "%{} %{p0}"); +var dup21 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); -var dup22 = match("MESSAGE#24:SYSTEM_MSG:08/1_1", "nwparser.p0", "%{event_description}"); +var dup22 = setc("eventcategory","1701060000"); -var dup23 = setc("eventcategory","1701060000"); +var dup23 = setc("eventcategory","1603030000"); -var dup24 = setc("eventcategory","1603030000"); +var dup24 = setc("eventcategory","1701030000"); -var dup25 = setc("eventcategory","1701030000"); +var dup25 = setc("event_description","Interface is down"); -var dup26 = setc("event_description","Interface is down"); +var dup26 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); -var dup27 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); +var dup27 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); -var dup28 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); +var dup28 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); -var dup29 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); +var dup29 = setc("eventcategory","1701010000"); -var dup30 = setc("eventcategory","1701010000"); +var dup30 = setc("eventcategory","1701000000"); -var dup31 = setc("eventcategory","1701000000"); +var dup31 = setc("eventcategory","1603040000"); -var dup32 = setc("eventcategory","1603040000"); +var dup32 = setc("eventcategory","1603010000"); -var dup33 = setc("eventcategory","1603010000"); +var dup33 = setc("eventcategory","1603110000"); -var dup34 = setc("eventcategory","1603110000"); +var dup34 = setc("ec_subject","NetworkComm"); -var dup35 = setc("ec_subject","NetworkComm"); +var dup35 = setc("ec_theme","Communication"); -var dup36 = setc("ec_theme","Communication"); +var dup36 = setc("eventcategory","1801020000"); -var dup37 = setc("eventcategory","1801020000"); +var dup37 = setc("ec_activity","Enable"); -var dup38 = setc("ec_activity","Enable"); +var dup38 = setc("ec_theme","Configuration"); -var dup39 = setc("ec_theme","Configuration"); +var dup39 = setc("action","update"); -var dup40 = setc("action","update"); +var dup40 = setc("event_description","enabled telnet"); -var dup41 = setc("event_description","enabled telnet"); +var dup41 = setc("event_description","program update"); -var dup42 = setc("event_description","program update"); +var dup42 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); -var dup43 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); +var dup43 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); -var dup44 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); +var dup44 = setc("action","Update"); -var dup45 = setc("action","Update"); +var dup45 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); -var dup46 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); +var dup46 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); -var dup47 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); +var dup47 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); -var dup48 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); +var dup48 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); -var dup49 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); +var dup49 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); -var dup50 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); +var dup50 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); -var dup51 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); +var dup51 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); -var dup52 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); +var dup52 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); -var dup53 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); +var dup53 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); -var dup54 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); +var dup54 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); -var dup55 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); +var dup55 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); -var dup56 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); +var dup56 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); -var dup57 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); +var dup57 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); -var dup58 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); +var dup58 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); -var dup59 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); +var dup59 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); -var dup60 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); +var dup60 = setc("dclass_counter1_string","Hit Count"); -var dup61 = setc("dclass_counter1_string","Hit Count"); +var dup61 = setc("eventcategory","1603100000"); -var dup62 = setc("eventcategory","1603100000"); +var dup62 = setc("eventcategory","1701020000"); -var dup63 = setc("eventcategory","1701020000"); +var dup63 = setc("eventcategory","1801000000"); -var dup64 = setc("eventcategory","1801000000"); +var dup64 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); -var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); +var dup65 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); -var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); +var dup66 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); -var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); +var dup67 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); -var dup68 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); +var dup68 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); -var dup69 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); +var dup69 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); -var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); +var dup70 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); -var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); +var dup71 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); -var dup72 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); +var dup72 = setc("ec_outcome","Error"); -var dup73 = setc("ec_outcome","Error"); +var dup73 = setc("eventcategory","1703000000"); -var dup74 = setc("eventcategory","1703000000"); +var dup74 = setc("obj_type","vPC"); -var dup75 = setc("obj_type","vPC"); +var dup75 = setc("ec_subject","OS"); -var dup76 = setc("ec_subject","OS"); +var dup76 = setc("ec_activity","Start"); -var dup77 = setc("ec_activity","Start"); +var dup77 = setc("eventcategory","1801010000"); -var dup78 = setc("eventcategory","1801010000"); +var dup78 = setc("ec_activity","Receive"); -var dup79 = setc("ec_activity","Receive"); +var dup79 = setc("ec_activity","Send"); -var dup80 = setc("ec_activity","Send"); +var dup80 = setc("ec_activity","Create"); -var dup81 = setc("ec_activity","Create"); +var dup81 = setc("event_description","Switchover completed."); -var dup82 = setc("event_description","Switchover completed."); +var dup82 = setc("event_description","Invalid user"); -var dup83 = setc("event_description","Invalid user"); +var dup83 = setc("eventcategory","1401000000"); -var dup84 = setc("eventcategory","1401000000"); +var dup84 = setc("ec_subject","Service"); -var dup85 = setc("ec_subject","Service"); +var dup85 = setc("event_description","Duplicate address Detected."); -var dup86 = setc("event_description","Duplicate address Detected."); - -var dup87 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ +var dup86 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ dup1, dup2, dup3, dup4, ])); -var dup88 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ +var dup87 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ dup15, dup2, dup3, dup4, ])); -var dup89 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, +var dup88 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var dup90 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup24, +var dup89 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var dup91 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ +var dup90 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var dup92 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup25, +var dup91 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, dup2, dup3, dup4, ])); -var dup93 = linear_select([ +var dup92 = linear_select([ + dup26, dup27, - dup28, ]); -var dup94 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ +var dup93 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ dup1, dup2, dup3, dup4, ])); -var dup95 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ - dup25, +var dup94 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, dup2, dup3, dup4, ])); -var dup96 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ +var dup95 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var dup97 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup24, +var dup96 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, dup35, - dup36, dup14, dup2, dup3, dup4, ])); -var dup98 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ - dup34, +var dup97 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, dup2, dup3, dup4, ])); -var dup99 = linear_select([ +var dup98 = linear_select([ + dup46, dup47, - dup48, ]); -var dup100 = linear_select([ +var dup99 = linear_select([ + dup49, dup50, - dup51, ]); -var dup101 = linear_select([ +var dup100 = linear_select([ + dup54, dup55, - dup56, ]); -var dup102 = linear_select([ +var dup101 = linear_select([ + dup57, dup58, - dup59, ]); -var dup103 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ - dup24, +var dup102 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var dup104 = linear_select([ +var dup103 = linear_select([ + dup65, dup66, - dup67, ]); -var dup105 = linear_select([ +var dup104 = linear_select([ + dup67, dup68, - dup69, ]); -var dup106 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ +var dup105 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var dup107 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup24, +var dup106 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var dup108 = linear_select([ +var dup107 = linear_select([ + dup70, dup71, - dup72, ]); -var dup109 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup62, +var dup108 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, dup2, dup3, dup4, @@ -404,7 +402,7 @@ var select1 = linear_select([ hdr12, ]); -var msg1 = msg("LOG-7-SYSTEM_MSG", dup87); +var msg1 = msg("LOG-7-SYSTEM_MSG", dup86); var part1 = match("MESSAGE#1:SYSTEM_MSG", "nwparser.payload", "error: PAM: Authentication failure for illegal user %{username->} from %{saddr->} - %{agent}[%{process_id}]", processor_chain([ dup5, @@ -504,7 +502,7 @@ var select4 = linear_select([ part14, ]); -var part15 = match("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "%{agent}"); +var part15 = match_copy("MESSAGE#7:SYSTEM_MSG:03/3", "nwparser.p0", "agent"); var all2 = all_match({ processors: [ @@ -713,16 +711,16 @@ var msg23 = msg("SYSTEM_MSG:23", part36); var part37 = match("MESSAGE#23:SYSTEM_MSG:24/0", "nwparser.payload", "delete user %{p0}"); -var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{username}'%{p0}"); +var part38 = match("MESSAGE#23:SYSTEM_MSG:24/1_0", "nwparser.p0", "`%{p0}"); -var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{username}'%{p0}"); +var part39 = match("MESSAGE#23:SYSTEM_MSG:24/1_1", "nwparser.p0", "'%{p0}"); var select7 = linear_select([ part38, part39, ]); -var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "%{}- %{agent}[%{process_id}]"); +var part40 = match("MESSAGE#23:SYSTEM_MSG:24/2", "nwparser.p0", "'%{username->} - %{agent}[%{process_id}]"); var all5 = all_match({ processors: [ @@ -743,16 +741,15 @@ var all5 = all_match({ var msg24 = msg("SYSTEM_MSG:24", all5); -var part41 = match("MESSAGE#24:SYSTEM_MSG:08/1_0", "nwparser.p0", "%{event_description->} - %{agent}"); +var part41 = match("MESSAGE#24:SYSTEM_MSG:08/0_0", "nwparser.payload", "%{event_description->} - %{agent}"); var select8 = linear_select([ part41, - dup22, + dup21, ]); var all6 = all_match({ processors: [ - dup21, select8, ], on_success: processor_chain([ @@ -802,7 +799,7 @@ var part42 = match("MESSAGE#25:VDC_HOSTNAME_CHANGE", "nwparser.payload", "%{fld1 var msg26 = msg("VDC_HOSTNAME_CHANGE", part42); var part43 = match("MESSAGE#26:POLICY_ACTIVATE_EVENT", "nwparser.payload", "Policy %{policyname->} is activated by profile %{username}", processor_chain([ - dup23, + dup22, dup2, dup3, dup4, @@ -865,12 +862,12 @@ var select10 = linear_select([ msg32, ]); -var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup88); +var msg33 = msg("NEIGHBOR_UPDATE_AUTOCOPY", dup87); -var msg34 = msg("MTSERROR", dup87); +var msg34 = msg("MTSERROR", dup86); var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Interface %{interface->} is down (Error disabled. Reason:%{result})", processor_chain([ - dup24, + dup23, dup2, dup3, dup4, @@ -878,39 +875,39 @@ var part49 = match("MESSAGE#34:IF_DOWN_ERROR_DISABLED", "nwparser.payload", "Int var msg35 = msg("IF_DOWN_ERROR_DISABLED", part49); -var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup89); +var msg36 = msg("IF_DOWN_ADMIN_DOWN", dup88); -var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup90); +var msg37 = msg("IF_DOWN_ADMIN_DOWN:01", dup89); var select11 = linear_select([ msg36, msg37, ]); -var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup91); +var msg38 = msg("IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", dup90); -var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup92); +var msg39 = msg("IF_DOWN_INTERFACE_REMOVED", dup91); var part50 = match("MESSAGE#39:IF_DOWN_LINK_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, + dup23, dup2, dup3, dup4, - dup26, + dup25, ])); var msg40 = msg("IF_DOWN_LINK_FAILURE", part50); -var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup90); +var msg41 = msg("IF_DOWN_LINK_FAILURE:01", dup89); var select12 = linear_select([ msg40, msg41, ]); -var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup92); +var msg42 = msg("IF_DOWN_MODULE_REMOVED", dup91); -var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup89); +var msg43 = msg("IF_DOWN_PORT_CHANNEL_MEMBERS_DOWN", dup88); var part51 = match("MESSAGE#43:IF_DUPLEX", "nwparser.payload", "Interface %{interface}, operational duplex mode changed to %{result}", processor_chain([ dup15, @@ -927,8 +924,8 @@ var part52 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/0", "nwparser.payload", "Inter var all7 = all_match({ processors: [ part52, - dup93, - dup29, + dup92, + dup28, ], on_success: processor_chain([ dup15, @@ -941,8 +938,8 @@ var all7 = all_match({ var msg45 = msg("IF_RX_FLOW_CONTROL", all7); -var part53 = match("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ - dup24, +var part53 = match_copy("MESSAGE#45:IF_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ + dup23, dup2, dup3, dup4, @@ -955,8 +952,8 @@ var part54 = match("MESSAGE#46:IF_TX_FLOW_CONTROL/0", "nwparser.payload", "Inter var all8 = all_match({ processors: [ part54, - dup93, - dup29, + dup92, + dup28, ], on_success: processor_chain([ dup15, @@ -1005,7 +1002,7 @@ var part57 = match("MESSAGE#49:SPEED", "nwparser.payload", "Interface %{interfac var msg50 = msg("SPEED", part57); var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} created", processor_chain([ - dup30, + dup29, dup2, dup3, dup4, @@ -1014,7 +1011,7 @@ var part58 = match("MESSAGE#50:CREATED", "nwparser.payload", "%{group_object->} var msg51 = msg("CREATED", part58); var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object}: first operational port changed from %{change_old->} to %{change_new}", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -1023,7 +1020,7 @@ var part59 = match("MESSAGE#51:FOP_CHANGED", "nwparser.payload", "%{group_object var msg52 = msg("FOP_CHANGED", part59); var part60 = match("MESSAGE#52:PORT_DOWN", "nwparser.payload", "%{group_object}: %{interface->} is down", processor_chain([ - dup24, + dup23, dup2, dup3, dup4, @@ -1041,7 +1038,7 @@ var part61 = match("MESSAGE#53:PORT_UP", "nwparser.payload", "%{group_object}: % var msg54 = msg("PORT_UP", part61); var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Interface %{interface->} is added to %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup30, + dup29, dup2, dup3, dup4, @@ -1050,7 +1047,7 @@ var part62 = match("MESSAGE#54:SUBGROUP_ID_PORT_ADDED", "nwparser.payload", "Int var msg55 = msg("SUBGROUP_ID_PORT_ADDED", part62); var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "Interface %{interface->} is removed from %{group_object->} with subgroup id %{fld20}", processor_chain([ - dup25, + dup24, dup2, dup3, dup4, @@ -1058,24 +1055,24 @@ var part63 = match("MESSAGE#55:SUBGROUP_ID_PORT_REMOVED", "nwparser.payload", "I var msg56 = msg("SUBGROUP_ID_PORT_REMOVED", part63); -var msg57 = msg("MTS_DROP", dup88); +var msg57 = msg("MTS_DROP", dup87); -var msg58 = msg("SYSLOG_LOG_WARNING", dup88); +var msg58 = msg("SYSLOG_LOG_WARNING", dup87); -var msg59 = msg("IM_SEQ_ERROR", dup94); +var msg59 = msg("IM_SEQ_ERROR", dup93); -var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup88); +var msg60 = msg("ADDON_IMG_DNLD_COMPLETE", dup87); -var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup88); +var msg61 = msg("ADDON_IMG_DNLD_STARTED", dup87); -var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup88); +var msg62 = msg("ADDON_IMG_DNLD_SUCCESSFUL", dup87); -var msg63 = msg("IMG_DNLD_COMPLETE", dup88); +var msg63 = msg("IMG_DNLD_COMPLETE", dup87); -var msg64 = msg("IMG_DNLD_STARTED", dup88); +var msg64 = msg("IMG_DNLD_STARTED", dup87); -var part64 = match("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "%{result}", processor_chain([ - dup32, +var part64 = match_copy("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "result", processor_chain([ + dup31, dup2, dup3, dup4, @@ -1083,7 +1080,7 @@ var part64 = match("MESSAGE#64:PORT_SOFTWARE_FAILURE", "nwparser.payload", "%{re var msg65 = msg("PORT_SOFTWARE_FAILURE", part64); -var msg66 = msg("MSM_CRIT", dup94); +var msg66 = msg("MSM_CRIT", dup93); var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authentication failed for a login from %{shost->} (%{result})", processor_chain([ dup5, @@ -1095,10 +1092,10 @@ var part65 = match("MESSAGE#66:LOG_CMP_AAA_FAILURE", "nwparser.payload", "Authen var msg67 = msg("LOG_CMP_AAA_FAILURE", part65); -var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup88); +var msg68 = msg("LOG_LIC_N1K_EXPIRY_WARNING", dup87); var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of module %{fld20->} (serial: %{serial_number}) failed", processor_chain([ - dup33, + dup32, dup2, dup3, dup4, @@ -1107,7 +1104,7 @@ var part66 = match("MESSAGE#68:MOD_FAIL", "nwparser.payload", "Initialization of var msg69 = msg("MOD_FAIL", part66); var part67 = match("MESSAGE#69:MOD_MAJORSWFAIL", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported a critical failure in service %{fld22}", processor_chain([ - dup34, + dup33, dup2, dup3, dup4, @@ -1125,7 +1122,7 @@ var part68 = match("MESSAGE#70:MOD_SRG_NOT_COMPATIBLE", "nwparser.payload", "Mod var msg71 = msg("MOD_SRG_NOT_COMPATIBLE", part68); var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warnings on %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup33, + dup32, dup2, dup3, dup4, @@ -1134,7 +1131,7 @@ var part69 = match("MESSAGE#71:MOD_WARNING:01", "nwparser.payload", "Module %{fl var msg72 = msg("MOD_WARNING:01", part69); var part70 = match("MESSAGE#72:MOD_WARNING", "nwparser.payload", "Module %{fld20->} (serial: %{serial_number}) reported warning %{info->} due to %{result->} in device %{fld23->} (device error %{fld22})", processor_chain([ - dup33, + dup32, dup2, dup3, dup4, @@ -1194,13 +1191,13 @@ var part75 = match("MESSAGE#77:DISPUTE_DETECTED", "nwparser.payload", "Dispute d var msg78 = msg("DISPUTE_DETECTED", part75); -var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup88); +var msg79 = msg("DOMAIN_CFG_SYNC_DONE", dup87); -var msg80 = msg("CHASSIS_CLKMODOK", dup88); +var msg80 = msg("CHASSIS_CLKMODOK", dup87); -var msg81 = msg("CHASSIS_CLKSRC", dup88); +var msg81 = msg("CHASSIS_CLKSRC", dup87); -var msg82 = msg("FAN_OK", dup88); +var msg82 = msg("FAN_OK", dup87); var part76 = match("MESSAGE#82:MOD_DETECT", "nwparser.payload", "Module %{fld19->} detected (Serial number %{serial_number}) Module-Type %{fld20->} Model %{fld21}", processor_chain([ dup15, @@ -1230,7 +1227,7 @@ var part78 = match("MESSAGE#84:MOD_PWRUP", "nwparser.payload", "Module %{fld19-> var msg85 = msg("MOD_PWRUP", part78); var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19->} removed (Serial number %{serial_number})", processor_chain([ - dup25, + dup24, dup2, dup3, dup4, @@ -1238,21 +1235,21 @@ var part79 = match("MESSAGE#85:MOD_REMOVE", "nwparser.payload", "Module %{fld19- var msg86 = msg("MOD_REMOVE", part79); -var msg87 = msg("PFM_MODULE_POWER_ON", dup88); +var msg87 = msg("PFM_MODULE_POWER_ON", dup87); -var msg88 = msg("PFM_SYSTEM_RESET", dup88); +var msg88 = msg("PFM_SYSTEM_RESET", dup87); -var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup95); +var msg89 = msg("PFM_VEM_REMOVE_NO_HB", dup94); -var msg90 = msg("PFM_VEM_REMOVE_RESET", dup95); +var msg90 = msg("PFM_VEM_REMOVE_RESET", dup94); -var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup95); +var msg91 = msg("PFM_VEM_REMOVE_STATE_CONFLICT", dup94); -var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup95); +var msg92 = msg("PFM_VEM_REMOVE_TWO_ACT_VSM", dup94); -var msg93 = msg("PFM_VEM_UNLICENSED", dup88); +var msg93 = msg("PFM_VEM_UNLICENSED", dup87); -var msg94 = msg("PS_FANOK", dup88); +var msg94 = msg("PS_FANOK", dup87); var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19->} ok (Serial number %{serial_number})", processor_chain([ dup15, @@ -1263,8 +1260,8 @@ var part80 = match("MESSAGE#94:PS_OK", "nwparser.payload", "Power supply %{fld19 var msg95 = msg("PS_OK", part80); -var part81 = match("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "%{event_description}", processor_chain([ - dup32, +var part81 = match_copy("MESSAGE#95:MOD_BRINGUP_MULTI_LIMIT", "nwparser.payload", "event_description", processor_chain([ + dup31, dup2, dup3, dup4, @@ -1281,7 +1278,7 @@ var part82 = match("MESSAGE#96:FAN_DETECT", "nwparser.payload", "Fan module %{fl var msg97 = msg("FAN_DETECT", part82); -var msg98 = msg("MOD_STATUS", dup88); +var msg98 = msg("MOD_STATUS", dup87); var part83 = match("MESSAGE#98:PEER_VPC_CFGD_VLANS_CHANGED", "nwparser.payload", "Peer vPC %{obj_name->} configured vlans changed", processor_chain([ dup15, @@ -1302,7 +1299,7 @@ var part84 = match("MESSAGE#99:PEER_VPC_DELETED", "nwparser.payload", "Peer vPC var msg100 = msg("PEER_VPC_DELETED", part84); -var msg101 = msg("PFM_VEM_DETECTED", dup88); +var msg101 = msg("PFM_VEM_DETECTED", dup87); var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{fld19->} found (Serial number %{serial_number})", processor_chain([ dup15, @@ -1313,16 +1310,15 @@ var part85 = match("MESSAGE#101:PS_FOUND", "nwparser.payload", "Power supply %{f var msg102 = msg("PS_FOUND", part85); -var part86 = match("MESSAGE#102:PS_STATUS/1_0", "nwparser.p0", "PowerSupply %{fld1->} current-status is %{disposition}"); +var part86 = match("MESSAGE#102:PS_STATUS/0_0", "nwparser.payload", "PowerSupply %{fld1->} current-status is %{disposition}"); var select15 = linear_select([ part86, - dup22, + dup21, ]); var all9 = all_match({ processors: [ - dup21, select15, ], on_success: processor_chain([ @@ -1344,25 +1340,25 @@ var part87 = match("MESSAGE#103:PS_CAPACITY_CHANGE:01", "nwparser.payload", "Pow var msg104 = msg("PS_CAPACITY_CHANGE:01", part87); -var msg105 = msg("PS_CAPACITY_CHANGE", dup88); +var msg105 = msg("PS_CAPACITY_CHANGE", dup87); var select16 = linear_select([ msg104, msg105, ]); -var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup89); +var msg106 = msg("IF_DOWN_FCOT_NOT_PRESENT", dup88); -var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup90); +var msg107 = msg("IF_DOWN_FCOT_NOT_PRESENT:01", dup89); var select17 = linear_select([ msg106, msg107, ]); -var msg108 = msg("IF_DOWN_INITIALIZING", dup91); +var msg108 = msg("IF_DOWN_INITIALIZING", dup90); -var msg109 = msg("IF_DOWN_INITIALIZING:01", dup96); +var msg109 = msg("IF_DOWN_INITIALIZING:01", dup95); var select18 = linear_select([ msg108, @@ -1370,9 +1366,9 @@ var select18 = linear_select([ ]); var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, + dup23, + dup34, dup35, - dup36, dup14, dup2, dup3, @@ -1381,28 +1377,28 @@ var part88 = match("MESSAGE#109:IF_DOWN_NONE", "nwparser.payload", "Interface %{ var msg110 = msg("IF_DOWN_NONE", part88); -var msg111 = msg("IF_DOWN_NONE:01", dup97); +var msg111 = msg("IF_DOWN_NONE:01", dup96); var select19 = linear_select([ msg110, msg111, ]); -var msg112 = msg("IF_DOWN_NOS_RCVD", dup89); +var msg112 = msg("IF_DOWN_NOS_RCVD", dup88); -var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup90); +var msg113 = msg("IF_DOWN_NOS_RCVD:01", dup89); var select20 = linear_select([ msg112, msg113, ]); -var msg114 = msg("IF_DOWN_OFFLINE", dup89); +var msg114 = msg("IF_DOWN_OFFLINE", dup88); -var msg115 = msg("IF_DOWN_OLS_RCVD", dup89); +var msg115 = msg("IF_DOWN_OLS_RCVD", dup88); var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup32, + dup31, dup2, dup3, dup4, @@ -1410,10 +1406,10 @@ var part89 = match("MESSAGE#115:IF_DOWN_SOFTWARE_FAILURE", "nwparser.payload", " var msg116 = msg("IF_DOWN_SOFTWARE_FAILURE", part89); -var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup91); +var msg117 = msg("IF_DOWN_SRC_PORT_NOT_BOUND", dup90); var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface %{interface}, vsan %{fld20->} is down (%{info})", processor_chain([ - dup24, + dup23, dup2, dup3, dup4, @@ -1422,7 +1418,7 @@ var part90 = match("MESSAGE#117:IF_TRUNK_DOWN", "nwparser.payload", "Interface % var msg118 = msg("IF_TRUNK_DOWN", part90); var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} down", processor_chain([ - dup24, + dup23, dup2, dup3, dup4, @@ -1431,7 +1427,7 @@ var part91 = match("MESSAGE#118:IF_TRUNK_DOWN:01", "nwparser.payload", "Interfac var msg119 = msg("IF_TRUNK_DOWN:01", part91); var part92 = match("MESSAGE#119:IF_TRUNK_DOWN:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is down %{info}", processor_chain([ - dup24, + dup23, dup2, dup3, dup4, @@ -1455,7 +1451,7 @@ var part93 = match("MESSAGE#120:IF_TRUNK_UP", "nwparser.payload", "Interface %{i var msg121 = msg("IF_TRUNK_UP", part93); var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface %{interface}, vlan %{vlan->} up", processor_chain([ - dup24, + dup23, dup2, dup3, dup4, @@ -1464,7 +1460,7 @@ var part94 = match("MESSAGE#121:IF_TRUNK_UP:01", "nwparser.payload", "Interface var msg122 = msg("IF_TRUNK_UP:01", part94); var part95 = match("MESSAGE#122:IF_TRUNK_UP:02", "nwparser.payload", "%{fld43->} Interface %{interface}, vsan %{vlan->} is up %{info}", processor_chain([ - dup24, + dup23, dup2, dup3, dup4, @@ -1478,7 +1474,7 @@ var select22 = linear_select([ msg123, ]); -var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup98); +var msg124 = msg("PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", dup97); var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "Interface %{interface->} is inheriting port-profile %{fld20}", processor_chain([ dup15, @@ -1489,7 +1485,7 @@ var part96 = match("MESSAGE#124:IF_PORTPROFILE_ATTACHED", "nwparser.payload", "I var msg125 = msg("IF_PORTPROFILE_ATTACHED", part96); -var msg126 = msg("STANDBY_SUP_OK", dup88); +var msg126 = msg("STANDBY_SUP_OK", dup87); var part97 = match("MESSAGE#126:STM_LOOP_DETECT", "nwparser.payload", "Loops detected in the network among ports %{portname->} and %{info->} vlan %{vlan->} - %{result}", processor_chain([ dup15, @@ -1510,12 +1506,12 @@ var part98 = match("MESSAGE#127:SYNC_COMPLETE", "nwparser.payload", "Sync comple var msg128 = msg("SYNC_COMPLETE", part98); -var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup98); +var msg129 = msg("PVLAN_PPM_PORT_CONFIG_FAILED", dup97); -var msg130 = msg("MESG", dup88); +var msg130 = msg("MESG", dup87); var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", processor_chain([ - dup34, + dup33, dup2, dup3, dup4, @@ -1523,7 +1519,7 @@ var part99 = match("MESSAGE#130:ERR_MSG", "nwparser.payload", "ERROR:%{result}", var msg131 = msg("ERR_MSG", part99); -var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup98); +var msg132 = msg("RM_VICPP_RECREATE_ERROR", dup97); var part100 = match("MESSAGE#132:CFGWRITE_ABORTED_LOCK", "nwparser.payload", "Unable to lock the configuration (error-id %{resultcode}). Aborting configuration copy.", processor_chain([ dup15, @@ -1543,17 +1539,15 @@ var part101 = match("MESSAGE#133:CFGWRITE_FAILED", "nwparser.payload", "Configur var msg134 = msg("CFGWRITE_FAILED", part101); -var msg135 = msg("CFGWRITE_ABORTED", dup88); +var msg135 = msg("CFGWRITE_ABORTED", dup87); -var msg136 = msg("CFGWRITE_DONE", dup88); +var msg136 = msg("CFGWRITE_DONE", dup87); -var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", " %{event_description->} (PID %{process_id})."); - -var part103 = match("MESSAGE#136:CFGWRITE_STARTED/0_1", "nwparser.payload", "%{event_description}"); +var part102 = match("MESSAGE#136:CFGWRITE_STARTED/0_0", "nwparser.payload", "%{event_description->} (PID %{process_id})."); var select23 = linear_select([ part102, - part103, + dup21, ]); var all10 = all_match({ @@ -1570,93 +1564,93 @@ var all10 = all_match({ var msg137 = msg("CFGWRITE_STARTED", all10); -var msg138 = msg("IF_ATTACHED", dup88); +var msg138 = msg("IF_ATTACHED", dup87); -var msg139 = msg("IF_DELETE_AUTO", dup95); +var msg139 = msg("IF_DELETE_AUTO", dup94); -var part104 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ - dup25, +var part103 = match("MESSAGE#139:IF_DETACHED", "nwparser.payload", "Interface %{interface->} is detached", processor_chain([ + dup24, dup2, dup3, dup4, ])); -var msg140 = msg("IF_DETACHED", part104); +var msg140 = msg("IF_DETACHED", part103); -var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup95); +var msg141 = msg("IF_DETACHED_MODULE_REMOVED", dup94); -var msg142 = msg("IF_DOWN_INACTIVE", dup89); +var msg142 = msg("IF_DOWN_INACTIVE", dup88); -var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup89); +var msg143 = msg("IF_DOWN_NON_PARTICIPATING", dup88); -var part105 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ - dup24, +var part104 = match("MESSAGE#143:IF_DOWN_VEM_UNLICENSED", "nwparser.payload", "Interface %{interface->} is down", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part105); +var msg144 = msg("IF_DOWN_VEM_UNLICENSED", part104); -var part106 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ - dup37, +var part105 = match("MESSAGE#144:CONN_CONNECT", "nwparser.payload", "Connection %{hostname->} connected to the vCenter Server.", processor_chain([ + dup36, dup2, dup3, dup4, ])); -var msg145 = msg("CONN_CONNECT", part106); +var msg145 = msg("CONN_CONNECT", part105); -var part107 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ +var part106 = match("MESSAGE#145:CONN_DISCONNECT", "nwparser.payload", "Connection %{hostname->} disconnected from the vCenter Server.", processor_chain([ setc("eventcategory","1801030000"), dup2, dup3, dup4, ])); -var msg146 = msg("CONN_DISCONNECT", part107); +var msg146 = msg("CONN_DISCONNECT", part106); -var part108 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ - dup30, +var part107 = match("MESSAGE#146:DVPG_CREATE", "nwparser.payload", "created port-group %{info->} on the vCenter Server.", processor_chain([ + dup29, dup2, dup3, dup4, ])); -var msg147 = msg("DVPG_CREATE", part108); +var msg147 = msg("DVPG_CREATE", part107); -var part109 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ - dup25, +var part108 = match("MESSAGE#147:DVPG_DELETE", "nwparser.payload", "deleted port-group %{info->} from the vCenter Server.", processor_chain([ + dup24, dup2, dup3, dup4, ])); -var msg148 = msg("DVPG_DELETE", part109); +var msg148 = msg("DVPG_DELETE", part108); -var msg149 = msg("DVS_HOSTMEMBER_INFO", dup88); +var msg149 = msg("DVS_HOSTMEMBER_INFO", dup87); -var part110 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ +var part109 = match("MESSAGE#149:DVS_NAME_CHANGE", "nwparser.payload", "Changed dvswitch name to %{info->} on the vCenter Server.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg150 = msg("DVS_NAME_CHANGE", part110); +var msg150 = msg("DVS_NAME_CHANGE", part109); -var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup88); +var msg151 = msg("VMS_PPM_SYNC_COMPLETE", dup87); -var part111 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ +var part110 = match("MESSAGE#151:VPC_DELETED", "nwparser.payload", "vPC %{obj_name->} is deleted", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg152 = msg("VPC_DELETED", part111); +var msg152 = msg("VPC_DELETED", part110); -var part112 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ +var part111 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} is up", processor_chain([ dup8, dup2, dup3, @@ -1664,22 +1658,22 @@ var part112 = match("MESSAGE#152:VPC_UP", "nwparser.payload", "vPC %{obj_name->} setc("event_description","VPC is up"), ])); -var msg153 = msg("VPC_UP", part112); +var msg153 = msg("VPC_UP", part111); -var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); +var part112 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/0", "nwparser.payload", "Configured from vty by %{username->} on %{p0}"); -var part114 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); +var part113 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_0", "nwparser.p0", "%{saddr}@%{terminal}"); -var part115 = match("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "%{saddr}"); +var part114 = match_copy("MESSAGE#153:VSHD_SYSLOG_CONFIG_I/1_1", "nwparser.p0", "saddr"); var select24 = linear_select([ + part113, part114, - part115, ]); var all11 = all_match({ processors: [ - part113, + part112, select24, ], on_success: processor_chain([ @@ -1692,44 +1686,44 @@ var all11 = all_match({ var msg154 = msg("VSHD_SYSLOG_CONFIG_I", all11); -var part116 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ +var part115 = match("MESSAGE#154:VSHD_SYSLOG_CONFIG_I:01", "nwparser.payload", "Configuring console from %{fld43->} %{saddr}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part116); +var msg155 = msg("VSHD_SYSLOG_CONFIG_I:01", part115); var select25 = linear_select([ msg154, msg155, ]); -var part117 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ - dup24, +var part116 = match("MESSAGE#155:AAA_ACCOUNTING_MESSAGE:18", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{event_description}; feature %{protocol->} (%{result})", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part117); +var msg156 = msg("AAA_ACCOUNTING_MESSAGE:18", part116); -var part118 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ - dup23, +var part117 = match("MESSAGE#156:AAA_ACCOUNTING_MESSAGE:17", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:enabled telnet", processor_chain([ + dup22, + dup37, dup38, - dup39, dup17, dup2, dup3, dup4, + dup39, dup40, - dup41, ])); -var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part118); +var msg157 = msg("AAA_ACCOUNTING_MESSAGE:17", part117); -var part119 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ +var part118 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "start:%{saddr}@%{application}:%{username}", processor_chain([ dup15, dup2, dup3, @@ -1737,189 +1731,189 @@ var part119 = match("MESSAGE#157:AAA_ACCOUNTING_MESSAGE", "nwparser.payload", "s setc("event_description","program start"), ])); -var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part119); +var msg158 = msg("AAA_ACCOUNTING_MESSAGE", part118); -var part120 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ +var part119 = match("MESSAGE#158:AAA_ACCOUNTING_MESSAGE:08", "nwparser.payload", "start:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part120); +var msg159 = msg("AAA_ACCOUNTING_MESSAGE:08", part119); -var part121 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ +var part120 = match("MESSAGE#159:AAA_ACCOUNTING_MESSAGE:03", "nwparser.payload", "start:%{saddr}(%{terminal}):%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part121); +var msg160 = msg("AAA_ACCOUNTING_MESSAGE:03", part120); -var part122 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ +var part121 = match("MESSAGE#160:AAA_ACCOUNTING_MESSAGE:19", "nwparser.payload", "start:%{fld40}:%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part122); +var msg161 = msg("AAA_ACCOUNTING_MESSAGE:19", part121); -var part123 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ +var part122 = match("MESSAGE#161:AAA_ACCOUNTING_MESSAGE:22", "nwparser.payload", "update:::added user %{username}", processor_chain([ dup19, dup2, dup3, dup4, ])); -var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part123); +var msg162 = msg("AAA_ACCOUNTING_MESSAGE:22", part122); -var part124 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ +var part123 = match("MESSAGE#162:AAA_ACCOUNTING_MESSAGE:23", "nwparser.payload", "update:::%{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part124); +var msg163 = msg("AAA_ACCOUNTING_MESSAGE:23", part123); -var part125 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ +var part124 = match("MESSAGE#163:AAA_ACCOUNTING_MESSAGE:11", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport}) deleted", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part125); +var msg164 = msg("AAA_ACCOUNTING_MESSAGE:11", part124); -var part126 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ +var part125 = match("MESSAGE#164:AAA_ACCOUNTING_MESSAGE:12", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:target (name:%{dhost->} address:%{daddr}:%{dport->} timeout:%{fld44->} retry:%{fld45->} tagList:trap params:%{fld46}) added", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part126); +var msg165 = msg("AAA_ACCOUNTING_MESSAGE:12", part125); -var part127 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ +var part126 = match("MESSAGE#165:AAA_ACCOUNTING_MESSAGE:13", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to up", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part127); +var msg166 = msg("AAA_ACCOUNTING_MESSAGE:13", part126); -var part128 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ +var part127 = match("MESSAGE#166:AAA_ACCOUNTING_MESSAGE:14", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Interface %{interface->} state updated to down", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part128); +var msg167 = msg("AAA_ACCOUNTING_MESSAGE:14", part127); -var part129 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ +var part128 = match("MESSAGE#167:AAA_ACCOUNTING_MESSAGE:15", "nwparser.payload", "update:snmp_%{fld43}_%{saddr}:%{username}:Performing configuration copy.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part129); +var msg168 = msg("AAA_ACCOUNTING_MESSAGE:15", part128); -var part130 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ +var part129 = match("MESSAGE#168:AAA_ACCOUNTING_MESSAGE:16", "nwparser.payload", "update:%{saddr}@%{application}:%{username}:terminal length %{dclass_counter1->} (%{result})", processor_chain([ dup15, dup2, dup3, dup4, - dup42, + dup41, ])); -var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part130); +var msg169 = msg("AAA_ACCOUNTING_MESSAGE:16", part129); -var part131 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ +var part130 = match("MESSAGE#169:AAA_ACCOUNTING_MESSAGE:04", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal length %{fld5}:%{result}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part131); +var msg170 = msg("AAA_ACCOUNTING_MESSAGE:04", part130); -var part132 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ +var part131 = match("MESSAGE#170:AAA_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{application}:terminal width %{dclass_counter1->} (%{result})", processor_chain([ dup15, dup2, dup3, dup4, - dup42, + dup41, ])); -var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part132); +var msg171 = msg("AAA_ACCOUNTING_MESSAGE:01", part131); -var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); +var part132 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_0", "nwparser.p0", "configure terminal ; ntp source-interface %{sinterface->} (%{p0}"); -var part134 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); +var part133 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/1_1", "nwparser.p0", "show ntp statistics peer ipaddr %{hostip->} (%{p0}"); var select26 = linear_select([ + part132, part133, - part134, ]); var all12 = all_match({ processors: [ - dup43, + dup42, select26, - dup44, + dup43, ], on_success: processor_chain([ dup15, dup2, dup3, dup4, - dup45, + dup44, ]), }); var msg172 = msg("AAA_ACCOUNTING_MESSAGE:27", all12); -var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); +var part134 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_0", "nwparser.p0", "clock set %{event_time_string->} (%{p0}"); -var part136 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); +var part135 = match("MESSAGE#172:AAA_ACCOUNTING_MESSAGE:28/1_1", "nwparser.p0", "show logging last %{fld1->} (%{p0}"); var select27 = linear_select([ + part134, part135, - part136, ]); var all13 = all_match({ processors: [ - dup43, + dup42, select27, - dup44, + dup43, ], on_success: processor_chain([ dup15, dup2, dup3, dup4, - dup45, + dup44, ]), }); var msg173 = msg("AAA_ACCOUNTING_MESSAGE:28", all13); -var part137 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ +var part136 = match("MESSAGE#173:AAA_ACCOUNTING_MESSAGE:20", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info->} (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part137); +var msg174 = msg("AAA_ACCOUNTING_MESSAGE:20", part136); -var part138 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ +var part137 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:added user %{c_username}", processor_chain([ dup18, dup2, dup3, @@ -1927,12 +1921,12 @@ var part138 = match("MESSAGE#174:AAA_ACCOUNTING_MESSAGE:30", "nwparser.payload", dup11, dup17, setc("event_description","Added user"), - dup45, + dup44, ])); -var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part138); +var msg175 = msg("AAA_ACCOUNTING_MESSAGE:30", part137); -var part139 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ +var part138 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:deleted user %{c_username}", processor_chain([ dup19, dup2, dup3, @@ -1940,66 +1934,66 @@ var part139 = match("MESSAGE#175:AAA_ACCOUNTING_MESSAGE:29", "nwparser.payload", dup11, dup17, setc("event_description","Deleted user"), - dup45, + dup44, ])); -var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part139); +var msg176 = msg("AAA_ACCOUNTING_MESSAGE:29", part138); -var part140 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ +var part139 = match("MESSAGE#176:AAA_ACCOUNTING_MESSAGE:21", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{info}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part140); +var msg177 = msg("AAA_ACCOUNTING_MESSAGE:21", part139); -var part141 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ +var part140 = match("MESSAGE#177:AAA_ACCOUNTING_MESSAGE:07", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal width %{dclass_counter1}:%{result}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part141); +var msg178 = msg("AAA_ACCOUNTING_MESSAGE:07", part140); -var part142 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ +var part141 = match("MESSAGE#178:AAA_ACCOUNTING_MESSAGE:05", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:terminal session-timeout %{fld5}:%{result}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part142); +var msg179 = msg("AAA_ACCOUNTING_MESSAGE:05", part141); -var part143 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ +var part142 = match("MESSAGE#179:AAA_ACCOUNTING_MESSAGE:10", "nwparser.payload", "update:%{saddr}(%{fld3}):%{username}:copy %{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part143); +var msg180 = msg("AAA_ACCOUNTING_MESSAGE:10", part142); -var part144 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ +var part143 = match("MESSAGE#180:AAA_ACCOUNTING_MESSAGE:24", "nwparser.payload", "update:%{terminal}:%{username}: %{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part144); +var msg181 = msg("AAA_ACCOUNTING_MESSAGE:24", part143); -var part145 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ +var part144 = match("MESSAGE#181:AAA_ACCOUNTING_MESSAGE:06", "nwparser.payload", "stop:%{saddr}(%{fld3}):%{username}:shell terminated", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part145); +var msg182 = msg("AAA_ACCOUNTING_MESSAGE:06", part144); -var part146 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ +var part145 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:shell %{result}", processor_chain([ dup15, dup2, dup3, @@ -2007,34 +2001,34 @@ var part146 = match("MESSAGE#182:AAA_ACCOUNTING_MESSAGE:02", "nwparser.payload", setc("event_description","shell terminated"), ])); -var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part146); +var msg183 = msg("AAA_ACCOUNTING_MESSAGE:02", part145); -var part147 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ +var part146 = match("MESSAGE#183:AAA_ACCOUNTING_MESSAGE:25", "nwparser.payload", "stop:%{saddr}@%{terminal}:%{username}:%{fld40}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part147); +var msg184 = msg("AAA_ACCOUNTING_MESSAGE:25", part146); -var part148 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ +var part147 = match("MESSAGE#184:AAA_ACCOUNTING_MESSAGE:09", "nwparser.payload", "stop:snmp_%{fld43}_%{saddr}:%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part148); +var msg185 = msg("AAA_ACCOUNTING_MESSAGE:09", part147); -var part149 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ +var part148 = match("MESSAGE#185:AAA_ACCOUNTING_MESSAGE:26", "nwparser.payload", "stop:%{terminal}:%{username}:", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part149); +var msg186 = msg("AAA_ACCOUNTING_MESSAGE:26", part148); var select28 = linear_select([ msg156, @@ -2072,19 +2066,19 @@ var select28 = linear_select([ var all14 = all_match({ processors: [ - dup46, + dup45, + dup98, + dup48, dup99, - dup49, - dup100, + dup51, + dup98, dup52, dup99, dup53, dup100, - dup54, + dup56, dup101, - dup57, - dup102, - dup60, + dup59, ], on_success: processor_chain([ dup15, @@ -2092,36 +2086,36 @@ var all14 = all_match({ dup3, dup4, setc("event_description","ACL Log Flow Interval"), - dup61, + dup60, ]), }); var msg187 = msg("ACLLOG_FLOW_INTERVAL", all14); -var part150 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ +var part149 = match("MESSAGE#187:ACLLOG_MAXFLOW_REACHED", "nwparser.payload", "Maximum limit %{fld3->} reached for number of flows", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part150); +var msg188 = msg("ACLLOG_MAXFLOW_REACHED", part149); var all15 = all_match({ processors: [ - dup46, + dup45, + dup98, + dup48, dup99, - dup49, - dup100, + dup51, + dup98, dup52, dup99, dup53, dup100, - dup54, + dup56, dup101, - dup57, - dup102, - dup60, + dup59, ], on_success: processor_chain([ dup15, @@ -2129,13 +2123,13 @@ var all15 = all_match({ dup3, dup4, setc("event_description","ACL Lof New Flow"), - dup61, + dup60, ]), }); var msg189 = msg("ACLLOG_NEW_FLOW", all15); -var part151 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ +var part150 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{process->} [%{process_id}] Source address of packet received from %{smacaddr->} on %{vlan}(%{interface}) is duplicate of local virtual ip, %{saddr}", processor_chain([ dup1, dup2, dup3, @@ -2143,88 +2137,88 @@ var part151 = match("MESSAGE#189:DUP_VADDR_SRC_IP", "nwparser.payload", "%{proce setc("event_description","Source address of packet received on vlan is duplicate of local virtual ip"), ])); -var msg190 = msg("DUP_VADDR_SRC_IP", part151); +var msg190 = msg("DUP_VADDR_SRC_IP", part150); -var part152 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ +var part151 = match("MESSAGE#190:IF_ERROR_VLANS_REMOVED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are removed from suspended state.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg191 = msg("IF_ERROR_VLANS_REMOVED", part152); +var msg191 = msg("IF_ERROR_VLANS_REMOVED", part151); -var part153 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ +var part152 = match("MESSAGE#191:IF_ERROR_VLANS_SUSPENDED", "nwparser.payload", "VLANs %{vlan->} on Interface %{sinterface->} are being suspended. (Reason: %{info})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part153); +var msg192 = msg("IF_ERROR_VLANS_SUSPENDED", part152); -var part154 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ +var part153 = match("MESSAGE#192:IF_DOWN_CFG_CHANGE", "nwparser.payload", "Interface %{sinterface->} is down(%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg193 = msg("IF_DOWN_CFG_CHANGE", part154); +var msg193 = msg("IF_DOWN_CFG_CHANGE", part153); -var part155 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ +var part154 = match("MESSAGE#193:PFM_CLOCK_CHANGE", "nwparser.payload", "Clock setting has been changed on the system. Please be aware that clock changes will force a recheckout of all existing VEM licenses. During this recheckout procedure, licensed VEMs which are offline will lose their licenses.%{}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg194 = msg("PFM_CLOCK_CHANGE", part155); +var msg194 = msg("PFM_CLOCK_CHANGE", part154); -var part156 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ +var part155 = match("MESSAGE#194:SYNC_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in syncing messages to standby for vdc %{fld3->} causing standby to reset.", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part156); +var msg195 = msg("SYNC_FAILURE_STANDBY_RESET", part155); -var part157 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ +var part156 = match("MESSAGE#195:snmpd", "nwparser.payload", "snmp_pss_snapshot : Copying local engine DB PSS file to url%{}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg196 = msg("snmpd", part157); +var msg196 = msg("snmpd", part156); -var part158 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ +var part157 = match("MESSAGE#196:snmpd:01", "nwparser.payload", "SNMPD_SYSLOG_CONFIG_I: Configuration update from %{fld43}_%{saddr->} %{info}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg197 = msg("snmpd:01", part158); +var msg197 = msg("snmpd:01", part157); var select29 = linear_select([ msg196, msg197, ]); -var part159 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ +var part158 = match("MESSAGE#197:CFGWRITE_USER_ABORT", "nwparser.payload", "Configuration copy aborted by the user.%{}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg198 = msg("CFGWRITE_USER_ABORT", part159); +var msg198 = msg("CFGWRITE_USER_ABORT", part158); -var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup96); +var msg199 = msg("IF_DOWN_BIT_ERR_RT_THRES_EXCEEDED", dup95); -var part160 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ +var part159 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{dclass_counter1->} time", processor_chain([ dup15, dup2, dup3, @@ -2233,57 +2227,57 @@ var part160 = match("MESSAGE#199:last", "nwparser.payload", "message repeated %{ setc("dclass_counter1_string","Number of times repeated"), ])); -var msg200 = msg("last", part160); +var msg200 = msg("last", part159); -var part161 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ - dup33, +var part160 = match("MESSAGE#200:SERVICE_CRASHED", "nwparser.payload", "Service %{service->} (PID %{parent_pid}) hasn't caught signal %{fld43->} (%{result}).", processor_chain([ + dup32, dup2, dup3, dup4, ])); -var msg201 = msg("SERVICE_CRASHED", part161); +var msg201 = msg("SERVICE_CRASHED", part160); -var part162 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ - dup62, +var part161 = match("MESSAGE#201:SERVICELOST", "nwparser.payload", "Service %{service->} lost on WCCP Client %{saddr}", processor_chain([ + dup61, dup2, dup3, dup4, setc("event_description","Service lost on WCCP Client"), ])); -var msg202 = msg("SERVICELOST", part162); +var msg202 = msg("SERVICELOST", part161); -var part163 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ - dup24, +var part162 = match("MESSAGE#202:IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", "nwparser.payload", "Interface %{interface->} is allowed to come up even with SFP checksum error", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part163); +var msg203 = msg("IF_BRINGUP_ALLOWED_FCOT_CHECKSUM_ERR", part162); -var part164 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); +var part163 = match("MESSAGE#203:PS_FAIL/0", "nwparser.payload", "Power supply %{fld43->} failed or shut%{p0}"); -var part165 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); +var part164 = match("MESSAGE#203:PS_FAIL/1_0", "nwparser.p0", " down %{p0}"); -var part166 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); +var part165 = match("MESSAGE#203:PS_FAIL/1_1", "nwparser.p0", "down %{p0}"); var select30 = linear_select([ + part164, part165, - part166, ]); -var part167 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "%{}(Serial number %{serial_number})"); +var part166 = match("MESSAGE#203:PS_FAIL/2", "nwparser.p0", "(Serial number %{serial_number})"); var all16 = all_match({ processors: [ - part164, + part163, select30, - part167, + part166, ], on_success: processor_chain([ - dup24, + dup23, dup2, dup3, dup4, @@ -2292,74 +2286,74 @@ var all16 = all_match({ var msg204 = msg("PS_FAIL", all16); -var msg205 = msg("INFORMATION", dup88); +var msg205 = msg("INFORMATION", dup87); -var msg206 = msg("EVENT", dup88); +var msg206 = msg("EVENT", dup87); -var part168 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ - dup24, +var part167 = match("MESSAGE#206:NATIVE_VLAN_MISMATCH", "nwparser.payload", "Native VLAN mismatch discovered on %{interface}, with %{fld23}", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var msg207 = msg("NATIVE_VLAN_MISMATCH", part168); +var msg207 = msg("NATIVE_VLAN_MISMATCH", part167); -var part169 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ - dup30, +var part168 = match("MESSAGE#207:NEIGHBOR_ADDED", "nwparser.payload", "Device %{fld22->} discovered of type %{fld23->} with port %{fld24->} on incoming port %{interface->} with ip addr %{fld25->} and mgmt ip %{hostip}", processor_chain([ + dup29, dup2, dup3, dup4, ])); -var msg208 = msg("NEIGHBOR_ADDED", part169); +var msg208 = msg("NEIGHBOR_ADDED", part168); -var part170 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ - dup25, +var part169 = match("MESSAGE#208:NEIGHBOR_REMOVED", "nwparser.payload", "CDP Neighbor %{fld22->} on port %{interface->} has been removed", processor_chain([ + dup24, dup2, dup3, dup4, ])); -var msg209 = msg("NEIGHBOR_REMOVED", part170); +var msg209 = msg("NEIGHBOR_REMOVED", part169); -var part171 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ +var part170 = match("MESSAGE#209:IF_BANDWIDTH_CHANGE", "nwparser.payload", "Interface %{interface},%{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var msg210 = msg("IF_BANDWIDTH_CHANGE", part171); +var msg210 = msg("IF_BANDWIDTH_CHANGE", part170); -var part172 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ - dup24, +var part171 = match("MESSAGE#210:IF_DOWN_PARENT_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (Parent interface down)", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part172); +var msg211 = msg("IF_DOWN_PARENT_ADMIN_DOWN", part171); -var part173 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ - dup24, +var part172 = match("MESSAGE#211:PORT_INDIVIDUAL_DOWN", "nwparser.payload", "individual port %{interface->} is down", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var msg212 = msg("PORT_INDIVIDUAL_DOWN", part173); +var msg212 = msg("PORT_INDIVIDUAL_DOWN", part172); -var part174 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ - dup24, +var part173 = match("MESSAGE#212:PORT_SUSPENDED", "nwparser.payload", "%{fld22}: %{interface->} is suspended", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var msg213 = msg("PORT_SUSPENDED", part174); +var msg213 = msg("PORT_SUSPENDED", part173); -var part175 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ +var part174 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Uplink-ID %{fld22->} of Fex %{fld23->} that is connected with %{interface->} changed its status from %{change_old->} to %{change_new}", processor_chain([ dup15, dup2, dup3, @@ -2367,42 +2361,42 @@ var part175 = match("MESSAGE#213:FEX_PORT_STATUS_NOTI", "nwparser.payload", "Upl setc("change_attribute","status"), ])); -var msg214 = msg("FEX_PORT_STATUS_NOTI", part175); +var msg214 = msg("FEX_PORT_STATUS_NOTI", part174); -var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup103); +var msg215 = msg("NOHMS_DIAG_ERR_PS_FAIL", dup102); -var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup88); +var msg216 = msg("NOHMS_DIAG_ERR_PS_RECOVERED", dup87); -var msg217 = msg("ADJCHANGE", dup88); +var msg217 = msg("ADJCHANGE", dup87); -var part176 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ - dup30, +var part175 = match("MESSAGE#217:PORT_ADDED", "nwparser.payload", "Interface %{interface}, added to VLAN%{vlan->} with role %{fld22}, state %{disposition}, %{info}", processor_chain([ + dup29, dup2, dup3, dup4, ])); -var msg218 = msg("PORT_ADDED", part176); +var msg218 = msg("PORT_ADDED", part175); -var part177 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ - dup25, +var part176 = match("MESSAGE#218:PORT_DELETED", "nwparser.payload", "Interface %{interface}, removed from VLAN%{vlan}", processor_chain([ + dup24, dup2, dup3, dup4, ])); -var msg219 = msg("PORT_DELETED", part177); +var msg219 = msg("PORT_DELETED", part176); -var part178 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ - dup63, +var part177 = match("MESSAGE#219:PORT_ROLE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} role changed to %{fld22}", processor_chain([ + dup62, dup2, dup3, dup4, ])); -var msg220 = msg("PORT_ROLE", part178); +var msg220 = msg("PORT_ROLE", part177); -var part179 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ +var part178 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interface->} instance VLAN%{vlan->} moving from %{change_old->} to %{change_new}", processor_chain([ dup15, dup2, dup3, @@ -2410,60 +2404,60 @@ var part179 = match("MESSAGE#220:PORT_STATE", "nwparser.payload", "Port %{interf setc("change_attribute","Port state"), ])); -var msg221 = msg("PORT_STATE", part179); +var msg221 = msg("PORT_STATE", part178); -var part180 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ - dup24, +var part179 = match("MESSAGE#221:TACACS_ACCOUNTING_MESSAGE", "nwparser.payload", "update: %{saddr}@%{terminal}: %{username}: %{event_description}; feature %{protocol->} (%{result}) %{info}", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part180); +var msg222 = msg("TACACS_ACCOUNTING_MESSAGE", part179); -var part181 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ - dup23, +var part180 = match("MESSAGE#222:TACACS_ACCOUNTING_MESSAGE:01", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}: enabled telnet", processor_chain([ + dup22, + dup37, dup38, - dup39, dup17, dup2, dup3, dup4, + dup39, dup40, - dup41, ])); -var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part181); +var msg223 = msg("TACACS_ACCOUNTING_MESSAGE:01", part180); -var part182 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ - dup64, +var part181 = match("MESSAGE#368:TACACS_ACCOUNTING_MESSAGE:04", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: configure terminal ; ntp source-interface %{sinterface->} (%{result})%{info}", processor_chain([ + dup63, dup2, dup4, ])); -var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part182); +var msg224 = msg("TACACS_ACCOUNTING_MESSAGE:04", part181); -var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); +var part182 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/0", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: show %{p0}"); -var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); +var part183 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_0", "nwparser.p0", "ntp statistics peer ipaddr %{hostip->} (%{p0}"); -var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); +var part184 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/1_1", "nwparser.p0", "logging last %{fld3->} (%{p0}"); var select31 = linear_select([ + part183, part184, - part185, ]); -var part186 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); +var part185 = match("MESSAGE#369:TACACS_ACCOUNTING_MESSAGE:05/2", "nwparser.p0", "%{result})%{info}"); var all17 = all_match({ processors: [ - part183, + part182, select31, - part186, + part185, ], on_success: processor_chain([ - dup64, + dup63, dup2, dup4, ]), @@ -2471,34 +2465,34 @@ var all17 = all_match({ var msg225 = msg("TACACS_ACCOUNTING_MESSAGE:05", all17); -var part187 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ - dup64, +var part186 = match("MESSAGE#370:TACACS_ACCOUNTING_MESSAGE:06", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: clock set %{event_time_string->} (%{result})%{info}", processor_chain([ + dup63, dup2, dup4, ])); -var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part187); +var msg226 = msg("TACACS_ACCOUNTING_MESSAGE:06", part186); -var part188 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. %{info}", processor_chain([ - dup64, +var part187 = match("MESSAGE#371:TACACS_ACCOUNTING_MESSAGE:08", "nwparser.payload", "%{action}: %{saddr}@%{terminal}: %{username}: Performing configuration copy. %{info}", processor_chain([ + dup63, dup2, dup4, setc("event_description","Performing configuration copy"), ])); -var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part188); +var msg227 = msg("TACACS_ACCOUNTING_MESSAGE:08", part187); -var part189 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); +var part188 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/2", "nwparser.p0", "%{username}: shell terminated because of session timeout %{p0}"); var all18 = all_match({ processors: [ - dup65, + dup64, + dup103, + part188, dup104, - part189, - dup105, ], on_success: processor_chain([ - dup64, + dup63, dup2, dup4, setc("event_description","shell terminated because of session timeout"), @@ -2507,17 +2501,17 @@ var all18 = all_match({ var msg228 = msg("TACACS_ACCOUNTING_MESSAGE:09", all18); -var part190 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); +var part189 = match("MESSAGE#373:TACACS_ACCOUNTING_MESSAGE:07/2", "nwparser.p0", "%{username}: %{event_description->} %{p0}"); var all19 = all_match({ processors: [ - dup65, + dup64, + dup103, + part189, dup104, - part190, - dup105, ], on_success: processor_chain([ - dup64, + dup63, dup2, dup4, ]), @@ -2536,19 +2530,19 @@ var select32 = linear_select([ msg229, ]); -var msg230 = msg("TACACS_ERROR_MESSAGE", dup103); +var msg230 = msg("TACACS_ERROR_MESSAGE", dup102); -var msg231 = msg("IF_SFP_WARNING", dup106); +var msg231 = msg("IF_SFP_WARNING", dup105); -var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup107); +var msg232 = msg("IF_DOWN_TCP_MAX_RETRANSMIT", dup106); -var msg233 = msg("FCIP_PEER_CAVIUM", dup88); +var msg233 = msg("FCIP_PEER_CAVIUM", dup87); -var msg234 = msg("IF_DOWN_PEER_CLOSE", dup107); +var msg234 = msg("IF_DOWN_PEER_CLOSE", dup106); -var msg235 = msg("IF_DOWN_PEER_RESET", dup107); +var msg235 = msg("IF_DOWN_PEER_RESET", dup106); -var part191 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ +var part190 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", "In domain %{domain}, VPC %{obj_name->} configuration is not consistent (%{result})", processor_chain([ dup15, dup2, dup3, @@ -2556,9 +2550,9 @@ var part191 = match("MESSAGE#229:INTF_CONSISTENCY_FAILED", "nwparser.payload", " setc("event_description","configuration is not consistent in domain"), ])); -var msg236 = msg("INTF_CONSISTENCY_FAILED", part191); +var msg236 = msg("INTF_CONSISTENCY_FAILED", part190); -var part192 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ +var part191 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC %{obj_name->} configuration is consistent", processor_chain([ dup8, dup2, dup3, @@ -2566,36 +2560,36 @@ var part192 = match("MESSAGE#230:INTF_CONSISTENCY_SUCCESS", "nwparser.payload", setc("event_description","configuration is consistent in domain"), ])); -var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part192); +var msg237 = msg("INTF_CONSISTENCY_SUCCESS", part191); -var msg238 = msg("INTF_COUNTERS_CLEARED", dup106); +var msg238 = msg("INTF_COUNTERS_CLEARED", dup105); -var msg239 = msg("IF_HARDWARE", dup106); +var msg239 = msg("IF_HARDWARE", dup105); -var part193 = match("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ +var part192 = match_copy("MESSAGE#233:HEARTBEAT_FAILURE", "nwparser.payload", "event_description", processor_chain([ setc("eventcategory","1604010000"), dup2, dup3, dup4, ])); -var msg240 = msg("HEARTBEAT_FAILURE", part193); +var msg240 = msg("HEARTBEAT_FAILURE", part192); -var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup88); +var msg241 = msg("SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG", dup87); -var msg242 = msg("PFM_FAN_FLTR_STATUS", dup88); +var msg242 = msg("PFM_FAN_FLTR_STATUS", dup87); -var msg243 = msg("MOUNT", dup88); +var msg243 = msg("MOUNT", dup87); -var msg244 = msg("LOG_CMP_UP", dup88); +var msg244 = msg("LOG_CMP_UP", dup87); -var part194 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "%{}Temperature Warning cleared"); +var part193 = match("MESSAGE#238:IF_XCVR_WARNING/2", "nwparser.p0", "Temperature Warning cleared%{}"); var all20 = all_match({ processors: [ - dup70, - dup108, - part194, + dup69, + dup107, + part193, ], on_success: processor_chain([ dup15, @@ -2607,20 +2601,20 @@ var all20 = all_match({ var msg245 = msg("IF_XCVR_WARNING", all20); -var msg246 = msg("IF_XCVR_WARNING:01", dup109); +var msg246 = msg("IF_XCVR_WARNING:01", dup108); var select33 = linear_select([ msg245, msg246, ]); -var part195 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "%{}Temperature Alarm cleared"); +var part194 = match("MESSAGE#240:IF_XCVR_ALARM/2", "nwparser.p0", "Temperature Alarm cleared%{}"); var all21 = all_match({ processors: [ - dup70, - dup108, - part195, + dup69, + dup107, + part194, ], on_success: processor_chain([ dup15, @@ -2632,24 +2626,24 @@ var all21 = all_match({ var msg247 = msg("IF_XCVR_ALARM", all21); -var msg248 = msg("IF_XCVR_ALARM:01", dup109); +var msg248 = msg("IF_XCVR_ALARM:01", dup108); var select34 = linear_select([ msg247, msg248, ]); -var msg249 = msg("MEMORY_ALERT", dup88); +var msg249 = msg("MEMORY_ALERT", dup87); -var msg250 = msg("MEMORY_ALERT_RECOVERED", dup88); +var msg250 = msg("MEMORY_ALERT_RECOVERED", dup87); -var part196 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "%{}Rx Power Alarm cleared"); +var part195 = match("MESSAGE#244:IF_SFP_ALARM/2", "nwparser.p0", "Rx Power Alarm cleared%{}"); var all22 = all_match({ processors: [ - dup70, - dup108, - part196, + dup69, + dup107, + part195, ], on_success: processor_chain([ dup15, @@ -2661,43 +2655,45 @@ var all22 = all_match({ var msg251 = msg("IF_SFP_ALARM", all22); -var msg252 = msg("IF_SFP_ALARM:01", dup109); +var msg252 = msg("IF_SFP_ALARM:01", dup108); var select35 = linear_select([ msg251, msg252, ]); -var part197 = match("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "%{event_description}", processor_chain([ - dup62, +var part196 = match_copy("MESSAGE#246:NBRCHANGE_DUAL", "nwparser.payload", "event_description", processor_chain([ + dup61, dup2, dup3, dup4, ])); -var msg253 = msg("NBRCHANGE_DUAL", part197); +var msg253 = msg("NBRCHANGE_DUAL", part196); -var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{device->} %{action}: System %{p0}"); +var part197 = match("MESSAGE#247:SOHMS_DIAG_ERROR/0", "nwparser.payload", "%{} %{device->} %{p0}"); -var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "%{device->} System %{p0}"); +var part198 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_0", "nwparser.p0", "%{action}: System %{p0}"); + +var part199 = match("MESSAGE#247:SOHMS_DIAG_ERROR/1_1", "nwparser.p0", "System %{p0}"); var select36 = linear_select([ part198, part199, ]); -var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "%{}minor alarm on fans in fan tray %{dclass_counter1}"); +var part200 = match("MESSAGE#247:SOHMS_DIAG_ERROR/2", "nwparser.p0", "minor alarm on fans in fan tray %{dclass_counter1}"); var all23 = all_match({ processors: [ - dup21, + part197, select36, part200, ], on_success: processor_chain([ - dup62, - dup39, - dup73, + dup61, + dup38, + dup72, dup2, dup3, dup4, @@ -2708,9 +2704,9 @@ var all23 = all_match({ var msg254 = msg("SOHMS_DIAG_ERROR", all23); var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{device->} System minor alarm on power supply %{fld42}: %{result}", processor_chain([ - dup62, - dup39, - dup73, + dup61, + dup38, + dup72, dup2, dup3, dup4, @@ -2720,9 +2716,9 @@ var part201 = match("MESSAGE#248:SOHMS_DIAG_ERROR:01", "nwparser.payload", "%{de var msg255 = msg("SOHMS_DIAG_ERROR:01", part201); var part202 = match("MESSAGE#249:SOHMS_DIAG_ERROR:02", "nwparser.payload", "%{device}: %{event_description}", processor_chain([ - dup62, - dup39, - dup73, + dup61, + dup38, + dup72, dup2, dup3, dup4, @@ -2737,10 +2733,10 @@ var select37 = linear_select([ ]); var part203 = match("MESSAGE#250:M2FIB_MAC_TBL_PRGMING", "nwparser.payload", "Failed to program the mac table on %{device->} for group: %{fld1}, (%{fld2->} (%{fld3}), %{fld4}, %{hostip}). Error: %{result}. %{info}", processor_chain([ - dup74, - dup35, - dup39, dup73, + dup34, + dup38, + dup72, dup2, dup3, dup4, @@ -2763,9 +2759,9 @@ var part204 = match("MESSAGE#251:DELETE_STALE_USER_ACCOUNT", "nwparser.payload", var msg258 = msg("DELETE_STALE_USER_ACCOUNT", part204); var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{interface->} is admin up", processor_chain([ - dup31, - dup35, - dup39, + dup30, + dup34, + dup38, dup17, dup2, dup3, @@ -2776,22 +2772,22 @@ var part205 = match("MESSAGE#252:IF_ADMIN_UP", "nwparser.payload", "Interface %{ var msg259 = msg("IF_ADMIN_UP", part205); var part206 = match("MESSAGE#253:VPC_CFGD", "nwparser.payload", "vPC %{obj_name->} is configured", processor_chain([ - dup31, - dup35, - dup39, + dup30, + dup34, + dup38, dup17, dup2, dup3, dup4, setc("event_description","vPC is configured"), - dup75, + dup74, ])); var msg260 = msg("VPC_CFGD", part206); var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Manager has received notification of %{info}", processor_chain([ - dup31, - dup39, + dup30, + dup38, dup17, dup2, dup3, @@ -2802,9 +2798,9 @@ var part207 = match("MESSAGE#254:MODULE_ONLINE", "nwparser.payload", "System Man var msg261 = msg("MODULE_ONLINE", part207); var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", "System booted from Primary BIOS Flash%{}", processor_chain([ - dup31, + dup30, + dup75, dup76, - dup77, dup2, dup3, dup4, @@ -2814,15 +2810,15 @@ var part208 = match("MESSAGE#255:BIOS_DAEMON_LC_PRI_BOOT", "nwparser.payload", " var msg262 = msg("BIOS_DAEMON_LC_PRI_BOOT", part208); var part209 = match("MESSAGE#256:PEER_VPC_DOWN", "nwparser.payload", "Peer %{obj_name->} is down ()", processor_chain([ - dup78, - dup35, - dup39, - dup73, + dup77, + dup34, + dup38, + dup72, dup2, dup3, dup4, setc("event_description","Peer vPC is down"), - dup75, + dup74, ])); var msg263 = msg("PEER_VPC_DOWN", part209); @@ -2860,7 +2856,7 @@ var all24 = all_match({ part216, ], on_success: processor_chain([ - dup37, + dup36, dup2, dup3, dup4, @@ -2871,10 +2867,10 @@ var all24 = all_match({ var msg264 = msg("PEER_KEEP_ALIVE_RECV_INT_LATEST", all24); var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive receive is successful", processor_chain([ - dup37, - dup35, - dup79, dup36, + dup34, + dup78, + dup35, dup17, dup2, dup3, @@ -2885,10 +2881,10 @@ var part217 = match("MESSAGE#258:PEER_KEEP_ALIVE_RECV_SUCCESS", "nwparser.payloa var msg265 = msg("PEER_KEEP_ALIVE_RECV_SUCCESS", part217); var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", "In domain %{domain}, VPC peer keep-alive receive has failed", processor_chain([ + dup77, + dup34, dup78, dup35, - dup79, - dup36, dup14, dup2, dup3, @@ -2899,10 +2895,10 @@ var part218 = match("MESSAGE#259:PEER_KEEP_ALIVE_RECV_FAIL", "nwparser.payload", var msg266 = msg("PEER_KEEP_ALIVE_RECV_FAIL", part218); var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.payload", "In domain %{domain}, VPC peer-keepalive sent on interface %{interface}", processor_chain([ - dup37, - dup35, - dup80, dup36, + dup34, + dup79, + dup35, dup2, dup3, dup4, @@ -2912,10 +2908,10 @@ var part219 = match("MESSAGE#260:PEER_KEEP_ALIVE_SEND_INT_LATEST", "nwparser.pay var msg267 = msg("PEER_KEEP_ALIVE_SEND_INT_LATEST", part219); var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payload", "In domain %{domain}, vPC peer keep-alive send is successful", processor_chain([ - dup37, - dup35, - dup80, dup36, + dup34, + dup79, + dup35, dup17, dup2, dup3, @@ -2926,10 +2922,10 @@ var part220 = match("MESSAGE#261:PEER_KEEP_ALIVE_SEND_SUCCESS", "nwparser.payloa var msg268 = msg("PEER_KEEP_ALIVE_SEND_SUCCESS", part220); var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "In domain %{domain}, peer keep-alive status changed to %{change_new}", processor_chain([ - dup31, - dup35, + dup30, + dup34, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -2940,9 +2936,9 @@ var part221 = match("MESSAGE#262:PEER_KEEP_ALIVE_STATUS", "nwparser.payload", "I var msg269 = msg("PEER_KEEP_ALIVE_STATUS", part221); var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Ejectors' status in slot %{fld47->} has changed, %{info}", processor_chain([ - dup31, + dup30, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -2952,9 +2948,9 @@ var part222 = match("MESSAGE#263:EJECTOR_STAT_CHANGED", "nwparser.payload", "Eje var msg270 = msg("EJECTOR_STAT_CHANGED", part222); var part223 = match("MESSAGE#264:XBAR_DETECT", "nwparser.payload", "Xbar %{fld41->} detected (Serial number %{fld42})", processor_chain([ - dup30, + dup29, setc("ec_activity","Detect"), - dup39, + dup38, dup2, dup3, dup4, @@ -2965,8 +2961,8 @@ var msg271 = msg("XBAR_DETECT", part223); var part224 = match("MESSAGE#265:XBAR_PWRUP", "nwparser.payload", "Xbar %{fld41->} powered up (Serial number %{fld42})", processor_chain([ dup15, + dup75, dup76, - dup77, dup2, dup3, dup4, @@ -2977,7 +2973,7 @@ var msg272 = msg("XBAR_PWRUP", part224); var part225 = match("MESSAGE#266:XBAR_PWRDN", "nwparser.payload", "Xbar %{fld41->} powered down (Serial number %{fld42})", processor_chain([ dup15, - dup76, + dup75, setc("ec_activity","Stop"), dup2, dup3, @@ -3018,7 +3014,7 @@ var part228 = match("MESSAGE#269:VPC_ISSU_END", "nwparser.payload", "Peer vPC sw var msg276 = msg("VPC_ISSU_END", part228); var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup63, + dup62, dup2, dup3, dup4, @@ -3028,7 +3024,7 @@ var part229 = match("MESSAGE#270:PORT_RANGE_ROLE", "nwparser.payload", "new_role var msg277 = msg("PORT_RANGE_ROLE", part229); var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_state=%{obj_name->} interface=%{interface->} mst=%{fld42}", processor_chain([ - dup63, + dup62, dup2, dup3, dup4, @@ -3038,10 +3034,10 @@ var part230 = match("MESSAGE#271:PORT_RANGE_STATE", "nwparser.payload", "new_sta var msg278 = msg("PORT_RANGE_STATE", part230); var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Interface %{interface->} removed from mst=%{fld42}", processor_chain([ - dup25, - dup35, + dup24, + dup34, dup20, - dup39, + dup38, dup2, dup3, dup4, @@ -3051,10 +3047,10 @@ var part231 = match("MESSAGE#272:PORT_RANGE_DELETED", "nwparser.payload", "Inter var msg279 = msg("PORT_RANGE_DELETED", part231); var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interface %{interface->} added to mst=%{fld42->} with %{info}", processor_chain([ - dup30, - dup35, - dup81, - dup39, + dup29, + dup34, + dup80, + dup38, dup2, dup3, dup4, @@ -3064,10 +3060,10 @@ var part232 = match("MESSAGE#273:PORT_RANGE_ADDED", "nwparser.payload", "Interfa var msg280 = msg("PORT_RANGE_ADDED", part232); var part233 = match("MESSAGE#274:MST_PORT_BOUNDARY", "nwparser.payload", "Port %{portname->} removed as MST Boundary port", processor_chain([ - dup25, - dup35, + dup24, + dup34, dup20, - dup39, + dup38, dup2, dup3, dup4, @@ -3097,10 +3093,10 @@ var part235 = match("MESSAGE#276:IM_INTF_STATE", "nwparser.payload", "%{interfac var msg283 = msg("IM_INTF_STATE", part235); var part236 = match("MESSAGE#277:VDC_STATE_CHANGE", "nwparser.payload", "vdc %{fld43->} state changed to %{obj_name}", processor_chain([ - dup63, - dup35, + dup62, + dup34, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -3115,28 +3111,28 @@ var part237 = match("MESSAGE#278:SWITCHOVER_OVER", "nwparser.payload", "Switchov dup2, dup3, dup4, - dup82, + dup81, ])); var msg285 = msg("SWITCHOVER_OVER", part237); var part238 = match("MESSAGE#279:VDC_MODULETYPE", "nwparser.payload", "%{process}: Module type changed to %{obj_name}", processor_chain([ - dup63, + dup62, dup16, - dup39, + dup38, dup2, dup3, dup4, - dup82, + dup81, setc("obj_type"," New Module type"), ])); var msg286 = msg("VDC_MODULETYPE", part238); var part239 = match("MESSAGE#280:HASEQNO_SYNC_FAILED", "nwparser.payload", "Unable to sync HA sequence number %{fld44->} for service \"%{service}\" (PID %{process_id}): %{result}.", processor_chain([ - dup78, + dup77, + dup34, dup35, - dup36, dup14, dup2, dup3, @@ -3148,9 +3144,9 @@ var msg287 = msg("HASEQNO_SYNC_FAILED", part239); var part240 = match("MESSAGE#281:MSG_SEND_FAILURE_STANDBY_RESET", "nwparser.payload", "Failure in sending message to standby causing standby to reset.%{}", processor_chain([ dup1, + dup34, + dup79, dup35, - dup80, - dup36, dup14, dup2, dup3, @@ -3172,9 +3168,9 @@ var msg289 = msg("MODULE_LOCK_FAILED", part241); var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", "Failed to send Mac New Learns/Mac moves due to mts send failure errno %{resultcode}", processor_chain([ dup1, + dup34, + dup79, dup35, - dup80, - dup36, dup14, dup2, dup3, @@ -3185,9 +3181,9 @@ var part242 = match("MESSAGE#283:L2FMC_NL_MTS_SEND_FAILURE", "nwparser.payload", var msg290 = msg("L2FMC_NL_MTS_SEND_FAILURE", part242); var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} management address %{fld46->} discovered on local port %{portname->} in vlan %{vlan->} %{info}", processor_chain([ - dup30, - dup81, - dup39, + dup29, + dup80, + dup38, dup2, dup3, dup4, @@ -3197,9 +3193,9 @@ var part243 = match("MESSAGE#284:SERVER_ADDED", "nwparser.payload", "Server with var msg291 = msg("SERVER_ADDED", part243); var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server with Chassis ID %{id->} Port ID %{fld45->} on local port %{portname->} has been removed", processor_chain([ - dup25, + dup24, dup20, - dup39, + dup38, dup2, dup3, dup4, @@ -3209,13 +3205,13 @@ var part244 = match("MESSAGE#285:SERVER_REMOVED", "nwparser.payload", "Server wi var msg292 = msg("SERVER_REMOVED", part244); var part245 = match("MESSAGE#286:IF_DOWN_SUSPENDED_BY_SPEED", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup24, - dup35, - dup73, + dup23, + dup34, + dup72, dup2, dup3, dup4, - dup26, + dup25, ])); var msg293 = msg("IF_DOWN_SUSPENDED_BY_SPEED", part245); @@ -3231,20 +3227,20 @@ var part246 = match("MESSAGE#287:PORT_INDIVIDUAL", "nwparser.payload", "port %{p var msg294 = msg("PORT_INDIVIDUAL", part246); var part247 = match("MESSAGE#288:IF_DOWN_CHANNEL_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down %{info}", processor_chain([ - dup24, - dup35, - dup39, - dup73, + dup23, + dup34, + dup38, + dup72, dup2, dup3, dup4, - dup26, + dup25, ])); var msg295 = msg("IF_DOWN_CHANNEL_ADMIN_DOWN", part247); var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Interface %{interface->} is being recovered from error disabled state %{info}", processor_chain([ - dup23, + dup22, dup2, dup3, dup4, @@ -3254,7 +3250,7 @@ var part248 = match("MESSAGE#289:IF_ERRDIS_RECOVERY", "nwparser.payload", "Inter var msg296 = msg("IF_ERRDIS_RECOVERY", part248); var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", "Non-Cisco transceiver on interface %{interface->} is detected", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3264,7 +3260,7 @@ var part249 = match("MESSAGE#290:IF_NON_CISCO_TRANSCEIVER", "nwparser.payload", var msg297 = msg("IF_NON_CISCO_TRANSCEIVER", part249); var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.payload", "Active supervisor in slot %{fld47->} is running with less memory than standby supervisor in slot %{fld48}.", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3274,9 +3270,9 @@ var part250 = match("MESSAGE#291:ACTIVE_LOWER_MEM_THAN_STANDBY", "nwparser.paylo var msg298 = msg("ACTIVE_LOWER_MEM_THAN_STANDBY", part250); var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configuration update started (PID %{process_id}).", processor_chain([ - dup31, + dup30, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -3286,7 +3282,7 @@ var part251 = match("MESSAGE#292:READCONF_STARTED", "nwparser.payload", "Configu var msg299 = msg("READCONF_STARTED", part251); var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor in slot %{fld47->} is running with less memory than active supervisor in slot %{fld48}", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3296,9 +3292,9 @@ var part252 = match("MESSAGE#293:SUP_POWERDOWN", "nwparser.payload", "Supervisor var msg300 = msg("SUP_POWERDOWN", part252); var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Starting linecard upgrade%{}", processor_chain([ - dup31, + dup30, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -3308,9 +3304,9 @@ var part253 = match("MESSAGE#294:LC_UPGRADE_START", "nwparser.payload", "Startin var msg301 = msg("LC_UPGRADE_START", part253); var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Rebooting linecard as a part of upgrade%{}", processor_chain([ - dup31, + dup30, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -3320,7 +3316,7 @@ var part254 = match("MESSAGE#295:LC_UPGRADE_REBOOT", "nwparser.payload", "Reboot var msg302 = msg("LC_UPGRADE_REBOOT", part254); var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload", "Runtime database controller started (PID %{process_id}).", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3330,7 +3326,7 @@ var part255 = match("MESSAGE#296:RUNTIME_DB_RESTORE_STARTED", "nwparser.payload" var msg303 = msg("RUNTIME_DB_RESTORE_STARTED", part255); var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload", "Runtime database successfully restored.%{}", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3340,9 +3336,9 @@ var part256 = match("MESSAGE#297:RUNTIME_DB_RESTORE_SUCCESS", "nwparser.payload" var msg304 = msg("RUNTIME_DB_RESTORE_SUCCESS", part256); var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", "Upgrade of module %{fld49->} started", processor_chain([ - dup31, + dup30, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -3352,7 +3348,7 @@ var part257 = match("MESSAGE#298:LCM_MODULE_UPGRADE_START", "nwparser.payload", var msg305 = msg("LCM_MODULE_UPGRADE_START", part257); var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "Upgrade of module %{fld49->} ended", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3362,10 +3358,10 @@ var part258 = match("MESSAGE#299:LCM_MODULE_UPGRADE_END", "nwparser.payload", "U var msg306 = msg("LCM_MODULE_UPGRADE_END", part258); var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recieved insert for %{fld50}", processor_chain([ - dup64, + dup63, + dup34, + dup78, dup35, - dup79, - dup36, dup2, dup3, dup4, @@ -3375,24 +3371,24 @@ var part259 = match("MESSAGE#300:FIPS_POST_INFO_MSG", "nwparser.payload", "Recie var msg307 = msg("FIPS_POST_INFO_MSG", part259); var part260 = match("MESSAGE#301:PEER_VPC_CFGD", "nwparser.payload", "peer vPC %{obj_name->} is configured", processor_chain([ - dup31, - dup35, - dup39, + dup30, + dup34, + dup38, dup17, dup2, dup3, dup4, setc("event_description","peer vPC is configured"), - dup75, + dup74, ])); var msg308 = msg("PEER_VPC_CFGD", part260); var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: Potential Interop issue on [%{interface}]: %{result}", processor_chain([ - dup74, - dup35, - dup39, dup73, + dup34, + dup38, + dup72, dup2, dup3, dup4, @@ -3402,7 +3398,7 @@ var part261 = match("MESSAGE#302:SYN_COLL_DIS_EN", "nwparser.payload", "%{info}: var msg309 = msg("SYN_COLL_DIS_EN", part261); var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{device->} Off-line (Serial Number %{fld42})", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3412,7 +3408,7 @@ var part262 = match("MESSAGE#303:NOHMS_ENV_FEX_OFFLINE", "nwparser.payload", "%{ var msg310 = msg("NOHMS_ENV_FEX_OFFLINE", part262); var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{device->} On-line", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3422,7 +3418,7 @@ var part263 = match("MESSAGE#304:NOHMS_ENV_FEX_ONLINE", "nwparser.payload", "%{d var msg311 = msg("NOHMS_ENV_FEX_ONLINE", part263); var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{device->} is online", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3432,7 +3428,7 @@ var part264 = match("MESSAGE#305:FEX_STATUS_online", "nwparser.payload", "%{devi var msg312 = msg("FEX_STATUS_online", part264); var part265 = match("MESSAGE#306:FEX_STATUS_offline", "nwparser.payload", "%{device->} is offline", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3447,9 +3443,9 @@ var select40 = linear_select([ ]); var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Power supply %{fld41->} present but all AC/DC inputs are not connected, power redundancy might be affected", processor_chain([ - dup74, - dup39, dup73, + dup38, + dup72, dup2, dup3, dup4, @@ -3459,9 +3455,9 @@ var part266 = match("MESSAGE#307:PS_PWR_INPUT_MISSING", "nwparser.payload", "Pow var msg314 = msg("PS_PWR_INPUT_MISSING", part266); var part267 = match("MESSAGE#308:PS_RED_MODE_RESTORED", "nwparser.payload", "Power redundancy operational mode changed to %{change_new}", processor_chain([ - dup31, + dup30, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -3482,9 +3478,9 @@ var part268 = match("MESSAGE#309:MOD_PWRFAIL_EJECTORS_OPEN", "nwparser.payload", var msg316 = msg("MOD_PWRFAIL_EJECTORS_OPEN", part268); var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device->} pinning information is changed", processor_chain([ - dup31, + dup30, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -3494,7 +3490,7 @@ var part269 = match("MESSAGE#310:PINNING_CHANGED", "nwparser.payload", "%{device var msg317 = msg("PINNING_CHANGED", part269); var part270 = match("MESSAGE#311:SATCTRL", "nwparser.payload", "%{device->} Module %{fld41}: Cold boot", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3524,9 +3520,9 @@ var part272 = match("MESSAGE#313:UNKNOWN_MTYPE", "nwparser.payload", "%{fld51->} var msg320 = msg("UNKNOWN_MTYPE", part272); var part273 = match("MESSAGE#314:SATCTRL_IMAGE", "nwparser.payload", "%{fld51->} %{event_description}", processor_chain([ - dup31, + dup30, dup16, - dup39, + dup38, dup2, dup3, dup4, @@ -3545,7 +3541,7 @@ var part274 = match("MESSAGE#315:API_FAILED", "nwparser.payload", "%{fld51->} [% var msg322 = msg("API_FAILED", part274); -var part275 = match("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "%{event_description}", processor_chain([ +var part275 = match_copy("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "event_description", processor_chain([ dup8, dup2, dup3, @@ -3555,7 +3551,7 @@ var part275 = match("MESSAGE#316:SENSOR_MSG1", "nwparser.payload", "%{event_desc var msg323 = msg("SENSOR_MSG1", part275); var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld51->} [%{fld52}] %{event_description}", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3564,7 +3560,7 @@ var part276 = match("MESSAGE#317:API_INIT_SEM_CLEAR", "nwparser.payload", "%{fld var msg324 = msg("API_INIT_SEM_CLEAR", part276); var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51->} has come online", processor_chain([ - dup31, + dup30, dup2, dup3, dup4, @@ -3574,11 +3570,11 @@ var part277 = match("MESSAGE#318:VDC_ONLINE", "nwparser.payload", "vdc %{fld51-> var msg325 = msg("VDC_ONLINE", part277); var part278 = match("MESSAGE#319:LACP_SUSPEND_INDIVIDUAL", "nwparser.payload", "LACP port %{portname->} of port-channel %{interface->} not receiving any LACP BPDUs %{result}", processor_chain([ + dup77, + dup34, dup78, dup35, - dup79, - dup36, - dup73, + dup72, dup2, dup3, dup4, @@ -3597,10 +3593,10 @@ var part279 = match("MESSAGE#320:dstats", "nwparser.payload", "%{process}: %{inf var msg327 = msg("dstats", part279); var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} logged OUT.", processor_chain([ - dup78, - dup35, + dup77, + dup34, setc("ec_activity","Logoff"), - dup36, + dup35, dup2, dup3, dup4, @@ -3609,10 +3605,10 @@ var part280 = match("MESSAGE#321:MSG_PORT_LOGGED_OUT", "nwparser.payload", "%{fl var msg328 = msg("MSG_PORT_LOGGED_OUT", part280); var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld52->} [VSAN %{fld51}, Interface %{interface}: %{fld53->} Nx Port %{portname->} with FCID %{fld54->} logged IN.", processor_chain([ - dup78, - dup35, + dup77, + dup34, dup13, - dup36, + dup35, dup2, dup3, dup4, @@ -3620,12 +3616,12 @@ var part281 = match("MESSAGE#322:MSG_PORT_LOGGED_IN", "nwparser.payload", "%{fld var msg329 = msg("MSG_PORT_LOGGED_IN", part281); -var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup97); +var msg330 = msg("IF_DOWN_ELP_FAILURE_ISOLATION", dup96); var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52->} Zone merge failure, isolating interface %{interface->} reason: %{result}:[%{resultcode}]", processor_chain([ - dup24, + dup23, + dup34, dup35, - dup36, dup14, dup2, dup3, @@ -3634,12 +3630,12 @@ var part282 = match("MESSAGE#324:ZS_MERGE_FAILED", "nwparser.payload", "%{fld52- var msg331 = msg("ZS_MERGE_FAILED", part282); -var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup97); +var msg332 = msg("IF_DOWN_ZONE_MERGE_FAILURE_ISOLATION", dup96); var part283 = match("MESSAGE#326:MAC_MOVE_NOTIFICATION", "nwparser.payload", "Host %{hostname->} in vlan %{vlan->} is flapping between port %{change_old->} and port %{change_new}", processor_chain([ - dup24, + dup23, + dup34, dup35, - dup36, dup2, dup3, dup4, @@ -3659,9 +3655,9 @@ var msg334 = msg("zone", part284); var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_description}: %{info}", processor_chain([ dup1, + dup34, dup35, - dup36, - dup73, + dup72, dup2, dup3, dup4, @@ -3670,11 +3666,11 @@ var part285 = match("MESSAGE#328:ERROR", "nwparser.payload", "%{event_descriptio var msg335 = msg("ERROR", part285); var part286 = match("MESSAGE#329:INVAL_IP", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid destination IP address (%{daddr}) from %{smacaddr->} on %{interface}", processor_chain([ + dup77, + dup34, dup78, dup35, - dup79, - dup36, - dup73, + dup72, dup2, dup3, dup4, @@ -3692,10 +3688,10 @@ var part287 = match("MESSAGE#330:SYSLOG_SL_MSG_WARNING", "nwparser.payload", "%{ var msg337 = msg("SYSLOG_SL_MSG_WARNING", part287); var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex mismatch discovered on %{interface}, with %{fld55}", processor_chain([ - dup78, + dup77, + dup34, dup35, - dup36, - dup73, + dup72, dup2, dup3, dup4, @@ -3704,10 +3700,10 @@ var part288 = match("MESSAGE#331:DUPLEX_MISMATCH", "nwparser.payload", "Duplex m var msg338 = msg("DUPLEX_MISMATCH", part288); var part289 = match("MESSAGE#332:NOHMS_DIAG_ERROR", "nwparser.payload", "Module %{fld20}: Runtime diag detected major event: Fabric port failure %{interface}", processor_chain([ - dup78, + dup77, + dup34, dup35, - dup36, - dup73, + dup72, dup2, dup3, dup4, @@ -3717,8 +3713,8 @@ var msg339 = msg("NOHMS_DIAG_ERROR", part289); var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "Re enabling dynamic learning on all interfaces%{}", processor_chain([ dup15, + dup34, dup35, - dup36, dup2, dup3, dup4, @@ -3727,10 +3723,10 @@ var part290 = match("MESSAGE#333:STM_LEARNING_RE_ENABLE", "nwparser.payload", "R var msg340 = msg("STM_LEARNING_RE_ENABLE", part290); var part291 = match("MESSAGE#334:UDLD_PORT_DISABLED", "nwparser.payload", "UDLD disabled interface %{interface}, %{result}", processor_chain([ - dup78, + dup77, + dup34, dup35, - dup36, - dup73, + dup72, dup2, dup3, dup4, @@ -3786,7 +3782,7 @@ var select41 = linear_select([ msg346, ]); -var part297 = match("MESSAGE#340:PFM_ALERT", "nwparser.payload", "%{event_description}", processor_chain([ +var part297 = match_copy("MESSAGE#340:PFM_ALERT", "nwparser.payload", "event_description", processor_chain([ dup9, dup2, dup3, @@ -3796,7 +3792,7 @@ var part297 = match("MESSAGE#340:PFM_ALERT", "nwparser.payload", "%{event_descri var msg347 = msg("PFM_ALERT", part297); var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Client %{saddr}", processor_chain([ - dup62, + dup61, dup2, dup3, dup4, @@ -3806,7 +3802,7 @@ var part298 = match("MESSAGE#341:SERVICEFOUND", "nwparser.payload", "Service %{s var msg348 = msg("SERVICEFOUND", part298); var part299 = match("MESSAGE#342:ROUTERFOUND", "nwparser.payload", "Service %{service->} acquired on WCCP Router %{saddr}", processor_chain([ - dup62, + dup61, dup2, dup3, dup4, @@ -3876,7 +3872,7 @@ var part305 = match("MESSAGE#348:%USER-6-SYSTEM_MSG", "nwparser.payload", "Inval dup2, dup3, dup4, - dup83, + dup82, ])); var msg355 = msg("%USER-6-SYSTEM_MSG", part305); @@ -3886,7 +3882,7 @@ var part306 = match("MESSAGE#349:%USER-6-SYSTEM_MSG:01", "nwparser.payload", "in dup2, dup3, dup4, - dup83, + dup82, ])); var msg356 = msg("%USER-6-SYSTEM_MSG:01", part306); @@ -3902,7 +3898,7 @@ var part307 = match("MESSAGE#350:%USER-6-SYSTEM_MSG:02", "nwparser.payload", "Fa var msg357 = msg("%USER-6-SYSTEM_MSG:02", part307); var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol->} - %{agent}", processor_chain([ - dup84, + dup83, dup2, dup3, dup4, @@ -3912,7 +3908,7 @@ var part308 = match("MESSAGE#351:%USER-6-SYSTEM_MSG:03", "nwparser.payload", "Ac var msg358 = msg("%USER-6-SYSTEM_MSG:03", part308); var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "lastlog_openseek: Couldn't stat %{directory}: No such file or directory - %{agent}", processor_chain([ - dup84, + dup83, dup2, dup3, dup4, @@ -3922,7 +3918,7 @@ var part309 = match("MESSAGE#352:%USER-6-SYSTEM_MSG:04", "nwparser.payload", "la var msg359 = msg("%USER-6-SYSTEM_MSG:04", part309); var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Could not load host key: %{encryption_type->} - %{agent}", processor_chain([ - dup84, + dup83, dup2, dup3, dup4, @@ -3932,7 +3928,7 @@ var part310 = match("MESSAGE#353:%USER-6-SYSTEM_MSG:05", "nwparser.payload", "Co var msg360 = msg("%USER-6-SYSTEM_MSG:05", part310); var part311 = match("MESSAGE#354:%USER-6-SYSTEM_MSG:06", "nwparser.payload", "%{event_description->} - %{agent}", processor_chain([ - dup84, + dup83, dup2, dup3, dup4, @@ -3951,7 +3947,7 @@ var select43 = linear_select([ ]); var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload", "Disabling learning in vlan %{vlan->} for %{duration}s due to too many mac moves", processor_chain([ - dup31, + dup30, dup2, dup4, setc("ec_activity","Disable"), @@ -3960,10 +3956,10 @@ var part312 = match("MESSAGE#355:L2FM_MAC_FLAP_DISABLE_LEARN", "nwparser.payload var msg362 = msg("L2FM_MAC_FLAP_DISABLE_LEARN", part312); var part313 = match("MESSAGE#356:L2FM_MAC_FLAP_RE_ENABLE_LEARN", "nwparser.payload", "Re-enabling learning in vlan %{vlan}", processor_chain([ - dup31, + dup30, dup2, dup4, - dup38, + dup37, ])); var msg363 = msg("L2FM_MAC_FLAP_RE_ENABLE_LEARN", part313); @@ -3996,14 +3992,14 @@ var part317 = match("MESSAGE#360:SUBPROC_SUCCESS_EXIT", "nwparser.payload", "\"% dup15, dup2, dup4, - dup85, + dup84, dup17, ])); var msg367 = msg("SUBPROC_SUCCESS_EXIT", part317); var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on Interface vlan %{vlan}, changed state to %{disposition}", processor_chain([ - dup31, + dup30, dup2, dup4, ])); @@ -4011,7 +4007,7 @@ var part318 = match("MESSAGE#361:UPDOWN", "nwparser.payload", "Line Protocol on var msg368 = msg("UPDOWN", part318); var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{smacaddr->} in vlan %{vlan->} has moved between %{change_old->} to %{change_new}", processor_chain([ - dup31, + dup30, dup2, dup4, setc("change_attribute","Interface"), @@ -4020,25 +4016,25 @@ var part319 = match("MESSAGE#362:L2FM_MAC_MOVE2", "nwparser.payload", "Mac %{sma var msg369 = msg("L2FM_MAC_MOVE2", part319); var part320 = match("MESSAGE#363:PFM_PS_RED_MODE_CHG", "nwparser.payload", "Power redundancy configured mode changed to %{event_state}", processor_chain([ - dup31, + dup30, dup2, dup4, - dup39, + dup38, ])); var msg370 = msg("PFM_PS_RED_MODE_CHG", part320); var part321 = match("MESSAGE#364:PS_RED_MODE_CHG", "nwparser.payload", "Power supply operational redundancy mode changed to %{event_state}", processor_chain([ - dup31, + dup30, dup2, dup4, - dup39, + dup38, ])); var msg371 = msg("PS_RED_MODE_CHG", part321); var part322 = match("MESSAGE#365:INVAL_MAC", "nwparser.payload", "%{agent->} [%{process_id}] Received packet with invalid source MAC address (%{smacaddr}) from %{saddr->} on %{vlan}", processor_chain([ - dup64, + dup63, dup2, dup4, ])); @@ -4054,8 +4050,8 @@ var part323 = match("MESSAGE#366:SRVSTATE_CHANGED", "nwparser.payload", "State f var msg373 = msg("SRVSTATE_CHANGED", part323); -var part324 = match("MESSAGE#367:INFO", "nwparser.payload", "%{event_description}", processor_chain([ - dup64, +var part324 = match_copy("MESSAGE#367:INFO", "nwparser.payload", "event_description", processor_chain([ + dup63, dup2, dup4, ])); @@ -4066,8 +4062,8 @@ var part325 = match("MESSAGE#374:SERVICE_STARTED", "nwparser.payload", "Service dup15, dup2, dup4, - dup85, - dup77, + dup84, + dup76, dup17, ])); @@ -4078,7 +4074,7 @@ var part326 = match("MESSAGE#375:DUP_VADDR_SRCIP_PROBE", "nwparser.payload", "%{ dup2, dup3, dup4, - dup86, + dup85, ])); var msg376 = msg("DUP_VADDR_SRCIP_PROBE", part326); @@ -4088,7 +4084,7 @@ var part327 = match("MESSAGE#376:DUP_SRCIP_PROBE", "nwparser.payload", "%{proces dup2, dup3, dup4, - dup86, + dup85, ])); var msg377 = msg("DUP_SRCIP_PROBE", part327); @@ -4382,209 +4378,207 @@ var chain1 = processor_chain([ }), ]); -var part328 = match("MESSAGE#24:SYSTEM_MSG:08/0", "nwparser.payload", "%{} %{p0}"); - -var part329 = match("MESSAGE#24:SYSTEM_MSG:08/1_1", "nwparser.p0", "%{event_description}"); +var part328 = match_copy("MESSAGE#24:SYSTEM_MSG:08/0_1", "nwparser.payload", "event_description"); -var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); +var part329 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_0", "nwparser.p0", "rol%{p0}"); -var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); +var part330 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/1_1", "nwparser.p0", "ol%{p0}"); -var part332 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); +var part331 = match("MESSAGE#44:IF_RX_FLOW_CONTROL/2", "nwparser.p0", "%{}state changed to %{result}"); -var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); +var part332 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/0", "nwparser.payload", "update:%{saddr}@%{terminal}:%{username}:%{p0}"); -var part334 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); +var part333 = match("MESSAGE#171:AAA_ACCOUNTING_MESSAGE:27/2", "nwparser.p0", "%{result})"); -var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); +var part334 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/0", "nwparser.payload", "S%{p0}"); -var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); +var part335 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_0", "nwparser.p0", "ource%{p0}"); -var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); +var part336 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/1_1", "nwparser.p0", "rc%{p0}"); -var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); +var part337 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/2", "nwparser.p0", "%{}IP: %{saddr}, D%{p0}"); -var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); +var part338 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_0", "nwparser.p0", "estination%{p0}"); -var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); +var part339 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/3_1", "nwparser.p0", "st%{p0}"); -var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); +var part340 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/4", "nwparser.p0", "%{}IP: %{daddr}, S%{p0}"); -var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); +var part341 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/6", "nwparser.p0", "%{}Port: %{sport}, D%{p0}"); -var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); +var part342 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/8", "nwparser.p0", "%{}Port: %{dport}, S%{p0}"); -var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); +var part343 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_0", "nwparser.p0", "ource Interface%{p0}"); -var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); +var part344 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/9_1", "nwparser.p0", "rc Intf%{p0}"); -var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); +var part345 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/10", "nwparser.p0", ": %{sinterface}, %{p0}"); -var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); +var part346 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_0", "nwparser.p0", "Protocol: %{p0}"); -var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); +var part347 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/11_1", "nwparser.p0", "protocol: %{p0}"); -var part349 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "%{}\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); +var part348 = match("MESSAGE#186:ACLLOG_FLOW_INTERVAL/12", "nwparser.p0", "\"%{protocol}\"(%{protocol_detail}),%{space->} Hit-count = %{dclass_counter1}"); -var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); +var part349 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/0", "nwparser.payload", "%{action}: %{p0}"); -var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); +var part350 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_0", "nwparser.p0", "%{saddr}@%{terminal}: %{p0}"); -var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); +var part351 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/1_1", "nwparser.p0", "%{fld1->} %{p0}"); -var part353 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); +var part352 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_0", "nwparser.p0", "(%{result})%{info}"); -var part354 = match("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "%{info}"); +var part353 = match_copy("MESSAGE#372:TACACS_ACCOUNTING_MESSAGE:09/3_1", "nwparser.p0", "info"); -var part355 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); +var part354 = match("MESSAGE#238:IF_XCVR_WARNING/0", "nwparser.payload", "Interface %{interface}, %{p0}"); -var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); +var part355 = match("MESSAGE#238:IF_XCVR_WARNING/1_0", "nwparser.p0", "Low %{p0}"); -var part357 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); +var part356 = match("MESSAGE#238:IF_XCVR_WARNING/1_1", "nwparser.p0", "High %{p0}"); -var part358 = match("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "%{event_description}", processor_chain([ +var part357 = match_copy("MESSAGE#0:LOG-7-SYSTEM_MSG", "nwparser.payload", "event_description", processor_chain([ dup1, dup2, dup3, dup4, ])); -var part359 = match("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "%{event_description}", processor_chain([ +var part358 = match_copy("MESSAGE#32:NEIGHBOR_UPDATE_AUTOCOPY", "nwparser.payload", "event_description", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part360 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup24, +var part359 = match("MESSAGE#35:IF_DOWN_ADMIN_DOWN", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var part361 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ - dup24, +var part360 = match("MESSAGE#36:IF_DOWN_ADMIN_DOWN:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, dup2, dup3, dup4, ])); -var part362 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ +var part361 = match("MESSAGE#37:IF_DOWN_CHANNEL_MEMBERSHIP_UPDATE_IN_PROGRESS", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part363 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ - dup25, +var part362 = match("MESSAGE#38:IF_DOWN_INTERFACE_REMOVED", "nwparser.payload", "Interface %{interface->} is down (%{result})", processor_chain([ + dup24, dup2, dup3, dup4, ])); var select44 = linear_select([ + dup26, dup27, - dup28, ]); -var part364 = match("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "%{result}", processor_chain([ +var part363 = match_copy("MESSAGE#58:IM_SEQ_ERROR", "nwparser.payload", "result", processor_chain([ dup1, dup2, dup3, dup4, ])); -var part365 = match("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "%{event_description}", processor_chain([ - dup25, +var part364 = match_copy("MESSAGE#88:PFM_VEM_REMOVE_NO_HB", "nwparser.payload", "event_description", processor_chain([ + dup24, dup2, dup3, dup4, ])); -var part366 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ +var part365 = match("MESSAGE#108:IF_DOWN_INITIALIZING:01", "nwparser.payload", "%{fld43->} Interface %{interface->} is down (%{result})", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part367 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ - dup24, +var part366 = match("MESSAGE#110:IF_DOWN_NONE:01", "nwparser.payload", "%{fld52->} Interface %{interface->} is down (%{result})", processor_chain([ + dup23, + dup34, dup35, - dup36, dup14, dup2, dup3, dup4, ])); -var part368 = match("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "%{event_description}", processor_chain([ - dup34, +var part367 = match_copy("MESSAGE#123:PORT_PROFILE_CHANGE_VERIFY_REQ_FAILURE", "nwparser.payload", "event_description", processor_chain([ + dup33, dup2, dup3, dup4, ])); var select45 = linear_select([ + dup46, dup47, - dup48, ]); var select46 = linear_select([ + dup49, dup50, - dup51, ]); var select47 = linear_select([ + dup54, dup55, - dup56, ]); var select48 = linear_select([ + dup57, dup58, - dup59, ]); -var part369 = match("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "%{event_description}", processor_chain([ - dup24, +var part368 = match_copy("MESSAGE#214:NOHMS_DIAG_ERR_PS_FAIL", "nwparser.payload", "event_description", processor_chain([ + dup23, dup2, dup3, dup4, ])); var select49 = linear_select([ + dup65, dup66, - dup67, ]); var select50 = linear_select([ + dup67, dup68, - dup69, ]); -var part370 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ +var part369 = match("MESSAGE#224:IF_SFP_WARNING", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ dup15, dup2, dup3, dup4, ])); -var part371 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ - dup24, +var part370 = match("MESSAGE#225:IF_DOWN_TCP_MAX_RETRANSMIT", "nwparser.payload", "%{fld43->} Interface %{interface->} is down%{info}", processor_chain([ + dup23, dup2, dup3, dup4, ])); var select51 = linear_select([ + dup70, dup71, - dup72, ]); -var part372 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ - dup62, +var part371 = match("MESSAGE#239:IF_XCVR_WARNING:01", "nwparser.payload", "Interface %{interface}, %{event_description}", processor_chain([ + dup61, dup2, dup3, dup4, diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml index b85ab503dda0..c064c903dba0 100644 --- a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml @@ -56,13 +56,8 @@ processors: - append: field: related.hosts value: '{{host.name}}' - if: ctx.host?.name != null && ctx.host?.name != '' - allow_duplicates: false - - append: - field: related.hosts - value: '{{host.hostname}}' - if: ctx.host?.hostname != null && ctx.host?.hostname != '' allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cisco/nexus/manifest.yml b/x-pack/filebeat/module/cisco/nexus/manifest.yml index 37ec55fcf9fe..f1e88db6b391 100644 --- a/x-pack/filebeat/module/cisco/nexus/manifest.yml +++ b/x-pack/filebeat/module/cisco/nexus/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9506 + default: 9528 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/citrix/netscaler/config/input.yml b/x-pack/filebeat/module/citrix/netscaler/config/input.yml index 2ce7816844da..2956d79493b0 100644 --- a/x-pack/filebeat/module/citrix/netscaler/config/input.yml +++ b/x-pack/filebeat/module/citrix/netscaler/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/citrix/netscaler/config/liblogparser.js b/x-pack/filebeat/module/citrix/netscaler/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/citrix/netscaler/config/liblogparser.js +++ b/x-pack/filebeat/module/citrix/netscaler/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml index a2f7da6f2a0d..de4883b913fd 100644 --- a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml +++ b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml @@ -55,9 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{server.domain}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.server?.domain != null && ctx.server?.domain != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/citrix/netscaler/manifest.yml b/x-pack/filebeat/module/citrix/netscaler/manifest.yml index 4f7831e19366..9c1ee34c359e 100644 --- a/x-pack/filebeat/module/citrix/netscaler/manifest.yml +++ b/x-pack/filebeat/module/citrix/netscaler/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9526 + default: 9542 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json index 837f7b744a71..4214c12721f3 100644 --- a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json @@ -184,11 +184,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ + "10.83.234.60", + "10.21.92.218", "10.96.119.12", "10.156.210.168", - "10.21.92.218", - "10.109.68.21", - "10.83.234.60" + "10.109.68.21" ], "related.user": [ "picia" @@ -310,9 +310,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.92.161.8", "10.103.118.137", - "10.116.193.182" + "10.116.193.182", + "10.92.161.8" ], "related.user": [ "ationemu" @@ -380,7 +380,6 @@ "rsa.misc.msgIdPart2": "TRAP_SENT", "rsa.misc.obj_type": "amc", "rsa.misc.severity": "Notice", - "rsa.misc.space": "", "service.type": "citrix", "tags": [ "citrix.netscaler", @@ -585,6 +584,9 @@ "rsa.misc.msgIdPart2": "Message", "rsa.network.domain": "tor4410.api.localhost", "server.domain": "tor4410.api.localhost", + "server.registered_domain": "api.localhost", + "server.subdomain": "tor4410", + "server.top_level_domain": "localhost", "service.type": "citrix", "source.ip": [ "10.206.87.219" @@ -619,7 +621,6 @@ "rsa.misc.obj_name": "edquia", "rsa.misc.obj_type": "itas", "rsa.misc.severity": "Notice", - "rsa.misc.space": "", "service.type": "citrix", "tags": [ "citrix.netscaler", @@ -1028,9 +1029,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ + "10.197.6.245", "10.81.45.174", - "10.82.28.220", - "10.197.6.245" + "10.82.28.220" ], "related.user": [ "agnaaliq" @@ -1332,11 +1333,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.117.94.131", - "10.180.83.140", + "10.243.226.122", "10.3.23.172", "10.45.114.111", - "10.243.226.122" + "10.117.94.131", + "10.180.83.140" ], "related.user": [ "ehender" @@ -1543,8 +1544,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.29.207.55", - "10.61.175.217" + "10.61.175.217", + "10.29.207.55" ], "related.user": [ "scip" @@ -2084,9 +2085,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ + "10.41.65.89", "10.225.146.5", - "10.80.5.101", - "10.41.65.89" + "10.80.5.101" ], "related.user": [ "picia" @@ -2507,6 +2508,9 @@ "observer.product": "Netscaler", "observer.type": "Firewall", "observer.vendor": "Citrix", + "related.hosts": [ + "www5.example.com" + ], "related.ip": [ "10.163.217.101" ], @@ -2529,7 +2533,10 @@ ], "url.domain": "www5.example.com", "url.original": "https://www5.example.com/iscivel/rinci.txt?atcupi=eriti#uptateve", - "url.path": "https://www5.example.com" + "url.path": "https://www5.example.com", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com" }, { "destination.ip": [ @@ -2584,11 +2591,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.148.244.55", "10.76.129.136", - "10.133.153.174", "10.113.135.78", - "10.8.82.22" + "10.148.244.55", + "10.8.82.22", + "10.133.153.174" ], "related.user": [ "asiar" @@ -2733,8 +2740,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.215.229.78", "10.67.233.159", + "10.215.229.78", "10.213.112.186" ], "related.user": [ @@ -2845,8 +2852,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.73.45.19", - "10.96.104.212" + "10.96.104.212", + "10.73.45.19" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -2937,10 +2944,10 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.29.202.248", - "10.206.5.50", "10.247.251.223", - "10.161.218.47" + "10.161.218.47", + "10.29.202.248", + "10.206.5.50" ], "rsa.internal.event_desc": "A Server side and a Client side TCP connection is delinked. This is not tracked by Netscaler", "rsa.internal.messageid": "TCP_OTHERCONN_DELINK", @@ -3036,7 +3043,9 @@ "observer.vendor": "Citrix", "observer.version": "1.897", "related.hosts": [ - "hend1170.www5.lan" + "orisnis403.www.localhost", + "hend1170.www5.lan", + "ptateve165.mail.corp" ], "related.ip": [ "10.111.22.134" @@ -3048,6 +3057,9 @@ "rsa.network.domain": "hend1170.www5.lan", "rsa.network.host_dst": "ptateve165.mail.corp", "server.domain": "hend1170.www5.lan", + "server.registered_domain": "www5.lan", + "server.subdomain": "hend1170", + "server.top_level_domain": "lan", "service.type": "citrix", "source.address": "orisnis403.www.localhost", "source.ip": [ @@ -3076,8 +3088,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.37.99.189", - "10.148.72.78" + "10.148.72.78", + "10.37.99.189" ], "rsa.crypto.cipher_src": "ritatis", "rsa.crypto.ssl_ver_src": "ugitsed", diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml index e3cf7723b6d8..caf07675b0f6 100644 --- a/x-pack/filebeat/module/cyberark/corepas/config/input.yml +++ b/x-pack/filebeat/module/cyberark/corepas/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js b/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js +++ b/x-pack/filebeat/module/cyberark/corepas/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml index 4e401931415d..c0e79ff34d69 100644 --- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml @@ -55,14 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.hostname}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - - append: - field: related.hosts - value: '{{server.domain}}' - allow_duplicates: false - if: ctx?.server?.domain != null && ctx.server?.domain != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cyberark/corepas/manifest.yml b/x-pack/filebeat/module/cyberark/corepas/manifest.yml index 76d15f7b9d36..068553fbee91 100644 --- a/x-pack/filebeat/module/cyberark/corepas/manifest.yml +++ b/x-pack/filebeat/module/cyberark/corepas/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9527 + default: 9543 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json index b31c1f80eaea..d04fc32870f4 100644 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json @@ -64,6 +64,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.259", "related.hosts": [ + "volup208.invalid", "iatnu3810.mail.localdomain" ], "related.ip": [ @@ -71,9 +72,9 @@ "10.92.136.230" ], "related.user": [ + "dolore", "orev", - "nnumqu", - "dolore" + "nnumqu" ], "rsa.db.database": "umdo", "rsa.db.index": "vol", @@ -96,6 +97,9 @@ "rsa.network.domain": "iatnu3810.mail.localdomain", "rsa.network.host_dst": "volup208.invalid", "server.domain": "iatnu3810.mail.localdomain", + "server.registered_domain": "mail.localdomain", + "server.subdomain": "iatnu3810", + "server.top_level_domain": "localdomain", "service.type": "cyberark", "source.ip": [ "10.175.75.18" @@ -127,16 +131,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.7269", "related.hosts": [ + "tetu5280.www5.invalid", "anti4454.api.example" ], "related.ip": [ - "10.46.185.46", - "10.51.132.10" + "10.51.132.10", + "10.46.185.46" ], "related.user": [ + "serror", "incid", - "nse", - "serror" + "nse" ], "rsa.db.database": "byC", "rsa.db.index": "tur", @@ -159,6 +164,9 @@ "rsa.network.domain": "anti4454.api.example", "rsa.network.host_dst": "tetu5280.www5.invalid", "server.domain": "anti4454.api.example", + "server.registered_domain": "api.example", + "server.subdomain": "anti4454", + "server.top_level_domain": "example", "service.type": "cyberark", "source.ip": [ "10.46.185.46" @@ -190,11 +198,12 @@ "observer.vendor": "Cyberark", "observer.version": "1.6713", "related.hosts": [ - "uam6303.api.lan" + "uam6303.api.lan", + "llu4762.mail.localdomain" ], "related.ip": [ - "10.53.192.140", - "10.155.236.240" + "10.155.236.240", + "10.53.192.140" ], "related.user": [ "ptass", @@ -222,6 +231,9 @@ "rsa.network.domain": "uam6303.api.lan", "rsa.network.host_dst": "llu4762.mail.localdomain", "server.domain": "uam6303.api.lan", + "server.registered_domain": "api.lan", + "server.subdomain": "uam6303", + "server.top_level_domain": "lan", "service.type": "cyberark", "source.ip": [ "10.155.236.240" @@ -254,8 +266,8 @@ ], "related.user": [ "oremips", - "eos", - "giatq" + "giatq", + "eos" ], "rsa.db.index": "tempo", "rsa.internal.event_desc": "uian", @@ -297,15 +309,16 @@ "observer.vendor": "Cyberark", "observer.version": "1.3491", "related.hosts": [ - "temq1198.internal.example" + "temq1198.internal.example", + "aquaeab2275.www5.domain" ], "related.ip": [ - "10.172.14.142", - "10.139.186.201" + "10.139.186.201", + "10.172.14.142" ], "related.user": [ - "aboris", "tcupida", + "aboris", "uam" ], "rsa.db.database": "isiu", @@ -329,6 +342,9 @@ "rsa.network.domain": "temq1198.internal.example", "rsa.network.host_dst": "aquaeab2275.www5.domain", "server.domain": "temq1198.internal.example", + "server.registered_domain": "internal.example", + "server.subdomain": "temq1198", + "server.top_level_domain": "example", "service.type": "cyberark", "source.ip": [ "10.172.14.142" @@ -360,16 +376,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.6875", "related.hosts": [ - "tenbyCic5882.api.home" + "tenbyCic5882.api.home", + "amquisno3338.www5.lan" ], "related.ip": [ - "10.104.111.129", - "10.47.76.251" + "10.47.76.251", + "10.104.111.129" ], "related.user": [ + "etconsec", "ele", - "ipis", - "etconsec" + "ipis" ], "rsa.db.database": "riat", "rsa.db.index": "umdolor", @@ -392,6 +409,9 @@ "rsa.network.domain": "tenbyCic5882.api.home", "rsa.network.host_dst": "amquisno3338.www5.lan", "server.domain": "tenbyCic5882.api.home", + "server.registered_domain": "api.home", + "server.subdomain": "tenbyCic5882", + "server.top_level_domain": "home", "service.type": "cyberark", "source.ip": [ "10.104.111.129" @@ -423,9 +443,9 @@ "10.116.120.216" ], "related.user": [ + "umdo", "animi", - "quiratio", - "umdo" + "quiratio" ], "rsa.db.index": "oll", "rsa.internal.event_desc": "rumet", @@ -467,16 +487,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.5529", "related.hosts": [ - "isqu7224.localdomain" + "isqu7224.localdomain", + "idolores3839.localdomain" ], "related.ip": [ "10.57.40.29", "10.62.54.220" ], "related.user": [ + "taevi", "psum", - "rnatura", - "taevi" + "rnatura" ], "rsa.db.database": "emeumfug", "rsa.db.index": "omn", @@ -499,6 +520,8 @@ "rsa.network.domain": "isqu7224.localdomain", "rsa.network.host_dst": "idolores3839.localdomain", "server.domain": "isqu7224.localdomain", + "server.registered_domain": "isqu7224.localdomain", + "server.top_level_domain": "localdomain", "service.type": "cyberark", "source.ip": [ "10.57.40.29" @@ -574,9 +597,9 @@ "10.18.165.35" ], "related.user": [ - "remeum", "modocons", - "lor" + "lor", + "remeum" ], "rsa.db.index": "etM", "rsa.internal.event_desc": "etc", @@ -618,9 +641,9 @@ "10.74.253.127" ], "related.user": [ - "tema", + "onproide", "icab", - "onproide" + "tema" ], "rsa.db.index": "mqui", "rsa.internal.event_desc": "eomnisis", @@ -661,15 +684,16 @@ "observer.vendor": "Cyberark", "observer.version": "1.1697", "related.hosts": [ - "tlabo6088.www.localdomain" + "tlabo6088.www.localdomain", + "Lor5841.internal.example" ], "related.ip": [ "10.92.8.15", "10.189.109.245" ], "related.user": [ - "ono", - "inima" + "inima", + "ono" ], "rsa.db.database": "uines", "rsa.db.index": "onse", @@ -691,6 +715,9 @@ "rsa.network.domain": "tlabo6088.www.localdomain", "rsa.network.host_dst": "Lor5841.internal.example", "server.domain": "tlabo6088.www.localdomain", + "server.registered_domain": "www.localdomain", + "server.subdomain": "tlabo6088", + "server.top_level_domain": "localdomain", "service.type": "cyberark", "source.ip": [ "10.92.8.15" @@ -722,8 +749,8 @@ "10.21.78.128" ], "related.user": [ - "upt", "taut", + "upt", "giatquov" ], "rsa.db.index": "iadese", @@ -810,15 +837,16 @@ "observer.vendor": "Cyberark", "observer.version": "1.3727", "related.hosts": [ + "rpo79.mail.example", "iavolu5352.localhost" ], "related.ip": [ - "10.63.37.192", - "10.225.115.13" + "10.225.115.13", + "10.63.37.192" ], "related.user": [ - "iunt", "reetd", + "iunt", "equep" ], "rsa.db.database": "aliqu", @@ -842,6 +870,8 @@ "rsa.network.domain": "iavolu5352.localhost", "rsa.network.host_dst": "rpo79.mail.example", "server.domain": "iavolu5352.localhost", + "server.registered_domain": "iavolu5352.localhost", + "server.top_level_domain": "localhost", "service.type": "cyberark", "source.ip": [ "10.225.115.13" @@ -873,16 +903,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.3219", "related.hosts": [ + "tionof7613.domain", "estiae3750.api.corp" ], "related.ip": [ - "10.95.64.124", - "10.47.202.102" + "10.47.202.102", + "10.95.64.124" ], "related.user": [ "ntor", - "ice", - "run" + "run", + "ice" ], "rsa.db.database": "ite", "rsa.db.index": "iquipex", @@ -905,6 +936,9 @@ "rsa.network.domain": "estiae3750.api.corp", "rsa.network.host_dst": "tionof7613.domain", "server.domain": "estiae3750.api.corp", + "server.registered_domain": "api.corp", + "server.subdomain": "estiae3750", + "server.top_level_domain": "corp", "service.type": "cyberark", "source.ip": [ "10.95.64.124" @@ -935,6 +969,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.6371", "related.hosts": [ + "acc7692.home", "aquaeabi7735.internal.lan" ], "related.ip": [ @@ -942,8 +977,8 @@ "10.244.114.61" ], "related.user": [ - "serunt", - "itquiin" + "itquiin", + "serunt" ], "rsa.db.database": "itame", "rsa.db.index": "oluptas", @@ -965,6 +1000,9 @@ "rsa.network.domain": "aquaeabi7735.internal.lan", "rsa.network.host_dst": "acc7692.home", "server.domain": "aquaeabi7735.internal.lan", + "server.registered_domain": "internal.lan", + "server.subdomain": "aquaeabi7735", + "server.top_level_domain": "lan", "service.type": "cyberark", "source.ip": [ "10.244.114.61" @@ -996,16 +1034,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.821", "related.hosts": [ + "quatD4191.local", "etMalor4236.www5.host" ], "related.ip": [ - "10.53.168.235", - "10.125.160.129" + "10.125.160.129", + "10.53.168.235" ], "related.user": [ - "one", "abi", - "ione" + "ione", + "one" ], "rsa.db.database": "sperna", "rsa.db.index": "estia", @@ -1028,6 +1067,9 @@ "rsa.network.domain": "etMalor4236.www5.host", "rsa.network.host_dst": "quatD4191.local", "server.domain": "etMalor4236.www5.host", + "server.registered_domain": "www5.host", + "server.subdomain": "etMalor4236", + "server.top_level_domain": "host", "service.type": "cyberark", "source.ip": [ "10.53.168.235" @@ -1059,16 +1101,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.1123", "related.hosts": [ - "quioffi1359.internal.lan" + "quioffi1359.internal.lan", + "eturadi6608.mail.host" ], "related.ip": [ "10.227.177.121", "10.33.245.220" ], "related.user": [ - "liqui", + "iduntu", "tasuntex", - "iduntu" + "liqui" ], "rsa.db.database": "rvel", "rsa.db.index": "onsecte", @@ -1091,6 +1134,9 @@ "rsa.network.domain": "quioffi1359.internal.lan", "rsa.network.host_dst": "eturadi6608.mail.host", "server.domain": "quioffi1359.internal.lan", + "server.registered_domain": "internal.lan", + "server.subdomain": "quioffi1359", + "server.top_level_domain": "lan", "service.type": "cyberark", "source.ip": [ "10.33.245.220" @@ -1125,8 +1171,9 @@ "process.name": "laboree.exe", "process.pid": 6501, "related.hosts": [ + "nsecte3304.mail.corp", "xeacomm6855.api.corp", - "nsecte3304.mail.corp" + "eroi176.example" ], "related.ip": [ "10.167.85.181", @@ -1157,6 +1204,9 @@ "rsa.network.domain": "nsecte3304.mail.corp", "rsa.network.host_dst": "eroi176.example", "server.domain": "nsecte3304.mail.corp", + "server.registered_domain": "mail.corp", + "server.subdomain": "nsecte3304", + "server.top_level_domain": "corp", "service.type": "cyberark", "source.address": "xeacomm6855.api.corp", "source.ip": [ @@ -1233,16 +1283,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.509", "related.hosts": [ - "nevo4284.internal.local" + "nevo4284.internal.local", + "reetdolo6852.www.test" ], "related.ip": [ "10.72.148.32", "10.214.191.180" ], "related.user": [ + "luptatev", "uteirure", - "tDuisaut", - "luptatev" + "tDuisaut" ], "rsa.db.database": "uamest", "rsa.db.index": "uae", @@ -1265,6 +1316,9 @@ "rsa.network.domain": "nevo4284.internal.local", "rsa.network.host_dst": "reetdolo6852.www.test", "server.domain": "nevo4284.internal.local", + "server.registered_domain": "internal.local", + "server.subdomain": "nevo4284", + "server.top_level_domain": "local", "service.type": "cyberark", "source.ip": [ "10.72.148.32" @@ -1296,6 +1350,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.3599", "related.hosts": [ + "mporin6932.api.localdomain", "itas981.mail.domain" ], "related.ip": [ @@ -1303,9 +1358,9 @@ "10.252.124.150" ], "related.user": [ - "litessec", + "ipsumd", "com", - "ipsumd" + "litessec" ], "rsa.db.database": "tasn", "rsa.db.index": "squirati", @@ -1328,6 +1383,9 @@ "rsa.network.domain": "itas981.mail.domain", "rsa.network.host_dst": "mporin6932.api.localdomain", "server.domain": "itas981.mail.domain", + "server.registered_domain": "mail.domain", + "server.subdomain": "itas981", + "server.top_level_domain": "domain", "service.type": "cyberark", "source.ip": [ "10.252.124.150" @@ -1359,16 +1417,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.5649", "related.hosts": [ - "tnonpro7635.localdomain" + "tnonpro7635.localdomain", + "illoin2914.mail.lan" ], "related.ip": [ "10.213.144.249", "10.192.34.76" ], "related.user": [ - "temqu", + "iquipe", "lore", - "iquipe" + "temqu" ], "rsa.db.database": "gnamal", "rsa.db.index": "ntexplic", @@ -1391,6 +1450,8 @@ "rsa.network.domain": "tnonpro7635.localdomain", "rsa.network.host_dst": "illoin2914.mail.lan", "server.domain": "tnonpro7635.localdomain", + "server.registered_domain": "tnonpro7635.localdomain", + "server.top_level_domain": "localdomain", "service.type": "cyberark", "source.ip": [ "10.213.144.249" @@ -1421,15 +1482,16 @@ "observer.vendor": "Cyberark", "observer.version": "1.2217", "related.hosts": [ - "rQuisau5300.www5.example" + "rQuisau5300.www5.example", + "evit5780.www.corp" ], "related.ip": [ "10.216.84.30", "10.154.4.197" ], "related.user": [ - "untu", - "intoc" + "intoc", + "untu" ], "rsa.db.database": "oditem", "rsa.db.index": "borios", @@ -1451,6 +1513,9 @@ "rsa.network.domain": "rQuisau5300.www5.example", "rsa.network.host_dst": "evit5780.www.corp", "server.domain": "rQuisau5300.www5.example", + "server.registered_domain": "www5.example", + "server.subdomain": "rQuisau5300", + "server.top_level_domain": "example", "service.type": "cyberark", "source.ip": [ "10.216.84.30" @@ -1483,8 +1548,8 @@ ], "related.user": [ "tqu", - "quid", - "niamqui" + "niamqui", + "quid" ], "rsa.db.index": "inci", "rsa.internal.event_desc": "eroinBCS", @@ -1526,16 +1591,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.5632", "related.hosts": [ - "uamei2389.internal.example" + "uamei2389.internal.example", + "uisa5736.internal.local" ], "related.ip": [ - "10.193.83.81", - "10.65.175.9" + "10.65.175.9", + "10.193.83.81" ], "related.user": [ - "ritatise", + "essequam", "umqu", - "essequam" + "ritatise" ], "rsa.db.database": "ender", "rsa.db.index": "entorev", @@ -1558,6 +1624,9 @@ "rsa.network.domain": "uamei2389.internal.example", "rsa.network.host_dst": "uisa5736.internal.local", "server.domain": "uamei2389.internal.example", + "server.registered_domain": "internal.example", + "server.subdomain": "uamei2389", + "server.top_level_domain": "example", "service.type": "cyberark", "source.ip": [ "10.65.175.9" @@ -1589,8 +1658,8 @@ "10.205.72.243" ], "related.user": [ - "tatn", "isiuta", + "tatn", "umdolo" ], "rsa.db.index": "proide", @@ -1678,8 +1747,8 @@ ], "related.user": [ "asiarc", - "umSe", - "quidexea" + "quidexea", + "umSe" ], "rsa.db.index": "veli", "rsa.internal.event_desc": "quatu", @@ -1721,16 +1790,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.267", "related.hosts": [ + "utlab3706.api.host", "miurerep1152.internal.domain" ], "related.ip": [ - "10.235.136.109", - "10.39.10.155" + "10.39.10.155", + "10.235.136.109" ], "related.user": [ - "aboreetd", "ptass", - "urExcept" + "urExcept", + "aboreetd" ], "rsa.db.database": "teirured", "rsa.db.index": "dolorem", @@ -1753,6 +1823,9 @@ "rsa.network.domain": "miurerep1152.internal.domain", "rsa.network.host_dst": "utlab3706.api.host", "server.domain": "miurerep1152.internal.domain", + "server.registered_domain": "internal.domain", + "server.subdomain": "miurerep1152", + "server.top_level_domain": "domain", "service.type": "cyberark", "source.ip": [ "10.39.10.155" @@ -1785,8 +1858,8 @@ ], "related.user": [ "ibusBon", - "doloreme", - "itation" + "itation", + "doloreme" ], "rsa.db.index": "oremipsu", "rsa.internal.event_desc": "umexerc", @@ -1828,9 +1901,9 @@ "10.71.238.250" ], "related.user": [ + "reseo", "aec", - "moenimi", - "reseo" + "moenimi" ], "rsa.db.index": "mac", "rsa.internal.event_desc": "quamest", @@ -1872,15 +1945,16 @@ "observer.vendor": "Cyberark", "observer.version": "1.3804", "related.hosts": [ - "rum5798.home" + "rum5798.home", + "mvel1188.internal.localdomain" ], "related.ip": [ - "10.226.101.180", - "10.226.20.199" + "10.226.20.199", + "10.226.101.180" ], "related.user": [ - "ritt", "rationev", + "ritt", "veniamqu" ], "rsa.db.database": "conse", @@ -1904,6 +1978,8 @@ "rsa.network.domain": "rum5798.home", "rsa.network.host_dst": "mvel1188.internal.localdomain", "server.domain": "rum5798.home", + "server.registered_domain": "rum5798.home", + "server.top_level_domain": "home", "service.type": "cyberark", "source.ip": [ "10.226.101.180" @@ -1936,16 +2012,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.1493", "related.hosts": [ + "perspici5680.domain", "nisiut3624.api.example" ], "related.ip": [ - "10.134.65.15", - "10.86.22.67" + "10.86.22.67", + "10.134.65.15" ], "related.user": [ - "cab", "utaliqu", - "quaUten" + "quaUten", + "cab" ], "rsa.db.database": "isciv", "rsa.db.index": "nofd", @@ -1971,6 +2048,9 @@ "rsa.network.domain": "nisiut3624.api.example", "rsa.network.host_dst": "perspici5680.domain", "server.domain": "nisiut3624.api.example", + "server.registered_domain": "api.example", + "server.subdomain": "nisiut3624", + "server.top_level_domain": "example", "service.type": "cyberark", "source.ip": [ "10.134.65.15" @@ -2002,9 +2082,9 @@ "10.70.147.120" ], "related.user": [ - "cidunt", "emqu", - "tten" + "tten", + "cidunt" ], "rsa.db.index": "eaqu", "rsa.internal.event_desc": "quidol", @@ -2046,16 +2126,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.6255", "related.hosts": [ - "tesse1089.www.host" + "tesse1089.www.host", + "ptateve6909.www5.lan" ], "related.ip": [ "10.24.111.229", "10.178.242.100" ], "related.user": [ - "idid", "dqu", - "loi" + "loi", + "idid" ], "rsa.db.database": "tenatuse", "rsa.db.index": "ullamcor", @@ -2078,6 +2159,9 @@ "rsa.network.domain": "tesse1089.www.host", "rsa.network.host_dst": "ptateve6909.www5.lan", "server.domain": "tesse1089.www.host", + "server.registered_domain": "www.host", + "server.subdomain": "tesse1089", + "server.top_level_domain": "host", "service.type": "cyberark", "source.ip": [ "10.24.111.229" @@ -2153,9 +2237,9 @@ "10.30.243.163" ], "related.user": [ + "mven", "dolore", - "illu", - "mven" + "illu" ], "rsa.db.index": "idol", "rsa.internal.event_desc": "lore", @@ -2197,16 +2281,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.1844", "related.hosts": [ - "dictasun3878.internal.localhost" + "dictasun3878.internal.localhost", + "modocon5089.mail.example" ], "related.ip": [ "10.6.79.159", "10.212.214.4" ], "related.user": [ - "midestl", "amvo", - "quid" + "quid", + "midestl" ], "rsa.db.database": "urExce", "rsa.db.index": "ectiono", @@ -2229,6 +2314,9 @@ "rsa.network.domain": "dictasun3878.internal.localhost", "rsa.network.host_dst": "modocon5089.mail.example", "server.domain": "dictasun3878.internal.localhost", + "server.registered_domain": "internal.localhost", + "server.subdomain": "dictasun3878", + "server.top_level_domain": "localhost", "service.type": "cyberark", "source.ip": [ "10.212.214.4" @@ -2260,11 +2348,12 @@ "observer.vendor": "Cyberark", "observer.version": "1.3546", "related.hosts": [ - "aecatcup2241.www5.test" + "aecatcup2241.www5.test", + "tempor1282.www5.localhost" ], "related.ip": [ - "10.237.170.202", - "10.70.147.46" + "10.70.147.46", + "10.237.170.202" ], "related.user": [ "liquide", @@ -2292,6 +2381,9 @@ "rsa.network.domain": "aecatcup2241.www5.test", "rsa.network.host_dst": "tempor1282.www5.localhost", "server.domain": "aecatcup2241.www5.test", + "server.registered_domain": "www5.test", + "server.subdomain": "aecatcup2241", + "server.top_level_domain": "test", "service.type": "cyberark", "source.ip": [ "10.70.147.46" @@ -2323,6 +2415,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.4282", "related.hosts": [ + "mipsum2964.invalid", "mad5185.www5.localhost" ], "related.ip": [ @@ -2330,9 +2423,9 @@ "10.228.118.81" ], "related.user": [ - "itasper", "tatemU", - "emoe" + "emoe", + "itasper" ], "rsa.db.database": "toditaut", "rsa.db.index": "ugit", @@ -2355,6 +2448,9 @@ "rsa.network.domain": "mad5185.www5.localhost", "rsa.network.host_dst": "mipsum2964.invalid", "server.domain": "mad5185.www5.localhost", + "server.registered_domain": "www5.localhost", + "server.subdomain": "mad5185", + "server.top_level_domain": "localhost", "service.type": "cyberark", "source.ip": [ "10.228.118.81" @@ -2386,6 +2482,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.3806", "related.hosts": [ + "veniamq1236.invalid", "esseq7889.www.invalid" ], "related.ip": [ @@ -2393,9 +2490,9 @@ "10.234.165.130" ], "related.user": [ - "iuntNequ", "henderit", - "emip" + "emip", + "iuntNequ" ], "rsa.db.database": "veniamqu", "rsa.db.index": "atquo", @@ -2418,6 +2515,9 @@ "rsa.network.domain": "esseq7889.www.invalid", "rsa.network.host_dst": "veniamq1236.invalid", "server.domain": "esseq7889.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "esseq7889", + "server.top_level_domain": "invalid", "service.type": "cyberark", "source.ip": [ "10.234.165.130" @@ -2450,8 +2550,8 @@ ], "related.user": [ "olorema", - "turadipi", - "emip" + "emip", + "turadipi" ], "rsa.db.index": "ataevi", "rsa.internal.event_desc": "minim", @@ -2493,9 +2593,9 @@ "10.193.219.34" ], "related.user": [ - "olorem", "uamei", - "utlabo" + "utlabo", + "olorem" ], "rsa.db.index": "nse", "rsa.internal.event_desc": "orisni", @@ -2537,6 +2637,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.7083", "related.hosts": [ + "taliqui5348.mail.localdomain", "tem6815.home" ], "related.ip": [ @@ -2544,9 +2645,9 @@ "10.174.185.109" ], "related.user": [ - "animid", + "dolorem", "rsp", - "dolorem" + "animid" ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2569,6 +2670,8 @@ "rsa.network.domain": "tem6815.home", "rsa.network.host_dst": "taliqui5348.mail.localdomain", "server.domain": "tem6815.home", + "server.registered_domain": "tem6815.home", + "server.top_level_domain": "home", "service.type": "cyberark", "source.ip": [ "10.174.185.109" @@ -2600,16 +2703,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.1432", "related.hosts": [ - "mporainc2064.home" + "mporainc2064.home", + "atnulapa3548.www.domain" ], "related.ip": [ "10.141.213.219", "10.117.137.159" ], "related.user": [ + "ate", "accusa", - "atev", - "ate" + "atev" ], "rsa.db.database": "nibus", "rsa.db.index": "ser", @@ -2632,6 +2736,8 @@ "rsa.network.domain": "mporainc2064.home", "rsa.network.host_dst": "atnulapa3548.www.domain", "server.domain": "mporainc2064.home", + "server.registered_domain": "mporainc2064.home", + "server.top_level_domain": "home", "service.type": "cyberark", "source.ip": [ "10.141.213.219" @@ -2663,16 +2769,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.4043", "related.hosts": [ - "caboNem1043.internal.home" + "caboNem1043.internal.home", + "litesseq6785.host" ], "related.ip": [ - "10.166.90.130", - "10.94.224.229" + "10.94.224.229", + "10.166.90.130" ], "related.user": [ - "rem", "eavol", - "etconsec" + "etconsec", + "rem" ], "rsa.db.database": "oditempo", "rsa.db.index": "deF", @@ -2697,6 +2804,9 @@ "rsa.network.domain": "caboNem1043.internal.home", "rsa.network.host_dst": "litesseq6785.host", "server.domain": "caboNem1043.internal.home", + "server.registered_domain": "internal.home", + "server.subdomain": "caboNem1043", + "server.top_level_domain": "home", "service.type": "cyberark", "source.ip": [ "10.94.224.229" @@ -2728,16 +2838,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.2456", "related.hosts": [ + "onnu2272.mail.corp", "tatio6513.www.invalid" ], "related.ip": [ - "10.201.81.46", - "10.38.28.151" + "10.38.28.151", + "10.201.81.46" ], "related.user": [ - "incidid", + "mipsumqu", "tiumto", - "mipsumqu" + "incidid" ], "rsa.db.database": "abor", "rsa.db.index": "adol", @@ -2762,6 +2873,9 @@ "rsa.network.domain": "tatio6513.www.invalid", "rsa.network.host_dst": "onnu2272.mail.corp", "server.domain": "tatio6513.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "tatio6513", + "server.top_level_domain": "invalid", "service.type": "cyberark", "source.ip": [ "10.201.81.46" @@ -2793,7 +2907,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.2721", "related.hosts": [ - "dolori6232.api.invalid" + "dolori6232.api.invalid", + "llit958.www.domain" ], "related.ip": [ "10.214.245.95", @@ -2801,8 +2916,8 @@ ], "related.user": [ "umdolors", - "rerepre", - "uptatem" + "uptatem", + "rerepre" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", @@ -2825,6 +2940,9 @@ "rsa.network.domain": "dolori6232.api.invalid", "rsa.network.host_dst": "llit958.www.domain", "server.domain": "dolori6232.api.invalid", + "server.registered_domain": "api.invalid", + "server.subdomain": "dolori6232", + "server.top_level_domain": "invalid", "service.type": "cyberark", "source.ip": [ "10.255.28.56" @@ -2856,8 +2974,8 @@ "10.45.35.180" ], "related.user": [ - "mip", "qui", + "mip", "Utenima" ], "rsa.db.index": "boree", @@ -2900,9 +3018,9 @@ "10.141.200.133" ], "related.user": [ - "iame", "enim", - "ess" + "ess", + "iame" ], "rsa.db.index": "nofdeFi", "rsa.internal.event_desc": "isnostru", @@ -2944,9 +3062,9 @@ "10.83.238.145" ], "related.user": [ - "ugi", "illoi", - "runtmo" + "runtmo", + "ugi" ], "rsa.db.index": "eetdo", "rsa.internal.event_desc": "quaer", @@ -2988,16 +3106,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.3147", "related.hosts": [ - "mestq2106.api.host" + "mestq2106.api.host", + "llamc6724.www.lan" ], "related.ip": [ "10.39.143.155", "10.41.89.217" ], "related.user": [ - "tperspic", + "sedquiac", "tem", - "sedquiac" + "tperspic" ], "rsa.db.database": "radipis", "rsa.db.index": "nse", @@ -3020,6 +3139,9 @@ "rsa.network.domain": "mestq2106.api.host", "rsa.network.host_dst": "llamc6724.www.lan", "server.domain": "mestq2106.api.host", + "server.registered_domain": "api.host", + "server.subdomain": "mestq2106", + "server.top_level_domain": "host", "service.type": "cyberark", "source.ip": [ "10.41.89.217" @@ -3051,6 +3173,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.6382", "related.hosts": [ + "reseosqu1629.mail.lan", "lors7553.api.local" ], "related.ip": [ @@ -3058,8 +3181,8 @@ "10.153.123.20" ], "related.user": [ - "CSe", "unt", + "CSe", "minim" ], "rsa.db.database": "atu", @@ -3083,6 +3206,9 @@ "rsa.network.domain": "lors7553.api.local", "rsa.network.host_dst": "reseosqu1629.mail.lan", "server.domain": "lors7553.api.local", + "server.registered_domain": "api.local", + "server.subdomain": "lors7553", + "server.top_level_domain": "local", "service.type": "cyberark", "source.ip": [ "10.153.123.20" @@ -3114,16 +3240,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.3193", "related.hosts": [ - "olu5333.www.domain" + "olu5333.www.domain", + "orumSe4514.www.corp" ], "related.ip": [ - "10.210.61.109", - "10.168.132.175" + "10.168.132.175", + "10.210.61.109" ], "related.user": [ + "iamea", "eursinto", - "giatquov", - "iamea" + "giatquov" ], "rsa.db.database": "ici", "rsa.db.index": "iquaUt", @@ -3146,6 +3273,9 @@ "rsa.network.domain": "olu5333.www.domain", "rsa.network.host_dst": "orumSe4514.www.corp", "server.domain": "olu5333.www.domain", + "server.registered_domain": "www.domain", + "server.subdomain": "olu5333", + "server.top_level_domain": "domain", "service.type": "cyberark", "source.ip": [ "10.168.132.175" @@ -3178,8 +3308,8 @@ ], "related.user": [ "dolorsi", - "lmo", - "quiac" + "quiac", + "lmo" ], "rsa.db.index": "idunt", "rsa.internal.event_desc": "usantiu", @@ -3222,9 +3352,9 @@ "10.169.123.103" ], "related.user": [ + "oeni", "xplic", - "etquasia", - "oeni" + "etquasia" ], "rsa.db.index": "hend", "rsa.internal.event_desc": "piscivel", @@ -3270,9 +3400,9 @@ "10.126.205.76" ], "related.user": [ - "rsitvol", + "Nemoenim", "iati", - "Nemoenim" + "rsitvol" ], "rsa.db.index": "eFini", "rsa.internal.event_desc": "acom", @@ -3314,16 +3444,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.3184", "related.hosts": [ - "fic5107.home" + "fic5107.home", + "mmodoco2581.www5.host" ], "related.ip": [ "10.164.66.154", "10.169.101.161" ], "related.user": [ - "eufug", "ine", - "orissu" + "orissu", + "eufug" ], "rsa.db.database": "stquidol", "rsa.db.index": "imadmini", @@ -3346,6 +3477,8 @@ "rsa.network.domain": "fic5107.home", "rsa.network.host_dst": "mmodoco2581.www5.host", "server.domain": "fic5107.home", + "server.registered_domain": "fic5107.home", + "server.top_level_domain": "home", "service.type": "cyberark", "source.ip": [ "10.169.101.161" @@ -3377,8 +3510,8 @@ "10.70.83.200" ], "related.user": [ - "riat", "metco", + "riat", "ihilmole" ], "rsa.db.index": "urQuis", @@ -3421,16 +3554,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.4887", "related.hosts": [ - "onpr47.api.home" + "onpr47.api.home", + "oremqu7663.local" ], "related.ip": [ "10.207.97.192", "10.134.55.11" ], "related.user": [ - "mmod", + "tanimid", "madminim", - "tanimid" + "mmod" ], "rsa.db.database": "tetura", "rsa.db.index": "uptasnul", @@ -3453,6 +3587,9 @@ "rsa.network.domain": "onpr47.api.home", "rsa.network.host_dst": "oremqu7663.local", "server.domain": "onpr47.api.home", + "server.registered_domain": "api.home", + "server.subdomain": "onpr47", + "server.top_level_domain": "home", "service.type": "cyberark", "source.ip": [ "10.134.55.11" @@ -3484,16 +3621,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.3601", "related.hosts": [ - "rehen4859.api.host" + "rehen4859.api.host", + "eve234.www5.local" ], "related.ip": [ "10.31.187.19", "10.52.150.104" ], "related.user": [ + "eritq", "oinBCSed", - "texplica", - "eritq" + "texplica" ], "rsa.db.database": "lit", "rsa.db.index": "ritati", @@ -3516,6 +3654,9 @@ "rsa.network.domain": "rehen4859.api.host", "rsa.network.host_dst": "eve234.www5.local", "server.domain": "rehen4859.api.host", + "server.registered_domain": "api.host", + "server.subdomain": "rehen4859", + "server.top_level_domain": "host", "service.type": "cyberark", "source.ip": [ "10.31.187.19" @@ -3547,7 +3688,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.3175", "related.hosts": [ - "eufugia4481.corp" + "eufugia4481.corp", + "fficia2304.www5.home" ], "related.ip": [ "10.41.232.147", @@ -3555,8 +3697,8 @@ ], "related.user": [ "tat", - "ntexpl", - "runtm" + "runtm", + "ntexpl" ], "rsa.db.database": "rere", "rsa.db.index": "nonn", @@ -3579,6 +3721,8 @@ "rsa.network.domain": "eufugia4481.corp", "rsa.network.host_dst": "fficia2304.www5.home", "server.domain": "eufugia4481.corp", + "server.registered_domain": "eufugia4481.corp", + "server.top_level_domain": "corp", "service.type": "cyberark", "source.ip": [ "10.61.175.217" @@ -3610,8 +3754,8 @@ "10.150.30.95" ], "related.user": [ - "atnonpr", "uisnos", + "atnonpr", "mini" ], "rsa.db.index": "smod", @@ -3655,8 +3799,8 @@ ], "related.user": [ "onse", - "CSe", - "fugitse" + "fugitse", + "CSe" ], "rsa.db.index": "Dui", "rsa.internal.event_desc": "isci", @@ -3699,8 +3843,8 @@ ], "related.user": [ "remq", - "nonn", - "rspic" + "rspic", + "nonn" ], "rsa.db.index": "nre", "rsa.internal.event_desc": "tev", @@ -3786,9 +3930,9 @@ "10.187.170.23" ], "related.user": [ - "sectetu", + "ibusBo", "enima", - "ibusBo" + "sectetu" ], "rsa.db.index": "uido", "rsa.internal.event_desc": "lab", @@ -3830,16 +3974,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.3824", "related.hosts": [ - "involu1450.www.localhost" + "involu1450.www.localhost", + "udexerc2708.api.test" ], "related.ip": [ - "10.123.62.215", - "10.250.248.215" + "10.250.248.215", + "10.123.62.215" ], "related.user": [ - "tinculpa", "quaeratv", - "aevitaed" + "aevitaed", + "tinculpa" ], "rsa.db.database": "lica", "rsa.db.index": "uisnos", @@ -3862,6 +4007,9 @@ "rsa.network.domain": "involu1450.www.localhost", "rsa.network.host_dst": "udexerc2708.api.test", "server.domain": "involu1450.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "involu1450", + "server.top_level_domain": "localhost", "service.type": "cyberark", "source.ip": [ "10.250.248.215" @@ -3892,6 +4040,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.3759", "related.hosts": [ + "temvele5776.www.test", "osa3211.www5.example" ], "related.ip": [ @@ -3899,8 +4048,8 @@ "10.147.154.118" ], "related.user": [ - "isiutali", - "tateveli" + "tateveli", + "isiutali" ], "rsa.db.database": "cin", "rsa.db.index": "onofdeF", @@ -3922,6 +4071,9 @@ "rsa.network.domain": "osa3211.www5.example", "rsa.network.host_dst": "temvele5776.www.test", "server.domain": "osa3211.www5.example", + "server.registered_domain": "www5.example", + "server.subdomain": "osa3211", + "server.top_level_domain": "example", "service.type": "cyberark", "source.ip": [ "10.147.154.118" @@ -3953,9 +4105,9 @@ "10.193.33.201" ], "related.user": [ - "ptatemU", + "uamestqu", "niamqui", - "uamestqu" + "ptatemU" ], "rsa.db.index": "doeiu", "rsa.internal.event_desc": "uasiarc", @@ -3998,8 +4150,8 @@ ], "related.user": [ "nesci", - "tetura", - "onnumqua" + "onnumqua", + "tetura" ], "rsa.db.index": "oinBCSed", "rsa.internal.event_desc": "ntor", @@ -4041,9 +4193,9 @@ "10.47.63.70" ], "related.user": [ + "tpers", "midestl", - "expl", - "tpers" + "expl" ], "rsa.db.index": "olu", "rsa.internal.event_desc": "odocons", @@ -4085,8 +4237,8 @@ "10.178.160.245" ], "related.user": [ - "fdeFinib", "olupta", + "fdeFinib", "turQuis" ], "rsa.db.index": "rsint", @@ -4129,7 +4281,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.6648", "related.hosts": [ - "tatemac5192.www5.test" + "tatemac5192.www5.test", + "teursint1321.www5.example" ], "related.ip": [ "10.89.154.115", @@ -4137,8 +4290,8 @@ ], "related.user": [ "Nem", - "emeu", - "luptat" + "luptat", + "emeu" ], "rsa.db.database": "nturmag", "rsa.db.index": "maliqua", @@ -4161,6 +4314,9 @@ "rsa.network.domain": "tatemac5192.www5.test", "rsa.network.host_dst": "teursint1321.www5.example", "server.domain": "tatemac5192.www5.test", + "server.registered_domain": "www5.test", + "server.subdomain": "tatemac5192", + "server.top_level_domain": "test", "service.type": "cyberark", "source.ip": [ "10.89.154.115" @@ -4192,7 +4348,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.3387", "related.hosts": [ - "nimve2787.mail.test" + "nimve2787.mail.test", + "boreet2051.internal.localdomain" ], "related.ip": [ "10.222.32.183", @@ -4200,8 +4357,8 @@ ], "related.user": [ "eruntmo", - "itame", - "eve" + "eve", + "itame" ], "rsa.db.database": "udexerc", "rsa.db.index": "volup", @@ -4224,6 +4381,9 @@ "rsa.network.domain": "nimve2787.mail.test", "rsa.network.host_dst": "boreet2051.internal.localdomain", "server.domain": "nimve2787.mail.test", + "server.registered_domain": "mail.test", + "server.subdomain": "nimve2787", + "server.top_level_domain": "test", "service.type": "cyberark", "source.ip": [ "10.65.207.234" @@ -4299,9 +4459,9 @@ "10.91.213.82" ], "related.user": [ - "amnis", + "uianon", "illoin", - "uianon" + "amnis" ], "rsa.db.index": "ons", "rsa.internal.event_desc": "temaccus", @@ -4343,9 +4503,9 @@ "10.204.214.98" ], "related.user": [ - "porissus", "eprehe", - "tdolo" + "tdolo", + "porissus" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", @@ -4431,6 +4591,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.801", "related.hosts": [ + "umto3015.mail.lan", "ama6820.mail.example" ], "related.ip": [ @@ -4438,9 +4599,9 @@ "10.26.137.126" ], "related.user": [ + "ati", "audant", - "taevit", - "ati" + "taevit" ], "rsa.db.database": "com", "rsa.db.index": "mveni", @@ -4463,6 +4624,9 @@ "rsa.network.domain": "ama6820.mail.example", "rsa.network.host_dst": "umto3015.mail.lan", "server.domain": "ama6820.mail.example", + "server.registered_domain": "mail.example", + "server.subdomain": "ama6820", + "server.top_level_domain": "example", "service.type": "cyberark", "source.ip": [ "10.26.33.181" @@ -4494,6 +4658,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.10", "related.hosts": [ + "etquasia1800.www.host", "olupt966.www5.corp" ], "related.ip": [ @@ -4501,9 +4666,9 @@ "10.148.195.208" ], "related.user": [ - "mpori", "quaerat", - "isi" + "isi", + "mpori" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4526,6 +4691,9 @@ "rsa.network.domain": "olupt966.www5.corp", "rsa.network.host_dst": "etquasia1800.www.host", "server.domain": "olupt966.www5.corp", + "server.registered_domain": "www5.corp", + "server.subdomain": "olupt966", + "server.top_level_domain": "corp", "service.type": "cyberark", "source.ip": [ "10.142.161.116" @@ -4557,16 +4725,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.1026", "related.hosts": [ - "lit4112.www.localhost" + "lit4112.www.localhost", + "quisquam2153.mail.host" ], "related.ip": [ - "10.10.174.253", - "10.107.24.54" + "10.107.24.54", + "10.10.174.253" ], "related.user": [ - "itinvo", "hend", - "uptasn" + "uptasn", + "itinvo" ], "rsa.db.database": "lup", "rsa.db.index": "isau", @@ -4589,6 +4758,9 @@ "rsa.network.domain": "lit4112.www.localhost", "rsa.network.host_dst": "quisquam2153.mail.host", "server.domain": "lit4112.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "lit4112", + "server.top_level_domain": "localhost", "service.type": "cyberark", "source.ip": [ "10.10.174.253" @@ -4621,9 +4793,9 @@ "10.87.92.17" ], "related.user": [ + "eeufug", "tamr", - "luptate", - "eeufug" + "luptate" ], "rsa.db.index": "oreeufug", "rsa.internal.event_desc": "ura", @@ -4669,6 +4841,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.5649", "related.hosts": [ + "secte1774.localhost", "dictasun3408.internal.invalid" ], "related.ip": [ @@ -4676,9 +4849,9 @@ "10.231.51.136" ], "related.user": [ + "asper", "accus", - "Finibus", - "asper" + "Finibus" ], "rsa.db.database": "litani", "rsa.db.index": "arch", @@ -4701,6 +4874,9 @@ "rsa.network.domain": "dictasun3408.internal.invalid", "rsa.network.host_dst": "secte1774.localhost", "server.domain": "dictasun3408.internal.invalid", + "server.registered_domain": "internal.invalid", + "server.subdomain": "dictasun3408", + "server.top_level_domain": "invalid", "service.type": "cyberark", "source.ip": [ "10.231.51.136" @@ -4732,9 +4908,9 @@ "10.51.17.32" ], "related.user": [ - "mquido", "itten", - "llum" + "llum", + "mquido" ], "rsa.db.index": "uscipit", "rsa.internal.event_desc": "llitani", @@ -4777,8 +4953,8 @@ ], "related.user": [ "cusa", - "mmodicon", - "ollita" + "ollita", + "mmodicon" ], "rsa.db.index": "ercitati", "rsa.internal.event_desc": "pteurs", @@ -4821,6 +4997,7 @@ "observer.vendor": "Cyberark", "observer.version": "1.425", "related.hosts": [ + "uido2773.www5.test", "uidol6868.mail.localdomain" ], "related.ip": [ @@ -4857,6 +5034,9 @@ "rsa.network.domain": "uidol6868.mail.localdomain", "rsa.network.host_dst": "uido2773.www5.test", "server.domain": "uidol6868.mail.localdomain", + "server.registered_domain": "mail.localdomain", + "server.subdomain": "uidol6868", + "server.top_level_domain": "localdomain", "service.type": "cyberark", "source.ip": [ "10.198.187.144" @@ -4888,9 +5068,9 @@ "10.61.140.120" ], "related.user": [ - "naaliq", + "equa", "loru", - "equa" + "naaliq" ], "rsa.db.index": "umfugiat", "rsa.internal.event_desc": "ora", @@ -4932,16 +5112,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.6988", "related.hosts": [ - "ptat4878.lan" + "ptat4878.lan", + "quame1852.www.test" ], "related.ip": [ "10.149.238.108", "10.93.24.151" ], "related.user": [ - "sequamn", + "ite", "nven", - "ite" + "sequamn" ], "rsa.db.database": "fugi", "rsa.db.index": "nesciu", @@ -4964,6 +5145,8 @@ "rsa.network.domain": "ptat4878.lan", "rsa.network.host_dst": "quame1852.www.test", "server.domain": "ptat4878.lan", + "server.registered_domain": "ptat4878.lan", + "server.top_level_domain": "lan", "service.type": "cyberark", "source.ip": [ "10.149.238.108" @@ -4995,9 +5178,9 @@ "10.101.45.225" ], "related.user": [ + "uinesc", "emi", - "cipitla", - "uinesc" + "cipitla" ], "rsa.db.index": "caecat", "rsa.internal.event_desc": "tsunt", @@ -5040,8 +5223,8 @@ "10.2.204.161" ], "related.user": [ - "ore", "eumfugia", + "ore", "quela" ], "rsa.db.index": "olup", @@ -5088,9 +5271,9 @@ "10.33.112.100" ], "related.user": [ - "enimad", "aliqu", - "ptatemse" + "ptatemse", + "enimad" ], "rsa.db.index": "Except", "rsa.internal.event_desc": "cons", @@ -5132,15 +5315,16 @@ "observer.vendor": "Cyberark", "observer.version": "1.3175", "related.hosts": [ - "isno4595.local" + "isno4595.local", + "lla5407.lan" ], "related.ip": [ "10.94.152.238", "10.151.110.250" ], "related.user": [ - "tla", "neavol", + "tla", "pidatatn" ], "rsa.db.database": "itaedict", @@ -5164,6 +5348,8 @@ "rsa.network.domain": "isno4595.local", "rsa.network.host_dst": "lla5407.lan", "server.domain": "isno4595.local", + "server.registered_domain": "isno4595.local", + "server.top_level_domain": "local", "service.type": "cyberark", "source.ip": [ "10.151.110.250" @@ -5195,16 +5381,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.4965", "related.hosts": [ - "tatemse5403.home" + "tatemse5403.home", + "iquipexe4708.api.localhost" ], "related.ip": [ "10.77.9.17", "10.146.61.5" ], "related.user": [ + "alorumwr", "umS", - "tevel", - "alorumwr" + "tevel" ], "rsa.db.database": "amremap", "rsa.db.index": "aqu", @@ -5227,6 +5414,8 @@ "rsa.network.domain": "tatemse5403.home", "rsa.network.host_dst": "iquipexe4708.api.localhost", "server.domain": "tatemse5403.home", + "server.registered_domain": "tatemse5403.home", + "server.top_level_domain": "home", "service.type": "cyberark", "source.ip": [ "10.77.9.17" @@ -5302,16 +5491,17 @@ "observer.vendor": "Cyberark", "observer.version": "1.7701", "related.hosts": [ - "reprehe650.www.corp" + "reprehe650.www.corp", + "oremip4070.www5.invalid" ], "related.ip": [ - "10.31.86.83", - "10.200.162.248" + "10.200.162.248", + "10.31.86.83" ], "related.user": [ + "doloremi", "reseo", - "onnu", - "doloremi" + "onnu" ], "rsa.db.database": "billo", "rsa.db.index": "ectetura", @@ -5334,6 +5524,9 @@ "rsa.network.domain": "reprehe650.www.corp", "rsa.network.host_dst": "oremip4070.www5.invalid", "server.domain": "reprehe650.www.corp", + "server.registered_domain": "www.corp", + "server.subdomain": "reprehe650", + "server.top_level_domain": "corp", "service.type": "cyberark", "source.ip": [ "10.200.162.248" @@ -5365,9 +5558,9 @@ "10.103.215.159" ], "related.user": [ - "atatn", "apa", - "volup" + "volup", + "atatn" ], "rsa.db.index": "atcupi", "rsa.internal.event_desc": "did", diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml index 147d33c0d465..7727cd2b81e7 100644 --- a/x-pack/filebeat/module/cylance/protect/config/input.yml +++ b/x-pack/filebeat/module/cylance/protect/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/cylance/protect/config/liblogparser.js +++ b/x-pack/filebeat/module/cylance/protect/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/cylance/protect/config/pipeline.js b/x-pack/filebeat/module/cylance/protect/config/pipeline.js index ef18f1ce577b..840ea8244f28 100644 --- a/x-pack/filebeat/module/cylance/protect/config/pipeline.js +++ b/x-pack/filebeat/module/cylance/protect/config/pipeline.js @@ -36,21 +36,21 @@ var map_getEventLegacyCategory = { "Alert": constant("1609000000"), "Device Policy Assigned": constant("1502000000"), "Device Updated": constant("1804010000"), - "DeviceEdit": dup21, + "DeviceEdit": dup20, "DeviceRemove": constant("1804020000"), "LoginSuccess": constant("1401060000"), "PolicyAdd": constant("1502030000"), - "Registration": dup22, - "SyslogSettingsSave": dup21, + "Registration": dup21, + "SyslogSettingsSave": dup20, "SystemSecurity": constant("1600000000"), - "ThreatUpdated": dup23, - "ZoneAdd": dup21, - "ZoneAddDevice": dup21, - "fullaccess": dup22, - "pechange": dup21, - "threat_changed": dup23, - "threat_found": dup23, - "threat_quarantined": dup23, + "ThreatUpdated": dup22, + "ZoneAdd": dup20, + "ZoneAddDevice": dup20, + "fullaccess": dup21, + "pechange": dup20, + "threat_changed": dup22, + "threat_found": dup22, + "threat_quarantined": dup22, }, "default": constant("1901000000"), }; @@ -61,15 +61,13 @@ var dup2 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13-> var dup3 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); -var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); +var dup4 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); -var dup5 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); +var dup5 = setc("eventcategory","1901000000"); -var dup6 = setc("eventcategory","1901000000"); +var dup6 = setc("vendor_event_cat"," AuditLog"); -var dup7 = setc("vendor_event_cat"," AuditLog"); - -var dup8 = date_time({ +var dup7 = date_time({ dest: "event_time", args: ["hdate","htime"], fmts: [ @@ -77,27 +75,27 @@ var dup8 = date_time({ ], }); -var dup9 = field("event_type"); +var dup8 = field("event_type"); -var dup10 = field("event_cat"); +var dup9 = field("event_cat"); -var dup11 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); +var dup10 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); -var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); +var dup11 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); -var dup13 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); +var dup12 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); -var dup14 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); +var dup13 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); -var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); +var dup14 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); -var dup16 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); +var dup15 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); -var dup17 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); +var dup16 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); -var dup18 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); +var dup17 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); -var dup19 = date_time({ +var dup18 = date_time({ dest: "event_time", args: ["hmonth","hdate","hhour","hmin","hsec"], fmts: [ @@ -105,49 +103,49 @@ var dup19 = date_time({ ], }); -var dup20 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); +var dup19 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); -var dup21 = constant("1701000000"); +var dup20 = constant("1701000000"); -var dup22 = constant("1804000000"); +var dup21 = constant("1804000000"); -var dup23 = constant("1003010000"); +var dup22 = constant("1003010000"); -var dup24 = linear_select([ +var dup23 = linear_select([ dup3, dup4, ]); -var dup25 = lookup({ +var dup24 = lookup({ dest: "nwparser.event_cat", map: map_getEventLegacyCategory, - key: dup9, + key: dup8, }); -var dup26 = lookup({ +var dup25 = lookup({ dest: "nwparser.event_cat_name", map: map_getEventLegacyCategoryName, - key: dup10, + key: dup9, }); -var dup27 = linear_select([ +var dup26 = linear_select([ + dup11, dup12, - dup13, ]); -var dup28 = linear_select([ +var dup27 = linear_select([ + dup14, dup15, - dup16, ]); -var dup29 = linear_select([ +var dup28 = linear_select([ + dup16, dup17, - dup18, ]); -var dup30 = linear_select([ - dup20, - dup14, +var dup29 = linear_select([ + dup19, + dup13, ]); var hdr1 = match("HEADER#0:0001", "message", "%{hday}-%{hmonth}-%{hyear->} %{hhour}:%{hmin}:%{hsec->} %{hseverity->} %{hhost->} %{hfld2->} \u003c\u003c%{fld44}>%{hfld3->} %{hdate}T%{htime}.%{hfld4->} %{hostname->} CylancePROTECT %{payload}", processor_chain([ @@ -179,568 +177,583 @@ var select1 = linear_select([ var part1 = match("MESSAGE#0:CylancePROTECT:01/2", "nwparser.p0", "%{event_type}, Message: S%{p0}"); -var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{checksum}; %{p0}"); +var part2 = match("MESSAGE#0:CylancePROTECT:01/3_0", "nwparser.p0", "ource: %{product}; SHA256: %{p0}"); -var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{checksum}; %{p0}"); +var part3 = match("MESSAGE#0:CylancePROTECT:01/3_1", "nwparser.p0", "HA256: %{p0}"); var select2 = linear_select([ part2, part3, ]); -var part4 = match("MESSAGE#0:CylancePROTECT:01/4_0", "nwparser.p0", "Category: %{category}; Reason: %{result}, User: %{p0}"); +var part4 = match("MESSAGE#0:CylancePROTECT:01/4", "nwparser.p0", "%{checksum}; %{p0}"); -var part5 = match("MESSAGE#0:CylancePROTECT:01/4_1", "nwparser.p0", "Reason: %{result}, User: %{p0}"); +var part5 = match("MESSAGE#0:CylancePROTECT:01/5_0", "nwparser.p0", "Category: %{category}; Reason: %{p0}"); + +var part6 = match("MESSAGE#0:CylancePROTECT:01/5_1", "nwparser.p0", "Reason: %{p0}"); var select3 = linear_select([ - part4, part5, + part6, ]); +var part7 = match("MESSAGE#0:CylancePROTECT:01/6", "nwparser.p0", "%{result}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); + var all1 = all_match({ processors: [ dup2, - dup24, + dup23, part1, select2, + part4, select3, - dup5, + part7, ], on_success: processor_chain([ + dup5, dup6, dup7, - dup8, + dup24, dup25, - dup26, ]), }); var msg1 = msg("CylancePROTECT:01", all1); -var part6 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); +var part8 = match("MESSAGE#1:CylancePROTECT:02/3_0", "nwparser.p0", "Device: %{node}; SHA256: %{p0}"); -var part7 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); +var part9 = match("MESSAGE#1:CylancePROTECT:02/3_1", "nwparser.p0", "Policy: %{policyname}; SHA256: %{p0}"); var select4 = linear_select([ - part6, - part7, + part8, + part9, ]); -var part8 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); +var part10 = match("MESSAGE#1:CylancePROTECT:02/4_0", "nwparser.p0", "%{checksum}; Category: %{category}, User: %{p0}"); -var part9 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); +var part11 = match("MESSAGE#1:CylancePROTECT:02/4_1", "nwparser.p0", "%{checksum}, User: %{p0}"); var select5 = linear_select([ - part8, - part9, + part10, + part11, ]); +var part12 = match("MESSAGE#1:CylancePROTECT:02/5", "nwparser.p0", ")%{mail_id->} (%{user_lname->} %{user_fname}"); + var all2 = all_match({ processors: [ dup2, - dup24, - dup11, + dup23, + dup10, select4, select5, + part12, ], on_success: processor_chain([ + dup5, dup6, dup7, - dup8, + dup24, dup25, - dup26, ]), }); var msg2 = msg("CylancePROTECT:02", all2); -var part10 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); +var part13 = match("MESSAGE#2:CylancePROTECT:03/3_0", "nwparser.p0", "Devices: %{node},%{p0}"); -var part11 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); +var part14 = match("MESSAGE#2:CylancePROTECT:03/3_1", "nwparser.p0", "Device: %{node};%{p0}"); -var part12 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); +var part15 = match("MESSAGE#2:CylancePROTECT:03/3_2", "nwparser.p0", "Policy: %{policyname},%{p0}"); var select6 = linear_select([ - part10, - part11, - part12, + part13, + part14, + part15, ]); -var part13 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); +var part16 = match("MESSAGE#2:CylancePROTECT:03/4", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all3 = all_match({ processors: [ dup2, - dup24, - dup11, + dup23, + dup10, select6, - part13, + part16, ], on_success: processor_chain([ + dup5, dup6, dup7, - dup8, + dup24, dup25, - dup26, ]), }); var msg3 = msg("CylancePROTECT:03", all3); -var part14 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); +var part17 = match("MESSAGE#3:CylancePROTECT:04/2", "nwparser.p0", "%{event_type}, Message: Zone: %{info}; Policy: %{policyname}; Value: %{fld3}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all4 = all_match({ processors: [ dup2, - dup24, - part14, + dup23, + part17, ], on_success: processor_chain([ + dup5, dup6, dup7, - dup8, + dup24, dup25, - dup26, ]), }); var msg4 = msg("CylancePROTECT:04", all4); -var part15 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); +var part18 = match("MESSAGE#4:CylancePROTECT:05/3_0", "nwparser.p0", "Policy Assigned:%{signame}; Devices: %{node->} , User: %{p0}"); -var part16 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", " Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); +var part19 = match("MESSAGE#4:CylancePROTECT:05/3_1", "nwparser.p0", "Provider: %{product}, Source IP: %{saddr}, User: %{p0}"); -var part17 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); +var part20 = match("MESSAGE#4:CylancePROTECT:05/3_2", "nwparser.p0", "%{info}, User: %{p0}"); var select7 = linear_select([ - part15, - part16, - part17, + part18, + part19, + part20, ]); +var part21 = match("MESSAGE#4:CylancePROTECT:05/4", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); + var all5 = all_match({ processors: [ dup2, - dup24, - dup11, + dup23, + dup10, select7, - dup5, + part21, ], on_success: processor_chain([ + dup5, dup6, dup7, - dup8, + dup24, dup25, - dup26, ]), }); var msg5 = msg("CylancePROTECT:05", all5); -var part18 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); +var part22 = match("MESSAGE#5:CylancePROTECT:06/2", "nwparser.p0", "%{event_type}, Message: The Device: %{node->} was auto assigned to the Zone: IP Address: %{p0}"); -var part19 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); +var part23 = match("MESSAGE#5:CylancePROTECT:06/3_0", "nwparser.p0", "Fake Devices, User: %{p0}"); -var part20 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); +var part24 = match("MESSAGE#5:CylancePROTECT:06/3_1", "nwparser.p0", "%{saddr}, User: %{p0}"); var select8 = linear_select([ - part19, - part20, + part23, + part24, ]); -var part21 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", " (%{mail_id})"); +var part25 = match("MESSAGE#5:CylancePROTECT:06/4_0", "nwparser.p0", "(%{p0}"); + +var part26 = match("MESSAGE#5:CylancePROTECT:06/4_1", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{p0}"); var select9 = linear_select([ - part21, - dup5, + part25, + part26, ]); +var part27 = match("MESSAGE#5:CylancePROTECT:06/5", "nwparser.p0", ")%{mail_id}"); + var all6 = all_match({ processors: [ dup2, - dup24, - part18, + dup23, + part22, select8, select9, + part27, ], on_success: processor_chain([ + dup5, dup6, dup7, - dup8, + dup24, dup25, - dup26, ]), }); var msg6 = msg("CylancePROTECT:06", all6); -var part22 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); +var part28 = match("MESSAGE#6:CylancePROTECT:07/1_0", "nwparser.p0", "[%{fld2}] Event Type: ExploitAttempt, Event Name: %{p0}"); -var part23 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", " %{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); +var part29 = match("MESSAGE#6:CylancePROTECT:07/1_1", "nwparser.p0", "%{fld5->} Event Type: ExploitAttempt, Event Name: %{p0}"); var select10 = linear_select([ - part22, - part23, + part28, + part29, ]); -var part24 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); +var part30 = match("MESSAGE#6:CylancePROTECT:07/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names: %{info}"); var all7 = all_match({ processors: [ dup2, select10, - part24, + part30, ], on_success: processor_chain([ - dup6, + dup5, setc("vendor_event_cat"," ExploitAttempt"), - dup8, + dup7, + dup24, dup25, - dup26, ]), }); var msg7 = msg("CylancePROTECT:07", all7); -var part25 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); +var part31 = match("MESSAGE#7:CylancePROTECT:08/1_0", "nwparser.p0", "[%{fld2}] Event Type: DeviceControl, Event Name: %{p0}"); -var part26 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", " %{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); +var part32 = match("MESSAGE#7:CylancePROTECT:08/1_1", "nwparser.p0", "%{fld5->} Event Type: DeviceControl, Event Name: %{p0}"); var select11 = linear_select([ - part25, - part26, + part31, + part32, ]); -var part27 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); +var part33 = match("MESSAGE#7:CylancePROTECT:08/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, External Device Type: %{fld3}, External Device Vendor ID: %{fld18}, External Device Name: %{fld4}, External Device Product ID: %{fld17}, External Device Serial Number: %{serial_number}, Zone Names: %{info}"); var all8 = all_match({ processors: [ dup2, select11, - part27, + part33, ], on_success: processor_chain([ - dup6, + dup5, setc("vendor_event_cat"," DeviceControl"), - dup8, + dup7, + dup24, dup25, - dup26, ]), }); var msg8 = msg("CylancePROTECT:08", all8); -var part28 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); +var part34 = match("MESSAGE#8:CylancePROTECT:09/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version->} (%{fld3}), Zone Names: %{p0}"); -var part29 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); +var part35 = match("MESSAGE#8:CylancePROTECT:09/3_0", "nwparser.p0", "%{info}, User Name: %{username}"); var select12 = linear_select([ - part29, - dup14, + part35, + dup13, ]); var all9 = all_match({ processors: [ dup2, - dup27, - part28, + dup26, + part34, select12, ], on_success: processor_chain([ - dup6, + dup5, setc("vendor_event_cat"," ScriptControl"), - dup8, + dup7, + dup24, dup25, - dup26, ]), }); var msg9 = msg("CylancePROTECT:09", all9); -var part30 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); +var part36 = match("MESSAGE#9:CylancePROTECT:10/1_0", "nwparser.p0", "[%{fld2}] Event Type: Threat, Event Name: %{p0}"); -var part31 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", " %{fld4->} Event Type: Threat, Event Name: %{p0}"); +var part37 = match("MESSAGE#9:CylancePROTECT:10/1_1", "nwparser.p0", "%{fld4->} Event Type: Threat, Event Name: %{p0}"); var select13 = linear_select([ - part30, - part31, + part36, + part37, ]); -var part32 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %{filename}, Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); +var part38 = match("MESSAGE#9:CylancePROTECT:10/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), File Name: %{filename}, Path: %{directory}, Drive Type: %{fld1}, SHA256: %{checksum}, MD5: %{fld3}, Status: %{event_state}, Cylance Score: %{reputation_num}, Found Date: %{fld5}, File Type: %{filetype}, Is Running: %{fld6}, Auto Run: %{fld7}, Detected By: %{fld8}, Zone Names: %{info}, Is Malware: %{fld10}, Is Unique To Cylance: %{fld11}, Threat Classification: %{sigtype}"); var all10 = all_match({ processors: [ dup2, select13, - part32, + part38, ], on_success: processor_chain([ - dup6, + dup5, setc("vendor_event_cat"," Threat"), - dup8, + dup7, + dup24, dup25, - dup26, ]), }); var msg10 = msg("CylancePROTECT:10", all10); -var part33 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); +var part39 = match("MESSAGE#10:CylancePROTECT:11/1_0", "nwparser.p0", "[%{fld2}] Event Type: AppControl, Event Name: %{p0}"); -var part34 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", " %{fld5->} Event Type: AppControl, Event Name: %{p0}"); +var part40 = match("MESSAGE#10:CylancePROTECT:11/1_1", "nwparser.p0", "%{fld5->} Event Type: AppControl, Event Name: %{p0}"); var select14 = linear_select([ - part33, - part34, + part39, + part40, ]); -var part35 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); +var part41 = match("MESSAGE#10:CylancePROTECT:11/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, IP Address: (%{saddr}), Action: %{action}, Action Type: %{fld3}, File Path: %{directory}, SHA256: %{checksum}, Zone Names: %{info}"); var all11 = all_match({ processors: [ dup2, select14, - part35, + part41, ], on_success: processor_chain([ - dup6, + dup5, setc("vendor_event_cat"," AppControl"), + dup24, dup25, - dup26, ]), }); var msg11 = msg("CylancePROTECT:11", all11); -var part36 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); +var part42 = match("MESSAGE#11:CylancePROTECT:15/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Threat Class: %{sigtype}, Threat Subclass: %{fld7}, SHA256: %{checksum}, MD5: %{fld8}"); var all12 = all_match({ processors: [ dup2, - dup28, - part36, + dup27, + part42, ], on_success: processor_chain([ - dup6, - dup8, + dup5, + dup7, + dup24, dup25, - dup26, ]), }); var msg12 = msg("CylancePROTECT:15", all12); -var part37 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); +var part43 = match("MESSAGE#12:CylancePROTECT:14/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Names: (%{node}), Policy Name: %{policyname}, User: %{user_fname->} %{user_lname->} (%{mail_id})"); var all13 = all_match({ processors: [ dup2, - dup28, - part37, + dup27, + part43, ], on_success: processor_chain([ - dup6, - dup8, + dup5, + dup7, + dup24, dup25, - dup26, ]), }); var msg13 = msg("CylancePROTECT:14", all13); -var part38 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); +var part44 = match("MESSAGE#13:CylancePROTECT:13/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld6}, IP Address: (%{saddr}, %{fld15}), MAC Address: (%{macaddr}, %{fld16}), Logged On Users: (%{username}), OS: %{p0}"); var all14 = all_match({ processors: [ dup2, + dup27, + part44, dup28, - part38, - dup29, ], on_success: processor_chain([ - dup6, - dup8, + dup5, + dup7, + dup24, dup25, - dup26, ]), }); var msg14 = msg("CylancePROTECT:13", all14); -var part39 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); +var part45 = match("MESSAGE#14:CylancePROTECT:16/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, Device Name: %{node}, Agent Version: %{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS: %{p0}"); var all15 = all_match({ processors: [ dup2, + dup27, + part45, dup28, - part39, - dup29, ], on_success: processor_chain([ - dup6, - dup8, + dup5, + dup7, + dup24, dup25, - dup26, ]), }); var msg15 = msg("CylancePROTECT:16", all15); -var part40 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); +var part46 = match("MESSAGE#15:CylancePROTECT:25/2", "nwparser.p0", "%{event_type}, Device Name: %{node}, File Path: %{directory}, Interpreter: %{application}, Interpreter Version: %{version}, Zone Names: %{info}, User Name: %{username}"); var all16 = all_match({ processors: [ dup2, - dup27, - part40, + dup26, + part46, ], on_success: processor_chain([ - dup6, - dup8, + dup5, + dup7, + dup24, dup25, - dup26, ]), }); var msg16 = msg("CylancePROTECT:25", all16); -var part41 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); +var part47 = match("MESSAGE#16:CylancePROTECT:12/2", "nwparser.p0", "%{vendor_event_cat}, Event Name: %{event_type}, %{p0}"); -var part42 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); +var part48 = match("MESSAGE#16:CylancePROTECT:12/3_0", "nwparser.p0", "Device Name: %{node}, Zone Names:%{info}"); -var part43 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); +var part49 = match("MESSAGE#16:CylancePROTECT:12/3_1", "nwparser.p0", "Device Name: %{node}"); -var part44 = match("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "%{fld1}"); +var part50 = match_copy("MESSAGE#16:CylancePROTECT:12/3_2", "nwparser.p0", "fld1"); var select15 = linear_select([ - part42, - part43, - part44, + part48, + part49, + part50, ]); var all17 = all_match({ processors: [ dup2, - dup28, - part41, + dup27, + part47, select15, ], on_success: processor_chain([ - dup6, - dup8, + dup5, + dup7, + dup24, dup25, - dup26, ]), }); var msg17 = msg("CylancePROTECT:12", all17); -var part45 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%{filename}, Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); +var part51 = match("MESSAGE#17:CylancePROTECT:17/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, File Path:%{filename}, Interpreter:%{application}, Interpreter Version:%{version}, Zone Names:%{info}, User Name: %{p0}"); -var part46 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); +var part52 = match("MESSAGE#17:CylancePROTECT:17/1_0", "nwparser.p0", "%{username}, Device Id: %{fld3}, Policy Name: %{policyname}"); -var part47 = match("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "%{username}"); +var part53 = match_copy("MESSAGE#17:CylancePROTECT:17/1_1", "nwparser.p0", "username"); var select16 = linear_select([ - part46, - part47, + part52, + part53, ]); var all18 = all_match({ processors: [ - part45, + part51, select16, ], on_success: processor_chain([ - dup6, - dup19, + dup5, + dup18, + dup24, dup25, - dup26, ]), }); var msg18 = msg("CylancePROTECT:17", all18); -var part48 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ - dup6, - dup19, +var part54 = match("MESSAGE#18:CylancePROTECT:18", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, Agent Version:%{fld1}, IP Address: (%{saddr}), MAC Address: (%{macaddr}), Logged On Users: (%{username}), OS:%{os}, Zone Names:%{info}", processor_chain([ + dup5, + dup18, + dup24, dup25, - dup26, ])); -var msg19 = msg("CylancePROTECT:18", part48); +var msg19 = msg("CylancePROTECT:18", part54); -var part49 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); +var part55 = match("MESSAGE#19:CylancePROTECT:19/0", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, External Device Type:%{device}, External Device Vendor ID:%{fld2}, External Device Name:%{fld3}, External Device Product ID:%{fld4}, External Device Serial Number:%{serial_number}, Zone Names:%{p0}"); -var part50 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname->} "); +var part56 = match("MESSAGE#19:CylancePROTECT:19/1_0", "nwparser.p0", "%{info}, Device Id: %{fld5}, Policy Name: %{policyname}"); var select17 = linear_select([ - part50, - dup14, + part56, + dup13, ]); var all19 = all_match({ processors: [ - part49, + part55, select17, ], on_success: processor_chain([ - dup6, - dup19, + dup5, + dup18, + dup24, dup25, - dup26, ]), }); var msg20 = msg("CylancePROTECT:19", all19); -var part51 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); +var part57 = match("MESSAGE#20:CylancePROTECT:20/0", "nwparser.payload", "Event Name:%{event_type}, Message: %{p0}"); -var part52 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); +var part58 = match("MESSAGE#20:CylancePROTECT:20/1_0", "nwparser.p0", "The Device%{p0}"); -var part53 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); +var part59 = match("MESSAGE#20:CylancePROTECT:20/1_1", "nwparser.p0", "Device%{p0}"); var select18 = linear_select([ - part52, - part53, + part58, + part59, ]); -var part54 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned %{p0}"); +var part60 = match("MESSAGE#20:CylancePROTECT:20/2", "nwparser.p0", ":%{node}was auto assigned to%{p0}"); -var part55 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", "to the%{p0}"); +var part61 = match("MESSAGE#20:CylancePROTECT:20/3_0", "nwparser.p0", " the%{p0}"); -var part56 = match("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", " to%{p0}"); +var part62 = match_copy("MESSAGE#20:CylancePROTECT:20/3_1", "nwparser.p0", "p0"); var select19 = linear_select([ - part55, - part56, + part61, + part62, ]); -var part57 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); +var part63 = match("MESSAGE#20:CylancePROTECT:20/4", "nwparser.p0", "%{}Zone:%{zone}, User:%{user_fname}"); var all20 = all_match({ processors: [ - part51, + part57, select18, - part54, + part60, select19, - part57, + part63, ], on_success: processor_chain([ - dup6, - dup19, + dup5, + dup18, + dup24, dup25, - dup26, ]), }); var msg21 = msg("CylancePROTECT:20", all20); -var part58 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%{filename}, Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ - dup6, - dup19, +var part64 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Name:%{event_type}, Device Name:%{node}, IP Address: (%{saddr}), File Name:%{filename}, Path:%{directory}, Drive Type:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}, Status:%{event_state}, Cylance Score:%{fld4}, Found Date:%{fld51}, File Type:%{fld6}, Is Running:%{fld7}, Auto Run:%{fld8}, Detected By:%{fld9}, Zone Names: (%{info}), Is Malware:%{fld10}, Is Unique To Cylance:%{fld11}, Threat Classification:%{sigtype}", processor_chain([ + dup5, + dup18, + dup24, dup25, - dup26, date_time({ dest: "effective_time", args: ["fld51"], @@ -750,148 +763,148 @@ var part58 = match("MESSAGE#21:CylancePROTECT:21", "nwparser.payload", "Event Na }), ])); -var msg22 = msg("CylancePROTECT:21", part58); +var msg22 = msg("CylancePROTECT:21", part64); -var part59 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); +var part65 = match("MESSAGE#22:CylancePROTECT:22/0", "nwparser.payload", "Event Name:%{p0}"); -var part60 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); +var part66 = match("MESSAGE#22:CylancePROTECT:22/1_0", "nwparser.p0", " %{event_type}, Device Name: %{device}, IP Address: (%{saddr}), Action: %{action}, Process ID: %{process_id}, Process Name: %{process}, User Name: %{username}, Violation Type: %{signame}, Zone Names:%{p0}"); -var part61 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); +var part67 = match("MESSAGE#22:CylancePROTECT:22/1_1", "nwparser.p0", "%{event_type}, Device Name:%{node}, Zone Names:%{p0}"); var select20 = linear_select([ - part60, - part61, + part66, + part67, ]); var all21 = all_match({ processors: [ - part59, + part65, select20, - dup30, + dup29, ], on_success: processor_chain([ - dup6, - dup19, + dup5, + dup18, + dup24, dup25, - dup26, ]), }); var msg23 = msg("CylancePROTECT:22", all21); -var part62 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ - dup6, - dup19, +var part68 = match("MESSAGE#23:CylancePROTECT:23", "nwparser.payload", "Event Name:%{event_type}, Threat Class:%{sigtype}, Threat Subclass:%{fld1}, SHA256:%{checksum}, MD5:%{fld3}", processor_chain([ + dup5, + dup18, + dup24, dup25, - dup26, ])); -var msg24 = msg("CylancePROTECT:23", part62); +var msg24 = msg("CylancePROTECT:23", part68); -var part63 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{p0}"); +var part69 = match("MESSAGE#24:CylancePROTECT:24/0", "nwparser.payload", "Event Name:%{event_type}, Message: Provider:%{fld3}, Source IP:%{saddr}, User: %{user_fname->} %{user_lname->} (%{mail_id})%{p0}"); -var part64 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "%{mail_id})#015"); +var part70 = match("MESSAGE#24:CylancePROTECT:24/1_0", "nwparser.p0", "#015%{}"); -var part65 = match("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", "%{mail_id})"); +var part71 = match_copy("MESSAGE#24:CylancePROTECT:24/1_1", "nwparser.p0", ""); var select21 = linear_select([ - part64, - part65, + part70, + part71, ]); var all22 = all_match({ processors: [ - part63, + part69, select21, ], on_success: processor_chain([ - dup6, - dup19, + dup5, + dup18, + dup24, dup25, - dup26, ]), }); var msg25 = msg("CylancePROTECT:24", all22); -var part66 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); +var part72 = match("MESSAGE#25:CylancePROTECT:26/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Policy Changed: %{fld4->} to '%{policyname}', User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); var all23 = all_match({ processors: [ - part66, - dup30, + part72, + dup29, ], on_success: processor_chain([ - dup6, - dup19, + dup5, + dup18, + dup24, dup25, - dup26, ]), }); var msg26 = msg("CylancePROTECT:26", all23); -var part67 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); +var part73 = match("MESSAGE#26:CylancePROTECT:27/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device}; Zones Removed: %{p0}"); -var part68 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); +var part74 = match("MESSAGE#26:CylancePROTECT:27/1_0", "nwparser.p0", "%{fld4}; Zones Added: %{fld5},%{p0}"); -var part69 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); +var part75 = match("MESSAGE#26:CylancePROTECT:27/1_1", "nwparser.p0", "%{fld4},%{p0}"); var select22 = linear_select([ - part68, - part69, + part74, + part75, ]); -var part70 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); +var part76 = match("MESSAGE#26:CylancePROTECT:27/2", "nwparser.p0", "%{}User: %{user_fname->} %{user_lname->} (%{mail_id}), Zone Names:%{p0}"); -var part71 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); +var part77 = match("MESSAGE#26:CylancePROTECT:27/3_0", "nwparser.p0", "%{info->} Device Id: %{fld3}"); var select23 = linear_select([ - part71, - dup14, + part77, + dup13, ]); var all24 = all_match({ processors: [ - part67, + part73, select22, - part70, + part76, select23, ], on_success: processor_chain([ - dup6, - dup19, + dup5, + dup18, + dup24, dup25, - dup26, ]), }); var msg27 = msg("CylancePROTECT:27", all24); -var part72 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); +var part78 = match("MESSAGE#27:CylancePROTECT:28/0", "nwparser.payload", "Event Name:%{event_type}, Device Message: Device: %{device->} %{p0}"); -var part73 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); +var part79 = match("MESSAGE#27:CylancePROTECT:28/1_0", "nwparser.p0", "Agent Self Protection Level Changed: '%{change_old}' to '%{change_new}', User: %{p0}"); -var part74 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{user_fname->} %{user_lname->} (%{mail_id}),%{p0}"); +var part80 = match("MESSAGE#27:CylancePROTECT:28/1_1", "nwparser.p0", "User: %{p0}"); var select24 = linear_select([ - part73, - part74, + part79, + part80, ]); -var part75 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "%{}Zone Names: %{info->} Device Id: %{fld3}"); +var part81 = match("MESSAGE#27:CylancePROTECT:28/2", "nwparser.p0", "),%{mail_id->} (%{user_lname->} %{user_fname->} Zone Names: %{info->} Device Id: %{fld3}"); var all25 = all_match({ processors: [ - part72, + part78, select24, - part75, + part81, ], on_success: processor_chain([ - dup6, - dup19, + dup5, + dup18, + dup24, dup25, - dup26, ]), }); @@ -935,31 +948,29 @@ var chain1 = processor_chain([ }), ]); -var part76 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); - -var part77 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); +var part82 = match("MESSAGE#0:CylancePROTECT:01/0", "nwparser.payload", "%{fld13->} %{fld14->} %{p0}"); -var part78 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", " %{fld5->} Event Type: AuditLog, Event Name: %{p0}"); +var part83 = match("MESSAGE#0:CylancePROTECT:01/1_0", "nwparser.p0", "[%{fld2}] Event Type: AuditLog, Event Name: %{p0}"); -var part79 = match("MESSAGE#0:CylancePROTECT:01/5", "nwparser.p0", "%{user_fname->} %{user_lname->} (%{mail_id})"); +var part84 = match("MESSAGE#0:CylancePROTECT:01/1_1", "nwparser.p0", "%{fld5->} Event Type: AuditLog, Event Name: %{p0}"); -var part80 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); +var part85 = match("MESSAGE#1:CylancePROTECT:02/2", "nwparser.p0", "%{event_type}, Message: %{p0}"); -var part81 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); +var part86 = match("MESSAGE#8:CylancePROTECT:09/1_0", "nwparser.p0", "[%{fld2}] Event Type: ScriptControl, Event Name: %{p0}"); -var part82 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", " %{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); +var part87 = match("MESSAGE#8:CylancePROTECT:09/1_1", "nwparser.p0", "%{fld5->} Event Type: ScriptControl, Event Name: %{p0}"); -var part83 = match("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "%{info}"); +var part88 = match_copy("MESSAGE#8:CylancePROTECT:09/3_1", "nwparser.p0", "info"); -var part84 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); +var part89 = match("MESSAGE#11:CylancePROTECT:15/1_0", "nwparser.p0", "[%{fld2}] Event Type: %{p0}"); -var part85 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", " %{fld5->} Event Type: %{p0}"); +var part90 = match("MESSAGE#11:CylancePROTECT:15/1_1", "nwparser.p0", "%{fld5->} Event Type: %{p0}"); -var part86 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); +var part91 = match("MESSAGE#13:CylancePROTECT:13/3_0", "nwparser.p0", "%{os->} Zone Names: %{info}"); -var part87 = match("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "%{os}"); +var part92 = match_copy("MESSAGE#13:CylancePROTECT:13/3_1", "nwparser.p0", "os"); -var part88 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); +var part93 = match("MESSAGE#22:CylancePROTECT:22/2_0", "nwparser.p0", "%{info}, Device Id: %{fld3}"); var select26 = linear_select([ dup3, @@ -967,21 +978,21 @@ var select26 = linear_select([ ]); var select27 = linear_select([ + dup11, dup12, - dup13, ]); var select28 = linear_select([ + dup14, dup15, - dup16, ]); var select29 = linear_select([ + dup16, dup17, - dup18, ]); var select30 = linear_select([ - dup20, - dup14, + dup19, + dup13, ]); diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml index 72aa57c217a7..a3b09859d585 100644 --- a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cylance/protect/manifest.yml b/x-pack/filebeat/module/cylance/protect/manifest.yml index d0f61417f4bd..58c1bc077be0 100644 --- a/x-pack/filebeat/module/cylance/protect/manifest.yml +++ b/x-pack/filebeat/module/cylance/protect/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9508 + default: 9529 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log b/x-pack/filebeat/module/cylance/protect/test/generated.log index 85f71671cc92..2649c0b66f4e 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log @@ -1,100 +1,100 @@ 29-January-2016 06:09:59 high boNemoe4402.www.invalid dolore <abo 2016-1-29T6:09:59.squira nostrud4819.mail.test CylancePROTECT mqui nci [billoi] Event Type: AuditLog, Event Name: ZoneAdd, Message: Policy Assigned:orev; Devices: pisciv , User: uii umexe (estlabo) 2016-2-12T1:12:33.olupt volup208.invalid CylancePROTECT eosquir orsi [nulapari] Event Type: AuditLog, Event Name: LoginSuccess, Message: Devices: vol, User: luptat isiutal (moenimi) -26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu +26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: ),lupt (tia oloremqu Zone Names: temvel Device Id: iatu 2016-3-12T3:17:42.ceroinBC ratvolup497.www.corp CylancePROTECT ionofde con [uia] Event Type: AuditLog, Event Name: SystemSecurity, Message: ommodic, User: mipsu consec (taliquip) 2016-3-26T10:20:16.gelit tatno5625.api.local CylancePROTECT taev roidents [oluptas] Event Type: AuditLog, Event Name: Alert, Message: Source: taliqu; SHA256: ommod; Reason: failure, User: tur aperi (iveli) uatDuis 2016-4-9T5:22:51.ude maveniam1399.mail.lan CylancePROTECT siutaliq exercit [tempor] Event Type: omnis, Event Name: SystemSecurity, Device Name: eip, Agent Version: lupta, IP Address: (10.124.61.119), MAC Address: (01:00:5e:dc:bb:8b), Logged On Users: (occ), OS: ect Zone Names: reetdolo -24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq -ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos) -2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan -2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc -20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu -2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute -July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc -olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend -2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd -ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib -13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae -Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit -12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat -ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi -Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam -24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex -8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum -Dec 23 12:09:07 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur -6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame -20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame -2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi) -uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte) -2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin) -2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat) -uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu -Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015 -30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites) -14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq -iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom -2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte -2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons) -11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid -25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo -8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni -Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu -September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute -2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea -4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide -nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita -Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema -16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm -1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau -hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai -ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici -Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud -Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat -bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad) -Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse -Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl -2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever) -quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum -2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) -hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido -2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad) -2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun -2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui -3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati -17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu) -edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine -15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo -29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia -2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug) -2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum -2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex -25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt -9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat -inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo -2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica) -21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin -Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme -19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate -inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio -Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem -odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv -Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum -1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod -15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc) -isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae -2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam) -2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu) -11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu) -Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita -10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon -24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam -Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi -21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil -5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015 -19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did) -Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod -Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit -rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta -15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam -ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis) -14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int) +24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: ),urerep (aquaeab liqu Zone Names: lorem Device Id: emq +ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: )dmi (olab mquisnos +22-May-2016 14:30:33 medium tvol457.internal.local inim <roinBCSe 2016-5-22T2:30:33.onse tae1382.mail.localhost CylancePROTECT oluptate ofdeF tion Event Type: orsitame, Event Name: threat_quarantined, Threat Class: lit, Threat Subclass: iam, SHA256: qua, MD5: umdo +2016-6-5T9:33:08.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan +olo 2016-6-20T4:35:42.uaera sitas4259.mail.corp CylancePROTECT atquovo iumto aboreetd Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Zone: dun; Policy: enim; Value: saute, User: vel quu (undeo) +2016-7-4T11:38:16.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc +cup 2016-7-18T6:40:50.boNemoen uid7309.api.domain CylancePROTECT uradi aborumSe luptat Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: antiumto, User: strude ctetura (usmod) +2-Aug-2016 1:43:25 high fugit7668.www5.invalid lupt <qua 2T01:43:25.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu +2016-8-16T8:45:59.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute +eomnisis 2016-8-30T3:48:33.mqui civeli370.www5.local CylancePROTECT sunt stl tdolorem Event Type: AuditLog, Event Name: Alert, Message: The Device: picia was auto assigned to the Zone: IP Address: Fake Devices, User: mUtenima emaperi ()tame +September 2016/09/13 22:51:07 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc +olupt 2016-9-28T5:53:42.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend +2016-10-12T12:56:16.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd +ipitla 2016-10-26T7:58:50.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib +10-Nov-2016 3:01:24 low eav3687.internal.local siar <iamquis 10T03:01:24.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae +Nov 24 10:03:59 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit +8-December-2016 17:06:33 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-12-8T5:06:33.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat +ihilmole 2016-12-23T12:09:07.eriamea amre146.mail.host CylancePROTECT pisciv iquidex radipisc Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Policy: nti; SHA256: abi; Category: sectetur, User: )uioffi (oru temqu +ommodico 2017-1-6T7:11:41.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi +Jan 20 2:14:16 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam +3-Feb-2017 9:16:50 very-high reme622.mail.example isnisiu <tsu 3T21:16:50.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: ),idata (rumwritt magnid Zone Names: enderit Device Id: untex +paquioff 2017-2-18T4:19:24.mquisnos maven3758.www.invalid CylancePROTECT labor didunt uptatema Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: udan, IP Address: (10.74.104.215), Action: cancel, Process ID: 7410, Process Name: mveleu.exe, User Name: nofdeFin, Violation Type: sequam, Zone Names: temvel +4-Mar-2017 11:21:59 medium tvolu3997.mail.home eiu <autfu 4T11:21:59.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum +Mar 18 6:24:33 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur +2-April-2017 01:27:07 very-high orem6702.invalid tev <ntocca 2017-4-2T1:27:07.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame +16-Apr-2017 8:29:41 high tobea2364.internal.localhost itinvol <fugiatn 16T08:29:41.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame +2017-4-30T3:32:16.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi) +uamni 2017-5-14T10:34:50.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte) +2017-5-29T5:37:24.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser ()oin +12-June-2017 12:39:58 medium meius3932.internal.example ccaeca <uptate 2017-6-12T12:39:58.amc cusant1701.api.localdomain CylancePROTECT siutaliq dutp psaquaea Event Type: taevita, Event Name: DeviceRemove, Device Name: siut, Agent Version: tconsect, IP Address: (10.190.175.158), MAC Address: (01:00:5e:45:8b:97), Logged On Users: (ditemp), OS: edqui +26-June-2017 19:42:33 very-high rnatu2805.www.home enderi <odoconse 2017-6-26T7:42:33.quamqua eacommod1930.internal.lan CylancePROTECT tpersp stla uptatema Event Type: AuditLog, Event Name: fullaccess, Message: Device: uradi; SHA256: tot; Category: llamco, User: )nea (psum tasnulap +2017-7-11T2:45:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: )ccaeca (niamq lapariat +uat 2017-7-25T9:47:41.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu +Aug 8 4:50:15 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015 +2017-8-22T11:52:50.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel nof Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: Fake Devices, User: ()xce +6-September-2017 06:55:24 high isiu5733.api.domain etdolor <xeaco 2017-9-6T6:55:24.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites) +eri 2017-9-20T1:57:58.quunt olori416.api.test CylancePROTECT elit cidunt plica Event Type: ExploitAttempt, Event Name: Alert, Device Name: exeaco, IP Address: (10.31.190.145), Action: cancel, Process ID: 5530, Process Name: accusant.exe, User Name: onse, Violation Type: admin, Zone Names: stenatu +4-Oct-2017 9:00:32 high nvol6269.internal.local tla <nimid 4T21:00:32.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq +19-October-2017 04:03:07 medium toccaec7645.www5.home psaqua <itationu 2017-10-19T4:03:07.proident maliquam2147.internal.home CylancePROTECT lores ritati orisni Event Type: DeviceControl, Event Name: PolicyAdd, Device Name: estl, External Device Type: sitam, External Device Vendor ID: orem, External Device Name: rcit, External Device Product ID: llamco, External Device Serial Number: atu, Zone Names: untincul +iuntNe 2017-11-2T11:05:41.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom +2017-11-16T6:08:15.uov itlab6956.mail.local CylancePROTECT loremqu tetur amvo Event Type: siuta, Event Name: threat_changed, Device Name: ommodo, Agent Version: uptat, IP Address: (10.105.46.101, tatione), MAC Address: (01:00:5e:de:32:2c, ori), Logged On Users: (tconsect), OS: rum +2017-12-1T1:10:49.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte +ria 2017-12-15T8:13:24.atDu nsec923.internal.local CylancePROTECT agnaaliq tlaboree norumet Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: mod, IP Address: (10.28.120.149), Action: deny, Process ID: 3916, Process Name: tinvolup.exe, User Name: tsed, Violation Type: inv, Zone Names: rroq +2017-12-29T3:15:58.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: )dol (sciun metcons +12-January-2018 22:18:32 high asnu3806.api.lan tamet <ationul 2018/01/12T22:18:32.mquisn queips4947.mail.example CylancePROTECT molestia quir eavolup Event Type: AppControl, Event Name: Registration, Device Name: labore, IP Address: (10.165.16.231), Action: accept, Action Type: uto, File Path: iuntNequ, SHA256: esseq, Zone Names: aincidun +27-January-2018 05:21:06 low oloreseo5039.test derit <dolor 2018-1-27T5:21:06.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid +ree 2018-2-10T12:23:41.saquaea ation6657.www.home CylancePROTECT iatqu lorsi repreh Event Type: AuditLog, Event Name: Registration, Message: sitamet, User: utlabo tetur (tionula) +24-Feb-2018 7:26:15 very-high idolor3916.www5.home tas <tasun 24T19:26:15.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo +llam 2018-3-11T2:28:49.cti aparia1179.www.localdomain CylancePROTECT rever ore offici Event Type: AuditLog, Event Name: DeviceEdit, Message: Devices: metco, User: acom ceroinB (nim) +25-March-2018 09:31:24 medium taliqui5348.mail.localdomain loremag <iatqu 2018-3-25T9:31:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni +liquid 2018-4-8T4:33:58.enim Finibus1411.www5.corp CylancePROTECT xea taed umdolo Event Type: AuditLog, Event Name: fullaccess, Message: Policy Assigned:rroqu; Devices: dquiaco , User: nibus vitaed (ser) +Apr 22 11:36:32 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu +May 2018/05/07 06:39:06 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute +2018-5-21T1:41:41.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea +4-Jun-2018 8:44:15 high uptatem4483.localhost inrepr <umdolors 4T20:44:15.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide +riosa 2018-6-19T3:46:49.tNe pisc3553.internal.home CylancePROTECT rautod olest eataev Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: ritati, IP Address: (10.43.110.203), Action: allow, Process ID: 1359, Process Name: nim.exe, User Name: ame, Violation Type: amvolu, Zone Names: mip +3-July-2018 10:49:23 medium iame4937.local tiumd <mexer 2018/07/03T10:49:23.estla uipexe7153.api.corp CylancePROTECT saqu remips illoi Event Type: AppControl, Event Name: ZoneAdd, Device Name: abori, IP Address: (10.127.20.244), Action: block, Action Type: uelauda, File Path: ema, SHA256: odi, Zone Names: ptatems +nde 2018-7-17T5:51:58.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita +Aug 1 12:54:32 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema +15-August-2018 07:57:06 low tperspic7591.www.lan ict <tem 2018-8-15T7:57:06.mestq ura675.mail.localdomain CylancePROTECT eleumiu uei Nequepo Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: seddo, External Device Type: uam, External Device Vendor ID: orumSec, External Device Name: nisiuta, External Device Product ID: stiaecon, External Device Serial Number: dol, Zone Names: sumquiad +29-August-2018 14:59:40 high oeni179.api.localhost gna <lumqu 2018-8-29T2:59:40.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm +12-September-2018 22:02:15 medium mnihilm1903.internal.host ditautf <ori 2018-9-12T10:02:15.uamqu olori4584.mail.domain CylancePROTECT sunt autfugit emUte Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: nturmag; Policy: tura; Value: osquirat, User: equat aliquid (usantiu) +27-Sep-2018 5:04:49 very-high trudex4443.www5.localhost lor <eseruntm 27T05:04:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau +hend 2018-10-11T12:07:23.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai +ostr 2018-10-25T7:09:57.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici +Nov 9 2:12:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud +Nov 23 9:15:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat +bore 2018-12-7T4:17:40.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad) +Dec 21 11:20:14 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse +Jan 5 6:22:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: ),nvo (iamqui tassita Zone Names: colabori Device Id: imidestl +2019-1-19T1:25:23.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: ()ever +quiav 2019-2-2T8:27:57.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum +Feb 17 3:30:32 nvolupta126.www.domain CylancePROTECT Event Type:quas, Event Name:threat_found, Device Name:orp, File Path:ender, Interpreter:dico, Interpreter Version:1.5848, Zone Names:Utenima, User Name: olore +3-March-2019 10:33:06 medium radip4253.www.corp gna <quamnih 2019-3-3T10:33:06.asnulap yCiceroi5998.mail.home CylancePROTECT inc tect uiad Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: roinBCSe, External Device Type: maperiam, External Device Vendor ID: mSec, External Device Name: smoditem, External Device Product ID: tatisetq, External Device Serial Number: uidolo, Zone Names: umdolore +2019-3-17T5:35:40.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev) +iosamni 2019-4-1T12:38:14.idu sis3986.internal.lan CylancePROTECT tsedquia its umdolor Event Type: isiu, Event Name: Device Policy Assigned, Device Name: mmodi, Agent Version: snostr, IP Address: (10.232.90.3), MAC Address: (01:00:5e:e6:a6:a2), Logged On Users: (midestl), OS: nci +hilmole 2019-4-15T7:40:49.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido +2019-4-29T2:43:23.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad) +2019-5-13T9:45:57.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun +onorumet 2019-5-28T4:48:31.ptatema eavolup6981.www5.example CylancePROTECT psaquaea rchit psumq Event Type: DeviceControl, Event Name: threat_changed, Device Name: lum, External Device Type: xerc, External Device Vendor ID: ctetura, External Device Name: msequ, External Device Product ID: nvol, External Device Serial Number: enimadmi, Zone Names: tateveli +2019-6-11T11:51:06.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui +25-June-2019 18:53:40 high tnulapa7580.www.domain adeser <doeiu 2019-6-25T6:53:40.onsectet dentsunt6061.www5.home CylancePROTECT tobeata imven onnumqua Event Type: quioff, Event Name: SyslogSettingsSave, Device Names: (upt), Policy Name: atatnonp, User: nvol dtemp (mquis) +10-July-2019 01:56:14 medium midest133.www5.example tocca <ntor 2019-7-10T1:56:14.oinBCSed oid218.api.invalid CylancePROTECT roquisqu ariat midestl Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: mcorpori, User: mqu pteursi (orsitam) +totamre 2019-7-24T8:58:48.rpo velites4233.internal.home CylancePROTECT uisaute uun end Event Type: odocons, Event Name: Alert, Threat Class: asp, Threat Subclass: dexercit, SHA256: amn, MD5: itessequ +7-August-2019 16:01:23 low sumd3215.test aUtenima <taevi 2019-8-7T4:01:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati +21-Aug-2019 11:03:57 high oeiusmo5035.api.local tconse <tseddoei 21T23:03:57.teursint etMa3452.www5.test CylancePROTECT Event Name:threat_found, Device Name:nturmag, File Path:uredol, Interpreter:maliqua, Interpreter Version:1.4613, Zone Names:mquia, User Name: omnisi, Device Id: etMalor, Policy Name: mco +5-September-2019 06:06:31 high taspe1205.mail.domain cti <nse 2019-9-5T6:06:31.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu) +edqu 2019-9-19T1:09:05.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine +3-Oct-2019 8:11:40 low ditaut33.mail.localhost iumdo <mea 3T20:11:40.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo +18-October-2019 03:14:14 high porissus1225.www5.corp ddoe <ured 2019-10-18T3:14:14.ctetu oreeu6419.www.corp CylancePROTECT cul iinea snos Event Type: AuditLog, Event Name: PolicyAdd, Message: Device: moenimip; User: uames tium (ianonn) +2019-11-1T10:16:48.tiset sci333.mail.home CylancePROTECT doloreeu lors eumfu Event Type: docons, Event Name: PolicyAdd, Device Names: (eumf), Policy Name: roquisq, User: uasi maveniam (uis) +imi 2019-11-15T5:19:22.animi edutpers6452.api.host CylancePROTECT ntiumt sumquia vento Event Type: sitv, Event Name: LoginSuccess, Threat Class: com, Threat Subclass: rep, SHA256: mveni, MD5: aquae +30-November-2019 00:21:57 low iaturE3103.api.domain aturve <iatu 2019/11/30T00:21:57.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia +2019-12-14T7:24:31.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug) diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index 4f73edba010c..f7fa14d1d715 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json @@ -73,7 +73,7 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: lupt tia (oloremqu), Zone Names: temvel Device Id: iatu", + "event.original": "26-Feb-2016 8:15:08 very-high anonnu410.internal.home aqu <squame 26T20:15:08.ntex eius6159.www5.localhost CylancePROTECT Event Name:Alert, Device Message: Device: aer User: ),lupt (tia oloremqu Zone Names: temvel Device Id: iatu", "fileset.name": "protect", "host.name": "eius6159.www5.localhost", "input.type": "log", @@ -85,14 +85,14 @@ "eius6159.www5.localhost" ], "rsa.db.index": "temvel", - "rsa.identity.firstname": "lupt", + "rsa.identity.firstname": "oloremqu", "rsa.identity.lastname": "tia", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1609000000, "rsa.investigations.event_cat_name": "System.Alerts", "rsa.misc.device_name": "aer", "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "oloremqu", + "rsa.misc.mail_id": "lupt", "rsa.network.alias_host": [ "eius6159.www5.localhost" ], @@ -221,7 +221,7 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: urerep aquaeab (liqu), Zone Names: lorem Device Id: emq", + "event.original": "24-Apr-2016 12:25:25 low lor340.mail.local natura <ima 24T00:25:25.tanimi nimadmin6499.local CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: dexe User: ),urerep (aquaeab liqu Zone Names: lorem Device Id: emq", "fileset.name": "protect", "host.name": "nimadmin6499.local", "input.type": "log", @@ -233,14 +233,14 @@ "nimadmin6499.local" ], "rsa.db.index": "lorem", - "rsa.identity.firstname": "urerep", + "rsa.identity.firstname": "liqu", "rsa.identity.lastname": "aquaeab", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502000000, "rsa.investigations.event_cat_name": "Policies.Rules", "rsa.misc.device_name": "dexe", "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "liqu", + "rsa.misc.mail_id": "urerep", "rsa.network.alias_host": [ "nimadmin6499.local" ], @@ -255,7 +255,7 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: dmi olab (mquisnos)", + "event.original": "ari 2016-5-8T7:27:59.equun suntinc4934.www5.test CylancePROTECT ipis gelits [tatevel] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Policy: uptatev; SHA256: uovol, User: )dmi (olab mquisnos", "fileset.name": "protect", "host.name": "suntinc4934.www5.test", "input.type": "log", @@ -266,7 +266,7 @@ "related.hosts": [ "suntinc4934.www5.test" ], - "rsa.identity.firstname": "dmi", + "rsa.identity.firstname": "mquisnos", "rsa.identity.lastname": "olab", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -274,7 +274,7 @@ "rsa.investigations.event_vcat": " AuditLog", "rsa.misc.checksum": "uovol", "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "mquisnos", + "rsa.misc.mail_id": "dmi", "rsa.misc.policy_name": "uptatev", "rsa.network.alias_host": [ "suntinc4934.www5.test" @@ -285,17 +285,49 @@ "forwarded" ] }, + { + "event.action": "threat_quarantined", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "22-May-2016 14:30:33 medium tvol457.internal.local inim <roinBCSe 2016-5-22T2:30:33.onse tae1382.mail.localhost CylancePROTECT oluptate ofdeF tion Event Type: orsitame, Event Name: threat_quarantined, Threat Class: lit, Threat Subclass: iam, SHA256: qua, MD5: umdo", + "fileset.name": "protect", + "host.name": "tae1382.mail.localhost", + "input.type": "log", + "log.offset": 1814, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "tae1382.mail.localhost" + ], + "rsa.crypto.sig_type": "lit", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "orsitame", + "rsa.misc.checksum": "qua", + "rsa.misc.event_type": "threat_quarantined", + "rsa.network.alias_host": [ + "tae1382.mail.localhost" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-5-22T2:30:33.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", + "event.original": "2016-6-5T9:33:08.eniam reetdolo2451.www.example CylancePROTECT rumet oll [erc] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: llam, File Path: aspern, Interpreter: itlabori, Interpreter Version: 1.2344, Zone Names: ollit, User Name: usan", "file.directory": "aspern", "fileset.name": "protect", "host.name": "reetdolo2451.www.example", "input.type": "log", - "log.offset": 1814, + "log.offset": 2084, "network.application": "itlabori", "observer.product": "Protect", "observer.type": "Anti-Virus", @@ -324,16 +356,51 @@ ], "user.name": "usan" }, + { + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "olo 2016-6-20T4:35:42.uaera sitas4259.mail.corp CylancePROTECT atquovo iumto aboreetd Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Zone: dun; Policy: enim; Value: saute, User: vel quu (undeo)", + "fileset.name": "protect", + "host.name": "sitas4259.mail.corp", + "input.type": "log", + "log.offset": 2343, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "sitas4259.mail.corp" + ], + "rsa.db.index": "dun", + "rsa.identity.firstname": "vel", + "rsa.identity.lastname": "quu", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "undeo", + "rsa.misc.policy_name": "enim", + "rsa.network.alias_host": [ + "sitas4259.mail.corp" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-6-5T9:33:08.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", + "event.original": "2016-7-4T11:38:16.isqu uis7612.www5.domain CylancePROTECT llumquid tation [ips] Event Type: emeumfug, Event Name: Registration, emporinc", "fileset.name": "protect", "host.name": "uis7612.www5.domain", "input.type": "log", - "log.offset": 2074, + "log.offset": 2548, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -354,16 +421,50 @@ "forwarded" ] }, + { + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "cup 2016-7-18T6:40:50.boNemoen uid7309.api.domain CylancePROTECT uradi aborumSe luptat Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: Policy: antiumto, User: strude ctetura (usmod)", + "fileset.name": "protect", + "host.name": "uid7309.api.domain", + "input.type": "log", + "log.offset": 2685, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "uid7309.api.domain" + ], + "rsa.identity.firstname": "strude", + "rsa.identity.lastname": "ctetura", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "usmod", + "rsa.misc.policy_name": "antiumto", + "rsa.network.alias_host": [ + "uid7309.api.domain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "20-Jun-2016 4:35:42 high fugit7668.www5.invalid lupt <qua 20T04:35:42.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", + "event.original": "2-Aug-2016 1:43:25 high fugit7668.www5.invalid lupt <qua 2T01:43:25.luptatev admi3749.api.lan CylancePROTECT Event Name:DeviceRemove, Device Message: Device: tinvol; Zones Removed: dolore; Zones Added: abor, User: iqui etc (etM), Zone Names:nimadmin Device Id: ditautfu", "fileset.name": "protect", "host.name": "admi3749.api.lan", "input.type": "log", - "log.offset": 2210, + "log.offset": 2882, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -393,12 +494,12 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-7-4T11:38:16.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", + "event.original": "2016-8-16T8:45:59.ostr rudexerc703.internal.host CylancePROTECT itaut imaven [liqua] Event Type: ScriptControl, Event Name: fullaccess, Device Name: onproide, File Path: Nemoen, Interpreter: tfug, Interpreter Version: 1.5383 (ccu), Zone Names: urE, User Name: isaute", "file.directory": "Nemoen", "fileset.name": "protect", "host.name": "rudexerc703.internal.host", "input.type": "log", - "log.offset": 2487, + "log.offset": 3157, "network.application": "tfug", "observer.product": "Protect", "observer.type": "Anti-Virus", @@ -428,16 +529,49 @@ ], "user.name": "isaute" }, + { + "event.action": "Alert", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "eomnisis 2016-8-30T3:48:33.mqui civeli370.www5.local CylancePROTECT sunt stl tdolorem Event Type: AuditLog, Event Name: Alert, Message: The Device: picia was auto assigned to the Zone: IP Address: Fake Devices, User: mUtenima emaperi ()tame", + "fileset.name": "protect", + "host.name": "civeli370.www5.local", + "input.type": "log", + "log.offset": 3424, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "civeli370.www5.local" + ], + "rsa.db.index": "The Device: picia was auto assigned to the Zone: IP Address: Fake Devices", + "rsa.identity.firstname": "mUtenima", + "rsa.identity.lastname": "emaperi", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Alert", + "rsa.network.alias_host": [ + "civeli370.www5.local" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "cancel", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "July 2016/07/18 18:40:50 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", + "event.original": "September 2016/09/13 22:51:07 ivelits712.api.example CylancePROTECT Event Type: AppControl, etdolo inv [agnaali] Event Type: AppControl, Event Name: threat_found, Device Name: sequatur, IP Address: (10.199.98.186), Action: cancel, Action Type: nihi, File Path: Lor, SHA256: itecto, Zone Names: erc", "file.directory": "Lor", "fileset.name": "protect", "input.type": "log", - "log.offset": 2754, + "log.offset": 3665, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -469,14 +603,14 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "olupt 2016-8-2T1:43:25.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", + "event.original": "olupt 2016-9-28T5:53:42.modoco estqu1709.internal.example CylancePROTECT ostrume molest [upt] Event Type: Threat, Event Name: LoginSuccess, Device Name: uasia, IP Address: (10.64.70.5), File Name: ici, Path: giatquov, Drive Type: eritquii, SHA256: dexeac, MD5: iscinge, Status: atvol, Cylance Score: 145.898000, Found Date: uames, File Type: tati, Is Running: utaliqu, Auto Run: oriosamn, Detected By: deFinibu, Zone Names: iadese, Is Malware: imidest, Is Unique To Cylance: emagnama, Threat Classification: eprehend", "file.directory": "giatquov", "file.name": "ici", "file.type": "tati", "fileset.name": "protect", "host.name": "estqu1709.internal.example", "input.type": "log", - "log.offset": 3047, + "log.offset": 3963, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -514,12 +648,12 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2016-8-16T8:45:59.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", + "event.original": "2016-10-12T12:56:16.suntinc xeac7155.www.localdomain CylancePROTECT taliq intoccae [ents] Event Type: pida, Event Name: Alert, Device Name: idolor, Agent Version: emeumfu, IP Address: (10.143.239.210), MAC Address: (01:00:5e:93:1c:9f), Logged On Users: (oinBCSe), OS: mnisist Zone Names: sedd", "fileset.name": "protect", "host.mac": "01:00:5e:93:1c:9f", "host.name": "xeac7155.www.localdomain", "input.type": "log", - "log.offset": 3563, + "log.offset": 4480, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -559,11 +693,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ipitla 2016-8-30T3:48:33.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", + "event.original": "ipitla 2016-10-26T7:58:50.quae maccusa5126.api.domain CylancePROTECT idex xerci [aqu] Event Type: ExploitAttempt, Event Name: Alert, Device Name: olorema, IP Address: (10.32.143.134), Action: accept, Process ID: 2289, Process Name: aliqu.exe, User Name: olupta, Violation Type: mipsumd, Zone Names: eFinib", "fileset.name": "protect", "host.name": "maccusa5126.api.domain", "input.type": "log", - "log.offset": 3854, + "log.offset": 4773, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -607,11 +741,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "13-Sep-2016 10:51:07 low eav3687.internal.local siar <iamquis 13T22:51:07.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", + "event.original": "10-Nov-2016 3:01:24 low eav3687.internal.local siar <iamquis 10T03:01:24.quirat llu4718.localhost CylancePROTECT Event Name:DeviceEdit, Device Name:conseq, External Device Type:oidentsu, External Device Vendor ID:atiset, External Device Name:atu, External Device Product ID:umexerci, External Device Serial Number:ern, Zone Names:psaquae", "fileset.name": "protect", "host.name": "llu4718.localhost", "input.type": "log", - "log.offset": 4159, + "log.offset": 5079, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -640,10 +774,10 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Sep 28 5:53:42 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", + "event.original": "Nov 24 10:03:59 doloremi7402.www.test CylancePROTECT Event Type:stquidol, Event Name:DeviceRemove, Device Message: Device: leumiu; Policy Changed: namali to 'taevit', User: rinrepre etconse (tincu), Zone Names:ari, Device Id: exercit", "fileset.name": "protect", "input.type": "log", - "log.offset": 4504, + "log.offset": 5423, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -669,11 +803,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "12-October-2016 12:56:16 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-10-12T12:56:16.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat", + "event.original": "8-December-2016 17:06:33 very-high occae1180.internal.localhost aquaeabi <adeseru 2016-12-8T5:06:33.emoe eaq908.api.home CylancePROTECT itame intoc [oluptas] Event Type: tNequepo, Event Name: ZoneAddDevice, Device Name: luptasn, Zone Names:equat", "fileset.name": "protect", "host.name": "eaq908.api.home", "input.type": "log", - "log.offset": 4737, + "log.offset": 5657, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -696,17 +830,53 @@ "forwarded" ] }, + { + "event.action": "ZoneAddDevice", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ihilmole 2016-12-23T12:09:07.eriamea amre146.mail.host CylancePROTECT pisciv iquidex radipisc Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Policy: nti; SHA256: abi; Category: sectetur, User: )uioffi (oru temqu", + "fileset.name": "protect", + "host.name": "amre146.mail.host", + "input.type": "log", + "log.offset": 5909, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "amre146.mail.host" + ], + "rsa.identity.firstname": "temqu", + "rsa.identity.lastname": "oru", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "sectetur", + "rsa.misc.checksum": "abi", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "uioffi", + "rsa.misc.policy_name": "nti", + "rsa.network.alias_host": [ + "amre146.mail.host" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ommodico 2016-10-26T7:58:50.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", + "event.original": "ommodico 2017-1-6T7:11:41.quatD mcolab379.internal.home CylancePROTECT tsedqu agnid [proide] Event Type: ScriptControl, Event Name: DeviceRemove, Device Name: tper, File Path: olor, Interpreter: Neque, Interpreter Version: 1.4129 (xerc), Zone Names: iutali, User Name: fdeFi", "file.directory": "olor", "fileset.name": "protect", "host.name": "mcolab379.internal.home", "input.type": "log", - "log.offset": 4991, + "log.offset": 6132, "network.application": "Neque", "observer.product": "Protect", "observer.type": "Anti-Virus", @@ -741,11 +911,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Nov 10 3:01:24 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", + "event.original": "Jan 20 2:14:16 tasuntex5037.www.corp CylancePROTECT Event Type:boN, Event Name:threat_quarantined, Device Name:ectio, Agent Version:dutper, IP Address: (10.237.205.140), MAC Address: (01:00:5e:3f:c4:6c), Logged On Users: (uames), OS:iduntu, Zone Names:veniam", "fileset.name": "protect", "host.mac": "01:00:5e:3f:c4:6c", "input.type": "log", - "log.offset": 5268, + "log.offset": 6407, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -779,11 +949,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-Nov-2016 10:03:59 very-high reme622.mail.example isnisiu <tsu 24T10:03:59.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: idata rumwritt (magnid), Zone Names: enderit Device Id: untex", + "event.original": "3-Feb-2017 9:16:50 very-high reme622.mail.example isnisiu <tsu 3T21:16:50.tcons sciun4694.api.lan CylancePROTECT Event Name:LoginSuccess, Device Message: Device: nsect User: ),idata (rumwritt magnid Zone Names: enderit Device Id: untex", "fileset.name": "protect", "host.name": "sciun4694.api.lan", "input.type": "log", - "log.offset": 5527, + "log.offset": 6666, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -791,14 +961,14 @@ "sciun4694.api.lan" ], "rsa.db.index": "enderit", - "rsa.identity.firstname": "idata", + "rsa.identity.firstname": "magnid", "rsa.identity.lastname": "rumwritt", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", "rsa.misc.device_name": "nsect", "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.mail_id": "magnid", + "rsa.misc.mail_id": "idata", "rsa.network.alias_host": [ "sciun4694.api.lan" ], @@ -808,16 +978,64 @@ "forwarded" ] }, + { + "event.action": "cancel", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "paquioff 2017-2-18T4:19:24.mquisnos maven3758.www.invalid CylancePROTECT labor didunt uptatema Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: udan, IP Address: (10.74.104.215), Action: cancel, Process ID: 7410, Process Name: mveleu.exe, User Name: nofdeFin, Violation Type: sequam, Zone Names: temvel", + "fileset.name": "protect", + "host.name": "maven3758.www.invalid", + "input.type": "log", + "log.offset": 6908, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "mveleu.exe", + "process.pid": 7410, + "related.hosts": [ + "maven3758.www.invalid" + ], + "related.ip": [ + "10.74.104.215" + ], + "related.user": [ + "nofdeFin" + ], + "rsa.db.index": "temvel", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "udan", + "rsa.misc.policy_name": "sequam", + "rsa.network.alias_host": [ + "maven3758.www.invalid" + ], + "service.type": "cylance", + "source.ip": [ + "10.74.104.215" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "nofdeFin" + }, { "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "8-Dec-2016 5:06:33 medium tvolu3997.mail.home eiu <autfu 8T17:06:33.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", + "event.original": "4-Mar-2017 11:21:59 medium tvolu3997.mail.home eiu <autfu 4T11:21:59.gnaaliq mni7200.mail.localdomain CylancePROTECT Event Name:pechange, Device Name:idolor, Zone Names:uisau, Device Id: eleum", "fileset.name": "protect", "host.name": "mni7200.mail.localdomain", "input.type": "log", - "log.offset": 5772, + "log.offset": 7227, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -844,10 +1062,10 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Dec 23 12:09:07 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", + "event.original": "Mar 18 6:24:33 ate4627.localdomain CylancePROTECT Event Type:officiad, Event Name:Device Policy Assigned, Message: The Device:quinescwas auto assigned to Zone:madmi, User:tur", "fileset.name": "protect", "input.type": "log", - "log.offset": 5973, + "log.offset": 7429, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -870,12 +1088,12 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "6-January-2017 07:11:41 very-high orem6702.invalid tev <ntocca 2017-1-6T7:11:41.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", + "event.original": "2-April-2017 01:27:07 very-high orem6702.invalid tev <ntocca 2017-4-2T1:27:07.ostru ntoccae1705.internal.invalid CylancePROTECT temquiav equatu [upta] Event Type: ScriptControl, Event Name: Alert, Device Name: sBon, File Path: orro, Interpreter: tae, Interpreter Version: 1.3212, Zone Names: tlab, User Name: aperiame", "file.directory": "orro", "fileset.name": "protect", "host.name": "ntoccae1705.internal.invalid", "input.type": "log", - "log.offset": 6150, + "log.offset": 7604, "network.application": "tae", "observer.product": "Protect", "observer.type": "Anti-Virus", @@ -909,11 +1127,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "20-Jan-2017 2:14:16 high tobea2364.internal.localhost itinvol <fugiatn 20T14:14:16.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame", + "event.original": "16-Apr-2017 8:29:41 high tobea2364.internal.localhost itinvol <fugiatn 16T08:29:41.docon etconsec6708.internal.invalid CylancePROTECT Event Name:PolicyAdd, Device Name:ersp, External Device Type:tquov, External Device Vendor ID:diconseq, External Device Name:inven, External Device Product ID:osquira, External Device Serial Number:tes, Zone Names:mquame", "fileset.name": "protect", "host.name": "etconsec6708.internal.invalid", "input.type": "log", - "log.offset": 6477, + "log.offset": 7929, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -942,11 +1160,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-2-3T9:16:50.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", + "event.original": "2017-4-30T3:32:16.squirati Sedutp7428.internal.home CylancePROTECT utlabor itessequ [porro] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: iquipe; Policy: itempor; Value: quin, User: upida tvolupt (eufugi)", "fileset.name": "protect", "host.name": "Sedutp7428.internal.home", "input.type": "log", - "log.offset": 6841, + "log.offset": 8293, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -977,11 +1195,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "uamni 2017-2-18T4:19:24.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", + "event.original": "uamni 2017-5-14T10:34:50.ctet ati4639.www5.home CylancePROTECT archite loreme [untu] Event Type: AuditLog, Event Name: Alert, Message: Device: ven; User: con nisist (usmodte)", "fileset.name": "protect", "host.name": "ati4639.www5.home", "input.type": "log", - "log.offset": 7059, + "log.offset": 8512, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1011,11 +1229,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-3-4T11:21:59.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser (oin)", + "event.original": "2017-5-29T5:37:24.eturadi torever662.www5.home CylancePROTECT quam sumdolor [meaqueip] Event Type: AuditLog, Event Name: PolicyAdd, Message: The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240, User: amcol adeser ()oin", "fileset.name": "protect", "host.name": "torever662.www5.home", "input.type": "log", - "log.offset": 7233, + "log.offset": 8687, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1030,7 +1248,6 @@ "rsa.investigations.event_cat_name": "Policies.Rules.Added", "rsa.investigations.event_vcat": " AuditLog", "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "oin", "rsa.network.alias_host": [ "torever662.www5.home" ], @@ -1040,23 +1257,103 @@ "forwarded" ] }, + { + "event.action": "DeviceRemove", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "12-June-2017 12:39:58 medium meius3932.internal.example ccaeca <uptate 2017-6-12T12:39:58.amc cusant1701.api.localdomain CylancePROTECT siutaliq dutp psaquaea Event Type: taevita, Event Name: DeviceRemove, Device Name: siut, Agent Version: tconsect, IP Address: (10.190.175.158), MAC Address: (01:00:5e:45:8b:97), Logged On Users: (ditemp), OS: edqui", + "fileset.name": "protect", + "host.mac": "01:00:5e:45:8b:97", + "host.name": "cusant1701.api.localdomain", + "input.type": "log", + "log.offset": 8928, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "cusant1701.api.localdomain" + ], + "related.ip": [ + "10.190.175.158" + ], + "related.user": [ + "ditemp" + ], + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": "taevita", + "rsa.misc.OS": "edqui", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "siut", + "rsa.network.alias_host": [ + "cusant1701.api.localdomain" + ], + "rsa.network.eth_host": "01:00:5e:45:8b:97", + "service.type": "cylance", + "source.ip": [ + "10.190.175.158" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "ditemp" + }, + { + "event.action": "fullaccess", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "26-June-2017 19:42:33 very-high rnatu2805.www.home enderi <odoconse 2017-6-26T7:42:33.quamqua eacommod1930.internal.lan CylancePROTECT tpersp stla uptatema Event Type: AuditLog, Event Name: fullaccess, Message: Device: uradi; SHA256: tot; Category: llamco, User: )nea (psum tasnulap", + "fileset.name": "protect", + "host.name": "eacommod1930.internal.lan", + "input.type": "log", + "log.offset": 9287, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "eacommod1930.internal.lan" + ], + "rsa.identity.firstname": "tasnulap", + "rsa.identity.lastname": "psum", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.category": "llamco", + "rsa.misc.checksum": "tot", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.mail_id": "nea", + "rsa.misc.node": "uradi", + "rsa.network.alias_host": [ + "eacommod1930.internal.lan" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-3-18T6:24:33.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: ccaeca niamq (lapariat)", + "event.original": "2017-7-11T2:45:07.oremipsu emeumfug4387.internal.lan CylancePROTECT uidol litani [utodita] Event Type: AuditLog, Event Name: Alert, Message: Device: untincul; SHA256: iduntu, User: )ccaeca (niamq lapariat", "fileset.name": "protect", "host.name": "emeumfug4387.internal.lan", "input.type": "log", - "log.offset": 7474, + "log.offset": 9579, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ "emeumfug4387.internal.lan" ], - "rsa.identity.firstname": "ccaeca", + "rsa.identity.firstname": "lapariat", "rsa.identity.lastname": "niamq", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1609000000, @@ -1064,7 +1361,7 @@ "rsa.investigations.event_vcat": " AuditLog", "rsa.misc.checksum": "iduntu", "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "lapariat", + "rsa.misc.mail_id": "ccaeca", "rsa.misc.node": "untincul", "rsa.network.alias_host": [ "emeumfug4387.internal.lan" @@ -1080,11 +1377,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "uat 2017-4-2T1:27:07.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", + "event.original": "uat 2017-7-25T9:47:41.tiaec rumwrit764.www5.local CylancePROTECT edquiac urerepr [eseru] Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: etMal, External Device Type: qua, External Device Vendor ID: rsita, External Device Name: ate, External Device Product ID: ipsamvo, External Device Serial Number: onula, Zone Names: miu", "fileset.name": "protect", "host.name": "rumwrit764.www5.local", "input.type": "log", - "log.offset": 7679, + "log.offset": 9784, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1113,10 +1410,10 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Apr 16 8:29:41 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015", + "event.original": "Aug 8 4:50:15 mex2054.mail.corp CylancePROTECT Event Type:luptat, Event Name:SyslogSettingsSave, Message: Provider:ica, Source IP:10.13.66.97, User: dicta taedicta (ritt)#015", "fileset.name": "protect", "input.type": "log", - "log.offset": 8019, + "log.offset": 10125, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1141,33 +1438,31 @@ ] }, { - "event.action": "threat_quarantined", + "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "30-April-2017 15:32:16 high isiu5733.api.domain etdolor <xeaco 2017-4-30T3:32:16.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", + "event.original": "2017-8-22T11:52:50.dictasun veniamqu7284.mail.invalid CylancePROTECT nte mvel nof Event Type: AuditLog, Event Name: DeviceEdit, Message: The Device: tetur was auto assigned to the Zone: IP Address: Fake Devices, User: ()xce", "fileset.name": "protect", - "host.name": "oremi1485.api.localhost", + "host.name": "veniamqu7284.mail.invalid", "input.type": "log", - "log.offset": 8195, + "log.offset": 10300, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "oremi1485.api.localhost" + "veniamqu7284.mail.invalid" ], - "rsa.identity.firstname": "atisund", - "rsa.identity.lastname": "xea", + "rsa.db.index": "The Device: tetur was auto assigned to the Zone: IP Address: Fake Devices", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.checksum": "amvolupt", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.mail_id": "ites", - "rsa.misc.result": "success", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "xce", + "rsa.misc.node": "tetur", "rsa.network.alias_host": [ - "oremi1485.api.localhost" + "veniamqu7284.mail.invalid" ], "service.type": "cylance", "tags": [ @@ -1176,29 +1471,33 @@ ] }, { - "event.action": "threat_found", + "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "14-May-2017 10:34:50 high nvol6269.internal.local tla <nimid 14T22:34:50.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq", + "event.original": "6-September-2017 06:55:24 high isiu5733.api.domain etdolor <xeaco 2017-9-6T6:55:24.nvolupt oremi1485.api.localhost CylancePROTECT iosa boNemoe [onsequ] Event Type: AuditLog, Event Name: threat_quarantined, Message: SHA256: amvolupt; Reason: success, User: atisund xea (ites)", "fileset.name": "protect", - "host.name": "periam126.api.host", + "host.name": "oremi1485.api.localhost", "input.type": "log", - "log.offset": 8475, + "log.offset": 10524, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "periam126.api.host" + "oremi1485.api.localhost" ], - "rsa.crypto.sig_type": "rExc", + "rsa.identity.firstname": "atisund", + "rsa.identity.lastname": "xea", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.checksum": "tame", - "rsa.misc.event_type": "threat_found", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.checksum": "amvolupt", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.mail_id": "ites", + "rsa.misc.result": "success", "rsa.network.alias_host": [ - "periam126.api.host" + "oremi1485.api.localhost" ], "service.type": "cylance", "tags": [ @@ -1207,29 +1506,141 @@ ] }, { - "event.action": "PolicyAdd", + "event.action": "cancel", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "iuntNe 2017-5-29T5:37:24.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", - "file.directory": "sit", - "file.name": "iquamqua", - "file.type": "olorsit", + "event.original": "eri 2017-9-20T1:57:58.quunt olori416.api.test CylancePROTECT elit cidunt plica Event Type: ExploitAttempt, Event Name: Alert, Device Name: exeaco, IP Address: (10.31.190.145), Action: cancel, Process ID: 5530, Process Name: accusant.exe, User Name: onse, Violation Type: admin, Zone Names: stenatu", "fileset.name": "protect", - "host.name": "tate6578.api.localdomain", + "host.name": "olori416.api.test", "input.type": "log", - "log.offset": 8683, + "log.offset": 10806, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "process.name": "accusant.exe", + "process.pid": 5530, "related.hosts": [ - "tate6578.api.localdomain" + "olori416.api.test" ], "related.ip": [ - "10.252.165.146" + "10.31.190.145" ], - "rsa.crypto.sig_type": "undeom", - "rsa.db.index": "turadip", + "related.user": [ + "onse" + ], + "rsa.db.index": "stenatu", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "exeaco", + "rsa.misc.policy_name": "admin", + "rsa.network.alias_host": [ + "olori416.api.test" + ], + "service.type": "cylance", + "source.ip": [ + "10.31.190.145" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "onse" + }, + { + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "4-Oct-2017 9:00:32 high nvol6269.internal.local tla <nimid 4T21:00:32.dat periam126.api.host CylancePROTECT Event Name:threat_found, Threat Class:rExc, Threat Subclass:iusmo, SHA256:tame, MD5:naaliq", + "fileset.name": "protect", + "host.name": "periam126.api.host", + "input.type": "log", + "log.offset": 11104, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "periam126.api.host" + ], + "rsa.crypto.sig_type": "rExc", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.misc.checksum": "tame", + "rsa.misc.event_type": "threat_found", + "rsa.network.alias_host": [ + "periam126.api.host" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "19-October-2017 04:03:07 medium toccaec7645.www5.home psaqua <itationu 2017-10-19T4:03:07.proident maliquam2147.internal.home CylancePROTECT lores ritati orisni Event Type: DeviceControl, Event Name: PolicyAdd, Device Name: estl, External Device Type: sitam, External Device Vendor ID: orem, External Device Name: rcit, External Device Product ID: llamco, External Device Serial Number: atu, Zone Names: untincul", + "fileset.name": "protect", + "host.name": "maliquam2147.internal.home", + "input.type": "log", + "log.offset": 11309, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "maliquam2147.internal.home" + ], + "rsa.db.index": "untincul", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "estl", + "rsa.misc.serial_number": "atu", + "rsa.network.alias_host": [ + "maliquam2147.internal.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "PolicyAdd", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "iuntNe 2017-11-2T11:05:41.atise tate6578.api.localdomain CylancePROTECT emvele isnost [olorem] Event Type: Threat, Event Name: PolicyAdd, Device Name: yCiceroi, IP Address: (10.252.165.146), File Name: iquamqua, Path: sit, Drive Type: rumSect, SHA256: ita, MD5: vitaed, Status: exeaco, Cylance Score: 51.523000, Found Date: mven, File Type: olorsit, Is Running: tore, Auto Run: elits, Detected By: consequa, Zone Names: turadip, Is Malware: tatevel, Is Unique To Cylance: boreetdo, Threat Classification: undeom", + "file.directory": "sit", + "file.name": "iquamqua", + "file.type": "olorsit", + "fileset.name": "protect", + "host.name": "tate6578.api.localdomain", + "input.type": "log", + "log.offset": 11732, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "tate6578.api.localdomain" + ], + "related.ip": [ + "10.252.165.146" + ], + "rsa.crypto.sig_type": "undeom", + "rsa.db.index": "turadip", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502030000, "rsa.investigations.event_cat_name": "Policies.Rules.Added", @@ -1251,17 +1662,61 @@ "forwarded" ] }, + { + "event.action": "threat_changed", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "2017-11-16T6:08:15.uov itlab6956.mail.local CylancePROTECT loremqu tetur amvo Event Type: siuta, Event Name: threat_changed, Device Name: ommodo, Agent Version: uptat, IP Address: (10.105.46.101, tatione), MAC Address: (01:00:5e:de:32:2c, ori), Logged On Users: (tconsect), OS: rum", + "fileset.name": "protect", + "host.mac": "01:00:5e:de:32:2c", + "host.name": "itlab6956.mail.local", + "input.type": "log", + "log.offset": 12244, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "itlab6956.mail.local" + ], + "related.ip": [ + "10.105.46.101" + ], + "related.user": [ + "tconsect" + ], + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "siuta", + "rsa.misc.OS": "rum", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "ommodo", + "rsa.network.alias_host": [ + "itlab6956.mail.local" + ], + "rsa.network.eth_host": "01:00:5e:de:32:2c", + "service.type": "cylance", + "source.ip": [ + "10.105.46.101" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "tconsect" + }, { "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-6-12T12:39:58.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", + "event.original": "2017-12-1T1:10:49.ugiatn midestl1919.host CylancePROTECT cingel modocon [ipsu] Event Type: ntNeq, Event Name: Device Policy Assigned, Device Name: aUt, Agent Version: boNem, IP Address: (10.124.88.222), MAC Address: (01:00:5e:f9:78:c2), Logged On Users: (onu), OS: liquaUte", "fileset.name": "protect", "host.mac": "01:00:5e:f9:78:c2", "host.name": "midestl1919.host", "input.type": "log", - "log.offset": 9194, + "log.offset": 12526, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1295,23 +1750,71 @@ ], "user.name": "onu" }, + { + "event.action": "deny", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ria 2017-12-15T8:13:24.atDu nsec923.internal.local CylancePROTECT agnaaliq tlaboree norumet Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: mod, IP Address: (10.28.120.149), Action: deny, Process ID: 3916, Process Name: tinvolup.exe, User Name: tsed, Violation Type: inv, Zone Names: rroq", + "fileset.name": "protect", + "host.name": "nsec923.internal.local", + "input.type": "log", + "log.offset": 12800, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "process.name": "tinvolup.exe", + "process.pid": 3916, + "related.hosts": [ + "nsec923.internal.local" + ], + "related.ip": [ + "10.28.120.149" + ], + "related.user": [ + "tsed" + ], + "rsa.db.index": "rroq", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "mod", + "rsa.misc.policy_name": "inv", + "rsa.network.alias_host": [ + "nsec923.internal.local" + ], + "service.type": "cylance", + "source.ip": [ + "10.28.120.149" + ], + "tags": [ + "cylance.protect", + "forwarded" + ], + "user.name": "tsed" + }, { "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-6-26T7:42:33.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: dol sciun (metcons)", + "event.original": "2017-12-29T3:15:58.mipsamvo eiusmod3517.internal.invalid CylancePROTECT oreveri ehende [eaqueip] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: Device: olup; SHA256: labor, User: )dol (sciun metcons", "fileset.name": "protect", "host.name": "eiusmod3517.internal.invalid", "input.type": "log", - "log.offset": 9469, + "log.offset": 13106, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ "eiusmod3517.internal.invalid" ], - "rsa.identity.firstname": "dol", + "rsa.identity.firstname": "metcons", "rsa.identity.lastname": "sciun", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1319,7 +1822,7 @@ "rsa.investigations.event_vcat": " AuditLog", "rsa.misc.checksum": "labor", "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "metcons", + "rsa.misc.mail_id": "dol", "rsa.misc.node": "olup", "rsa.network.alias_host": [ "eiusmod3517.internal.invalid" @@ -1330,17 +1833,60 @@ "forwarded" ] }, + { + "event.action": "accept", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "12-January-2018 22:18:32 high asnu3806.api.lan tamet <ationul 2018/01/12T22:18:32.mquisn queips4947.mail.example CylancePROTECT molestia quir eavolup Event Type: AppControl, Event Name: Registration, Device Name: labore, IP Address: (10.165.16.231), Action: accept, Action Type: uto, File Path: iuntNequ, SHA256: esseq, Zone Names: aincidun", + "file.directory": "iuntNequ", + "fileset.name": "protect", + "host.name": "queips4947.mail.example", + "input.type": "log", + "log.offset": 13316, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "queips4947.mail.example" + ], + "related.ip": [ + "10.165.16.231" + ], + "rsa.db.index": "aincidun", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.checksum": "esseq", + "rsa.misc.event_type": "Registration", + "rsa.misc.node": "labore", + "rsa.network.alias_host": [ + "queips4947.mail.example" + ], + "service.type": "cylance", + "source.ip": [ + "10.165.16.231" + ], + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "11-July-2017 02:45:07 low oloreseo5039.test derit <dolor 2017-7-11T2:45:07.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", + "event.original": "27-January-2018 05:21:06 low oloreseo5039.test derit <dolor 2018-1-27T5:21:06.econs ntexpl3889.www.home CylancePROTECT yCic nder [mdolore] Event Type: Cic, Event Name: DeviceRemove, Device Name: saqu, Agent Version: iscive, IP Address: (10.156.34.19), MAC Address: (01:00:5e:54:ab:3f), Logged On Users: (imveni), OS: ariaturE Zone Names: stquid", "fileset.name": "protect", "host.mac": "01:00:5e:54:ab:3f", "host.name": "ntexpl3889.www.home", "input.type": "log", - "log.offset": 9678, + "log.offset": 13667, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1375,17 +1921,51 @@ ], "user.name": "imveni" }, + { + "event.action": "Registration", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "ree 2018-2-10T12:23:41.saquaea ation6657.www.home CylancePROTECT iatqu lorsi repreh Event Type: AuditLog, Event Name: Registration, Message: sitamet, User: utlabo tetur (tionula)", + "fileset.name": "protect", + "host.name": "ation6657.www.home", + "input.type": "log", + "log.offset": 14019, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "ation6657.www.home" + ], + "rsa.db.index": "sitamet", + "rsa.identity.firstname": "utlabo", + "rsa.identity.lastname": "tetur", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "Registration", + "rsa.misc.mail_id": "tionula", + "rsa.network.alias_host": [ + "ation6657.www.home" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "25-Jul-2017 9:47:41 very-high idolor3916.www5.home tas <tasun 25T09:47:41.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", + "event.original": "24-Feb-2018 7:26:15 very-high idolor3916.www5.home tas <tasun 24T19:26:15.duntutla ntium4450.www5.localdomain CylancePROTECT Event Name:DeviceRemove, Device Name:vol, Agent Version:oremquel, IP Address: (10.22.94.10), MAC Address: (01:00:5e:ee:e8:77), Logged On Users: (ssusci), OS:animid, Zone Names:mpo", "fileset.name": "protect", "host.mac": "01:00:5e:ee:e8:77", "host.name": "ntium4450.www5.localdomain", "input.type": "log", - "log.offset": 10027, + "log.offset": 14198, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1419,16 +1999,50 @@ ], "user.name": "ssusci" }, + { + "event.action": "DeviceEdit", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "llam 2018-3-11T2:28:49.cti aparia1179.www.localdomain CylancePROTECT rever ore offici Event Type: AuditLog, Event Name: DeviceEdit, Message: Devices: metco, User: acom ceroinB (nim)", + "fileset.name": "protect", + "host.name": "aparia1179.www.localdomain", + "input.type": "log", + "log.offset": 14512, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "aparia1179.www.localdomain" + ], + "rsa.identity.firstname": "acom", + "rsa.identity.lastname": "ceroinB", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.mail_id": "nim", + "rsa.misc.node": "metco", + "rsa.network.alias_host": [ + "aparia1179.www.localdomain" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, { "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "8-August-2017 16:50:15 medium taliqui5348.mail.localdomain loremag <iatqu 2017-8-8T4:50:15.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", + "event.original": "25-March-2018 09:31:24 medium taliqui5348.mail.localdomain loremag <iatqu 2018-3-25T9:31:24.inBCSedu erspi5757.local CylancePROTECT suntex iacons [occaec] Event Type: DeviceControl, Event Name: LoginSuccess, Device Name: uov, External Device Type: quaeab, External Device Vendor ID: fici, External Device Name: imve, External Device Product ID: quide, External Device Serial Number: quaU, Zone Names: undeomni", "fileset.name": "protect", "host.name": "erspi5757.local", "input.type": "log", - "log.offset": 10341, + "log.offset": 14694, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1453,30 +2067,65 @@ ] }, { - "event.action": "threat_found", + "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Aug 22 11:52:50 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", + "event.original": "liquid 2018-4-8T4:33:58.enim Finibus1411.www5.corp CylancePROTECT xea taed umdolo Event Type: AuditLog, Event Name: fullaccess, Message: Policy Assigned:rroqu; Devices: dquiaco , User: nibus vitaed (ser)", "fileset.name": "protect", + "host.name": "Finibus1411.www5.corp", "input.type": "log", - "log.offset": 10755, + "log.offset": 15109, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "lmolesti", - "rsa.identity.firstname": "uptate", - "rsa.identity.lastname": "lloinven", + "related.hosts": [ + "Finibus1411.www5.corp" + ], + "rsa.identity.firstname": "nibus", + "rsa.identity.lastname": "vitaed", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "idolo", - "rsa.misc.device_name": "edolo", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "econs", - "service.type": "cylance", - "tags": [ - "cylance.protect", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.mail_id": "ser", + "rsa.misc.node": "dquiaco", + "rsa.misc.policy_name": "rroqu", + "rsa.network.alias_host": [ + "Finibus1411.www5.corp" + ], + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "threat_found", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "Apr 22 11:36:32 upt7879.www5.example CylancePROTECT Event Type:idolo, Event Name:threat_found, Device Message: Device: edolo; Zones Removed: ugiatquo; Zones Added: ntium, User: uptate lloinven (econs), Zone Names:lmolesti Device Id: apariatu", + "fileset.name": "protect", + "input.type": "log", + "log.offset": 15313, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "rsa.db.index": "lmolesti", + "rsa.identity.firstname": "uptate", + "rsa.identity.lastname": "lloinven", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "idolo", + "rsa.misc.device_name": "edolo", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "econs", + "service.type": "cylance", + "tags": [ + "cylance.protect", "forwarded" ] }, @@ -1485,11 +2134,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "September 2017/09/06 06:55:24 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", + "event.original": "May 2018/05/07 06:39:06 erspi4926.www5.test CylancePROTECT Event Type: AppControl, incidid quin [autemv] Event Type: AppControl, Event Name: PolicyAdd, Device Name: fugits, IP Address: (10.153.34.43), Action: allow, Action Type: acommo, File Path: isi, SHA256: culpaq, Zone Names: saute", "file.directory": "isi", "fileset.name": "protect", "input.type": "log", - "log.offset": 10997, + "log.offset": 15555, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1521,11 +2170,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2017-9-20T1:57:58.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", + "event.original": "2018-5-21T1:41:41.abor magnid3343.home CylancePROTECT tesseq niam [pernat] Event Type: DeviceControl, Event Name: threat_found, Device Name: gitse, External Device Type: ugitse, External Device Vendor ID: quiineav, External Device Name: billoinv, External Device Product ID: sci, External Device Serial Number: col, Zone Names: obea", "fileset.name": "protect", "host.name": "magnid3343.home", "input.type": "log", - "log.offset": 11290, + "log.offset": 15842, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1554,11 +2203,11 @@ "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "4-Oct-2017 9:00:32 high uptatem4483.localhost inrepr <umdolors 4T21:00:32.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", + "event.original": "4-Jun-2018 8:44:15 high uptatem4483.localhost inrepr <umdolors 4T20:44:15.dolori asperna7623.www.home CylancePROTECT Event Name:ThreatUpdated, Message: Device:dexewas auto assigned to Zone:tat, User:onproide", "fileset.name": "protect", "host.name": "asperna7623.www.home", "input.type": "log", - "log.offset": 11623, + "log.offset": 16175, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", @@ -1582,109 +2231,90 @@ ] }, { - "event.action": "LoginSuccess", + "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "nde 2017-10-19T4:03:07.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", - "file.directory": "seddoeiu", + "event.original": "riosa 2018-6-19T3:46:49.tNe pisc3553.internal.home CylancePROTECT rautod olest eataev Event Type: ExploitAttempt, Event Name: DeviceEdit, Device Name: ritati, IP Address: (10.43.110.203), Action: allow, Process ID: 1359, Process Name: nim.exe, User Name: ame, Violation Type: amvolu, Zone Names: mip", "fileset.name": "protect", - "host.name": "undeom845.www5.example", + "host.name": "pisc3553.internal.home", "input.type": "log", - "log.offset": 11837, - "network.application": "nse", + "log.offset": 16388, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.3421", + "process.name": "nim.exe", + "process.pid": 1359, "related.hosts": [ - "undeom845.www5.example" + "pisc3553.internal.home" + ], + "related.ip": [ + "10.43.110.203" ], "related.user": [ - "tassita" + "ame" ], - "rsa.db.index": "quira", + "rsa.db.index": "mip", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "liq", - "rsa.misc.version": "1.3421", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " ExploitAttempt", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "DeviceEdit", + "rsa.misc.node": "ritati", + "rsa.misc.policy_name": "amvolu", "rsa.network.alias_host": [ - "undeom845.www5.example" + "pisc3553.internal.home" ], "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" + "source.ip": [ + "10.43.110.203" ], - "user.name": "tassita" - }, - { - "event.action": "threat_changed", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Nov 2 11:05:41 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 12101, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.identity.firstname": "tatema", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "nisiut", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.node": "quira", - "rsa.network.zone": "rror", - "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "ame" }, { - "event.action": "threat_quarantined", + "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "16-November-2017 18:08:15 high oeni179.api.localhost gna <lumqu 2017-11-16T6:08:15.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", - "file.directory": "nculpaq", - "file.name": "psa", - "file.type": "iame", + "event.original": "3-July-2018 10:49:23 medium iame4937.local tiumd <mexer 2018/07/03T10:49:23.estla uipexe7153.api.corp CylancePROTECT saqu remips illoi Event Type: AppControl, Event Name: ZoneAdd, Device Name: abori, IP Address: (10.127.20.244), Action: block, Action Type: uelauda, File Path: ema, SHA256: odi, Zone Names: ptatems", + "file.directory": "ema", "fileset.name": "protect", - "host.name": "ons5050.mail.test", + "host.name": "uipexe7153.api.corp", "input.type": "log", - "log.offset": 12269, + "log.offset": 16688, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "ons5050.mail.test" + "uipexe7153.api.corp" ], "related.ip": [ - "10.48.209.115" + "10.127.20.244" ], - "rsa.crypto.sig_type": "adm", - "rsa.db.index": "cta", + "rsa.db.index": "ptatems", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "sequat", - "rsa.misc.event_state": "ccaec", - "rsa.misc.event_type": "threat_quarantined", - "rsa.misc.node": "mquiad", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.checksum": "odi", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.node": "abori", "rsa.network.alias_host": [ - "ons5050.mail.test" + "uipexe7153.api.corp" ], - "rsa.web.reputation_num": 75.498, "service.type": "cylance", "source.ip": [ - "10.48.209.115" + "10.127.20.244" ], "tags": [ "cylance.protect", @@ -1692,75 +2322,64 @@ ] }, { - "event.action": "PolicyAdd", + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "1-Dec-2017 1:10:49 very-high trudex4443.www5.localhost lor <eseruntm 1T01:10:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", + "event.original": "nde 2018-7-17T5:51:58.abillo undeom845.www5.example CylancePROTECT quaer eetdo [tlab] Event Type: ScriptControl, Event Name: LoginSuccess, Device Name: liq, File Path: seddoeiu, Interpreter: nse, Interpreter Version: 1.3421, Zone Names: quira, User Name: tassita", + "file.directory": "seddoeiu", "fileset.name": "protect", - "host.mac": "01:00:5e:e8:41:ae", - "host.name": "oloreeu7597.mail.home", + "host.name": "undeom845.www5.example", "input.type": "log", - "log.offset": 12834, + "log.offset": 17011, + "network.application": "nse", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "observer.version": "1.3421", "related.hosts": [ - "oloreeu7597.mail.home" - ], - "related.ip": [ - "10.7.99.47" + "undeom845.www5.example" ], "related.user": [ - "evolupta" + "tassita" ], - "rsa.db.index": "ditau", + "rsa.db.index": "quira", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.misc.OS": "teturadi", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.node": "nula", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.event_type": "LoginSuccess", + "rsa.misc.node": "liq", + "rsa.misc.version": "1.3421", "rsa.network.alias_host": [ - "oloreeu7597.mail.home" + "undeom845.www5.example" ], - "rsa.network.eth_host": "01:00:5e:e8:41:ae", "service.type": "cylance", - "source.ip": [ - "10.7.99.47" - ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "evolupta" + "user.name": "tassita" }, { - "event.action": "Device Updated", + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "hend 2017-12-15T8:13:24.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", + "event.original": "Aug 1 12:54:32 atis6201.internal.invalid CylancePROTECT Event Type:nisiut, Event Name:threat_changed, Message: Device:quirawas auto assigned to Zone:rror, User:tatema", "fileset.name": "protect", - "host.name": "ueip5847.api.test", "input.type": "log", - "log.offset": 13150, + "log.offset": 17274, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.hosts": [ - "ueip5847.api.test" - ], - "rsa.crypto.sig_type": "Nemoenim", + "rsa.identity.firstname": "tatema", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": "sed", - "rsa.misc.checksum": "labori", - "rsa.misc.event_type": "Device Updated", - "rsa.network.alias_host": [ - "ueip5847.api.test" - ], + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "nisiut", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "quira", + "rsa.network.zone": "rror", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1768,64 +2387,32 @@ ] }, { - "event.action": "SystemSecurity", + "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ostr 2017-12-29T3:15:58.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", - "file.directory": "eufug", + "event.original": "15-August-2018 07:57:06 low tperspic7591.www.lan ict <tem 2018-8-15T7:57:06.mestq ura675.mail.localdomain CylancePROTECT eleumiu uei Nequepo Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: seddo, External Device Type: uam, External Device Vendor ID: orumSec, External Device Name: nisiuta, External Device Product ID: stiaecon, External Device Serial Number: dol, Zone Names: sumquiad", "fileset.name": "protect", - "host.name": "uid3520.www.home", + "host.name": "ura675.mail.localdomain", "input.type": "log", - "log.offset": 13355, - "network.application": "roquisq", + "log.offset": 17441, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.989", "related.hosts": [ - "uid3520.www.home" - ], - "related.user": [ - "ici" + "ura675.mail.localdomain" ], - "rsa.db.index": "civelits", + "rsa.db.index": "sumquiad", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "prehend", - "rsa.misc.version": "1.989", + "rsa.investigations.event_cat": 1804020000, + "rsa.investigations.event_cat_name": "Network.Devices.Removals", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "DeviceRemove", + "rsa.misc.node": "seddo", + "rsa.misc.serial_number": "dol", "rsa.network.alias_host": [ - "uid3520.www.home" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" + "ura675.mail.localdomain" ], - "user.name": "ici" - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Jan 12 10:18:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 13623, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "nostrud", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "iduntu", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "inibusB", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1833,703 +2420,154 @@ ] }, { - "event.action": "SyslogSettingsSave", + "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jan 27 5:21:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", + "event.original": "29-August-2018 14:59:40 high oeni179.api.localhost gna <lumqu 2018-8-29T2:59:40.onulamco ons5050.mail.test CylancePROTECT unt tass [tiumdol] Event Type: Threat, Event Name: threat_quarantined, Device Name: mquiad, IP Address: (10.48.209.115), File Name: psa, Path: nculpaq, Drive Type: reseosqu, SHA256: sequat, MD5: lor, Status: ccaec, Cylance Score: 75.498000, Found Date: ommo, File Type: iame, Is Running: laudanti, Auto Run: umiurer, Detected By: rere, Zone Names: cta, Is Malware: aevi, Is Unique To Cylance: uameiusm, Threat Classification: adm", + "file.directory": "nculpaq", + "file.name": "psa", + "file.type": "iame", "fileset.name": "protect", + "host.name": "ons5050.mail.test", "input.type": "log", - "log.offset": 13772, + "log.offset": 17854, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.identity.firstname": "ugiat", + "related.hosts": [ + "ons5050.mail.test" + ], + "related.ip": [ + "10.48.209.115" + ], + "rsa.crypto.sig_type": "adm", + "rsa.db.index": "cta", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "pariatur", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "imavenia", - "rsa.network.zone": "expli", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "sequat", + "rsa.misc.event_state": "ccaec", + "rsa.misc.event_type": "threat_quarantined", + "rsa.misc.node": "mquiad", + "rsa.network.alias_host": [ + "ons5050.mail.test" + ], + "rsa.web.reputation_num": 75.498, "service.type": "cylance", + "source.ip": [ + "10.48.209.115" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "event.action": "SystemSecurity", + "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "bore 2018-2-10T12:23:41.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", + "event.original": "12-September-2018 22:02:15 medium mnihilm1903.internal.host ditautf <ori 2018-9-12T10:02:15.uamqu olori4584.mail.domain CylancePROTECT sunt autfugit emUte Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: nturmag; Policy: tura; Value: osquirat, User: equat aliquid (usantiu)", "fileset.name": "protect", - "host.name": "teir7585.www5.localdomain", + "host.name": "olori4584.mail.domain", "input.type": "log", - "log.offset": 13945, + "log.offset": 18416, "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "teir7585.www5.localdomain" - ], - "rsa.identity.firstname": "scip", - "rsa.identity.lastname": "Finibus", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "Utenimad", - "rsa.misc.node": "oreverit", - "rsa.network.alias_host": [ - "teir7585.www5.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Feb 24 7:26:15 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse ", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 14144, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "ptate, Device Id: entsu, Policy Name: conse", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ali", - "rsa.misc.device_name": "itasp", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "quunt", - "rsa.misc.serial_number": "volup", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "Mar 11 2:28:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: nvo iamqui (tassita), Zone Names: colabori Device Id: imidestl", - "fileset.name": "protect", - "input.type": "log", - "log.offset": 14471, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "rsa.db.index": "colabori", - "rsa.identity.firstname": "nvo", - "rsa.identity.lastname": "iamqui", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "atura", - "rsa.misc.device_name": "oreeu", - "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "tassita", - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ZoneAddDevice", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2018-3-25T9:31:24.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: (ever)", - "fileset.name": "protect", - "host.name": "serrorsi1096.www5.localdomain", - "input.type": "log", - "log.offset": 14653, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "serrorsi1096.www5.localdomain" - ], - "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.node": "reetdo", - "rsa.network.alias_host": [ - "serrorsi1096.www5.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SystemSecurity", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "quiav 2018-4-8T4:33:58.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum", - "fileset.name": "protect", - "host.name": "prehen4807.mail.invalid", - "input.type": "log", - "log.offset": 14890, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "prehen4807.mail.invalid" - ], - "rsa.db.index": "meum", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " DeviceControl", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "remq", - "rsa.misc.serial_number": "ugia", - "rsa.network.alias_host": [ - "prehen4807.mail.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ZoneAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2018-4-22T11:36:32.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", - "fileset.name": "protect", - "host.name": "sit1400.www.lan", - "input.type": "log", - "log.offset": 15226, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "sit1400.www.lan" - ], - "rsa.db.index": "ntsunti", - "rsa.identity.firstname": "uid", - "rsa.identity.lastname": "idatat", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "onev", - "rsa.misc.policy_name": "borios", - "rsa.network.alias_host": [ - "sit1400.www.lan" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "Device Updated", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "hilmole 2018-5-7T6:39:06.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", - "fileset.name": "protect", - "host.name": "sectetu7182.localdomain", - "input.type": "log", - "log.offset": 15419, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "sectetu7182.localdomain" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1804010000, - "rsa.investigations.event_cat_name": "Network.Devices.Additions", - "rsa.investigations.event_vcat": "orissus", - "rsa.misc.event_type": "Device Updated", - "rsa.network.alias_host": [ - "sectetu7182.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "ZoneAdd", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2018-5-21T1:41:41.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)", - "fileset.name": "protect", - "host.name": "officiad4982.www5.domain", - "input.type": "log", - "log.offset": 15567, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "officiad4982.www5.domain" - ], - "rsa.identity.firstname": "etdolore", - "rsa.identity.lastname": "magnaa", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ZoneAdd", - "rsa.misc.mail_id": "sumquiad", - "rsa.misc.node": "umtota", - "rsa.network.alias_host": [ - "officiad4982.www5.domain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "pechange", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2018-6-4T8:44:15.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun", - "fileset.name": "protect", - "host.name": "consequa1486.internal.localdomain", - "input.type": "log", - "log.offset": 15754, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "consequa1486.internal.localdomain" - ], - "rsa.crypto.sig_type": "quaeratv", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ptatemse", - "rsa.misc.checksum": "tobeata", - "rsa.misc.event_type": "pechange", - "rsa.network.alias_host": [ - "consequa1486.internal.localdomain" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "fullaccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2018-6-19T3:46:49.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui", - "fileset.name": "protect", - "host.mac": "01:00:5e:bc:c1:21", - "host.name": "its6443.mail.example", - "input.type": "log", - "log.offset": 15974, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "its6443.mail.example" - ], - "related.ip": [ - "10.139.80.71" - ], - "related.user": [ - "orem" - ], - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "miurere", - "rsa.misc.OS": "eniamqui", - "rsa.misc.event_type": "fullaccess", - "rsa.misc.node": "tlabo", - "rsa.network.alias_host": [ - "its6443.mail.example" - ], - "rsa.network.eth_host": "01:00:5e:bc:c1:21", - "service.type": "cylance", - "source.ip": [ - "10.139.80.71" - ], - "tags": [ - "cylance.protect", - "forwarded" - ], - "user.name": "orem" - }, - { - "event.action": "Alert", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "3-July-2018 10:49:23 low sumd3215.test aUtenima <taevi 2018-7-3T10:49:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati", - "file.directory": "ttenb", - "file.name": "itl", - "file.type": "oluptat", - "fileset.name": "protect", - "host.name": "tconsec7604.corp", - "input.type": "log", - "log.offset": 16248, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tconsec7604.corp" - ], - "related.ip": [ - "10.223.246.244" - ], - "rsa.crypto.sig_type": "ercitati", - "rsa.db.index": "con", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "quiav", - "rsa.misc.event_state": "Nem", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "stiaecon", - "rsa.network.alias_host": [ - "tconsec7604.corp" - ], - "rsa.web.reputation_num": 105.845, - "service.type": "cylance", - "source.ip": [ - "10.223.246.244" - ], - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "17-July-2018 17:51:58 high taspe1205.mail.domain cti <nse 2018-7-17T5:51:58.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)", - "fileset.name": "protect", - "host.name": "tuser2694.internal.invalid", - "input.type": "log", - "log.offset": 16788, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tuser2694.internal.invalid" - ], - "rsa.identity.firstname": "natus", - "rsa.identity.lastname": "boreet", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "ugiatqu", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "luptasnu", - "rsa.misc.node": "turveli", - "rsa.misc.policy_name": "isciv", - "rsa.network.alias_host": [ - "tuser2694.internal.invalid" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "pechange", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "edqu 2018-8-1T12:54:32.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine", - "fileset.name": "protect", - "host.name": "gnaaliq5240.api.test", - "input.type": "log", - "log.offset": 17069, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "gnaaliq5240.api.test" - ], - "rsa.crypto.sig_type": "ratvo", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "esciun", - "rsa.misc.checksum": "volupt", - "rsa.misc.event_type": "pechange", - "rsa.network.alias_host": [ - "gnaaliq5240.api.test" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "LoginSuccess", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "15-Aug-2018 7:57:06 low ditaut33.mail.localhost iumdo <mea 15T07:57:06.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo", - "fileset.name": "protect", - "host.name": "illum2625.test", - "input.type": "log", - "log.offset": 17270, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "illum2625.test" - ], - "rsa.crypto.sig_type": "iaeconse", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.checksum": "nimadmin", - "rsa.misc.event_type": "LoginSuccess", - "rsa.network.alias_host": [ - "illum2625.test" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "29-August-2018 14:59:40 low iaturE3103.api.domain aturve <iatu 2018/08/29T14:59:40.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia", - "file.directory": "emporin", - "fileset.name": "protect", - "host.name": "nulamc5617.mail.host", - "input.type": "log", - "log.offset": 17480, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "nulamc5617.mail.host" - ], - "related.ip": [ - "10.134.137.205" - ], - "rsa.db.index": "etquasia", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.checksum": "oreseosq", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.node": "ntu", - "rsa.network.alias_host": [ - "nulamc5617.mail.host" - ], - "service.type": "cylance", - "source.ip": [ - "10.134.137.205" - ], - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "threat_found", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2018-9-12T10:02:15.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)", - "fileset.name": "protect", - "host.name": "tatem4713.internal.host", - "input.type": "log", - "log.offset": 17827, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "tatem4713.internal.host" - ], - "rsa.db.index": "usci", - "rsa.identity.firstname": "lupta", - "rsa.identity.lastname": "ura", - "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "threat_found", - "rsa.misc.mail_id": "oreeufug", - "rsa.misc.policy_name": "unturmag", - "rsa.network.alias_host": [ - "tatem4713.internal.host" - ], - "service.type": "cylance", - "tags": [ - "cylance.protect", - "forwarded" - ] - }, - { - "event.action": "SyslogSettingsSave", - "event.code": "CylancePROTECT", - "event.dataset": "cylance.protect", - "event.module": "cylance", - "event.original": "2018-9-27T5:04:49.data ugits5961.www5.local CylancePROTECT uam quis [exe] Event Type: naa, Event Name: SyslogSettingsSave, Device Name: idolo, Agent Version: mqu, IP Address: (10.91.2.225, rcitat), MAC Address: (01:00:5e:42:41:00, ionofdeF), Logged On Users: (rsp), OS: imipsa Zone Names: nostrum", - "fileset.name": "protect", - "host.mac": "01:00:5e:42:41:00", - "host.name": "ugits5961.www5.local", - "input.type": "log", - "log.offset": 18043, - "observer.product": "Protect", - "observer.type": "Anti-Virus", - "observer.vendor": "Cylance", - "related.hosts": [ - "ugits5961.www5.local" - ], - "related.ip": [ - "10.91.2.225" - ], - "related.user": [ - "rsp" + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "olori4584.mail.domain" ], - "rsa.db.index": "nostrum", + "rsa.db.index": "nturmag", + "rsa.identity.firstname": "equat", + "rsa.identity.lastname": "aliquid", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "naa", - "rsa.misc.OS": "imipsa", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "idolo", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ThreatUpdated", + "rsa.misc.mail_id": "usantiu", + "rsa.misc.policy_name": "tura", "rsa.network.alias_host": [ - "ugits5961.www5.local" + "olori4584.mail.domain" ], - "rsa.network.eth_host": "01:00:5e:42:41:00", "service.type": "cylance", - "source.ip": [ - "10.91.2.225" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "rsp" + ] }, { - "event.action": "block", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-10-11T12:07:23.onsecte prehende5460.mail.localdomain CylancePROTECT equatD uidol [inculpa] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: uido, IP Address: (10.191.99.14), Action: block, Process ID: 601, Process Name: nimadmi.exe, User Name: lapa, Violation Type: emoenimi, Zone Names: iquipex", + "event.original": "27-Sep-2018 5:04:49 very-high trudex4443.www5.localhost lor <eseruntm 27T05:04:49.lpaquiof oloreeu7597.mail.home CylancePROTECT Event Name:PolicyAdd, Device Name:nula, Agent Version:quiacons, IP Address: (10.7.99.47), MAC Address: (01:00:5e:e8:41:ae), Logged On Users: (evolupta), OS:teturadi, Zone Names:ditau", "fileset.name": "protect", - "host.name": "prehende5460.mail.localdomain", + "host.mac": "01:00:5e:e8:41:ae", + "host.name": "oloreeu7597.mail.home", "input.type": "log", - "log.offset": 18340, + "log.offset": 18714, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "nimadmi.exe", - "process.pid": 601, "related.hosts": [ - "prehende5460.mail.localdomain" + "oloreeu7597.mail.home" ], "related.ip": [ - "10.191.99.14" + "10.7.99.47" ], "related.user": [ - "lapa" + "evolupta" ], - "rsa.db.index": "iquipex", + "rsa.db.index": "ditau", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "uido", - "rsa.misc.policy_name": "emoenimi", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.misc.OS": "teturadi", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.node": "nula", "rsa.network.alias_host": [ - "prehende5460.mail.localdomain" + "oloreeu7597.mail.home" ], + "rsa.network.eth_host": "01:00:5e:e8:41:ae", "service.type": "cylance", "source.ip": [ - "10.191.99.14" + "10.7.99.47" ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "lapa" + "user.name": "evolupta" }, { - "event.action": "Device Policy Assigned", + "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "25-Oct-2018 7:09:57 high abill5290.lan mini <tionev 25T19:09:57.uasiarch velites1745.api.corp CylancePROTECT Event Name:Device Policy Assigned, Device Message: Device: psaqu Agent Self Protection Level Changed: 'nimides' to 'olorsit', User: naaliq plica (asiarc), Zone Names: lor Device Id: nvolupt", + "event.original": "hend 2018-10-11T12:07:23.eacommo ueip5847.api.test CylancePROTECT umd sciveli [dolorem] Event Type: sed, Event Name: Device Updated, Threat Class: Nemoenim, Threat Subclass: usm, SHA256: labori, MD5: porai", "fileset.name": "protect", - "host.name": "velites1745.api.corp", + "host.name": "ueip5847.api.test", "input.type": "log", - "log.offset": 18660, + "log.offset": 19032, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "velites1745.api.corp" + "ueip5847.api.test" ], - "rsa.db.index": "lor", - "rsa.identity.firstname": "naaliq", - "rsa.identity.lastname": "plica", + "rsa.crypto.sig_type": "Nemoenim", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.misc.change_new": "olorsit", - "rsa.misc.change_old": "nimides", - "rsa.misc.device_name": "psaqu", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "asiarc", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "sed", + "rsa.misc.checksum": "labori", + "rsa.misc.event_type": "Device Updated", "rsa.network.alias_host": [ - "velites1745.api.corp" + "ueip5847.api.test" ], "service.type": "cylance", "tags": [ @@ -2538,66 +2576,64 @@ ] }, { - "event.action": "LoginSuccess", + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "9-Nov-2018 2:12:32 high bori319.api.localdomain utf <dexe 9T02:12:32.nemul Duis583.api.local CylancePROTECT Event Name:LoginSuccess, Threat Class:dminim, Threat Subclass:ptatevel, SHA256:aperiame, MD5:stenat", + "event.original": "ostr 2018-10-25T7:09:57.sec uid3520.www.home CylancePROTECT eFini ectob [mrema] Event Type: ScriptControl, Event Name: SystemSecurity, Device Name: prehend, File Path: eufug, Interpreter: roquisq, Interpreter Version: 1.989 (est), Zone Names: civelits, User Name: ici", + "file.directory": "eufug", "fileset.name": "protect", - "host.name": "Duis583.api.local", + "host.name": "uid3520.www.home", "input.type": "log", - "log.offset": 18964, + "log.offset": 19238, + "network.application": "roquisq", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "observer.version": "1.989", "related.hosts": [ - "Duis583.api.local" + "uid3520.www.home" ], - "rsa.crypto.sig_type": "dminim", + "related.user": [ + "ici" + ], + "rsa.db.index": "civelits", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.misc.checksum": "aperiame", - "rsa.misc.event_type": "LoginSuccess", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " ScriptControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "prehend", + "rsa.misc.version": "1.989", "rsa.network.alias_host": [ - "Duis583.api.local" + "uid3520.www.home" ], "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "ici" }, { - "event.action": "DeviceEdit", + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "inrepreh 2018-11-23T9:15:06.rit velitess2401.www.lan CylancePROTECT vel ionevo [ntsun] Event Type: ScriptControl, Event Name: DeviceEdit, Device Name: volupta, File Path: umfu, Interpreter: utla, Interpreter Version: 1.2478 (tDuisaut), Zone Names: dolo", - "file.directory": "umfu", + "event.original": "Nov 9 2:12:32 miurerep3693.mail.localhost CylancePROTECT Event Type:iduntu, Event Name:SyslogSettingsSave, Device Name:inibusB, Zone Names:nostrud", "fileset.name": "protect", - "host.name": "velitess2401.www.lan", "input.type": "log", - "log.offset": 19179, - "network.application": "utla", + "log.offset": 19506, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.2478", - "related.hosts": [ - "velitess2401.www.lan" - ], - "rsa.db.index": "dolo", + "rsa.db.index": "nostrud", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ScriptControl", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "volupta", - "rsa.misc.version": "1.2478", - "rsa.network.alias_host": [ - "velitess2401.www.lan" - ], + "rsa.investigations.event_vcat": "iduntu", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "inibusB", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2605,35 +2641,25 @@ ] }, { - "event.action": "pechange", + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2018-12-7T4:17:40.quisnost sequines3991.mail.local CylancePROTECT illum ore [spici] Event Type: AuditLog, Event Name: pechange, Message: Policy: iquamqu; SHA256: eumfugia; Category: reeufugi, User: sequines minimve (texplica)", + "event.original": "Nov 23 9:15:06 esse3795.www.host CylancePROTECT Event Type:pariatur, Event Name:SyslogSettingsSave, Message: The Device:imaveniawas auto assigned to Zone:expli, User:ugiat", "fileset.name": "protect", - "host.name": "sequines3991.mail.local", "input.type": "log", - "log.offset": 19432, + "log.offset": 19653, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.hosts": [ - "sequines3991.mail.local" - ], - "rsa.identity.firstname": "sequines", - "rsa.identity.lastname": "minimve", + "rsa.identity.firstname": "ugiat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "reeufugi", - "rsa.misc.checksum": "eumfugia", - "rsa.misc.event_type": "pechange", - "rsa.misc.mail_id": "texplica", - "rsa.misc.policy_name": "iquamqu", - "rsa.network.alias_host": [ - "sequines3991.mail.local" - ], + "rsa.investigations.event_vcat": "pariatur", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "imavenia", + "rsa.network.zone": "expli", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2641,72 +2667,61 @@ ] }, { - "event.action": "pechange", + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "21-December-2018 23:20:14 very-high olup3841.mail.invalid idolor <uira 2018-12-21T11:20:14.eosqui iatquo2815.mail.host CylancePROTECT aliqu sequine [utaliqui] Event Type: Threat, Event Name: pechange, Device Name: imveni, IP Address: (10.181.215.164), File Name: itationu, Path: setquas, Drive Type: nbyCi, SHA256: runtmoll, MD5: busBon, Status: norumetM, Cylance Score: 38.593000, Found Date: vitaedi, File Type: rna, Is Running: cons, Auto Run: Except, Detected By: lestiae, Zone Names: iav, Is Malware: umiure, Is Unique To Cylance: isiut, Threat Classification: tin", - "file.directory": "setquas", - "file.name": "itationu", - "file.type": "rna", + "event.original": "bore 2018-12-7T4:17:40.ptate teir7585.www5.localdomain CylancePROTECT quu xeac [llitanim] Event Type: AuditLog, Event Name: SystemSecurity, Message: Devices: oreverit, User: scip Finibus (Utenimad)", "fileset.name": "protect", - "host.name": "iatquo2815.mail.host", + "host.name": "teir7585.www5.localdomain", "input.type": "log", - "log.offset": 19658, + "log.offset": 19825, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "iatquo2815.mail.host" - ], - "related.ip": [ - "10.181.215.164" + "teir7585.www5.localdomain" ], - "rsa.crypto.sig_type": "tin", - "rsa.db.index": "iav", + "rsa.identity.firstname": "scip", + "rsa.identity.lastname": "Finibus", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " Threat", - "rsa.misc.checksum": "runtmoll", - "rsa.misc.event_state": "norumetM", - "rsa.misc.event_type": "pechange", - "rsa.misc.node": "imveni", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.mail_id": "Utenimad", + "rsa.misc.node": "oreverit", "rsa.network.alias_host": [ - "iatquo2815.mail.host" + "teir7585.www5.localdomain" ], - "rsa.web.reputation_num": 38.593, "service.type": "cylance", - "source.ip": [ - "10.181.215.164" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - "event.action": "Device Policy Assigned", + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jan 5 6:22:49 reetdo6578.mail.domain CylancePROTECT Event Type:inBC, Event Name:Device Policy Assigned, Device Message: Device: atevelit; Zones Removed: ugitsed; Zones Added: dminimve, User: remips laboreet (uptate), Zone Names:tot Device Id: reme", + "event.original": "Dec 21 11:20:14 hen1901.example CylancePROTECT Event Type:ali, Event Name:SyslogSettingsSave, Device Name:quunt, External Device Type:itasp, External Device Vendor ID:qui, External Device Name:equeporr, External Device Product ID:met, External Device Serial Number:volup, Zone Names:ptate, Device Id: entsu, Policy Name: conse", "fileset.name": "protect", "input.type": "log", - "log.offset": 20234, + "log.offset": 20023, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "tot", - "rsa.identity.firstname": "remips", - "rsa.identity.lastname": "laboreet", + "rsa.db.index": "ptate", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "inBC", - "rsa.misc.device_name": "atevelit", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.mail_id": "uptate", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "ali", + "rsa.misc.device_name": "itasp", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.node": "quunt", + "rsa.misc.policy_name": "conse", + "rsa.misc.serial_number": "volup", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2714,35 +2729,27 @@ ] }, { - "event.action": "ZoneAddDevice", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "19-Jan-2019 1:25:23 very-high ide4421.api.localdomain isautem <gnamali 19T13:25:23.iumtota issusci7005.mail.host CylancePROTECT Event Name:ZoneAddDevice, Device Message: Device: ore Agent Self Protection Level Changed: 'lors' to 'saute', User: ecillumd iumto (sequatu), Zone Names: tiumtot Device Id: tate", + "event.original": "Jan 5 6:22:49 mag4267.www.test CylancePROTECT Event Type:atura, Event Name:Alert, Device Message: Device: oreeu User: ),nvo (iamqui tassita Zone Names: colabori Device Id: imidestl", "fileset.name": "protect", - "host.name": "issusci7005.mail.host", "input.type": "log", - "log.offset": 20482, + "log.offset": 20350, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.hosts": [ - "issusci7005.mail.host" - ], - "rsa.db.index": "tiumtot", - "rsa.identity.firstname": "ecillumd", - "rsa.identity.lastname": "iumto", + "rsa.db.index": "colabori", + "rsa.identity.firstname": "tassita", + "rsa.identity.lastname": "iamqui", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.change_new": "saute", - "rsa.misc.change_old": "lors", - "rsa.misc.device_name": "ore", - "rsa.misc.event_type": "ZoneAddDevice", - "rsa.misc.mail_id": "sequatu", - "rsa.network.alias_host": [ - "issusci7005.mail.host" - ], + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": "atura", + "rsa.misc.device_name": "oreeu", + "rsa.misc.event_type": "Alert", + "rsa.misc.mail_id": "nvo", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2750,70 +2757,65 @@ ] }, { - "event.action": "accept", + "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "inBCSed 2019/02/02T20:27:57.cteturad umq7428.invalid CylancePROTECT psum tate [dtempo] Event Type: AppControl, Event Name: SyslogSettingsSave, Device Name: iad, IP Address: (10.164.59.219), Action: accept, Action Type: billoi, File Path: reseo, SHA256: quam, Zone Names: ulpaquio", - "file.directory": "reseo", + "event.original": "2019-1-19T1:25:23.minimve serrorsi1096.www5.localdomain CylancePROTECT lamco cit [siar] Event Type: AuditLog, Event Name: ZoneAddDevice, Message: The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices, User: ()ever", "fileset.name": "protect", - "host.name": "umq7428.invalid", + "host.name": "serrorsi1096.www5.localdomain", "input.type": "log", - "log.offset": 20794, + "log.offset": 20531, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "umq7428.invalid" - ], - "related.ip": [ - "10.164.59.219" + "serrorsi1096.www5.localdomain" ], - "rsa.db.index": "ulpaquio", + "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "accept" - ], - "rsa.misc.checksum": "quam", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "iad", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAddDevice", + "rsa.misc.mail_id": "ever", + "rsa.misc.node": "reetdo", "rsa.network.alias_host": [ - "umq7428.invalid" + "serrorsi1096.www5.localdomain" ], "service.type": "cylance", - "source.ip": [ - "10.164.59.219" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - "event.action": "PolicyAdd", + "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Feb 17 3:30:32 iconsequ5445.local CylancePROTECT Event Type:archite, Event Name:PolicyAdd, Device Message: Device: rem User: onorumet iscivel (rinci), Zone Names: eacomm Device Id: aboNem", + "event.original": "quiav 2019-2-2T8:27:57.mse prehen4807.mail.invalid CylancePROTECT liqua ariatur [labo] Event Type: DeviceControl, Event Name: SystemSecurity, Device Name: remq, External Device Type: unt, External Device Vendor ID: tla, External Device Name: arch, External Device Product ID: lite, External Device Serial Number: ugia, Zone Names: meum", "fileset.name": "protect", + "host.name": "prehen4807.mail.invalid", "input.type": "log", - "log.offset": 21074, + "log.offset": 20766, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "eacomm", - "rsa.identity.firstname": "onorumet", - "rsa.identity.lastname": "iscivel", + "related.hosts": [ + "prehen4807.mail.invalid" + ], + "rsa.db.index": "meum", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": "archite", - "rsa.misc.device_name": "rem", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "rinci", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "remq", + "rsa.misc.serial_number": "ugia", + "rsa.network.alias_host": [ + "prehen4807.mail.invalid" + ], "service.type": "cylance", "tags": [ "cylance.protect", @@ -2821,71 +2823,65 @@ ] }, { - "event.action": "block", + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "odit 2019/03/03T10:33:06.vol epteurs5503.www5.home CylancePROTECT modi cip [tla] Event Type: AppControl, Event Name: threat_found, Device Name: iscive, IP Address: (10.1.193.187), Action: block, Action Type: nproiden, File Path: ionem, SHA256: taevitae, Zone Names: dminimv", - "file.directory": "ionem", + "event.original": "Feb 17 3:30:32 nvolupta126.www.domain CylancePROTECT Event Type:quas, Event Name:threat_found, Device Name:orp, File Path:ender, Interpreter:dico, Interpreter Version:1.5848, Zone Names:Utenima, User Name: olore", + "file.name": "ender", "fileset.name": "protect", - "host.name": "epteurs5503.www5.home", "input.type": "log", - "log.offset": 21262, + "log.offset": 21102, + "network.application": "dico", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "related.hosts": [ - "epteurs5503.www5.home" - ], - "related.ip": [ - "10.1.193.187" + "observer.version": "1.5848", + "related.user": [ + "olore" ], - "rsa.db.index": "dminimv", + "rsa.db.index": "Utenima", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AppControl", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.checksum": "taevitae", + "rsa.investigations.event_vcat": "quas", "rsa.misc.event_type": "threat_found", - "rsa.misc.node": "iscive", - "rsa.network.alias_host": [ - "epteurs5503.www5.home" - ], + "rsa.misc.node": "orp", + "rsa.misc.version": "1.5848", "service.type": "cylance", - "source.ip": [ - "10.1.193.187" - ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "olore" }, { "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Mar 17 5:35:40 rep6417.internal.test CylancePROTECT Event Type:ipiscin, Event Name:DeviceRemove, Device Message: Device: orinr; Policy Changed: ineavol to 'umdo', User: tass ugi (riat), Zone Names:atvol, Device Id: emipsum", + "event.original": "3-March-2019 10:33:06 medium radip4253.www.corp gna <quamnih 2019-3-3T10:33:06.asnulap yCiceroi5998.mail.home CylancePROTECT inc tect uiad Event Type: DeviceControl, Event Name: DeviceRemove, Device Name: roinBCSe, External Device Type: maperiam, External Device Vendor ID: mSec, External Device Name: smoditem, External Device Product ID: tatisetq, External Device Serial Number: uidolo, Zone Names: umdolore", "fileset.name": "protect", + "host.name": "yCiceroi5998.mail.home", "input.type": "log", - "log.offset": 21536, + "log.offset": 21314, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "atvol", - "rsa.identity.firstname": "tass", - "rsa.identity.lastname": "ugi", + "related.hosts": [ + "yCiceroi5998.mail.home" + ], + "rsa.db.index": "umdolore", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804020000, "rsa.investigations.event_cat_name": "Network.Devices.Removals", - "rsa.investigations.event_vcat": "ipiscin", - "rsa.misc.device_name": "orinr", + "rsa.investigations.event_vcat": " DeviceControl", "rsa.misc.event_type": "DeviceRemove", - "rsa.misc.mail_id": "riat", - "rsa.misc.policy_name": "umdo", + "rsa.misc.node": "roinBCSe", + "rsa.misc.serial_number": "uidolo", + "rsa.network.alias_host": [ + "yCiceroi5998.mail.home" + ], "service.type": "cylance", "tags": [ "cylance.protect", @@ -2893,31 +2889,33 @@ ] }, { - "event.action": "DeviceEdit", + "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "1-Apr-2019 12:38:14 medium atDuisa4718.www.domain dolo <umexe 1T00:38:14.xce omnisis5339.www5.local CylancePROTECT Event Name:DeviceEdit, Device Name:stiaec, External Device Type:Cicero, External Device Vendor ID:ven, External Device Name:ipsaqua, External Device Product ID:uel, External Device Serial Number:mqui, Zone Names:deom, Device Id: tiumdo, Policy Name: rautod ", + "event.original": "2019-3-17T5:35:40.abori sit1400.www.lan CylancePROTECT ames amni [tatio] Event Type: AuditLog, Event Name: ZoneAdd, Message: Zone: ntsunti; Policy: borios; Value: ani, User: uid idatat (onev)", "fileset.name": "protect", - "host.name": "omnisis5339.www5.local", + "host.name": "sit1400.www.lan", "input.type": "log", - "log.offset": 21759, + "log.offset": 21729, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "omnisis5339.www5.local" + "sit1400.www.lan" ], - "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", + "rsa.db.index": "ntsunti", + "rsa.identity.firstname": "uid", + "rsa.identity.lastname": "idatat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "Cicero", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.node": "stiaec", - "rsa.misc.serial_number": "mqui", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "onev", + "rsa.misc.policy_name": "borios", "rsa.network.alias_host": [ - "omnisis5339.www5.local" + "sit1400.www.lan" ], "service.type": "cylance", "tags": [ @@ -2926,150 +2924,138 @@ ] }, { - "event.action": "SystemSecurity", + "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "15-April-2019 07:40:49 medium mvol3890.localhost reh <tcons 2019-4-15T7:40:49.squamest ction491.www5.local CylancePROTECT tamet ate [epteur] Event Type: AuditLog, Event Name: SystemSecurity, Message: Device: ill; User: imveniam sunte (exerc)", + "event.original": "iosamni 2019-4-1T12:38:14.idu sis3986.internal.lan CylancePROTECT tsedquia its umdolor Event Type: isiu, Event Name: Device Policy Assigned, Device Name: mmodi, Agent Version: snostr, IP Address: (10.232.90.3), MAC Address: (01:00:5e:e6:a6:a2), Logged On Users: (midestl), OS: nci", "fileset.name": "protect", - "host.name": "ction491.www5.local", + "host.mac": "01:00:5e:e6:a6:a2", + "host.name": "sis3986.internal.lan", "input.type": "log", - "log.offset": 22140, + "log.offset": 21921, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "ction491.www5.local" + "sis3986.internal.lan" + ], + "related.ip": [ + "10.232.90.3" + ], + "related.user": [ + "midestl" ], - "rsa.identity.firstname": "imveniam", - "rsa.identity.lastname": "sunte", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1600000000, - "rsa.investigations.event_cat_name": "System", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "SystemSecurity", - "rsa.misc.mail_id": "exerc", - "rsa.misc.node": "ill", + "rsa.investigations.event_cat": 1502000000, + "rsa.investigations.event_cat_name": "Policies.Rules", + "rsa.investigations.event_vcat": "isiu", + "rsa.misc.OS": "nci", + "rsa.misc.event_type": "Device Policy Assigned", + "rsa.misc.node": "mmodi", "rsa.network.alias_host": [ - "ction491.www5.local" + "sis3986.internal.lan" ], + "rsa.network.eth_host": "01:00:5e:e6:a6:a2", "service.type": "cylance", + "source.ip": [ + "10.232.90.3" + ], "tags": [ "cylance.protect", "forwarded" - ] + ], + "user.name": "midestl" }, { - "event.action": "Alert", + "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "isquames 2019-4-29T2:43:23.mvolupta undeom7847.api.corp CylancePROTECT orainci orese [aev] Event Type: uelaudan, Event Name: Alert, Device Name: teiru, Agent Version: mquamei, IP Address: (10.146.228.234, uradi), MAC Address: (01:00:5e:9a:f3:b9, iusmod), Logged On Users: (susc), OS: taed Zone Names: eatae", + "event.original": "hilmole 2019-4-15T7:40:49.sequ sectetu7182.localdomain CylancePROTECT dolor lorumwri [amnihil] Event Type: orissus, Event Name: Device Updated, uido", "fileset.name": "protect", - "host.mac": "01:00:5e:9a:f3:b9", - "host.name": "undeom7847.api.corp", + "host.name": "sectetu7182.localdomain", "input.type": "log", - "log.offset": 22391, + "log.offset": 22202, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "undeom7847.api.corp" - ], - "related.ip": [ - "10.146.228.234" - ], - "related.user": [ - "susc" + "sectetu7182.localdomain" ], - "rsa.db.index": "eatae", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "uelaudan", - "rsa.misc.OS": "taed", - "rsa.misc.event_type": "Alert", - "rsa.misc.node": "teiru", + "rsa.investigations.event_cat": 1804010000, + "rsa.investigations.event_cat_name": "Network.Devices.Additions", + "rsa.investigations.event_vcat": "orissus", + "rsa.misc.event_type": "Device Updated", "rsa.network.alias_host": [ - "undeom7847.api.corp" + "sectetu7182.localdomain" ], - "rsa.network.eth_host": "01:00:5e:9a:f3:b9", "service.type": "cylance", - "source.ip": [ - "10.146.228.234" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "susc" + ] }, { - "event.action": "ThreatUpdated", + "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-5-13T9:45:57.rcit dolo6230.mail.invalid CylancePROTECT evelite remquela [toreve] Event Type: AuditLog, Event Name: ThreatUpdated, Message: The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97, User: (niam)", + "event.original": "2019-4-29T2:43:23.itse officiad4982.www5.domain CylancePROTECT lumqui quiavolu [upta] Event Type: AuditLog, Event Name: ZoneAdd, Message: Device: umtota; User: etdolore magnaa (sumquiad)", "fileset.name": "protect", - "host.name": "dolo6230.mail.invalid", + "host.name": "officiad4982.www5.domain", "input.type": "log", - "log.offset": 22698, + "log.offset": 22351, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "dolo6230.mail.invalid" - ], - "related.ip": [ - "10.59.232.97" + "officiad4982.www5.domain" ], - "rsa.db.index": "The Device: dolor was auto assigned to the Zone: IP Address: 10.59.232.97", + "rsa.identity.firstname": "etdolore", + "rsa.identity.lastname": "magnaa", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "dolor", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "ZoneAdd", + "rsa.misc.mail_id": "sumquiad", + "rsa.misc.node": "umtota", "rsa.network.alias_host": [ - "dolo6230.mail.invalid" + "officiad4982.www5.domain" ], "service.type": "cylance", - "source.ip": [ - "10.59.232.97" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - "event.action": "SyslogSettingsSave", + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "2019-5-28T4:48:31.uisaut nvolup6280.api.home CylancePROTECT eomn esse [nihi] Event Type: xeaco, Event Name: SyslogSettingsSave, Device Names: (uianonn), Policy Name: eavolupt, User: dantium ors (dqu)", + "event.original": "2019-5-13T9:45:57.Duisa consequa1486.internal.localdomain CylancePROTECT aevitaed byCic [leumiur] Event Type: ptatemse, Event Name: pechange, Threat Class: quaeratv, Threat Subclass: involu, SHA256: tobeata, MD5: nesciun", "fileset.name": "protect", - "host.name": "nvolup6280.api.home", + "host.name": "consequa1486.internal.localdomain", "input.type": "log", - "log.offset": 22932, + "log.offset": 22538, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "nvolup6280.api.home" + "consequa1486.internal.localdomain" ], - "rsa.identity.firstname": "dantium", - "rsa.identity.lastname": "ors", + "rsa.crypto.sig_type": "quaeratv", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "xeaco", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.mail_id": "dqu", - "rsa.misc.node": "uianonn", - "rsa.misc.policy_name": "eavolupt", + "rsa.investigations.event_vcat": "ptatemse", + "rsa.misc.checksum": "tobeata", + "rsa.misc.event_type": "pechange", "rsa.network.alias_host": [ - "nvolup6280.api.home" + "consequa1486.internal.localdomain" ], "service.type": "cylance", "tags": [ @@ -3078,33 +3064,31 @@ ] }, { - "event.action": "PolicyAdd", + "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "11-June-2019 11:51:06 high asia5842.localhost rit <iavol 2019-6-11T11:51:06.psumdol urautodi3892.www5.example CylancePROTECT edict nost [orisnis] Event Type: AuditLog, Event Name: PolicyAdd, Message: Zone: nibu; Policy: quatur; Value: isiutali, User: mdolo nof (usantiu)", + "event.original": "onorumet 2019-5-28T4:48:31.ptatema eavolup6981.www5.example CylancePROTECT psaquaea rchit psumq Event Type: DeviceControl, Event Name: threat_changed, Device Name: lum, External Device Type: xerc, External Device Vendor ID: ctetura, External Device Name: msequ, External Device Product ID: nvol, External Device Serial Number: enimadmi, Zone Names: tateveli", "fileset.name": "protect", - "host.name": "urautodi3892.www5.example", + "host.name": "eavolup6981.www5.example", "input.type": "log", - "log.offset": 23132, + "log.offset": 22759, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "urautodi3892.www5.example" + "eavolup6981.www5.example" ], - "rsa.db.index": "nibu", - "rsa.identity.firstname": "mdolo", - "rsa.identity.lastname": "nof", + "rsa.db.index": "tateveli", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502030000, - "rsa.investigations.event_cat_name": "Policies.Rules.Added", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "PolicyAdd", - "rsa.misc.mail_id": "usantiu", - "rsa.misc.policy_name": "quatur", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " DeviceControl", + "rsa.misc.event_type": "threat_changed", + "rsa.misc.node": "lum", + "rsa.misc.serial_number": "enimadmi", "rsa.network.alias_host": [ - "urautodi3892.www5.example" + "eavolup6981.www5.example" ], "service.type": "cylance", "tags": [ @@ -3113,121 +3097,143 @@ ] }, { - "event.action": "allow", + "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Jun 25 6:53:40 litess7754.www5.invalid CylancePROTECT Event Type:itempo, Event Name: Alert, Device Name: isciveli, IP Address: (10.36.18.24), Action: allow, Process ID: 452, Process Name: lab.exe, User Name: nsequ, Violation Type: ing, Zone Names:ollita", + "event.original": "2019-6-11T11:51:06.oremip its6443.mail.example CylancePROTECT natuserr ostrudex [nse] Event Type: miurere, Event Name: fullaccess, Device Name: tlabo, Agent Version: tatemse, IP Address: (10.139.80.71), MAC Address: (01:00:5e:bc:c1:21), Logged On Users: (orem), OS: eniamqui", "fileset.name": "protect", + "host.mac": "01:00:5e:bc:c1:21", + "host.name": "its6443.mail.example", "input.type": "log", - "log.offset": 23412, + "log.offset": 23117, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "lab.exe", - "process.pid": 452, + "related.hosts": [ + "its6443.mail.example" + ], "related.ip": [ - "10.36.18.24" + "10.139.80.71" ], "related.user": [ - "nsequ" + "orem" ], - "rsa.db.index": "ollita", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1609000000, - "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.investigations.event_vcat": "itempo", - "rsa.misc.action": [ - "allow" + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "miurere", + "rsa.misc.OS": "eniamqui", + "rsa.misc.event_type": "fullaccess", + "rsa.misc.node": "tlabo", + "rsa.network.alias_host": [ + "its6443.mail.example" ], - "rsa.misc.device_name": "isciveli", - "rsa.misc.event_type": "Alert", - "rsa.misc.policy_name": "ing", + "rsa.network.eth_host": "01:00:5e:bc:c1:21", "service.type": "cylance", "source.ip": [ - "10.36.18.24" + "10.139.80.71" ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "nsequ" + "user.name": "orem" }, { - "event.action": "block", + "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "10-July-2019 01:56:14 low ptat5268.www5.localdomain emq <untur 2019-7-10T1:56:14.nonnumqu uraut3756.www5.test CylancePROTECT rcita turad [sequamni] Event Type: ExploitAttempt, Event Name: LoginSuccess, Device Name: ollita, IP Address: (10.127.30.119), Action: block, Process ID: 4608, Process Name: oluptat.exe, User Name: stenatus, Violation Type: eabillo, Zone Names: iaecon", + "event.original": "25-June-2019 18:53:40 high tnulapa7580.www.domain adeser <doeiu 2019-6-25T6:53:40.onsectet dentsunt6061.www5.home CylancePROTECT tobeata imven onnumqua Event Type: quioff, Event Name: SyslogSettingsSave, Device Names: (upt), Policy Name: atatnonp, User: nvol dtemp (mquis)", "fileset.name": "protect", - "host.name": "uraut3756.www5.test", + "host.name": "dentsunt6061.www5.home", "input.type": "log", - "log.offset": 23666, + "log.offset": 23392, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "oluptat.exe", - "process.pid": 4608, "related.hosts": [ - "uraut3756.www5.test" + "dentsunt6061.www5.home" ], - "related.ip": [ - "10.127.30.119" + "rsa.identity.firstname": "nvol", + "rsa.identity.lastname": "dtemp", + "rsa.internal.messageid": "CylancePROTECT", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": "quioff", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "mquis", + "rsa.misc.node": "upt", + "rsa.misc.policy_name": "atatnonp", + "rsa.network.alias_host": [ + "dentsunt6061.www5.home" ], - "related.user": [ - "stenatus" + "service.type": "cylance", + "tags": [ + "cylance.protect", + "forwarded" + ] + }, + { + "event.action": "SyslogSettingsSave", + "event.code": "CylancePROTECT", + "event.dataset": "cylance.protect", + "event.module": "cylance", + "event.original": "10-July-2019 01:56:14 medium midest133.www5.example tocca <ntor 2019-7-10T1:56:14.oinBCSed oid218.api.invalid CylancePROTECT roquisqu ariat midestl Event Type: AuditLog, Event Name: SyslogSettingsSave, Message: mcorpori, User: mqu pteursi (orsitam)", + "fileset.name": "protect", + "host.name": "oid218.api.invalid", + "input.type": "log", + "log.offset": 23674, + "observer.product": "Protect", + "observer.type": "Anti-Virus", + "observer.vendor": "Cylance", + "related.hosts": [ + "oid218.api.invalid" ], - "rsa.db.index": "iaecon", + "rsa.db.index": "mcorpori", + "rsa.identity.firstname": "mqu", + "rsa.identity.lastname": "pteursi", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1401060000, - "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "block" - ], - "rsa.misc.event_type": "LoginSuccess", - "rsa.misc.node": "ollita", - "rsa.misc.policy_name": "eabillo", + "rsa.investigations.event_cat": 1901000000, + "rsa.investigations.event_cat_name": "Other.Default", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "SyslogSettingsSave", + "rsa.misc.mail_id": "orsitam", "rsa.network.alias_host": [ - "uraut3756.www5.test" + "oid218.api.invalid" ], "service.type": "cylance", - "source.ip": [ - "10.127.30.119" - ], "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "stenatus" + ] }, { "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "24-Jul-2019 8:58:48 very-high uiacon6640.api.localhost suntexpl <sBonoru 24T08:58:48.everi squ2213.www.test CylancePROTECT Event Name:Alert, Device Message: Device: ncididu; Zones Removed: itati; Zones Added: nostrude, User: rinc tno (meumf), Zone Names:rExce Device Id: quisquam", + "event.original": "totamre 2019-7-24T8:58:48.rpo velites4233.internal.home CylancePROTECT uisaute uun end Event Type: odocons, Event Name: Alert, Threat Class: asp, Threat Subclass: dexercit, SHA256: amn, MD5: itessequ", "fileset.name": "protect", - "host.name": "squ2213.www.test", + "host.name": "velites4233.internal.home", "input.type": "log", - "log.offset": 24048, + "log.offset": 23933, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "squ2213.www.test" + "velites4233.internal.home" ], - "rsa.db.index": "rExce", - "rsa.identity.firstname": "rinc", - "rsa.identity.lastname": "tno", + "rsa.crypto.sig_type": "asp", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1609000000, "rsa.investigations.event_cat_name": "System.Alerts", - "rsa.misc.device_name": "ncididu", + "rsa.investigations.event_vcat": "odocons", + "rsa.misc.checksum": "amn", "rsa.misc.event_type": "Alert", - "rsa.misc.mail_id": "meumf", "rsa.network.alias_host": [ - "squ2213.www.test" + "velites4233.internal.home" ], "service.type": "cylance", "tags": [ @@ -3236,148 +3242,150 @@ ] }, { - "event.action": "threat_changed", + "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Aug 7 4:01:23 ncu3839.www.localhost CylancePROTECT Event Type:snos, Event Name:threat_changed, Device Message: Device: utod; Zones Removed: ostr; Zones Added: amcorp, User: iadolo ecatcup (orinrep), Zone Names:uamnihil Device Id: nisi", + "event.original": "7-August-2019 16:01:23 low sumd3215.test aUtenima <taevi 2019-8-7T4:01:23.uames tconsec7604.corp CylancePROTECT laboree udantiu [itametco] Event Type: Threat, Event Name: Alert, Device Name: stiaecon, IP Address: (10.223.246.244), File Name: itl, Path: ttenb, Drive Type: olor, SHA256: quiav, MD5: gna, Status: Nem, Cylance Score: 105.845000, Found Date: lors, File Type: oluptat, Is Running: enimad, Auto Run: tis, Detected By: qua, Zone Names: con, Is Malware: tore, Is Unique To Cylance: sequatD, Threat Classification: ercitati", + "file.directory": "ttenb", + "file.name": "itl", + "file.type": "oluptat", "fileset.name": "protect", + "host.name": "tconsec7604.corp", "input.type": "log", - "log.offset": 24334, + "log.offset": 24133, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "uamnihil", - "rsa.identity.firstname": "iadolo", - "rsa.identity.lastname": "ecatcup", + "related.hosts": [ + "tconsec7604.corp" + ], + "related.ip": [ + "10.223.246.244" + ], + "rsa.crypto.sig_type": "ercitati", + "rsa.db.index": "con", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "snos", - "rsa.misc.device_name": "utod", - "rsa.misc.event_type": "threat_changed", - "rsa.misc.mail_id": "orinrep", + "rsa.investigations.event_cat": 1609000000, + "rsa.investigations.event_cat_name": "System.Alerts", + "rsa.investigations.event_vcat": " Threat", + "rsa.misc.checksum": "quiav", + "rsa.misc.event_state": "Nem", + "rsa.misc.event_type": "Alert", + "rsa.misc.node": "stiaecon", + "rsa.network.alias_host": [ + "tconsec7604.corp" + ], + "rsa.web.reputation_num": 105.845, "service.type": "cylance", + "source.ip": [ + "10.223.246.244" + ], "tags": [ "cylance.protect", "forwarded" ] }, { - "event.action": "deny", + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "21-August-2019 23:03:57 high mfugi4289.internal.home maveni <commod 2019-8-21T11:03:57.umqu umet5891.api.localdomain CylancePROTECT aliqua upt [giatquo] Event Type: ExploitAttempt, Event Name: ThreatUpdated, Device Name: dipisciv, IP Address: (10.8.150.213), Action: deny, Process ID: 4190, Process Name: ngelitse.exe, User Name: ugiatnul, Violation Type: mips, Zone Names: hil", + "event.original": "21-Aug-2019 11:03:57 high oeiusmo5035.api.local tconse <tseddoei 21T23:03:57.teursint etMa3452.www5.test CylancePROTECT Event Name:threat_found, Device Name:nturmag, File Path:uredol, Interpreter:maliqua, Interpreter Version:1.4613, Zone Names:mquia, User Name: omnisi, Device Id: etMalor, Policy Name: mco", + "file.name": "uredol", "fileset.name": "protect", - "host.name": "umet5891.api.localdomain", + "host.name": "etMa3452.www5.test", "input.type": "log", - "log.offset": 24569, + "log.offset": 24674, + "network.application": "maliqua", "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "process.name": "ngelitse.exe", - "process.pid": 4190, + "observer.version": "1.4613", "related.hosts": [ - "umet5891.api.localdomain" - ], - "related.ip": [ - "10.8.150.213" + "etMa3452.www5.test" ], "related.user": [ - "ugiatnul" + "omnisi" ], - "rsa.db.index": "hil", + "rsa.db.index": "mquia", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " ExploitAttempt", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "dipisciv", - "rsa.misc.policy_name": "mips", + "rsa.misc.event_type": "threat_found", + "rsa.misc.node": "nturmag", + "rsa.misc.policy_name": "mco", + "rsa.misc.version": "1.4613", "rsa.network.alias_host": [ - "umet5891.api.localdomain" + "etMa3452.www5.test" ], "service.type": "cylance", - "source.ip": [ - "10.8.150.213" - ], "tags": [ "cylance.protect", "forwarded" ], - "user.name": "ugiatnul" + "user.name": "omnisi" }, { - "event.action": "DeviceEdit", + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "5-Sep-2019 6:06:31 medium ncidid126.localhost aecatcu <eosqu 5T06:06:31.reetdolo umquam5574.internal.test CylancePROTECT Event Name:DeviceEdit, Message: Provider:itationu, Source IP:10.108.59.10, User: magnama reprehe (citatio)#015", + "event.original": "5-September-2019 06:06:31 high taspe1205.mail.domain cti <nse 2019-9-5T6:06:31.mveniam tuser2694.internal.invalid CylancePROTECT tlaboru aeabillo [ciad] Event Type: ugiatqu, Event Name: threat_found, Device Names: (turveli), Policy Name: isciv, User: natus boreet (luptasnu)", "fileset.name": "protect", - "host.name": "umquam5574.internal.test", + "host.name": "tuser2694.internal.invalid", "input.type": "log", - "log.offset": 24954, + "log.offset": 24986, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "umquam5574.internal.test" - ], - "related.ip": [ - "10.108.59.10" + "tuser2694.internal.invalid" ], - "rsa.identity.firstname": "magnama", - "rsa.identity.lastname": "reprehe", + "rsa.identity.firstname": "natus", + "rsa.identity.lastname": "boreet", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "DeviceEdit", - "rsa.misc.mail_id": "citatio", + "rsa.investigations.event_vcat": "ugiatqu", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "luptasnu", + "rsa.misc.node": "turveli", + "rsa.misc.policy_name": "isciv", "rsa.network.alias_host": [ - "umquam5574.internal.test" + "tuser2694.internal.invalid" ], "service.type": "cylance", - "source.ip": [ - "10.108.59.10" - ], "tags": [ "cylance.protect", "forwarded" ] }, { - "event.action": "ThreatUpdated", + "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "19-September-2019 13:09:05 medium ocons2813.mail.lan natu <acomm 2019-9-19T1:09:05.veleumi volupt6822.api.invalid CylancePROTECT ure userro [oree] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Device: xcepte; SHA256: gnaa; Category: tio, User: qui epteurs (did)", + "event.original": "edqu 2019-9-19T1:09:05.tationu gnaaliq5240.api.test CylancePROTECT nula ameaquei [gnama] Event Type: esciun, Event Name: pechange, Threat Class: ratvo, Threat Subclass: ntutl, SHA256: volupt, MD5: ine", "fileset.name": "protect", - "host.name": "volupt6822.api.invalid", + "host.name": "gnaaliq5240.api.test", "input.type": "log", - "log.offset": 25191, + "log.offset": 25270, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "volupt6822.api.invalid" + "gnaaliq5240.api.test" ], - "rsa.identity.firstname": "qui", - "rsa.identity.lastname": "epteurs", + "rsa.crypto.sig_type": "ratvo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.category": "tio", - "rsa.misc.checksum": "gnaa", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "did", - "rsa.misc.node": "xcepte", + "rsa.investigations.event_vcat": "esciun", + "rsa.misc.checksum": "volupt", + "rsa.misc.event_type": "pechange", "rsa.network.alias_host": [ - "volupt6822.api.invalid" + "gnaaliq5240.api.test" ], "service.type": "cylance", "tags": [ @@ -3386,26 +3394,30 @@ ] }, { - "event.action": "Device Policy Assigned", + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Oct 3 8:11:40 tMalo1084.local CylancePROTECT Event Type:rauto, Event Name:Device Policy Assigned, Device Name:stl, External Device Type:rissusci, External Device Vendor ID:quaturve, External Device Name:ianonn, External Device Product ID:olore, External Device Serial Number:eumfugi, Zone Names:commod", + "event.original": "3-Oct-2019 8:11:40 low ditaut33.mail.localhost iumdo <mea 3T20:11:40.ssec illum2625.test CylancePROTECT Event Name:LoginSuccess, Threat Class:iaeconse, Threat Subclass:uisa, SHA256:nimadmin, MD5:tdolo", "fileset.name": "protect", + "host.name": "illum2625.test", "input.type": "log", "log.offset": 25471, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "commod", + "related.hosts": [ + "illum2625.test" + ], + "rsa.crypto.sig_type": "iaeconse", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "rauto", - "rsa.misc.device_name": "rissusci", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "stl", - "rsa.misc.serial_number": "eumfugi", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.misc.checksum": "nimadmin", + "rsa.misc.event_type": "LoginSuccess", + "rsa.network.alias_host": [ + "illum2625.test" + ], "service.type": "cylance", "tags": [ "cylance.protect", @@ -3413,26 +3425,33 @@ ] }, { - "event.action": "SyslogSettingsSave", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "Oct 18 3:14:14 proiden7865.www.lan CylancePROTECT Event Type:incidi, Event Name:SyslogSettingsSave, Device Name:tutlabo, External Device Type:nto, External Device Vendor ID:sciv, External Device Name:tlabo, External Device Product ID:nsequun, External Device Serial Number:ateveli, Zone Names:aqua, Device Id: edquiac, Policy Name: sit ", + "event.original": "18-October-2019 03:14:14 high porissus1225.www5.corp ddoe <ured 2019-10-18T3:14:14.ctetu oreeu6419.www.corp CylancePROTECT cul iinea snos Event Type: AuditLog, Event Name: PolicyAdd, Message: Device: moenimip; User: uames tium (ianonn)", "fileset.name": "protect", + "host.name": "oreeu6419.www.corp", "input.type": "log", - "log.offset": 25773, + "log.offset": 25679, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "rsa.db.index": "aqua, Device Id: edquiac, Policy Name: sit", + "related.hosts": [ + "oreeu6419.www.corp" + ], + "rsa.identity.firstname": "uames", + "rsa.identity.lastname": "tium", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.investigations.event_vcat": "incidi", - "rsa.misc.device_name": "nto", - "rsa.misc.event_type": "SyslogSettingsSave", - "rsa.misc.node": "tutlabo", - "rsa.misc.serial_number": "ateveli", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": " AuditLog", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "ianonn", + "rsa.misc.node": "moenimip", + "rsa.network.alias_host": [ + "oreeu6419.www.corp" + ], "service.type": "cylance", "tags": [ "cylance.protect", @@ -3440,71 +3459,65 @@ ] }, { - "event.action": "ThreatUpdated", + "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "rinci 2019-11-1T10:16:48.ici amvol4075.mail.localhost CylancePROTECT edutpers ostru [etdolore] Event Type: ScriptControl, Event Name: ThreatUpdated, Device Name: onsequa, File Path: sunt, Interpreter: orumSe, Interpreter Version: 1.3237, Zone Names: psa, User Name: pta", - "file.directory": "sunt", + "event.original": "2019-11-1T10:16:48.tiset sci333.mail.home CylancePROTECT doloreeu lors eumfu Event Type: docons, Event Name: PolicyAdd, Device Names: (eumf), Policy Name: roquisq, User: uasi maveniam (uis)", "fileset.name": "protect", - "host.name": "amvol4075.mail.localhost", + "host.name": "sci333.mail.home", "input.type": "log", - "log.offset": 26110, - "network.application": "orumSe", + "log.offset": 25925, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", - "observer.version": "1.3237", "related.hosts": [ - "amvol4075.mail.localhost" - ], - "related.user": [ - "pta" + "sci333.mail.home" ], - "rsa.db.index": "psa", + "rsa.identity.firstname": "uasi", + "rsa.identity.lastname": "maveniam", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.node": "onsequa", - "rsa.misc.version": "1.3237", + "rsa.investigations.event_cat": 1502030000, + "rsa.investigations.event_cat_name": "Policies.Rules.Added", + "rsa.investigations.event_vcat": "docons", + "rsa.misc.event_type": "PolicyAdd", + "rsa.misc.mail_id": "uis", + "rsa.misc.node": "eumf", + "rsa.misc.policy_name": "roquisq", "rsa.network.alias_host": [ - "amvol4075.mail.localhost" + "sci333.mail.home" ], "service.type": "cylance", "tags": [ "cylance.protect", "forwarded" - ], - "user.name": "pta" + ] }, { - "event.action": "Registration", + "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "15-Nov-2019 5:19:22 low ntutlabo6923.localhost eacommo <tionevol 15T17:19:22.itvo asi4651.api.test CylancePROTECT Event Name:Registration, Device Message: Device: emp; Zones Removed: emoeni, User: officiad veniam (labo), Zone Names:ssecill Device Id: umquam", + "event.original": "imi 2019-11-15T5:19:22.animi edutpers6452.api.host CylancePROTECT ntiumt sumquia vento Event Type: sitv, Event Name: LoginSuccess, Threat Class: com, Threat Subclass: rep, SHA256: mveni, MD5: aquae", "fileset.name": "protect", - "host.name": "asi4651.api.test", + "host.name": "edutpers6452.api.host", "input.type": "log", - "log.offset": 26380, + "log.offset": 26115, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "asi4651.api.test" + "edutpers6452.api.host" ], - "rsa.db.index": "ssecill", - "rsa.identity.firstname": "officiad", - "rsa.identity.lastname": "veniam", + "rsa.crypto.sig_type": "com", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1901000000, - "rsa.investigations.event_cat_name": "Other.Default", - "rsa.misc.device_name": "emp", - "rsa.misc.event_type": "Registration", - "rsa.misc.mail_id": "labo", + "rsa.investigations.event_cat": 1401060000, + "rsa.investigations.event_cat_name": "User.Activity.Successful Logins", + "rsa.investigations.event_vcat": "sitv", + "rsa.misc.checksum": "mveni", + "rsa.misc.event_type": "LoginSuccess", "rsa.network.alias_host": [ - "asi4651.api.test" + "edutpers6452.api.host" ], "service.type": "cylance", "tags": [ @@ -3513,37 +3526,42 @@ ] }, { - "event.action": "Device Policy Assigned", + "event.action": "deny", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "ali 2019-11-30T12:21:57.ionu perna6751.internal.home CylancePROTECT ess ria [ationevo] Event Type: AuditLog, Event Name: Device Policy Assigned, Message: The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233, User: (orisnis)", + "event.original": "30-November-2019 00:21:57 low iaturE3103.api.domain aturve <iatu 2019/11/30T00:21:57.use nulamc5617.mail.host CylancePROTECT teturad ese [eddoei] Event Type: AppControl, Event Name: SystemSecurity, Device Name: ntu, IP Address: (10.134.137.205), Action: deny, Action Type: duntut, File Path: emporin, SHA256: oreseosq, Zone Names: etquasia", + "file.directory": "emporin", "fileset.name": "protect", - "host.name": "perna6751.internal.home", + "host.name": "nulamc5617.mail.host", "input.type": "log", - "log.offset": 26645, + "log.offset": 26313, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "perna6751.internal.home" + "nulamc5617.mail.host" ], "related.ip": [ - "10.138.85.233" + "10.134.137.205" ], - "rsa.db.index": "The Device: datatno was auto assigned to the Zone: IP Address: 10.138.85.233", + "rsa.db.index": "etquasia", "rsa.internal.messageid": "CylancePROTECT", - "rsa.investigations.event_cat": 1502000000, - "rsa.investigations.event_cat_name": "Policies.Rules", - "rsa.investigations.event_vcat": "AuditLog", - "rsa.misc.event_type": "Device Policy Assigned", - "rsa.misc.node": "datatno", + "rsa.investigations.event_cat": 1600000000, + "rsa.investigations.event_cat_name": "System", + "rsa.investigations.event_vcat": " AppControl", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.checksum": "oreseosq", + "rsa.misc.event_type": "SystemSecurity", + "rsa.misc.node": "ntu", "rsa.network.alias_host": [ - "perna6751.internal.home" + "nulamc5617.mail.host" ], "service.type": "cylance", "source.ip": [ - "10.138.85.233" + "10.134.137.205" ], "tags": [ "cylance.protect", @@ -3551,33 +3569,33 @@ ] }, { - "event.action": "ThreatUpdated", + "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", "event.module": "cylance", - "event.original": "14-December-2019 07:24:31 medium olor874.internal.lan mquis <samnisiu 2019-12-14T7:24:31.yCiceroi evolupta7790.internal.local CylancePROTECT equamnih isetqua [turExce] Event Type: AuditLog, Event Name: ThreatUpdated, Message: Zone: rehe; Policy: aper; Value: gnaa, User: tam deser (int)", + "event.original": "2019-12-14T7:24:31.cinge tatem4713.internal.host CylancePROTECT elites pariat [nimip] Event Type: AuditLog, Event Name: threat_found, Message: Zone: usci; Policy: unturmag; Value: dexeaco, User: lupta ura (oreeufug)", "fileset.name": "protect", - "host.name": "evolupta7790.internal.local", + "host.name": "tatem4713.internal.host", "input.type": "log", - "log.offset": 26895, + "log.offset": 26662, "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "related.hosts": [ - "evolupta7790.internal.local" + "tatem4713.internal.host" ], - "rsa.db.index": "rehe", - "rsa.identity.firstname": "tam", - "rsa.identity.lastname": "deser", + "rsa.db.index": "usci", + "rsa.identity.firstname": "lupta", + "rsa.identity.lastname": "ura", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.investigations.event_vcat": " AuditLog", - "rsa.misc.event_type": "ThreatUpdated", - "rsa.misc.mail_id": "int", - "rsa.misc.policy_name": "aper", + "rsa.misc.event_type": "threat_found", + "rsa.misc.mail_id": "oreeufug", + "rsa.misc.policy_name": "unturmag", "rsa.network.alias_host": [ - "evolupta7790.internal.local" + "tatem4713.internal.host" ], "service.type": "cylance", "tags": [ diff --git a/x-pack/filebeat/module/f5/bigipafm/config/input.yml b/x-pack/filebeat/module/f5/bigipafm/config/input.yml index f3685ac57007..28e46f847ab7 100644 --- a/x-pack/filebeat/module/f5/bigipafm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipafm/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js +++ b/x-pack/filebeat/module/f5/bigipafm/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml index 395794625931..1c939d65a22f 100644 --- a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/f5/bigipafm/manifest.yml b/x-pack/filebeat/module/f5/bigipafm/manifest.yml index 5c8ad517aa40..3c7c33838823 100644 --- a/x-pack/filebeat/module/f5/bigipafm/manifest.yml +++ b/x-pack/filebeat/module/f5/bigipafm/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9528 + default: 9544 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json index 13fe3560c057..fea485c71ced 100644 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json @@ -24,10 +24,10 @@ "tatemac3541.api.corp" ], "related.ip": [ - "10.208.121.85", "10.165.201.71", - "10.11.196.142", - "10.228.193.207" + "10.228.193.207", + "10.208.121.85", + "10.11.196.142" ], "related.user": [ "billoi" @@ -92,10 +92,10 @@ "enatus2114.mail.home" ], "related.ip": [ - "10.51.132.10", - "10.92.202.200", + "10.162.9.235", "10.94.67.230", - "10.162.9.235" + "10.51.132.10", + "10.92.202.200" ], "related.user": [ "byC" @@ -227,10 +227,10 @@ "uid545.www5.localhost" ], "related.ip": [ - "10.12.44.169", "10.131.233.27", - "10.50.112.141", - "10.202.66.28" + "10.202.66.28", + "10.12.44.169", + "10.50.112.141" ], "related.user": [ "elits" @@ -295,10 +295,10 @@ "emquiavo452.internal.localhost" ], "related.ip": [ - "10.159.182.171", - "10.206.197.113", "10.151.111.38", - "10.96.35.212" + "10.96.35.212", + "10.206.197.113", + "10.159.182.171" ], "related.user": [ "mol" @@ -363,8 +363,8 @@ "sun1403.www.invalid" ], "related.ip": [ - "10.126.177.162", "10.213.113.28", + "10.126.177.162", "10.89.163.114", "10.169.144.147" ], @@ -431,9 +431,9 @@ ], "related.ip": [ "10.146.88.52", - "10.103.107.47", + "10.18.124.28", "10.101.223.43", - "10.18.124.28" + "10.103.107.47" ], "related.user": [ "rudexerc" @@ -498,10 +498,10 @@ "ume465.corp" ], "related.ip": [ + "10.110.99.17", "10.189.109.245", - "10.150.220.75", "10.69.57.206", - "10.110.99.17" + "10.150.220.75" ], "related.user": [ "onse" @@ -565,10 +565,10 @@ "iciatisu1463.www5.localdomain" ], "related.ip": [ - "10.121.219.204", "10.199.34.241", - "10.153.136.222", - "10.19.194.101" + "10.121.219.204", + "10.19.194.101", + "10.153.136.222" ], "related.user": [ "temveleu" @@ -633,8 +633,8 @@ ], "related.ip": [ "10.64.141.105", - "10.46.27.57", "10.57.103.192", + "10.46.27.57", "10.182.199.231" ], "related.user": [ @@ -699,10 +699,10 @@ "itame189.domain" ], "related.ip": [ + "10.32.67.231", "10.164.6.207", "10.160.210.31", - "10.3.134.237", - "10.32.67.231" + "10.3.134.237" ], "related.user": [ "pic" @@ -767,10 +767,10 @@ "tsedqu2456.www5.invalid" ], "related.ip": [ - "10.42.138.192", + "10.182.178.217", "10.235.101.253", "10.201.6.10", - "10.182.178.217" + "10.42.138.192" ], "related.user": [ "giatnu" @@ -903,10 +903,10 @@ "ecte4762.local" ], "related.ip": [ - "10.174.252.105", - "10.167.172.155", "10.107.168.60", - "10.204.35.15" + "10.167.172.155", + "10.204.35.15", + "10.174.252.105" ], "related.user": [ "mnisi" @@ -970,10 +970,10 @@ "smo7167.www.test" ], "related.ip": [ - "10.99.249.210", "10.214.249.164", - "10.182.191.174", - "10.81.26.208" + "10.99.249.210", + "10.81.26.208", + "10.182.191.174" ], "related.user": [ "upta" @@ -1037,9 +1037,9 @@ "sauteiru4554.api.domain" ], "related.ip": [ - "10.220.5.143", "10.88.101.53", "10.201.238.90", + "10.220.5.143", "10.101.226.128" ], "related.user": [ @@ -1104,10 +1104,10 @@ "untut4046.internal.domain" ], "related.ip": [ - "10.30.133.66", - "10.157.18.252", "10.243.218.215", - "10.217.150.196" + "10.217.150.196", + "10.157.18.252", + "10.30.133.66" ], "related.user": [ "evit" @@ -1171,9 +1171,9 @@ "quid3147.mail.home" ], "related.ip": [ + "10.66.181.6", "10.181.133.187", "10.148.161.250", - "10.66.181.6", "10.167.227.44" ], "related.user": [ @@ -1239,10 +1239,10 @@ "umdolo1029.mail.localhost" ], "related.ip": [ - "10.84.163.178", - "10.107.9.163", + "10.74.11.43", "10.54.17.32", - "10.74.11.43" + "10.84.163.178", + "10.107.9.163" ], "related.user": [ "mquisno" @@ -1306,10 +1306,10 @@ "lorsita2019.internal.home" ], "related.ip": [ - "10.230.129.252", "10.112.32.213", "10.192.229.221", - "10.184.73.211" + "10.184.73.211", + "10.230.129.252" ], "related.user": [ "odi" @@ -1374,10 +1374,10 @@ "paquioff624.mail.invalid" ], "related.ip": [ - "10.198.213.189", "10.199.216.143", + "10.7.200.140", "10.161.148.64", - "10.7.200.140" + "10.198.213.189" ], "related.user": [ "ccaeca" @@ -1441,8 +1441,8 @@ "mex2054.mail.corp" ], "related.ip": [ - "10.65.232.27", "10.206.96.56", + "10.65.232.27", "10.128.157.27", "10.22.187.69" ], @@ -1508,10 +1508,10 @@ "avolupt7576.api.corp" ], "related.ip": [ - "10.194.210.62", - "10.183.130.225", "10.71.114.14", - "10.68.253.120" + "10.68.253.120", + "10.194.210.62", + "10.183.130.225" ], "related.user": [ "admin" @@ -1576,10 +1576,10 @@ "loi7596.www5.home" ], "related.ip": [ - "10.107.45.175", + "10.45.253.103", "10.31.177.226", "10.47.255.237", - "10.45.253.103" + "10.107.45.175" ], "related.user": [ "remagn" @@ -1711,10 +1711,10 @@ "ectiono2241.lan" ], "related.ip": [ - "10.69.161.78", - "10.163.209.70", + "10.2.114.9", "10.255.74.136", - "10.2.114.9" + "10.69.161.78", + "10.163.209.70" ], "related.user": [ "olabor" @@ -1778,9 +1778,9 @@ "umetMal1664.mail.lan" ], "related.ip": [ - "10.184.59.148", "10.12.129.137", "10.46.115.216", + "10.184.59.148", "10.252.102.110" ], "related.user": [ @@ -1846,9 +1846,9 @@ "derit5270.mail.local" ], "related.ip": [ + "10.105.52.140", "10.81.184.7", "10.199.194.79", - "10.105.52.140", "10.155.204.243" ], "related.user": [ @@ -1914,10 +1914,10 @@ "orisni5238.mail.lan" ], "related.ip": [ + "10.18.226.72", "10.251.231.142", - "10.177.238.45", "10.110.2.166", - "10.18.226.72" + "10.177.238.45" ], "related.user": [ "taliqui" @@ -1982,10 +1982,10 @@ "iutali7297.www.domain" ], "related.ip": [ - "10.192.98.247", - "10.99.202.229", "10.190.122.27", - "10.100.199.226" + "10.100.199.226", + "10.192.98.247", + "10.99.202.229" ], "related.user": [ "lloinven" @@ -2051,9 +2051,9 @@ ], "related.ip": [ "10.172.154.97", - "10.248.111.207", + "10.162.97.197", "10.37.193.70", - "10.162.97.197" + "10.248.111.207" ], "related.user": [ "culpaq" @@ -2118,8 +2118,8 @@ ], "related.ip": [ "10.36.63.31", - "10.171.221.230", "10.222.165.250", + "10.171.221.230", "10.45.35.180" ], "related.user": [ @@ -2184,10 +2184,10 @@ "tnonproi195.api.home" ], "related.ip": [ - "10.83.238.145", "10.199.127.211", - "10.1.171.61", - "10.238.4.219" + "10.83.238.145", + "10.238.4.219", + "10.1.171.61" ], "related.user": [ "reetdolo" @@ -2251,10 +2251,10 @@ "edictasu5362.internal.localhost" ], "related.ip": [ - "10.170.252.219", - "10.44.226.104", "10.74.213.42", - "10.65.141.244" + "10.170.252.219", + "10.65.141.244", + "10.44.226.104" ], "related.user": [ "Nequepo" @@ -2318,10 +2318,10 @@ "uido492.www5.home" ], "related.ip": [ - "10.180.48.221", - "10.225.255.211", "10.183.223.149", - "10.225.141.172" + "10.225.255.211", + "10.225.141.172", + "10.180.48.221" ], "related.user": [ "nihil" @@ -2385,10 +2385,10 @@ "redo6311.api.invalid" ], "related.ip": [ - "10.169.123.103", + "10.176.64.28", "10.97.138.181", "10.205.174.181", - "10.176.64.28" + "10.169.123.103" ], "related.user": [ "eseruntm" @@ -2453,10 +2453,10 @@ "dolorem1698.www.domain" ], "related.ip": [ - "10.204.4.40", - "10.75.120.11", "10.53.101.131", - "10.169.101.161" + "10.169.101.161", + "10.75.120.11", + "10.204.4.40" ], "related.user": [ "tquo" @@ -2522,9 +2522,9 @@ ], "related.ip": [ "10.28.51.219", - "10.156.117.169", + "10.6.222.112", "10.87.120.87", - "10.6.222.112" + "10.156.117.169" ], "related.user": [ "onsequu" @@ -2588,10 +2588,10 @@ "arc2412.mail.lan" ], "related.ip": [ + "10.253.167.17", "10.247.44.59", - "10.4.126.103", "10.57.89.155", - "10.253.167.17" + "10.4.126.103" ], "related.user": [ "ntorever" @@ -2655,9 +2655,9 @@ "olorsi2746.internal.localhost" ], "related.ip": [ - "10.15.240.220", "10.143.183.208", "10.248.206.210", + "10.15.240.220", "10.36.69.125" ], "related.user": [ @@ -2723,9 +2723,9 @@ "edqu2208.www.localhost" ], "related.ip": [ - "10.69.170.107", - "10.34.133.2", "10.6.32.7", + "10.34.133.2", + "10.69.170.107", "10.142.186.43" ], "related.user": [ @@ -2791,10 +2791,10 @@ "ender5647.www5.example" ], "related.ip": [ - "10.121.153.197", "10.142.22.24", - "10.59.103.10", - "10.170.165.164" + "10.170.165.164", + "10.121.153.197", + "10.59.103.10" ], "related.user": [ "borumSec" @@ -2860,9 +2860,9 @@ ], "related.ip": [ "10.176.83.7", + "10.133.10.122", "10.247.114.30", - "10.19.99.129", - "10.133.10.122" + "10.19.99.129" ], "related.user": [ "quaeabil" @@ -2927,10 +2927,10 @@ "uatu2894.api.lan" ], "related.ip": [ - "10.64.139.17", - "10.70.7.23", + "10.40.177.138", "10.8.29.219", - "10.40.177.138" + "10.64.139.17", + "10.70.7.23" ], "related.user": [ "rep" @@ -2995,9 +2995,9 @@ ], "related.ip": [ "10.2.189.20", + "10.67.173.228", "10.67.221.220", - "10.180.62.222", - "10.67.173.228" + "10.180.62.222" ], "related.user": [ "uptasnul" @@ -3062,9 +3062,9 @@ "uian521.www.example" ], "related.ip": [ + "10.56.134.118", "10.196.176.243", "10.209.52.47", - "10.56.134.118", "10.147.127.181" ], "related.user": [ @@ -3129,8 +3129,8 @@ "taliq5213.api.corp" ], "related.ip": [ - "10.226.24.84", "10.85.13.237", + "10.226.24.84", "10.231.18.90", "10.248.140.59" ], @@ -3197,10 +3197,10 @@ "ntsunt4894.mail.domain" ], "related.ip": [ - "10.203.46.215", - "10.8.224.72", "10.207.183.204", - "10.59.215.207" + "10.8.224.72", + "10.59.215.207", + "10.203.46.215" ], "related.user": [ "eruntmo" @@ -3265,9 +3265,9 @@ "mexer3864.api.corp" ], "related.ip": [ - "10.73.84.95", "10.255.145.22", "10.230.38.148", + "10.73.84.95", "10.98.154.146" ], "related.user": [ @@ -3400,10 +3400,10 @@ "fugiatnu2498.www.localhost" ], "related.ip": [ + "10.195.139.25", "10.122.133.162", "10.220.202.102", - "10.182.213.195", - "10.195.139.25" + "10.182.213.195" ], "related.user": [ "aquae" @@ -3468,10 +3468,10 @@ "ptat3230.domain" ], "related.ip": [ - "10.33.143.163", + "10.53.72.161", "10.247.144.9", - "10.156.208.5", - "10.53.72.161" + "10.33.143.163", + "10.156.208.5" ], "related.user": [ "scip" @@ -3535,10 +3535,10 @@ "exer447.internal.localhost" ], "related.ip": [ - "10.21.58.162", - "10.35.190.164", "10.113.65.192", - "10.241.143.145" + "10.241.143.145", + "10.21.58.162", + "10.35.190.164" ], "related.user": [ "porin" @@ -3603,10 +3603,10 @@ "itanimi1934.home" ], "related.ip": [ - "10.129.16.166", - "10.75.113.240", + "10.53.27.253", "10.19.154.103", - "10.53.27.253" + "10.129.16.166", + "10.75.113.240" ], "related.user": [ "luptat" @@ -3671,10 +3671,10 @@ "pteurs1031.mail.corp" ], "related.ip": [ - "10.150.153.61", - "10.125.150.220", + "10.22.213.196", "10.120.50.13", - "10.22.213.196" + "10.150.153.61", + "10.125.150.220" ], "related.user": [ "inculpa" @@ -3739,10 +3739,10 @@ "edquiaco6562.api.lan" ], "related.ip": [ + "10.229.155.171", "10.113.2.13", "10.85.52.249", - "10.238.171.184", - "10.229.155.171" + "10.238.171.184" ], "related.user": [ "tatiset" @@ -3807,10 +3807,10 @@ "tatis7315.mail.home" ], "related.ip": [ - "10.249.174.35", "10.198.150.185", - "10.51.245.225", - "10.220.1.249" + "10.249.174.35", + "10.220.1.249", + "10.51.245.225" ], "related.user": [ "quela" @@ -3877,8 +3877,8 @@ "related.ip": [ "10.251.82.195", "10.38.185.31", - "10.190.96.181", - "10.152.157.32" + "10.152.157.32", + "10.190.96.181" ], "related.user": [ "olorese" @@ -3942,10 +3942,10 @@ "itaedict199.mail.corp" ], "related.ip": [ + "10.190.247.194", "10.230.112.179", "10.211.198.50", - "10.103.102.242", - "10.190.247.194" + "10.103.102.242" ], "related.user": [ "tDuisaut" @@ -4009,9 +4009,9 @@ "xeaco7887.www.localdomain" ], "related.ip": [ - "10.219.83.199", - "10.251.101.61", "10.47.223.155", + "10.251.101.61", + "10.219.83.199", "10.101.13.122" ], "related.user": [ @@ -4077,8 +4077,8 @@ "saute7421.www.invalid" ], "related.ip": [ - "10.83.136.233", "10.31.86.83", + "10.83.136.233", "10.21.80.157", "10.21.30.43" ], @@ -4145,10 +4145,10 @@ "oluptas1637.home" ], "related.ip": [ + "10.195.90.73", "10.45.152.205", "10.194.197.107", - "10.27.181.27", - "10.195.90.73" + "10.27.181.27" ], "related.user": [ "datatn" @@ -4213,10 +4213,10 @@ "ididu5505.api.localdomain" ], "related.ip": [ - "10.43.239.97", "10.129.161.18", "10.183.90.25", - "10.222.2.132" + "10.222.2.132", + "10.43.239.97" ], "related.user": [ "aedicta" @@ -4280,9 +4280,9 @@ "mqui1099.api.corp" ], "related.ip": [ - "10.248.156.138", - "10.67.129.100", "10.189.162.131", + "10.67.129.100", + "10.248.156.138", "10.231.167.171" ], "related.user": [ @@ -4348,9 +4348,9 @@ "siuta2155.lan" ], "related.ip": [ - "10.63.103.30", - "10.6.146.184", "10.185.107.27", + "10.6.146.184", + "10.63.103.30", "10.142.106.66" ], "related.user": [ @@ -4416,9 +4416,9 @@ ], "related.ip": [ "10.119.179.182", - "10.214.93.200", "10.0.202.9", - "10.93.39.237" + "10.93.39.237", + "10.214.93.200" ], "related.user": [ "tionofd" @@ -4484,8 +4484,8 @@ ], "related.ip": [ "10.28.145.163", - "10.123.154.140", "10.252.204.162", + "10.123.154.140", "10.30.189.166" ], "related.user": [ @@ -4550,10 +4550,10 @@ "idolo6535.internal.example" ], "related.ip": [ - "10.46.162.198", + "10.29.122.183", "10.145.128.250", - "10.79.49.3", - "10.29.122.183" + "10.46.162.198", + "10.79.49.3" ], "related.user": [ "eni" @@ -4620,8 +4620,8 @@ "related.ip": [ "10.142.235.217", "10.177.232.136", - "10.65.174.196", - "10.166.169.167" + "10.166.169.167", + "10.65.174.196" ], "related.user": [ "olors" @@ -4686,9 +4686,9 @@ "uptatem4446.internal.localhost" ], "related.ip": [ - "10.215.184.154", "10.191.78.86", "10.29.217.44", + "10.215.184.154", "10.53.188.140" ], "related.user": [ @@ -4754,9 +4754,9 @@ "emq2514.api.localhost" ], "related.ip": [ - "10.46.222.149", - "10.135.77.156", "10.76.148.147", + "10.135.77.156", + "10.46.222.149", "10.74.74.129" ], "related.user": [ @@ -4821,10 +4821,10 @@ "agna5654.www.corp" ], "related.ip": [ + "10.11.146.253", "10.130.203.37", - "10.96.200.223", "10.145.49.29", - "10.11.146.253" + "10.96.200.223" ], "related.user": [ "mvele" @@ -4890,8 +4890,8 @@ "related.ip": [ "10.162.78.48", "10.162.2.180", - "10.24.23.209", - "10.48.75.140" + "10.48.75.140", + "10.24.23.209" ], "related.user": [ "rumwr" @@ -4955,9 +4955,9 @@ "sequatD163.internal.example" ], "related.ip": [ + "10.151.206.38", "10.119.12.186", "10.97.105.115", - "10.151.206.38", "10.66.92.83" ], "related.user": [ @@ -5022,10 +5022,10 @@ "itamet1303.invalid" ], "related.ip": [ - "10.169.139.250", + "10.64.76.142", "10.12.148.73", - "10.201.132.114", - "10.64.76.142" + "10.169.139.250", + "10.201.132.114" ], "related.user": [ "borisnis" @@ -5091,9 +5091,9 @@ ], "related.ip": [ "10.35.38.185", - "10.200.116.191", "10.111.128.11", - "10.9.236.18" + "10.9.236.18", + "10.200.116.191" ], "related.user": [ "umfug" @@ -5159,8 +5159,8 @@ "related.ip": [ "10.191.27.182", "10.134.238.8", - "10.240.62.238", - "10.236.67.227" + "10.236.67.227", + "10.240.62.238" ], "related.user": [ "tlabo" @@ -5224,10 +5224,10 @@ "ididunt7607.mail.localhost" ], "related.ip": [ - "10.22.231.91", - "10.165.66.92", + "10.65.35.64", "10.109.14.142", - "10.65.35.64" + "10.165.66.92", + "10.22.231.91" ], "related.user": [ "perna" @@ -5291,9 +5291,9 @@ "inimav5557.www5.test" ], "related.ip": [ - "10.64.161.215", "10.29.230.203", "10.71.112.86", + "10.64.161.215", "10.89.221.90" ], "related.user": [ @@ -5358,10 +5358,10 @@ "nonn1650.www.test" ], "related.ip": [ - "10.140.118.182", - "10.79.208.135", + "10.88.226.76", "10.221.199.137", - "10.88.226.76" + "10.79.208.135", + "10.140.118.182" ], "related.user": [ "erspic" @@ -5427,8 +5427,8 @@ ], "related.ip": [ "10.133.48.55", - "10.35.73.208", "10.189.244.22", + "10.35.73.208", "10.126.61.230" ], "related.user": [ @@ -5493,10 +5493,10 @@ "suscipit587.www.localhost" ], "related.ip": [ - "10.239.194.105", "10.240.94.109", + "10.35.65.72", "10.81.154.115", - "10.35.65.72" + "10.239.194.105" ], "related.user": [ "reseo" @@ -5561,10 +5561,10 @@ "mnisiut6146.internal.local" ], "related.ip": [ - "10.150.56.227", + "10.38.253.213", "10.248.72.104", - "10.52.70.192", - "10.38.253.213" + "10.150.56.227", + "10.52.70.192" ], "related.user": [ "ionem" @@ -5629,10 +5629,10 @@ "borios1067.www5.home" ], "related.ip": [ - "10.73.172.186", - "10.203.193.134", + "10.62.218.239", "10.218.15.164", - "10.62.218.239" + "10.203.193.134", + "10.73.172.186" ], "related.user": [ "reh" @@ -5696,10 +5696,10 @@ "msequ323.www.example" ], "related.ip": [ + "10.136.211.234", "10.60.20.76", "10.10.46.43", - "10.131.127.113", - "10.136.211.234" + "10.131.127.113" ], "related.user": [ "nev" @@ -5764,10 +5764,10 @@ "tdolorem813.internal.host" ], "related.ip": [ - "10.50.177.151", + "10.233.181.250", "10.248.0.74", - "10.187.237.220", - "10.233.181.250" + "10.50.177.151", + "10.187.237.220" ], "related.user": [ "ugiatq" @@ -5832,9 +5832,9 @@ "volupt4626.internal.test" ], "related.ip": [ - "10.248.248.120", - "10.189.43.11", "10.80.129.81", + "10.189.43.11", + "10.248.248.120", "10.96.223.46" ], "related.user": [ @@ -5968,10 +5968,10 @@ "orpori3334.www.local" ], "related.ip": [ + "10.221.223.127", "10.159.155.88", - "10.0.175.17", "10.198.157.122", - "10.221.223.127" + "10.0.175.17" ], "related.user": [ "iquipex" @@ -6036,8 +6036,8 @@ ], "related.ip": [ "10.30.20.187", - "10.7.212.201", "10.189.70.237", + "10.7.212.201", "10.252.136.130" ], "related.user": [ @@ -6103,10 +6103,10 @@ "tse2979.internal.localhost" ], "related.ip": [ - "10.83.105.69", - "10.102.109.194", "10.60.224.93", - "10.242.121.165" + "10.83.105.69", + "10.242.121.165", + "10.102.109.194" ], "related.user": [ "mni" @@ -6171,10 +6171,10 @@ "uisnostr2390.mail.domain" ], "related.ip": [ - "10.17.20.93", - "10.219.174.45", + "10.181.134.69", "10.251.167.219", - "10.181.134.69" + "10.17.20.93", + "10.219.174.45" ], "related.user": [ "Uteni" @@ -6239,10 +6239,10 @@ "luptate4811.mail.example" ], "related.ip": [ - "10.223.99.90", + "10.28.233.253", "10.30.117.82", - "10.37.14.20", - "10.28.233.253" + "10.223.99.90", + "10.37.14.20" ], "related.user": [ "numqua" @@ -6308,9 +6308,9 @@ ], "related.ip": [ "10.125.20.22", + "10.8.32.17", "10.50.61.114", - "10.57.85.113", - "10.8.32.17" + "10.57.85.113" ], "related.user": [ "qua" @@ -6375,10 +6375,10 @@ "lorinrep7686.mail.corp" ], "related.ip": [ - "10.113.78.101", + "10.181.63.82", "10.215.224.27", "10.200.28.55", - "10.181.63.82" + "10.113.78.101" ], "related.user": [ "ficiade" @@ -6443,10 +6443,10 @@ "nderit6272.mail.example" ], "related.ip": [ - "10.169.95.128", - "10.177.14.106", "10.139.20.223", - "10.243.43.168" + "10.169.95.128", + "10.243.43.168", + "10.177.14.106" ], "related.user": [ "ofd" @@ -6513,8 +6513,8 @@ "related.ip": [ "10.92.168.198", "10.39.100.88", - "10.18.176.44", - "10.90.93.4" + "10.90.93.4", + "10.18.176.44" ], "related.user": [ "adminima" @@ -6579,10 +6579,10 @@ "essequam1161.domain" ], "related.ip": [ - "10.193.43.135", - "10.49.68.8", "10.163.203.191", - "10.173.13.179" + "10.173.13.179", + "10.49.68.8", + "10.193.43.135" ], "related.user": [ "tlab" @@ -6646,10 +6646,10 @@ "cipitl2184.localdomain" ], "related.ip": [ + "10.209.226.7", "10.240.47.113", "10.84.64.28", - "10.31.147.51", - "10.209.226.7" + "10.31.147.51" ], "related.user": [ "ull" @@ -6715,9 +6715,9 @@ ], "related.ip": [ "10.52.13.192", + "10.32.20.4", "10.225.189.229", - "10.86.1.244", - "10.32.20.4" + "10.86.1.244" ], "related.user": [ "odtemp" diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml index 9f3218ff5271..de1b11667744 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js +++ b/x-pack/filebeat/module/f5/bigipapm/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js b/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js index 19fa80ecb62f..68bba49a400e 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js +++ b/x-pack/filebeat/module/f5/bigipapm/config/pipeline.js @@ -76,7 +76,7 @@ var dup20 = match("MESSAGE#67:014d0001:02", "nwparser.payload", "%{fld1->} %{fld dup2, ])); -var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid}: %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -98,12 +98,12 @@ var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hdate->} %{htime->} constant("]: "), field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }), ])); -var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: %{messageid}: %{p0}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -123,12 +123,12 @@ var hdr2 = match("HEADER#1:0002", "message", "%{hmonth->} %{hdate->} %{htime->} constant(": "), field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }), ])); -var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}: [%{messageid}]%{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -148,12 +148,12 @@ var hdr3 = match("HEADER#2:0003", "message", "%{hmonth->} %{hdate->} %{htime->} constant(": ["), field("messageid"), constant("]"), - field("payload"), + field("p0"), ], }), ])); -var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ setc("header_id","0004"), call({ dest: "nwparser.payload", @@ -173,12 +173,12 @@ var hdr4 = match("HEADER#3:0004", "message", "%{hmonth->} %{hdate->} %{htime->} constant("["), field("hfld3"), constant("]:"), - field("payload"), + field("p0"), ], }), ])); -var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}:%{payload}", processor_chain([ +var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid}:%{p0}", processor_chain([ setc("header_id","0005"), call({ dest: "nwparser.payload", @@ -196,12 +196,12 @@ var hdr5 = match("HEADER#4:0005", "message", "%{hmonth->} %{hdate->} %{htime->} constant(" "), field("messageid"), constant(":"), - field("payload"), + field("p0"), ], }), ])); -var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{payload}", processor_chain([ +var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{hfld3}[%{hfld4}]: %{messageid->} /%{p0}", processor_chain([ setc("header_id","0006"), call({ dest: "nwparser.payload", @@ -223,7 +223,7 @@ var hdr6 = match("HEADER#5:0006", "message", "%{hmonth->} %{hdate->} %{htime->} constant("]: "), field("messageid"), constant(" /"), - field("payload"), + field("p0"), ], }), ])); @@ -408,7 +408,7 @@ var part23 = match("MESSAGE#18:01490500/3_0", "nwparser.p0", "%{daddr->} Listene var part24 = match("MESSAGE#18:01490500/3_1", "nwparser.p0", "%{daddr->} Listener %{fld8}"); -var part25 = match("MESSAGE#18:01490500/3_2", "nwparser.p0", "%{daddr}"); +var part25 = match_copy("MESSAGE#18:01490500/3_2", "nwparser.p0", "daddr"); var select6 = linear_select([ part23, @@ -523,7 +523,7 @@ var select7 = linear_select([ part39, ]); -var part40 = match("MESSAGE#32:01490107:02/2", "nwparser.p0", "%{info}"); +var part40 = match_copy("MESSAGE#32:01490107:02/2", "nwparser.p0", "info"); var all3 = all_match({ processors: [ @@ -727,7 +727,7 @@ var select12 = linear_select([ part64, ]); -var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "%{}[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); +var part65 = match("MESSAGE#54:ssl_acc/2", "nwparser.p0", "[%{fld20->} %{timezone}] \"%{url}\" %{resultcode->} %{rbytes}"); var all4 = all_match({ processors: [ @@ -868,9 +868,9 @@ var msg69 = msg("014d0044", dup20); var part80 = match("MESSAGE#69:01490549/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3->} %{fld4->} %{severity->} %{fld5}[%{process_id}]: %{fld7}:%{fld6}: %{sessionid}: Assigned PPP Dynamic IPv4: %{stransaddr->} Tunnel Type: %{group->} %{fld8->} Resource: %{rulename->} Client IP: %{p0}"); -var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9->} "); +var part81 = match("MESSAGE#69:01490549/1_0", "nwparser.p0", "%{saddr->} - %{fld9}"); -var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", " %{saddr}"); +var part82 = match("MESSAGE#69:01490549/1_1", "nwparser.p0", "%{saddr}"); var select17 = linear_select([ part81, @@ -954,7 +954,7 @@ var part91 = match("MESSAGE#79:apmd:02/0", "nwparser.payload", "%{fld1->} %{fld2 var part92 = match("MESSAGE#79:apmd:02/1_0", "nwparser.p0", "%{fld6->} from host %{saddr}:%{sport->} %{fld7}"); -var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", " %{fld8}"); +var part93 = match("MESSAGE#79:apmd:02/1_1", "nwparser.p0", "%{fld8}"); var select18 = linear_select([ part92, diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml index 8dbd2e2e6cb0..895c0723f10d 100644 --- a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml @@ -55,9 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{rsa.web.fqdn}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/f5/bigipapm/manifest.yml b/x-pack/filebeat/module/f5/bigipapm/manifest.yml index f1b52ccede2a..6a527419285b 100644 --- a/x-pack/filebeat/module/f5/bigipapm/manifest.yml +++ b/x-pack/filebeat/module/f5/bigipapm/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9504 + default: 9526 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log b/x-pack/filebeat/module/f5/bigipapm/test/generated.log index 02f88d8e18b8..979e5ccffa4c 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log @@ -14,7 +14,7 @@ July 2016/07/18 18:40:50 lum high CROND[1675]: (sitvolup) CMD (cancel) August 2016/08/02 01:43:25 uipe very-high siarchi[2289]: 01490500: :aliqu: olupta:mipsumd:eFinib: New session from client IP 10.204.123.107 (ST=saute/CC=ercit/C=usmodt) at VIP 10.225.160.182 Listener mque August 2016/08/16 08:45:59 dol high quiratio[3386]: 01490511: :tisetq: tevelite: Initializing Access profile orporiss with max concurrent user sessions limit: 4739 August 2016/08/30 15:48:33 paquioff medium derit[4688]: 01490544: :hende: piscin: Received client info - https://mail.example.com/laboree/tfu.html?liqu=eporr#xeacomm -September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup +September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup September 2016/09/28 05:53:42 remag very-high abor[5983]: 01490103: :tquiin: tse: Retry Username 'tenimad' October 2016/10/12 12:56:16 niamqui low amcol[5625]: 01490113: :ipisci: gitsed: session.server.network.port is 4374 October 2016/10/26 19:58:50 nturma low cusant[4946]: 01490106: :etur: itecto: AD module: authentication with 'reetdol' failed: Preauthentication failed, principal name: totamre. success ercita @@ -39,7 +39,7 @@ July 2017/07/11 02:45:07 udan low essequam[3682]: 01490113: :urQuis: etcon: sess July 2017/07/25 09:47:41 gelitse very-high arc[2412]: 01490013: :radip: upta: AD agent: Retrieving AAA server: tetura August 2017/08/08 16:50:15 imavenia low mquido[5899]: 01490517: :rnat: rur: success August 2017/08/22 23:52:50 nonn high met[1580]: 01420002: : AUDIT - pid=2037 user=ptate folder=entsu module=conse status=failure cmd_data=ntut -September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem +September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem September 2017/09/20 13:57:58 reetdo medium lup[5051]: 01260009: :eos: Connection error:ipitlabo October 2017/10/04 21:00:32 reprehen very-high syslog-ng[6438]: imid October 2017/10/19 04:03:07 sunt very-high aturQu[7083]: 01490128: :tDuis: iqu: Webtop oriosamn assigned @@ -53,7 +53,7 @@ January 2018/01/27 05:21:06 itessequ low fdeFinib[2580]: 01490128: :sumd: sectet February 2018/02/10 12:23:41 quiav low rit: 0149016a: :eumfu: Initiating snapshot creation: lors for access profile: oluptat February 2018/02/24 19:26:15 oeiusmo very-high cusanti[5019]: 01420002: : AUDIT - pid=4996 user=rem folder=tseddoei module=teursint status=success cmd_data=remagnaa March 2018/03/11 02:28:49 ore low ovolupta: 0149016b: :volup: Completed snapshot creation: macc for access profile: ria -March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei +March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei April 2018/04/08 16:33:58 liq low mvolupta: syslog-ng: April 2018/04/22 23:36:32 exe high illum[2625]: 01490101: :emi: reprehen: Access profile: tvol configuration has been applied. Newly active generation count is: 5959 May 2018/05/07 06:39:06 iumt medium nulapari[1973]: 01490500: :tsunt: rnat:oremi:ectobeat: New session from client IP 10.187.64.126 (ST=uasiarch/CC=Malor/C=boriosa) at VIP 10.47.99.72 Listener upt (Reputation=oremipsu) @@ -93,7 +93,7 @@ August 2019/08/21 23:03:57 Nequepor low temseq[613]: 01490019: :ostrumex: suscip September 2019/09/05 06:06:31 ameaquei very-high uelaud[1306]: 01490544: :ameiu: utei: Received client info - https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia September 2019/09/19 13:09:05 psumqui high ncu: 01490079: :quaturve: ciad: Access policy 'diconseq' configuration has changed.Access profile 'utod' configuration changes need to be applied for the new configuration October 2019/10/03 20:11:40 giatquo low dipisciv[5944]: 01490013: :atquo: umetMa: AD agent: Retrieving AAA server: ngelitse -October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure*** +October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure*** November 2019/11/01 10:16:48 erc low tasnu: [syslog-ng] November 2019/11/15 17:19:22 ationevo very-high datatno[3538]: 01490019: :siar: orisnis: AD agent: Query: query with '(sAMAccountName=texp)' successful November 2019/11/30 00:21:57 pidat very-high sSMTP[6673]: ptateve diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index 81c2af5f702d..3d0b80597f35 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -439,7 +439,7 @@ "event.code": "014d0001", "event.dataset": "f5.bigipapm", "event.module": "f5", - "event.original": "September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup", + "event.original": "September 2016/09/13 22:51:07 fugiatnu high tobea[2364]: 014d0001: :tateve: ctx: itinvol, SERVER : eavolup", "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", @@ -448,7 +448,7 @@ "observer.type": "Access", "observer.vendor": "F5", "process.pid": 2364, - "rsa.db.index": "ctx: itinvol, SERVER : eavolup", + "rsa.db.index": "eavolup", "rsa.internal.messageid": "014d0001", "rsa.misc.severity": "high", "rsa.time.event_time": "2016-09-14T00:51:07.000Z", @@ -467,7 +467,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 1926, + "log.offset": 1925, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -495,7 +495,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 2033, + "log.offset": 2032, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -520,7 +520,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 2149, + "log.offset": 2148, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -549,7 +549,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 2342, + "log.offset": 2341, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -573,7 +573,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 2419, + "log.offset": 2418, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -598,7 +598,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 2506, + "log.offset": 2505, "network.application": "utaliqu", "observer.product": "Big-IP", "observer.type": "Access", @@ -623,7 +623,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 2634, + "log.offset": 2633, "network.application": "boNemoe", "observer.product": "Big-IP", "observer.type": "Access", @@ -648,7 +648,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 2736, + "log.offset": 2735, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -671,7 +671,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 2861, + "log.offset": 2860, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -693,7 +693,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 3012, + "log.offset": 3011, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -718,7 +718,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 3144, + "log.offset": 3143, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -750,7 +750,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 3347, + "log.offset": 3346, "network.protocol": "ipv6-icmp", "observer.product": "Big-IP", "observer.type": "Access", @@ -782,7 +782,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 3560, + "log.offset": 3559, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -807,7 +807,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 3621, + "log.offset": 3620, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -840,7 +840,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 3834, + "log.offset": 3833, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -873,7 +873,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 4061, + "log.offset": 4060, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -895,7 +895,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 4206, + "log.offset": 4205, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -919,7 +919,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 4328, + "log.offset": 4327, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -946,7 +946,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 4488, + "log.offset": 4487, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -977,7 +977,7 @@ "geo.region_name": "writte", "input.type": "log", "log.level": "low", - "log.offset": 4572, + "log.offset": 4571, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1008,7 +1008,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 4752, + "log.offset": 4751, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1033,7 +1033,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 4871, + "log.offset": 4870, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1057,7 +1057,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 4989, + "log.offset": 4988, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1083,7 +1083,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 5073, + "log.offset": 5072, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1110,20 +1110,18 @@ "event.code": "01490549", "event.dataset": "f5.bigipapm", "event.module": "f5", - "event.original": "September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem ", + "event.original": "September 2017/09/06 06:55:24 iconsequ high idunt[571]: 01490549: :siuta: atev: Assigned PPP Dynamic IPv4: 10.6.32.7 Tunnel Type: exerci inesciu Resource: quid Client IP: 10.198.70.58 - orem", "fileset.name": "bigipapm", "group.name": "exerci", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.level": "high", - "log.offset": 5216, + "log.offset": 5215, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", "process.pid": 571, "related.ip": [ + "10.198.70.58", "10.6.32.7" ], "rsa.internal.messageid": "01490549", @@ -1134,6 +1132,9 @@ "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "rule.name": "quid", "service.type": "f5", + "source.ip": [ + "10.198.70.58" + ], "source.nat.ip": "10.6.32.7", "tags": [ "f5.bigipapm", @@ -1149,7 +1150,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 5408, + "log.offset": 5406, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1173,7 +1174,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 5505, + "log.offset": 5503, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1198,7 +1199,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 5574, + "log.offset": 5572, "network.application": "oriosamn", "observer.product": "Big-IP", "observer.type": "Access", @@ -1223,7 +1224,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 5679, + "log.offset": 5677, "network.application": "sumquiad", "observer.product": "Big-IP", "observer.type": "Access", @@ -1248,7 +1249,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 5817, + "log.offset": 5815, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1271,7 +1272,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 5941, + "log.offset": 5939, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1298,7 +1299,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 6076, + "log.offset": 6074, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1321,7 +1322,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 6200, + "log.offset": 6198, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1343,7 +1344,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 6330, + "log.offset": 6328, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1367,7 +1368,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 6466, + "log.offset": 6464, "network.application": "edquian", "observer.product": "Big-IP", "observer.type": "Access", @@ -1392,7 +1393,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 6574, + "log.offset": 6572, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1415,7 +1416,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 6699, + "log.offset": 6697, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1446,7 +1447,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 6864, + "log.offset": 6862, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1464,21 +1465,19 @@ "event.code": "01490549", "event.dataset": "f5.bigipapm", "event.module": "f5", - "event.original": "March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei ", + "event.original": "March 2018/03/25 09:31:24 uisau high irat[2943]: 01490549: :emsequi: ueporroq: Assigned PPP Dynamic IPv4: 10.142.213.80 Tunnel Type: tationu gnaaliq Resource: olore Client IP: 10.16.181.60 - ameaquei", "fileset.name": "bigipapm", "group.name": "tationu", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.level": "high", - "log.offset": 6984, + "log.offset": 6982, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", "process.pid": 2943, "related.ip": [ - "10.142.213.80" + "10.142.213.80", + "10.16.181.60" ], "rsa.internal.messageid": "01490549", "rsa.misc.group": "tationu", @@ -1488,6 +1487,9 @@ "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "rule.name": "olore", "service.type": "f5", + "source.ip": [ + "10.16.181.60" + ], "source.nat.ip": "10.142.213.80", "tags": [ "f5.bigipapm", @@ -1503,7 +1505,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 7185, + "log.offset": 7182, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1527,7 +1529,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 7241, + "log.offset": 7238, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1559,14 +1561,14 @@ "geo.region_name": "uasiarch", "input.type": "log", "log.level": "medium", - "log.offset": 7407, + "log.offset": 7404, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.187.64.126", - "10.47.99.72" + "10.47.99.72", + "10.187.64.126" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", @@ -1591,7 +1593,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 7626, + "log.offset": 7623, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1616,7 +1618,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 7681, + "log.offset": 7678, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1641,7 +1643,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 7743, + "log.offset": 7740, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1665,7 +1667,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 7823, + "log.offset": 7820, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1689,7 +1691,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 7917, + "log.offset": 7914, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1714,7 +1716,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 7997, + "log.offset": 7994, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1737,7 +1739,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 8217, + "log.offset": 8214, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1759,7 +1761,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 8362, + "log.offset": 8359, "network.application": "cipitla", "observer.product": "Big-IP", "observer.type": "Access", @@ -1784,7 +1786,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 8476, + "log.offset": 8473, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1809,7 +1811,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 8584, + "log.offset": 8581, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1834,7 +1836,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 8709, + "log.offset": 8706, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1858,7 +1860,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 8833, + "log.offset": 8830, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1883,7 +1885,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 8950, + "log.offset": 8947, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1906,7 +1908,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 9158, + "log.offset": 9155, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1929,7 +1931,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 9279, + "log.offset": 9276, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1954,7 +1956,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 9403, + "log.offset": 9400, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -1979,7 +1981,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 9513, + "log.offset": 9510, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2005,7 +2007,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 9611, + "log.offset": 9608, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2036,7 +2038,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 9691, + "log.offset": 9688, "network.application": "did", "observer.product": "Big-IP", "observer.type": "Access", @@ -2061,7 +2063,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 9801, + "log.offset": 9798, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2083,7 +2085,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 9932, + "log.offset": 9929, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2108,7 +2110,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 10023, + "log.offset": 10020, "network.protocol": "rdp", "observer.product": "Big-IP", "observer.type": "Access", @@ -2140,7 +2142,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 10221, + "log.offset": 10218, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2165,7 +2167,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 10297, + "log.offset": 10294, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2191,7 +2193,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 10429, + "log.offset": 10426, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2222,7 +2224,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 10501, + "log.offset": 10498, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2244,7 +2246,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 10624, + "log.offset": 10621, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2273,7 +2275,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 10808, + "log.offset": 10805, "network.application": "imaven", "observer.product": "Big-IP", "observer.type": "Access", @@ -2298,7 +2300,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 10930, + "log.offset": 10927, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2324,7 +2326,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 11090, + "log.offset": 11087, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2348,7 +2350,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 11162, + "log.offset": 11159, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2375,7 +2377,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 11276, + "log.offset": 11273, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2400,7 +2402,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 11412, + "log.offset": 11409, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2430,7 +2432,7 @@ "http.request.referrer": "https://internal.example.net/lumquid/oluptat.jpg?equepor=iosamn#erspicia", "input.type": "log", "log.level": "very-high", - "log.offset": 11562, + "log.offset": 11559, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2454,7 +2456,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "high", - "log.offset": 11745, + "log.offset": 11742, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2477,7 +2479,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 11960, + "log.offset": 11957, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2498,11 +2500,11 @@ "event.code": "Rule", "event.dataset": "f5.bigipapm", "event.module": "f5", - "event.original": "October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure***", + "event.original": "October 2019/10/18 03:14:14 tem very-high giatnula[71]: Rule: enimadmi <: APM_EVENT=deny | aecon | sedq ***failure***", "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 12084, + "log.offset": 12081, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2536,7 +2538,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "low", - "log.offset": 12208, + "log.offset": 12204, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2560,7 +2562,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 12264, + "log.offset": 12260, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2589,7 +2591,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "very-high", - "log.offset": 12416, + "log.offset": 12412, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", @@ -2615,7 +2617,7 @@ "fileset.name": "bigipapm", "input.type": "log", "log.level": "medium", - "log.offset": 12482, + "log.offset": 12478, "observer.product": "Big-IP", "observer.type": "Access", "observer.vendor": "F5", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml index bd4606f0c136..b0d8c7684d80 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js b/x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js index 713b1829de4d..d8b278558d57 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js +++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/pipeline.js @@ -41,7 +41,7 @@ var dup9 = match("MESSAGE#2:ms-wbt-server", "nwparser.payload", "%{fld1->} %{fld dup8, ])); -var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} proto=%{hprotocol->} service=%{messageid->} status=%{haction->} src=%{hsaddr->} dst=%{hdaddr->} src_port=%{hsport->} dst_port=%{hdport->} %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -69,12 +69,12 @@ var hdr1 = match("HEADER#0:0001", "message", "%{hmonth->} %{hday->} %{htime->} % constant(" dst_port="), field("hdport"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} (%{messageid->} %{hfld5->} times in last %{hfld6}) %{hfld7->} %{hfld8}::%{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -98,12 +98,12 @@ var hdr2 = match("HEADER#1:0003", "message", "%{hmonth->} %{hday->} %{htime->} % constant(" "), field("hfld8"), constant("::"), - field("payload"), + field("p0"), ], }), ])); -var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} %{hhostname->} %{messageid->} %{hfld5}::%{p0}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -121,7 +121,7 @@ var hdr3 = match("HEADER#2:0002", "message", "%{hmonth->} %{hday->} %{htime->} % constant(" "), field("hfld5"), constant("::"), - field("payload"), + field("p0"), ], }), ])); diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml index 28bbbd0e58e2..28fa93a69a25 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml @@ -57,12 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' - - append: - field: related.hosts - value: '{{server.domain}}' - allow_duplicates: false - if: ctx?.server?.domain != null && ctx.server?.domain != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml index b070cd9c37e0..d51ef04d3323 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9510 + default: 9530 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index 2633519ac68d..3331f3928b16 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -21,8 +21,8 @@ "observer.vendor": "Fortinet", "process.pid": 7880, "related.hosts": [ - "boNemoe4402.www.invalid", - "litesse6379.api.domain" + "litesse6379.api.domain", + "boNemoe4402.www.invalid" ], "related.ip": [ "10.102.123.34", @@ -47,6 +47,9 @@ "rsa.network.domain": "litesse6379.api.domain", "rsa.network.network_service": "http", "server.domain": "litesse6379.api.domain", + "server.registered_domain": "api.domain", + "server.subdomain": "litesse6379", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.150.92.220" @@ -80,8 +83,8 @@ "observer.vendor": "Fortinet", "process.pid": 4539, "related.hosts": [ - "olupt4880.api.home", - "gnaali6189.internal.localhost" + "gnaali6189.internal.localhost", + "olupt4880.api.home" ], "related.ip": [ "10.33.212.159", @@ -106,6 +109,9 @@ "rsa.network.domain": "gnaali6189.internal.localhost", "rsa.network.network_service": "https", "server.domain": "gnaali6189.internal.localhost", + "server.registered_domain": "internal.localhost", + "server.subdomain": "gnaali6189", + "server.top_level_domain": "localhost", "service.type": "fortinet", "source.ip": [ "10.33.212.159" @@ -139,8 +145,8 @@ "observer.vendor": "Fortinet", "process.pid": 445, "related.hosts": [ - "aqu1628.internal.domain", - "quis1130.internal.corp" + "quis1130.internal.corp", + "aqu1628.internal.domain" ], "related.ip": [ "10.173.116.41", @@ -165,6 +171,9 @@ "rsa.network.domain": "quis1130.internal.corp", "rsa.network.network_service": "smtp", "server.domain": "quis1130.internal.corp", + "server.registered_domain": "internal.corp", + "server.subdomain": "quis1130", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.173.116.41" @@ -198,8 +207,8 @@ "observer.vendor": "Fortinet", "process.pid": 5712, "related.hosts": [ - "tinculp2940.internal.local", - "reprehe189.internal.home" + "reprehe189.internal.home", + "tinculp2940.internal.local" ], "related.ip": [ "10.134.137.177", @@ -224,6 +233,9 @@ "rsa.network.domain": "reprehe189.internal.home", "rsa.network.network_service": "https", "server.domain": "reprehe189.internal.home", + "server.registered_domain": "internal.home", + "server.subdomain": "reprehe189", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.134.137.177" @@ -257,8 +269,8 @@ "observer.vendor": "Fortinet", "process.pid": 6557, "related.hosts": [ - "rad2103.api.domain", - "enimad2283.internal.domain" + "enimad2283.internal.domain", + "rad2103.api.domain" ], "related.ip": [ "10.70.0.60", @@ -283,6 +295,9 @@ "rsa.network.domain": "enimad2283.internal.domain", "rsa.network.network_service": "pop3", "server.domain": "enimad2283.internal.domain", + "server.registered_domain": "internal.domain", + "server.subdomain": "enimad2283", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.245.142.250" @@ -316,8 +331,8 @@ "observer.vendor": "Fortinet", "process.pid": 2061, "related.hosts": [ - "enim5316.www5.local", - "doloreeu3553.www5.home" + "doloreeu3553.www5.home", + "enim5316.www5.local" ], "related.ip": [ "10.200.188.142", @@ -342,6 +357,9 @@ "rsa.network.domain": "doloreeu3553.www5.home", "rsa.network.network_service": "smtp", "server.domain": "doloreeu3553.www5.home", + "server.registered_domain": "www5.home", + "server.subdomain": "doloreeu3553", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.202.72.124" @@ -375,12 +393,12 @@ "observer.vendor": "Fortinet", "process.pid": 5722, "related.hosts": [ - "reetdolo2770.www5.local", - "iutal13.api.localdomain" + "iutal13.api.localdomain", + "reetdolo2770.www5.local" ], "related.ip": [ - "10.214.225.125", - "10.12.44.169" + "10.12.44.169", + "10.214.225.125" ], "related.user": [ "erep" @@ -401,6 +419,9 @@ "rsa.network.domain": "iutal13.api.localdomain", "rsa.network.network_service": "pop3", "server.domain": "iutal13.api.localdomain", + "server.registered_domain": "api.localdomain", + "server.subdomain": "iutal13", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.12.44.169" @@ -434,12 +455,12 @@ "observer.vendor": "Fortinet", "process.pid": 5037, "related.hosts": [ - "isiu1114.internal.corp", - "uovol492.www.localhost" + "uovol492.www.localhost", + "isiu1114.internal.corp" ], "related.ip": [ - "10.66.108.11", - "10.198.136.50" + "10.198.136.50", + "10.66.108.11" ], "related.user": [ "uptatev" @@ -460,6 +481,9 @@ "rsa.network.domain": "uovol492.www.localhost", "rsa.network.network_service": "http", "server.domain": "uovol492.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "uovol492", + "server.top_level_domain": "localhost", "service.type": "fortinet", "source.ip": [ "10.66.108.11" @@ -493,12 +517,12 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.hosts": [ - "usmodte1296.www.corp", - "osquir6997.corp" + "osquir6997.corp", + "usmodte1296.www.corp" ], "related.ip": [ - "10.69.20.77", - "10.178.244.31" + "10.178.244.31", + "10.69.20.77" ], "related.user": [ "umdolor" @@ -519,6 +543,8 @@ "rsa.network.domain": "osquir6997.corp", "rsa.network.network_service": "ms-wbt-server", "server.domain": "osquir6997.corp", + "server.registered_domain": "osquir6997.corp", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.178.244.31" @@ -552,12 +578,12 @@ "observer.vendor": "Fortinet", "process.pid": 6096, "related.hosts": [ - "tatno4987.www5.localhost", - "eniam7007.api.invalid" + "eniam7007.api.invalid", + "tatno4987.www5.localhost" ], "related.ip": [ - "10.203.5.162", - "10.54.231.100" + "10.54.231.100", + "10.203.5.162" ], "related.user": [ "umdolore" @@ -578,6 +604,9 @@ "rsa.network.domain": "eniam7007.api.invalid", "rsa.network.network_service": "pop3", "server.domain": "eniam7007.api.invalid", + "server.registered_domain": "api.invalid", + "server.subdomain": "eniam7007", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.54.231.100" @@ -611,12 +640,12 @@ "observer.vendor": "Fortinet", "process.pid": 7307, "related.hosts": [ - "tatno6787.internal.localhost", - "snulapar3794.api.domain" + "snulapar3794.api.domain", + "tatno6787.internal.localhost" ], "related.ip": [ - "10.136.252.240", - "10.65.83.160" + "10.65.83.160", + "10.136.252.240" ], "related.user": [ "ender" @@ -637,6 +666,9 @@ "rsa.network.domain": "snulapar3794.api.domain", "rsa.network.network_service": "pop3", "server.domain": "snulapar3794.api.domain", + "server.registered_domain": "api.domain", + "server.subdomain": "snulapar3794", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.65.83.160" @@ -670,8 +702,8 @@ "observer.vendor": "Fortinet", "process.pid": 2703, "related.hosts": [ - "essecill2595.mail.local", - "liq5883.localdomain" + "liq5883.localdomain", + "essecill2595.mail.local" ], "related.ip": [ "10.57.40.29", @@ -696,6 +728,8 @@ "rsa.network.domain": "liq5883.localdomain", "rsa.network.network_service": "http", "server.domain": "liq5883.localdomain", + "server.registered_domain": "liq5883.localdomain", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.57.40.29" @@ -729,8 +763,8 @@ "observer.vendor": "Fortinet", "process.pid": 5166, "related.hosts": [ - "ali6446.localhost", - "rsint7026.test" + "rsint7026.test", + "ali6446.localhost" ], "related.ip": [ "10.144.82.69", @@ -755,6 +789,8 @@ "rsa.network.domain": "rsint7026.test", "rsa.network.network_service": "smtp", "server.domain": "rsint7026.test", + "server.registered_domain": "rsint7026.test", + "server.top_level_domain": "test", "service.type": "fortinet", "source.ip": [ "10.144.82.69" @@ -788,12 +824,12 @@ "observer.vendor": "Fortinet", "process.pid": 7668, "related.hosts": [ - "torev7118.internal.domain", - "qua2945.www.local" + "qua2945.www.local", + "torev7118.internal.domain" ], "related.ip": [ - "10.109.232.112", - "10.72.58.135" + "10.72.58.135", + "10.109.232.112" ], "related.user": [ "xea" @@ -814,6 +850,9 @@ "rsa.network.domain": "qua2945.www.local", "rsa.network.network_service": "smtp", "server.domain": "qua2945.www.local", + "server.registered_domain": "www.local", + "server.subdomain": "qua2945", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.109.232.112" @@ -847,12 +886,12 @@ "observer.vendor": "Fortinet", "process.pid": 1044, "related.hosts": [ - "dolore6103.www5.example", - "luptat6494.www.example" + "luptat6494.www.example", + "dolore6103.www5.example" ], "related.ip": [ - "10.72.29.73", - "10.38.22.45" + "10.38.22.45", + "10.72.29.73" ], "related.user": [ "onproide" @@ -873,6 +912,9 @@ "rsa.network.domain": "luptat6494.www.example", "rsa.network.network_service": "http", "server.domain": "luptat6494.www.example", + "server.registered_domain": "www.example", + "server.subdomain": "luptat6494", + "server.top_level_domain": "example", "service.type": "fortinet", "source.ip": [ "10.38.22.45" @@ -906,12 +948,12 @@ "observer.vendor": "Fortinet", "process.pid": 7183, "related.hosts": [ - "errorsi6996.www.domain", - "moenimi6317.internal.invalid" + "moenimi6317.internal.invalid", + "errorsi6996.www.domain" ], "related.ip": [ - "10.70.95.74", - "10.76.72.111" + "10.76.72.111", + "10.70.95.74" ], "related.user": [ "ivelits" @@ -932,6 +974,9 @@ "rsa.network.domain": "moenimi6317.internal.invalid", "rsa.network.network_service": "smtp", "server.domain": "moenimi6317.internal.invalid", + "server.registered_domain": "internal.invalid", + "server.subdomain": "moenimi6317", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.70.95.74" @@ -965,8 +1010,8 @@ "observer.vendor": "Fortinet", "process.pid": 6907, "related.hosts": [ - "lumquido5839.api.corp", - "tion1761.home" + "tion1761.home", + "lumquido5839.api.corp" ], "related.ip": [ "10.19.201.13", @@ -991,6 +1036,8 @@ "rsa.network.domain": "tion1761.home", "rsa.network.network_service": "https", "server.domain": "tion1761.home", + "server.registered_domain": "tion1761.home", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.19.201.13" @@ -1024,12 +1071,12 @@ "observer.vendor": "Fortinet", "process.pid": 499, "related.hosts": [ - "aperia4409.www5.invalid", - "santium4235.api.local" + "santium4235.api.local", + "aperia4409.www5.invalid" ], "related.ip": [ - "10.78.151.178", - "10.84.105.75" + "10.84.105.75", + "10.78.151.178" ], "related.user": [ "iquaUten" @@ -1050,6 +1097,9 @@ "rsa.network.domain": "santium4235.api.local", "rsa.network.network_service": "ms-wbt-server", "server.domain": "santium4235.api.local", + "server.registered_domain": "api.local", + "server.subdomain": "santium4235", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.78.151.178" @@ -1083,12 +1133,12 @@ "observer.vendor": "Fortinet", "process.pid": 1531, "related.hosts": [ - "tem2496.api.lan", - "CSed2857.www5.example" + "CSed2857.www5.example", + "tem2496.api.lan" ], "related.ip": [ - "10.135.233.146", - "10.25.192.202" + "10.25.192.202", + "10.135.233.146" ], "related.user": [ "emeumfu" @@ -1109,6 +1159,9 @@ "rsa.network.domain": "CSed2857.www5.example", "rsa.network.network_service": "ms-wbt-server", "server.domain": "CSed2857.www5.example", + "server.registered_domain": "www5.example", + "server.subdomain": "CSed2857", + "server.top_level_domain": "example", "service.type": "fortinet", "source.ip": [ "10.135.233.146" @@ -1142,12 +1195,12 @@ "observer.vendor": "Fortinet", "process.pid": 6051, "related.hosts": [ - "eme6710.mail.invalid", - "equep5085.mail.domain" + "equep5085.mail.domain", + "eme6710.mail.invalid" ], "related.ip": [ - "10.121.219.204", - "10.104.134.200" + "10.104.134.200", + "10.121.219.204" ], "related.user": [ "uptat" @@ -1168,6 +1221,9 @@ "rsa.network.domain": "equep5085.mail.domain", "rsa.network.network_service": "https", "server.domain": "equep5085.mail.domain", + "server.registered_domain": "mail.domain", + "server.subdomain": "equep5085", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.121.219.204" @@ -1201,12 +1257,12 @@ "observer.vendor": "Fortinet", "process.pid": 6994, "related.hosts": [ - "ihilm1669.mail.invalid", - "conseq557.mail.lan" + "conseq557.mail.lan", + "ihilm1669.mail.invalid" ], "related.ip": [ - "10.191.105.82", - "10.225.160.182" + "10.225.160.182", + "10.191.105.82" ], "related.user": [ "eirure" @@ -1227,6 +1283,9 @@ "rsa.network.domain": "conseq557.mail.lan", "rsa.network.network_service": "https", "server.domain": "conseq557.mail.lan", + "server.registered_domain": "mail.lan", + "server.subdomain": "conseq557", + "server.top_level_domain": "lan", "service.type": "fortinet", "source.ip": [ "10.191.105.82" @@ -1260,12 +1319,12 @@ "observer.vendor": "Fortinet", "process.pid": 5200, "related.hosts": [ - "umexerci1284.internal.localdomain", - "ite2026.www.invalid" + "ite2026.www.invalid", + "umexerci1284.internal.localdomain" ], "related.ip": [ - "10.141.44.153", - "10.161.57.8" + "10.161.57.8", + "10.141.44.153" ], "related.user": [ "quisnos" @@ -1286,6 +1345,9 @@ "rsa.network.domain": "ite2026.www.invalid", "rsa.network.network_service": "smtp", "server.domain": "ite2026.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "ite2026", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.141.44.153" @@ -1319,12 +1381,12 @@ "observer.vendor": "Fortinet", "process.pid": 3365, "related.hosts": [ - "adol485.example", - "lit5929.test" + "lit5929.test", + "adol485.example" ], "related.ip": [ - "10.6.167.7", - "10.153.111.103" + "10.153.111.103", + "10.6.167.7" ], "related.user": [ "eumfug" @@ -1345,6 +1407,8 @@ "rsa.network.domain": "lit5929.test", "rsa.network.network_service": "https", "server.domain": "lit5929.test", + "server.registered_domain": "lit5929.test", + "server.top_level_domain": "test", "service.type": "fortinet", "source.ip": [ "10.153.111.103" @@ -1378,12 +1442,12 @@ "observer.vendor": "Fortinet", "process.pid": 1835, "related.hosts": [ - "evita5008.www.localdomain", - "oru6938.invalid" + "oru6938.invalid", + "evita5008.www.localdomain" ], "related.ip": [ - "10.248.204.182", - "10.134.148.219" + "10.134.148.219", + "10.248.204.182" ], "related.user": [ "uioffi" @@ -1404,6 +1468,8 @@ "rsa.network.domain": "oru6938.invalid", "rsa.network.network_service": "pop3", "server.domain": "oru6938.invalid", + "server.registered_domain": "oru6938.invalid", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.248.204.182" @@ -1437,12 +1503,12 @@ "observer.vendor": "Fortinet", "process.pid": 2019, "related.hosts": [ - "tsedqu2456.www5.invalid", - "etdol5473.local" + "etdol5473.local", + "tsedqu2456.www5.invalid" ], "related.ip": [ - "10.163.5.243", - "10.178.77.231" + "10.178.77.231", + "10.163.5.243" ], "related.user": [ "liquide" @@ -1463,6 +1529,8 @@ "rsa.network.domain": "etdol5473.local", "rsa.network.network_service": "smtp", "server.domain": "etdol5473.local", + "server.registered_domain": "etdol5473.local", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.178.77.231" @@ -1496,12 +1564,12 @@ "observer.vendor": "Fortinet", "process.pid": 2493, "related.hosts": [ - "ris3314.mail.invalid", - "nimid893.mail.corp" + "nimid893.mail.corp", + "ris3314.mail.invalid" ], "related.ip": [ - "10.221.89.228", - "10.177.194.18" + "10.177.194.18", + "10.221.89.228" ], "related.user": [ "aliquam" @@ -1522,6 +1590,9 @@ "rsa.network.domain": "nimid893.mail.corp", "rsa.network.network_service": "smtp", "server.domain": "nimid893.mail.corp", + "server.registered_domain": "mail.corp", + "server.subdomain": "nimid893", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.177.194.18" @@ -1555,8 +1626,8 @@ "observer.vendor": "Fortinet", "process.pid": 3022, "related.hosts": [ - "reme622.mail.example", - "rumwritt6003.host" + "rumwritt6003.host", + "reme622.mail.example" ], "related.ip": [ "10.32.239.1", @@ -1581,6 +1652,8 @@ "rsa.network.domain": "rumwritt6003.host", "rsa.network.network_service": "ms-wbt-server", "server.domain": "rumwritt6003.host", + "server.registered_domain": "rumwritt6003.host", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.241.65.49" @@ -1614,8 +1687,8 @@ "observer.vendor": "Fortinet", "process.pid": 2328, "related.hosts": [ - "non3341.mail.invalid", - "xeacomm6855.api.corp" + "xeacomm6855.api.corp", + "non3341.mail.invalid" ], "related.ip": [ "10.101.57.120", @@ -1640,6 +1713,9 @@ "rsa.network.domain": "xeacomm6855.api.corp", "rsa.network.network_service": "http", "server.domain": "xeacomm6855.api.corp", + "server.registered_domain": "api.corp", + "server.subdomain": "xeacomm6855", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.168.90.81" @@ -1673,12 +1749,12 @@ "observer.vendor": "Fortinet", "process.pid": 1156, "related.hosts": [ - "ris727.api.local", - "icabo4125.mail.domain" + "icabo4125.mail.domain", + "ris727.api.local" ], "related.ip": [ - "10.130.14.60", - "10.14.211.43" + "10.14.211.43", + "10.130.14.60" ], "related.user": [ "litse" @@ -1699,6 +1775,9 @@ "rsa.network.domain": "icabo4125.mail.domain", "rsa.network.network_service": "ms-wbt-server", "server.domain": "icabo4125.mail.domain", + "server.registered_domain": "mail.domain", + "server.subdomain": "icabo4125", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.14.211.43" @@ -1732,12 +1811,12 @@ "observer.vendor": "Fortinet", "process.pid": 6003, "related.hosts": [ - "stquido5705.api.host", - "ionofdeF5643.www.localhost" + "ionofdeF5643.www.localhost", + "stquido5705.api.host" ], "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.248.101.25", + "10.60.129.15" ], "related.user": [ "evolup" @@ -1758,6 +1837,9 @@ "rsa.network.domain": "ionofdeF5643.www.localhost", "rsa.network.network_service": "http", "server.domain": "ionofdeF5643.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "ionofdeF5643", + "server.top_level_domain": "localhost", "service.type": "fortinet", "source.ip": [ "10.60.129.15" @@ -1791,8 +1873,8 @@ "observer.vendor": "Fortinet", "process.pid": 5651, "related.hosts": [ - "etcons7378.api.lan", - "orem6702.invalid" + "orem6702.invalid", + "etcons7378.api.lan" ], "related.ip": [ "10.111.187.12", @@ -1817,6 +1899,8 @@ "rsa.network.domain": "orem6702.invalid", "rsa.network.network_service": "https", "server.domain": "orem6702.invalid", + "server.registered_domain": "orem6702.invalid", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.72.93.28" @@ -1850,8 +1934,8 @@ "observer.vendor": "Fortinet", "process.pid": 3470, "related.hosts": [ - "vita2681.www5.local", - "oin6780.mail.domain" + "oin6780.mail.domain", + "vita2681.www5.local" ], "related.ip": [ "10.27.14.168", @@ -1876,6 +1960,9 @@ "rsa.network.domain": "oin6780.mail.domain", "rsa.network.network_service": "ms-wbt-server", "server.domain": "oin6780.mail.domain", + "server.registered_domain": "mail.domain", + "server.subdomain": "oin6780", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.27.14.168" @@ -1909,8 +1996,8 @@ "observer.vendor": "Fortinet", "process.pid": 6932, "related.hosts": [ - "tnulapa7592.www.local", - "eprehen3224.www5.localdomain" + "eprehen3224.www5.localdomain", + "tnulapa7592.www.local" ], "related.ip": [ "10.75.99.127", @@ -1935,6 +2022,9 @@ "rsa.network.domain": "eprehen3224.www5.localdomain", "rsa.network.network_service": "ms-wbt-server", "server.domain": "eprehen3224.www5.localdomain", + "server.registered_domain": "www5.localdomain", + "server.subdomain": "eprehen3224", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.75.99.127" @@ -1968,8 +2058,8 @@ "observer.vendor": "Fortinet", "process.pid": 6945, "related.hosts": [ - "lup2134.www.localhost", - "ptasn6599.www.localhost" + "ptasn6599.www.localhost", + "lup2134.www.localhost" ], "related.ip": [ "10.245.104.182", @@ -1994,6 +2084,9 @@ "rsa.network.domain": "ptasn6599.www.localhost", "rsa.network.network_service": "pop3", "server.domain": "ptasn6599.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "ptasn6599", + "server.top_level_domain": "localhost", "service.type": "fortinet", "source.ip": [ "10.201.238.90" @@ -2027,8 +2120,8 @@ "observer.vendor": "Fortinet", "process.pid": 853, "related.hosts": [ - "tanimid3337.mail.corp", - "nisist2752.home" + "nisist2752.home", + "tanimid3337.mail.corp" ], "related.ip": [ "10.217.150.196", @@ -2053,6 +2146,8 @@ "rsa.network.domain": "nisist2752.home", "rsa.network.network_service": "http", "server.domain": "nisist2752.home", + "server.registered_domain": "nisist2752.home", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.217.150.196" @@ -2086,8 +2181,8 @@ "observer.vendor": "Fortinet", "process.pid": 4153, "related.hosts": [ - "eumiu765.api.lan", - "gitsedqu2649.mail.lan" + "gitsedqu2649.mail.lan", + "eumiu765.api.lan" ], "related.ip": [ "10.4.157.1", @@ -2112,6 +2207,9 @@ "rsa.network.domain": "gitsedqu2649.mail.lan", "rsa.network.network_service": "https", "server.domain": "gitsedqu2649.mail.lan", + "server.registered_domain": "mail.lan", + "server.subdomain": "gitsedqu2649", + "server.top_level_domain": "lan", "service.type": "fortinet", "source.ip": [ "10.4.157.1" @@ -2145,8 +2243,8 @@ "observer.vendor": "Fortinet", "process.pid": 1693, "related.hosts": [ - "mquelau5326.mail.lan", - "entsunt3962.www.example" + "entsunt3962.www.example", + "mquelau5326.mail.lan" ], "related.ip": [ "10.113.95.59", @@ -2171,6 +2269,9 @@ "rsa.network.domain": "entsunt3962.www.example", "rsa.network.network_service": "https", "server.domain": "entsunt3962.www.example", + "server.registered_domain": "www.example", + "server.subdomain": "entsunt3962", + "server.top_level_domain": "example", "service.type": "fortinet", "source.ip": [ "10.255.39.252" @@ -2204,8 +2305,8 @@ "observer.vendor": "Fortinet", "process.pid": 337, "related.hosts": [ - "idestlab2631.www.lan", - "tut2703.www.host" + "tut2703.www.host", + "idestlab2631.www.lan" ], "related.ip": [ "10.83.177.2", @@ -2230,6 +2331,9 @@ "rsa.network.domain": "tut2703.www.host", "rsa.network.network_service": "http", "server.domain": "tut2703.www.host", + "server.registered_domain": "www.host", + "server.subdomain": "tut2703", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.27.16.118" @@ -2263,12 +2367,12 @@ "observer.vendor": "Fortinet", "process.pid": 7041, "related.hosts": [ - "inesci6789.test", - "entorev160.test" + "entorev160.test", + "inesci6789.test" ], "related.ip": [ - "10.167.227.44", - "10.38.54.72" + "10.38.54.72", + "10.167.227.44" ], "related.user": [ "riamea" @@ -2289,6 +2393,8 @@ "rsa.network.domain": "entorev160.test", "rsa.network.network_service": "http", "server.domain": "entorev160.test", + "server.registered_domain": "entorev160.test", + "server.top_level_domain": "test", "service.type": "fortinet", "source.ip": [ "10.38.54.72" @@ -2322,12 +2428,12 @@ "observer.vendor": "Fortinet", "process.pid": 3854, "related.hosts": [ - "ccaeca7077.internal.corp", - "proide3714.mail.localdomain" + "proide3714.mail.localdomain", + "ccaeca7077.internal.corp" ], "related.ip": [ - "10.215.205.216", - "10.216.54.184" + "10.216.54.184", + "10.215.205.216" ], "related.user": [ "ameiusm" @@ -2348,6 +2454,9 @@ "rsa.network.domain": "proide3714.mail.localdomain", "rsa.network.network_service": "http", "server.domain": "proide3714.mail.localdomain", + "server.registered_domain": "mail.localdomain", + "server.subdomain": "proide3714", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.216.54.184" @@ -2381,12 +2490,12 @@ "observer.vendor": "Fortinet", "process.pid": 55, "related.hosts": [ - "ima2031.api.corp", - "tot5313.mail.invalid" + "tot5313.mail.invalid", + "ima2031.api.corp" ], "related.ip": [ - "10.9.12.248", - "10.9.18.237" + "10.9.18.237", + "10.9.12.248" ], "related.user": [ "uradi" @@ -2407,6 +2516,9 @@ "rsa.network.domain": "tot5313.mail.invalid", "rsa.network.network_service": "smtp", "server.domain": "tot5313.mail.invalid", + "server.registered_domain": "mail.invalid", + "server.subdomain": "tot5313", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.9.12.248" @@ -2440,12 +2552,12 @@ "observer.vendor": "Fortinet", "process.pid": 228, "related.hosts": [ - "ian867.internal.corp", - "rumet3801.internal.domain" + "rumet3801.internal.domain", + "ian867.internal.corp" ], "related.ip": [ - "10.83.130.226", - "10.41.123.102" + "10.41.123.102", + "10.83.130.226" ], "related.user": [ "tenim" @@ -2466,6 +2578,9 @@ "rsa.network.domain": "rumet3801.internal.domain", "rsa.network.network_service": "https", "server.domain": "rumet3801.internal.domain", + "server.registered_domain": "internal.domain", + "server.subdomain": "rumet3801", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.83.130.226" @@ -2499,12 +2614,12 @@ "observer.vendor": "Fortinet", "process.pid": 4253, "related.hosts": [ - "lorin4249.corp", - "liqua2834.www5.lan" + "liqua2834.www5.lan", + "lorin4249.corp" ], "related.ip": [ - "10.175.112.197", - "10.80.152.108" + "10.80.152.108", + "10.175.112.197" ], "related.user": [ "tametcon" @@ -2525,6 +2640,9 @@ "rsa.network.domain": "liqua2834.www5.lan", "rsa.network.network_service": "pop3", "server.domain": "liqua2834.www5.lan", + "server.registered_domain": "www5.lan", + "server.subdomain": "liqua2834", + "server.top_level_domain": "lan", "service.type": "fortinet", "source.ip": [ "10.175.112.197" @@ -2558,8 +2676,8 @@ "observer.vendor": "Fortinet", "process.pid": 2200, "related.hosts": [ - "gnaaliqu3935.api.test", - "sequat7273.api.host" + "sequat7273.api.host", + "gnaaliqu3935.api.test" ], "related.ip": [ "10.142.25.100", @@ -2584,6 +2702,9 @@ "rsa.network.domain": "sequat7273.api.host", "rsa.network.network_service": "smtp", "server.domain": "sequat7273.api.host", + "server.registered_domain": "api.host", + "server.subdomain": "sequat7273", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.134.18.114" @@ -2617,12 +2738,12 @@ "observer.vendor": "Fortinet", "process.pid": 5717, "related.hosts": [ - "nsequat1859.internal.localhost", - "uidol4575.localhost" + "uidol4575.localhost", + "nsequat1859.internal.localhost" ], "related.ip": [ - "10.223.119.218", - "10.28.118.160" + "10.28.118.160", + "10.223.119.218" ], "related.user": [ "ntsunt" @@ -2643,6 +2764,8 @@ "rsa.network.domain": "uidol4575.localhost", "rsa.network.network_service": "http", "server.domain": "uidol4575.localhost", + "server.registered_domain": "uidol4575.localhost", + "server.top_level_domain": "localhost", "service.type": "fortinet", "source.ip": [ "10.28.118.160" @@ -2676,8 +2799,8 @@ "observer.vendor": "Fortinet", "process.pid": 4469, "related.hosts": [ - "ritin2495.api.corp", - "oremq2000.api.corp" + "oremq2000.api.corp", + "ritin2495.api.corp" ], "related.ip": [ "10.47.28.48", @@ -2702,6 +2825,9 @@ "rsa.network.domain": "oremq2000.api.corp", "rsa.network.network_service": "https", "server.domain": "oremq2000.api.corp", + "server.registered_domain": "api.corp", + "server.subdomain": "oremq2000", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.110.114.175" @@ -2735,8 +2861,8 @@ "observer.vendor": "Fortinet", "process.pid": 5524, "related.hosts": [ - "tetur2694.mail.local", - "oremi1485.api.localhost" + "oremi1485.api.localhost", + "tetur2694.mail.local" ], "related.ip": [ "10.40.251.202", @@ -2761,6 +2887,9 @@ "rsa.network.domain": "oremi1485.api.localhost", "rsa.network.network_service": "pop3", "server.domain": "oremi1485.api.localhost", + "server.registered_domain": "api.localhost", + "server.subdomain": "oremi1485", + "server.top_level_domain": "localhost", "service.type": "fortinet", "source.ip": [ "10.40.251.202" @@ -2794,12 +2923,12 @@ "observer.vendor": "Fortinet", "process.pid": 3624, "related.hosts": [ - "rem7043.localhost", - "sequatD5469.www5.lan" + "sequatD5469.www5.lan", + "rem7043.localhost" ], "related.ip": [ - "10.65.2.106", - "10.227.173.252" + "10.227.173.252", + "10.65.2.106" ], "related.user": [ "itation" @@ -2820,6 +2949,9 @@ "rsa.network.domain": "sequatD5469.www5.lan", "rsa.network.network_service": "ms-wbt-server", "server.domain": "sequatD5469.www5.lan", + "server.registered_domain": "www5.lan", + "server.subdomain": "sequatD5469", + "server.top_level_domain": "lan", "service.type": "fortinet", "source.ip": [ "10.65.2.106" @@ -2853,12 +2985,12 @@ "observer.vendor": "Fortinet", "process.pid": 1609, "related.hosts": [ - "emqu2846.internal.home", - "item2738.test" + "item2738.test", + "emqu2846.internal.home" ], "related.ip": [ - "10.28.84.106", - "10.193.233.229" + "10.193.233.229", + "10.28.84.106" ], "related.user": [ "tla" @@ -2879,6 +3011,8 @@ "rsa.network.domain": "item2738.test", "rsa.network.network_service": "https", "server.domain": "item2738.test", + "server.registered_domain": "item2738.test", + "server.top_level_domain": "test", "service.type": "fortinet", "source.ip": [ "10.193.233.229" @@ -2912,12 +3046,12 @@ "observer.vendor": "Fortinet", "process.pid": 6248, "related.hosts": [ - "dqu6144.api.localhost", - "iosamnis1047.internal.localdomain" + "iosamnis1047.internal.localdomain", + "dqu6144.api.localhost" ], "related.ip": [ - "10.150.245.88", - "10.210.89.183" + "10.210.89.183", + "10.150.245.88" ], "related.user": [ "sequa" @@ -2938,6 +3072,9 @@ "rsa.network.domain": "iosamnis1047.internal.localdomain", "rsa.network.network_service": "ms-wbt-server", "server.domain": "iosamnis1047.internal.localdomain", + "server.registered_domain": "internal.localdomain", + "server.subdomain": "iosamnis1047", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.150.245.88" @@ -2971,12 +3108,12 @@ "observer.vendor": "Fortinet", "process.pid": 7224, "related.hosts": [ - "giatquov1918.internal.example", - "orroq6677.internal.example" + "orroq6677.internal.example", + "giatquov1918.internal.example" ], "related.ip": [ - "10.180.195.43", - "10.85.185.13" + "10.85.185.13", + "10.180.195.43" ], "related.user": [ "voluptas" @@ -2997,6 +3134,9 @@ "rsa.network.domain": "orroq6677.internal.example", "rsa.network.network_service": "ms-wbt-server", "server.domain": "orroq6677.internal.example", + "server.registered_domain": "internal.example", + "server.subdomain": "orroq6677", + "server.top_level_domain": "example", "service.type": "fortinet", "source.ip": [ "10.180.195.43" @@ -3030,8 +3170,8 @@ "observer.vendor": "Fortinet", "process.pid": 430, "related.hosts": [ - "estl5804.internal.local", - "onevo4326.internal.local" + "onevo4326.internal.local", + "estl5804.internal.local" ], "related.ip": [ "10.210.28.247", @@ -3056,6 +3196,9 @@ "rsa.network.domain": "onevo4326.internal.local", "rsa.network.network_service": "ms-wbt-server", "server.domain": "onevo4326.internal.local", + "server.registered_domain": "internal.local", + "server.subdomain": "onevo4326", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.207.211.230" @@ -3089,8 +3232,8 @@ "observer.vendor": "Fortinet", "process.pid": 3589, "related.hosts": [ - "Sedut1775.www.domain", - "itaedict7233.mail.localdomain" + "itaedict7233.mail.localdomain", + "Sedut1775.www.domain" ], "related.ip": [ "10.248.165.185", @@ -3115,6 +3258,9 @@ "rsa.network.domain": "itaedict7233.mail.localdomain", "rsa.network.network_service": "ms-wbt-server", "server.domain": "itaedict7233.mail.localdomain", + "server.registered_domain": "mail.localdomain", + "server.subdomain": "itaedict7233", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.86.11.48" @@ -3148,12 +3294,12 @@ "observer.vendor": "Fortinet", "process.pid": 4814, "related.hosts": [ - "mac7484.www5.test", - "numquam5869.internal.example" + "numquam5869.internal.example", + "mac7484.www5.test" ], "related.ip": [ - "10.47.125.38", - "10.118.6.177" + "10.118.6.177", + "10.47.125.38" ], "related.user": [ "quunt" @@ -3174,6 +3320,9 @@ "rsa.network.domain": "numquam5869.internal.example", "rsa.network.network_service": "http", "server.domain": "numquam5869.internal.example", + "server.registered_domain": "internal.example", + "server.subdomain": "numquam5869", + "server.top_level_domain": "example", "service.type": "fortinet", "source.ip": [ "10.118.6.177" @@ -3207,12 +3356,12 @@ "observer.vendor": "Fortinet", "process.pid": 276, "related.hosts": [ - "oin1140.mail.localhost", - "onu6137.api.home" + "onu6137.api.home", + "oin1140.mail.localhost" ], "related.ip": [ - "10.50.233.155", - "10.60.142.127" + "10.60.142.127", + "10.50.233.155" ], "related.user": [ "atv" @@ -3233,6 +3382,9 @@ "rsa.network.domain": "onu6137.api.home", "rsa.network.network_service": "pop3", "server.domain": "onu6137.api.home", + "server.registered_domain": "api.home", + "server.subdomain": "onu6137", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.50.233.155" @@ -3266,8 +3418,8 @@ "observer.vendor": "Fortinet", "process.pid": 2452, "related.hosts": [ - "naaliq3710.api.local", - "aecatcup2241.www5.test" + "aecatcup2241.www5.test", + "naaliq3710.api.local" ], "related.ip": [ "10.120.10.211", @@ -3292,6 +3444,9 @@ "rsa.network.domain": "aecatcup2241.www5.test", "rsa.network.network_service": "http", "server.domain": "aecatcup2241.www5.test", + "server.registered_domain": "www5.test", + "server.subdomain": "aecatcup2241", + "server.top_level_domain": "test", "service.type": "fortinet", "source.ip": [ "10.28.82.189" @@ -3325,12 +3480,12 @@ "observer.vendor": "Fortinet", "process.pid": 3453, "related.hosts": [ - "volupta3552.internal.localhost", - "labor6360.mail.local" + "labor6360.mail.local", + "volupta3552.internal.localhost" ], "related.ip": [ - "10.31.237.225", - "10.6.38.163" + "10.6.38.163", + "10.31.237.225" ], "related.user": [ "olup" @@ -3351,6 +3506,9 @@ "rsa.network.domain": "labor6360.mail.local", "rsa.network.network_service": "pop3", "server.domain": "labor6360.mail.local", + "server.registered_domain": "mail.local", + "server.subdomain": "labor6360", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.31.237.225" @@ -3384,12 +3542,12 @@ "observer.vendor": "Fortinet", "process.pid": 2302, "related.hosts": [ - "onse380.internal.localdomain", - "mveleum4322.www5.host" + "mveleum4322.www5.host", + "onse380.internal.localdomain" ], "related.ip": [ - "10.125.165.144", - "10.226.5.189" + "10.226.5.189", + "10.125.165.144" ], "related.user": [ "mvolu" @@ -3410,6 +3568,9 @@ "rsa.network.domain": "mveleum4322.www5.host", "rsa.network.network_service": "https", "server.domain": "mveleum4322.www5.host", + "server.registered_domain": "www5.host", + "server.subdomain": "mveleum4322", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.226.5.189" @@ -3443,8 +3604,8 @@ "observer.vendor": "Fortinet", "process.pid": 7079, "related.hosts": [ - "queips4947.mail.example", - "archite1843.mail.home" + "archite1843.mail.home", + "queips4947.mail.example" ], "related.ip": [ "10.46.56.204", @@ -3469,6 +3630,9 @@ "rsa.network.domain": "archite1843.mail.home", "rsa.network.network_service": "smtp", "server.domain": "archite1843.mail.home", + "server.registered_domain": "mail.home", + "server.subdomain": "archite1843", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.97.149.97" @@ -3502,12 +3666,12 @@ "observer.vendor": "Fortinet", "process.pid": 5773, "related.hosts": [ - "oloreseo5039.test", - "itanim4024.api.example" + "itanim4024.api.example", + "oloreseo5039.test" ], "related.ip": [ - "10.28.105.124", - "10.218.0.197" + "10.218.0.197", + "10.28.105.124" ], "related.user": [ "ntNe" @@ -3528,6 +3692,9 @@ "rsa.network.domain": "itanim4024.api.example", "rsa.network.network_service": "https", "server.domain": "itanim4024.api.example", + "server.registered_domain": "api.example", + "server.subdomain": "itanim4024", + "server.top_level_domain": "example", "service.type": "fortinet", "source.ip": [ "10.218.0.197" @@ -3561,8 +3728,8 @@ "observer.vendor": "Fortinet", "process.pid": 1586, "related.hosts": [ - "minim459.mail.local", - "nreprehe715.api.home" + "nreprehe715.api.home", + "minim459.mail.local" ], "related.ip": [ "10.123.199.198", @@ -3587,6 +3754,9 @@ "rsa.network.domain": "nreprehe715.api.home", "rsa.network.network_service": "https", "server.domain": "nreprehe715.api.home", + "server.registered_domain": "api.home", + "server.subdomain": "nreprehe715", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.123.199.198" @@ -3620,8 +3790,8 @@ "observer.vendor": "Fortinet", "process.pid": 5137, "related.hosts": [ - "eratv211.api.host", - "unte893.internal.host" + "unte893.internal.host", + "eratv211.api.host" ], "related.ip": [ "10.115.68.40", @@ -3646,6 +3816,9 @@ "rsa.network.domain": "unte893.internal.host", "rsa.network.network_service": "https", "server.domain": "unte893.internal.host", + "server.registered_domain": "internal.host", + "server.subdomain": "unte893", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.38.86.177" @@ -3679,12 +3852,12 @@ "observer.vendor": "Fortinet", "process.pid": 5704, "related.hosts": [ - "aparia1179.www.localdomain", - "aspe951.mail.domain" + "aspe951.mail.domain", + "aparia1179.www.localdomain" ], "related.ip": [ - "10.115.174.107", - "10.193.118.163" + "10.193.118.163", + "10.115.174.107" ], "related.user": [ "exeacomm" @@ -3705,6 +3878,9 @@ "rsa.network.domain": "aspe951.mail.domain", "rsa.network.network_service": "https", "server.domain": "aspe951.mail.domain", + "server.registered_domain": "mail.domain", + "server.subdomain": "aspe951", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.193.118.163" @@ -3738,8 +3914,8 @@ "observer.vendor": "Fortinet", "process.pid": 2310, "related.hosts": [ - "iatqu6203.mail.corp", - "dipiscin4957.www.home" + "dipiscin4957.www.home", + "iatqu6203.mail.corp" ], "related.ip": [ "10.77.77.208", @@ -3764,6 +3940,9 @@ "rsa.network.domain": "dipiscin4957.www.home", "rsa.network.network_service": "http", "server.domain": "dipiscin4957.www.home", + "server.registered_domain": "www.home", + "server.subdomain": "dipiscin4957", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.37.128.49" @@ -3797,12 +3976,12 @@ "observer.vendor": "Fortinet", "process.pid": 5398, "related.hosts": [ - "ptasnula6576.api.invalid", - "econs2687.internal.localdomain" + "econs2687.internal.localdomain", + "ptasnula6576.api.invalid" ], "related.ip": [ - "10.54.73.158", - "10.1.96.93" + "10.1.96.93", + "10.54.73.158" ], "related.user": [ "lloinven" @@ -3823,6 +4002,9 @@ "rsa.network.domain": "econs2687.internal.localdomain", "rsa.network.network_service": "ms-wbt-server", "server.domain": "econs2687.internal.localdomain", + "server.registered_domain": "internal.localdomain", + "server.subdomain": "econs2687", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.54.73.158" @@ -3856,12 +4038,12 @@ "observer.vendor": "Fortinet", "process.pid": 2465, "related.hosts": [ - "mag1506.internal.domain", - "tiumto5834.api.lan" + "tiumto5834.api.lan", + "mag1506.internal.domain" ], "related.ip": [ - "10.182.152.242", - "10.131.126.109" + "10.131.126.109", + "10.182.152.242" ], "related.user": [ "dolor" @@ -3882,6 +4064,9 @@ "rsa.network.domain": "tiumto5834.api.lan", "rsa.network.network_service": "smtp", "server.domain": "tiumto5834.api.lan", + "server.registered_domain": "api.lan", + "server.subdomain": "tiumto5834", + "server.top_level_domain": "lan", "service.type": "fortinet", "source.ip": [ "10.131.126.109" @@ -3915,12 +4100,12 @@ "observer.vendor": "Fortinet", "process.pid": 6064, "related.hosts": [ - "fugits1163.host", - "iutal6032.www.test" + "iutal6032.www.test", + "fugits1163.host" ], "related.ip": [ - "10.181.247.224", - "10.77.229.168" + "10.77.229.168", + "10.181.247.224" ], "related.user": [ "adol" @@ -3941,6 +4126,9 @@ "rsa.network.domain": "iutal6032.www.test", "rsa.network.network_service": "http", "server.domain": "iutal6032.www.test", + "server.registered_domain": "www.test", + "server.subdomain": "iutal6032", + "server.top_level_domain": "test", "service.type": "fortinet", "source.ip": [ "10.181.247.224" @@ -3974,8 +4162,8 @@ "observer.vendor": "Fortinet", "process.pid": 2861, "related.hosts": [ - "gitse2463.www5.invalid", - "inculp2078.host" + "inculp2078.host", + "gitse2463.www5.invalid" ], "related.ip": [ "10.235.116.121", @@ -4000,6 +4188,8 @@ "rsa.network.domain": "inculp2078.host", "rsa.network.network_service": "http", "server.domain": "inculp2078.host", + "server.registered_domain": "inculp2078.host", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.235.116.121" @@ -4033,8 +4223,8 @@ "observer.vendor": "Fortinet", "process.pid": 3559, "related.hosts": [ - "temse6953.www.example", - "mexerc2757.internal.home" + "mexerc2757.internal.home", + "temse6953.www.example" ], "related.ip": [ "10.28.124.236", @@ -4059,6 +4249,9 @@ "rsa.network.domain": "mexerc2757.internal.home", "rsa.network.network_service": "https", "server.domain": "mexerc2757.internal.home", + "server.registered_domain": "internal.home", + "server.subdomain": "mexerc2757", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.149.193.117" @@ -4092,8 +4285,8 @@ "observer.vendor": "Fortinet", "process.pid": 1710, "related.hosts": [ - "deriti6952.mail.domain", - "squira4455.api.domain" + "squira4455.api.domain", + "deriti6952.mail.domain" ], "related.ip": [ "10.34.131.224", @@ -4118,6 +4311,9 @@ "rsa.network.domain": "squira4455.api.domain", "rsa.network.network_service": "http", "server.domain": "squira4455.api.domain", + "server.registered_domain": "api.domain", + "server.subdomain": "squira4455", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.34.131.224" @@ -4151,8 +4347,8 @@ "observer.vendor": "Fortinet", "process.pid": 4984, "related.hosts": [ - "abor1370.www.domain", - "emveleum3661.localhost" + "emveleum3661.localhost", + "abor1370.www.domain" ], "related.ip": [ "10.97.236.123", @@ -4177,6 +4373,8 @@ "rsa.network.domain": "emveleum3661.localhost", "rsa.network.network_service": "https", "server.domain": "emveleum3661.localhost", + "server.registered_domain": "emveleum3661.localhost", + "server.top_level_domain": "localhost", "service.type": "fortinet", "source.ip": [ "10.97.236.123" @@ -4210,8 +4408,8 @@ "observer.vendor": "Fortinet", "process.pid": 3421, "related.hosts": [ - "emullamc5418.mail.test", - "sedquiac6517.internal.localhost" + "sedquiac6517.internal.localhost", + "emullamc5418.mail.test" ], "related.ip": [ "10.82.133.66", @@ -4236,6 +4434,9 @@ "rsa.network.domain": "sedquiac6517.internal.localhost", "rsa.network.network_service": "ms-wbt-server", "server.domain": "sedquiac6517.internal.localhost", + "server.registered_domain": "internal.localhost", + "server.subdomain": "sedquiac6517", + "server.top_level_domain": "localhost", "service.type": "fortinet", "source.ip": [ "10.82.133.66" @@ -4269,8 +4470,8 @@ "observer.vendor": "Fortinet", "process.pid": 4020, "related.hosts": [ - "squirati7050.www5.lan", - "veniam3148.www5.home" + "veniam3148.www5.home", + "squirati7050.www5.lan" ], "related.ip": [ "10.170.252.219", @@ -4295,6 +4496,9 @@ "rsa.network.domain": "veniam3148.www5.home", "rsa.network.network_service": "pop3", "server.domain": "veniam3148.www5.home", + "server.registered_domain": "www5.home", + "server.subdomain": "veniam3148", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.180.180.230" @@ -4328,12 +4532,12 @@ "observer.vendor": "Fortinet", "process.pid": 617, "related.hosts": [ - "venia2079.mail.example", - "unt3559.www.home" + "unt3559.www.home", + "venia2079.mail.example" ], "related.ip": [ - "10.5.11.205", - "10.65.144.51" + "10.65.144.51", + "10.5.11.205" ], "related.user": [ "uptat" @@ -4354,6 +4558,9 @@ "rsa.network.domain": "unt3559.www.home", "rsa.network.network_service": "http", "server.domain": "unt3559.www.home", + "server.registered_domain": "www.home", + "server.subdomain": "unt3559", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.5.11.205" @@ -4387,12 +4594,12 @@ "observer.vendor": "Fortinet", "process.pid": 487, "related.hosts": [ - "snostrum3450.www5.localhost", - "rere5274.mail.domain" + "rere5274.mail.domain", + "snostrum3450.www5.localhost" ], "related.ip": [ - "10.76.122.196", - "10.195.223.82" + "10.195.223.82", + "10.76.122.196" ], "related.user": [ "umiurer" @@ -4413,6 +4620,9 @@ "rsa.network.domain": "rere5274.mail.domain", "rsa.network.network_service": "smtp", "server.domain": "rere5274.mail.domain", + "server.registered_domain": "mail.domain", + "server.subdomain": "rere5274", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.195.223.82" @@ -4446,8 +4656,8 @@ "observer.vendor": "Fortinet", "process.pid": 2442, "related.hosts": [ - "gelitsed3249.corp", - "uaeabi3728.www5.invalid" + "uaeabi3728.www5.invalid", + "gelitsed3249.corp" ], "related.ip": [ "10.225.255.211", @@ -4472,6 +4682,9 @@ "rsa.network.domain": "uaeabi3728.www5.invalid", "rsa.network.network_service": "ms-wbt-server", "server.domain": "uaeabi3728.www5.invalid", + "server.registered_domain": "www5.invalid", + "server.subdomain": "uaeabi3728", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.138.210.116" @@ -4505,8 +4718,8 @@ "observer.vendor": "Fortinet", "process.pid": 6311, "related.hosts": [ - "dolor7082.internal.localhost", - "uamqu2804.test" + "uamqu2804.test", + "dolor7082.internal.localhost" ], "related.ip": [ "10.250.81.189", @@ -4531,6 +4744,8 @@ "rsa.network.domain": "uamqu2804.test", "rsa.network.network_service": "smtp", "server.domain": "uamqu2804.test", + "server.registered_domain": "uamqu2804.test", + "server.top_level_domain": "test", "service.type": "fortinet", "source.ip": [ "10.250.81.189" @@ -4564,8 +4779,8 @@ "observer.vendor": "Fortinet", "process.pid": 7128, "related.hosts": [ - "totam6886.api.localhost", - "olor5201.host" + "olor5201.host", + "totam6886.api.localhost" ], "related.ip": [ "10.54.23.133", @@ -4590,6 +4805,8 @@ "rsa.network.domain": "olor5201.host", "rsa.network.network_service": "https", "server.domain": "olor5201.host", + "server.registered_domain": "olor5201.host", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.54.23.133" @@ -4623,12 +4840,12 @@ "observer.vendor": "Fortinet", "process.pid": 2780, "related.hosts": [ - "laborum5749.www.example", - "eufug3348.www.lan" + "eufug3348.www.lan", + "laborum5749.www.example" ], "related.ip": [ - "10.189.42.62", - "10.36.110.69" + "10.36.110.69", + "10.189.42.62" ], "related.user": [ "eque" @@ -4649,6 +4866,9 @@ "rsa.network.domain": "eufug3348.www.lan", "rsa.network.network_service": "http", "server.domain": "eufug3348.www.lan", + "server.registered_domain": "www.lan", + "server.subdomain": "eufug3348", + "server.top_level_domain": "lan", "service.type": "fortinet", "source.ip": [ "10.36.110.69" @@ -4682,8 +4902,8 @@ "observer.vendor": "Fortinet", "process.pid": 3284, "related.hosts": [ - "lup3313.api.home", - "stquidol239.www5.invalid" + "stquidol239.www5.invalid", + "lup3313.api.home" ], "related.ip": [ "10.47.179.68", @@ -4708,6 +4928,9 @@ "rsa.network.domain": "stquidol239.www5.invalid", "rsa.network.network_service": "https", "server.domain": "stquidol239.www5.invalid", + "server.registered_domain": "www5.invalid", + "server.subdomain": "stquidol239", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.47.179.68" @@ -4741,12 +4964,12 @@ "observer.vendor": "Fortinet", "process.pid": 2314, "related.hosts": [ - "edq5397.www.test", - "gia6531.mail.invalid" + "gia6531.mail.invalid", + "edq5397.www.test" ], "related.ip": [ - "10.73.28.165", - "10.221.206.74" + "10.221.206.74", + "10.73.28.165" ], "related.user": [ "quas" @@ -4767,6 +4990,9 @@ "rsa.network.domain": "gia6531.mail.invalid", "rsa.network.network_service": "pop3", "server.domain": "gia6531.mail.invalid", + "server.registered_domain": "mail.invalid", + "server.subdomain": "gia6531", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.73.28.165" @@ -4800,8 +5026,8 @@ "observer.vendor": "Fortinet", "process.pid": 5284, "related.hosts": [ - "udan6536.www5.test", - "lamcola4879.www5.localdomain" + "lamcola4879.www5.localdomain", + "udan6536.www5.test" ], "related.ip": [ "10.85.104.146", @@ -4826,6 +5052,9 @@ "rsa.network.domain": "lamcola4879.www5.localdomain", "rsa.network.network_service": "ms-wbt-server", "server.domain": "lamcola4879.www5.localdomain", + "server.registered_domain": "www5.localdomain", + "server.subdomain": "lamcola4879", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.85.104.146" @@ -4859,12 +5088,12 @@ "observer.vendor": "Fortinet", "process.pid": 3990, "related.hosts": [ - "rumet6923.www5.lan", - "edquian330.mail.local" + "edquian330.mail.local", + "rumet6923.www5.lan" ], "related.ip": [ - "10.30.246.132", - "10.208.18.210" + "10.208.18.210", + "10.30.246.132" ], "related.user": [ "veniam" @@ -4885,6 +5114,9 @@ "rsa.network.domain": "edquian330.mail.local", "rsa.network.network_service": "https", "server.domain": "edquian330.mail.local", + "server.registered_domain": "mail.local", + "server.subdomain": "edquian330", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.208.18.210" @@ -4918,12 +5150,12 @@ "observer.vendor": "Fortinet", "process.pid": 4337, "related.hosts": [ - "itse522.internal.localdomain", - "santi837.api.domain" + "santi837.api.domain", + "itse522.internal.localdomain" ], "related.ip": [ - "10.106.249.91", - "10.19.119.17" + "10.19.119.17", + "10.106.249.91" ], "related.user": [ "lit" @@ -4944,6 +5176,9 @@ "rsa.network.domain": "santi837.api.domain", "rsa.network.network_service": "pop3", "server.domain": "santi837.api.domain", + "server.registered_domain": "api.domain", + "server.subdomain": "santi837", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.106.249.91" @@ -4977,12 +5212,12 @@ "observer.vendor": "Fortinet", "process.pid": 5275, "related.hosts": [ - "amc3059.local", - "lpaquiof804.internal.invalid" + "lpaquiof804.internal.invalid", + "amc3059.local" ], "related.ip": [ - "10.29.109.126", - "10.181.41.154" + "10.181.41.154", + "10.29.109.126" ], "related.user": [ "labo" @@ -5003,6 +5238,9 @@ "rsa.network.domain": "lpaquiof804.internal.invalid", "rsa.network.network_service": "http", "server.domain": "lpaquiof804.internal.invalid", + "server.registered_domain": "internal.invalid", + "server.subdomain": "lpaquiof804", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.29.109.126" @@ -5036,12 +5274,12 @@ "observer.vendor": "Fortinet", "process.pid": 2286, "related.hosts": [ - "enbyCi3813.api.domain", - "nonn4478.host" + "nonn4478.host", + "enbyCi3813.api.domain" ], "related.ip": [ - "10.164.120.197", - "10.164.207.42" + "10.164.207.42", + "10.164.120.197" ], "related.user": [ "pta" @@ -5062,6 +5300,8 @@ "rsa.network.domain": "nonn4478.host", "rsa.network.network_service": "https", "server.domain": "nonn4478.host", + "server.registered_domain": "nonn4478.host", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.164.207.42" @@ -5095,12 +5335,12 @@ "observer.vendor": "Fortinet", "process.pid": 2990, "related.hosts": [ - "liquipex1155.mail.corp", - "amquaer3985.www5.example" + "amquaer3985.www5.example", + "liquipex1155.mail.corp" ], "related.ip": [ - "10.154.191.225", - "10.183.189.133" + "10.183.189.133", + "10.154.191.225" ], "related.user": [ "ita" @@ -5121,6 +5361,9 @@ "rsa.network.domain": "amquaer3985.www5.example", "rsa.network.network_service": "smtp", "server.domain": "amquaer3985.www5.example", + "server.registered_domain": "www5.example", + "server.subdomain": "amquaer3985", + "server.top_level_domain": "example", "service.type": "fortinet", "source.ip": [ "10.183.189.133" @@ -5154,8 +5397,8 @@ "observer.vendor": "Fortinet", "process.pid": 226, "related.hosts": [ - "isn3991.local", - "orem6317.local" + "orem6317.local", + "isn3991.local" ], "related.ip": [ "10.103.189.199", @@ -5180,6 +5423,8 @@ "rsa.network.domain": "orem6317.local", "rsa.network.network_service": "smtp", "server.domain": "orem6317.local", + "server.registered_domain": "orem6317.local", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.29.120.226" @@ -5213,8 +5458,8 @@ "observer.vendor": "Fortinet", "process.pid": 4691, "related.hosts": [ - "iumtotam1010.www5.corp", - "velill3230.www.corp" + "velill3230.www.corp", + "iumtotam1010.www5.corp" ], "related.ip": [ "10.133.254.23", @@ -5239,6 +5484,9 @@ "rsa.network.domain": "velill3230.www.corp", "rsa.network.network_service": "https", "server.domain": "velill3230.www.corp", + "server.registered_domain": "www.corp", + "server.subdomain": "velill3230", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.133.254.23" @@ -5272,12 +5520,12 @@ "observer.vendor": "Fortinet", "process.pid": 5647, "related.hosts": [ - "onsecte91.www5.localdomain", - "orumS757.www5.corp" + "orumS757.www5.corp", + "onsecte91.www5.localdomain" ], "related.ip": [ - "10.126.245.73", - "10.91.2.135" + "10.91.2.135", + "10.126.245.73" ], "related.user": [ "olore" @@ -5298,6 +5546,9 @@ "rsa.network.domain": "orumS757.www5.corp", "rsa.network.network_service": "pop3", "server.domain": "orumS757.www5.corp", + "server.registered_domain": "www5.corp", + "server.subdomain": "orumS757", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.126.245.73" @@ -5331,12 +5582,12 @@ "observer.vendor": "Fortinet", "process.pid": 2313, "related.hosts": [ - "abori7686.internal.host", - "emi4534.www.localdomain" + "emi4534.www.localdomain", + "abori7686.internal.host" ], "related.ip": [ - "10.183.243.246", - "10.137.85.123" + "10.137.85.123", + "10.183.243.246" ], "related.user": [ "cid" @@ -5357,6 +5608,9 @@ "rsa.network.domain": "emi4534.www.localdomain", "rsa.network.network_service": "https", "server.domain": "emi4534.www.localdomain", + "server.registered_domain": "www.localdomain", + "server.subdomain": "emi4534", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.183.243.246" @@ -5390,12 +5644,12 @@ "observer.vendor": "Fortinet", "process.pid": 1585, "related.hosts": [ - "reprehen3513.test", - "inimav1576.mail.example" + "inimav1576.mail.example", + "reprehen3513.test" ], "related.ip": [ - "10.61.225.196", - "10.10.86.55" + "10.10.86.55", + "10.61.225.196" ], "related.user": [ "eniamqu" @@ -5416,6 +5670,9 @@ "rsa.network.domain": "inimav1576.mail.example", "rsa.network.network_service": "smtp", "server.domain": "inimav1576.mail.example", + "server.registered_domain": "mail.example", + "server.subdomain": "inimav1576", + "server.top_level_domain": "example", "service.type": "fortinet", "source.ip": [ "10.61.225.196" @@ -5449,12 +5706,12 @@ "observer.vendor": "Fortinet", "process.pid": 3141, "related.hosts": [ - "orroquis284.api.domain", - "aturQu7083.mail.host" + "aturQu7083.mail.host", + "orroquis284.api.domain" ], "related.ip": [ - "10.125.143.153", - "10.79.73.195" + "10.79.73.195", + "10.125.143.153" ], "related.user": [ "emip" @@ -5475,6 +5732,9 @@ "rsa.network.domain": "aturQu7083.mail.host", "rsa.network.network_service": "http", "server.domain": "aturQu7083.mail.host", + "server.registered_domain": "mail.host", + "server.subdomain": "aturQu7083", + "server.top_level_domain": "host", "service.type": "fortinet", "source.ip": [ "10.125.143.153" @@ -5508,8 +5768,8 @@ "observer.vendor": "Fortinet", "process.pid": 6331, "related.hosts": [ - "tionula2060.www5.localhost", - "lumqui7769.mail.local" + "lumqui7769.mail.local", + "tionula2060.www5.localhost" ], "related.ip": [ "10.64.139.17", @@ -5534,6 +5794,9 @@ "rsa.network.domain": "lumqui7769.mail.local", "rsa.network.network_service": "ms-wbt-server", "server.domain": "lumqui7769.mail.local", + "server.registered_domain": "mail.local", + "server.subdomain": "lumqui7769", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.240.216.85" @@ -5567,12 +5830,12 @@ "observer.vendor": "Fortinet", "process.pid": 4474, "related.hosts": [ - "rumSecti111.www5.domain", - "siarc6339.internal.corp" + "siarc6339.internal.corp", + "rumSecti111.www5.domain" ], "related.ip": [ - "10.87.90.49", - "10.222.245.80" + "10.222.245.80", + "10.87.90.49" ], "related.user": [ "ptatemse" @@ -5593,6 +5856,9 @@ "rsa.network.domain": "siarc6339.internal.corp", "rsa.network.network_service": "ms-wbt-server", "server.domain": "siarc6339.internal.corp", + "server.registered_domain": "internal.corp", + "server.subdomain": "siarc6339", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.87.90.49" @@ -5626,12 +5892,12 @@ "observer.vendor": "Fortinet", "process.pid": 4855, "related.hosts": [ - "olores7881.local", - "ptatev6552.www.test" + "ptatev6552.www.test", + "olores7881.local" ], "related.ip": [ - "10.87.144.208", - "10.143.53.214" + "10.143.53.214", + "10.87.144.208" ], "related.user": [ "psumq" @@ -5652,6 +5918,9 @@ "rsa.network.domain": "ptatev6552.www.test", "rsa.network.network_service": "pop3", "server.domain": "ptatev6552.www.test", + "server.registered_domain": "www.test", + "server.subdomain": "ptatev6552", + "server.top_level_domain": "test", "service.type": "fortinet", "source.ip": [ "10.143.53.214" @@ -5685,12 +5954,12 @@ "observer.vendor": "Fortinet", "process.pid": 1729, "related.hosts": [ - "tDuis3281.www5.localdomain", - "byC5766.internal.home" + "byC5766.internal.home", + "tDuis3281.www5.localdomain" ], "related.ip": [ - "10.204.178.19", - "10.105.97.134" + "10.105.97.134", + "10.204.178.19" ], "related.user": [ "mexercit" @@ -5711,6 +5980,9 @@ "rsa.network.domain": "byC5766.internal.home", "rsa.network.network_service": "pop3", "server.domain": "byC5766.internal.home", + "server.registered_domain": "internal.home", + "server.subdomain": "byC5766", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.204.178.19" @@ -5744,8 +6016,8 @@ "observer.vendor": "Fortinet", "process.pid": 4493, "related.hosts": [ - "uptasnul2751.www5.corp", - "hender6628.local" + "hender6628.local", + "uptasnul2751.www5.corp" ], "related.ip": [ "10.194.67.223", @@ -5770,6 +6042,8 @@ "rsa.network.domain": "hender6628.local", "rsa.network.network_service": "smtp", "server.domain": "hender6628.local", + "server.registered_domain": "hender6628.local", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.161.64.168" @@ -5803,12 +6077,12 @@ "observer.vendor": "Fortinet", "process.pid": 6094, "related.hosts": [ - "upt6017.api.localdomain", - "xercit7649.www5.home" + "xercit7649.www5.home", + "upt6017.api.localdomain" ], "related.ip": [ - "10.120.148.241", - "10.100.154.220" + "10.100.154.220", + "10.120.148.241" ], "related.user": [ "rsitam" @@ -5829,6 +6103,9 @@ "rsa.network.domain": "xercit7649.www5.home", "rsa.network.network_service": "smtp", "server.domain": "xercit7649.www5.home", + "server.registered_domain": "www5.home", + "server.subdomain": "xercit7649", + "server.top_level_domain": "home", "service.type": "fortinet", "source.ip": [ "10.100.154.220" @@ -5862,8 +6139,8 @@ "observer.vendor": "Fortinet", "process.pid": 5012, "related.hosts": [ - "tpers2217.internal.lan", - "porissu1470.domain" + "porissu1470.domain", + "tpers2217.internal.lan" ], "related.ip": [ "10.116.153.19", @@ -5888,6 +6165,8 @@ "rsa.network.domain": "porissu1470.domain", "rsa.network.network_service": "ms-wbt-server", "server.domain": "porissu1470.domain", + "server.registered_domain": "porissu1470.domain", + "server.top_level_domain": "domain", "service.type": "fortinet", "source.ip": [ "10.116.153.19" diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml index 1c87670646a0..08b243e6a02f 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js b/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js +++ b/x-pack/filebeat/module/fortinet/fortimail/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml index f142da3fcfb6..e4ed20982ec7 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml @@ -55,9 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{server.domain}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.server?.domain != null && ctx.server?.domain != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimail/manifest.yml b/x-pack/filebeat/module/fortinet/fortimail/manifest.yml index 321a6ff308a4..d9782e4e6eab 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/manifest.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9529 + default: 9545 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json index 0f8cf25378a0..6fafb0caaa17 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json @@ -44,6 +44,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "sperna884.internal.domain" + ], "related.ip": [ "10.165.201.71" ], @@ -283,6 +286,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "uradi7307.internal.corp" + ], "related.ip": [ "10.118.96.139" ], @@ -610,8 +616,10 @@ "rsa.misc.virusname": "ris", "rsa.network.domain": "lamcolab3252.www.invalid", "rsa.time.event_time": "2016-08-30T17:48:33.000Z", - "rsa.web.fqdn": "", "server.domain": "lamcolab3252.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "lamcolab3252", + "server.top_level_domain": "invalid", "service.type": "fortinet", "source.ip": [ "10.179.124.125" @@ -789,6 +797,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "str976.internal.localhost" + ], "related.ip": [ "10.166.225.26" ], @@ -828,6 +839,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "molli4306.www5.home" + ], "related.ip": [ "10.218.243.47" ], @@ -993,6 +1007,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "lapariat7287.internal.host" + ], "related.ip": [ "10.140.7.83", "10.68.246.187" @@ -1245,7 +1262,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.hosts": [ - "atise3421.www5.localdomain" + "atise3421.www5.localdomain", + "estl5804.internal.local" ], "related.ip": [ "10.73.207.70", @@ -1270,6 +1288,9 @@ "rsa.time.event_time": "2017-04-16T10:29:41.000Z", "rsa.web.fqdn": "estl5804.internal.local", "server.domain": "atise3421.www5.localdomain", + "server.registered_domain": "www5.localdomain", + "server.subdomain": "atise3421", + "server.top_level_domain": "localdomain", "service.type": "fortinet", "source.ip": [ "10.73.207.70" @@ -1947,6 +1968,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "edolori3822.api.home" + ], "related.ip": [ "10.63.177.46" ], @@ -2145,6 +2169,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "magnam3267.corp" + ], "related.ip": [ "10.95.32.86" ], @@ -2437,6 +2464,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "orroquis5179.local" + ], "related.ip": [ "10.252.96.71" ], @@ -2477,6 +2507,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "luptasnu757.www.home" + ], "related.ip": [ "10.174.210.232" ], @@ -2647,11 +2680,12 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.hosts": [ + "taevit4968.mail.local", "mveni5084.internal.local" ], "related.ip": [ - "10.144.111.42", - "10.62.61.1" + "10.62.61.1", + "10.144.111.42" ], "rsa.email.email_dst": "com", "rsa.email.email_src": "lam", @@ -2672,6 +2706,9 @@ "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "rsa.web.fqdn": "taevit4968.mail.local", "server.domain": "mveni5084.internal.local", + "server.registered_domain": "internal.local", + "server.subdomain": "mveni5084", + "server.top_level_domain": "local", "service.type": "fortinet", "source.ip": [ "10.144.111.42" @@ -2953,6 +2990,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "olaboris3175.internal.home" + ], "related.ip": [ "10.250.94.95" ], @@ -3091,11 +3131,12 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.hosts": [ + "modi6930.internal.test", "taevitae6868.www.corp" ], "related.ip": [ - "10.161.1.146", - "10.60.164.100" + "10.60.164.100", + "10.161.1.146" ], "rsa.email.email_dst": "nproiden", "rsa.email.email_src": "etconse", @@ -3116,6 +3157,9 @@ "rsa.time.event_time": "2019-01-19T15:25:23.000Z", "rsa.web.fqdn": "modi6930.internal.test", "server.domain": "taevitae6868.www.corp", + "server.registered_domain": "www.corp", + "server.subdomain": "taevitae6868", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.60.164.100" @@ -3191,7 +3235,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.hosts": [ - "tetura7106.www5.corp" + "tetura7106.www5.corp", + "uradip7802.mail.example" ], "related.ip": [ "10.44.35.57", @@ -3216,6 +3261,9 @@ "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "rsa.web.fqdn": "uradip7802.mail.example", "server.domain": "tetura7106.www5.corp", + "server.registered_domain": "www5.corp", + "server.subdomain": "tetura7106", + "server.top_level_domain": "corp", "service.type": "fortinet", "source.ip": [ "10.44.35.57" @@ -3793,6 +3841,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "ncu3839.www.localhost" + ], "related.ip": [ "10.201.105.58", "10.251.183.113" @@ -3838,8 +3889,8 @@ "observer.type": "Firewall", "observer.vendor": "Fortinet", "related.ip": [ - "10.132.139.98", - "10.209.203.156" + "10.209.203.156", + "10.132.139.98" ], "rsa.email.email_dst": "borisnis", "rsa.email.email_src": "pariat", @@ -3854,7 +3905,6 @@ "rsa.misc.severity": "low", "rsa.misc.virusname": "oremagn", "rsa.time.event_time": "2019-10-03T22:11:40.000Z", - "rsa.web.fqdn": "", "service.type": "fortinet", "source.ip": [ "10.209.203.156" @@ -3998,6 +4048,9 @@ "observer.product": "FortiMail", "observer.type": "Firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "ion3339.www.localdomain" + ], "related.ip": [ "10.209.124.81" ], diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml index 64e69979251b..b20b230f1b61 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js b/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js +++ b/x-pack/filebeat/module/fortinet/fortimanager/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml index 79b9a8856281..eda458f01ded 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml b/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml index f5759fce05ed..97a401f008cf 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9530 + default: 9546 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json index ee8c3414d5e1..71214cb1352f 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json @@ -24,10 +24,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "modtempo" + ], "related.ip": [ - "10.44.173.44", "10.189.58.145", - "10.20.234.169" + "10.20.234.169", + "10.44.173.44" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -91,6 +94,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.410", "related.hosts": [ + "pisciv", + "mvolu", "aer445.host" ], "related.ip": [ @@ -179,10 +184,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "ccaecat" + ], "related.ip": [ - "10.94.103.117", "10.15.159.80", - "10.200.188.142" + "10.200.188.142", + "10.94.103.117" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -243,10 +251,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "lorem" + ], "related.ip": [ "10.27.88.95", - "10.131.233.27", - "10.50.112.141" + "10.50.112.141", + "10.131.233.27" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -311,11 +322,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.5670", "related.hosts": [ + "ntutl", + "roinBCSe", "olo7148.mail.home" ], "related.ip": [ - "10.157.213.15", - "10.87.212.179" + "10.87.212.179", + "10.157.213.15" ], "related.user": [ "rveli" @@ -325,8 +338,8 @@ "rsa.investigations.event_vcat": "aveniam", "rsa.misc.OS": "oll", "rsa.misc.action": [ - "ali", - "allow" + "allow", + "ali" ], "rsa.misc.category": "emeumfug", "rsa.misc.client": "caecatc", @@ -402,11 +415,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.152", "related.hosts": [ + "orain", + "onse", "agna7678.internal.host" ], "related.ip": [ - "10.114.150.67", - "10.76.73.140" + "10.76.73.140", + "10.114.150.67" ], "related.user": [ "aperia" @@ -493,11 +508,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.4059", "related.hosts": [ + "tatn", + "utla", "equep5085.mail.domain" ], "related.ip": [ - "10.95.64.124", - "10.195.36.51" + "10.195.36.51", + "10.95.64.124" ], "related.user": [ "nnum" @@ -507,8 +524,8 @@ "rsa.investigations.event_vcat": "quae", "rsa.misc.OS": "qui", "rsa.misc.action": [ - "iadese", - "accept" + "accept", + "iadese" ], "rsa.misc.category": "aturve", "rsa.misc.client": "utei", @@ -581,10 +598,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "labore" + ], "related.ip": [ "10.186.85.3", - "10.176.216.90", - "10.114.16.155" + "10.114.16.155", + "10.176.216.90" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -648,6 +668,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.3917", "related.hosts": [ + "sperna", + "gnido", "eturadi6608.mail.host" ], "related.ip": [ @@ -739,6 +761,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.2580", "related.hosts": [ + "tani", + "ecte", "ipsumdol4488.api.localdomain" ], "related.ip": [ @@ -753,8 +777,8 @@ "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.OS": "Nequepor", "rsa.misc.action": [ - "sno", - "deny" + "deny", + "sno" ], "rsa.misc.category": "idolo", "rsa.misc.client": "volu", @@ -827,10 +851,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "diconseq" + ], "related.ip": [ - "10.58.214.16", + "10.106.162.153", "10.238.164.74", - "10.106.162.153" + "10.58.214.16" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -891,10 +918,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "tenimad" + ], "related.ip": [ - "10.110.31.190", "10.217.150.196", - "10.225.141.20" + "10.225.141.20", + "10.110.31.190" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -958,11 +988,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.3319", "related.hosts": [ + "mestq", + "amc", "cusant4946.www.domain" ], "related.ip": [ - "10.69.103.176", - "10.137.56.173" + "10.137.56.173", + "10.69.103.176" ], "related.user": [ "proide" @@ -1046,10 +1078,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "onsecte" + ], "related.ip": [ "10.5.235.217", - "10.25.212.118", - "10.30.47.165" + "10.30.47.165", + "10.25.212.118" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1113,6 +1148,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.225", "related.hosts": [ + "equaturv", + "tvolu", "ccaeca5504.internal.example" ], "related.ip": [ @@ -1127,8 +1164,8 @@ "rsa.investigations.event_vcat": "psumqu", "rsa.misc.OS": "oraincid", "rsa.misc.action": [ - "deny", - "ritt" + "ritt", + "deny" ], "rsa.misc.category": "idunt", "rsa.misc.client": "siu", @@ -1201,10 +1238,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "xea" + ], "related.ip": [ - "10.51.213.42", "10.233.120.207", - "10.98.194.212" + "10.98.194.212", + "10.51.213.42" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1265,10 +1305,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "tla" + ], "related.ip": [ "10.245.187.229", - "10.67.132.242", - "10.241.132.176" + "10.241.132.176", + "10.67.132.242" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1332,6 +1375,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.1847", "related.hosts": [ + "uii", + "cingel", "tore7088.www.invalid" ], "related.ip": [ @@ -1423,11 +1468,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.760", "related.hosts": [ + "dolorsit", + "rcit", "mve1890.internal.home" ], "related.ip": [ - "10.46.56.204", - "10.234.165.130" + "10.234.165.130", + "10.46.56.204" ], "related.user": [ "orese" @@ -1437,8 +1484,8 @@ "rsa.investigations.event_vcat": "metcons", "rsa.misc.OS": "ehende", "rsa.misc.action": [ - "umf", - "deny" + "deny", + "umf" ], "rsa.misc.category": "emUte", "rsa.misc.client": "archite", @@ -1514,6 +1561,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.4450", "related.hosts": [ + "billoi", + "saquaea", "eturad6143.www.home" ], "related.ip": [ @@ -1528,8 +1577,8 @@ "rsa.investigations.event_vcat": "boNem", "rsa.misc.OS": "ntium", "rsa.misc.action": [ - "block", - "acommodi" + "acommodi", + "block" ], "rsa.misc.category": "inrepreh", "rsa.misc.client": "moles", @@ -1605,6 +1654,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.7544", "related.hosts": [ + "ntium", + "billoinv", "orinrep5386.www.corp" ], "related.ip": [ @@ -1696,6 +1747,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.1710", "related.hosts": [ + "edquia", + "Nemo", "henderi724.www5.home" ], "related.ip": [ @@ -1787,11 +1840,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.5380", "related.hosts": [ + "onse", + "uei", "reseosqu1629.mail.lan" ], "related.ip": [ - "10.106.85.174", - "10.94.242.80" + "10.94.242.80", + "10.106.85.174" ], "related.user": [ "lmo" @@ -1876,9 +1931,12 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "oluptat" + ], "related.ip": [ - "10.117.63.181", "10.168.20.20", + "10.117.63.181", "10.247.53.179" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -1944,11 +2002,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.2208", "related.hosts": [ + "duntut", + "lamcola", "tasnul4179.internal.host" ], "related.ip": [ - "10.53.168.187", - "10.141.156.217" + "10.141.156.217", + "10.53.168.187" ], "related.user": [ "amqu" @@ -2036,6 +2096,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.3402", "related.hosts": [ + "imavenia", + "tur", "bore5546.www.local" ], "related.ip": [ @@ -2050,8 +2112,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "turadip", "rsa.misc.action": [ - "odoc", - "accept" + "accept", + "odoc" ], "rsa.misc.category": "volup", "rsa.misc.client": "tur", @@ -2127,11 +2189,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.91", "related.hosts": [ + "Dui", + "amquisno", "Utenima260.mail.invalid" ], "related.ip": [ - "10.151.170.207", - "10.181.183.104" + "10.181.183.104", + "10.151.170.207" ], "related.user": [ "iosamni" @@ -2141,8 +2205,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "onsecte", "rsa.misc.action": [ - "cancel", - "amni" + "amni", + "cancel" ], "rsa.misc.category": "umdolore", "rsa.misc.client": "modoc", @@ -2218,6 +2282,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.7278", "related.hosts": [ + "liquaUte", + "ectetura", "uido2046.mail.lan" ], "related.ip": [ @@ -2306,10 +2372,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "uio" + ], "related.ip": [ + "10.17.209.252", "10.111.182.212", - "10.37.161.101", - "10.17.209.252" + "10.37.161.101" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2370,10 +2439,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "itautfu" + ], "related.ip": [ "10.153.166.133", - "10.158.175.98", - "10.170.196.181" + "10.170.196.181", + "10.158.175.98" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2437,6 +2509,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.5978", "related.hosts": [ + "tuser", + "porissu", "con6049.internal.lan" ], "related.ip": [ @@ -2525,10 +2599,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "iam" + ], "related.ip": [ - "10.38.168.190", + "10.174.17.46", "10.77.105.81", - "10.174.17.46" + "10.38.168.190" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2589,10 +2666,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "ons" + ], "related.ip": [ + "10.225.37.73", "10.166.142.198", - "10.36.99.207", - "10.225.37.73" + "10.36.99.207" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2653,9 +2733,12 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "eturadip" + ], "related.ip": [ - "10.66.90.225", "10.145.194.12", + "10.66.90.225", "10.214.156.161" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -2717,10 +2800,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "iutal" + ], "related.ip": [ - "10.156.208.5", "10.6.242.108", - "10.163.36.101" + "10.163.36.101", + "10.156.208.5" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2784,11 +2870,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.4713", "related.hosts": [ + "data", + "epteurs", "remeum2641.www5.corp" ], "related.ip": [ - "10.220.148.127", - "10.68.233.163" + "10.68.233.163", + "10.220.148.127" ], "related.user": [ "estiaec" @@ -2875,6 +2963,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.4481", "related.hosts": [ + "naaliq", + "trudex", "itaspe3216.localdomain" ], "related.ip": [ @@ -2889,8 +2979,8 @@ "rsa.investigations.event_vcat": "ihi", "rsa.misc.OS": "amquaera", "rsa.misc.action": [ - "nimides", - "allow" + "allow", + "nimides" ], "rsa.misc.category": "mve", "rsa.misc.client": "plica", @@ -2967,11 +3057,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.4442", "related.hosts": [ + "fugi", + "uae", "mea6298.api.example" ], "related.ip": [ - "10.115.121.243", - "10.113.152.241" + "10.113.152.241", + "10.115.121.243" ], "related.user": [ "norumetM" @@ -3058,11 +3150,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.3804", "related.hosts": [ + "nder", + "atcupi", "iqu7510.internal.corp" ], "related.ip": [ - "10.179.153.97", - "10.49.82.45" + "10.49.82.45", + "10.179.153.97" ], "related.user": [ "dictasun" @@ -3072,8 +3166,8 @@ "rsa.investigations.event_vcat": "tatemse", "rsa.misc.OS": "eturadi", "rsa.misc.action": [ - "accept", - "ade" + "ade", + "accept" ], "rsa.misc.category": "laboreet", "rsa.misc.client": "ano", @@ -3146,9 +3240,12 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "lors" + ], "related.ip": [ - "10.98.52.184", "10.205.83.138", + "10.98.52.184", "10.99.55.115" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3210,6 +3307,9 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "reprehe" + ], "related.ip": [ "10.228.11.50", "10.197.128.162", @@ -3263,6 +3363,10 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "moll", + "ntoccae2859.www.test" + ], "related.user": [ "cteturad" ], @@ -3282,6 +3386,9 @@ "rsa.network.domain": "ntoccae2859.www.test", "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "server.domain": "ntoccae2859.www.test", + "server.registered_domain": "www.test", + "server.subdomain": "ntoccae2859", + "server.top_level_domain": "test", "service.type": "fortinet", "tags": [ "fortinet.fortimanager", @@ -3317,11 +3424,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.7318", "related.hosts": [ + "umdol", + "ptat", "deFinibu3940.internal.lan" ], "related.ip": [ - "10.124.71.88", - "10.22.248.52" + "10.22.248.52", + "10.124.71.88" ], "related.user": [ "tcons" @@ -3408,6 +3517,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.4895", "related.hosts": [ + "ficiade", + "ipexeac", "tatiset4191.localdomain" ], "related.ip": [ @@ -3496,10 +3607,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "teni" + ], "related.ip": [ + "10.250.231.196", "10.200.12.126", - "10.14.145.107", - "10.250.231.196" + "10.14.145.107" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3560,10 +3674,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "atuse" + ], "related.ip": [ + "10.225.34.176", "10.21.203.112", - "10.103.36.192", - "10.225.34.176" + "10.103.36.192" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3624,6 +3741,9 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "usantiu" + ], "related.ip": [ "10.140.59.161", "10.118.111.183", @@ -3691,6 +3811,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.4493", "related.hosts": [ + "veleumiu", + "labor", "nimadmi4084.api.home" ], "related.ip": [ @@ -3705,8 +3827,8 @@ "rsa.investigations.event_vcat": "Loremips", "rsa.misc.OS": "eritquii", "rsa.misc.action": [ - "nostru", - "accept" + "accept", + "nostru" ], "rsa.misc.category": "amnisiu", "rsa.misc.client": "rcita", @@ -3782,6 +3904,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.6506", "related.hosts": [ + "ecillum", + "sedqui", "reprehe3525.www5.example" ], "related.ip": [ @@ -3796,8 +3920,8 @@ "rsa.investigations.event_vcat": "uep", "rsa.misc.OS": "iatisund", "rsa.misc.action": [ - "nvo", - "block" + "block", + "nvo" ], "rsa.misc.category": "tenima", "rsa.misc.client": "iuntNe", @@ -3870,10 +3994,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "sitv" + ], "related.ip": [ - "10.217.145.137", "10.22.149.132", - "10.251.183.113" + "10.251.183.113", + "10.217.145.137" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3934,10 +4061,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "nisi" + ], "related.ip": [ - "10.51.60.203", "10.203.66.175", - "10.183.16.252" + "10.183.16.252", + "10.51.60.203" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4001,6 +4131,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.409", "related.hosts": [ + "doei", + "magnama", "ursint411.www.lan" ], "related.ip": [ @@ -4092,6 +4224,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.5475", "related.hosts": [ + "antium", + "rcita", "ididunt7607.mail.localhost" ], "related.ip": [ @@ -4106,8 +4240,8 @@ "rsa.investigations.event_vcat": "psaqu", "rsa.misc.OS": "nevolu", "rsa.misc.action": [ - "datatno", - "allow" + "allow", + "datatno" ], "rsa.misc.category": "ionu", "rsa.misc.client": "ugiatn", @@ -4183,6 +4317,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.142", "related.hosts": [ + "rsita", + "ommodoco", "mco2906.domain" ], "related.ip": [ @@ -4274,6 +4410,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.1789", "related.hosts": [ + "dol", + "ono", "ntex5135.corp" ], "related.ip": [ @@ -4288,8 +4426,8 @@ "rsa.investigations.event_vcat": "uia", "rsa.misc.OS": "mquae", "rsa.misc.action": [ - "tenatus", - "deny" + "deny", + "tenatus" ], "rsa.misc.category": "abo", "rsa.misc.client": "umtota", @@ -4363,10 +4501,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "nonnumq" + ], "related.ip": [ - "10.107.168.208", "10.34.41.75", - "10.249.16.201" + "10.249.16.201", + "10.107.168.208" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4430,11 +4571,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.6905", "related.hosts": [ + "aaliq", + "rveli", "tat1845.internal.invalid" ], "related.ip": [ - "10.109.106.194", - "10.96.168.24" + "10.96.168.24", + "10.109.106.194" ], "related.user": [ "ommodoc" @@ -4444,8 +4587,8 @@ "rsa.investigations.event_vcat": "agnaaliq", "rsa.misc.OS": "itte", "rsa.misc.action": [ - "Sedut", - "allow" + "allow", + "Sedut" ], "rsa.misc.category": "aqueip", "rsa.misc.client": "serr", @@ -4521,6 +4664,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.1353", "related.hosts": [ + "nibusB", + "iatn", "ulamc767.internal.lan" ], "related.ip": [ @@ -4535,8 +4680,8 @@ "rsa.investigations.event_vcat": "eiusm", "rsa.misc.OS": "emag", "rsa.misc.action": [ - "deny", - "velillu" + "velillu", + "deny" ], "rsa.misc.category": "litseddo", "rsa.misc.client": "aturE", @@ -4609,10 +4754,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "metco" + ], "related.ip": [ "10.103.169.94", - "10.62.241.218", - "10.140.137.17" + "10.140.137.17", + "10.62.241.218" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4673,10 +4821,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "litsedq" + ], "related.ip": [ - "10.251.212.166", "10.77.105.160", - "10.90.229.92" + "10.90.229.92", + "10.251.212.166" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4740,11 +4891,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.4261", "related.hosts": [ + "ipsum", + "dutp", "spici5547.internal.test" ], "related.ip": [ - "10.216.49.112", - "10.112.242.68" + "10.112.242.68", + "10.216.49.112" ], "related.user": [ "urmag" @@ -4831,6 +4984,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.491", "related.hosts": [ + "edutpe", + "boru", "istenatu3686.invalid" ], "related.ip": [ @@ -4845,8 +5000,8 @@ "rsa.investigations.event_vcat": "uatDuisa", "rsa.misc.OS": "citation", "rsa.misc.action": [ - "utlabore", - "accept" + "accept", + "utlabore" ], "rsa.misc.category": "reeu", "rsa.misc.client": "ntut", @@ -4919,10 +5074,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "cons" + ], "related.ip": [ "10.228.61.5", - "10.157.22.21", - "10.246.41.77" + "10.246.41.77", + "10.157.22.21" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4983,10 +5141,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "llumdo" + ], "related.ip": [ + "10.239.231.168", "10.188.131.18", - "10.242.119.111", - "10.239.231.168" + "10.242.119.111" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5050,6 +5211,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.979", "related.hosts": [ + "lorem", + "iden", "tru3812.mail.lan" ], "related.ip": [ @@ -5064,8 +5227,8 @@ "rsa.investigations.event_vcat": "amnihil", "rsa.misc.OS": "tten", "rsa.misc.action": [ - "accept", - "inea" + "inea", + "accept" ], "rsa.misc.category": "quam", "rsa.misc.client": "oreseo", @@ -5127,6 +5290,10 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "etdol408.internal.home", + "mid" + ], "related.user": [ "rehe" ], @@ -5146,6 +5313,9 @@ "rsa.network.domain": "etdol408.internal.home", "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "server.domain": "etdol408.internal.home", + "server.registered_domain": "internal.home", + "server.subdomain": "etdol408", + "server.top_level_domain": "home", "service.type": "fortinet", "tags": [ "fortinet.fortimanager", @@ -5181,6 +5351,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.4342", "related.hosts": [ + "ten", + "onsequ", "riaturE1644.www5.example" ], "related.ip": [ @@ -5195,8 +5367,8 @@ "rsa.investigations.event_vcat": "empori", "rsa.misc.OS": "ostru", "rsa.misc.action": [ - "allow", - "quepor" + "quepor", + "allow" ], "rsa.misc.category": "cipitla", "rsa.misc.client": "exeacomm", @@ -5272,6 +5444,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.6452", "related.hosts": [ + "tem", + "cons", "mdolo7008.api.corp" ], "related.ip": [ @@ -5360,10 +5534,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "reseosqu" + ], "related.ip": [ - "10.51.106.43", + "10.75.198.93", "10.137.36.151", - "10.75.198.93" + "10.51.106.43" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5424,10 +5601,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "caecatcu" + ], "related.ip": [ "10.154.151.111", - "10.249.93.150", - "10.7.230.206" + "10.7.230.206", + "10.249.93.150" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5491,11 +5671,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.5718", "related.hosts": [ + "quirat", + "ptatem", "itse5466.api.example" ], "related.ip": [ - "10.217.209.221", - "10.26.4.3" + "10.26.4.3", + "10.217.209.221" ], "related.user": [ "ciduntut" @@ -5505,8 +5687,8 @@ "rsa.investigations.event_vcat": "santiumd", "rsa.misc.OS": "oris", "rsa.misc.action": [ - "rsitame", - "deny" + "deny", + "rsitame" ], "rsa.misc.category": "agnaal", "rsa.misc.client": "urmagn", @@ -5582,11 +5764,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.6603", "related.hosts": [ + "ssuscipi", + "eac", "dquiac6194.api.lan" ], "related.ip": [ - "10.180.162.174", - "10.241.140.241" + "10.241.140.241", + "10.180.162.174" ], "related.user": [ "nulapar" @@ -5596,8 +5780,8 @@ "rsa.investigations.event_vcat": "luptatev", "rsa.misc.OS": "emipsu", "rsa.misc.action": [ - "accept", - "ido" + "ido", + "accept" ], "rsa.misc.category": "litse", "rsa.misc.client": "evita", @@ -5673,11 +5857,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.2052", "related.hosts": [ + "asp", + "dat", "amco1592.mail.host" ], "related.ip": [ - "10.110.99.222", - "10.62.140.108" + "10.62.140.108", + "10.110.99.222" ], "related.user": [ "moenimi" @@ -5764,11 +5950,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.2691", "related.hosts": [ + "orroqu", + "ratio", "dicta7226.mail.example" ], "related.ip": [ - "10.4.244.115", - "10.53.50.77" + "10.53.50.77", + "10.4.244.115" ], "related.user": [ "idolo" @@ -5778,8 +5966,8 @@ "rsa.investigations.event_vcat": "cupidata", "rsa.misc.OS": "ficiade", "rsa.misc.action": [ - "lorem", - "accept" + "accept", + "lorem" ], "rsa.misc.category": "iac", "rsa.misc.client": "tlabo", @@ -5852,9 +6040,12 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "eleumiu" + ], "related.ip": [ - "10.120.212.78", "10.221.100.157", + "10.120.212.78", "10.236.211.111" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -5919,6 +6110,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.3052", "related.hosts": [ + "tenima", + "xeacom", "pidatatn2627.www.localdomain" ], "related.ip": [ @@ -5933,8 +6126,8 @@ "rsa.investigations.event_vcat": "lauda", "rsa.misc.OS": "enatuser", "rsa.misc.action": [ - "rios", - "accept" + "accept", + "rios" ], "rsa.misc.category": "aUte", "rsa.misc.client": "iusm", @@ -6007,6 +6200,9 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "nimides" + ], "related.ip": [ "10.123.59.69", "10.53.251.202", @@ -6071,10 +6267,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "edut" + ], "related.ip": [ "10.3.85.176", - "10.29.141.252", - "10.212.56.26" + "10.212.56.26", + "10.29.141.252" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6138,11 +6337,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.95", "related.hosts": [ + "Utenimad", + "inculp", "emveleu4029.api.local" ], "related.ip": [ - "10.126.11.186", - "10.236.175.163" + "10.236.175.163", + "10.126.11.186" ], "related.user": [ "udantiu" @@ -6226,9 +6427,12 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "mes" + ], "related.ip": [ - "10.83.98.220", "10.171.60.173", + "10.83.98.220", "10.11.150.136" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -6290,10 +6494,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "datatno" + ], "related.ip": [ "10.74.88.209", - "10.92.3.166", - "10.238.49.73" + "10.238.49.73", + "10.92.3.166" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6354,6 +6561,9 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "ptate" + ], "related.ip": [ "10.84.200.121", "10.119.248.36", @@ -6418,10 +6628,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "tasu" + ], "related.ip": [ + "10.135.213.17", "10.30.239.222", - "10.167.128.229", - "10.135.213.17" + "10.167.128.229" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6485,11 +6698,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.1028", "related.hosts": [ + "edi", + "orem", "rspic5637.api.local" ], "related.ip": [ - "10.115.166.48", - "10.169.133.219" + "10.169.133.219", + "10.115.166.48" ], "related.user": [ "emq" @@ -6576,11 +6791,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.4195", "related.hosts": [ + "aconse", + "Except", "rror3870.www5.local" ], "related.ip": [ - "10.226.39.82", - "10.146.255.40" + "10.146.255.40", + "10.226.39.82" ], "related.user": [ "caecatcu" @@ -6664,10 +6881,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "emaperi" + ], "related.ip": [ "10.53.82.96", - "10.224.212.88", - "10.35.240.70" + "10.35.240.70", + "10.224.212.88" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6728,6 +6948,9 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "oeius" + ], "related.ip": [ "10.186.253.240", "10.66.149.234", @@ -6792,10 +7015,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "irat" + ], "related.ip": [ - "10.46.11.114", "10.173.140.201", - "10.227.133.134" + "10.227.133.134", + "10.46.11.114" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6856,10 +7082,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "emp" + ], "related.ip": [ - "10.69.130.207", "10.170.236.123", - "10.205.18.11" + "10.205.18.11", + "10.69.130.207" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6923,11 +7152,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.2682", "related.hosts": [ + "rehend", + "ine", "velill3821.mail.invalid" ], "related.ip": [ - "10.124.34.251", - "10.97.254.192" + "10.97.254.192", + "10.124.34.251" ], "related.user": [ "epor" @@ -7011,6 +7242,9 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "ineavol" + ], "related.ip": [ "10.204.98.238", "10.81.58.91", @@ -7064,6 +7298,10 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "xplicabo4308.www.example", + "unti" + ], "related.user": [ "tiono" ], @@ -7083,6 +7321,9 @@ "rsa.network.domain": "xplicabo4308.www.example", "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "server.domain": "xplicabo4308.www.example", + "server.registered_domain": "www.example", + "server.subdomain": "xplicabo4308", + "server.top_level_domain": "example", "service.type": "fortinet", "tags": [ "fortinet.fortimanager", @@ -7115,10 +7356,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "uipex" + ], "related.ip": [ "10.35.84.125", - "10.37.120.29", - "10.212.208.70" + "10.212.208.70", + "10.37.120.29" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7179,10 +7423,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "aturvel" + ], "related.ip": [ + "10.199.201.26", "10.207.207.106", - "10.143.65.84", - "10.199.201.26" + "10.143.65.84" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7243,10 +7490,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "gni" + ], "related.ip": [ - "10.204.27.48", "10.41.61.88", - "10.163.236.253" + "10.163.236.253", + "10.204.27.48" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7307,10 +7557,13 @@ "observer.product": "FortiManager", "observer.type": "Configuration", "observer.vendor": "Fortinet", + "related.hosts": [ + "dents" + ], "related.ip": [ - "10.53.110.111", + "10.185.44.26", "10.246.81.164", - "10.185.44.26" + "10.53.110.111" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7375,6 +7628,8 @@ "observer.vendor": "Fortinet", "observer.version": "1.802", "related.hosts": [ + "lam", + "proid", "cupida6106.www5.local" ], "related.ip": [ @@ -7389,8 +7644,8 @@ "rsa.investigations.event_vcat": "lupt", "rsa.misc.OS": "etdolo", "rsa.misc.action": [ - "amnihilm", - "allow" + "allow", + "amnihilm" ], "rsa.misc.category": "ntin", "rsa.misc.client": "xcep", @@ -7466,11 +7721,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.2314", "related.hosts": [ + "umtotam", + "stenat", "unt2122.internal.local" ], "related.ip": [ - "10.38.18.72", - "10.202.250.141" + "10.202.250.141", + "10.38.18.72" ], "related.user": [ "maperia" @@ -7480,8 +7737,8 @@ "rsa.investigations.event_vcat": "rure", "rsa.misc.OS": "iquidexe", "rsa.misc.action": [ - "volu", - "allow" + "allow", + "volu" ], "rsa.misc.category": "ium", "rsa.misc.client": "liquip", @@ -7557,11 +7814,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.4674", "related.hosts": [ + "oremeu", + "ita", "luptat2613.internal.localhost" ], "related.ip": [ - "10.182.124.88", - "10.139.144.75" + "10.139.144.75", + "10.182.124.88" ], "related.user": [ "modo" @@ -7648,11 +7907,13 @@ "observer.vendor": "Fortinet", "observer.version": "1.1386", "related.hosts": [ + "amquisn", + "cab", "neavo4796.internal.domain" ], "related.ip": [ - "10.188.124.185", - "10.35.10.19" + "10.35.10.19", + "10.188.124.185" ], "related.user": [ "dolo" diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml index 311bf3ef6a86..d7c7e0ba749a 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/input.yml +++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js +++ b/x-pack/filebeat/module/imperva/securesphere/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml index a51475c05880..aab537751715 100644 --- a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml +++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml @@ -55,9 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.hostname}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.hostname != null && ctx.host?.hostname != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/imperva/securesphere/manifest.yml b/x-pack/filebeat/module/imperva/securesphere/manifest.yml index 011afe2d7479..b93133950433 100644 --- a/x-pack/filebeat/module/imperva/securesphere/manifest.yml +++ b/x-pack/filebeat/module/imperva/securesphere/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9511 + default: 9531 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 9aee12937a0e..f76c63dfc7d0 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -23,13 +23,13 @@ "radipis5408.mail.local" ], "related.ip": [ - "10.81.122.126", - "10.70.155.35" + "10.70.155.35", + "10.81.122.126" ], "related.user": [ - "magn", "tatno", - "aqui" + "aqui", + "magn" ], "rsa.counters.dclass_c1": 5910, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -117,8 +117,8 @@ ], "related.user": [ "qua", - "uradi", - "temUten" + "temUten", + "uradi" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -170,13 +170,13 @@ "elaudant5931.internal.invalid" ], "related.ip": [ - "10.232.27.250", - "10.18.124.28" + "10.18.124.28", + "10.232.27.250" ], "related.user": [ - "mquidol", "lapariat", - "modocons" + "modocons", + "mquidol" ], "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -234,12 +234,12 @@ "amest4147.mail.host" ], "related.ip": [ - "10.6.137.200", - "10.197.250.10" + "10.197.250.10", + "10.6.137.200" ], "related.user": [ - "oluptas", "intoc", + "oluptas", "occae" ], "rsa.counters.event_counter": 7243, @@ -247,8 +247,8 @@ "rsa.internal.event_desc": "snostrud", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "dol", - "cancel" + "cancel", + "dol" ], "rsa.misc.category": "nama", "rsa.misc.disposition": "quisnos", @@ -303,12 +303,12 @@ "eratv6205.internal.lan" ], "related.ip": [ - "10.179.124.125", - "10.36.194.106" + "10.36.194.106", + "10.179.124.125" ], "related.user": [ - "ncidid", "reme", + "ncidid", "acommod" ], "rsa.counters.event_counter": 2462, @@ -432,13 +432,13 @@ "pora6854.www5.home" ], "related.ip": [ - "10.112.250.193", - "10.214.191.180" + "10.214.191.180", + "10.112.250.193" ], "related.user": [ "ipsumdol", - "ide", - "Exc" + "Exc", + "ide" ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -493,13 +493,13 @@ "ptasn6599.www.localhost" ], "related.ip": [ - "10.251.20.13", - "10.192.34.76" + "10.192.34.76", + "10.251.20.13" ], "related.user": [ "tnonpro", - "iquipe", - "ovol" + "ovol", + "iquipe" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -551,13 +551,13 @@ "ptasnu6684.mail.lan" ], "related.ip": [ - "10.74.105.218", - "10.59.138.212" + "10.59.138.212", + "10.74.105.218" ], "related.user": [ "idunt", - "boree", - "archite" + "archite", + "boree" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -613,13 +613,13 @@ "rinre2977.api.corp" ], "related.ip": [ - "10.230.173.4", - "10.168.159.13" + "10.168.159.13", + "10.230.173.4" ], "related.user": [ "inci", - "atemq", - "isnostr" + "isnostr", + "atemq" ], "rsa.counters.dclass_c1": 6135, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -679,9 +679,9 @@ "10.49.167.57" ], "related.user": [ - "tali", + "sau", "ccaeca", - "sau" + "tali" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -739,12 +739,12 @@ "itla658.api.localhost" ], "related.ip": [ - "10.62.147.186", - "10.216.125.252" + "10.216.125.252", + "10.62.147.186" ], "related.user": [ - "lorsita", "dolore", + "lorsita", "llamco" ], "rsa.counters.event_counter": 4603, @@ -752,8 +752,8 @@ "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "quasia", - "accept" + "accept", + "quasia" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", @@ -814,16 +814,16 @@ ], "related.user": [ "nci", - "paquioff", - "rum" + "rum", + "paquioff" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", "rsa.internal.event_desc": "rumet", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "texpli", - "deny" + "deny", + "texpli" ], "rsa.misc.category": "verita", "rsa.misc.disposition": "sectet", @@ -875,13 +875,13 @@ "rationev6444.localhost" ], "related.ip": [ - "10.200.68.129", - "10.34.148.166" + "10.34.148.166", + "10.200.68.129" ], "related.user": [ - "icabo", "miu", - "untutlab" + "untutlab", + "icabo" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -933,13 +933,13 @@ "ipi7727.www5.domain" ], "related.ip": [ - "10.134.5.40", - "10.226.101.180" + "10.226.101.180", + "10.134.5.40" ], "related.user": [ + "conse", "siu", - "licabo", - "conse" + "licabo" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -999,9 +999,9 @@ "10.30.98.10" ], "related.user": [ - "velite", + "dipisci", "olori", - "dipisci" + "velite" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1151,9 +1151,9 @@ "10.100.98.56" ], "related.user": [ - "proident", + "boru", "ritati", - "boru" + "proident" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1213,8 +1213,8 @@ "10.197.6.245" ], "related.user": [ - "dtempo", "aecatcup", + "dtempo", "oluptat" ], "rsa.counters.dclass_c1": 3071, @@ -1271,13 +1271,13 @@ "hitec2111.mail.corp" ], "related.ip": [ - "10.167.252.183", - "10.6.27.103" + "10.6.27.103", + "10.167.252.183" ], "related.user": [ + "asnu", "redol", - "ationul", - "asnu" + "ationul" ], "rsa.counters.dclass_c1": 6606, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1335,8 +1335,8 @@ "adminim2559.www5.invalid" ], "related.ip": [ - "10.81.184.7", - "10.88.45.111" + "10.88.45.111", + "10.81.184.7" ], "related.user": [ "undeomni", @@ -1348,8 +1348,8 @@ "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "illu" + "illu", + "deny" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", @@ -1403,13 +1403,13 @@ "dolorem6882.api.local" ], "related.ip": [ - "10.29.119.245", - "10.214.3.140" + "10.214.3.140", + "10.29.119.245" ], "related.user": [ - "scipitl", + "taliqui", "edolorin", - "taliqui" + "scipitl" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1467,8 +1467,8 @@ "temaccu5302.test" ], "related.ip": [ - "10.110.133.7", - "10.218.123.234" + "10.218.123.234", + "10.110.133.7" ], "related.user": [ "caboNem", @@ -1540,8 +1540,8 @@ ], "related.user": [ "doeiu", - "litan", - "mquisn" + "mquisn", + "litan" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1599,8 +1599,8 @@ "idunt4633.internal.host" ], "related.ip": [ - "10.59.188.188", - "10.123.166.197" + "10.123.166.197", + "10.59.188.188" ], "related.user": [ "emUte", @@ -1612,8 +1612,8 @@ "rsa.internal.event_desc": "tautfug", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "itae" + "itae", + "block" ], "rsa.misc.category": "giatquov", "rsa.misc.disposition": "olu", @@ -1666,13 +1666,13 @@ "ectob4634.mail.localhost" ], "related.ip": [ - "10.201.168.116", - "10.72.75.207" + "10.72.75.207", + "10.201.168.116" ], "related.user": [ - "urau", + "eufug", "eFini", - "eufug" + "urau" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1732,8 +1732,8 @@ "10.9.46.123" ], "related.user": [ - "nde", "oco", + "nde", "mfu" ], "rsa.counters.dclass_c1": 3795, @@ -1794,9 +1794,9 @@ "10.70.29.203" ], "related.user": [ - "veniamq", "mquisnos", - "pta" + "pta", + "veniamq" ], "rsa.counters.dclass_c1": 2358, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1852,8 +1852,8 @@ "lesti6939.api.local" ], "related.ip": [ - "10.137.85.123", - "10.165.182.111" + "10.165.182.111", + "10.137.85.123" ], "related.user": [ "Bonorum", @@ -1957,8 +1957,8 @@ "rsa.internal.event_desc": "orin", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "lamco", - "block" + "block", + "lamco" ], "rsa.misc.category": "enia", "rsa.misc.disposition": "iavol", @@ -2078,8 +2078,8 @@ "10.18.150.82" ], "related.user": [ - "mtota", "qua", + "mtota", "luptat" ], "rsa.counters.dclass_c1": 6112, @@ -2167,9 +2167,9 @@ "10.151.240.35" ], "related.user": [ - "lam", "ametcons", - "ama" + "ama", + "lam" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2225,9 +2225,9 @@ "10.147.142.242" ], "related.user": [ + "quasi", "ese", - "quisn", - "quasi" + "quisn" ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2285,12 +2285,12 @@ "radipis3991.mail.invalid" ], "related.ip": [ - "10.213.165.165", - "10.254.10.98" + "10.254.10.98", + "10.213.165.165" ], "related.user": [ - "eufugia", "ttenb", + "eufugia", "civeli" ], "rsa.counters.event_counter": 7365, @@ -2298,8 +2298,8 @@ "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "uptasn", - "cancel" + "cancel", + "uptasn" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2387,9 +2387,9 @@ "10.169.28.157" ], "related.user": [ - "eturadip", + "reseo", "amco", - "reseo" + "eturadip" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", @@ -2517,9 +2517,9 @@ "10.100.113.11" ], "related.user": [ - "itationu", "velillum", - "ptatev" + "ptatev", + "itationu" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2607,9 +2607,9 @@ "10.208.33.55" ], "related.user": [ - "ulapari", + "inimv", "mremaper", - "inimv" + "ulapari" ], "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2669,9 +2669,9 @@ "10.109.230.216" ], "related.user": [ - "ectobea", + "ibus", "mporin", - "ibus" + "ectobea" ], "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2727,13 +2727,13 @@ "idents7231.mail.home" ], "related.ip": [ - "10.151.203.60", - "10.117.81.75" + "10.117.81.75", + "10.151.203.60" ], "related.user": [ "dol", - "exeac", - "iconsequ" + "iconsequ", + "exeac" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2793,8 +2793,8 @@ "10.45.152.205" ], "related.user": [ - "utlabo", "eriti", + "utlabo", "imav" ], "rsa.counters.dclass_c1": 922, @@ -2852,21 +2852,21 @@ "mips3283.corp" ], "related.ip": [ - "10.1.193.187", - "10.60.164.100" + "10.60.164.100", + "10.1.193.187" ], "related.user": [ - "adipis", "ugi", - "hite" + "hite", + "adipis" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", "rsa.internal.event_desc": "epteurs", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "taevitae" + "taevitae", + "allow" ], "rsa.misc.category": "itse", "rsa.misc.disposition": "rever", @@ -2923,8 +2923,8 @@ "10.248.244.203" ], "related.user": [ - "mquamei", "sum", + "mquamei", "eiusm" ], "rsa.counters.dclass_c1": 3058, @@ -2977,12 +2977,12 @@ "fde7756.mail.corp" ], "related.ip": [ - "10.122.127.237", - "10.86.121.152" + "10.86.121.152", + "10.122.127.237" ], "related.user": [ - "consecte", "ine", + "consecte", "nimv" ], "rsa.counters.dclass_c1": 2771, @@ -3039,8 +3039,8 @@ "agnama5013.internal.example" ], "related.ip": [ - "10.204.223.184", - "10.201.223.119" + "10.201.223.119", + "10.204.223.184" ], "related.user": [ "tuserror", @@ -3101,12 +3101,12 @@ "edictas4693.home" ], "related.ip": [ - "10.223.56.33", - "10.200.12.126" + "10.200.12.126", + "10.223.56.33" ], "related.user": [ - "magnido", "elitsedd", + "magnido", "Nequepo" ], "rsa.counters.dclass_c1": 3243, @@ -3165,13 +3165,13 @@ "nibu2565.api.local" ], "related.ip": [ - "10.94.89.177", - "10.65.225.101" + "10.65.225.101", + "10.94.89.177" ], "related.user": [ - "citation", "emquel", - "tuserror" + "tuserror", + "citation" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", @@ -3232,13 +3232,13 @@ "tsun7120.home" ], "related.ip": [ - "10.65.174.196", - "10.191.184.105" + "10.191.184.105", + "10.65.174.196" ], "related.user": [ + "tione", "uta", - "iin", - "tione" + "iin" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3296,8 +3296,8 @@ "10.224.148.48" ], "related.user": [ - "niam", "equepor", + "niam", "iosamn" ], "rsa.counters.event_counter": 7468, @@ -3360,13 +3360,13 @@ "amcorp7299.api.example" ], "related.ip": [ - "10.21.61.134", - "10.21.208.103" + "10.21.208.103", + "10.21.61.134" ], "related.user": [ "imidest", - "ostr", - "mipsa" + "mipsa", + "ostr" ], "rsa.counters.dclass_c1": 7766, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3422,12 +3422,12 @@ "magnama868.api.local" ], "related.ip": [ - "10.23.6.216", - "10.221.192.116" + "10.221.192.116", + "10.23.6.216" ], "related.user": [ - "iamquisn", "iarchit", + "iamquisn", "tevelite" ], "rsa.counters.dclass_c1": 639, @@ -3490,17 +3490,17 @@ "10.191.142.143" ], "related.user": [ - "nofde", + "animide", "modtempo", - "animide" + "nofde" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "ali", - "cancel" + "cancel", + "ali" ], "rsa.misc.category": "sciv", "rsa.misc.disposition": "tlabo", @@ -3555,12 +3555,12 @@ "mquis319.api.local" ], "related.ip": [ - "10.111.22.134", - "10.178.79.217" + "10.178.79.217", + "10.111.22.134" ], "related.user": [ - "tqui", "inibusBo", + "tqui", "ccusan" ], "rsa.counters.event_counter": 3538, @@ -3568,8 +3568,8 @@ "rsa.internal.event_desc": "adeseru", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "orisnis", - "deny" + "deny", + "orisnis" ], "rsa.misc.category": "sitas", "rsa.misc.disposition": "eni", @@ -3626,8 +3626,8 @@ "10.161.225.172" ], "related.user": [ - "rcit", "meaqu", + "rcit", "xerc" ], "rsa.counters.dclass_c1": 7286, @@ -3744,9 +3744,9 @@ "10.254.198.47" ], "related.user": [ + "nimvenia", "ndeomnis", - "illoin", - "nimvenia" + "illoin" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3798,13 +3798,13 @@ "reseo2067.api.localdomain" ], "related.ip": [ - "10.182.197.243", - "10.40.24.93" + "10.40.24.93", + "10.182.197.243" ], "related.user": [ - "orisnis", + "exerci", "mSecti", - "exerci" + "orisnis" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3864,9 +3864,9 @@ "10.249.13.159" ], "related.user": [ + "exeacomm", "colab", - "uisautei", - "exeacomm" + "uisautei" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3928,8 +3928,8 @@ "10.39.244.49" ], "related.user": [ - "estiae", "iunt", + "estiae", "Sedut" ], "rsa.counters.event_counter": 7128, @@ -3937,8 +3937,8 @@ "rsa.internal.event_desc": "enimips", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "gna", - "cancel" + "cancel", + "gna" ], "rsa.misc.category": "Nequepor", "rsa.misc.disposition": "nisiu", @@ -4051,9 +4051,9 @@ "10.115.203.143" ], "related.user": [ - "utoditau", "involu", - "orpori" + "orpori", + "utoditau" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4109,12 +4109,12 @@ "iamq2577.internal.corp" ], "related.ip": [ - "10.43.244.252", - "10.251.212.166" + "10.251.212.166", + "10.43.244.252" ], "related.user": [ - "uptat", "gnido", + "uptat", "inculp" ], "rsa.counters.dclass_c1": 6947, @@ -4204,8 +4204,8 @@ ], "related.user": [ "mqu", - "uatDuisa", - "tesseq" + "tesseq", + "uatDuisa" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4289,13 +4289,13 @@ "abor3266.mail.home" ], "related.ip": [ - "10.231.77.26", - "10.225.11.197" + "10.225.11.197", + "10.231.77.26" ], "related.user": [ + "volu", "rehe", - "ineavol", - "volu" + "ineavol" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4407,13 +4407,13 @@ "destla2110.www5.localdomain" ], "related.ip": [ - "10.57.169.205", - "10.172.121.239" + "10.172.121.239", + "10.57.169.205" ], "related.user": [ - "ctas", "iuta", - "ipsu" + "ipsu", + "ctas" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4469,13 +4469,13 @@ "exerc3694.api.home" ], "related.ip": [ - "10.42.218.103", - "10.129.234.200" + "10.129.234.200", + "10.42.218.103" ], "related.user": [ + "tevelit", "tisundeo", - "dquia", - "tevelit" + "dquia" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4535,8 +4535,8 @@ "10.111.132.221" ], "related.user": [ - "ali", "scive", + "ali", "oloremi" ], "rsa.counters.dclass_c1": 6155, @@ -4598,8 +4598,8 @@ ], "related.user": [ "dolo", - "enimip", - "ota" + "ota", + "enimip" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4659,9 +4659,9 @@ "10.173.13.179" ], "related.user": [ - "ptasn", "apar", - "isn" + "isn", + "ptasn" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4717,13 +4717,13 @@ "iatisund424.mail.localdomain" ], "related.ip": [ - "10.42.135.34", - "10.178.190.123" + "10.178.190.123", + "10.42.135.34" ], "related.user": [ + "tiset", "orsi", - "ore", - "tiset" + "ore" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4807,13 +4807,13 @@ "uidolo7626.local" ], "related.ip": [ - "10.207.198.239", - "10.8.147.176" + "10.8.147.176", + "10.207.198.239" ], "related.user": [ + "aUteni", "incididu", - "Loremips", - "aUteni" + "Loremips" ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4868,8 +4868,8 @@ "dmini3435.internal.domain" ], "related.ip": [ - "10.116.26.185", - "10.206.221.180" + "10.206.221.180", + "10.116.26.185" ], "related.user": [ "nseq", @@ -4930,9 +4930,9 @@ "10.86.180.150" ], "related.user": [ - "etconsec", "itasper", - "mnisis" + "mnisis", + "etconsec" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4990,8 +4990,8 @@ "inv6528.www5.example" ], "related.ip": [ - "10.220.175.201", - "10.158.161.5" + "10.158.161.5", + "10.220.175.201" ], "related.user": [ "dolo", @@ -5088,8 +5088,8 @@ "10.150.27.144" ], "related.user": [ - "ditautf", "res", + "ditautf", "tuserror" ], "rsa.counters.dclass_c1": 4367, @@ -5146,13 +5146,13 @@ "tqui5172.www.local" ], "related.ip": [ - "10.146.131.76", - "10.173.19.140" + "10.173.19.140", + "10.146.131.76" ], "related.user": [ - "orsi", "olo", - "Except" + "Except", + "orsi" ], "rsa.counters.dclass_c1": 5844, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5207,13 +5207,13 @@ "intocca6708.mail.corp" ], "related.ip": [ - "10.171.175.165", - "10.69.5.227" + "10.69.5.227", + "10.171.175.165" ], "related.user": [ - "ntocc", + "rumw", "doloreme", - "rumw" + "ntocc" ], "rsa.counters.dclass_c1": 5201, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5269,9 +5269,9 @@ "10.253.175.129" ], "related.user": [ - "epteurs", + "ate", "nrep", - "ate" + "epteurs" ], "rsa.counters.dclass_c1": 6260, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5342,8 +5342,8 @@ "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "atcupi" + "atcupi", + "block" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", @@ -5398,13 +5398,13 @@ "gitse6744.api.local" ], "related.ip": [ - "10.52.106.68", - "10.81.108.232" + "10.81.108.232", + "10.52.106.68" ], "related.user": [ + "aco", "uaturve", - "neavolup", - "aco" + "neavolup" ], "rsa.counters.event_counter": 5098, "rsa.db.database": "lapa", @@ -5468,21 +5468,21 @@ "par3605.internal.localdomain" ], "related.ip": [ - "10.230.48.97", - "10.223.10.28" + "10.223.10.28", + "10.230.48.97" ], "related.user": [ - "untex", "usmodte", - "erit" + "erit", + "untex" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", "rsa.internal.event_desc": "itatiset", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "tconse" + "tconse", + "deny" ], "rsa.misc.category": "uaerat", "rsa.misc.disposition": "met", @@ -5540,9 +5540,9 @@ "10.161.212.150" ], "related.user": [ + "res", "sequamn", - "tasnul", - "res" + "tasnul" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5604,9 +5604,9 @@ "10.226.75.20" ], "related.user": [ + "fugia", "tema", - "maccusan", - "fugia" + "maccusan" ], "rsa.counters.event_counter": 3711, "rsa.db.database": "psa", @@ -5667,13 +5667,13 @@ "itseddo2209.mail.domain" ], "related.ip": [ - "10.192.15.65", - "10.97.22.61" + "10.97.22.61", + "10.192.15.65" ], "related.user": [ - "rExcep", "nimides", - "illumd" + "illumd", + "rExcep" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5727,13 +5727,13 @@ "duntutl3396.api.host" ], "related.ip": [ - "10.197.254.133", - "10.116.76.161" + "10.116.76.161", + "10.197.254.133" ], "related.user": [ - "trudex", "ide", - "idu" + "idu", + "trudex" ], "rsa.counters.event_counter": 2608, "rsa.db.database": "ncul", @@ -5798,9 +5798,9 @@ "10.28.77.79" ], "related.user": [ - "utlab", "rspic", - "upta" + "upta", + "utlab" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5855,13 +5855,13 @@ "tsunti1164.www.example" ], "related.ip": [ - "10.248.177.182", - "10.18.15.43" + "10.18.15.43", + "10.248.177.182" ], "related.user": [ "caecat", - "quaturve", - "quei" + "quei", + "quaturve" ], "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml index 0ee823354b91..48403d0a09c1 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/input.yml +++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js +++ b/x-pack/filebeat/module/infoblox/nios/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/infoblox/nios/config/pipeline.js b/x-pack/filebeat/module/infoblox/nios/config/pipeline.js index eb4ad71a8dd9..ddc4b8d5ea82 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/pipeline.js +++ b/x-pack/filebeat/module/infoblox/nios/config/pipeline.js @@ -15,19 +15,21 @@ function DeviceProcessor() { } } -var dup1 = setc("eventcategory","1401070000"); +var dup1 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); -var dup2 = setc("ec_theme","Authentication"); +var dup2 = setc("eventcategory","1401070000"); -var dup3 = setc("ec_subject","User"); +var dup3 = setc("ec_theme","Authentication"); -var dup4 = setc("ec_activity","Logoff"); +var dup4 = setc("ec_subject","User"); -var dup5 = setc("ec_outcome","Success"); +var dup5 = setc("ec_activity","Logoff"); -var dup6 = setf("msg","$MSG"); +var dup6 = setc("ec_outcome","Success"); -var dup7 = date_time({ +var dup7 = setf("msg","$MSG"); + +var dup8 = date_time({ dest: "event_time", args: ["fld1","fld2"], fmts: [ @@ -35,47 +37,45 @@ var dup7 = date_time({ ], }); -var dup8 = setf("event_source","hhostname"); - -var dup9 = setc("eventcategory","1401060000"); +var dup9 = setf("event_source","hhostname"); -var dup10 = setc("ec_activity","Logon"); +var dup10 = setc("eventcategory","1401060000"); -var dup11 = setc("eventcategory","1609000000"); +var dup11 = setc("ec_activity","Logon"); -var dup12 = setc("eventcategory","1605000000"); +var dup12 = setc("eventcategory","1609000000"); -var dup13 = setc("eventcategory","1401030000"); +var dup13 = setc("eventcategory","1605000000"); -var dup14 = setc("ec_outcome","Failure"); +var dup14 = setc("eventcategory","1401030000"); -var dup15 = setc("eventcategory","1603000000"); +var dup15 = setc("ec_outcome","Failure"); -var dup16 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); +var dup16 = setc("eventcategory","1603000000"); -var dup17 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); +var dup17 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); -var dup18 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); +var dup18 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); -var dup19 = setc("action","DHCPDECLINE"); +var dup19 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); -var dup20 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); +var dup20 = setc("action","DHCPDECLINE"); -var dup21 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); +var dup21 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); -var dup22 = setc("action","DHCPRELEASE"); +var dup22 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); -var dup23 = setc("action","DHCPDISCOVER"); +var dup23 = setc("action","DHCPRELEASE"); -var dup24 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); +var dup24 = setc("action","DHCPDISCOVER"); -var dup25 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); +var dup25 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); -var dup26 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); +var dup26 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); var dup27 = setc("action","DHCPREQUEST"); -var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); +var dup28 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); var dup29 = setc("event_description","unknown network segment"); @@ -87,13 +87,13 @@ var dup30 = date_time({ ], }); -var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); +var dup31 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); var dup32 = setc("action","DHCPACK"); -var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); +var dup33 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); -var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); +var dup34 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); var dup35 = setf("domain","zone"); @@ -113,39 +113,41 @@ var dup42 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} var dup43 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); -var dup44 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); +var dup44 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); var dup45 = setc("event_description","updating zone"); -var dup46 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); +var dup46 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); var dup47 = setf("domain","hostname"); -var dup48 = setc("eventcategory","1801010000"); +var dup48 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); -var dup49 = setc("ec_activity","Request"); +var dup49 = setc("eventcategory","1801010000"); -var dup50 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); +var dup50 = setc("ec_activity","Request"); -var dup51 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); +var dup51 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); -var dup52 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); +var dup52 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); -var dup53 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); +var dup53 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); -var dup54 = setc("action","Refused"); +var dup54 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); -var dup55 = setf("dns_querytype","event_description"); +var dup55 = setc("action","Refused"); -var dup56 = setc("eventcategory","1901000000"); +var dup56 = setf("dns_querytype","event_description"); -var dup57 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); +var dup57 = setc("eventcategory","1901000000"); -var dup58 = setc("eventcategory","1801000000"); +var dup58 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); -var dup59 = setf("zone","domain"); +var dup59 = setc("eventcategory","1801000000"); -var dup60 = date_time({ +var dup60 = setf("zone","domain"); + +var dup61 = date_time({ dest: "event_time", args: ["month","day","time"], fmts: [ @@ -153,103 +155,101 @@ var dup60 = date_time({ ], }); -var dup61 = setf("info","hdata"); +var dup62 = setf("info","hdata"); -var dup62 = setc("eventcategory","1301000000"); +var dup63 = setc("eventcategory","1301000000"); -var dup63 = setc("eventcategory","1303000000"); +var dup64 = setc("eventcategory","1303000000"); -var dup64 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var dup65 = match_copy("MESSAGE#7:httpd:06", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, ])); -var dup65 = linear_select([ - dup17, +var dup66 = linear_select([ dup18, + dup19, ]); -var dup66 = linear_select([ - dup20, +var dup67 = linear_select([ dup21, + dup22, ]); -var dup67 = linear_select([ - dup25, +var dup68 = linear_select([ dup26, + dup22, ]); -var dup68 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var dup69 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var dup69 = linear_select([ +var dup70 = linear_select([ dup33, dup34, ]); -var dup70 = linear_select([ +var dup71 = linear_select([ dup37, dup38, dup39, ]); -var dup71 = linear_select([ +var dup72 = linear_select([ dup42, dup43, dup44, ]); -var dup72 = linear_select([ - dup51, +var dup73 = linear_select([ dup52, + dup53, ]); -var dup73 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ - dup15, - dup6, - dup8, +var dup74 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ + dup16, + dup7, + dup9, ])); -var dup74 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ - dup15, - dup6, - dup8, +var dup75 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, ])); -var dup75 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var dup76 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var dup76 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ - dup12, - dup6, - dup8, - dup61, +var dup77 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup62, ])); -var hdr1 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); +var part1 = match("HEADER#0:006/1_0", "nwparser.p0", "%{hhostip} %{messageid}[%{data}]: %{p0}"); -var part1 = match("HEADER#0:006/1_0", "nwparser.p0", "%{hhostip->} %{messageid}[%{data}]: %{p0}"); - -var part2 = match("HEADER#0:006/1_1", "nwparser.p0", "%{hhostip->} %{messageid}: %{p0}"); +var part2 = match("HEADER#0:006/1_1", "nwparser.p0", "%{hhostip} %{messageid}: %{p0}"); var select1 = linear_select([ part1, part2, ]); -var part3 = match("HEADER#0:006/2", "nwparser.p0", "%{payload}"); +var part3 = match_copy("HEADER#0:006/2", "nwparser.p0", "payload"); var all1 = all_match({ processors: [ - hdr1, + dup1, select1, part3, ], @@ -258,30 +258,28 @@ var all1 = all_match({ ]), }); -var hdr2 = match("HEADER#1:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ +var hdr1 = match("HEADER#1:001", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{messageid}[%{data}]: %{payload}", processor_chain([ setc("header_id","001"), ])); -var hdr3 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#2:005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{hdata}: %{messageid->} %{payload}", processor_chain([ setc("header_id","005"), ])); -var hdr4 = match("HEADER#3:002/0", "message", "%{month->} %{day->} %{time->} %{p0}"); - -var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "%{hhostname->} -%{messageid}:%{p0}"); +var part4 = match("HEADER#3:002/1_0", "nwparser.p0", "-%{p0}"); -var part5 = match("HEADER#3:002/1_1", "nwparser.p0", "%{hhostname->} %{messageid}:%{p0}"); +var part5 = match_copy("HEADER#3:002/1_1", "nwparser.p0", "p0"); var select2 = linear_select([ part4, part5, ]); -var part6 = match("HEADER#3:002/2", "nwparser.p0", "%{} %{payload}"); +var part6 = match("HEADER#3:002/2", "nwparser.p0", ":%{messageid->} %{payload}"); var all2 = all_match({ processors: [ - hdr4, + dup1, select2, part6, ], @@ -290,30 +288,29 @@ var all2 = all_match({ ]), }); -var hdr5 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ +var hdr3 = match("HEADER#4:0003", "message", "%{messageid}[%{data}]: %{payload}", processor_chain([ setc("header_id","0003"), ])); -var hdr6 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ +var hdr4 = match("HEADER#5:0004", "message", "%{messageid}: %{payload}", processor_chain([ setc("header_id","0004"), ])); -var hdr7 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ +var hdr5 = match("HEADER#6:0005", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{fld1->} |%{messageid->} |%{payload}", processor_chain([ setc("header_id","0005"), ])); var select3 = linear_select([ all1, + hdr1, hdr2, - hdr3, all2, + hdr3, + hdr4, hdr5, - hdr6, - hdr7, ]); var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Logout - - ip=%{saddr->} group=%{group->} trigger_event=%{event_description}", processor_chain([ - dup1, dup2, dup3, dup4, @@ -321,72 +318,73 @@ var part7 = match("MESSAGE#0:httpd", "nwparser.payload", "%{fld1->} %{fld2}.%{fl dup6, dup7, dup8, + dup9, ])); var msg1 = msg("httpd", part7); var part8 = match("MESSAGE#1:httpd:01", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{fld4->} ip=%{saddr->} auth=%{authmethod->} group=%{group->} apparently_via=%{info}", processor_chain([ - dup9, - dup2, - dup3, dup10, - dup5, + dup3, + dup4, + dup11, dup6, dup7, dup8, + dup9, ])); var msg2 = msg("httpd:01", part8); var part9 = match("MESSAGE#2:httpd:02", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{action->} message=%{info}", processor_chain([ - dup11, - dup6, + dup12, dup7, dup8, + dup9, ])); var msg3 = msg("httpd:02", part9); var part10 = match("MESSAGE#3:httpd:03", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Created HostAddress %{hostip}: Set address=\"%{saddr}\",configure_for_dhcp=%{fld10},match_option=\"%{info}\",parent=%{context}", processor_chain([ - dup11, - dup6, + dup12, dup7, dup8, + dup9, ])); var msg4 = msg("httpd:03", part10); var part11 = match("MESSAGE#4:httpd:04", "nwparser.payload", "%{shost}: %{fld1->} authentication for user %{username->} failed", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ])); var msg5 = msg("httpd:04", part11); var part12 = match("MESSAGE#5:httpd:05", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Called - %{event_description}", processor_chain([ - dup12, - dup6, + dup13, dup7, dup8, + dup9, ])); var msg6 = msg("httpd:05", part12); var part13 = match("MESSAGE#6:httpd:07", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Denied - - to=%{terminal->} ip=%{saddr->} info=%{info}", processor_chain([ - dup13, - dup2, - dup3, - dup10, dup14, - dup6, + dup3, + dup4, + dup11, + dup15, dup7, dup8, + dup9, ])); var msg7 = msg("httpd:07", part13); -var msg8 = msg("httpd:06", dup64); +var msg8 = msg("httpd:06", dup65); var select4 = linear_select([ msg1, @@ -400,18 +398,18 @@ var select4 = linear_select([ ]); var part14 = match("MESSAGE#8:in.tftpd:01", "nwparser.payload", "RRQ from %{saddr->} filename %{filename}", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","RRQ from remote host"), ])); var msg9 = msg("in.tftpd:01", part14); var part15 = match("MESSAGE#9:in.tftpd:02", "nwparser.payload", "sending NAK (%{resultcode}, %{result}) to %{daddr}", processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, setc("event_description","sending NAK to remote host"), ])); @@ -419,8 +417,8 @@ var msg10 = msg("in.tftpd:02", part15); var part16 = match("MESSAGE#10:in.tftpd", "nwparser.payload", "connection refused from %{saddr}", processor_chain([ setc("eventcategory","1801030000"), - dup6, - dup8, + dup7, + dup9, ])); var msg11 = msg("in.tftpd", part16); @@ -442,7 +440,7 @@ var select6 = linear_select([ part19, ]); -var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "%{}seconds"); +var part20 = match("MESSAGE#11:dhcpd:12/2", "nwparser.p0", "seconds%{}"); var all3 = all_match({ processors: [ @@ -451,9 +449,9 @@ var all3 = all_match({ part20, ], on_success: processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, setc("event_description","received a REQUEST DHCP packet from relay-agent"), ]), }); @@ -461,98 +459,98 @@ var all3 = all_match({ var msg12 = msg("dhcpd:12", all3); var part21 = match("MESSAGE#12:dhcpd:21", "nwparser.payload", "bind update on %{hostip->} from %{hostname}(%{fld1}) rejected: %{result}", processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, setc("event_description","bind update rejected"), ])); var msg13 = msg("dhcpd:21", part21); var part22 = match("MESSAGE#13:dhcpd:10", "nwparser.payload", "Unable to add forward map from %{shost->} %{fld1}to %{daddr}: %{result}", processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, setc("event_description","Unable to add forward map"), ])); var msg14 = msg("dhcpd:10", part22); var part23 = match("MESSAGE#14:dhcpd:13", "nwparser.payload", "Average %{fld1->} dynamic DNS update latency: %{result->} micro seconds", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","Average dynamic DNS update latency"), ])); var msg15 = msg("dhcpd:13", part23); var part24 = match("MESSAGE#15:dhcpd:15", "nwparser.payload", "Dynamic DNS update timeout count in last %{info->} minutes: %{result}", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","Dynamic DNS update timeout count"), ])); var msg16 = msg("dhcpd:15", part24); var part25 = match("MESSAGE#16:dhcpd:22", "nwparser.payload", "Removed forward map from %{shost->} %{fld1}to %{daddr}", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","Removed forward map"), ])); var msg17 = msg("dhcpd:22", part25); var part26 = match("MESSAGE#17:dhcpd:25", "nwparser.payload", "Removed reverse map on %{hostname}", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","Removed reverse map"), ])); var msg18 = msg("dhcpd:25", part26); var part27 = match("MESSAGE#18:dhcpd:06", "nwparser.payload", "received shutdown -/-/ %{result}", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","received shutdown"), ])); var msg19 = msg("dhcpd:06", part27); -var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "%{}new forward map from %{hostname->} %{space->} %{daddr}"); +var part28 = match("MESSAGE#19:dhcpd:18/2", "nwparser.p0", "new forward map from %{hostname->} %{space->} %{daddr}"); var all4 = all_match({ processors: [ - dup16, - dup65, + dup17, + dup66, part28, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","Added new forward map"), ]), }); var msg20 = msg("dhcpd:18", all4); -var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "%{}reverse map from %{hostname->} %{space->} %{daddr}"); +var part29 = match("MESSAGE#20:dhcpd:19/2", "nwparser.p0", "reverse map from %{hostname->} %{space->} %{daddr}"); var all5 = all_match({ processors: [ - dup16, - dup65, + dup17, + dup66, part29, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","added reverse map"), ]), }); @@ -560,66 +558,66 @@ var all5 = all_match({ var msg21 = msg("dhcpd:19", all5); var part30 = match("MESSAGE#21:dhcpd", "nwparser.payload", "Abandoning IP address %{hostip}: declined", processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, setc("event_description","Abandoning IP declined"), ])); var msg22 = msg("dhcpd", part30); var part31 = match("MESSAGE#22:dhcpd:30", "nwparser.payload", "Abandoning IP address %{hostip}: pinged before offer", processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, setc("event_description","Abandoning IP pinged before offer"), ])); var msg23 = msg("dhcpd:30", part31); var part32 = match("MESSAGE#23:dhcpd:01", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} (%{shost}) via %{interface}: %{info}", processor_chain([ - dup15, - dup6, - dup8, - dup19, + dup16, + dup7, + dup9, + dup20, ])); var msg24 = msg("dhcpd:01", part32); var part33 = match("MESSAGE#24:dhcpd:02", "nwparser.payload", "DHCPDECLINE of %{saddr->} from %{smacaddr->} via %{interface}: %{info}", processor_chain([ - dup15, - dup6, - dup8, - dup19, + dup16, + dup7, + dup9, + dup20, ])); var msg25 = msg("dhcpd:02", part33); -var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{p0}"); +var part34 = match("MESSAGE#25:dhcpd:03/0", "nwparser.payload", "DHCPRELEASE of %{saddr->} from %{dmacaddr->} %{p0}"); -var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{} %{interface->} (%{info})"); +var part35 = match("MESSAGE#25:dhcpd:03/2", "nwparser.p0", "%{interface->} (%{info})"); var all6 = all_match({ processors: [ part34, - dup66, + dup67, part35, ], on_success: processor_chain([ - dup12, - dup6, - dup8, - dup22, + dup13, + dup7, + dup9, + dup23, ]), }); var msg26 = msg("dhcpd:03", all6); var part36 = match("MESSAGE#26:dhcpd:04", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} via %{interface}: network %{mask}: %{info}", processor_chain([ - dup12, - dup6, - dup8, - dup23, + dup13, + dup7, + dup9, + dup24, ])); var msg27 = msg("dhcpd:04", part36); @@ -635,7 +633,7 @@ var select7 = linear_select([ part39, ]); -var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{} %{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); +var part40 = match("MESSAGE#27:dhcpd:07/2", "nwparser.p0", "%{smacaddr->} (%{hostname}) via %{interface}: ignored (%{result})"); var all7 = all_match({ processors: [ @@ -644,27 +642,27 @@ var all7 = all_match({ part40, ], on_success: processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, setc("action","DHCPREQUEST ignored"), ]), }); var msg28 = msg("dhcpd:07", all7); -var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{} %{interface}: wrong network"); +var part41 = match("MESSAGE#28:dhcpd:09/2", "nwparser.p0", "%{interface}: wrong network"); var all8 = all_match({ processors: [ - dup24, - dup67, + dup25, + dup68, part41, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup27, setc("result","wrong network"), ]), @@ -672,18 +670,18 @@ var all8 = all_match({ var msg29 = msg("dhcpd:09", all8); -var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{} %{interface}: lease %{hostip->} unavailable"); +var part42 = match("MESSAGE#29:dhcpd:26/2", "nwparser.p0", "%{interface}: lease %{hostip->} unavailable"); var all9 = all_match({ processors: [ - dup24, - dup67, + dup25, + dup68, part42, ], on_success: processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, dup27, setc("result","lease unavailable"), ]), @@ -692,9 +690,9 @@ var all9 = all_match({ var msg30 = msg("dhcpd:26", all9); var part43 = match("MESSAGE#30:dhcpd:08", "nwparser.payload", "DHCPREQUEST for %{saddr->} (%{shost}) from %{smacaddr->} (%{hostname}) via %{interface}", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup27, ])); @@ -702,14 +700,14 @@ var msg31 = msg("dhcpd:08", part43); var all10 = all_match({ processors: [ - dup24, - dup67, + dup25, + dup68, dup28, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup27, ]), }); @@ -717,19 +715,19 @@ var all10 = all_match({ var msg32 = msg("dhcpd:11", all10); var part44 = match("MESSAGE#32:dhcpd:31", "nwparser.payload", "DHCPRELEASE from %{smacaddr->} via %{saddr}: unknown network segment", processor_chain([ - dup12, - dup6, - dup8, - dup22, + dup13, + dup7, + dup9, + dup23, dup29, ])); var msg33 = msg("dhcpd:31", part44); var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from %{smacaddr->} via %{saddr}: %{event_description}", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("action","BOOTREQUEST"), dup30, ])); @@ -737,9 +735,9 @@ var part45 = match("MESSAGE#33:dhcpd:32", "nwparser.payload", "BOOTREQUEST from var msg34 = msg("dhcpd:32", part45); var part46 = match("MESSAGE#34:dhcpd:33", "nwparser.payload", "Reclaiming abandoned lease %{saddr}.", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","Reclaiming abandoned lease"), ])); @@ -762,7 +760,7 @@ var part51 = match("MESSAGE#35:dhcpd:34/3_0", "nwparser.p0", "(+/-)%{fld7}(%{inf var part52 = match("MESSAGE#35:dhcpd:34/3_1", "nwparser.p0", "(+/-)%{fld7}"); -var part53 = match("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "%{fld7}"); +var part53 = match_copy("MESSAGE#35:dhcpd:34/3_2", "nwparser.p0", "fld7"); var select9 = linear_select([ part51, @@ -778,9 +776,9 @@ var all11 = all_match({ select9, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); @@ -788,35 +786,35 @@ var all11 = all_match({ var msg36 = msg("dhcpd:34", all11); var part54 = match("MESSAGE#36:dhcpd:35", "nwparser.payload", "Unable to add reverse map from %{shost->} to %{dhost}: REFUSED", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description"," Unable to add reverse map"), ])); var msg37 = msg("dhcpd:35", part54); var part55 = match("MESSAGE#37:dhcpd:36", "nwparser.payload", "Forward map from %{shost->} %{fld2}to %{daddr->} FAILED: %{fld1}", processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description"," Forward map failed"), ])); var msg38 = msg("dhcpd:36", part55); -var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{p0}"); +var part56 = match("MESSAGE#38:dhcpd:14/0", "nwparser.payload", "DHCPACK on %{saddr->} to %{dmacaddr->} %{p0}"); var all12 = all_match({ processors: [ part56, - dup66, + dup67, dup31, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup32, ]), }); @@ -827,10 +825,14 @@ var part57 = match("MESSAGE#39:dhcpd:24/0", "nwparser.payload", "DHCPOFFER on %{ var part58 = match("MESSAGE#39:dhcpd:24/1_0", "nwparser.p0", "\"%{dmacaddr}\" (%{dhost}) via %{p0}"); +var part59 = match("MESSAGE#39:dhcpd:24/1_1", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); + +var part60 = match("MESSAGE#39:dhcpd:24/1_2", "nwparser.p0", "%{dmacaddr->} via %{p0}"); + var select10 = linear_select([ part58, - dup20, - dup21, + part59, + part60, ]); var all13 = all_match({ @@ -840,238 +842,241 @@ var all13 = all_match({ dup31, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("action","DHCPOFFER"), ]), }); var msg40 = msg("dhcpd:24", all13); -var part59 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ - dup12, - dup6, - dup8, +var part61 = match("MESSAGE#40:dhcpd:17", "nwparser.payload", "DHCPNAK on %{saddr->} to %{dmacaddr->} via %{interface}", processor_chain([ + dup13, + dup7, + dup9, setc("action","DHCPNAK"), ])); -var msg41 = msg("dhcpd:17", part59); +var msg41 = msg("dhcpd:17", part61); -var part60 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{p0}"); +var part62 = match("MESSAGE#41:dhcpd:05/0", "nwparser.payload", "DHCPDISCOVER from %{smacaddr->} %{p0}"); var all14 = all_match({ processors: [ - part60, - dup67, + part62, + dup68, dup28, ], on_success: processor_chain([ - dup12, - dup6, - dup8, - dup23, + dup13, + dup7, + dup9, + dup24, ]), }); var msg42 = msg("dhcpd:05", all14); -var part61 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ - dup12, - dup6, - dup8, +var part63 = match("MESSAGE#42:dhcpd:16", "nwparser.payload", "DHCPACK to %{daddr->} (%{dmacaddr}) via %{interface}", processor_chain([ + dup13, + dup7, + dup9, dup32, ])); -var msg43 = msg("dhcpd:16", part61); +var msg43 = msg("dhcpd:16", part63); -var part62 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ - dup12, - dup6, - dup8, +var part64 = match("MESSAGE#43:dhcpd:20", "nwparser.payload", "DHCPINFORM from %{saddr->} via %{interface}", processor_chain([ + dup13, + dup7, + dup9, setc("action","DHCPINFORM"), ])); -var msg44 = msg("dhcpd:20", part62); +var msg44 = msg("dhcpd:20", part64); -var part63 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ - dup12, - dup6, - dup8, +var part65 = match("MESSAGE#44:dhcpd:23", "nwparser.payload", "DHCPEXPIRE on %{saddr->} to %{dmacaddr}", processor_chain([ + dup13, + dup7, + dup9, setc("action","DHCPEXPIRE"), ])); -var msg45 = msg("dhcpd:23", part63); +var msg45 = msg("dhcpd:23", part65); -var part64 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ - dup12, - dup6, - dup8, +var part66 = match("MESSAGE#45:dhcpd:28", "nwparser.payload", "uid lease %{hostip->} for client %{smacaddr->} is duplicate on %{mask}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg46 = msg("dhcpd:28", part64); +var msg46 = msg("dhcpd:28", part66); -var part65 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ - dup12, - dup6, - dup8, +var part67 = match("MESSAGE#46:dhcpd:29", "nwparser.payload", "Attempt to add forward map \"%{shost}\" (and reverse map \"%{dhost}\") for %{saddr->} abandoned because of non-retryable failure: %{result}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg47 = msg("dhcpd:29", part65); +var msg47 = msg("dhcpd:29", part67); -var part66 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ - dup12, - dup6, - dup8, +var part68 = match("MESSAGE#191:dhcpd:39", "nwparser.payload", "NOT FREE/BACKUP lease%{hostip}End Time%{fld1->} Bind-State %{change_old->} Next-Bind-State %{change_new}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg48 = msg("dhcpd:39", part66); +var msg48 = msg("dhcpd:39", part68); -var part67 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ - dup12, - dup6, - dup8, +var part69 = match("MESSAGE#192:dhcpd:41", "nwparser.payload", "RELEASE on%{saddr}to%{dmacaddr}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg49 = msg("dhcpd:41", part67); +var msg49 = msg("dhcpd:41", part69); -var part68 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ - dup12, - dup6, - dup8, +var part70 = match("MESSAGE#193:dhcpd:42", "nwparser.payload", "r-l-e:%{hostip},%{result},%{fld1},%{macaddr},%{fld3},%{fld4},%{fld5},%{info}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg50 = msg("dhcpd:42", part68); +var msg50 = msg("dhcpd:42", part70); -var part69 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ - dup12, - dup6, - dup8, +var part71 = match("MESSAGE#194:dhcpd:43", "nwparser.payload", "failover peer%{fld1}:%{dclass_counter1}leases added to send queue from pool%{fld3->} %{hostip}/%{network_port}", processor_chain([ + dup13, + dup7, + dup9, setc("dclass_counter1_string","count of leases"), dup30, ])); -var msg51 = msg("dhcpd:43", part69); +var msg51 = msg("dhcpd:43", part71); -var part70 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ - dup12, - dup6, - dup8, +var part72 = match("MESSAGE#195:dhcpd:44", "nwparser.payload", "DHCPDECLINE from%{macaddr}via%{hostip}: unknown network segment", processor_chain([ + dup13, + dup7, + dup9, dup30, dup29, ])); -var msg52 = msg("dhcpd:44", part70); +var msg52 = msg("dhcpd:44", part72); -var part71 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ - dup12, - dup6, - dup8, +var part73 = match("MESSAGE#196:dhcpd:45", "nwparser.payload", "Reverse map update for%{hostip}abandoned because of non-retryable failure:%{disposition}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg53 = msg("dhcpd:45", part71); +var msg53 = msg("dhcpd:45", part73); -var part72 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ - dup12, - dup6, - dup8, +var part74 = match("MESSAGE#197:dhcpd:46", "nwparser.payload", "Reclaiming REQUESTed abandoned IP address%{saddr}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","Reclaiming REQUESTed abandoned IP address"), ])); -var msg54 = msg("dhcpd:46", part72); +var msg54 = msg("dhcpd:46", part74); -var part73 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); +var part75 = match("MESSAGE#198:dhcpd:47/0", "nwparser.payload", "%{hostip}: removing client association (%{action})%{p0}"); -var part74 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{macaddr}"); +var part76 = match("MESSAGE#198:dhcpd:47/1_0", "nwparser.p0", "uid=%{fld1}hw=%{p0}"); -var part75 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{macaddr}"); +var part77 = match("MESSAGE#198:dhcpd:47/1_1", "nwparser.p0", "hw=%{p0}"); var select11 = linear_select([ - part74, - part75, + part76, + part77, ]); +var part78 = match_copy("MESSAGE#198:dhcpd:47/2", "nwparser.p0", "macaddr"); + var all15 = all_match({ processors: [ - part73, + part75, select11, + part78, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); var msg55 = msg("dhcpd:47", all15); -var part76 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ - dup12, - dup6, - dup8, +var part79 = match("MESSAGE#199:dhcpd:48", "nwparser.payload", "Lease conflict at %{hostip}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg56 = msg("dhcpd:48", part76); +var msg56 = msg("dhcpd:48", part79); -var part77 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ - dup12, - dup6, - dup8, +var part80 = match("MESSAGE#200:dhcpd:49", "nwparser.payload", "ICMP Echo reply while lease %{hostip->} valid.", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("protocol","ICMP"), ])); -var msg57 = msg("dhcpd:49", part77); +var msg57 = msg("dhcpd:49", part80); -var part78 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. Not abandoning %{hostip}", processor_chain([ - dup12, - dup6, - dup8, +var part81 = match("MESSAGE#201:dhcpd:50", "nwparser.payload", "Lease state %{result}. Not abandoning %{hostip}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg58 = msg("dhcpd:50", part78); +var msg58 = msg("dhcpd:50", part81); -var part79 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); +var part82 = match("MESSAGE#202:dhcpd:51/0_0", "nwparser.payload", "Addition%{p0}"); -var part80 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); +var part83 = match("MESSAGE#202:dhcpd:51/0_1", "nwparser.payload", "Removal%{p0}"); var select12 = linear_select([ - part79, - part80, + part82, + part83, ]); -var part81 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); +var part84 = match("MESSAGE#202:dhcpd:51/1", "nwparser.p0", "%{}of %{p0}"); -var part82 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); +var part85 = match("MESSAGE#202:dhcpd:51/2_0", "nwparser.p0", "forward%{p0}"); -var part83 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); +var part86 = match("MESSAGE#202:dhcpd:51/2_1", "nwparser.p0", "reverse%{p0}"); var select13 = linear_select([ - part82, - part83, + part85, + part86, ]); -var part84 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); +var part87 = match("MESSAGE#202:dhcpd:51/3", "nwparser.p0", "%{}map for %{hostip->} deferred"); var all16 = all_match({ processors: [ select12, - part81, - select13, part84, + select13, + part87, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, setc("disposition","deferred"), ]), @@ -1079,16 +1084,16 @@ var all16 = all_match({ var msg59 = msg("dhcpd:51", all16); -var part85 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ - dup12, - dup6, - dup8, +var part88 = match("MESSAGE#203:dhcpd:52", "nwparser.payload", "Hostname%{change_old}replaced by%{hostname}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg60 = msg("dhcpd:52", part85); +var msg60 = msg("dhcpd:52", part88); -var msg61 = msg("dhcpd:37", dup68); +var msg61 = msg("dhcpd:37", dup69); var select14 = linear_select([ msg12, @@ -1143,52 +1148,52 @@ var select14 = linear_select([ msg61, ]); -var part86 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ - dup12, - dup6, - dup8, +var part89 = match("MESSAGE#47:ntpd:05", "nwparser.payload", "system event '%{event_type}' (%{fld1}) status '%{result}' (%{fld2})", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","system event status"), ])); -var msg62 = msg("ntpd:05", part86); +var msg62 = msg("ntpd:05", part89); -var part87 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %{filename}", processor_chain([ - dup12, - dup6, - dup8, +var part90 = match("MESSAGE#48:ntpd:04", "nwparser.payload", "frequency initialized %{result->} from %{filename}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","frequency initialized from file"), ])); -var msg63 = msg("ntpd:04", part87); +var msg63 = msg("ntpd:04", part90); -var part88 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ - dup12, - dup6, - dup8, +var part91 = match("MESSAGE#49:ntpd:03", "nwparser.payload", "ntpd exiting on signal %{dclass_counter1}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","ntpd exiting on signal"), ])); -var msg64 = msg("ntpd:03", part88); +var msg64 = msg("ntpd:03", part91); -var part89 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ - dup12, - dup6, - dup8, +var part92 = match("MESSAGE#50:ntpd", "nwparser.payload", "time slew %{result}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","time slew duraion"), ])); -var msg65 = msg("ntpd", part89); +var msg65 = msg("ntpd", part92); -var part90 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ - dup12, - dup6, - dup8, +var part93 = match("MESSAGE#51:ntpd:01", "nwparser.payload", "%{process}: signal %{dclass_counter1->} had flags %{result}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","signal had flags"), ])); -var msg66 = msg("ntpd:01", part90); +var msg66 = msg("ntpd:01", part93); -var msg67 = msg("ntpd:02", dup64); +var msg67 = msg("ntpd:02", dup65); var select15 = linear_select([ msg62, @@ -1199,113 +1204,113 @@ var select15 = linear_select([ msg67, ]); -var part91 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); +var part94 = match("MESSAGE#53:named:16/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: update '%{zone}' %{p0}"); var all17 = all_match({ processors: [ - part91, - dup69, + part94, + dup70, ], on_success: processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, ]), }); var msg68 = msg("named:16", all17); -var part92 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); +var part95 = match("MESSAGE#54:named/0", "nwparser.payload", "client %{saddr}#%{sport}: update '%{zone}/IN' %{p0}"); var all18 = all_match({ processors: [ - part92, - dup69, + part95, + dup70, ], on_success: processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, dup35, ]), }); var msg69 = msg("named", all18); -var part93 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); +var part96 = match("MESSAGE#55:named:12/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: signer \"%{owner}\" %{p0}"); var all19 = all_match({ processors: [ - part93, - dup69, + part96, + dup70, ], on_success: processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, ]), }); var msg70 = msg("named:12", all19); -var part94 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); +var part97 = match("MESSAGE#56:named:01/1_0", "nwparser.p0", "%{sport}/%{fld1}: signer \"%{p0}"); -var part95 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); +var part98 = match("MESSAGE#56:named:01/1_1", "nwparser.p0", "%{sport}: signer \"%{p0}"); var select16 = linear_select([ - part94, - part95, + part97, + part98, ]); -var part96 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); +var part99 = match("MESSAGE#56:named:01/2", "nwparser.p0", "%{owner}\" %{p0}"); var all20 = all_match({ processors: [ dup36, select16, - part96, - dup69, + part99, + dup70, ], on_success: processor_chain([ - dup15, - dup6, - dup8, + dup16, + dup7, + dup9, ]), }); var msg71 = msg("named:01", all20); -var part97 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); +var part100 = match("MESSAGE#57:named:17/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}/%{p0}"); -var part98 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); +var part101 = match("MESSAGE#57:named:17/2", "nwparser.p0", "': %{p0}"); -var part99 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); +var part102 = match("MESSAGE#57:named:17/3_0", "nwparser.p0", "%{fld2}: %{action->} at '%{p0}"); var select17 = linear_select([ - part99, + part102, dup40, ]); -var part100 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); +var part103 = match("MESSAGE#57:named:17/4_1", "nwparser.p0", "%{hostname}' %{p0}"); var select18 = linear_select([ dup41, - part100, + part103, ]); var all21 = all_match({ processors: [ - part97, - dup70, - part98, + part100, + dup71, + part101, select17, select18, - dup71, + dup72, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup45, dup35, ]), @@ -1313,65 +1318,65 @@ var all21 = all_match({ var msg72 = msg("named:17", all21); -var part101 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); +var part104 = match("MESSAGE#58:named:18/0", "nwparser.payload", "client %{saddr}#%{sport}:%{fld1}: updating zone '%{zone}': %{p0}"); -var part102 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); +var part105 = match("MESSAGE#58:named:18/1_0", "nwparser.p0", "adding %{p0}"); -var part103 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); +var part106 = match("MESSAGE#58:named:18/1_1", "nwparser.p0", "deleting%{p0}"); var select19 = linear_select([ - part102, - part103, + part105, + part106, ]); -var part104 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); +var part107 = match("MESSAGE#58:named:18/2", "nwparser.p0", "%{} %{info->} at '%{hostname}'"); var all22 = all_match({ processors: [ - part101, - select19, part104, + select19, + part107, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg73 = msg("named:18", all22); -var part105 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); +var part108 = match("MESSAGE#59:named:02/0", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}/%{p0}"); -var part106 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); +var part109 = match("MESSAGE#59:named:02/2", "nwparser.p0", "':%{p0}"); -var part107 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); +var part110 = match("MESSAGE#59:named:02/3_0", "nwparser.p0", "%{fld1}: %{action->} at '%{p0}"); var select20 = linear_select([ - part107, + part110, dup40, ]); -var part108 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); +var part111 = match("MESSAGE#59:named:02/4_1", "nwparser.p0", "%{hostip}' %{p0}"); var select21 = linear_select([ dup41, - part108, + part111, ]); var all23 = all_match({ processors: [ - part105, - dup70, - part106, + part108, + dup71, + part109, select20, select21, - dup71, + dup72, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup45, dup35, ]), @@ -1379,96 +1384,94 @@ var all23 = all_match({ var msg74 = msg("named:02", all23); -var part109 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); +var part112 = match("MESSAGE#60:named:19/0", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': update %{disposition}: %{p0}"); -var part110 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); +var part113 = match("MESSAGE#60:named:19/1_0", "nwparser.p0", "%{hostname}/%{dns_querytype}: %{p0}"); -var part111 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); +var part114 = match("MESSAGE#60:named:19/1_1", "nwparser.p0", "%{hostname}: %{p0}"); var select22 = linear_select([ - part110, - part111, + part113, + part114, ]); var all24 = all_match({ processors: [ - part109, + part112, select22, dup46, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup47, ]), }); var msg75 = msg("named:19", all24); -var part112 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part115 = match("MESSAGE#61:named:03", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{hostname}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg76 = msg("named:03", part112); +var msg76 = msg("named:03", part115); -var part113 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ - dup12, - dup6, - dup8, +var part116 = match("MESSAGE#62:named:11", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: zone is up to date", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","notify zone is up to date"), ])); -var msg77 = msg("named:11", part113); +var msg77 = msg("named:11", part116); -var part114 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part117 = match("MESSAGE#63:named:13", "nwparser.payload", "zone %{zone}: notify from %{saddr}#%{sport}: %{action}, %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg78 = msg("named:13", part114); +var msg78 = msg("named:13", part117); -var part115 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ - dup12, - dup6, - dup8, +var part118 = match("MESSAGE#64:named:14", "nwparser.payload", "zone %{zone}: refresh: retry limit for master %{saddr}#%{sport->} exceeded (%{action})", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg79 = msg("named:14", part115); +var msg79 = msg("named:14", part118); -var part116 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ - dup12, - dup6, - dup8, +var part119 = match("MESSAGE#65:named:15", "nwparser.payload", "zone %{zone}: refresh: failure trying master %{saddr}#%{sport->} (source ::#0): %{action}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg80 = msg("named:15", part116); +var msg80 = msg("named:15", part119); -var part117 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); +var part120 = match("MESSAGE#66:named:25/0", "nwparser.payload", "DNS format error from %{saddr}#%{sport->} resolving %{domain}/%{dns_querytype->} for client %{daddr}#%{dport}: %{p0}"); -var part118 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); - -var part119 = match("MESSAGE#66:named:25/1_1", "nwparser.p0", "%{result}"); +var part121 = match("MESSAGE#66:named:25/1_0", "nwparser.p0", "%{error}--%{result}"); var select23 = linear_select([ - part118, - part119, + part121, + dup48, ]); var all25 = all_match({ processors: [ - part117, + part120, select23, ], on_success: processor_chain([ - dup48, dup49, - dup14, - dup6, - dup8, + dup50, + dup15, + dup7, + dup9, setc("event_description","DNS format error"), dup30, ]), @@ -1476,81 +1479,82 @@ var all25 = all_match({ var msg81 = msg("named:25", all25); -var part120 = match("MESSAGE#67:named:63/2", "nwparser.p0", "%{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); +var part122 = match("MESSAGE#67:named:63/2", "nwparser.p0", "#%{saddr->} %{sport->} (#%{fld5}): query: %{domain->} %{fld4->} (%{daddr})"); var all26 = all_match({ processors: [ - dup50, - dup72, - part120, + dup51, + dup73, + part122, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); var msg82 = msg("named:63", all26); -var part121 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); +var part123 = match("MESSAGE#68:named:72/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{fld1}): %{p0}"); -var part122 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); +var part124 = match("MESSAGE#68:named:72/1_0", "nwparser.p0", "view%{fld3}: query:%{p0}"); -var part123 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); +var part125 = match("MESSAGE#68:named:72/1_1", "nwparser.p0", "query:%{p0}"); var select24 = linear_select([ - part122, - part123, + part124, + part125, ]); -var part124 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); +var part126 = match("MESSAGE#68:named:72/2", "nwparser.p0", "%{} %{domain->} %{fld2->} %{dns_querytype->} %{context->} (%{daddr})"); var all27 = all_match({ processors: [ - part121, + part123, select24, - part124, + part126, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); var msg83 = msg("named:72", all27); -var part125 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part127 = match("MESSAGE#69:named:28", "nwparser.payload", "%{action->} (%{saddr}#%{sport}) %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg84 = msg("named:28", part125); +var msg84 = msg("named:28", part127); -var part126 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); +var part128 = match("MESSAGE#70:named:71/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: failed %{p0}"); -var part127 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{result}"); +var part129 = match("MESSAGE#70:named:71/1_0", "nwparser.p0", "to connect: %{p0}"); -var part128 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{result}"); +var part130 = match("MESSAGE#70:named:71/1_1", "nwparser.p0", "while receiving responses: %{p0}"); var select25 = linear_select([ - part127, - part128, + part129, + part130, ]); var all28 = all_match({ processors: [ - part126, + part128, select25, + dup48, ], on_success: processor_chain([ - dup48, - dup6, - dup8, + dup49, + dup7, + dup9, dup30, setc("event_description","failed"), ]), @@ -1558,246 +1562,246 @@ var all28 = all_match({ var msg85 = msg("named:71", all28); -var part129 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); +var part131 = match("MESSAGE#71:named:70/0", "nwparser.payload", "transfer of '%{zone}' from %{saddr}#%{sport}: %{p0}"); -var part130 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); +var part132 = match("MESSAGE#71:named:70/1_0", "nwparser.p0", "connected using %{daddr}#%{dport}"); var select26 = linear_select([ - part130, + part132, dup46, ]); var all29 = all_match({ processors: [ - part129, + part131, select26, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); var msg86 = msg("named:70", all29); -var part131 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); +var part133 = match("MESSAGE#72:named:40/0", "nwparser.payload", "%{fld1->} client %{saddr}#%{sport}: %{p0}"); -var part132 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); +var part134 = match("MESSAGE#72:named:40/1_0", "nwparser.p0", "view %{fld2}: %{protocol}: query: %{p0}"); -var part133 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); +var part135 = match("MESSAGE#72:named:40/1_1", "nwparser.p0", "%{protocol}: query: %{p0}"); var select27 = linear_select([ - part132, - part133, + part134, + part135, ]); -var part134 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); +var part136 = match("MESSAGE#72:named:40/2", "nwparser.p0", "%{domain->} %{fld3->} %{dns_querytype->} response:%{result->} %{p0}"); -var part135 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); +var part137 = match("MESSAGE#72:named:40/3_0", "nwparser.p0", "%{context->} %{dns.resptext}"); -var part136 = match("MESSAGE#72:named:40/3_1", "nwparser.p0", "%{context}"); +var part138 = match_copy("MESSAGE#72:named:40/3_1", "nwparser.p0", "context"); var select28 = linear_select([ - part135, - part136, + part137, + part138, ]); var all30 = all_match({ processors: [ - part131, + part133, select27, - part134, + part136, select28, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); var msg87 = msg("named:40", all30); -var part137 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part139 = match("MESSAGE#73:named:05", "nwparser.payload", "zone '%{zone}' %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg88 = msg("named:05", part137); +var msg88 = msg("named:05", part139); -var part138 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); +var part140 = match("MESSAGE#74:named:10/1_0", "nwparser.p0", "%{sport->} %{fld22}/%{fld21}:%{p0}"); -var part139 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); +var part141 = match("MESSAGE#74:named:10/1_1", "nwparser.p0", "%{sport}/%{fld21}:%{p0}"); -var part140 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); +var part142 = match("MESSAGE#74:named:10/1_2", "nwparser.p0", "%{sport->} (%{fld21}): %{p0}"); var select29 = linear_select([ - part138, - part139, part140, - dup53, + part141, + part142, + dup54, ]); -var part141 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); +var part143 = match("MESSAGE#74:named:10/2", "nwparser.p0", "%{}query: %{domain->} %{info->} (%{daddr})"); var all31 = all_match({ processors: [ dup36, select29, - part141, + part143, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, setc("event_description","dns query"), ]), }); var msg89 = msg("named:10", all31); -var part142 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ - dup12, - dup6, - dup8, +var part144 = match("MESSAGE#75:named:29", "nwparser.payload", "client %{saddr}#%{sport}: %{fld1}: received notify for zone '%{zone}'", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","received notify for zone"), ])); -var msg90 = msg("named:29", part142); +var msg90 = msg("named:29", part144); -var part143 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ - dup12, - dup6, - dup8, +var part145 = match("MESSAGE#76:named:08", "nwparser.payload", "client %{saddr}#%{sport}: received notify for zone '%{zone}'", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","client received notify for zone"), ])); -var msg91 = msg("named:08", part143); +var msg91 = msg("named:08", part145); -var part144 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ - dup15, - dup6, - dup8, +var part146 = match("MESSAGE#77:named:09", "nwparser.payload", "client %{saddr}#%{sport}: update forwarding '%{zone}' denied", processor_chain([ + dup16, + dup7, + dup9, setc("event_description","client update forwarding for zone denied"), ])); -var msg92 = msg("named:09", part144); +var msg92 = msg("named:09", part146); -var part145 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); +var part147 = match("MESSAGE#78:named:76/0", "nwparser.payload", "zone %{zone}: ZRQ appl%{p0}"); -var part146 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); +var part148 = match("MESSAGE#78:named:76/1_0", "nwparser.p0", "ied%{p0}"); -var part147 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); +var part149 = match("MESSAGE#78:named:76/1_1", "nwparser.p0", "ying%{p0}"); var select30 = linear_select([ - part146, - part147, + part148, + part149, ]); -var part148 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); +var part150 = match("MESSAGE#78:named:76/2", "nwparser.p0", "%{}transaction %{p0}"); -var part149 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. Zone version is now %{version}."); +var part151 = match("MESSAGE#78:named:76/3_0", "nwparser.p0", "%{operation_id->} with SOA serial %{serial_number}. Zone version is now %{version}."); -var part150 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); +var part152 = match("MESSAGE#78:named:76/3_1", "nwparser.p0", "%{fld1}."); var select31 = linear_select([ - part149, - part150, + part151, + part152, ]); var all32 = all_match({ processors: [ - part145, + part147, select30, - part148, + part150, select31, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); var msg93 = msg("named:76", all32); -var part151 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ - dup12, - dup6, - dup8, +var part153 = match("MESSAGE#79:named:75", "nwparser.payload", "zone %{zone}: ZRQ applied %{action->} for '%{fld1}': %{fld2->} %{fld3->} %{dns_querytype->} %{info}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg94 = msg("named:75", part151); +var msg94 = msg("named:75", part153); -var part152 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); +var part154 = match("MESSAGE#80:named:06/0", "nwparser.payload", "zone%{p0}"); -var part153 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); +var part155 = match("MESSAGE#80:named:06/1_0", "nwparser.p0", "_%{fld1}: %{p0}"); -var part154 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); +var part156 = match("MESSAGE#80:named:06/1_1", "nwparser.p0", " %{zone}: %{p0}"); var select32 = linear_select([ - part153, - part154, + part155, + part156, ]); var all33 = all_match({ processors: [ - part152, + part154, select32, dup46, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); var msg95 = msg("named:06", all33); -var part155 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ - dup12, - dup49, - dup14, - dup6, - dup8, - dup54, - dup30, +var part157 = match("MESSAGE#81:named:20", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup50, + dup15, + dup7, + dup9, dup55, + dup30, + dup56, ])); -var msg96 = msg("named:20", part155); +var msg96 = msg("named:20", part157); -var part156 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); +var part158 = match("MESSAGE#82:named:49/0", "nwparser.payload", "REFUSED unexpected RCODE resolving '%{zone}/%{dns_querytype}/IN': %{p0}"); -var part157 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); +var part159 = match("MESSAGE#82:named:49/1_0", "nwparser.p0", "%{daddr}#%{dport}"); -var part158 = match("MESSAGE#82:named:49/1_1", "nwparser.p0", "%{fld1}"); +var part160 = match_copy("MESSAGE#82:named:49/1_1", "nwparser.p0", "fld1"); var select33 = linear_select([ - part157, - part158, + part159, + part160, ]); var all34 = all_match({ processors: [ - part156, + part158, select33, ], on_success: processor_chain([ - dup56, - dup49, - dup14, - dup6, - dup8, - dup54, + dup57, + dup50, + dup15, + dup7, + dup9, + dup55, dup30, dup35, ]), @@ -1805,454 +1809,457 @@ var all34 = all_match({ var msg97 = msg("named:49", all34); -var part159 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{domain}): %{fld2}: zone transfer%{p0}"); +var part161 = match("MESSAGE#83:named:24/1_0", "nwparser.p0", "%{fld2}: zone transfer%{p0}"); -var part160 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "%{domain}): zone transfer%{p0}"); +var part162 = match("MESSAGE#83:named:24/1_1", "nwparser.p0", "zone transfer%{p0}"); var select34 = linear_select([ - part159, - part160, + part161, + part162, ]); -var part161 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); +var part163 = match("MESSAGE#83:named:24/2", "nwparser.p0", "%{}'%{zone}' %{action}"); var all35 = all_match({ processors: [ - dup57, + dup58, select34, - part161, + part163, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); var msg98 = msg("named:24", all35); -var part162 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{domain}): %{fld2}: no more recursive clients %{p0}"); +var part164 = match("MESSAGE#84:named:26/1_0", "nwparser.p0", "%{fld2}: no more recursive clients %{p0}"); -var part163 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "%{domain}): no more recursive clients%{p0}"); +var part165 = match("MESSAGE#84:named:26/1_1", "nwparser.p0", "no more recursive clients%{p0}"); var select35 = linear_select([ - part162, - part163, + part164, + part165, ]); -var part164 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); +var part166 = match("MESSAGE#84:named:26/2", "nwparser.p0", "%{}(%{fld3}) %{info}"); var all36 = all_match({ processors: [ - dup57, + dup58, select35, - part164, + part166, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg99 = msg("named:26", all36); -var part165 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{domain}): %{fld2->} : %{fld3->} response from Internet for %{p0}"); +var part167 = match("MESSAGE#85:named:27/1_0", "nwparser.p0", "%{fld2->} : %{fld3->} response from Internet for %{p0}"); -var part166 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{domain}): %{fld3->} response from Internet for %{p0}"); +var part168 = match("MESSAGE#85:named:27/1_1", "nwparser.p0", "%{fld3->} response from Internet for %{p0}"); var select36 = linear_select([ - part165, - part166, + part167, + part168, ]); -var part167 = match("MESSAGE#85:named:27/2", "nwparser.p0", "%{fld4}"); +var part169 = match_copy("MESSAGE#85:named:27/2", "nwparser.p0", "fld4"); var all37 = all_match({ processors: [ - dup57, + dup58, select36, - part167, + part169, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg100 = msg("named:27", all37); -var part168 = match("MESSAGE#86:named:38/2_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); +var part170 = match("MESSAGE#86:named:38/2", "nwparser.p0", "#%{saddr->} %{p0}"); -var part169 = match("MESSAGE#86:named:38/2_1", "nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); +var part171 = match("MESSAGE#86:named:38/3_0", "nwparser.p0", "%{sport}#%{fld5->} (%{fld6}):%{p0}"); + +var part172 = match("MESSAGE#86:named:38/3_1", "nwparser.p0", "%{sport->} (%{fld5}):%{p0}"); var select37 = linear_select([ - part168, - part169, - dup53, + part171, + part172, + dup54, ]); -var part170 = match("MESSAGE#86:named:38/3", "nwparser.p0", "%{}query%{p0}"); +var part173 = match("MESSAGE#86:named:38/4", "nwparser.p0", "%{}query%{p0}"); -var part171 = match("MESSAGE#86:named:38/4_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); +var part174 = match("MESSAGE#86:named:38/5_0", "nwparser.p0", " (%{fld7}) '%{domain}/%{fld4}' %{result}"); -var part172 = match("MESSAGE#86:named:38/4_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); +var part175 = match("MESSAGE#86:named:38/5_1", "nwparser.p0", ": %{domain->} %{fld4->} (%{daddr})"); var select38 = linear_select([ - part171, - part172, + part174, + part175, ]); var all38 = all_match({ processors: [ - dup50, - dup72, - select37, + dup51, + dup73, part170, + select37, + part173, select38, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg101 = msg("named:38", all38); -var part173 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ - dup12, - dup49, - dup14, - dup6, - dup8, - dup54, +var part176 = match("MESSAGE#87:named:39", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: error (%{result}) resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup50, + dup15, + dup7, + dup9, + dup55, ])); -var msg102 = msg("named:39", part173); +var msg102 = msg("named:39", part176); -var part174 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ - dup12, - dup6, - dup8, +var part177 = match("MESSAGE#88:named:46", "nwparser.payload", "%{event_description}: Authorization denied for the operation (%{fld4}): %{fld5->} (data=\"%{hostip}\", source=\"%{hostname}\")", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg103 = msg("named:46", part174); +var msg103 = msg("named:46", part177); -var part175 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ - dup12, - dup6, - dup8, +var part178 = match("MESSAGE#89:named:64", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg104 = msg("named:64", part175); +var msg104 = msg("named:64", part178); -var part176 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ - dup12, - dup6, - dup8, +var part179 = match("MESSAGE#90:named:45", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': deleting %{info->} at %{hostname->} %{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, dup47, ])); -var msg105 = msg("named:45", part176); +var msg105 = msg("named:45", part179); -var part177 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); +var part180 = match("MESSAGE#91:named:44/0", "nwparser.payload", "client %{saddr}#%{sport}/key dhcp_updater_default: updating zone '%{p0}"); -var part178 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); +var part181 = match("MESSAGE#91:named:44/1_0", "nwparser.p0", "%{domain}/IN'%{p0}"); -var part179 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); +var part182 = match("MESSAGE#91:named:44/1_1", "nwparser.p0", "%{domain}'%{p0}"); var select39 = linear_select([ - part178, - part179, + part181, + part182, ]); -var part180 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); +var part183 = match("MESSAGE#91:named:44/2", "nwparser.p0", ": %{p0}"); -var part181 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa "); +var part184 = match("MESSAGE#91:named:44/3_0", "nwparser.p0", "deleting an RR at %{daddr}.in-addr.arpa"); -var part182 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6->} "); +var part185 = match("MESSAGE#91:named:44/3_1", "nwparser.p0", "deleting an RR at %{daddr}.%{fld6}"); -var part183 = match("MESSAGE#91:named:44/3_2", "nwparser.p0", "%{fld5}"); +var part186 = match_copy("MESSAGE#91:named:44/3_2", "nwparser.p0", "fld5"); var select40 = linear_select([ - part181, - part182, - part183, + part184, + part185, + part186, ]); var all39 = all_match({ processors: [ - part177, - select39, part180, + select39, + part183, select40, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg106 = msg("named:44", all39); -var part184 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ - dup12, - dup6, - dup8, +var part187 = match("MESSAGE#92:named:43", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query (%{fld3}) '%{fld4}/%{dns_querytype}/IN' %{result}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg107 = msg("named:43", part184); +var msg107 = msg("named:43", part187); -var part185 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ - dup12, - dup6, - dup8, - dup55, +var part188 = match("MESSAGE#93:named:42", "nwparser.payload", "%{result->} resolving '%{saddr}.in-addr.arpa/%{event_description}/IN': %{daddr}#%{dport}", processor_chain([ + dup13, + dup7, + dup9, + dup56, ])); -var msg108 = msg("named:42", part185); +var msg108 = msg("named:42", part188); -var part186 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ - dup12, - dup6, - dup8, +var part189 = match("MESSAGE#94:named:41", "nwparser.payload", "%{fld1}: unable to find root NS '%{domain}'", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg109 = msg("named:41", part186); +var msg109 = msg("named:41", part189); -var part187 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ +var part190 = match("MESSAGE#95:named:47", "nwparser.payload", "client %{saddr}#%{sport}: updating zone '%{zone}': update %{disposition}: %{event_description}", processor_chain([ setc("eventcategory","1502000000"), - dup6, - dup8, + dup7, + dup9, ])); -var msg110 = msg("named:47", part187); +var msg110 = msg("named:47", part190); -var part188 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ - dup56, - dup6, - dup8, +var part191 = match("MESSAGE#96:named:48", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): query '%{zone}' %{result}", processor_chain([ + dup57, + dup7, + dup9, dup30, ])); -var msg111 = msg("named:48", part188); +var msg111 = msg("named:48", part191); -var part189 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ - dup12, - dup6, - dup8, +var part192 = match("MESSAGE#97:named:62", "nwparser.payload", "client %{saddr}#%{sport}/%{fld1->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg112 = msg("named:62", part189); +var msg112 = msg("named:62", part192); -var part190 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ - dup12, - dup6, - dup8, +var part193 = match("MESSAGE#98:named:53", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): transfer of '%{zone}': %{info}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg113 = msg("named:53", part190); +var msg113 = msg("named:53", part193); -var part191 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %{filename}:%{fld2}", processor_chain([ - dup48, - dup6, - dup8, +var part194 = match("MESSAGE#99:named:77", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): query failed (%{error}) for %{fld1}/IN/%{dns_querytype->} at %{filename}:%{fld2}", processor_chain([ + dup49, + dup7, + dup9, setc("event_description"," query failed"), ])); -var msg114 = msg("named:77", part191); +var msg114 = msg("named:77", part194); -var part192 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ - dup58, - dup6, - dup8, +var part195 = match("MESSAGE#100:named:52", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): %{info}", processor_chain([ + dup59, + dup7, + dup9, dup47, ])); -var msg115 = msg("named:52", part192); +var msg115 = msg("named:52", part195); -var part193 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ - dup58, - dup6, - dup8, +var part196 = match("MESSAGE#101:named:50", "nwparser.payload", "%{fld1}: %{domain}/%{dns_querytype->} (%{saddr}) %{info}", processor_chain([ + dup59, + dup7, + dup9, ])); -var msg116 = msg("named:50", part193); +var msg116 = msg("named:50", part196); -var part194 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ - dup56, - dup6, - dup8, - dup49, - dup14, - dup54, +var part197 = match("MESSAGE#102:named:51", "nwparser.payload", "%{fld1}: %{fld2}: REFUSED", processor_chain([ + dup57, + dup7, + dup9, + dup50, + dup15, + dup55, ])); -var msg117 = msg("named:51", part194); +var msg117 = msg("named:51", part197); -var part195 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ - dup58, - dup6, - dup8, - dup2, - dup14, +var part198 = match("MESSAGE#103:named:54", "nwparser.payload", "%{hostip}#%{network_port}: GSS-TSIG authentication failed:%{event_description}", processor_chain([ + dup59, + dup7, + dup9, + dup3, + dup15, dup30, ])); -var msg118 = msg("named:54", part195); +var msg118 = msg("named:54", part198); -var part196 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); +var part199 = match("MESSAGE#104:named:55/0", "nwparser.payload", "success resolving '%{domain}/%{dns_querytype}' (in '%{fld1}'?) %{p0}"); -var part197 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); +var part200 = match("MESSAGE#104:named:55/1_0", "nwparser.p0", "after disabling EDNS%{}"); -var part198 = match("MESSAGE#104:named:55/1_1", "nwparser.p0", "%{fld2}"); +var part201 = match_copy("MESSAGE#104:named:55/1_1", "nwparser.p0", "fld2"); var select41 = linear_select([ - part197, - part198, + part200, + part201, ]); var all40 = all_match({ processors: [ - part196, + part199, select41, ], on_success: processor_chain([ - dup58, + dup59, + dup7, + dup9, dup6, - dup8, - dup5, dup30, - dup59, + dup60, ]), }); var msg119 = msg("named:55", all40); -var part199 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ - dup58, - dup6, - dup8, - dup49, - dup14, - dup30, +var part202 = match("MESSAGE#105:named:56", "nwparser.payload", "SERVFAIL unexpected RCODE resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ dup59, + dup7, + dup9, + dup50, + dup15, + dup30, + dup60, ])); -var msg120 = msg("named:56", part199); +var msg120 = msg("named:56", part202); -var part200 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ - dup58, - dup6, - dup8, +var part203 = match("MESSAGE#106:named:57", "nwparser.payload", "FORMERR resolving '%{domain}/%{dns_querytype}/IN':%{hostip}#%{network_port}", processor_chain([ + dup59, + dup7, + dup9, setc("ec_outcome","Error"), dup30, - dup59, + dup60, ])); -var msg121 = msg("named:57", part200); +var msg121 = msg("named:57", part203); -var part201 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); +var part204 = match("MESSAGE#107:named:04/0", "nwparser.payload", "%{action->} on %{p0}"); -var part202 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); +var part205 = match("MESSAGE#107:named:04/1_0", "nwparser.p0", "IPv4 interface %{sinterface}, %{saddr}#%{p0}"); -var part203 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); +var part206 = match("MESSAGE#107:named:04/1_1", "nwparser.p0", "%{saddr}#%{p0}"); var select42 = linear_select([ - part202, - part203, + part205, + part206, ]); -var part204 = match("MESSAGE#107:named:04/2", "nwparser.p0", "%{sport}"); +var part207 = match_copy("MESSAGE#107:named:04/2", "nwparser.p0", "sport"); var all41 = all_match({ processors: [ - part201, - select42, part204, + select42, + part207, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg122 = msg("named:04", all41); -var part205 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ - dup58, - dup6, - dup8, - dup30, +var part208 = match("MESSAGE#108:named:58", "nwparser.payload", "lame server resolving '%{domain}' (in '%{fld2}'?):%{hostip}#%{network_port}", processor_chain([ dup59, + dup7, + dup9, + dup30, + dup60, ])); -var msg123 = msg("named:58", part205); +var msg123 = msg("named:58", part208); -var part206 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ - dup12, - dup6, - dup8, +var part209 = match("MESSAGE#109:named:59", "nwparser.payload", "exceeded max queries resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup13, + dup7, + dup9, dup30, - dup59, + dup60, ])); -var msg124 = msg("named:59", part206); +var msg124 = msg("named:59", part209); -var part207 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ - dup12, - dup6, - dup8, +var part210 = match("MESSAGE#110:named:60", "nwparser.payload", "skipping nameserver '%{hostname}' because it is a CNAME, while resolving '%{domain}/%{dns_querytype}'", processor_chain([ + dup13, + dup7, + dup9, dup30, - dup59, + dup60, setc("event_description","skipping nameserver because it is a CNAME"), ])); -var msg125 = msg("named:60", part207); +var msg125 = msg("named:60", part210); -var part208 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%{filename}'", processor_chain([ - dup12, - dup6, - dup8, +var part211 = match("MESSAGE#111:named:61", "nwparser.payload", "loading configuration from '%{filename}'", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg126 = msg("named:61", part208); +var msg126 = msg("named:61", part211); -var part209 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ - dup12, - dup6, - dup8, +var part212 = match("MESSAGE#112:named:73", "nwparser.payload", "fetch: %{zone}/%{dns_querytype}", processor_chain([ + dup13, + dup7, + dup9, dup30, dup35, ])); -var msg127 = msg("named:73", part209); +var msg127 = msg("named:73", part212); -var part210 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ - dup12, - dup6, - dup8, +var part213 = match("MESSAGE#113:named:74", "nwparser.payload", "decrement_reference: delete from rbt: %{fld1->} %{domain}", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg128 = msg("named:74", part210); +var msg128 = msg("named:74", part213); -var part211 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); +var part214 = match("MESSAGE#114:named:07/0_0", "nwparser.payload", "client %{saddr}#%{sport->} (%{hostname}): view %{fld2}: query: %{web_query}"); -var part212 = match("MESSAGE#114:named:07/0_1", "nwparser.payload", "%{event_description}"); +var part215 = match_copy("MESSAGE#114:named:07/0_1", "nwparser.payload", "event_description"); var select43 = linear_select([ - part211, - part212, + part214, + part215, ]); var all42 = all_match({ @@ -2260,9 +2267,9 @@ var all42 = all_match({ select43, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, dup30, ]), }); @@ -2334,121 +2341,121 @@ var select44 = linear_select([ msg129, ]); -var part213 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ - dup15, - dup6, - dup8, +var part216 = match("MESSAGE#115:pidof:01", "nwparser.payload", "can't read sid from %{agent}", processor_chain([ + dup16, + dup7, + dup9, setc("event_description","can't read sid"), ])); -var msg130 = msg("pidof:01", part213); +var msg130 = msg("pidof:01", part216); -var part214 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ - dup15, - dup6, - dup8, +var part217 = match("MESSAGE#116:pidof", "nwparser.payload", "can't get program name from %{agent}", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg131 = msg("pidof", part214); +var msg131 = msg("pidof", part217); var select45 = linear_select([ msg130, msg131, ]); -var part215 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. %{result}", processor_chain([ - dup15, - dup6, - dup8, +var part218 = match("MESSAGE#117:validate_dhcpd:01", "nwparser.payload", "Configured local-address not available as source address for DNS updates. %{result}", processor_chain([ + dup16, + dup7, + dup9, setc("event_description","Configured local-address not available as source address for DNS updates"), ])); -var msg132 = msg("validate_dhcpd:01", part215); +var msg132 = msg("validate_dhcpd:01", part218); -var msg133 = msg("validate_dhcpd", dup73); +var msg133 = msg("validate_dhcpd", dup74); var select46 = linear_select([ msg132, msg133, ]); -var msg134 = msg("syslog-ng", dup64); +var msg134 = msg("syslog-ng", dup65); -var part216 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ - dup12, - dup6, - dup8, +var part219 = match("MESSAGE#120:kernel", "nwparser.payload", "Linux version %{version->} (%{from}) (%{fld1}) %{fld2}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg135 = msg("kernel", part216); +var msg135 = msg("kernel", part219); -var msg136 = msg("kernel:01", dup64); +var msg136 = msg("kernel:01", dup65); var select47 = linear_select([ msg135, msg136, ]); -var msg137 = msg("radiusd", dup64); +var msg137 = msg("radiusd", dup65); -var part217 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ - dup12, - dup6, - dup8, +var part220 = match("MESSAGE#123:rc", "nwparser.payload", "executing %{agent->} start", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg138 = msg("rc", part217); +var msg138 = msg("rc", part220); -var msg139 = msg("rc3", dup64); +var msg139 = msg("rc3", dup65); -var part218 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ - dup12, - dup6, - dup8, +var part221 = match("MESSAGE#125:rcsysinit", "nwparser.payload", "fsck from %{version}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg140 = msg("rcsysinit", part218); +var msg140 = msg("rcsysinit", part221); -var msg141 = msg("rcsysinit:01", dup64); +var msg141 = msg("rcsysinit:01", dup65); var select48 = linear_select([ msg140, msg141, ]); -var part219 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %{filename}, with timeout = %{duration->} secs", processor_chain([ - dup12, - dup6, - dup8, +var part222 = match("MESSAGE#126:watchdog", "nwparser.payload", "opened %{filename}, with timeout = %{duration->} secs", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg142 = msg("watchdog", part219); +var msg142 = msg("watchdog", part222); -var part220 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ - dup12, - dup6, - dup8, +var part223 = match("MESSAGE#127:watchdog:01", "nwparser.payload", "%{action}, pid = %{process_id}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg143 = msg("watchdog:01", part220); +var msg143 = msg("watchdog:01", part223); -var part221 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ - dup12, - dup6, - dup8, +var part224 = match("MESSAGE#128:watchdog:02", "nwparser.payload", "received %{fld1}, cancelling softdog and exiting...", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg144 = msg("watchdog:02", part221); +var msg144 = msg("watchdog:02", part224); -var part222 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = %{resultcode}", processor_chain([ - dup15, - dup6, - dup8, +var part225 = match("MESSAGE#129:watchdog:03", "nwparser.payload", "%{filename->} could not be opened, errno = %{resultcode}", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg145 = msg("watchdog:03", part222); +var msg145 = msg("watchdog:03", part225); -var msg146 = msg("watchdog:04", dup64); +var msg146 = msg("watchdog:04", dup65); var select49 = linear_select([ msg142, @@ -2458,52 +2465,52 @@ var select49 = linear_select([ msg146, ]); -var msg147 = msg("init", dup64); +var msg147 = msg("init", dup65); -var part223 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ - dup12, - dup6, - dup8, +var part226 = match("MESSAGE#131:logger", "nwparser.payload", "%{action}: %{saddr}/%{mask->} to %{interface}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg148 = msg("logger", part223); +var msg148 = msg("logger", part226); -var msg149 = msg("logger:01", dup64); +var msg149 = msg("logger:01", dup65); var select50 = linear_select([ msg148, msg149, ]); -var part224 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ - dup15, - dup6, - dup8, +var part227 = match("MESSAGE#133:openvpn-member", "nwparser.payload", "read %{protocol->} [%{info}] %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg150 = msg("openvpn-member", part224); +var msg150 = msg("openvpn-member", part227); -var msg151 = msg("openvpn-member:01", dup74); +var msg151 = msg("openvpn-member:01", dup75); -var part225 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ - dup15, - dup6, - dup8, +var part228 = match("MESSAGE#135:openvpn-member:02", "nwparser.payload", "Options error: %{event_description}", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg152 = msg("openvpn-member:02", part225); +var msg152 = msg("openvpn-member:02", part228); -var part226 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ - dup12, - dup6, - dup8, +var part229 = match("MESSAGE#136:openvpn-member:03", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld2}] %{info}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg153 = msg("openvpn-member:03", part226); +var msg153 = msg("openvpn-member:03", part229); -var msg154 = msg("openvpn-member:04", dup75); +var msg154 = msg("openvpn-member:04", dup76); -var msg155 = msg("openvpn-member:05", dup64); +var msg155 = msg("openvpn-member:05", dup65); var select51 = linear_select([ msg150, @@ -2514,125 +2521,125 @@ var select51 = linear_select([ msg155, ]); -var part227 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ - dup12, - dup6, - dup8, +var part230 = match("MESSAGE#139:sshd", "nwparser.payload", "Server listening on %{hostip->} port %{network_port}.", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg156 = msg("sshd", part227); +var msg156 = msg("sshd", part230); -var part228 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); +var part231 = match("MESSAGE#140:sshd:01/0", "nwparser.payload", "Accepted password for %{p0}"); -var part229 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); +var part232 = match("MESSAGE#140:sshd:01/1_0", "nwparser.p0", "root from %{p0}"); -var part230 = match("MESSAGE#140:sshd:01/1_1", "nwparser.p0", "%{username->} from %{p0}"); +var part233 = match("MESSAGE#140:sshd:01/1_1", "nwparser.p0", "%{username->} from %{p0}"); var select52 = linear_select([ - part229, - part230, + part232, + part233, ]); -var part231 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); +var part234 = match("MESSAGE#140:sshd:01/2", "nwparser.p0", "%{saddr->} port %{sport->} %{protocol}"); var all43 = all_match({ processors: [ - part228, - select52, part231, + select52, + part234, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg157 = msg("sshd:01", all43); -var part232 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ - dup12, - dup6, - dup8, +var part235 = match("MESSAGE#141:sshd:02", "nwparser.payload", "Connection closed by %{hostip}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg158 = msg("sshd:02", part232); +var msg158 = msg("sshd:02", part235); -var part233 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ - dup15, - dup6, - dup8, +var part236 = match("MESSAGE#142:sshd:03", "nwparser.payload", "%{severity}: Bind to port %{network_port->} on %{hostip->} %{result}: %{event_description}", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg159 = msg("sshd:03", part233); +var msg159 = msg("sshd:03", part236); -var part234 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ +var part237 = match("MESSAGE#143:sshd:04", "nwparser.payload", "%{severity}: Cannot bind any address.", processor_chain([ setc("eventcategory","1601000000"), - dup6, - dup8, + dup7, + dup9, ])); -var msg160 = msg("sshd:04", part234); +var msg160 = msg("sshd:04", part237); -var part235 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ - dup1, +var part238 = match("MESSAGE#144:sshd:05", "nwparser.payload", "%{action}: logout() %{result}", processor_chain([ dup2, - dup4, - dup14, - dup6, - dup8, + dup3, + dup5, + dup15, + dup7, + dup9, setc("event_description","logout"), ])); -var msg161 = msg("sshd:05", part235); +var msg161 = msg("sshd:05", part238); -var part236 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ - dup15, - dup6, +var part239 = match("MESSAGE#145:sshd:06", "nwparser.payload", "Did not receive identification string from %{saddr}", processor_chain([ + dup16, + dup7, setc("result","no identification string"), setc("event_description","Did not receive identification string from peer"), ])); -var msg162 = msg("sshd:06", part236); +var msg162 = msg("sshd:06", part239); -var part237 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ - dup12, - dup6, +var part240 = match("MESSAGE#146:sshd:07", "nwparser.payload", "Sleep 60 seconds for slowing down ssh login%{}", processor_chain([ + dup13, + dup7, setc("result","slowing down ssh login"), setc("event_description","Sleep 60 seconds"), ])); -var msg163 = msg("sshd:07", part237); +var msg163 = msg("sshd:07", part240); -var part238 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ +var part241 = match("MESSAGE#147:sshd:08", "nwparser.payload", "%{authmethod->} authentication succeeded for user %{username}", processor_chain([ setc("eventcategory","1302010300"), - dup6, + dup7, setc("event_description","authentication succeeded"), - dup8, - dup60, + dup9, + dup61, ])); -var msg164 = msg("sshd:08", part238); +var msg164 = msg("sshd:08", part241); -var part239 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ - dup12, - dup6, - dup8, +var part242 = match("MESSAGE#148:sshd:09", "nwparser.payload", "User group = %{group}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","User group"), - dup60, + dup61, ])); -var msg165 = msg("sshd:09", part239); +var msg165 = msg("sshd:09", part242); -var part240 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ - dup12, - dup6, - dup8, +var part243 = match("MESSAGE#149:sshd:10", "nwparser.payload", "Bad protocol version identification '%{protocol_detail}' from %{saddr}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","Bad protocol version identification"), - dup60, + dup61, ])); -var msg166 = msg("sshd:10", part240); +var msg166 = msg("sshd:10", part243); var select53 = linear_select([ msg156, @@ -2648,51 +2655,51 @@ var select53 = linear_select([ msg166, ]); -var part241 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ - dup12, - dup6, - dup8, +var part244 = match("MESSAGE#150:openvpn-master", "nwparser.payload", "OpenVPN %{version->} [%{protocol}] [%{fld1}] %{info}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg167 = msg("openvpn-master", part241); +var msg167 = msg("openvpn-master", part244); -var part242 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ - dup15, - dup6, - dup8, +var part245 = match("MESSAGE#151:openvpn-master:01", "nwparser.payload", "read %{protocol->} [%{info}]: %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg168 = msg("openvpn-master:01", part242); +var msg168 = msg("openvpn-master:01", part245); -var msg169 = msg("openvpn-master:02", dup74); +var msg169 = msg("openvpn-master:02", dup75); -var part243 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ - dup15, - dup6, - dup8, +var part246 = match("MESSAGE#153:openvpn-master:03", "nwparser.payload", "%{saddr}:%{sport->} TLS Error: TLS handshake failed", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg170 = msg("openvpn-master:03", part243); +var msg170 = msg("openvpn-master:03", part246); -var part244 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part247 = match("MESSAGE#154:openvpn-master:04", "nwparser.payload", "%{fld1}/%{saddr}:%{sport->} [%{fld2}] %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg171 = msg("openvpn-master:04", part244); +var msg171 = msg("openvpn-master:04", part247); -var part245 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part248 = match("MESSAGE#155:openvpn-master:05", "nwparser.payload", "%{saddr}:%{sport->} [%{fld1}] %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg172 = msg("openvpn-master:05", part245); +var msg172 = msg("openvpn-master:05", part248); -var msg173 = msg("openvpn-master:06", dup75); +var msg173 = msg("openvpn-master:06", dup76); -var msg174 = msg("openvpn-master:07", dup64); +var msg174 = msg("openvpn-master:07", dup65); var select54 = linear_select([ msg167, @@ -2705,55 +2712,55 @@ var select54 = linear_select([ msg174, ]); -var part246 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part249 = match("MESSAGE#158:INFOBLOX-Grid", "nwparser.payload", "Grid member at %{saddr->} %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg175 = msg("INFOBLOX-Grid", part246); +var msg175 = msg("INFOBLOX-Grid", part249); -var part247 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); +var part250 = match("MESSAGE#159:INFOBLOX-Grid:02/0_0", "nwparser.payload", "Started%{p0}"); -var part248 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); +var part251 = match("MESSAGE#159:INFOBLOX-Grid:02/0_1", "nwparser.payload", "Completed%{p0}"); var select55 = linear_select([ - part247, - part248, + part250, + part251, ]); -var part249 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); +var part252 = match("MESSAGE#159:INFOBLOX-Grid:02/1", "nwparser.p0", "%{}distribution on member with IP address %{saddr}"); var all44 = all_match({ processors: [ select55, - part249, + part252, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg176 = msg("INFOBLOX-Grid:02", all44); -var part250 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ - dup12, - dup6, - dup8, +var part253 = match("MESSAGE#160:INFOBLOX-Grid:03", "nwparser.payload", "Upgrade Complete%{}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","Upgrade Complete"), ])); -var msg177 = msg("INFOBLOX-Grid:03", part250); +var msg177 = msg("INFOBLOX-Grid:03", part253); -var part251 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ - dup12, - dup6, - dup8, +var part254 = match("MESSAGE#161:INFOBLOX-Grid:04", "nwparser.payload", "Upgrade to %{fld1}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg178 = msg("INFOBLOX-Grid:04", part251); +var msg178 = msg("INFOBLOX-Grid:04", part254); var select56 = linear_select([ msg175, @@ -2762,46 +2769,46 @@ var select56 = linear_select([ msg178, ]); -var part252 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ - dup12, - dup6, - dup8, +var part255 = match("MESSAGE#162:db_jnld", "nwparser.payload", "Grid member at %{saddr->} is online.", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg179 = msg("db_jnld", part252); +var msg179 = msg("db_jnld", part255); -var part253 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); +var part256 = match("MESSAGE#219:db_jnld:01/0", "nwparser.payload", "Resolved conflict for replicated delete of %{p0}"); -var part254 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); +var part257 = match("MESSAGE#219:db_jnld:01/1_0", "nwparser.p0", "PTR %{p0}"); -var part255 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); +var part258 = match("MESSAGE#219:db_jnld:01/1_1", "nwparser.p0", "TXT %{p0}"); -var part256 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); +var part259 = match("MESSAGE#219:db_jnld:01/1_2", "nwparser.p0", "A %{p0}"); -var part257 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); +var part260 = match("MESSAGE#219:db_jnld:01/1_3", "nwparser.p0", "CNAME %{p0}"); -var part258 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); +var part261 = match("MESSAGE#219:db_jnld:01/1_4", "nwparser.p0", "SRV %{p0}"); var select57 = linear_select([ - part254, - part255, - part256, part257, part258, + part259, + part260, + part261, ]); -var part259 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "%{}\"%{fld1}\" in zone \"%{zone}\""); +var part262 = match("MESSAGE#219:db_jnld:01/2", "nwparser.p0", "\"%{fld1}\" in zone \"%{zone}\""); var all45 = all_match({ processors: [ - part253, + part256, select57, - part259, + part262, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); @@ -2812,48 +2819,48 @@ var select58 = linear_select([ msg180, ]); -var part260 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); +var part263 = match("MESSAGE#163:sSMTP/0", "nwparser.payload", "Sent mail for %{to->} (%{fld1}) %{p0}"); -var part261 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes->} "); +var part264 = match("MESSAGE#163:sSMTP/1_0", "nwparser.p0", "uid=%{uid->} username=%{username->} outbytes=%{sbytes}"); -var part262 = match("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "%{space->} "); +var part265 = match_copy("MESSAGE#163:sSMTP/1_1", "nwparser.p0", "space"); var select59 = linear_select([ - part261, - part262, + part264, + part265, ]); var all46 = all_match({ processors: [ - part260, + part263, select59, ], on_success: processor_chain([ - dup12, - dup6, - dup8, + dup13, + dup7, + dup9, ]), }); var msg181 = msg("sSMTP", all46); -var part263 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ - dup15, - dup6, - dup8, +var part266 = match("MESSAGE#164:sSMTP:02", "nwparser.payload", "Cannot open %{hostname}:%{network_port}", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg182 = msg("sSMTP:02", part263); +var msg182 = msg("sSMTP:02", part266); -var part264 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ - dup15, - dup6, - dup8, +var part267 = match("MESSAGE#165:sSMTP:03", "nwparser.payload", "Unable to locate %{hostname}.", processor_chain([ + dup16, + dup7, + dup9, ])); -var msg183 = msg("sSMTP:03", part264); +var msg183 = msg("sSMTP:03", part267); -var msg184 = msg("sSMTP:04", dup73); +var msg184 = msg("sSMTP:04", dup74); var select60 = linear_select([ msg181, @@ -2862,95 +2869,95 @@ var select60 = linear_select([ msg184, ]); -var part265 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %{filename}", processor_chain([ - dup12, - dup6, - dup8, +var part268 = match("MESSAGE#167:scheduled_backups", "nwparser.payload", "Backup to %{device->} was successful - Backup file %{filename}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg185 = msg("scheduled_backups", part265); +var msg185 = msg("scheduled_backups", part268); -var part266 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %{filename}", processor_chain([ - dup12, - dup6, - dup8, +var part269 = match("MESSAGE#168:scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %{filename}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","Scheduled backup to the FTP server was successful"), ])); -var msg186 = msg("scheduled_ftp_backups", part266); +var msg186 = msg("scheduled_ftp_backups", part269); -var part267 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ - dup15, - dup6, - dup8, +var part270 = match("MESSAGE#169:failed_scheduled_ftp_backups", "nwparser.payload", "Scheduled backup to the %{device->} failed - %{result}.", processor_chain([ + dup16, + dup7, + dup9, setc("event_description","Scheduled backup to the FTP server failed"), ])); -var msg187 = msg("failed_scheduled_ftp_backups", part267); +var msg187 = msg("failed_scheduled_ftp_backups", part270); var select61 = linear_select([ msg186, msg187, ]); -var part268 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %{filename}", processor_chain([ - dup12, - dup6, - dup8, +var part271 = match("MESSAGE#170:scheduled_scp_backups", "nwparser.payload", "Scheduled backup to the %{device->} was successful - Backup file %{filename}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","Scheduled backup to the SCP server was successful"), ])); -var msg188 = msg("scheduled_scp_backups", part268); +var msg188 = msg("scheduled_scp_backups", part271); -var part269 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ - dup12, - dup6, - dup8, +var part272 = match("MESSAGE#171:python", "nwparser.payload", "%{action->} even though zone '%{zone}' in view '%{fld1}' is locked.", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg189 = msg("python", part269); +var msg189 = msg("python", part272); -var part270 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ - dup12, - dup6, - dup8, +var part273 = match("MESSAGE#172:python:01", "nwparser.payload", "%{action->} (algorithm=%{fld1}, key tag=%{fld2}, key size=%{fld3}): '%{hostname}' in view '%{fld4}'.", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg190 = msg("python:01", part270); +var msg190 = msg("python:01", part273); -var part271 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view '%{fld1}'.", processor_chain([ - dup12, - dup6, - dup8, +var part274 = match("MESSAGE#173:python:02", "nwparser.payload", "%{action}: '%{hostname}' in view '%{fld1}'.", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg191 = msg("python:02", part271); +var msg191 = msg("python:02", part274); -var part272 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ - dup12, - dup6, - dup8, -])); +var part275 = match("MESSAGE#174:python:03", "nwparser.payload", "%{action}: FQDN='%{domain}', ADDRESS='%{saddr}', View='%{fld1}'", processor_chain([ + dup13, + dup7, + dup9, +])); -var msg192 = msg("python:03", part272); +var msg192 = msg("python:03", part275); -var part273 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ - dup12, - dup6, - dup8, +var part276 = match("MESSAGE#175:python:04", "nwparser.payload", "%{action}: FQDN='%{domain}', View='%{fld1}'", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg193 = msg("python:04", part273); +var msg193 = msg("python:04", part276); -var part274 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ - dup12, - dup6, - dup8, +var part277 = match("MESSAGE#176:python:05", "nwparser.payload", "%{fld1}: %{fld2}.%{fld3->} [%{username}]: Populated %{zone->} %{hostname->} DnsView=%{fld4}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg194 = msg("python:05", part274); +var msg194 = msg("python:05", part277); -var msg195 = msg("python:06", dup64); +var msg195 = msg("python:06", dup65); var select62 = linear_select([ msg189, @@ -2962,31 +2969,31 @@ var select62 = linear_select([ msg195, ]); -var part275 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ - dup11, - dup6, - dup8, +var part278 = match("MESSAGE#178:monitor", "nwparser.payload", "Type: %{protocol}, State: %{event_state}, Event: %{event_description}.", processor_chain([ + dup12, + dup7, + dup9, ])); -var msg196 = msg("monitor", part275); +var msg196 = msg("monitor", part278); -var part276 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part279 = match("MESSAGE#179:snmptrapd", "nwparser.payload", "NET-SNMP version %{version->} %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg197 = msg("snmptrapd", part276); +var msg197 = msg("snmptrapd", part279); -var part277 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ - dup12, - dup6, - dup8, +var part280 = match("MESSAGE#180:snmptrapd:01", "nwparser.payload", "lock in %{fld1->} sleeps more than %{duration->} milliseconds in %{fld2}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg198 = msg("snmptrapd:01", part277); +var msg198 = msg("snmptrapd:01", part280); -var msg199 = msg("snmptrapd:02", dup64); +var msg199 = msg("snmptrapd:02", dup65); var select63 = linear_select([ msg197, @@ -2994,38 +3001,38 @@ var select63 = linear_select([ msg199, ]); -var part278 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ - dup12, - dup6, - dup8, +var part281 = match("MESSAGE#182:ntpdate", "nwparser.payload", "adjust time server %{saddr->} offset %{duration->} sec", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg200 = msg("ntpdate", part278); +var msg200 = msg("ntpdate", part281); -var msg201 = msg("ntpdate:01", dup73); +var msg201 = msg("ntpdate:01", dup74); var select64 = linear_select([ msg200, msg201, ]); -var msg202 = msg("phonehome", dup64); +var msg202 = msg("phonehome", dup65); -var part279 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ - dup12, - dup6, - dup8, +var part282 = match("MESSAGE#185:purge_scheduled_tasks", "nwparser.payload", "Scheduled tasks have been purged%{}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg203 = msg("purge_scheduled_tasks", part279); +var msg203 = msg("purge_scheduled_tasks", part282); -var part280 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ - dup13, - dup2, - dup3, - dup10, +var part283 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld20->} %{fld21}.%{fld22->} [%{domain}]: Login_Denied - - to=%{terminal->} apparently_via=%{info->} ip=%{saddr->} error=%{result}", processor_chain([ dup14, - dup6, + dup3, + dup4, + dup11, + dup15, + dup7, date_time({ dest: "event_time", args: ["fld20","fld21"], @@ -3033,77 +3040,77 @@ var part280 = match("MESSAGE#186:serial_console:04", "nwparser.payload", "%{fld2 [dW,dc("-"),dG,dc("-"),dF,dN,dc(":"),dU,dc(":"),dO], ], }), - dup8, + dup9, setc("event_description","Login Denied"), ])); -var msg204 = msg("serial_console:04", part280); +var msg204 = msg("serial_console:04", part283); -var part281 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ - dup13, - dup2, - dup3, - dup10, +var part284 = match("MESSAGE#187:serial_console:03", "nwparser.payload", "No authentication methods succeeded for user %{username}", processor_chain([ dup14, - dup6, - dup8, + dup3, + dup4, + dup11, + dup15, + dup7, + dup9, setc("event_description","No authentication methods succeeded for user"), ])); -var msg205 = msg("serial_console:03", part281); +var msg205 = msg("serial_console:03", part284); -var part282 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ - dup9, - dup2, - dup3, +var part285 = match("MESSAGE#188:serial_console", "nwparser.payload", "%{fld1->} %{fld2}.%{fld3->} [%{username}]: Login_Allowed - - to=%{terminal->} apparently_via=%{info->} auth=%{authmethod->} group=%{group}", processor_chain([ dup10, - dup5, + dup3, + dup4, + dup11, dup6, dup7, dup8, + dup9, ])); -var msg206 = msg("serial_console", part282); +var msg206 = msg("serial_console", part285); -var part283 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ +var part286 = match("MESSAGE#189:serial_console:01", "nwparser.payload", "RADIUS authentication succeeded for user %{username}", processor_chain([ setc("eventcategory","1302010100"), - dup2, dup3, - dup10, - dup5, + dup4, + dup11, dup6, - dup8, + dup7, + dup9, setc("event_description","RADIUS authentication succeeded for user"), ])); -var msg207 = msg("serial_console:01", part283); +var msg207 = msg("serial_console:01", part286); -var part284 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ - dup12, - dup6, - dup8, +var part287 = match("MESSAGE#190:serial_console:02", "nwparser.payload", "User group = %{group}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","User group identification"), ])); -var msg208 = msg("serial_console:02", part284); +var msg208 = msg("serial_console:02", part287); -var part285 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ - dup12, - dup6, - dup8, +var part288 = match("MESSAGE#205:serial_console:05", "nwparser.payload", "%{fld1->} [%{username}]: rebooted the system", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","system reboot"), ])); -var msg209 = msg("serial_console:05", part285); +var msg209 = msg("serial_console:05", part288); -var part286 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ - dup12, - dup6, - dup8, +var part289 = match("MESSAGE#214:serial_console:06", "nwparser.payload", "Local authentication succeeded for user %{username}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","Local authentication succeeded for user"), ])); -var msg210 = msg("serial_console:06", part286); +var msg210 = msg("serial_console:06", part289); var select65 = linear_select([ msg204, @@ -3115,105 +3122,105 @@ var select65 = linear_select([ msg210, ]); -var msg211 = msg("rc6", dup64); +var msg211 = msg("rc6", dup65); -var msg212 = msg("acpid", dup64); +var msg212 = msg("acpid", dup65); -var msg213 = msg("diskcheck", dup64); +var msg213 = msg("diskcheck", dup65); -var part287 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part290 = match("MESSAGE#210:debug_mount", "nwparser.payload", "mount %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg214 = msg("debug_mount", part287); +var msg214 = msg("debug_mount", part290); -var msg215 = msg("smart_check_io", dup64); +var msg215 = msg("smart_check_io", dup65); -var msg216 = msg("speedstep_control", dup64); +var msg216 = msg("speedstep_control", dup65); -var part288 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ - dup12, - dup6, - dup8, +var part291 = match("MESSAGE#215:controld", "nwparser.payload", "Distribution Started%{}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","Distribution Started"), ])); -var msg217 = msg("controld", part288); +var msg217 = msg("controld", part291); -var part289 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ - dup12, - dup6, - dup8, +var part292 = match("MESSAGE#216:controld:02", "nwparser.payload", "Distribution Complete%{}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","Distribution Complete"), ])); -var msg218 = msg("controld:02", part289); +var msg218 = msg("controld:02", part292); var select66 = linear_select([ msg217, msg218, ]); -var part290 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ - dup12, - dup6, - dup8, +var part293 = match("MESSAGE#217:shutdown", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","shutting down for system reboot"), ])); -var msg219 = msg("shutdown", part290); +var msg219 = msg("shutdown", part293); -var part291 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ - dup12, - dup6, - dup8, +var part294 = match("MESSAGE#218:ntpd_initres", "nwparser.payload", "ntpd exiting on signal 15%{}", processor_chain([ + dup13, + dup7, + dup9, setc("event_description","ntpd exiting"), ])); -var msg220 = msg("ntpd_initres", part291); +var msg220 = msg("ntpd_initres", part294); -var part292 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ - dup12, - dup6, - dup8, +var part295 = match("MESSAGE#220:rsyncd", "nwparser.payload", "name lookup failed for %{saddr}: %{info}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg221 = msg("rsyncd", part292); +var msg221 = msg("rsyncd", part295); -var part293 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ - dup12, - dup6, - dup8, +var part296 = match("MESSAGE#221:rsyncd:01", "nwparser.payload", "connect from %{shost->} (%{saddr})", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg222 = msg("rsyncd:01", part293); +var msg222 = msg("rsyncd:01", part296); -var part294 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ - dup12, - dup6, - dup8, +var part297 = match("MESSAGE#222:rsyncd:02", "nwparser.payload", "rsync on %{filename->} from %{shost->} (%{saddr})", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg223 = msg("rsyncd:02", part294); +var msg223 = msg("rsyncd:02", part297); -var part295 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ - dup12, - dup6, - dup8, +var part298 = match("MESSAGE#223:rsyncd:03", "nwparser.payload", "sent %{sbytes->} bytes received %{rbytes->} bytes total size %{fld1}", processor_chain([ + dup13, + dup7, + dup9, ])); -var msg224 = msg("rsyncd:03", part295); +var msg224 = msg("rsyncd:03", part298); -var part296 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ - dup12, - dup6, +var part299 = match("MESSAGE#224:rsyncd:04", "nwparser.payload", "building file list%{}", processor_chain([ + dup13, + dup7, setc("event_description","building file list"), - dup8, + dup9, ])); -var msg225 = msg("rsyncd:04", part296); +var msg225 = msg("rsyncd:04", part299); var select67 = linear_select([ msg221, @@ -3223,56 +3230,56 @@ var select67 = linear_select([ msg225, ]); -var msg226 = msg("syslog", dup76); +var msg226 = msg("syslog", dup77); -var msg227 = msg("restarting", dup76); +var msg227 = msg("restarting", dup77); -var part297 = match("MESSAGE#227:ipmievd", "nwparser.payload", "%{fld1}", processor_chain([ - dup12, - dup6, - dup8, - dup61, +var part300 = match_copy("MESSAGE#227:ipmievd", "nwparser.payload", "fld1", processor_chain([ + dup13, + dup7, + dup9, + dup62, ])); -var msg228 = msg("ipmievd", part297); +var msg228 = msg("ipmievd", part300); -var part298 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ - dup58, - dup6, - dup8, - dup60, +var part301 = match("MESSAGE#228:netauto_discovery", "nwparser.payload", "%{agent}: Processing path%{fld1}, vnid [%{fld2}]", processor_chain([ + dup59, + dup7, + dup9, + dup61, ])); -var msg229 = msg("netauto_discovery", part298); +var msg229 = msg("netauto_discovery", part301); -var part299 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ - dup58, - dup6, - dup8, - dup60, +var part302 = match("MESSAGE#229:netauto_discovery:01", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}:%{product}ver%{version->} device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll", processor_chain([ + dup59, + dup7, + dup9, + dup61, setc("event_description","device does not answer to lldpRem OID requests, skipping LLDP Neighbors poll"), ])); -var msg230 = msg("netauto_discovery:01", part299); +var msg230 = msg("netauto_discovery:01", part302); -var part300 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ - dup58, - dup6, - dup8, - dup60, +var part303 = match("MESSAGE#230:netauto_discovery:02", "nwparser.payload", "%{agent}:%{space}Static address already set with IP:%{hostip}, Processing%{fld1}", processor_chain([ + dup59, + dup7, + dup9, + dup61, ])); -var msg231 = msg("netauto_discovery:02", part300); +var msg231 = msg("netauto_discovery:02", part303); -var part301 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ - dup62, - dup6, - dup8, - dup60, - dup14, +var part304 = match("MESSAGE#231:netauto_discovery:03", "nwparser.payload", "%{agent}:%{fld1}(%{fld2})%{hostip}/%{fld3}: SNMP Credentials: Failed to authenticate", processor_chain([ + dup63, + dup7, + dup9, + dup61, + dup15, ])); -var msg232 = msg("netauto_discovery:03", part301); +var msg232 = msg("netauto_discovery:03", part304); var select68 = linear_select([ msg229, @@ -3281,100 +3288,100 @@ var select68 = linear_select([ msg232, ]); -var part302 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ - dup58, - dup6, - dup8, - dup60, +var part305 = match("MESSAGE#232:netauto_core:01", "nwparser.payload", "%{agent}: Attempting CLI on device%{device}with interface not in table, ip%{hostip}", processor_chain([ + dup59, + dup7, + dup9, + dup61, ])); -var msg233 = msg("netauto_core:01", part302); +var msg233 = msg("netauto_core:01", part305); -var part303 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ - dup58, - dup6, - dup8, - dup60, +var part306 = match("MESSAGE#233:netauto_core", "nwparser.payload", "netautoctl:%{event_description}", processor_chain([ + dup59, + dup7, + dup9, + dup61, ])); -var msg234 = msg("netauto_core", part303); +var msg234 = msg("netauto_core", part306); var select69 = linear_select([ msg233, msg234, ]); -var part304 = match("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "%{event_description}", processor_chain([ - dup48, - dup6, - dup8, - dup60, - dup14, +var part307 = match_copy("MESSAGE#234:captured_dns_uploader", "nwparser.payload", "event_description", processor_chain([ + dup49, + dup7, + dup9, + dup61, + dup15, ])); -var msg235 = msg("captured_dns_uploader", part304); +var msg235 = msg("captured_dns_uploader", part307); -var part305 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ - dup62, - dup6, - dup8, - dup60, - dup10, - dup14, +var part308 = match("MESSAGE#235:DIS", "nwparser.payload", "%{fld1}:%{fld2}: Device%{device}/%{hostip}login failure%{result}", processor_chain([ + dup63, + dup7, + dup9, + dup61, + dup11, + dup15, ])); -var msg236 = msg("DIS", part305); +var msg236 = msg("DIS", part308); -var part306 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ - dup58, - dup6, - dup8, - dup60, +var part309 = match("MESSAGE#236:DIS:01", "nwparser.payload", "%{fld2}: %{fld3}: Attempting discover-now for %{hostip->} on %{fld4}, using session ID", processor_chain([ + dup59, + dup7, + dup9, + dup61, ])); -var msg237 = msg("DIS:01", part306); +var msg237 = msg("DIS:01", part309); var select70 = linear_select([ msg236, msg237, ]); -var part307 = match("MESSAGE#237:ErrorMsg", "nwparser.payload", "%{result}", processor_chain([ - dup63, - dup6, - dup8, - dup60, +var part310 = match_copy("MESSAGE#237:ErrorMsg", "nwparser.payload", "result", processor_chain([ + dup64, + dup7, + dup9, + dup61, ])); -var msg238 = msg("ErrorMsg", part307); +var msg238 = msg("ErrorMsg", part310); -var part308 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ - dup12, - dup6, - dup8, - dup60, +var part311 = match("MESSAGE#238:tacacs_acct", "nwparser.payload", "%{fld1}: Server %{daddr->} port %{dport}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, + dup61, ])); -var msg239 = msg("tacacs_acct", part308); +var msg239 = msg("tacacs_acct", part311); -var part309 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. %{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ - dup63, - dup6, - dup8, - dup60, +var part312 = match("MESSAGE#239:tacacs_acct:01", "nwparser.payload", "%{fld1}: Accounting request failed. %{fld2}Server is %{daddr}, port is %{dport}.", processor_chain([ + dup64, + dup7, + dup9, + dup61, setc("event_description","Accounting request failed."), ])); -var msg240 = msg("tacacs_acct:01", part309); +var msg240 = msg("tacacs_acct:01", part312); -var part310 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ - dup12, - dup6, - dup8, - dup60, +var part313 = match("MESSAGE#240:tacacs_acct:02", "nwparser.payload", "%{fld1}: Read %{fld2->} bytes from server %{daddr->} port %{dport}, expecting %{fld3}", processor_chain([ + dup13, + dup7, + dup9, + dup61, ])); -var msg241 = msg("tacacs_acct:02", part310); +var msg241 = msg("tacacs_acct:02", part313); var select71 = linear_select([ msg239, @@ -3382,96 +3389,96 @@ var select71 = linear_select([ msg241, ]); -var part311 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ - dup12, - dup6, - dup8, +var part314 = match("MESSAGE#241:dhcpdv6", "nwparser.payload", "Relay-forward message from %{saddr_v6->} port %{sport}, link address %{fld1}, peer address %{daddr_v6}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","Relay-forward message"), ])); -var msg242 = msg("dhcpdv6", part311); +var msg242 = msg("dhcpdv6", part314); -var part312 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ - dup12, - dup6, - dup8, +var part315 = match("MESSAGE#242:dhcpdv6:01", "nwparser.payload", "Encapsulated Solicit message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","Encapsulated Solicit message"), ])); -var msg243 = msg("dhcpdv6:01", part312); +var msg243 = msg("dhcpdv6:01", part315); -var part313 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ - dup12, - dup6, - dup8, +var part316 = match("MESSAGE#243:dhcpdv6:02", "nwparser.payload", "Client %{fld1}, IP '%{fld2}': No addresses available for this interface", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","IP unknown - No addresses available for this interface"), ])); -var msg244 = msg("dhcpdv6:02", part313); +var msg244 = msg("dhcpdv6:02", part316); -var part314 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ - dup12, - dup6, - dup8, +var part317 = match("MESSAGE#244:dhcpdv6:03", "nwparser.payload", "Encapsulating Advertise message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","Encapsulating Advertise message"), ])); -var msg245 = msg("dhcpdv6:03", part314); +var msg245 = msg("dhcpdv6:03", part317); -var part315 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port %{sport}", processor_chain([ - dup12, - dup6, - dup8, +var part318 = match("MESSAGE#245:dhcpdv6:04", "nwparser.payload", "Sending Relay-reply message to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","Sending Relay-reply message"), ])); -var msg246 = msg("dhcpdv6:04", part315); +var msg246 = msg("dhcpdv6:04", part318); -var part316 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ - dup12, - dup6, - dup8, +var part319 = match("MESSAGE#246:dhcpdv6:05", "nwparser.payload", "Encapsulated Information-request message from %{saddr_v6->} port %{sport}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","Encapsulated Information-request message"), ])); -var msg247 = msg("dhcpdv6:05", part316); +var msg247 = msg("dhcpdv6:05", part319); -var part317 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ - dup12, - dup6, - dup8, +var part320 = match("MESSAGE#247:dhcpdv6:06", "nwparser.payload", "Encapsulating Reply message to send to %{saddr_v6->} port %{sport}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","Encapsulating Reply message"), ])); -var msg248 = msg("dhcpdv6:06", part317); +var msg248 = msg("dhcpdv6:06", part320); -var part318 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ - dup12, - dup6, - dup8, +var part321 = match("MESSAGE#248:dhcpdv6:07", "nwparser.payload", "Encapsulated Renew message from %{saddr_v6->} port %{sport->} from client DUID %{fld1}, transaction ID %{id}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","Encapsulated Renew message"), ])); -var msg249 = msg("dhcpdv6:07", part318); +var msg249 = msg("dhcpdv6:07", part321); -var part319 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ - dup12, - dup6, - dup8, +var part322 = match("MESSAGE#249:dhcpdv6:08", "nwparser.payload", "Reply NA: address %{saddr_v6->} to client with duid %{fld1->} iaid = %{fld2->} static", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); -var msg250 = msg("dhcpdv6:08", part319); +var msg250 = msg("dhcpdv6:08", part322); -var msg251 = msg("dhcpdv6:09", dup68); +var msg251 = msg("dhcpdv6:09", dup69); var select72 = linear_select([ msg242, @@ -3486,17 +3493,17 @@ var select72 = linear_select([ msg251, ]); -var msg252 = msg("debug", dup68); +var msg252 = msg("debug", dup69); -var part320 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ - dup12, - dup6, - dup8, +var part323 = match("MESSAGE#252:cloud_api", "nwparser.payload", "proxying request to %{hostname}(%{hostip}) %{web_method->} %{url->} %{protocol->} %{info}", processor_chain([ + dup13, + dup7, + dup9, dup30, setc("event_description","proxying request"), ])); -var msg253 = msg("cloud_api", part320); +var msg253 = msg("cloud_api", part323); var chain1 = processor_chain([ select3, @@ -3558,85 +3565,87 @@ var chain1 = processor_chain([ }), ]); -var part321 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); +var hdr6 = match("HEADER#0:006/0", "message", "%{month->} %{day->} %{time->} %{hhostname->} %{p0}"); -var part322 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); +var part324 = match("MESSAGE#19:dhcpd:18/0", "nwparser.payload", "%{} %{p0}"); -var part323 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); +var part325 = match("MESSAGE#19:dhcpd:18/1_0", "nwparser.p0", "Added %{p0}"); -var part324 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "%{dmacaddr->} (%{dhost}) via %{p0}"); +var part326 = match("MESSAGE#19:dhcpd:18/1_1", "nwparser.p0", "added %{p0}"); -var part325 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "%{dmacaddr->} via %{p0}"); +var part327 = match("MESSAGE#25:dhcpd:03/1_0", "nwparser.p0", "(%{dhost}) via %{p0}"); -var part326 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{p0}"); +var part328 = match("MESSAGE#25:dhcpd:03/1_1", "nwparser.p0", "via %{p0}"); -var part327 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "%{smacaddr->} (%{shost}) via %{p0}"); +var part329 = match("MESSAGE#28:dhcpd:09/0", "nwparser.payload", "DHCPREQUEST for %{saddr->} from %{smacaddr->} %{p0}"); -var part328 = match("MESSAGE#28:dhcpd:09/1_1", "nwparser.p0", "%{smacaddr->} via %{p0}"); +var part330 = match("MESSAGE#28:dhcpd:09/1_0", "nwparser.p0", "(%{shost}) via %{p0}"); -var part329 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{} %{interface}"); +var part331 = match("MESSAGE#31:dhcpd:11/2", "nwparser.p0", "%{interface}"); -var part330 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{} %{interface->} relay %{fld1->} lease-duration %{duration}"); +var part332 = match("MESSAGE#38:dhcpd:14/2", "nwparser.p0", "%{interface->} relay %{fld1->} lease-duration %{duration}"); -var part331 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved %{}"); +var part333 = match("MESSAGE#53:named:16/1_0", "nwparser.p0", "approved%{}"); -var part332 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", " denied%{}"); +var part334 = match("MESSAGE#53:named:16/1_1", "nwparser.p0", "denied%{}"); -var part333 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); +var part335 = match("MESSAGE#56:named:01/0", "nwparser.payload", "client %{saddr}#%{p0}"); -var part334 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); +var part336 = match("MESSAGE#57:named:17/1_0", "nwparser.p0", "IN%{p0}"); -var part335 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); +var part337 = match("MESSAGE#57:named:17/1_1", "nwparser.p0", "CH%{p0}"); -var part336 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); +var part338 = match("MESSAGE#57:named:17/1_2", "nwparser.p0", "HS%{p0}"); -var part337 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); +var part339 = match("MESSAGE#57:named:17/3_1", "nwparser.p0", "%{action->} at '%{p0}"); -var part338 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); +var part340 = match("MESSAGE#57:named:17/4_0", "nwparser.p0", "%{hostip}.in-addr.arpa' %{p0}"); -var part339 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); +var part341 = match("MESSAGE#57:named:17/5_0", "nwparser.p0", "%{dns_querytype->} \"%{fld3}\""); -var part340 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); +var part342 = match("MESSAGE#57:named:17/5_1", "nwparser.p0", "%{dns_querytype->} %{hostip}"); -var part341 = match("MESSAGE#57:named:17/5_2", "nwparser.p0", "%{dns_querytype}"); +var part343 = match_copy("MESSAGE#57:named:17/5_2", "nwparser.p0", "dns_querytype"); -var part342 = match("MESSAGE#60:named:19/2", "nwparser.p0", "%{event_description}"); +var part344 = match_copy("MESSAGE#60:named:19/2", "nwparser.p0", "event_description"); -var part343 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); +var part345 = match_copy("MESSAGE#66:named:25/1_1", "nwparser.p0", "result"); -var part344 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{saddr}#%{p0}"); +var part346 = match("MESSAGE#67:named:63/0", "nwparser.payload", "%{fld1->} %{fld2->} %{fld3}: %{severity}: client %{p0}"); -var part345 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", " %{saddr}#%{p0}"); +var part347 = match("MESSAGE#67:named:63/1_0", "nwparser.p0", "%{fld9->} %{p0}"); -var part346 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); +var part348 = match("MESSAGE#67:named:63/1_1", "nwparser.p0", "%{p0}"); -var part347 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{p0}"); +var part349 = match("MESSAGE#74:named:10/1_3", "nwparser.p0", "%{sport}:%{p0}"); -var part348 = match("MESSAGE#7:httpd:06", "nwparser.payload", "%{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part350 = match("MESSAGE#83:named:24/0", "nwparser.payload", "client %{saddr}#%{sport->} (%{domain}): %{p0}"); + +var part351 = match_copy("MESSAGE#7:httpd:06", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, ])); var select73 = linear_select([ - dup17, dup18, + dup19, ]); var select74 = linear_select([ - dup20, dup21, + dup22, ]); var select75 = linear_select([ - dup25, dup26, + dup22, ]); -var part349 = match("MESSAGE#204:dhcpd:37", "nwparser.payload", "%{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part352 = match_copy("MESSAGE#204:dhcpd:37", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, dup30, ])); @@ -3658,31 +3667,31 @@ var select78 = linear_select([ ]); var select79 = linear_select([ - dup51, dup52, + dup53, ]); -var part350 = match("MESSAGE#118:validate_dhcpd", "nwparser.payload", "%{event_description}", processor_chain([ - dup15, - dup6, - dup8, +var part353 = match_copy("MESSAGE#118:validate_dhcpd", "nwparser.payload", "event_description", processor_chain([ + dup16, + dup7, + dup9, ])); -var part351 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ - dup15, - dup6, - dup8, +var part354 = match("MESSAGE#134:openvpn-member:01", "nwparser.payload", "%{action->} : %{event_description->} (code=%{resultcode})", processor_chain([ + dup16, + dup7, + dup9, ])); -var part352 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ - dup12, - dup6, - dup8, +var part355 = match("MESSAGE#137:openvpn-member:04", "nwparser.payload", "%{severity}: %{event_description}", processor_chain([ + dup13, + dup7, + dup9, ])); -var part353 = match("MESSAGE#225:syslog", "nwparser.payload", "%{event_description}", processor_chain([ - dup12, - dup6, - dup8, - dup61, +var part356 = match_copy("MESSAGE#225:syslog", "nwparser.payload", "event_description", processor_chain([ + dup13, + dup7, + dup9, + dup62, ])); diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml index dd46c730477b..6c5490c8ce3f 100644 --- a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml +++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml @@ -57,12 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' - - append: - field: related.hosts - value: '{{rsa.misc.event_source}}' - allow_duplicates: false - if: ctx?.rsa?.misc?.event_source != null && ctx.rsa?.misc?.event_source != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/infoblox/nios/manifest.yml b/x-pack/filebeat/module/infoblox/nios/manifest.yml index 4f6b364c6e78..8ed9975c2d5b 100644 --- a/x-pack/filebeat/module/infoblox/nios/manifest.yml +++ b/x-pack/filebeat/module/infoblox/nios/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9512 + default: 9532 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log b/x-pack/filebeat/module/infoblox/nios/test/generated.log index 293140fb6379..5cd6f5e5f5ec 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log @@ -1,100 +1,100 @@ January 29 06:09:59 volup208.invalid eosquir: openvpn-master OpenVPN 1.5191 [igmp] [nulapari] mwritten Feb 12 13:12:33 com1060.api.example 10.14.94.160 cloud_api[tur]: proxying request to atio5608.www5.localhost(10.202.204.154) eFini https://www.example.org/exe/iatu.jpg?orsitame=reprehe#rsitam ggp issusci Feb 26 20:15:08 ptass3168.www5.example 10.62.40.126 netauto_core[taliqu]: ommod: Attempting CLI on devicescivelwith interface not in table, ip10.13.70.213 -March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia -March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo) -April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura -Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success -May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15 -May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec -June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo -June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema -July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu -July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot -August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15 -August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start -August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw -September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor -September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco -October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463 -October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299 -November 10 03:01:24 Loremip6417.mail.test emoeni: syslog oenimips -November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) -December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm -December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list -January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu -January 20 14:14:16 wri2784.api.domain hitect: restarting dol -February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq -February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat -March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre -March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete -April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos -April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME "etdol" in zone "uela" -April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor) -May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme -May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non -Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis -June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons -July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav -July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc -August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845 -August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa -September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor -September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start -October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine -October 19 04:03:07 loreme853.www5.localdomain ven: snmptrapd con -November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli) -November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe -December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97 -December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt -December 29 15:15:58 tali7803.www.localdomain its: httpd ender -January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum -January 27 05:21:06 umSe1918.local itau: ntpd ntpd exiting on signal 2836 -February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim -February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu -March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat +March 12 03:17:42 estqui6557.www.localhost -:syslog-ng equuntu +March 26 10:20:16 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia +Apr 9 17:22:51 tempo7542.api.host :debug tempor +April 24 00:25:25 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo) +May 8 07:27:59 obeataev7086.mail.invalid autfu: speedstep_control natura +May 22 14:30:33 nibusBon7400.localhost isiu: ErrorMsg success +June 5 21:33:08 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15 +June 20 04:35:42 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec +July 4 11:38:16 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo +July 18 18:40:50 enim2780.www.lan rc6[eriame]: lorema +August 2 01:43:25 atuse2703.localhost -:INFOBLOX-Grid Upgrade Complete +Aug 16 08:45:59 llumquid3933.internal.corp :ErrorMsg failure +August 30 15:48:33 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu +September 13 22:51:07 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot +September 28 05:53:42 fugit7668.www5.invalid -:ntpd_initres ntpd exiting on signal 15 +October 12 12:56:16 lpa4844.www.home :ipmievd rudexerc +October 26 19:58:50 itaut7095.invalid 10.103.107.47 rc: executing ritatis start +November 10 03:01:24 icab4668.local :syslog-ng isaute +November 24 10:03:59 colabor1552.www5.local untut: phonehome lorumw +December 8 17:06:33 inima5444.www5.lan validate_dhcpd[nihi]: Lor +December 23 00:09:07 erc3217.internal.lan debug_mount[olupt]: mount modoco +January 6 07:11:41 giatquov383.domain :rcsysinit riat +January 20 14:14:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463 +February 3 21:16:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299 +February 18 04:19:24 Loremip6417.mail.test emoeni: syslog oenimips +March 4 11:21:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) +March 18 18:24:33 reetd6051.www.example -:db_jnld Resolved conflict for replicated delete of CNAME "maccusa" in zone "uptat" +April 2 01:27:07 xerci0.mail.example :init olorema +April 16 08:29:41 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm +April 30 15:32:16 ercit2385.internal.home rsyncd[run]: building file list +May 14 22:34:50 quisnos4590.mail.domain nnum: httpd eritqu +May 29 05:37:24 wri2784.api.domain hitect: restarting dol +June 12 12:39:58 asun1250.api.localdomain rc3[oluptate]: onseq +June 26 19:42:33 emoe6540.www.domain -:diskcheck itanimi +July 11 02:45:07 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat +July 25 09:47:41 ento4488.www5.localhost eriamea: rc6 amre +August 8 16:50:15 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete +August 22 23:52:50 temqu3331.api.host ipi: phonehome reseos +September 6 06:55:24 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME "etdol" in zone "uela" +September 20 13:57:58 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor) +October 4 21:00:32 quaturve2798.internal.localdomain :scheduled_backups Backup to sin was successful - Backup file rvel +October 19 04:03:07 onsecte7184.mail.domain uptasn: syslog-ng reme +November 2 11:05:41 eveli265.www5.localdomain nse: ipmievd non +Nov 16 18:08:15 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis +December 1 01:10:49 llumdolo4824.internal.lan -:shutdown shutting down for system reboot +December 15 08:13:24 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons +December 29 15:15:58 tur90.www.home :rsyncd connect from ariatu4198.example (10.81.202.38) +January 12 22:18:32 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav +January 27 05:21:06 adm7744.mail.domain 10.26.87.161 rcsysinit: isc +February 10 12:23:41 ios6980.example 10.246.64.161 watchdog: deny, pid = 845 +February 24 19:26:15 osquira6030.internal.corp diskcheck[com]: tnulapa +March 11 02:28:49 squirati63.mail.lan watchdog[nbyCic]: utlabor +March 25 09:31:24 lup2134.www.localhost rc[upida]: executing tvolupt start +April 8 16:33:58 umdo4017.www.local snmptrapd[ati]: uine +April 22 23:36:32 loreme853.www5.localdomain ven: snmptrapd con +May 7 06:39:06 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli) +May 21 13:41:41 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe +June 4 20:44:15 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97 +June 19 03:46:49 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt +July 3 10:49:23 tali7803.www.localdomain its: httpd ender +July 17 17:51:58 orumSe1495.www5.local :init dutp +August 1 00:54:32 veli2530.www.host -:init eumiure +August 15 07:57:06 uradi6198.test tiaec: ntpd frequency initialized success from psum +August 29 14:59:40 umSe1918.local itau: ntpd ntpd exiting on signal 2836 +September 12 22:02:15 nBCSedut1502.www5.example :dhcpd received shutdown -/-/ failure +September 27 05:04:49 odoconse228.mail.localdomain veli: syslog-ng tenim +October 11 12:07:23 miurerep1152.internal.domain -:pidof can't read sid from utlab +October 25 19:09:57 cteturad4074.mail.host nreprehe: validate_dhcpd tetu +November 9 02:12:32 itation6137.home osqui: debug_mount mount sequat sshd: Sleep 60 seconds for slowing down ssh login -April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure -April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd -May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui -May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips -June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv -June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi -July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo -July 17 17:51:58 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima -Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown -August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15 -August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown. -September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun -September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15 -October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 -October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri -Nov 9 02:12:32 umq1309.api.test uae: debug mve -November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start -December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15 -December 21 23:20:14 archite1843.mail.home isqua: radiusd uta -January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl -January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec +December 7 16:17:40 dun1276.api.localdomain inimveni: ntpd time slew failure +December 21 23:20:14 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd +January 5 06:22:49 moenimi2558.mail.domain :radiusd gna +Jan 19 13:25:23 preh2690.api.localdomain captured_dns_uploader[mac]: qui +February 2 20:27:57 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips +February 17 03:30:32 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv +March 3 10:33:06 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi +March 17 17:35:40 niamqui7678.invalid -:scheduled_scp_backups Scheduled backup to the pid was successful - Backup file rExc +April 1 00:38:14 tame4953.mail.localhost prehen: restarting ntutlabo +April 15 07:40:49 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima +Apr 29 14:43:23 mmodoc4947.internal.test ErrorMsg[atu]: unknown +May 13 21:45:57 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15 +May 28 04:48:31 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown. +June 11 11:51:06 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun +June 25 18:53:40 ectiono2241.lan -:rcsysinit fsck from 1.1674 +Jul 10 01:56:14 alorum4439.corp :captured_dns_uploader atDu +July 24 08:58:48 agnaaliq1829.mail.test :ntpd_initres ntpd exiting on signal 15 +August 7 16:01:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 +August 21 23:03:57 mipsamvo4282.api.home reetdo: init oreveri +September 5 06:06:31 Except6889.www.corp -:rc3 umetMal +Sep 19 13:09:05 umq1309.api.test uae: debug mve +October 3 20:11:40 ugit5828.www5.test rc[asnu]: executing hitec start +October 18 03:14:14 ntexplic4824.internal.localhost :ntpd_initres ntpd exiting on signal 15 +November 1 10:16:48 archite1843.mail.home isqua: radiusd uta +November 15 17:19:22 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl +November 30 00:21:57 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec sshd[saquaea]: Did not receive identification string from 10.222.251.114 -February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79 -March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15 -March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success -April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem -April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun -April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr -May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS -May 28 04:48:31 abor4353.www5.host ame: python tesseq -June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto -June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start -July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod. -July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt -August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu -Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe -September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo -September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem -October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success -October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum -November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo -November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla -November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor -December 14 07:24:31 dtemp1362.internal.example mips: init itae diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 9d1e178db5ad..3337afcc559e 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json @@ -42,8 +42,8 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "atio5608.www5.localhost", - "com1060.api.example" + "com1060.api.example", + "atio5608.www5.localhost" ], "related.ip": [ "10.202.204.154" @@ -100,16 +100,41 @@ ] }, { - "event.code": "acpid", + "event.code": "syslog-ng", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 12 03:17:42 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia", + "event.original": "March 12 03:17:42 estqui6557.www.localhost -:syslog-ng equuntu", "fileset.name": "nios", "input.type": "log", "log.offset": 462, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "estqui6557.www.localhost" + ], + "rsa.internal.event_desc": "equuntu", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "estqui6557.www.localhost", + "rsa.time.day": "12", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "acpid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 26 10:20:16 mcolabor1656.www5.corp 10.56.250.70 acpid[veleumi]: tia", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 525, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", "related.hosts": [ "mcolabor1656.www5.corp" ], @@ -117,7 +142,7 @@ "rsa.internal.event_desc": "tia", "rsa.internal.messageid": "acpid", "rsa.misc.event_source": "mcolabor1656.www5.corp", - "rsa.time.day": "12", + "rsa.time.day": "26", "rsa.time.month": "March", "service.type": "infoblox", "tags": [ @@ -125,14 +150,39 @@ "forwarded" ] }, + { + "event.code": "debug", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Apr 9 17:22:51 tempo7542.api.host :debug tempor", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 599, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "tempo7542.api.host" + ], + "rsa.internal.event_desc": "tempor", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "tempo7542.api.host", + "rsa.time.day": "9", + "rsa.time.month": "Apr", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, { "event.code": "openvpn-member", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 26 10:20:16 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo)", + "event.original": "April 24 00:25:25 Cice513.api.local 10.143.220.51 openvpn-member: read igmp [occ] ect (code=reetdolo)", "fileset.name": "nios", "input.type": "log", - "log.offset": 536, + "log.offset": 647, "network.protocol": "igmp", "observer.product": "Network", "observer.type": "IPAM", @@ -145,8 +195,8 @@ "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "Cice513.api.local", "rsa.misc.result_code": "reetdolo", - "rsa.time.day": "26", - "rsa.time.month": "March", + "rsa.time.day": "24", + "rsa.time.month": "April", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -157,10 +207,10 @@ "event.code": "speedstep_control", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 9 17:22:51 obeataev7086.mail.invalid autfu: speedstep_control natura", + "event.original": "May 8 07:27:59 obeataev7086.mail.invalid autfu: speedstep_control natura", "fileset.name": "nios", "input.type": "log", - "log.offset": 638, + "log.offset": 749, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -170,8 +220,8 @@ "rsa.internal.event_desc": "natura", "rsa.internal.messageid": "speedstep_control", "rsa.misc.event_source": "obeataev7086.mail.invalid", - "rsa.time.day": "9", - "rsa.time.month": "April", + "rsa.time.day": "8", + "rsa.time.month": "May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -182,10 +232,10 @@ "event.code": "ErrorMsg", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Apr 24 00:25:25 nibusBon7400.localhost isiu: ErrorMsg success", + "event.original": "May 22 14:30:33 nibusBon7400.localhost isiu: ErrorMsg success", "fileset.name": "nios", "input.type": "log", - "log.offset": 713, + "log.offset": 822, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -195,8 +245,8 @@ "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "nibusBon7400.localhost", "rsa.misc.result": "success", - "rsa.time.day": "24", - "rsa.time.month": "Apr", + "rsa.time.day": "22", + "rsa.time.month": "May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -207,10 +257,10 @@ "event.code": "ntpd_initres", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 8 07:27:59 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15", + "event.original": "June 5 21:33:08 iat1852.api.localdomain 10.64.155.245 ntpd_initres: ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 775, + "log.offset": 884, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -220,8 +270,8 @@ "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "iat1852.api.localdomain", - "rsa.time.day": "8", - "rsa.time.month": "May", + "rsa.time.day": "5", + "rsa.time.month": "June", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -232,10 +282,10 @@ "event.code": "ntpdate", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 22 14:30:33 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec", + "event.original": "June 20 04:35:42 mquisnos5771.example ntpdate[etconsec]: adjust time server 10.104.111.129 offset 61.614000 sec", "fileset.name": "nios", "input.type": "log", - "log.offset": 868, + "log.offset": 978, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -248,9 +298,9 @@ "rsa.internal.data": "etconsec", "rsa.internal.messageid": "ntpdate", "rsa.misc.event_source": "mquisnos5771.example", - "rsa.time.day": "22", + "rsa.time.day": "20", "rsa.time.duration_time": 61.614, - "rsa.time.month": "May", + "rsa.time.month": "June", "service.type": "infoblox", "source.ip": [ "10.104.111.129" @@ -264,10 +314,10 @@ "event.code": "kernel", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 5 21:33:08 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo", + "event.original": "July 4 11:38:16 ite996.host kernel[umdo]: Linux version 1.3162 (umdolore) (eniam) reetdolo", "fileset.name": "nios", "input.type": "log", - "log.offset": 979, + "log.offset": 1090, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -280,8 +330,8 @@ "rsa.internal.messageid": "kernel", "rsa.misc.event_source": "ite996.host", "rsa.misc.version": "1.3162", - "rsa.time.day": "5", - "rsa.time.month": "June", + "rsa.time.day": "4", + "rsa.time.month": "July", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -292,10 +342,10 @@ "event.code": "rc6", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 20 04:35:42 enim2780.www.lan rc6[eriame]: lorema", + "event.original": "July 18 18:40:50 enim2780.www.lan rc6[eriame]: lorema", "fileset.name": "nios", "input.type": "log", - "log.offset": 1070, + "log.offset": 1181, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -306,8 +356,58 @@ "rsa.internal.event_desc": "lorema", "rsa.internal.messageid": "rc6", "rsa.misc.event_source": "enim2780.www.lan", - "rsa.time.day": "20", - "rsa.time.month": "June", + "rsa.time.day": "18", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "INFOBLOX-Grid", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 2 01:43:25 atuse2703.localhost -:INFOBLOX-Grid Upgrade Complete", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1235, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "atuse2703.localhost" + ], + "rsa.internal.event_desc": "Upgrade Complete", + "rsa.internal.messageid": "INFOBLOX-Grid", + "rsa.misc.event_source": "atuse2703.localhost", + "rsa.time.day": "2", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ErrorMsg", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "Aug 16 08:45:59 llumquid3933.internal.corp :ErrorMsg failure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1306, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "llumquid3933.internal.corp" + ], + "rsa.internal.messageid": "ErrorMsg", + "rsa.misc.event_source": "llumquid3933.internal.corp", + "rsa.misc.result": "failure", + "rsa.time.day": "16", + "rsa.time.month": "Aug", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -318,11 +418,11 @@ "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 4 11:38:16 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu", + "event.original": "August 30 15:48:33 emporinc5075.internal.host watchdog[atcu]: oremagna could not be opened, errno = ationu", "file.name": "oremagna", "fileset.name": "nios", "input.type": "log", - "log.offset": 1124, + "log.offset": 1367, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -333,8 +433,8 @@ "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "emporinc5075.internal.host", "rsa.misc.result_code": "ationu", - "rsa.time.day": "4", - "rsa.time.month": "July", + "rsa.time.day": "30", + "rsa.time.month": "August", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -345,10 +445,10 @@ "event.code": "shutdown", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 18 18:40:50 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot", + "event.original": "September 13 22:51:07 strude910.internal.local 10.27.72.147 shutdown: shutting down for system reboot", "fileset.name": "nios", "input.type": "log", - "log.offset": 1228, + "log.offset": 1474, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -358,8 +458,8 @@ "rsa.internal.event_desc": "shutting down for system reboot", "rsa.internal.messageid": "shutdown", "rsa.misc.event_source": "strude910.internal.local", - "rsa.time.day": "18", - "rsa.time.month": "July", + "rsa.time.day": "13", + "rsa.time.month": "September", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -367,19 +467,48 @@ ] }, { - "event.code": "", + "event.code": "ntpd_initres", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 2 01:43:25 fugit7668.www5.invalid -ntpd_initres: ntpd exiting on signal 15", + "event.original": "September 28 05:53:42 fugit7668.www5.invalid -:ntpd_initres ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 1325, + "log.offset": 1576, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.messageid": "", - "rsa.time.day": "2", - "rsa.time.month": "August", + "related.hosts": [ + "fugit7668.www5.invalid" + ], + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "fugit7668.www5.invalid", + "rsa.time.day": "28", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ipmievd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 12 12:56:16 lpa4844.www.home :ipmievd rudexerc", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1662, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "lpa4844.www.home" + ], + "rsa.internal.messageid": "ipmievd", + "rsa.misc.event_source": "lpa4844.www.home", + "rsa.time.day": "12", + "rsa.time.month": "October", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -390,10 +519,10 @@ "event.code": "rc", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 16 08:45:59 itaut7095.invalid 10.103.107.47 rc: executing ritatis start", + "event.original": "October 26 19:58:50 itaut7095.invalid 10.103.107.47 rc: executing ritatis start", "fileset.name": "nios", "input.type": "log", - "log.offset": 1408, + "log.offset": 1717, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -403,8 +532,33 @@ "rsa.internal.messageid": "rc", "rsa.misc.client": "ritatis", "rsa.misc.event_source": "itaut7095.invalid", - "rsa.time.day": "16", - "rsa.time.month": "August", + "rsa.time.day": "26", + "rsa.time.month": "October", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "syslog-ng", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "November 10 03:01:24 icab4668.local :syslog-ng isaute", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 1797, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "icab4668.local" + ], + "rsa.internal.event_desc": "isaute", + "rsa.internal.messageid": "syslog-ng", + "rsa.misc.event_source": "icab4668.local", + "rsa.time.day": "10", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -415,10 +569,10 @@ "event.code": "phonehome", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 30 15:48:33 colabor1552.www5.local untut: phonehome lorumw", + "event.original": "November 24 10:03:59 colabor1552.www5.local untut: phonehome lorumw", "fileset.name": "nios", "input.type": "log", - "log.offset": 1487, + "log.offset": 1851, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -428,8 +582,8 @@ "rsa.internal.event_desc": "lorumw", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "colabor1552.www5.local", - "rsa.time.day": "30", - "rsa.time.month": "August", + "rsa.time.day": "24", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -440,10 +594,10 @@ "event.code": "validate_dhcpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 13 22:51:07 inima5444.www5.lan validate_dhcpd[nihi]: Lor", + "event.original": "December 8 17:06:33 inima5444.www5.lan validate_dhcpd[nihi]: Lor", "fileset.name": "nios", "input.type": "log", - "log.offset": 1553, + "log.offset": 1919, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -454,8 +608,8 @@ "rsa.internal.event_desc": "Lor", "rsa.internal.messageid": "validate_dhcpd", "rsa.misc.event_source": "inima5444.www5.lan", - "rsa.time.day": "13", - "rsa.time.month": "September", + "rsa.time.day": "8", + "rsa.time.month": "December", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -466,10 +620,10 @@ "event.code": "debug_mount", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 28 05:53:42 erc3217.internal.lan debug_mount[olupt]: mount modoco", + "event.original": "December 23 00:09:07 erc3217.internal.lan debug_mount[olupt]: mount modoco", "fileset.name": "nios", "input.type": "log", - "log.offset": 1620, + "log.offset": 1984, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -480,8 +634,33 @@ "rsa.internal.event_desc": "modoco", "rsa.internal.messageid": "debug_mount", "rsa.misc.event_source": "erc3217.internal.lan", - "rsa.time.day": "28", - "rsa.time.month": "September", + "rsa.time.day": "23", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rcsysinit", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 6 07:11:41 giatquov383.domain :rcsysinit riat", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2059, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "giatquov383.domain" + ], + "rsa.internal.event_desc": "riat", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "giatquov383.domain", + "rsa.time.day": "6", + "rsa.time.month": "January", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -493,10 +672,10 @@ "event.code": "named", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 12 12:56:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463", + "event.original": "January 20 14:14:16 uames499.internal.host isnostru: named accept on IPv4 interface lo1132, 10.45.25.68#1463", "fileset.name": "nios", "input.type": "log", - "log.offset": 1696, + "log.offset": 2113, "observer.ingress.interface.name": "lo1132", "observer.product": "Network", "observer.type": "IPAM", @@ -513,8 +692,8 @@ ], "rsa.misc.event_source": "uames499.internal.host", "rsa.network.sinterface": "lo1132", - "rsa.time.day": "12", - "rsa.time.month": "October", + "rsa.time.day": "20", + "rsa.time.month": "January", "service.type": "infoblox", "source.ip": [ "10.45.25.68" @@ -529,10 +708,10 @@ "event.code": "rcsysinit", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 26 19:58:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299", + "event.original": "February 3 21:16:50 iineavo951.internal.test 10.25.192.202 rcsysinit[intoccae]: fsck from 1.2299", "fileset.name": "nios", "input.type": "log", - "log.offset": 1805, + "log.offset": 2222, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -544,8 +723,8 @@ "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "iineavo951.internal.test", "rsa.misc.version": "1.2299", - "rsa.time.day": "26", - "rsa.time.month": "October", + "rsa.time.day": "3", + "rsa.time.month": "February", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -556,10 +735,10 @@ "event.code": "syslog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 10 03:01:24 Loremip6417.mail.test emoeni: syslog oenimips", + "event.original": "February 18 04:19:24 Loremip6417.mail.test emoeni: syslog oenimips", "fileset.name": "nios", "input.type": "log", - "log.offset": 1902, + "log.offset": 2319, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -570,8 +749,8 @@ "rsa.internal.event_desc": "oenimips", "rsa.internal.messageid": "syslog", "rsa.misc.event_source": "Loremip6417.mail.test", - "rsa.time.day": "10", - "rsa.time.month": "November", + "rsa.time.day": "18", + "rsa.time.month": "February", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -582,10 +761,10 @@ "event.code": "sSMTP", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 24 10:03:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) ", + "event.original": "March 4 11:21:59 mnisist2347.mail.host 10.142.139.20 sSMTP[temveleu]: Sent mail for colabo (eme) ", "fileset.name": "nios", "input.type": "log", - "log.offset": 1969, + "log.offset": 2386, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -596,8 +775,8 @@ "rsa.internal.event_desc": "Sent mail for colabo (eme)", "rsa.internal.messageid": "sSMTP", "rsa.misc.event_source": "mnisist2347.mail.host", - "rsa.time.day": "24", - "rsa.time.month": "November", + "rsa.time.day": "4", + "rsa.time.month": "March", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -605,26 +784,24 @@ ] }, { - "event.code": "snmptrapd", + "event.code": "db_jnld", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 8 17:06:33 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm", + "event.original": "March 18 18:24:33 reetd6051.www.example -:db_jnld Resolved conflict for replicated delete of CNAME \"maccusa\" in zone \"uptat\"", "fileset.name": "nios", "input.type": "log", - "log.offset": 2076, + "log.offset": 2484, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "observer.version": "1.2807", "related.hosts": [ - "datatn5076.internal.example" + "reetd6051.www.example" ], - "rsa.internal.event_desc": "ihilm", - "rsa.internal.messageid": "snmptrapd", - "rsa.misc.event_source": "datatn5076.internal.example", - "rsa.misc.version": "1.2807", - "rsa.time.day": "8", - "rsa.time.month": "December", + "rsa.internal.messageid": "db_jnld", + "rsa.misc.event_source": "reetd6051.www.example", + "rsa.network.zone": "uptat", + "rsa.time.day": "18", + "rsa.time.month": "March", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -632,25 +809,24 @@ ] }, { - "event.code": "rsyncd", + "event.code": "init", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 23 00:09:07 ercit2385.internal.home rsyncd[run]: building file list", + "event.original": "April 2 01:27:07 xerci0.mail.example :init olorema", "fileset.name": "nios", "input.type": "log", - "log.offset": 2178, + "log.offset": 2609, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "ercit2385.internal.home" + "xerci0.mail.example" ], - "rsa.internal.data": "run", - "rsa.internal.event_desc": "building file list", - "rsa.internal.messageid": "rsyncd", - "rsa.misc.event_source": "ercit2385.internal.home", - "rsa.time.day": "23", - "rsa.time.month": "December", + "rsa.internal.event_desc": "olorema", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "xerci0.mail.example", + "rsa.time.day": "2", + "rsa.time.month": "April", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -658,24 +834,77 @@ ] }, { - "event.code": "httpd", + "event.code": "snmptrapd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 6 07:11:41 quisnos4590.mail.domain nnum: httpd eritqu", + "event.original": "April 16 08:29:41 datatn5076.internal.example 10.122.46.71 snmptrapd: NET-SNMP version 1.2807 ihilm", "fileset.name": "nios", "input.type": "log", - "log.offset": 2255, + "log.offset": 2660, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "observer.version": "1.2807", "related.hosts": [ - "quisnos4590.mail.domain" + "datatn5076.internal.example" ], - "rsa.internal.event_desc": "eritqu", - "rsa.internal.messageid": "httpd", - "rsa.misc.event_source": "quisnos4590.mail.domain", - "rsa.time.day": "6", - "rsa.time.month": "January", + "rsa.internal.event_desc": "ihilm", + "rsa.internal.messageid": "snmptrapd", + "rsa.misc.event_source": "datatn5076.internal.example", + "rsa.misc.version": "1.2807", + "rsa.time.day": "16", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rsyncd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "April 30 15:32:16 ercit2385.internal.home rsyncd[run]: building file list", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2760, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit2385.internal.home" + ], + "rsa.internal.data": "run", + "rsa.internal.event_desc": "building file list", + "rsa.internal.messageid": "rsyncd", + "rsa.misc.event_source": "ercit2385.internal.home", + "rsa.time.day": "30", + "rsa.time.month": "April", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "httpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "May 14 22:34:50 quisnos4590.mail.domain nnum: httpd eritqu", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 2834, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "quisnos4590.mail.domain" + ], + "rsa.internal.event_desc": "eritqu", + "rsa.internal.messageid": "httpd", + "rsa.misc.event_source": "quisnos4590.mail.domain", + "rsa.time.day": "14", + "rsa.time.month": "May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -686,10 +915,10 @@ "event.code": "restarting", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 20 14:14:16 wri2784.api.domain hitect: restarting dol", + "event.original": "May 29 05:37:24 wri2784.api.domain hitect: restarting dol", "fileset.name": "nios", "input.type": "log", - "log.offset": 2317, + "log.offset": 2893, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -700,8 +929,8 @@ "rsa.internal.event_desc": "dol", "rsa.internal.messageid": "restarting", "rsa.misc.event_source": "wri2784.api.domain", - "rsa.time.day": "20", - "rsa.time.month": "January", + "rsa.time.day": "29", + "rsa.time.month": "May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -712,10 +941,10 @@ "event.code": "rc3", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 3 21:16:50 asun1250.api.localdomain rc3[oluptate]: onseq", + "event.original": "June 12 12:39:58 asun1250.api.localdomain rc3[oluptate]: onseq", "fileset.name": "nios", "input.type": "log", - "log.offset": 2379, + "log.offset": 2951, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -726,8 +955,33 @@ "rsa.internal.event_desc": "onseq", "rsa.internal.messageid": "rc3", "rsa.misc.event_source": "asun1250.api.localdomain", - "rsa.time.day": "3", - "rsa.time.month": "February", + "rsa.time.day": "12", + "rsa.time.month": "June", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "diskcheck", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "June 26 19:42:33 emoe6540.www.domain -:diskcheck itanimi", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3014, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "emoe6540.www.domain" + ], + "rsa.internal.event_desc": "itanimi", + "rsa.internal.messageid": "diskcheck", + "rsa.misc.event_source": "emoe6540.www.domain", + "rsa.time.day": "26", + "rsa.time.month": "June", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -738,11 +992,11 @@ "event.code": "scheduled_backups", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 18 04:19:24 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat", + "event.original": "July 11 02:45:07 intoc2428.domain scheduled_backups[dantiumt]: Backup to luptasn was successful - Backup file equat", "file.name": "equat", "fileset.name": "nios", "input.type": "log", - "log.offset": 2445, + "log.offset": 3071, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -753,8 +1007,8 @@ "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "luptasn", "rsa.misc.event_source": "intoc2428.domain", - "rsa.time.day": "18", - "rsa.time.month": "February", + "rsa.time.day": "11", + "rsa.time.month": "July", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -765,10 +1019,10 @@ "event.code": "rc6", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 4 11:21:59 ento4488.www5.localhost eriamea: rc6 amre", + "event.original": "July 25 09:47:41 ento4488.www5.localhost eriamea: rc6 amre", "fileset.name": "nios", "input.type": "log", - "log.offset": 2565, + "log.offset": 3187, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -778,8 +1032,8 @@ "rsa.internal.event_desc": "amre", "rsa.internal.messageid": "rc6", "rsa.misc.event_source": "ento4488.www5.localhost", - "rsa.time.day": "4", - "rsa.time.month": "March", + "rsa.time.day": "25", + "rsa.time.month": "July", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -790,10 +1044,10 @@ "event.code": "controld", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 18 18:24:33 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete", + "event.original": "August 8 16:50:15 boris5916.www5.example 10.2.53.125 controld[uioffi]: Distribution Complete", "fileset.name": "nios", "input.type": "log", - "log.offset": 2624, + "log.offset": 3246, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -804,8 +1058,8 @@ "rsa.internal.event_desc": "Distribution Complete", "rsa.internal.messageid": "controld", "rsa.misc.event_source": "boris5916.www5.example", - "rsa.time.day": "18", - "rsa.time.month": "March", + "rsa.time.day": "8", + "rsa.time.month": "August", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -816,10 +1070,10 @@ "event.code": "phonehome", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 2 01:27:07 temqu3331.api.host ipi: phonehome reseos", + "event.original": "August 22 23:52:50 temqu3331.api.host ipi: phonehome reseos", "fileset.name": "nios", "input.type": "log", - "log.offset": 2717, + "log.offset": 3339, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -829,8 +1083,8 @@ "rsa.internal.event_desc": "reseos", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "temqu3331.api.host", - "rsa.time.day": "2", - "rsa.time.month": "April", + "rsa.time.day": "22", + "rsa.time.month": "August", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -841,20 +1095,22 @@ "event.code": "db_jnld", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 16 08:29:41 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME \"etdol\" in zone \"uela\"", + "event.original": "September 6 06:55:24 iutali2138.www.localdomain db_jnld[liquide]: Resolved conflict for replicated delete of CNAME \"etdol\" in zone \"uela\"", "fileset.name": "nios", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 2775, + "log.offset": 3399, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iutali2138.www.localdomain" + ], "rsa.internal.data": "liquide", "rsa.internal.messageid": "db_jnld", - "rsa.time.day": "16", - "rsa.time.month": "April", + "rsa.misc.event_source": "iutali2138.www.localdomain", + "rsa.network.zone": "uela", + "rsa.time.day": "6", + "rsa.time.month": "September", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -865,10 +1121,10 @@ "event.code": "openvpn-member", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 30 15:32:16 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor)", + "event.original": "September 20 13:57:58 radi1512.mail.example 10.101.74.101 openvpn-member: read rdp [ris] uamqu (code=lor)", "fileset.name": "nios", "input.type": "log", - "log.offset": 2912, + "log.offset": 3537, "network.protocol": "rdp", "observer.product": "Network", "observer.type": "IPAM", @@ -881,8 +1137,34 @@ "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "radi1512.mail.example", "rsa.misc.result_code": "lor", - "rsa.time.day": "30", - "rsa.time.month": "April", + "rsa.time.day": "20", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 4 21:00:32 quaturve2798.internal.localdomain :scheduled_backups Backup to sin was successful - Backup file rvel", + "file.name": "rvel", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 3643, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "quaturve2798.internal.localdomain" + ], + "rsa.internal.messageid": "scheduled_backups", + "rsa.misc.device_name": "sin", + "rsa.misc.event_source": "quaturve2798.internal.localdomain", + "rsa.time.day": "4", + "rsa.time.month": "October", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -893,10 +1175,10 @@ "event.code": "syslog-ng", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 14 22:34:50 onsecte7184.mail.domain uptasn: syslog-ng reme", + "event.original": "October 19 04:03:07 onsecte7184.mail.domain uptasn: syslog-ng reme", "fileset.name": "nios", "input.type": "log", - "log.offset": 3014, + "log.offset": 3763, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -906,8 +1188,8 @@ "rsa.internal.event_desc": "reme", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "onsecte7184.mail.domain", - "rsa.time.day": "14", - "rsa.time.month": "May", + "rsa.time.day": "19", + "rsa.time.month": "October", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -918,10 +1200,10 @@ "event.code": "ipmievd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 29 05:37:24 eveli265.www5.localdomain nse: ipmievd non", + "event.original": "November 2 11:05:41 eveli265.www5.localdomain nse: ipmievd non", "fileset.name": "nios", "input.type": "log", - "log.offset": 3077, + "log.offset": 3830, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -931,8 +1213,8 @@ "rsa.db.index": "nse", "rsa.internal.messageid": "ipmievd", "rsa.misc.event_source": "eveli265.www5.localdomain", - "rsa.time.day": "29", - "rsa.time.month": "May", + "rsa.time.day": "2", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -943,19 +1225,19 @@ "event.code": "cloud_api", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Jun 12 12:39:58 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis", + "event.original": "Nov 16 18:08:15 derit4688.mail.localhost 10.57.42.152 cloud_api[didunt]: proxying request to uptatema6843.www.host(10.74.104.215) xeacomm https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta tcp rroquis", "fileset.name": "nios", "host.ip": "10.74.104.215", "host.name": "uptatema6843.www.host", "input.type": "log", - "log.offset": 3136, + "log.offset": 3893, "network.protocol": "tcp", "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "uptatema6843.www.host", - "derit4688.mail.localhost" + "derit4688.mail.localhost", + "uptatema6843.www.host" ], "related.ip": [ "10.74.104.215" @@ -971,8 +1253,8 @@ "rsa.network.alias_host": [ "uptatema6843.www.host" ], - "rsa.time.day": "12", - "rsa.time.month": "Jun", + "rsa.time.day": "16", + "rsa.time.month": "Nov", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -980,14 +1262,39 @@ ], "url.original": "https://internal.example.net/nofdeFin/sequam.txt?idex=mfugiat#nisiuta" }, + { + "event.code": "shutdown", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 1 01:10:49 llumdolo4824.internal.lan -:shutdown shutting down for system reboot", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 4113, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "llumdolo4824.internal.lan" + ], + "rsa.internal.event_desc": "shutting down for system reboot", + "rsa.internal.messageid": "shutdown", + "rsa.misc.event_source": "llumdolo4824.internal.lan", + "rsa.time.day": "1", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, { "event.code": "INFOBLOX-Grid", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 26 19:42:33 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons", + "event.original": "December 15 08:13:24 evolup4403.local 10.121.203.60 INFOBLOX-Grid[smo]: Upgrade to etcons", "fileset.name": "nios", "input.type": "log", - "log.offset": 3356, + "log.offset": 4202, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -997,9 +1304,42 @@ "rsa.internal.data": "smo", "rsa.internal.messageid": "INFOBLOX-Grid", "rsa.misc.event_source": "evolup4403.local", - "rsa.time.day": "26", - "rsa.time.month": "June", + "rsa.time.day": "15", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "rsyncd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "December 29 15:15:58 tur90.www.home :rsyncd connect from ariatu4198.example (10.81.202.38)", + "fileset.name": "nios", + "host.hostname": "ariatu4198.example", + "input.type": "log", + "log.offset": 4292, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "tur90.www.home", + "ariatu4198.example" + ], + "related.ip": [ + "10.81.202.38" + ], + "rsa.internal.messageid": "rsyncd", + "rsa.misc.event_source": "tur90.www.home", + "rsa.time.day": "29", + "rsa.time.month": "December", "service.type": "infoblox", + "source.address": "ariatu4198.example", + "source.ip": [ + "10.81.202.38" + ], "tags": [ "infoblox.nios", "forwarded" @@ -1009,10 +1349,10 @@ "event.code": "smart_check_io", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 11 02:45:07 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav", + "event.original": "January 12 22:18:32 nonn839.api.corp 10.35.99.92 smart_check_io: temquiav", "fileset.name": "nios", "input.type": "log", - "log.offset": 3442, + "log.offset": 4383, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1022,8 +1362,8 @@ "rsa.internal.event_desc": "temquiav", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "nonn839.api.corp", - "rsa.time.day": "11", - "rsa.time.month": "July", + "rsa.time.day": "12", + "rsa.time.month": "January", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1034,10 +1374,10 @@ "event.code": "rcsysinit", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 25 09:47:41 adm7744.mail.domain 10.26.87.161 rcsysinit: isc", + "event.original": "January 27 05:21:06 adm7744.mail.domain 10.26.87.161 rcsysinit: isc", "fileset.name": "nios", "input.type": "log", - "log.offset": 3513, + "log.offset": 4457, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1047,8 +1387,8 @@ "rsa.internal.event_desc": "isc", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "adm7744.mail.domain", - "rsa.time.day": "25", - "rsa.time.month": "July", + "rsa.time.day": "27", + "rsa.time.month": "January", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1060,10 +1400,10 @@ "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 8 16:50:15 ios6980.example 10.246.64.161 watchdog: deny, pid = 845", + "event.original": "February 10 12:23:41 ios6980.example 10.246.64.161 watchdog: deny, pid = 845", "fileset.name": "nios", "input.type": "log", - "log.offset": 3578, + "log.offset": 4525, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1076,8 +1416,8 @@ "deny" ], "rsa.misc.event_source": "ios6980.example", - "rsa.time.day": "8", - "rsa.time.month": "August", + "rsa.time.day": "10", + "rsa.time.month": "February", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1088,10 +1428,10 @@ "event.code": "diskcheck", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 22 23:52:50 osquira6030.internal.corp diskcheck[com]: tnulapa", + "event.original": "February 24 19:26:15 osquira6030.internal.corp diskcheck[com]: tnulapa", "fileset.name": "nios", "input.type": "log", - "log.offset": 3652, + "log.offset": 4602, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1102,8 +1442,8 @@ "rsa.internal.event_desc": "tnulapa", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "osquira6030.internal.corp", - "rsa.time.day": "22", - "rsa.time.month": "August", + "rsa.time.day": "24", + "rsa.time.month": "February", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1114,10 +1454,10 @@ "event.code": "watchdog", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 6 06:55:24 squirati63.mail.lan watchdog[nbyCic]: utlabor", + "event.original": "March 11 02:28:49 squirati63.mail.lan watchdog[nbyCic]: utlabor", "fileset.name": "nios", "input.type": "log", - "log.offset": 3721, + "log.offset": 4673, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1128,8 +1468,8 @@ "rsa.internal.event_desc": "utlabor", "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "squirati63.mail.lan", - "rsa.time.day": "6", - "rsa.time.month": "September", + "rsa.time.day": "11", + "rsa.time.month": "March", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1140,10 +1480,10 @@ "event.code": "rc", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 20 13:57:58 lup2134.www.localhost rc[upida]: executing tvolupt start", + "event.original": "March 25 09:31:24 lup2134.www.localhost rc[upida]: executing tvolupt start", "fileset.name": "nios", "input.type": "log", - "log.offset": 3788, + "log.offset": 4737, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1154,8 +1494,8 @@ "rsa.internal.messageid": "rc", "rsa.misc.client": "tvolupt", "rsa.misc.event_source": "lup2134.www.localhost", - "rsa.time.day": "20", - "rsa.time.month": "September", + "rsa.time.day": "25", + "rsa.time.month": "March", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1166,10 +1506,10 @@ "event.code": "snmptrapd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 4 21:00:32 umdo4017.www.local snmptrapd[ati]: uine", + "event.original": "April 8 16:33:58 umdo4017.www.local snmptrapd[ati]: uine", "fileset.name": "nios", "input.type": "log", - "log.offset": 3867, + "log.offset": 4812, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1180,8 +1520,8 @@ "rsa.internal.event_desc": "uine", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "umdo4017.www.local", - "rsa.time.day": "4", - "rsa.time.month": "October", + "rsa.time.day": "8", + "rsa.time.month": "April", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1192,10 +1532,10 @@ "event.code": "snmptrapd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 19 04:03:07 loreme853.www5.localdomain ven: snmptrapd con", + "event.original": "April 22 23:36:32 loreme853.www5.localdomain ven: snmptrapd con", "fileset.name": "nios", "input.type": "log", - "log.offset": 3926, + "log.offset": 4869, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1205,8 +1545,8 @@ "rsa.internal.event_desc": "con", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "loreme853.www5.localdomain", - "rsa.time.day": "19", - "rsa.time.month": "October", + "rsa.time.day": "22", + "rsa.time.month": "April", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1217,10 +1557,10 @@ "event.code": "openvpn-master", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 2 11:05:41 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli)", + "event.original": "May 7 06:39:06 orumSe728.internal.test 10.157.18.252 openvpn-master[itess]: read icmp [evit]: runtm (code=molli)", "fileset.name": "nios", "input.type": "log", - "log.offset": 3992, + "log.offset": 4933, "network.protocol": "icmp", "observer.product": "Network", "observer.type": "IPAM", @@ -1234,8 +1574,8 @@ "rsa.internal.messageid": "openvpn-master", "rsa.misc.event_source": "orumSe728.internal.test", "rsa.misc.result_code": "molli", - "rsa.time.day": "2", - "rsa.time.month": "November", + "rsa.time.day": "7", + "rsa.time.month": "May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1246,10 +1586,10 @@ "event.code": "acpid", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 16 18:08:15 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe", + "event.original": "May 21 13:41:41 oremi7400.www.local 10.219.233.80 acpid[ineavo]: pexe", "fileset.name": "nios", "input.type": "log", - "log.offset": 4110, + "log.offset": 5046, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1260,8 +1600,8 @@ "rsa.internal.event_desc": "pexe", "rsa.internal.messageid": "acpid", "rsa.misc.event_source": "oremi7400.www.local", - "rsa.time.day": "16", - "rsa.time.month": "November", + "rsa.time.day": "21", + "rsa.time.month": "May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1272,10 +1612,10 @@ "event.code": "in.tftpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 1 01:10:49 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97", + "event.original": "June 4 20:44:15 ess651.test 10.95.66.217 in.tftpd[reprehen]: connection refused from 10.143.187.97", "fileset.name": "nios", "input.type": "log", - "log.offset": 4185, + "log.offset": 5116, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1288,8 +1628,8 @@ "rsa.internal.data": "reprehen", "rsa.internal.messageid": "in.tftpd", "rsa.misc.event_source": "ess651.test", - "rsa.time.day": "1", - "rsa.time.month": "December", + "rsa.time.day": "4", + "rsa.time.month": "June", "service.type": "infoblox", "source.ip": [ "10.143.187.97" @@ -1303,11 +1643,11 @@ "event.code": "serial_console", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 15 08:13:24 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt", + "event.original": "June 19 03:46:49 epre6970.www.example 10.53.43.139 serial_console[atatn]: RADIUS authentication succeeded for user temUt", "event.outcome": "success", "fileset.name": "nios", "input.type": "log", - "log.offset": 4288, + "log.offset": 5215, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1325,8 +1665,8 @@ "rsa.investigations.ec_subject": "User", "rsa.investigations.ec_theme": "Authentication", "rsa.misc.event_source": "epre6970.www.example", - "rsa.time.day": "15", - "rsa.time.month": "December", + "rsa.time.day": "19", + "rsa.time.month": "June", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1338,10 +1678,10 @@ "event.code": "httpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 29 15:15:58 tali7803.www.localdomain its: httpd ender", + "event.original": "July 3 10:49:23 tali7803.www.localdomain its: httpd ender", "fileset.name": "nios", "input.type": "log", - "log.offset": 4413, + "log.offset": 5336, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1351,8 +1691,8 @@ "rsa.internal.event_desc": "ender", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "tali7803.www.localdomain", - "rsa.time.day": "29", - "rsa.time.month": "December", + "rsa.time.day": "3", + "rsa.time.month": "July", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1360,27 +1700,77 @@ ] }, { - "event.code": "ntpd", + "event.code": "init", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 12 22:18:32 uradi6198.test tiaec: ntpd frequency initialized success from psum", - "file.name": "psum", + "event.original": "July 17 17:51:58 orumSe1495.www5.local :init dutp", "fileset.name": "nios", "input.type": "log", - "log.offset": 4476, + "log.offset": 5394, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "uradi6198.test" + "orumSe1495.www5.local" ], - "rsa.internal.event_desc": "frequency initialized from file", - "rsa.internal.messageid": "ntpd", - "rsa.misc.event_source": "uradi6198.test", - "rsa.misc.result": "success", - "rsa.time.day": "12", - "rsa.time.month": "January", - "service.type": "infoblox", + "rsa.internal.event_desc": "dutp", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "orumSe1495.www5.local", + "rsa.time.day": "17", + "rsa.time.month": "July", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "init", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 1 00:54:32 veli2530.www.host -:init eumiure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5444, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "veli2530.www.host" + ], + "rsa.internal.event_desc": "eumiure", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "veli2530.www.host", + "rsa.time.day": "1", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "ntpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "August 15 07:57:06 uradi6198.test tiaec: ntpd frequency initialized success from psum", + "file.name": "psum", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5495, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "uradi6198.test" + ], + "rsa.internal.event_desc": "frequency initialized from file", + "rsa.internal.messageid": "ntpd", + "rsa.misc.event_source": "uradi6198.test", + "rsa.misc.result": "success", + "rsa.time.day": "15", + "rsa.time.month": "August", + "service.type": "infoblox", "tags": [ "infoblox.nios", "forwarded" @@ -1390,10 +1780,10 @@ "event.code": "ntpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "January 27 05:21:06 umSe1918.local itau: ntpd ntpd exiting on signal 2836", + "event.original": "August 29 14:59:40 umSe1918.local itau: ntpd ntpd exiting on signal 2836", "fileset.name": "nios", "input.type": "log", - "log.offset": 4563, + "log.offset": 5581, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1404,8 +1794,34 @@ "rsa.internal.event_desc": "ntpd exiting on signal", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "umSe1918.local", - "rsa.time.day": "27", - "rsa.time.month": "January", + "rsa.time.day": "29", + "rsa.time.month": "August", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "dhcpd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "September 12 22:02:15 nBCSedut1502.www5.example :dhcpd received shutdown -/-/ failure", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5654, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "nBCSedut1502.www5.example" + ], + "rsa.internal.event_desc": "received shutdown", + "rsa.internal.messageid": "dhcpd", + "rsa.misc.event_source": "nBCSedut1502.www5.example", + "rsa.misc.result": "failure", + "rsa.time.day": "12", + "rsa.time.month": "September", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1416,10 +1832,10 @@ "event.code": "syslog-ng", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 10 12:23:41 odoconse228.mail.localdomain veli: syslog-ng tenim", + "event.original": "September 27 05:04:49 odoconse228.mail.localdomain veli: syslog-ng tenim", "fileset.name": "nios", "input.type": "log", - "log.offset": 4637, + "log.offset": 5740, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1429,8 +1845,34 @@ "rsa.internal.event_desc": "tenim", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "odoconse228.mail.localdomain", - "rsa.time.day": "10", - "rsa.time.month": "February", + "rsa.time.day": "27", + "rsa.time.month": "September", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "pidof", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "October 11 12:07:23 miurerep1152.internal.domain -:pidof can't read sid from utlab", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 5813, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "miurerep1152.internal.domain" + ], + "rsa.internal.event_desc": "can't read sid", + "rsa.internal.messageid": "pidof", + "rsa.misc.client": "utlab", + "rsa.misc.event_source": "miurerep1152.internal.domain", + "rsa.time.day": "11", + "rsa.time.month": "October", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1441,10 +1883,10 @@ "event.code": "validate_dhcpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "February 24 19:26:15 cteturad4074.mail.host nreprehe: validate_dhcpd tetu", + "event.original": "October 25 19:09:57 cteturad4074.mail.host nreprehe: validate_dhcpd tetu", "fileset.name": "nios", "input.type": "log", - "log.offset": 4709, + "log.offset": 5896, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1454,8 +1896,8 @@ "rsa.internal.event_desc": "tetu", "rsa.internal.messageid": "validate_dhcpd", "rsa.misc.event_source": "cteturad4074.mail.host", - "rsa.time.day": "24", - "rsa.time.month": "February", + "rsa.time.day": "25", + "rsa.time.month": "October", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1466,10 +1908,10 @@ "event.code": "debug_mount", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "March 11 02:28:49 itation6137.home osqui: debug_mount mount sequat", + "event.original": "November 9 02:12:32 itation6137.home osqui: debug_mount mount sequat", "fileset.name": "nios", "input.type": "log", - "log.offset": 4783, + "log.offset": 5969, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1479,8 +1921,8 @@ "rsa.internal.event_desc": "sequat", "rsa.internal.messageid": "debug_mount", "rsa.misc.event_source": "itation6137.home", - "rsa.time.day": "11", - "rsa.time.month": "March", + "rsa.time.day": "9", + "rsa.time.month": "November", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1494,7 +1936,7 @@ "event.original": "sshd: Sleep 60 seconds for slowing down ssh login", "fileset.name": "nios", "input.type": "log", - "log.offset": 4850, + "log.offset": 6038, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1513,10 +1955,10 @@ "event.code": "ntpd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 8 16:33:58 dun1276.api.localdomain inimveni: ntpd time slew failure", + "event.original": "December 7 16:17:40 dun1276.api.localdomain inimveni: ntpd time slew failure", "fileset.name": "nios", "input.type": "log", - "log.offset": 4900, + "log.offset": 6088, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1527,8 +1969,8 @@ "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "dun1276.api.localdomain", "rsa.misc.result": "failure", - "rsa.time.day": "8", - "rsa.time.month": "April", + "rsa.time.day": "7", + "rsa.time.month": "December", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1539,10 +1981,10 @@ "event.code": "smart_check_io", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 22 23:36:32 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd", + "event.original": "December 21 23:20:14 iquidexe304.mail.test 10.195.64.5 smart_check_io: oreetd", "fileset.name": "nios", "input.type": "log", - "log.offset": 4974, + "log.offset": 6165, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1552,8 +1994,33 @@ "rsa.internal.event_desc": "oreetd", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "iquidexe304.mail.test", - "rsa.time.day": "22", - "rsa.time.month": "April", + "rsa.time.day": "21", + "rsa.time.month": "December", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "radiusd", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "January 5 06:22:49 moenimi2558.mail.domain :radiusd gna", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6243, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "moenimi2558.mail.domain" + ], + "rsa.internal.event_desc": "gna", + "rsa.internal.messageid": "radiusd", + "rsa.misc.event_source": "moenimi2558.mail.domain", + "rsa.time.day": "5", + "rsa.time.month": "January", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1564,11 +2031,11 @@ "event.code": "captured_dns_uploader", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 07 06:39:06 preh2690.api.localdomain captured_dns_uploader[mac]: qui", + "event.original": "Jan 19 13:25:23 preh2690.api.localdomain captured_dns_uploader[mac]: qui", "event.outcome": "failure", "fileset.name": "nios", "input.type": "log", - "log.offset": 5049, + "log.offset": 6299, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1580,8 +2047,8 @@ "rsa.internal.messageid": "captured_dns_uploader", "rsa.investigations.ec_outcome": "Failure", "rsa.misc.event_source": "preh2690.api.localdomain", - "rsa.time.day": "07", - "rsa.time.month": "May", + "rsa.time.day": "19", + "rsa.time.month": "Jan", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1592,10 +2059,10 @@ "event.code": "kernel", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "May 21 13:41:41 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips", + "event.original": "February 2 20:27:57 rem3032.mail.domain 10.203.65.161 kernel: Linux version 1.7214 (ica) (lillum) remips", "fileset.name": "nios", "input.type": "log", - "log.offset": 5122, + "log.offset": 6372, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1607,8 +2074,8 @@ "rsa.internal.messageid": "kernel", "rsa.misc.event_source": "rem3032.mail.domain", "rsa.misc.version": "1.7214", - "rsa.time.day": "21", - "rsa.time.month": "May", + "rsa.time.day": "2", + "rsa.time.month": "February", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1619,10 +2086,10 @@ "event.code": "openvpn-member", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 4 20:44:15 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", + "event.original": "February 17 03:30:32 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", "fileset.name": "nios", "input.type": "log", - "log.offset": 5223, + "log.offset": 6477, "network.protocol": "ipv6-icmp", "observer.product": "Network", "observer.type": "IPAM", @@ -1635,8 +2102,8 @@ "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "tetur2694.mail.local", "rsa.misc.version": "1.7727", - "rsa.time.day": "4", - "rsa.time.month": "June", + "rsa.time.day": "17", + "rsa.time.month": "February", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1647,10 +2114,10 @@ "event.code": "pidof", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "June 19 03:46:49 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", + "event.original": "March 3 10:33:06 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", "fileset.name": "nios", "input.type": "log", - "log.offset": 5321, + "log.offset": 6580, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1661,8 +2128,35 @@ "rsa.internal.messageid": "pidof", "rsa.misc.client": "oremi", "rsa.misc.event_source": "utaliqu6138.mail.localhost", - "rsa.time.day": "19", - "rsa.time.month": "June", + "rsa.time.day": "3", + "rsa.time.month": "March", + "service.type": "infoblox", + "tags": [ + "infoblox.nios", + "forwarded" + ] + }, + { + "event.code": "scheduled_scp_backups", + "event.dataset": "infoblox.nios", + "event.module": "infoblox", + "event.original": "March 17 17:35:40 niamqui7678.invalid -:scheduled_scp_backups Scheduled backup to the pid was successful - Backup file rExc", + "file.name": "rExc", + "fileset.name": "nios", + "input.type": "log", + "log.offset": 6665, + "observer.product": "Network", + "observer.type": "IPAM", + "observer.vendor": "Infoblox", + "related.hosts": [ + "niamqui7678.invalid" + ], + "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", + "rsa.internal.messageid": "scheduled_scp_backups", + "rsa.misc.device_name": "pid", + "rsa.misc.event_source": "niamqui7678.invalid", + "rsa.time.day": "17", + "rsa.time.month": "March", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1673,10 +2167,10 @@ "event.code": "restarting", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 3 10:49:23 tame4953.mail.localhost prehen: restarting ntutlabo", + "event.original": "April 1 00:38:14 tame4953.mail.localhost prehen: restarting ntutlabo", "fileset.name": "nios", "input.type": "log", - "log.offset": 5406, + "log.offset": 6789, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1687,8 +2181,8 @@ "rsa.internal.event_desc": "ntutlabo", "rsa.internal.messageid": "restarting", "rsa.misc.event_source": "tame4953.mail.localhost", - "rsa.time.day": "3", - "rsa.time.month": "July", + "rsa.time.day": "1", + "rsa.time.month": "April", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1699,11 +2193,11 @@ "event.code": "scheduled_backups", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "July 17 17:51:58 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima", + "event.original": "April 15 07:40:49 loi7596.www5.home 10.31.177.226 scheduled_backups[deserun]: Backup to esseq was successful - Backup file adminima", "file.name": "adminima", "fileset.name": "nios", "input.type": "log", - "log.offset": 5474, + "log.offset": 6858, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1714,8 +2208,8 @@ "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "esseq", "rsa.misc.event_source": "loi7596.www5.home", - "rsa.time.day": "17", - "rsa.time.month": "July", + "rsa.time.day": "15", + "rsa.time.month": "April", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1726,10 +2220,10 @@ "event.code": "ErrorMsg", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Aug 01 00:54:32 mmodoc4947.internal.test ErrorMsg[atu]: unknown", + "event.original": "Apr 29 14:43:23 mmodoc4947.internal.test ErrorMsg[atu]: unknown", "fileset.name": "nios", "input.type": "log", - "log.offset": 5605, + "log.offset": 6990, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1740,8 +2234,8 @@ "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "mmodoc4947.internal.test", "rsa.misc.result": "unknown", - "rsa.time.day": "01", - "rsa.time.month": "Aug", + "rsa.time.day": "29", + "rsa.time.month": "Apr", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1752,10 +2246,10 @@ "event.code": "ntpd_initres", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 15 07:57:06 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15", + "event.original": "May 13 21:45:57 olorem2760.www5.test quunt: ntpd_initres ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 5669, + "log.offset": 7054, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1765,8 +2259,8 @@ "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "olorem2760.www5.test", - "rsa.time.day": "15", - "rsa.time.month": "August", + "rsa.time.day": "13", + "rsa.time.month": "May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1777,10 +2271,10 @@ "event.code": "scheduled_ftp_backups", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "August 29 14:59:40 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown.", + "event.original": "May 28 04:48:31 dol3346.www.lan scheduled_ftp_backups[olorese]: Scheduled backup to the ori failed - unknown.", "fileset.name": "nios", "input.type": "log", - "log.offset": 5755, + "log.offset": 7137, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1793,8 +2287,8 @@ "rsa.misc.device_name": "ori", "rsa.misc.event_source": "dol3346.www.lan", "rsa.misc.result": "unknown", - "rsa.time.day": "29", - "rsa.time.month": "August", + "rsa.time.day": "28", + "rsa.time.month": "May", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1805,11 +2299,11 @@ "event.code": "scheduled_scp_backups", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 12 22:02:15 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun", + "event.original": "June 11 11:51:06 ercit6496.api.local ugiatn: scheduled_scp_backups Scheduled backup to the midestl was successful - Backup file dictasun", "file.name": "dictasun", "fileset.name": "nios", "input.type": "log", - "log.offset": 5868, + "log.offset": 7247, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", @@ -1820,8 +2314,8 @@ "rsa.internal.messageid": "scheduled_scp_backups", "rsa.misc.device_name": "midestl", "rsa.misc.event_source": "ercit6496.api.local", - "rsa.time.day": "12", - "rsa.time.month": "September", + "rsa.time.day": "11", + "rsa.time.month": "June", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1829,19 +2323,25 @@ ] }, { - "event.code": "", + "event.code": "rcsysinit", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 27 05:04:49 agnaaliq1829.mail.test ntpd_initres: ntpd exiting on signal 15", + "event.original": "June 25 18:53:40 ectiono2241.lan -:rcsysinit fsck from 1.1674", "fileset.name": "nios", "input.type": "log", - "log.offset": 6010, + "log.offset": 7384, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "rsa.internal.messageid": "", - "rsa.time.day": "27", - "rsa.time.month": "September", + "observer.version": "1.1674", + "related.hosts": [ + "ectiono2241.lan" + ], + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "ectiono2241.lan", + "rsa.misc.version": "1.1674", + "rsa.time.day": "25", + "rsa.time.month": "June", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1849,25 +2349,26 @@ ] }, { - "event.code": "sSMTP", + "event.code": "captured_dns_uploader", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 11 12:07:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 ", + "event.original": "Jul 10 01:56:14 alorum4439.corp :captured_dns_uploader atDu", + "event.outcome": "failure", "fileset.name": "nios", "input.type": "log", - "log.offset": 6096, + "log.offset": 7446, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "col3570.www.invalid" + "alorum4439.corp" ], - "rsa.email.email_dst": "tsed", - "rsa.internal.messageid": "sSMTP", - "rsa.misc.event_source": "col3570.www.invalid", - "rsa.misc.space": "", - "rsa.time.day": "11", - "rsa.time.month": "October", + "rsa.internal.event_desc": "atDu", + "rsa.internal.messageid": "captured_dns_uploader", + "rsa.investigations.ec_outcome": "Failure", + "rsa.misc.event_source": "alorum4439.corp", + "rsa.time.day": "10", + "rsa.time.month": "Jul", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1875,24 +2376,24 @@ ] }, { - "event.code": "init", + "event.code": "ntpd_initres", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 25 19:09:57 mipsamvo4282.api.home reetdo: init oreveri", + "event.original": "July 24 08:58:48 agnaaliq1829.mail.test :ntpd_initres ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 6216, + "log.offset": 7506, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "mipsamvo4282.api.home" + "agnaaliq1829.mail.test" ], - "rsa.internal.event_desc": "oreveri", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "mipsamvo4282.api.home", - "rsa.time.day": "25", - "rsa.time.month": "October", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "agnaaliq1829.mail.test", + "rsa.time.day": "24", + "rsa.time.month": "July", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -1900,288 +2401,55 @@ ] }, { - "event.code": "debug", + "event.code": "sSMTP", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "Nov 9 02:12:32 umq1309.api.test uae: debug mve", + "event.original": "August 7 16:01:23 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807", "fileset.name": "nios", "input.type": "log", - "log.offset": 6279, + "log.offset": 7586, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "umq1309.api.test" + "col3570.www.invalid" ], - "rsa.internal.event_desc": "mve", - "rsa.internal.messageid": "debug", - "rsa.misc.event_source": "umq1309.api.test", - "rsa.time.day": "9", - "rsa.time.month": "Nov", + "related.user": [ + "rcit", + "rroq" + ], + "rsa.email.email_dst": "tsed", + "rsa.internal.messageid": "sSMTP", + "rsa.misc.event_source": "col3570.www.invalid", + "rsa.time.day": "7", + "rsa.time.month": "August", "service.type": "infoblox", + "source.bytes": 2807, "tags": [ "infoblox.nios", "forwarded" - ] + ], + "user.name": "rcit" }, { - "event.code": "rc", + "event.code": "init", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 23 09:15:06 ugit5828.www5.test rc[asnu]: executing hitec start", + "event.original": "August 21 23:03:57 mipsamvo4282.api.home reetdo: init oreveri", "fileset.name": "nios", "input.type": "log", - "log.offset": 6326, + "log.offset": 7702, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "ugit5828.www5.test" + "mipsamvo4282.api.home" ], - "rsa.internal.data": "asnu", - "rsa.internal.messageid": "rc", - "rsa.misc.client": "hitec", - "rsa.misc.event_source": "ugit5828.www5.test", - "rsa.time.day": "23", - "rsa.time.month": "November", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 7 16:17:40 ntexplic4824.internal.localhost ntpd_initres: ntpd exiting on signal 15", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6398, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "rsa.internal.messageid": "", - "rsa.time.day": "7", - "rsa.time.month": "December", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "radiusd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "December 21 23:20:14 archite1843.mail.home isqua: radiusd uta", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6491, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "archite1843.mail.home" - ], - "rsa.internal.event_desc": "uta", - "rsa.internal.messageid": "radiusd", - "rsa.misc.event_source": "archite1843.mail.home", - "rsa.time.day": "21", - "rsa.time.month": "December", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "rcsysinit", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "January 5 06:22:49 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6553, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "derit5270.mail.local" - ], - "rsa.internal.event_desc": "ntexpl", - "rsa.internal.messageid": "rcsysinit", - "rsa.misc.event_source": "derit5270.mail.local", - "rsa.time.day": "5", - "rsa.time.month": "January", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "ntpdate", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "January 19 13:25:23 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6625, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "itanim4024.api.example" - ], - "related.ip": [ - "10.156.34.19" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.misc.event_source": "itanim4024.api.example", - "rsa.time.day": "19", - "rsa.time.duration_time": 98.036, - "rsa.time.month": "January", - "service.type": "infoblox", - "source.ip": [ - "10.156.34.19" - ], - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "sshd[saquaea]: Did not receive identification string from 10.222.251.114", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6745, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.ip": [ - "10.222.251.114" - ], - "rsa.internal.data": "saquaea", - "rsa.internal.event_desc": "Did not receive identification string from peer", - "rsa.internal.messageid": "sshd", - "rsa.misc.result": "no identification string", - "rsa.time.day": "Did", - "rsa.time.month": "sshd[saquaea]:", - "service.type": "infoblox", - "source.ip": [ - "10.222.251.114" - ], - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "in.tftpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "February 17 03:30:32 ataevi1984.internal.host plic: in.tftpd connection refused from 10.17.87.79", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6818, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "ataevi1984.internal.host" - ], - "related.ip": [ - "10.17.87.79" - ], - "rsa.internal.messageid": "in.tftpd", - "rsa.misc.event_source": "ataevi1984.internal.host", - "rsa.time.day": "17", - "rsa.time.month": "February", - "service.type": "infoblox", - "source.ip": [ - "10.17.87.79" - ], - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "ntpd_initres", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 3 10:33:06 tionula1586.host ntpd_initres[idolor]: ntpd exiting on signal 15", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6915, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tionula1586.host" - ], - "rsa.internal.data": "idolor", - "rsa.internal.event_desc": "ntpd exiting", - "rsa.internal.messageid": "ntpd_initres", - "rsa.misc.event_source": "tionula1586.host", - "rsa.time.day": "3", - "rsa.time.month": "March", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "March 17 17:35:40 llam1884.www.corp quasiarc: ntpd time slew success", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 6997, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "llam1884.www.corp" - ], - "rsa.internal.event_desc": "time slew duraion", - "rsa.internal.messageid": "ntpd", - "rsa.misc.event_source": "llam1884.www.corp", - "rsa.misc.result": "success", - "rsa.time.day": "17", - "rsa.time.month": "March", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "acpid", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 1 00:38:14 ore5643.api.lan 10.126.163.125 acpid[edolorin]: dolorem", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7066, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "ore5643.api.lan" - ], - "rsa.internal.data": "edolorin", - "rsa.internal.event_desc": "dolorem", - "rsa.internal.messageid": "acpid", - "rsa.misc.event_source": "ore5643.api.lan", - "rsa.time.day": "1", - "rsa.time.month": "April", + "rsa.internal.event_desc": "oreveri", + "rsa.internal.messageid": "init", + "rsa.misc.event_source": "mipsamvo4282.api.home", + "rsa.time.day": "21", + "rsa.time.month": "August", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -2192,282 +2460,19 @@ "event.code": "rc3", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "April 15 07:40:49 exeacomm79.api.corp rc3[mides]: ciun", + "event.original": "September 5 06:06:31 Except6889.www.corp -:rc3 umetMal", "fileset.name": "nios", "input.type": "log", - "log.offset": 7139, + "log.offset": 7764, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "exeacomm79.api.corp" + "Except6889.www.corp" ], - "rsa.internal.data": "mides", - "rsa.internal.event_desc": "ciun", + "rsa.internal.event_desc": "umetMal", "rsa.internal.messageid": "rc3", - "rsa.misc.event_source": "exeacomm79.api.corp", - "rsa.time.day": "15", - "rsa.time.month": "April", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "watchdog", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "April 29 14:43:23 lorsita6602.mail.local uat: watchdog lupta could not be opened, errno = npr", - "file.name": "lupta", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7194, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "lorsita6602.mail.local" - ], - "rsa.internal.messageid": "watchdog", - "rsa.misc.event_source": "lorsita6602.mail.local", - "rsa.misc.result_code": "npr", - "rsa.time.day": "29", - "rsa.time.month": "April", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "speedstep_control", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 13 21:45:57 ratv2649.www.host speedstep_control[tali]: BCS", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7288, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "ratv2649.www.host" - ], - "rsa.internal.data": "tali", - "rsa.internal.event_desc": "BCS", - "rsa.internal.messageid": "speedstep_control", - "rsa.misc.event_source": "ratv2649.www.host", - "rsa.time.day": "13", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "python", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "May 28 04:48:31 abor4353.www5.host ame: python tesseq", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7351, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "abor4353.www5.host" - ], - "rsa.internal.event_desc": "tesseq", - "rsa.internal.messageid": "python", - "rsa.misc.event_source": "abor4353.www5.host", - "rsa.time.day": "28", - "rsa.time.month": "May", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "openvpn-member", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "June 11 11:51:06 rerepre6748.internal.domain 10.47.31.181 openvpn-member[tdolore]: OpenVPN 1.388 [icmp] [red] sinto", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7405, - "network.protocol": "icmp", - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "observer.version": "1.388", - "related.hosts": [ - "rerepre6748.internal.domain" - ], - "rsa.db.index": "sinto", - "rsa.internal.data": "tdolore", - "rsa.internal.messageid": "openvpn-member", - "rsa.misc.event_source": "rerepre6748.internal.domain", - "rsa.misc.version": "1.388", - "rsa.time.day": "11", - "rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "rc", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "June 25 18:53:40 qui3176.internal.example 10.165.6.51 rc: executing amvolu start", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7521, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "qui3176.internal.example" - ], - "rsa.internal.messageid": "rc", - "rsa.misc.client": "amvolu", - "rsa.misc.event_source": "qui3176.internal.example", - "rsa.time.day": "25", - "rsa.time.month": "June", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "monitor", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 10 01:56:14 der7349.invalid 10.133.146.125 monitor: Type: igmp, State: diduntu, Event: eiusmod.", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7602, - "network.protocol": "igmp", - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "der7349.invalid" - ], - "rsa.internal.event_desc": "eiusmod", - "rsa.internal.messageid": "monitor", - "rsa.misc.event_source": "der7349.invalid", - "rsa.misc.event_state": "diduntu", - "rsa.time.day": "10", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "diskcheck", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "July 24 08:58:48 veleum3833.internal.test henderi: diskcheck iusmodt", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7703, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "veleum3833.internal.test" - ], - "rsa.internal.event_desc": "iusmodt", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "veleum3833.internal.test", - "rsa.time.day": "24", - "rsa.time.month": "July", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "rc6", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "August 7 16:01:23 aquio6685.internal.test 10.17.193.123 rc6[aquio]: riatu", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7772, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "aquio6685.internal.test" - ], - "rsa.internal.data": "aquio", - "rsa.internal.event_desc": "riatu", - "rsa.internal.messageid": "rc6", - "rsa.misc.event_source": "aquio6685.internal.test", - "rsa.time.day": "7", - "rsa.time.month": "August", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "debug", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "Aug 21 23:03:57 tanimid4871.internal.domain debug[abor]: nBCSe", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7846, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "tanimid4871.internal.domain" - ], - "rsa.internal.data": "abor", - "rsa.internal.event_desc": "nBCSe", - "rsa.internal.messageid": "debug", - "rsa.misc.event_source": "tanimid4871.internal.domain", - "rsa.time.day": "21", - "rsa.time.month": "Aug", - "service.type": "infoblox", - "tags": [ - "infoblox.nios", - "forwarded" - ] - }, - { - "event.code": "pidof", - "event.dataset": "infoblox.nios", - "event.module": "infoblox", - "event.original": "September 5 06:06:31 icta82.internal.lan 10.252.116.137 pidof[uei]: can't read sid from Nequepo", - "fileset.name": "nios", - "input.type": "log", - "log.offset": 7909, - "observer.product": "Network", - "observer.type": "IPAM", - "observer.vendor": "Infoblox", - "related.hosts": [ - "icta82.internal.lan" - ], - "rsa.internal.data": "uei", - "rsa.internal.event_desc": "can't read sid", - "rsa.internal.messageid": "pidof", - "rsa.misc.client": "Nequepo", - "rsa.misc.event_source": "icta82.internal.lan", + "rsa.misc.event_source": "Except6889.www.corp", "rsa.time.day": "5", "rsa.time.month": "September", "service.type": "infoblox", @@ -2477,25 +2482,24 @@ ] }, { - "event.code": "speedstep_control", + "event.code": "debug", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "September 19 13:09:05 dol6197.mail.localdomain speedstep_control[inBCSe]: otamrem", + "event.original": "Sep 19 13:09:05 umq1309.api.test uae: debug mve", "fileset.name": "nios", "input.type": "log", - "log.offset": 8005, + "log.offset": 7819, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "dol6197.mail.localdomain" + "umq1309.api.test" ], - "rsa.internal.data": "inBCSe", - "rsa.internal.event_desc": "otamrem", - "rsa.internal.messageid": "speedstep_control", - "rsa.misc.event_source": "dol6197.mail.localdomain", + "rsa.internal.event_desc": "mve", + "rsa.internal.messageid": "debug", + "rsa.misc.event_source": "umq1309.api.test", "rsa.time.day": "19", - "rsa.time.month": "September", + "rsa.time.month": "Sep", "service.type": "infoblox", "tags": [ "infoblox.nios", @@ -2503,23 +2507,23 @@ ] }, { - "event.code": "ntpd", + "event.code": "rc", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 3 20:11:40 lumqu617.www.test 10.39.172.93 ntpd: time slew success", + "event.original": "October 3 20:11:40 ugit5828.www5.test rc[asnu]: executing hitec start", "fileset.name": "nios", "input.type": "log", - "log.offset": 8087, + "log.offset": 7867, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "lumqu617.www.test" + "ugit5828.www5.test" ], - "rsa.internal.event_desc": "time slew duraion", - "rsa.internal.messageid": "ntpd", - "rsa.misc.event_source": "lumqu617.www.test", - "rsa.misc.result": "success", + "rsa.internal.data": "asnu", + "rsa.internal.messageid": "rc", + "rsa.misc.client": "hitec", + "rsa.misc.event_source": "ugit5828.www5.test", "rsa.time.day": "3", "rsa.time.month": "October", "service.type": "infoblox", @@ -2529,23 +2533,22 @@ ] }, { - "event.code": "pidof", + "event.code": "ntpd_initres", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "October 18 03:14:14 uido492.www5.home pidof[uid]: can't get program name from snostrum", + "event.original": "October 18 03:14:14 ntexplic4824.internal.localhost :ntpd_initres ntpd exiting on signal 15", "fileset.name": "nios", "input.type": "log", - "log.offset": 8161, + "log.offset": 7937, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "uido492.www5.home" + "ntexplic4824.internal.localhost" ], - "rsa.internal.data": "uid", - "rsa.internal.messageid": "pidof", - "rsa.misc.client": "snostrum", - "rsa.misc.event_source": "uido492.www5.home", + "rsa.internal.event_desc": "ntpd exiting", + "rsa.internal.messageid": "ntpd_initres", + "rsa.misc.event_source": "ntexplic4824.internal.localhost", "rsa.time.day": "18", "rsa.time.month": "October", "service.type": "infoblox", @@ -2555,24 +2558,22 @@ ] }, { - "event.code": "snmptrapd", + "event.code": "radiusd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 1 10:16:48 reseosqu1629.mail.lan 10.36.166.81 snmptrapd: NET-SNMP version 1.6198 ommo", + "event.original": "November 1 10:16:48 archite1843.mail.home isqua: radiusd uta", "fileset.name": "nios", "input.type": "log", - "log.offset": 8248, + "log.offset": 8029, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "observer.version": "1.6198", "related.hosts": [ - "reseosqu1629.mail.lan" + "archite1843.mail.home" ], - "rsa.internal.event_desc": "ommo", - "rsa.internal.messageid": "snmptrapd", - "rsa.misc.event_source": "reseosqu1629.mail.lan", - "rsa.misc.version": "1.6198", + "rsa.internal.event_desc": "uta", + "rsa.internal.messageid": "radiusd", + "rsa.misc.event_source": "archite1843.mail.home", "rsa.time.day": "1", "rsa.time.month": "November", "service.type": "infoblox", @@ -2582,23 +2583,22 @@ ] }, { - "event.code": "smart_check_io", + "event.code": "rcsysinit", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 15 17:19:22 itseddoe5595.internal.localhost 10.228.102.170 smart_check_io[ehende]: tutla", + "event.original": "November 15 17:19:22 derit5270.mail.local 10.105.52.140 rcsysinit: ntexpl", "fileset.name": "nios", "input.type": "log", - "log.offset": 8343, + "log.offset": 8090, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "itseddoe5595.internal.localhost" + "derit5270.mail.local" ], - "rsa.internal.data": "ehende", - "rsa.internal.event_desc": "tutla", - "rsa.internal.messageid": "smart_check_io", - "rsa.misc.event_source": "itseddoe5595.internal.localhost", + "rsa.internal.event_desc": "ntexpl", + "rsa.internal.messageid": "rcsysinit", + "rsa.misc.event_source": "derit5270.mail.local", "rsa.time.day": "15", "rsa.time.month": "November", "service.type": "infoblox", @@ -2608,50 +2608,60 @@ ] }, { - "event.code": "diskcheck", + "event.code": "ntpdate", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "November 30 00:21:57 olu5333.www.domain orumSe: diskcheck dolor", + "event.original": "November 30 00:21:57 itanim4024.api.example 10.180.101.232 ntpdate: adjust time server 10.156.34.19 offset 98.036000 sec", "fileset.name": "nios", "input.type": "log", - "log.offset": 8441, + "log.offset": 8164, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", "related.hosts": [ - "olu5333.www.domain" + "itanim4024.api.example" ], - "rsa.internal.event_desc": "dolor", - "rsa.internal.messageid": "diskcheck", - "rsa.misc.event_source": "olu5333.www.domain", + "related.ip": [ + "10.156.34.19" + ], + "rsa.internal.messageid": "ntpdate", + "rsa.misc.event_source": "itanim4024.api.example", "rsa.time.day": "30", + "rsa.time.duration_time": 98.036, "rsa.time.month": "November", "service.type": "infoblox", + "source.ip": [ + "10.156.34.19" + ], "tags": [ "infoblox.nios", "forwarded" ] }, { - "event.code": "init", + "event.code": "sshd", "event.dataset": "infoblox.nios", "event.module": "infoblox", - "event.original": "December 14 07:24:31 dtemp1362.internal.example mips: init itae", + "event.original": "sshd[saquaea]: Did not receive identification string from 10.222.251.114", "fileset.name": "nios", "input.type": "log", - "log.offset": 8505, + "log.offset": 8285, "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", - "related.hosts": [ - "dtemp1362.internal.example" + "related.ip": [ + "10.222.251.114" ], - "rsa.internal.event_desc": "itae", - "rsa.internal.messageid": "init", - "rsa.misc.event_source": "dtemp1362.internal.example", - "rsa.time.day": "14", - "rsa.time.month": "December", + "rsa.internal.data": "saquaea", + "rsa.internal.event_desc": "Did not receive identification string from peer", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "no identification string", + "rsa.time.day": "Did", + "rsa.time.month": "sshd[saquaea]:", "service.type": "infoblox", + "source.ip": [ + "10.222.251.114" + ], "tags": [ "infoblox.nios", "forwarded" diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml index 3907b711d8b5..088629b28ba2 100644 --- a/x-pack/filebeat/module/juniper/junos/config/input.yml +++ b/x-pack/filebeat/module/juniper/junos/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/juniper/junos/config/liblogparser.js +++ b/x-pack/filebeat/module/juniper/junos/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/juniper/junos/config/pipeline.js b/x-pack/filebeat/module/juniper/junos/config/pipeline.js index 82d7b9ed9ab9..eb7120498949 100644 --- a/x-pack/filebeat/module/juniper/junos/config/pipeline.js +++ b/x-pack/filebeat/module/juniper/junos/config/pipeline.js @@ -32,6 +32,26 @@ var dup7 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); var dup8 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); var dup9 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(": "), + field("p0"), + ], +}); + +var dup10 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("messageid"), + constant(" "), + field("p0"), + ], +}); + +var dup11 = call({ dest: "nwparser.payload", fn: STRCAT, args: [ @@ -39,11 +59,11 @@ var dup9 = call({ constant(" "), field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }); -var dup10 = call({ +var dup12 = call({ dest: "nwparser.payload", fn: STRCAT, args: [ @@ -53,33 +73,31 @@ var dup10 = call({ constant("]: "), field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }); -var dup11 = call({ +var dup13 = call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("messageid"), - constant(": "), - field("payload"), + constant(" ["), + field("p0"), ], }); -var dup12 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); - -var dup13 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); +var dup14 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); -var dup14 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); +var dup15 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); -var dup15 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); +var dup16 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); -var dup16 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); +var dup17 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); -var dup17 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); +var dup18 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); -var dup18 = call({ +var dup19 = call({ dest: "nwparser.payload", fn: STRCAT, args: [ @@ -87,17 +105,17 @@ var dup18 = call({ constant("["), field("pid"), constant("]: "), - field("payload"), + field("p0"), ], }); -var dup19 = setc("messageid","JUNOSROUTER_GENERIC"); +var dup20 = setc("messageid","JUNOSROUTER_GENERIC"); -var dup20 = setc("eventcategory","1605000000"); +var dup21 = setc("eventcategory","1605000000"); -var dup21 = setf("msg","$MSG"); +var dup22 = setf("msg","$MSG"); -var dup22 = date_time({ +var dup23 = date_time({ dest: "event_time", args: ["month","day","time"], fmts: [ @@ -105,63 +123,63 @@ var dup22 = date_time({ ], }); -var dup23 = setf("hostname","hhost"); +var dup24 = setf("hostname","hhost"); -var dup24 = setc("event_description","AUDIT"); +var dup25 = setc("event_description","AUDIT"); -var dup25 = setc("event_description","CRON command"); +var dup26 = setc("event_description","CRON command"); -var dup26 = setc("eventcategory","1801030000"); +var dup27 = setc("eventcategory","1801030000"); -var dup27 = setc("eventcategory","1801020000"); +var dup28 = setc("eventcategory","1801020000"); -var dup28 = setc("eventcategory","1605010000"); +var dup29 = setc("eventcategory","1605010000"); -var dup29 = setc("eventcategory","1603000000"); +var dup30 = setc("eventcategory","1603000000"); -var dup30 = setc("event_description","Process mode"); +var dup31 = setc("event_description","Process mode"); -var dup31 = setc("event_description","NTP Server Unreachable"); +var dup32 = setc("event_description","NTP Server Unreachable"); -var dup32 = setc("eventcategory","1401060000"); +var dup33 = setc("eventcategory","1401060000"); -var dup33 = setc("ec_theme","Authentication"); +var dup34 = setc("ec_theme","Authentication"); -var dup34 = setc("ec_subject","User"); +var dup35 = setc("ec_subject","User"); -var dup35 = setc("ec_activity","Logon"); +var dup36 = setc("ec_activity","Logon"); -var dup36 = setc("ec_outcome","Success"); +var dup37 = setc("ec_outcome","Success"); -var dup37 = setc("event_description","rpd proceeding"); +var dup38 = setc("event_description","rpd proceeding"); -var dup38 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); +var dup39 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); -var dup39 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); +var dup40 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); -var dup40 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); +var dup41 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); -var dup41 = setc("eventcategory","1701010000"); +var dup42 = setc("eventcategory","1701010000"); -var dup42 = setc("ec_outcome","Failure"); +var dup43 = setc("ec_outcome","Failure"); -var dup43 = setc("eventcategory","1401030000"); +var dup44 = setc("eventcategory","1401030000"); -var dup44 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); +var dup45 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); -var dup45 = setc("eventcategory","1803000000"); +var dup46 = setc("eventcategory","1803000000"); -var dup46 = setc("event_type","VPN"); +var dup47 = setc("event_type","VPN"); -var dup47 = setc("eventcategory","1605020000"); +var dup48 = setc("eventcategory","1605020000"); -var dup48 = setc("eventcategory","1602020000"); +var dup49 = setc("eventcategory","1602020000"); -var dup49 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); +var dup50 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); -var dup50 = setc("eventcategory","1603020000"); +var dup51 = setc("eventcategory","1603020000"); -var dup51 = date_time({ +var dup52 = date_time({ dest: "event_time", args: ["hfld32"], fmts: [ @@ -169,25 +187,25 @@ var dup51 = date_time({ ], }); -var dup52 = setc("ec_subject","NetworkComm"); +var dup53 = setc("ec_subject","NetworkComm"); -var dup53 = setc("ec_activity","Create"); +var dup54 = setc("ec_activity","Create"); -var dup54 = setc("ec_activity","Stop"); +var dup55 = setc("ec_activity","Stop"); -var dup55 = setc("event_description","Trap state change"); +var dup56 = setc("event_description","Trap state change"); -var dup56 = setc("event_description","peer NLRI mismatch"); +var dup57 = setc("event_description","peer NLRI mismatch"); -var dup57 = setc("eventcategory","1605030000"); +var dup58 = setc("eventcategory","1605030000"); -var dup58 = setc("eventcategory","1603010000"); +var dup59 = setc("eventcategory","1603010000"); -var dup59 = setc("eventcategory","1606000000"); +var dup60 = setc("eventcategory","1606000000"); -var dup60 = setf("hostname","hhostname"); +var dup61 = setf("hostname","hhostname"); -var dup61 = date_time({ +var dup62 = date_time({ dest: "event_time", args: ["hfld6"], fmts: [ @@ -195,65 +213,63 @@ var dup61 = date_time({ ], }); -var dup62 = setc("eventcategory","1401050200"); +var dup63 = setc("eventcategory","1401050200"); -var dup63 = setc("event_description","Memory allocation failed during initialization for configuration load"); +var dup64 = setc("event_description","Memory allocation failed during initialization for configuration load"); -var dup64 = setc("event_description","unable to run in the background as a daemon"); +var dup65 = setc("event_description","unable to run in the background as a daemon"); -var dup65 = setc("event_description","Another copy of this program is running"); +var dup66 = setc("event_description","Another copy of this program is running"); -var dup66 = setc("event_description","Unable to lock PID file"); +var dup67 = setc("event_description","Unable to lock PID file"); -var dup67 = setc("event_description","Unable to update process PID file"); +var dup68 = setc("event_description","Unable to update process PID file"); -var dup68 = setc("eventcategory","1301000000"); +var dup69 = setc("eventcategory","1301000000"); -var dup69 = setc("event_description","Command stopped"); +var dup70 = setc("event_description","Command stopped"); -var dup70 = setc("event_description","Unable to create pipes for command"); +var dup71 = setc("event_description","Unable to create pipes for command"); -var dup71 = setc("event_description","Command exited"); +var dup72 = setc("event_description","Command exited"); -var dup72 = setc("eventcategory","1603050000"); +var dup73 = setc("eventcategory","1603050000"); -var dup73 = setc("eventcategory","1801010000"); +var dup74 = setc("eventcategory","1801010000"); -var dup74 = setc("event_description","Login failure"); +var dup75 = setc("event_description","Login failure"); -var dup75 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); +var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); -var dup76 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); +var dup77 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); -var dup77 = setc("event_description","Unable to open file"); +var dup78 = setc("event_description","Unable to open file"); -var dup78 = setc("event_description","SNMP index assigned changed"); +var dup79 = setc("event_description","SNMP index assigned changed"); -var dup79 = setc("eventcategory","1302000000"); +var dup80 = setc("eventcategory","1302000000"); -var dup80 = setc("eventcategory","1001020300"); +var dup81 = setc("eventcategory","1001020300"); -var dup81 = setc("event_description","PFE FW SYSLOG_IP"); +var dup82 = setc("event_description","PFE FW SYSLOG_IP"); -var dup82 = setc("event_description","process_mode"); +var dup83 = setc("event_description","process_mode"); -var dup83 = setc("event_description","Logical interface collision"); +var dup84 = setc("event_description","Logical interface collision"); -var dup84 = setc("event_description","excessive runtime time during action of module"); +var dup85 = setc("event_description","excessive runtime time during action of module"); -var dup85 = setc("event_description","Reinitializing"); +var dup86 = setc("event_description","Reinitializing"); -var dup86 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); -var dup87 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); +var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); -var dup88 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); +var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); -var dup89 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); +var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); -var dup90 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); - -var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); +var dup91 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); var dup92 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); @@ -261,232 +277,240 @@ var dup93 = setc("eventcategory","1803010000"); var dup94 = setc("ec_activity","Deny"); -var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); +var dup95 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); -var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); +var dup96 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); var dup97 = setc("event_description","session denied"); -var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var dup98 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); -var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); +var dup99 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); var dup100 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); -var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); +var dup101 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); -var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); +var dup102 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); -var dup103 = setc("dclass_counter1_string","No.of packets from client"); +var dup103 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); -var dup104 = setc("event_description","SNMPD AUTH FAILURE"); +var dup104 = setc("dclass_counter1_string","No.of packets from client"); -var dup105 = setc("event_description","send send-type (index1) failure"); +var dup105 = setc("event_description","SNMPD AUTH FAILURE"); -var dup106 = setc("event_description","SNMP trap error"); +var dup106 = setc("event_description","send send-type (index1) failure"); -var dup107 = setc("event_description","SNMP TRAP LINK DOWN"); +var dup107 = setc("event_description","SNMP trap error"); -var dup108 = setc("event_description","SNMP TRAP LINK UP"); +var dup108 = setc("event_description","SNMP TRAP LINK DOWN"); -var dup109 = setc("event_description","Login Failure"); +var dup109 = setc("event_description","SNMP TRAP LINK UP"); -var dup110 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); +var dup110 = setc("event_description","Login Failure"); -var dup111 = setc("eventcategory","1701020000"); +var dup111 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); -var dup112 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); +var dup112 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); -var dup113 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); +var dup113 = setc("eventcategory","1701020000"); -var dup114 = setc("event_description","User set command"); +var dup114 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); -var dup115 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); +var dup115 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); -var dup116 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); +var dup116 = setc("event_description","User set command"); -var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); +var dup117 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); -var dup118 = setc("event_description","User set groups to secret"); +var dup118 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); -var dup119 = setc("event_description","UI CMDLINE READ LINE"); +var dup119 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); -var dup120 = setc("event_description","User commit"); +var dup120 = setc("event_description","User set groups to secret"); -var dup121 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); +var dup121 = setc("event_description","UI CMDLINE READ LINE"); -var dup122 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); +var dup122 = setc("event_description","User commit"); -var dup123 = setc("eventcategory","1401070000"); +var dup123 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); -var dup124 = setc("ec_activity","Logoff"); +var dup124 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); -var dup125 = setc("event_description","Successful login"); +var dup125 = setc("eventcategory","1401070000"); -var dup126 = setf("hostname","hostip"); +var dup126 = setc("ec_activity","Logoff"); -var dup127 = setc("event_description","TACACS+ failure"); +var dup127 = setc("event_description","Successful login"); -var dup128 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); +var dup128 = setf("hostname","hostip"); -var dup129 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); +var dup129 = setc("event_description","TACACS+ failure"); -var dup130 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); +var dup130 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); -var dup131 = setc("eventcategory","1003010000"); +var dup131 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); -var dup132 = setc("eventcategory","1901000000"); +var dup132 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); -var dup133 = linear_select([ - dup12, - dup13, +var dup133 = setc("eventcategory","1003010000"); + +var dup134 = setc("eventcategory","1901000000"); + +var dup135 = linear_select([ dup14, dup15, + dup16, + dup17, ]); -var dup134 = linear_select([ - dup39, +var dup136 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ + dup13, +])); + +var dup137 = linear_select([ dup40, + dup41, ]); -var dup135 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup20, +var dup138 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ dup21, - dup55, dup22, + dup56, + dup23, ])); -var dup136 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup50, - dup21, - dup63, +var dup139 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup51, dup22, + dup64, + dup23, ])); -var dup137 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup29, - dup21, - dup64, +var dup140 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup30, dup22, + dup65, + dup23, ])); -var dup138 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup29, - dup21, - dup65, +var dup141 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup30, dup22, + dup66, + dup23, ])); -var dup139 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup29, - dup21, - dup66, +var dup142 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup30, dup22, + dup67, + dup23, ])); -var dup140 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup29, - dup21, - dup67, +var dup143 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup30, dup22, + dup68, + dup23, ])); -var dup141 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup29, - dup21, - dup70, +var dup144 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup30, dup22, + dup71, + dup23, ])); -var dup142 = linear_select([ - dup75, +var dup145 = linear_select([ dup76, + dup77, ]); -var dup143 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup29, - dup21, - dup78, +var dup146 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup30, dup22, + dup79, + dup23, ])); -var dup144 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup29, - dup21, - dup83, +var dup147 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup30, dup22, + dup84, + dup23, ])); -var dup145 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup29, - dup21, - dup84, +var dup148 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup30, dup22, + dup85, + dup23, ])); -var dup146 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup20, +var dup149 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ dup21, - dup85, dup22, + dup86, + dup23, ])); -var dup147 = linear_select([ - dup87, +var dup150 = linear_select([ dup88, + dup89, ]); -var dup148 = linear_select([ - dup89, +var dup151 = linear_select([ dup90, + dup45, ]); -var dup149 = linear_select([ +var dup152 = linear_select([ dup95, dup96, ]); -var dup150 = linear_select([ +var dup153 = linear_select([ dup101, - dup102, + dup91, ]); -var dup151 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup29, - dup21, - dup51, +var dup154 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, ])); -var dup152 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup26, - dup21, - dup51, +var dup155 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup27, + dup22, + dup52, ])); -var dup153 = linear_select([ - dup116, - dup117, +var dup156 = linear_select([ + dup118, + dup119, ]); -var dup154 = linear_select([ - dup121, - dup122, +var dup157 = linear_select([ + dup123, + dup124, ]); -var dup155 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup29, - dup21, - dup51, +var dup158 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup30, + dup22, + dup52, ])); -var dup156 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ +var dup159 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ + dup48, dup47, - dup46, + dup23, dup22, - dup21, ])); -var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{messageid}: restart %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -494,12 +518,12 @@ var hdr1 = match("HEADER#0:0001", "message", "%{month->} %{day->} %{time->} %{me args: [ field("messageid"), constant(": restart "), - field("payload"), + field("p0"), ], }), ])); -var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{messageid->} message repeated %{p0}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -507,12 +531,12 @@ var hdr2 = match("HEADER#1:0002", "message", "%{month->} %{day->} %{time->} %{me args: [ field("messageid"), constant(" message repeated "), - field("payload"), + field("p0"), ], }), ])); -var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb %{messageid}(%{hfld1}): %{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -522,7 +546,7 @@ var hdr3 = match("HEADER#2:0003", "message", "%{month->} %{day->} %{time->} ssb constant("("), field("hfld1"), constant("): "), - field("payload"), + field("p0"), ], }), ])); @@ -552,7 +576,9 @@ var select1 = linear_select([ dup8, ]); -var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{payload}"); +var part6 = match("HEADER#3:0004/2", "nwparser.p0", "%{} %{messageid}: %{p0}", processor_chain([ + dup9, +])); var all1 = all_match({ processors: [ @@ -575,7 +601,9 @@ var select2 = linear_select([ dup8, ]); -var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); +var part7 = match("HEADER#4:0005/2", "nwparser.p0", "%{} %{messageid->} %{p0}", processor_chain([ + dup10, +])); var all2 = all_match({ processors: [ @@ -588,7 +616,7 @@ var all2 = all_match({ ]), }); -var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{payload}", processor_chain([ +var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2}[%{hpid}]: %{messageid}: %{p0}", processor_chain([ setc("header_id","0007"), call({ dest: "nwparser.payload", @@ -600,12 +628,12 @@ var hdr4 = match("HEADER#5:0007", "message", "%{month->} %{day->} %{time->} %{hf constant("]: "), field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }), ])); -var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{payload}", processor_chain([ +var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}[%{hpid}]: %{p0}", processor_chain([ setc("header_id","0008"), call({ dest: "nwparser.payload", @@ -615,12 +643,12 @@ var hdr5 = match("HEADER#6:0008", "message", "%{month->} %{day->} %{time->} %{hf constant("["), field("hpid"), constant("]: "), - field("payload"), + field("p0"), ], }), ])); -var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{payload}", processor_chain([ +var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} IFP trace> %{messageid}: %{p0}", processor_chain([ setc("header_id","0009"), call({ dest: "nwparser.payload", @@ -630,52 +658,44 @@ var hdr6 = match("HEADER#7:0009", "message", "%{month->} %{day->} %{time->} %{hf constant(" IFP trace> "), field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }), ])); -var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{payload}", processor_chain([ +var hdr7 = match("HEADER#8:0010", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{hfld2->} %{messageid}: %{p0}", processor_chain([ setc("header_id","0010"), - dup9, + dup11, ])); -var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ +var hdr8 = match("HEADER#9:0029", "message", "%{month->} %{day->} %{time->} %{hostip->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ setc("header_id","0029"), - dup10, + dup12, ])); -var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{payload}", processor_chain([ +var hdr9 = match("HEADER#10:0015", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}: %{p0}", processor_chain([ setc("header_id","0015"), - dup10, + dup12, ])); -var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{payload}", processor_chain([ +var hdr10 = match("HEADER#11:0011", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{messageid}: %{p0}", processor_chain([ setc("header_id","0011"), - dup9, + dup11, ])); -var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{payload}", processor_chain([ +var hdr11 = match("HEADER#12:0027", "message", "%{month->} %{day->} %{time->} %{hhostname->} RT_FLOW: %{messageid}: %{p0}", processor_chain([ setc("header_id","0027"), - dup11, + dup9, ])); -var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{payload}", processor_chain([ +var hdr12 = match("HEADER#13:0012", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhost}: %{messageid}: %{p0}", processor_chain([ setc("header_id","0012"), - dup11, + dup9, ])); -var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{payload}", processor_chain([ +var hdr13 = match("HEADER#14:0013", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hfld32->} %{hhostname->} RT_FLOW - %{messageid->} [%{p0}", processor_chain([ setc("header_id","0013"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" ["), - field("payload"), - ], - }), + dup13, ])); var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time->} %{hfld32->} %{hhostname->} %{p0}"); @@ -683,8 +703,8 @@ var hdr14 = match("HEADER#15:0026.upd.a/0", "message", "%{hfld1->} %{event_time- var all3 = all_match({ processors: [ hdr14, - dup133, - dup16, + dup135, + dup136, ], on_success: processor_chain([ setc("header_id","0026.upd.a"), @@ -693,9 +713,9 @@ var all3 = all_match({ var all4 = all_match({ processors: [ - dup17, - dup133, - dup16, + dup18, + dup135, + dup136, ], on_success: processor_chain([ setc("header_id","0026.upd.b"), @@ -704,16 +724,16 @@ var all4 = all_match({ var all5 = all_match({ processors: [ - dup17, - dup133, - dup16, + dup18, + dup135, + dup136, ], on_success: processor_chain([ setc("header_id","0026"), ]), }); -var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{payload}", processor_chain([ +var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid}[%{hpid}]: %{p0}", processor_chain([ setc("header_id","0014"), call({ dest: "nwparser.payload", @@ -727,12 +747,12 @@ var hdr15 = match("HEADER#18:0014", "message", "%{month->} %{day->} %{time->} %{ constant("["), field("hpid"), constant("]: "), - field("payload"), + field("p0"), ], }), ])); -var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{payload}", processor_chain([ +var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{hfld1}: %{messageid}: %{p0}", processor_chain([ setc("header_id","0016"), call({ dest: "nwparser.payload", @@ -742,12 +762,12 @@ var hdr16 = match("HEADER#19:0016", "message", "%{month->} %{day->} %{time->} %{ constant(": "), field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }), ])); -var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{payload}", processor_chain([ +var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{hfld1}[%{pid}]: %{messageid->} %{p0}", processor_chain([ setc("header_id","0017"), call({ dest: "nwparser.payload", @@ -759,52 +779,52 @@ var hdr17 = match("HEADER#20:0017", "message", "%{month->} %{day->} %{time->} %{ constant("]: "), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{payload}", processor_chain([ +var hdr18 = match("HEADER#21:0018", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}[%{pid}]: %{p0}", processor_chain([ setc("header_id","0018"), - dup18, + dup19, ])); -var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{payload}", processor_chain([ +var hdr19 = match("HEADER#22:0028", "message", "%{month->} %{day->} %{time->} %{hhost->} %{messageid}[%{pid}]: %{p0}", processor_chain([ setc("header_id","0028"), - dup18, + dup19, ])); -var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{payload}", processor_chain([ +var hdr20 = match("HEADER#23:0019", "message", "%{month->} %{day->} %{time->} %{hhost}: %{messageid}: %{p0}", processor_chain([ setc("header_id","0019"), - dup11, + dup9, ])); -var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{payload}", processor_chain([ +var hdr21 = match("HEADER#24:0020", "message", "%{month->} %{day->} %{time->} %{messageid}[%{pid}]: %{p0}", processor_chain([ setc("header_id","0020"), - dup18, + dup19, ])); -var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{payload}", processor_chain([ +var hdr22 = match("HEADER#25:0021", "message", "%{month->} %{day->} %{time->} /%{messageid}: %{p0}", processor_chain([ setc("header_id","0021"), - dup11, + dup9, ])); -var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{payload}", processor_chain([ +var hdr23 = match("HEADER#26:0022", "message", "%{month->} %{day->} %{time->} %{messageid}: %{p0}", processor_chain([ setc("header_id","0022"), - dup11, + dup9, ])); -var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{payload}", processor_chain([ +var hdr24 = match("HEADER#27:0023", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}[%{pid}]: %{p0}", processor_chain([ setc("header_id","0023"), - dup18, + dup19, ])); -var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{payload}", processor_chain([ +var hdr25 = match("HEADER#28:0024", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid}: %{p0}", processor_chain([ setc("header_id","0024"), - dup11, + dup9, ])); -var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{payload}", processor_chain([ +var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{hfld2->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0025"), call({ dest: "nwparser.payload", @@ -814,30 +834,22 @@ var hdr26 = match("HEADER#29:0025", "message", "%{month->} %{day->} %{time->} %{ constant(" "), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{payload}", processor_chain([ +var hdr27 = match("HEADER#30:0031", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname}: %{messageid->} %{p0}", processor_chain([ setc("header_id","0031"), - call({ - dest: "nwparser.payload", - fn: STRCAT, - args: [ - field("messageid"), - constant(" "), - field("payload"), - ], - }), + dup10, ])); -var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{payload}", processor_chain([ +var hdr28 = match("HEADER#31:0032", "message", "%{month->} %{day->} %{time->} %{hostip->} (%{hfld1}) %{hfld2->} %{messageid}[%{pid}]: %{p0}", processor_chain([ setc("header_id","0032"), - dup18, + dup19, ])); -var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{payload}", processor_chain([ +var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{hfld1->} %{hhostname->} %{messageid}: %{p0}", processor_chain([ setc("header_id","0033"), call({ dest: "nwparser.payload", @@ -849,7 +861,7 @@ var hdr29 = match("HEADER#32:0033", "message", "%{month->} %{day->} %{time->} %{ constant(" "), field("messageid"), constant(": "), - field("payload"), + field("p0"), ], }), ])); @@ -866,7 +878,7 @@ var hdr32 = match("HEADER#35:3337", "message", "%{month->} %{day->} %{time->} %{ setc("header_id","3337"), ])); -var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{payload}", processor_chain([ +var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostname->} %{hfld2->} %{hfld3->} %{messageid->} %{p0}", processor_chain([ setc("header_id","3341"), call({ dest: "nwparser.payload", @@ -878,7 +890,7 @@ var hdr33 = match("HEADER#36:3341", "message", "%{hfld1->} %{hfld6->} %{hhostnam constant(" "), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); @@ -887,18 +899,30 @@ var hdr34 = match("HEADER#37:3338", "message", "%{month->} %{day->} %{time->} %{ setc("header_id","3338"), ])); -var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{p0}"); +var hdr35 = match("HEADER#38:3340/0", "message", "%{month->} %{day->} %{time->} %{hhost->} node%{hfld1}.fpc%{p0}", processor_chain([ + call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hhost"), + constant(" node"), + field("hfld1"), + constant(".fpc"), + field("p0"), + ], + }), +])); -var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld1}.fpc%{hfld2}.pic%{hfld3->} %{p0}"); +var part8 = match("HEADER#38:3340/1_0", "nwparser.p0", "%{hfld2}.pic%{hfld3->} %{p0}"); -var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld1}.fpc%{hfld2->} %{p0}"); +var part9 = match("HEADER#38:3340/1_1", "nwparser.p0", "%{hfld2->} %{p0}"); var select3 = linear_select([ part8, part9, ]); -var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{payload}"); +var part10 = match("HEADER#38:3340/2", "nwparser.p0", "%{} %{p0}"); var all6 = all_match({ processors: [ @@ -933,11 +957,11 @@ var all7 = all_match({ ], on_success: processor_chain([ setc("header_id","9997"), - dup19, + dup20, ]), }); -var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{payload}", processor_chain([ +var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{hhost->} %{hfld1->} %{hfld2->} %{messageid}[%{hfld3}]:%{p0}", processor_chain([ setc("header_id","9995"), call({ dest: "nwparser.payload", @@ -947,12 +971,12 @@ var hdr39 = match("HEADER#40:9995", "message", "%{month->} %{day->} %{time->} %{ constant("["), field("hfld3"), constant("]:"), - field("payload"), + field("p0"), ], }), ])); -var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{payload}", processor_chain([ +var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{hfld1->} qsfp %{p0}", processor_chain([ setc("header_id","9994"), setc("messageid","qsfp"), call({ @@ -963,28 +987,28 @@ var hdr40 = match("HEADER#41:9994", "message", "%{month->} %{day->} %{time->} %{ constant(" "), field("hfld1"), constant(" qsfp "), - field("payload"), + field("p0"), ], }), ])); -var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{payload}", processor_chain([ +var hdr41 = match("HEADER#42:9999", "message", "%{month->} %{day->} %{time->} %{hhost->} %{process}[%{process_id}]: %{hevent_type}: %{p0}", processor_chain([ setc("header_id","9999"), - dup19, + dup20, call({ dest: "nwparser.payload", fn: STRCAT, args: [ field("hevent_type"), constant(": "), - field("payload"), + field("p0"), ], }), ])); -var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{payload}", processor_chain([ +var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{hfld2->} %{process}: %{p0}", processor_chain([ setc("header_id","9998"), - dup19, + dup20, call({ dest: "nwparser.payload", fn: STRCAT, @@ -993,7 +1017,7 @@ var hdr42 = match("HEADER#43:9998", "message", "%{month->} %{day->} %{time->} %{ constant(" "), field("process"), constant(": "), - field("payload"), + field("p0"), ], }), ])); @@ -1046,46 +1070,46 @@ var select5 = linear_select([ ]); var part12 = match("MESSAGE#0:/usr/sbin/sshd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup20, dup21, - setc("event_description","sshd exit status"), dup22, + setc("event_description","sshd exit status"), + dup23, ])); var msg1 = msg("/usr/sbin/sshd", part12); var part13 = match("MESSAGE#1:/usr/libexec/telnetd", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exit status %{result}", processor_chain([ - dup20, dup21, - setc("event_description","telnetd exit status"), dup22, + setc("event_description","telnetd exit status"), + dup23, ])); var msg2 = msg("/usr/libexec/telnetd", part13); var part14 = match("MESSAGE#2:alarmd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License color=%{severity}, class=%{device}, reason=%{result}", processor_chain([ - dup20, dup21, - setc("event_description","Alarm Set or Cleared"), dup22, + setc("event_description","Alarm Set or Cleared"), + dup23, ])); var msg3 = msg("alarmd", part14); var part15 = match("MESSAGE#3:bigd", "nwparser.payload", "%{process}: Node detected UP for %{node}", processor_chain([ - dup20, dup21, - setc("event_description","Node detected UP"), dup22, + setc("event_description","Node detected UP"), + dup23, ])); var msg4 = msg("bigd", part15); var part16 = match("MESSAGE#4:bigd:01", "nwparser.payload", "%{process}: Monitor template id is %{id}", processor_chain([ - dup20, dup21, - setc("event_description","Monitor template id"), dup22, + setc("event_description","Monitor template id"), + dup23, ])); var msg5 = msg("bigd:01", part16); @@ -1096,28 +1120,28 @@ var select6 = linear_select([ ]); var part17 = match("MESSAGE#5:bigpipe", "nwparser.payload", "%{process}: Loading the configuration file %{filename}", processor_chain([ - dup20, dup21, - setc("event_description","Loading configuration file"), dup22, + setc("event_description","Loading configuration file"), + dup23, ])); var msg6 = msg("bigpipe", part17); var part18 = match("MESSAGE#6:bigpipe:01", "nwparser.payload", "%{process}: Begin config install operation %{action}", processor_chain([ - dup20, dup21, - setc("event_description","Begin config install operation"), dup22, + setc("event_description","Begin config install operation"), + dup23, ])); var msg7 = msg("bigpipe:01", part18); var part19 = match("MESSAGE#7:bigpipe:02", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup20, dup21, - setc("event_description","Audit"), dup22, + setc("event_description","Audit"), + dup23, ])); var msg8 = msg("bigpipe:02", part19); @@ -1129,46 +1153,46 @@ var select7 = linear_select([ ]); var part20 = match("MESSAGE#8:bigstart", "nwparser.payload", "%{process}: shutdown %{service}", processor_chain([ - dup20, dup21, - setc("event_description","portal shutdown"), dup22, + setc("event_description","portal shutdown"), + dup23, ])); var msg9 = msg("bigstart", part20); var part21 = match("MESSAGE#9:cgatool", "nwparser.payload", "%{process}: %{event_type}: generated address is %{result}", processor_chain([ - dup20, dup21, - setc("event_description","cga address genration"), dup22, + setc("event_description","cga address genration"), + dup23, ])); var msg10 = msg("cgatool", part21); var part22 = match("MESSAGE#10:chassisd:01", "nwparser.payload", "%{process}[%{process_id}]:%{fld12}", processor_chain([ - dup20, dup21, dup22, dup23, + dup24, ])); var msg11 = msg("chassisd:01", part22); var part23 = match("MESSAGE#11:checkd", "nwparser.payload", "%{process}: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup20, dup21, - dup24, dup22, + dup25, + dup23, ])); var msg12 = msg("checkd", part23); var part24 = match("MESSAGE#12:checkd:01", "nwparser.payload", "%{process}: exiting", processor_chain([ - dup20, dup21, - setc("event_description","checkd exiting"), dup22, + setc("event_description","checkd exiting"), + dup23, ])); var msg13 = msg("checkd:01", part24); @@ -1179,28 +1203,28 @@ var select8 = linear_select([ ]); var part25 = match("MESSAGE#13:cosd", "nwparser.payload", "%{process}[%{process_id}]: link protection %{dclass_counter1->} for intf %{interface}", processor_chain([ - dup20, dup21, - setc("event_description","link protection for interface"), dup22, + setc("event_description","link protection for interface"), + dup23, ])); var msg14 = msg("cosd", part25); var part26 = match("MESSAGE#14:craftd", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}, %{result}", processor_chain([ - dup20, dup21, - setc("event_description","License expiration warning"), dup22, + setc("event_description","License expiration warning"), + dup23, ])); var msg15 = msg("craftd", part26); var part27 = match("MESSAGE#15:CRON/0", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{p0}"); -var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result}) "); +var part28 = match("MESSAGE#15:CRON/1_0", "nwparser.p0", "CMD (%{result})"); -var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}' "); +var part29 = match("MESSAGE#15:CRON/1_1", "nwparser.p0", "cmd='%{result}'"); var select9 = linear_select([ part28, @@ -1213,10 +1237,10 @@ var all8 = all_match({ select9, ], on_success: processor_chain([ - dup20, dup21, - dup25, dup22, + dup26, + dup23, ]), }); @@ -1224,7 +1248,7 @@ var msg16 = msg("CRON", all8); var part30 = match("MESSAGE#16:Cmerror/0_0", "nwparser.payload", "%{hostname->} %{node}Cmerror: Level%{level}count increment %{dclass_counter1->} %{fld1}"); -var part31 = match("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "%{fld2}"); +var part31 = match_copy("MESSAGE#16:Cmerror/0_1", "nwparser.payload", "fld2"); var select10 = linear_select([ part30, @@ -1236,37 +1260,37 @@ var all9 = all_match({ select10, ], on_success: processor_chain([ - dup20, - dup22, dup21, + dup23, + dup22, ]), }); var msg17 = msg("Cmerror", all9); var part32 = match("MESSAGE#17:cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) %{action->} (%{filename})", processor_chain([ - dup20, dup21, - setc("event_description","cron RELOAD"), dup22, + setc("event_description","cron RELOAD"), + dup23, ])); var msg18 = msg("cron", part32); var part33 = match("MESSAGE#18:CROND", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD (%{action})", processor_chain([ - dup20, dup21, dup22, dup23, + dup24, ])); var msg19 = msg("CROND", part33); var part34 = match("MESSAGE#20:CROND:02", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session closed for user %{username}", processor_chain([ - dup26, - dup21, + dup27, dup22, dup23, + dup24, ])); var msg20 = msg("CROND:02", part34); @@ -1277,101 +1301,104 @@ var select11 = linear_select([ ]); var part35 = match("MESSAGE#19:crond:01", "nwparser.payload", "%{process}[%{process_id}]: pam_unix(crond:session): session opened for user %{username->} by (uid=%{uid})", processor_chain([ - dup27, - dup21, + dup28, dup22, dup23, + dup24, ])); var msg21 = msg("crond:01", part35); var part36 = match("MESSAGE#21:dcd", "nwparser.payload", "%{process}[%{process_id}]: %{result->} Setting ignored, %{info}", processor_chain([ - dup20, dup21, - setc("event_description","Setting ignored"), dup22, + setc("event_description","Setting ignored"), + dup23, ])); var msg22 = msg("dcd", part36); var part37 = match("MESSAGE#22:EVENT/0", "nwparser.payload", "%{process}[%{process_id}]: EVENT %{event_type->} %{interface->} index %{resultcode->} %{p0}"); -var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{result}> "); +var part38 = match("MESSAGE#22:EVENT/1_0", "nwparser.p0", "%{saddr->} -> %{daddr->} \u003c\u003c%{p0}"); -var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{result}> "); +var part39 = match("MESSAGE#22:EVENT/1_1", "nwparser.p0", "\u003c\u003c%{p0}"); var select12 = linear_select([ part38, part39, ]); +var part40 = match("MESSAGE#22:EVENT/2", "nwparser.p0", ">%{result}"); + var all10 = all_match({ processors: [ part37, select12, + part40, ], on_success: processor_chain([ - dup20, dup21, - setc("event_description","EVENT"), dup22, + setc("event_description","EVENT"), + dup23, ]), }); var msg23 = msg("EVENT", all10); -var part40 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ +var part41 = match("MESSAGE#23:ftpd", "nwparser.payload", "%{process}[%{process_id}]: connection from %{saddr->} (%{shost})", processor_chain([ setc("eventcategory","1802000000"), - dup21, - setc("event_description","ftpd connection"), dup22, + setc("event_description","ftpd connection"), + dup23, ])); -var msg24 = msg("ftpd", part40); +var msg24 = msg("ftpd", part41); -var part41 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ - dup28, +var part42 = match("MESSAGE#24:ha_rto_stats_handler", "nwparser.payload", "%{hostname->} %{node}ha_rto_stats_handler:%{fld12}", processor_chain([ + dup29, + dup23, dup22, - dup21, ])); -var msg25 = msg("ha_rto_stats_handler", part41); +var msg25 = msg("ha_rto_stats_handler", part42); -var part42 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. %{info}", processor_chain([ - dup20, +var part43 = match("MESSAGE#25:hostinit", "nwparser.payload", "%{process}: %{obj_name->} -- LDAP Connection not bound correctly. %{info}", processor_chain([ dup21, - setc("event_description","LDAP Connection not bound correctly"), dup22, + setc("event_description","LDAP Connection not bound correctly"), + dup23, ])); -var msg26 = msg("hostinit", part42); +var msg26 = msg("hostinit", part43); -var part43 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ - dup20, +var part44 = match("MESSAGE#26:ifinfo", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Added entry - %{info}", processor_chain([ dup21, - setc("event_description","PIC_INFO debug - Added entry"), dup22, + setc("event_description","PIC_INFO debug - Added entry"), + dup23, ])); -var msg27 = msg("ifinfo", part43); +var msg27 = msg("ifinfo", part44); -var part44 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ - dup20, +var part45 = match("MESSAGE#27:ifinfo:01", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> Initializing spu listtype %{resultcode}", processor_chain([ dup21, - setc("event_description","PIC_INFO debug Initializing spu"), dup22, + setc("event_description","PIC_INFO debug Initializing spu"), + dup23, ])); -var msg28 = msg("ifinfo:01", part44); +var msg28 = msg("ifinfo:01", part45); -var part45 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ - dup20, +var part46 = match("MESSAGE#28:ifinfo:02", "nwparser.payload", "%{process}: %{service}: PIC_INFO debug> %{info}", processor_chain([ dup21, - setc("event_description","PIC_INFO debug delete from list"), dup22, + setc("event_description","PIC_INFO debug delete from list"), + dup23, ])); -var msg29 = msg("ifinfo:02", part45); +var msg29 = msg("ifinfo:02", part46); var select13 = linear_select([ msg27, @@ -1379,100 +1406,100 @@ var select13 = linear_select([ msg29, ]); -var part46 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ - dup20, +var part47 = match("MESSAGE#29:ifp_ifl_anydown_change_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL anydown change event: \"%{event_type}\"", processor_chain([ dup21, - setc("event_description","IFL anydown change event"), dup22, + setc("event_description","IFL anydown change event"), + dup23, ])); -var msg30 = msg("ifp_ifl_anydown_change_event", part46); +var msg30 = msg("ifp_ifl_anydown_change_event", part47); -var part47 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%{filename}\"", processor_chain([ - dup20, +var part48 = match("MESSAGE#30:ifp_ifl_config_event", "nwparser.payload", "%{node->} %{action}> %{process}: IFL config: \"%{filename}\"", processor_chain([ dup21, - setc("event_description","ifp ifl config_event"), dup22, + setc("event_description","ifp ifl config_event"), + dup23, ])); -var msg31 = msg("ifp_ifl_config_event", part47); +var msg31 = msg("ifp_ifl_config_event", part48); -var part48 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ - dup20, +var part49 = match("MESSAGE#31:ifp_ifl_ext_chg", "nwparser.payload", "%{node->} %{process}: ifp ext piid %{parent_pid->} zone_id %{zone}", processor_chain([ dup21, - setc("event_description","ifp_ifl_ext_chg"), dup22, + setc("event_description","ifp_ifl_ext_chg"), + dup23, ])); -var msg32 = msg("ifp_ifl_ext_chg", part48); +var msg32 = msg("ifp_ifl_ext_chg", part49); -var part49 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ - dup29, - dup21, - setc("event_description","connection exceeded count limit"), +var part50 = match("MESSAGE#32:inetd", "nwparser.payload", "%{process}[%{process_id}]: %{protocol->} from %{saddr->} exceeded counts/min (%{result})", processor_chain([ + dup30, dup22, + setc("event_description","connection exceeded count limit"), + dup23, ])); -var msg33 = msg("inetd", part49); +var msg33 = msg("inetd", part50); -var part50 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","exited"), +var part51 = match("MESSAGE#33:inetd:01", "nwparser.payload", "%{process}[%{process_id}]: %{agent}[%{id}]: exited, status %{result}", processor_chain([ + dup30, dup22, + setc("event_description","exited"), + dup23, ])); -var msg34 = msg("inetd:01", part50); +var msg34 = msg("inetd:01", part51); var select14 = linear_select([ msg33, msg34, ]); -var part51 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup20, +var part52 = match("MESSAGE#34:init:04", "nwparser.payload", "%{process}: %{event_type->} current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ dup21, - dup30, dup22, + dup31, + dup23, ])); -var msg35 = msg("init:04", part51); +var msg35 = msg("init:04", part52); -var part52 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ - dup20, +var part53 = match("MESSAGE#35:init", "nwparser.payload", "%{process}: %{event_type->} mode=%{protocol->} cmd=%{action->} master_mode=%{result}", processor_chain([ dup21, - dup30, dup22, + dup31, + dup23, ])); -var msg36 = msg("init", part52); +var msg36 = msg("init", part53); -var part53 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ - dup20, +var part54 = match("MESSAGE#36:init:01", "nwparser.payload", "%{process}: failure target for routing set to %{result}", processor_chain([ dup21, - setc("event_description","failure target for routing set"), dup22, + setc("event_description","failure target for routing set"), + dup23, ])); -var msg37 = msg("init:01", part53); +var msg37 = msg("init:01", part54); -var part54 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ - dup20, +var part55 = match("MESSAGE#37:init:02", "nwparser.payload", "%{process}: ntp (PID %{child_pid}) started", processor_chain([ dup21, - setc("event_description","ntp started"), dup22, + setc("event_description","ntp started"), + dup23, ])); -var msg38 = msg("init:02", part54); +var msg38 = msg("init:02", part55); -var part55 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ - dup20, +var part56 = match("MESSAGE#38:init:03", "nwparser.payload", "%{process}: product mask %{info->} model %{dclass_counter1}", processor_chain([ dup21, - setc("event_description","product mask and model info"), dup22, + setc("event_description","product mask and model info"), + dup23, ])); -var msg39 = msg("init:03", part55); +var msg39 = msg("init:03", part56); var select15 = linear_select([ msg35, @@ -1482,112 +1509,112 @@ var select15 = linear_select([ msg39, ]); -var part56 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","IPC message exceeds MTU"), +var part57 = match("MESSAGE#39:ipc_msg_write", "nwparser.payload", "%{node->} %{process}: IPC message type: %{event_type}, subtype: %{resultcode->} exceeds MTU, mtu %{dclass_counter1}, length %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","IPC message exceeds MTU"), + dup23, ])); -var msg40 = msg("ipc_msg_write", part56); +var msg40 = msg("ipc_msg_write", part57); -var part57 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ - dup27, - dup21, - setc("event_description","listener connection established"), +var part58 = match("MESSAGE#40:connection_established", "nwparser.payload", "%{process}: %{service}: conn established: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}", processor_chain([ + dup28, dup22, + setc("event_description","listener connection established"), + dup23, ])); -var msg41 = msg("connection_established", part57); +var msg41 = msg("connection_established", part58); -var part58 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); +var part59 = match("MESSAGE#41:connection_dropped/0", "nwparser.payload", "%{process}: %{p0}"); -var part59 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport->} "); +var part60 = match("MESSAGE#41:connection_dropped/1_0", "nwparser.p0", "%{result}, connection dropped - src %{saddr}:%{sport->} dest %{daddr}:%{dport}"); -var part60 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2->} "); +var part61 = match("MESSAGE#41:connection_dropped/1_1", "nwparser.p0", "%{result}: conn dropped: listener idx=%{dclass_counter1->} tnpaddr=%{dclass_counter2}"); var select16 = linear_select([ - part59, part60, + part61, ]); var all11 = all_match({ processors: [ - part58, + part59, select16, ], on_success: processor_chain([ - dup26, - dup21, - setc("event_description","connection dropped"), + dup27, dup22, + setc("event_description","connection dropped"), + dup23, ]), }); var msg42 = msg("connection_dropped", all11); -var part61 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ - dup20, +var part62 = match("MESSAGE#42:kernel", "nwparser.payload", "%{process}: %{interface}: Asserting SONET alarm(s) %{info}", processor_chain([ dup21, - setc("event_description","Asserting SONET alarm(s)"), dup22, + setc("event_description","Asserting SONET alarm(s)"), + dup23, ])); -var msg43 = msg("kernel", part61); +var msg43 = msg("kernel", part62); -var part62 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ - dup20, +var part63 = match("MESSAGE#43:kernel:01", "nwparser.payload", "%{process}: %{interface->} down: %{result}.", processor_chain([ dup21, - setc("event_description","interface down"), dup22, + setc("event_description","interface down"), + dup23, ])); -var msg44 = msg("kernel:01", part62); +var msg44 = msg("kernel:01", part63); -var part63 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ - dup20, +var part64 = match("MESSAGE#44:kernel:02", "nwparser.payload", "%{process}: %{interface}: loopback suspected; %{result}", processor_chain([ dup21, - setc("event_description","loopback suspected om interface"), dup22, + setc("event_description","loopback suspected om interface"), + dup23, ])); -var msg45 = msg("kernel:02", part63); +var msg45 = msg("kernel:02", part64); -var part64 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","soreceive error"), +var part65 = match("MESSAGE#45:kernel:03", "nwparser.payload", "%{process}: %{service}: soreceive() error %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","soreceive error"), + dup23, ])); -var msg46 = msg("kernel:03", part64); +var msg46 = msg("kernel:03", part65); -var part65 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ - dup20, +var part66 = match("MESSAGE#46:kernel:04", "nwparser.payload", "%{process}: %{service->} !VALID(state 4)->%{result}", processor_chain([ dup21, - setc("event_description","pfe_peer_alloc state 4"), dup22, + setc("event_description","pfe_peer_alloc state 4"), + dup23, ])); -var msg47 = msg("kernel:04", part65); +var msg47 = msg("kernel:04", part66); -var part66 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup20, +var part67 = match("MESSAGE#47:kernel:05", "nwparser.payload", "%{fld1->} %{hostip->} (%{fld2}) %{fld3->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ dup21, - dup31, dup22, + dup32, + dup23, ])); -var msg48 = msg("kernel:05", part66); +var msg48 = msg("kernel:05", part67); -var part67 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup20, +var part68 = match("MESSAGE#48:kernel:06", "nwparser.payload", "%{fld1->} %{hostip->} %{process}[%{process_id}]: NTP Server %{result}", processor_chain([ dup21, - dup31, dup22, + dup32, + dup23, ])); -var msg49 = msg("kernel:06", part67); +var msg49 = msg("kernel:06", part68); var select17 = linear_select([ msg41, @@ -1601,41 +1628,41 @@ var select17 = linear_select([ msg49, ]); -var part68 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ - dup32, +var part69 = match("MESSAGE#49:successful_login", "nwparser.payload", "%{process}: login from %{saddr->} on %{interface->} as %{username}", processor_chain([ dup33, dup34, dup35, dup36, - dup21, - setc("event_description","successful user login"), + dup37, dup22, + setc("event_description","successful user login"), + dup23, ])); -var msg50 = msg("successful_login", part68); +var msg50 = msg("successful_login", part69); -var part69 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ - dup32, +var part70 = match("MESSAGE#50:login_attempt", "nwparser.payload", "%{process}: Login attempt for user %{username->} from host %{hostip}", processor_chain([ dup33, dup34, dup35, - dup21, - setc("event_description","user login attempt"), + dup36, dup22, + setc("event_description","user login attempt"), + dup23, ])); -var msg51 = msg("login_attempt", part69); +var msg51 = msg("login_attempt", part70); -var part70 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ - dup32, +var part71 = match("MESSAGE#51:login", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ dup33, - dup36, - dup21, - setc("event_description","PAM module return from login"), + dup34, + dup37, dup22, + setc("event_description","PAM module return from login"), + dup23, ])); -var msg52 = msg("login", part70); +var msg52 = msg("login", part71); var select18 = linear_select([ msg50, @@ -1643,76 +1670,76 @@ var select18 = linear_select([ msg52, ]); -var part71 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ - dup20, +var part72 = match("MESSAGE#52:lsys_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing lsys root-logical-system %{info}", processor_chain([ dup21, - setc("event_description","processing lsys root-logical-system"), dup22, + setc("event_description","processing lsys root-logical-system"), + dup23, ])); -var msg53 = msg("lsys_ssam_handler", part71); +var msg53 = msg("lsys_ssam_handler", part72); -var part72 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ - dup20, +var part73 = match("MESSAGE#53:mcsn", "nwparser.payload", "%{process}[%{process_id}]: Removing mif from group [%{group}] %{space->} %{result}", processor_chain([ dup21, - setc("event_description","Removing mif from group"), dup22, + setc("event_description","Removing mif from group"), + dup23, ])); -var msg54 = msg("mcsn", part72); +var msg54 = msg("mcsn", part73); -var part73 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ - dup29, - dup21, - setc("event_description","Firewall rows could not be redirected on device"), +var part74 = match("MESSAGE#54:mrvl_dfw_log_effuse_status", "nwparser.payload", "%{process}: Firewall rows could not be redirected on device %{device}.", processor_chain([ + dup30, dup22, + setc("event_description","Firewall rows could not be redirected on device"), + dup23, ])); -var msg55 = msg("mrvl_dfw_log_effuse_status", part73); +var msg55 = msg("mrvl_dfw_log_effuse_status", part74); -var part74 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ - dup29, - dup21, - setc("event_description","mfilter already exists for add"), +var part75 = match("MESSAGE#55:MRVL-L2", "nwparser.payload", "%{process}:%{action}(),%{process_id}:MFilter (%{filter}) already exists", processor_chain([ + dup30, dup22, + setc("event_description","mfilter already exists for add"), + dup23, ])); -var msg56 = msg("MRVL-L2", part74); +var msg56 = msg("MRVL-L2", part75); -var part75 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ - dup20, +var part76 = match("MESSAGE#56:profile_ssam_handler", "nwparser.payload", "%{node->} %{process}: processing profile SP-root %{info}", processor_chain([ dup21, - setc("event_description","processing profile SP-root"), dup22, + setc("event_description","processing profile SP-root"), + dup23, ])); -var msg57 = msg("profile_ssam_handler", part75); +var msg57 = msg("profile_ssam_handler", part76); -var part76 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","can't get resource bucket"), +var part77 = match("MESSAGE#57:pst_nat_binding_set_profile", "nwparser.payload", "%{node->} %{process}: %{event_source}: can't get resource bucket %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","can't get resource bucket"), + dup23, ])); -var msg58 = msg("pst_nat_binding_set_profile", part76); +var msg58 = msg("pst_nat_binding_set_profile", part77); -var part77 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ - dup20, +var part78 = match("MESSAGE#58:task_reconfigure", "nwparser.payload", "%{process}[%{process_id}]: task_reconfigure %{action}", processor_chain([ dup21, - setc("event_description","reinitializing done"), dup22, + setc("event_description","reinitializing done"), + dup23, ])); -var msg59 = msg("task_reconfigure", part77); +var msg59 = msg("task_reconfigure", part78); -var part78 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode->} "); +var part79 = match("MESSAGE#59:tnetd/0_0", "nwparser.payload", "%{process}[%{process_id}]:%{service}[%{fld1}]: exit status%{resultcode}"); -var part79 = match("MESSAGE#59:tnetd/0_1", "nwparser.payload", "%{fld3}"); +var part80 = match_copy("MESSAGE#59:tnetd/0_1", "nwparser.payload", "fld3"); var select19 = linear_select([ - part78, part79, + part80, ]); var all12 = all_match({ @@ -1720,95 +1747,95 @@ var all12 = all_match({ select19, ], on_success: processor_chain([ - dup20, dup21, dup22, dup23, + dup24, ]), }); var msg60 = msg("tnetd", all12); -var part80 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ - dup20, +var part81 = match("MESSAGE#60:PFEMAN", "nwparser.payload", "%{process}: Session manager active", processor_chain([ dup21, - setc("event_description","Session manager active"), dup22, + setc("event_description","Session manager active"), + dup23, ])); -var msg61 = msg("PFEMAN", part80); +var msg61 = msg("PFEMAN", part81); -var part81 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ - dup29, - dup21, - setc("event_description","Could not send message to service"), +var part82 = match("MESSAGE#61:mgd", "nwparser.payload", "%{process}[%{process_id}]: Could not send message to %{service}", processor_chain([ + dup30, dup22, + setc("event_description","Could not send message to service"), + dup23, ])); -var msg62 = msg("mgd", part81); +var msg62 = msg("mgd", part82); -var part82 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ - dup20, +var part83 = match("MESSAGE#62:Resolve", "nwparser.payload", "Resolve request came for an address matching on Wrong nh nh:%{result}, %{info}", processor_chain([ dup21, - setc("event_description","Resolve request came for an address matching on Wrong nh"), dup22, + setc("event_description","Resolve request came for an address matching on Wrong nh"), + dup23, ])); -var msg63 = msg("Resolve", part82); +var msg63 = msg("Resolve", part83); -var part83 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ - dup20, +var part84 = match("MESSAGE#63:respawn", "nwparser.payload", "%{process}: %{service->} exited with status = %{resultcode}", processor_chain([ dup21, - setc("event_description","service exited with status"), dup22, + setc("event_description","service exited with status"), + dup23, ])); -var msg64 = msg("respawn", part83); +var msg64 = msg("respawn", part84); -var part84 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ - dup29, - dup21, - setc("event_description","system does not have 3-DNS or Link Controller enabled"), +var part85 = match("MESSAGE#64:root", "nwparser.payload", "%{process}: %{node}: This system does not have 3-DNS or Link Controller enabled", processor_chain([ + dup30, dup22, + setc("event_description","system does not have 3-DNS or Link Controller enabled"), + dup23, ])); -var msg65 = msg("root", part84); +var msg65 = msg("root", part85); -var part85 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ - dup20, +var part86 = match("MESSAGE#65:rpd", "nwparser.payload", "%{process}[%{process_id}]: Received %{result->} for intf device %{interface}; mc_ae_id %{dclass_counter1}, status %{resultcode}", processor_chain([ dup21, - setc("event_description","Received data for interface"), dup22, + setc("event_description","Received data for interface"), + dup23, ])); -var msg66 = msg("rpd", part85); +var msg66 = msg("rpd", part86); -var part86 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ - dup20, +var part87 = match("MESSAGE#66:rpd:01", "nwparser.payload", "%{process}[%{process_id}]: RSVP neighbor %{daddr->} up on interface %{interface}", processor_chain([ dup21, - setc("event_description","RSVP neighbor up on interface "), dup22, + setc("event_description","RSVP neighbor up on interface "), + dup23, ])); -var msg67 = msg("rpd:01", part86); +var msg67 = msg("rpd:01", part87); -var part87 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ - dup20, +var part88 = match("MESSAGE#67:rpd:02", "nwparser.payload", "%{process}[%{process_id}]: %{saddr->} (%{shost}): reseting pending active connection", processor_chain([ dup21, - setc("event_description","reseting pending active connection"), dup22, + setc("event_description","reseting pending active connection"), + dup23, ])); -var msg68 = msg("rpd:02", part87); +var msg68 = msg("rpd:02", part88); -var part88 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. %{param}", processor_chain([ - dup20, +var part89 = match("MESSAGE#68:rpd_proceeding", "nwparser.payload", "%{process}: proceeding. %{param}", processor_chain([ dup21, - dup37, dup22, + dup38, + dup23, ])); -var msg69 = msg("rpd_proceeding", part88); +var msg69 = msg("rpd_proceeding", part89); var select20 = linear_select([ msg66, @@ -1817,201 +1844,201 @@ var select20 = linear_select([ msg69, ]); -var part89 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ - dup20, +var part90 = match("MESSAGE#69:rshd", "nwparser.payload", "%{process}[%{process_id}]: %{username->} as root: cmd='%{action}'", processor_chain([ dup21, - setc("event_description","user issuing command as root"), dup22, + setc("event_description","user issuing command as root"), + dup23, ])); -var msg70 = msg("rshd", part89); +var msg70 = msg("rshd", part90); -var part90 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ - dup20, +var part91 = match("MESSAGE#70:sfd", "nwparser.payload", "%{process}: Waiting on accept", processor_chain([ dup21, - setc("event_description","sfd waiting on accept"), dup22, + setc("event_description","sfd waiting on accept"), + dup23, ])); -var msg71 = msg("sfd", part90); +var msg71 = msg("sfd", part91); -var part91 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ - dup32, +var part92 = match("MESSAGE#71:sshd", "nwparser.payload", "%{process}[%{process_id}]: Accepted password for %{username->} from %{saddr->} port %{sport->} %{protocol}", processor_chain([ dup33, dup34, dup35, dup36, - dup21, - setc("event_description","Accepted password"), + dup37, dup22, + setc("event_description","Accepted password"), + dup23, ])); -var msg72 = msg("sshd", part91); +var msg72 = msg("sshd", part92); -var part92 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ - dup26, - dup21, - setc("event_description","Received disconnect"), +var part93 = match("MESSAGE#73:sshd:02", "nwparser.payload", "%{process}[%{process_id}]: Received disconnect from %{shost}: %{fld1}: %{result}", processor_chain([ + dup27, dup22, + setc("event_description","Received disconnect"), + dup23, ])); -var msg73 = msg("sshd:02", part92); +var msg73 = msg("sshd:02", part93); -var part93 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ - dup29, - dup21, +var part94 = match("MESSAGE#74:sshd:03", "nwparser.payload", "%{process}[%{process_id}]: Did not receive identification string from %{saddr}", processor_chain([ + dup30, + dup22, setc("result","no identification string"), setc("event_description","Did not receive identification string from peer"), - dup22, + dup23, ])); -var msg74 = msg("sshd:03", part93); +var msg74 = msg("sshd:03", part94); -var part94 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ - dup29, - dup21, - setc("event_description","Could not write ident string"), +var part95 = match("MESSAGE#75:sshd:04", "nwparser.payload", "%{process}[%{process_id}]: Could not write ident string to %{dhost}", processor_chain([ + dup30, dup22, + setc("event_description","Could not write ident string"), + dup23, ])); -var msg75 = msg("sshd:04", part94); +var msg75 = msg("sshd:04", part95); -var part95 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ - dup20, +var part96 = match("MESSAGE#76:sshd:05", "nwparser.payload", "%{process}[%{process_id}]: subsystem request for netconf", processor_chain([ dup21, - setc("event_description","subsystem request for netconf"), dup22, + setc("event_description","subsystem request for netconf"), + dup23, ])); -var msg76 = msg("sshd:05", part95); +var msg76 = msg("sshd:05", part96); -var part96 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "%{}sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); +var part97 = match("MESSAGE#77:sshd:06/2", "nwparser.p0", "sendmsg to %{saddr}(%{shost}).%{sport}: %{info}"); var all13 = all_match({ processors: [ - dup38, - dup134, - part96, + dup39, + dup137, + part97, ], on_success: processor_chain([ - dup28, - dup21, - setc("event_description","send message stats"), + dup29, dup22, + setc("event_description","send message stats"), + dup23, ]), }); var msg77 = msg("sshd:06", all13); -var part97 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "%{}Added radius server %{saddr}(%{shost})"); +var part98 = match("MESSAGE#78:sshd:07/2", "nwparser.p0", "Added radius server %{saddr}(%{shost})"); var all14 = all_match({ processors: [ - dup38, - dup134, - part97, + dup39, + dup137, + part98, ], on_success: processor_chain([ - dup41, + dup42, setc("ec_theme","Configuration"), setc("ec_activity","Modify"), - dup36, - dup21, - setc("event_description","Added radius server"), + dup37, dup22, + setc("event_description","Added radius server"), + dup23, ]), }); var msg78 = msg("sshd:07", all14); -var part98 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ +var part99 = match("MESSAGE#79:sshd:08", "nwparser.payload", "%{process}[%{process_id}]: %{result}: %{space->} [%{resultcode}]authentication error", processor_chain([ setc("eventcategory","1301020000"), - dup33, - dup42, - dup21, - setc("event_description","authentication error"), + dup34, + dup43, dup22, + setc("event_description","authentication error"), + dup23, ])); -var msg79 = msg("sshd:08", part98); +var msg79 = msg("sshd:08", part99); -var part99 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ - dup29, - dup21, - setc("event_description","unrecognized attribute in policy"), +var part100 = match("MESSAGE#80:sshd:09", "nwparser.payload", "%{process}[%{process_id}]: unrecognized attribute in %{policyname}: %{change_attribute}", processor_chain([ + dup30, dup22, + setc("event_description","unrecognized attribute in policy"), + dup23, ])); -var msg80 = msg("sshd:09", part99); +var msg80 = msg("sshd:09", part100); -var part100 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ +var part101 = match("MESSAGE#81:sshd:10", "nwparser.payload", "%{process}: PAM module %{dclass_counter1->} returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup44, + dup34, dup43, - dup33, - dup42, - dup21, - setc("event_description","PAM module return from sshd"), dup22, + setc("event_description","PAM module return from sshd"), + dup23, ])); -var msg81 = msg("sshd:10", part100); +var msg81 = msg("sshd:10", part101); -var part101 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ +var part102 = match("MESSAGE#82:sshd:11", "nwparser.payload", "%{process}: PAM authentication chain returned: %{space}[%{resultcode}]%{result}", processor_chain([ + dup44, + dup34, dup43, - dup33, - dup42, - dup21, - setc("event_description","PAM authentication chain return"), dup22, + setc("event_description","PAM authentication chain return"), + dup23, ])); -var msg82 = msg("sshd:11", part101); +var msg82 = msg("sshd:11", part102); -var part102 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","can't get client address"), +var part103 = match("MESSAGE#83:sshd:12", "nwparser.payload", "%{process}: %{severity}: can't get client address: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","can't get client address"), + dup23, ])); -var msg83 = msg("sshd:12", part102); +var msg83 = msg("sshd:12", part103); -var part103 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ - dup29, - dup21, - setc("event_description","auth server unresponsive"), +var part104 = match("MESSAGE#84:sshd:13", "nwparser.payload", "%{process}: auth server unresponsive", processor_chain([ + dup30, dup22, + setc("event_description","auth server unresponsive"), + dup23, ])); -var msg84 = msg("sshd:13", part103); +var msg84 = msg("sshd:13", part104); -var part104 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ - dup29, - dup21, - setc("event_description","No valid RADIUS responses received"), +var part105 = match("MESSAGE#85:sshd:14", "nwparser.payload", "%{process}: %{service}: No valid RADIUS responses received", processor_chain([ + dup30, dup22, + setc("event_description","No valid RADIUS responses received"), + dup23, ])); -var msg85 = msg("sshd:14", part104); +var msg85 = msg("sshd:14", part105); -var part105 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ - dup20, +var part106 = match("MESSAGE#86:sshd:15", "nwparser.payload", "%{process}: Moving to next server: %{saddr}(%{shost}).%{sport}", processor_chain([ dup21, - setc("event_description","Moving to next server"), dup22, + setc("event_description","Moving to next server"), + dup23, ])); -var msg86 = msg("sshd:15", part105); +var msg86 = msg("sshd:15", part106); -var part106 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ +var part107 = match("MESSAGE#87:sshd:16", "nwparser.payload", "%{fld1->} sshd: SSHD_LOGIN_FAILED: Login failed for user '%{username}' from host '%{hostip}'.", processor_chain([ + dup44, + dup34, dup43, - dup33, - dup42, - dup21, - setc("event_description","Login failed for user"), dup22, + setc("event_description","Login failed for user"), + dup23, ])); -var msg87 = msg("sshd:16", part106); +var msg87 = msg("sshd:16", part107); var select21 = linear_select([ msg72, @@ -2032,84 +2059,84 @@ var select21 = linear_select([ msg87, ]); -var part107 = match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); +var part108 = match("MESSAGE#72:Failed:05/0", "nwparser.payload", "%{process}[%{process_id}]: Failed password for %{p0}"); -var part108 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); +var part109 = match("MESSAGE#72:Failed:05/1_0", "nwparser.p0", "illegal user %{p0}"); -var part109 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); +var part110 = match("MESSAGE#72:Failed:05/1_1", "nwparser.p0", "invalid user %{p0}"); var select22 = linear_select([ - part108, part109, - dup44, + part110, + dup45, ]); -var part110 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{} %{username->} from %{saddr->} port %{sport->} %{protocol}"); +var part111 = match("MESSAGE#72:Failed:05/2", "nwparser.p0", "%{username->} from %{saddr->} port %{sport->} %{protocol}"); var all15 = all_match({ processors: [ - part107, + part108, select22, - part110, + part111, ], on_success: processor_chain([ - dup43, - dup33, + dup44, dup34, dup35, - dup42, - dup21, - setc("event_description","authentication failure"), + dup36, + dup43, dup22, + setc("event_description","authentication failure"), + dup23, ]), }); var msg88 = msg("Failed:05", all15); -var part111 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); +var part112 = match("MESSAGE#746:Failed/0", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: Failed to resolve ipv%{p0}"); -var part112 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); +var part113 = match("MESSAGE#746:Failed/1_0", "nwparser.p0", "4%{p0}"); -var part113 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); +var part114 = match("MESSAGE#746:Failed/1_1", "nwparser.p0", "6%{p0}"); var select23 = linear_select([ - part112, part113, + part114, ]); -var part114 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); +var part115 = match("MESSAGE#746:Failed/2", "nwparser.p0", "%{}addresses for domain name %{sdomain}"); var all16 = all_match({ processors: [ - part111, + part112, select23, - part114, + part115, ], on_success: processor_chain([ - dup45, dup46, + dup47, + dup23, dup22, - dup21, ]), }); var msg89 = msg("Failed", all16); -var part115 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ - dup45, +var part116 = match("MESSAGE#767:Failed:01", "nwparser.payload", "%{hostname->} %{process}[%{process_id}]: %{fld1}", processor_chain([ + dup46, + dup23, dup22, - dup21, ])); -var msg90 = msg("Failed:01", part115); +var msg90 = msg("Failed:01", part116); -var part116 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice "); +var part117 = match("MESSAGE#768:Failed:02/0_0", "nwparser.payload", "%{fld1->} to create a route if table for Multiservice"); -var part117 = match("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "%{fld10}"); +var part118 = match_copy("MESSAGE#768:Failed:02/0_1", "nwparser.payload", "fld10"); var select24 = linear_select([ - part116, part117, + part118, ]); var all17 = all_match({ @@ -2117,9 +2144,9 @@ var all17 = all_match({ select24, ], on_success: processor_chain([ - dup45, + dup46, + dup23, dup22, - dup21, setf("hostname","hfld1"), ]), }); @@ -2133,118 +2160,118 @@ var select25 = linear_select([ msg91, ]); -var part118 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ - dup20, +var part119 = match("MESSAGE#88:syslogd", "nwparser.payload", "%{process}: restart", processor_chain([ dup21, - setc("event_description","syslog daemon restart"), dup22, + setc("event_description","syslog daemon restart"), + dup23, ])); -var msg92 = msg("syslogd", part118); +var msg92 = msg("syslogd", part119); -var part119 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ - dup20, +var part120 = match("MESSAGE#89:ucd-snmp", "nwparser.payload", "%{process}[%{process_id}]: AUDIT -- Action %{action->} User: %{username}", processor_chain([ dup21, - dup24, dup22, + dup25, + dup23, ])); -var msg93 = msg("ucd-snmp", part119); +var msg93 = msg("ucd-snmp", part120); -var part120 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ - dup20, +var part121 = match("MESSAGE#90:ucd-snmp:01", "nwparser.payload", "%{process}[%{process_id}]: Received TERM or STOP signal %{space->} %{result}.", processor_chain([ dup21, - setc("event_description","Received TERM or STOP signal"), dup22, + setc("event_description","Received TERM or STOP signal"), + dup23, ])); -var msg94 = msg("ucd-snmp:01", part120); +var msg94 = msg("ucd-snmp:01", part121); var select26 = linear_select([ msg93, msg94, ]); -var part121 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ - dup26, - dup21, - setc("event_description","failed to connect to the server"), +var part122 = match("MESSAGE#91:usp_ipc_client_reconnect", "nwparser.payload", "%{node->} %{process}: failed to connect to the server: %{result->} (%{resultcode})", processor_chain([ + dup27, dup22, + setc("event_description","failed to connect to the server"), + dup23, ])); -var msg95 = msg("usp_ipc_client_reconnect", part121); +var msg95 = msg("usp_ipc_client_reconnect", part122); -var part122 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. %{result}", processor_chain([ - dup26, - dup21, - setc("event_description","Trace client disconnected"), +var part123 = match("MESSAGE#92:usp_trace_ipc_disconnect", "nwparser.payload", "%{node->} %{process}:Trace client disconnected. %{result}", processor_chain([ + dup27, dup22, + setc("event_description","Trace client disconnected"), + dup23, ])); -var msg96 = msg("usp_trace_ipc_disconnect", part122); +var msg96 = msg("usp_trace_ipc_disconnect", part123); -var part123 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ - dup29, - dup21, - setc("event_description","USP trace client cannot reconnect to server"), +var part124 = match("MESSAGE#93:usp_trace_ipc_reconnect", "nwparser.payload", "%{node->} %{process}:USP trace client cannot reconnect to server", processor_chain([ + dup30, dup22, + setc("event_description","USP trace client cannot reconnect to server"), + dup23, ])); -var msg97 = msg("usp_trace_ipc_reconnect", part123); +var msg97 = msg("usp_trace_ipc_reconnect", part124); -var part124 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ - dup20, +var part125 = match("MESSAGE#94:uspinfo", "nwparser.payload", "%{process}: flow_print_session_summary_output received %{info}", processor_chain([ dup21, - setc("event_description","flow_print_session_summary_output received"), dup22, + setc("event_description","flow_print_session_summary_output received"), + dup23, ])); -var msg98 = msg("uspinfo", part124); +var msg98 = msg("uspinfo", part125); -var part125 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ - dup20, +var part126 = match("MESSAGE#95:Version", "nwparser.payload", "Version %{version->} by builder on %{event_time_string}", processor_chain([ dup21, - setc("event_description","Version build date"), dup22, + setc("event_description","Version build date"), + dup23, ])); -var msg99 = msg("Version", part125); +var msg99 = msg("Version", part126); -var part126 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %{filename}", processor_chain([ - dup20, +var part127 = match("MESSAGE#96:xntpd", "nwparser.payload", "%{process}[%{process_id}]: frequency initialized %{result->} from %{filename}", processor_chain([ dup21, - setc("event_description","frequency initialized from file"), dup22, + setc("event_description","frequency initialized from file"), + dup23, ])); -var msg100 = msg("xntpd", part126); +var msg100 = msg("xntpd", part127); -var part127 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ - dup20, +var part128 = match("MESSAGE#97:xntpd:01", "nwparser.payload", "%{process}[%{process_id}]: ntpd %{version->} %{event_time_string->} (%{resultcode})", processor_chain([ dup21, - setc("event_description","nptd version build"), dup22, + setc("event_description","nptd version build"), + dup23, ])); -var msg101 = msg("xntpd:01", part127); +var msg101 = msg("xntpd:01", part128); -var part128 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ - dup20, +var part129 = match("MESSAGE#98:xntpd:02", "nwparser.payload", "%{process}: kernel time sync enabled %{result}", processor_chain([ dup21, - setc("event_description","kernel time sync enabled"), dup22, + setc("event_description","kernel time sync enabled"), + dup23, ])); -var msg102 = msg("xntpd:02", part128); +var msg102 = msg("xntpd:02", part129); -var part129 = match("MESSAGE#99:xntpd:03", "nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ - dup20, +var part130 = match("MESSAGE#99:xntpd:03", "nwparser.payload", "%{process}[%{process_id}]: NTP Server %{result}", processor_chain([ dup21, - dup31, dup22, + dup32, + dup23, ])); -var msg103 = msg("xntpd:03", part129); +var msg103 = msg("xntpd:03", part130); var select27 = linear_select([ msg100, @@ -2253,3665 +2280,3659 @@ var select27 = linear_select([ msg103, ]); -var part130 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ - dup20, +var part131 = match("MESSAGE#100:last", "nwparser.payload", "last message repeated %{dclass_counter1->} times", processor_chain([ dup21, - setc("event_description","last message repeated"), dup22, + setc("event_description","last message repeated"), + dup23, ])); -var msg104 = msg("last", part130); +var msg104 = msg("last", part131); -var part131 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ +var part132 = match("MESSAGE#739:last:01", "nwparser.payload", "message repeated %{dclass_counter1->} times", processor_chain([ + dup48, dup47, - dup46, - dup22, - dup21, dup23, + dup22, + dup24, ])); -var msg105 = msg("last:01", part131); +var msg105 = msg("last:01", part132); var select28 = linear_select([ msg104, msg105, ]); -var part132 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ - dup29, - dup21, - setc("event_description","cannot write ucode mask reg"), +var part133 = match("MESSAGE#101:BCHIP", "nwparser.payload", "%{process->} %{device}: cannot write ucode mask reg", processor_chain([ + dup30, dup22, + setc("event_description","cannot write ucode mask reg"), + dup23, ])); -var msg106 = msg("BCHIP", part132); +var msg106 = msg("BCHIP", part133); -var part133 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ - dup20, +var part134 = match("MESSAGE#102:CM", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}: On-line", processor_chain([ dup21, - setc("event_description","Slot on-line"), dup22, + setc("event_description","Slot on-line"), + dup23, ])); -var msg107 = msg("CM", part133); +var msg107 = msg("CM", part134); -var part134 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ - dup20, +var part135 = match("MESSAGE#103:COS", "nwparser.payload", "%{process}: Received FC->Q map, %{info}", processor_chain([ dup21, - setc("event_description","Received FC Q map"), dup22, + setc("event_description","Received FC Q map"), + dup23, ])); -var msg108 = msg("COS", part134); +var msg108 = msg("COS", part135); -var part135 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ - dup20, +var part136 = match("MESSAGE#104:COSFPC", "nwparser.payload", "%{process}: ifd %{resultcode}: %{result}", processor_chain([ dup21, - setc("event_description","ifd error"), dup22, + setc("event_description","ifd error"), + dup23, ])); -var msg109 = msg("COSFPC", part135); +var msg109 = msg("COSFPC", part136); -var part136 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ - dup20, +var part137 = match("MESSAGE#105:COSMAN", "nwparser.payload", "%{process}: %{service}: delete class_to_ifl table %{dclass_counter1}, ifl %{dclass_counter2}", processor_chain([ dup21, - setc("event_description","delete class to ifl link"), dup22, + setc("event_description","delete class to ifl link"), + dup23, ])); -var msg110 = msg("COSMAN", part136); +var msg110 = msg("COSMAN", part137); -var part137 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ - dup29, - dup21, - setc("event_description","Keepalive timeout"), +var part138 = match("MESSAGE#106:RDP", "nwparser.payload", "%{process}: Keepalive timeout for rdp.(%{interface}).(%{device}) (%{result})", processor_chain([ + dup30, dup22, + setc("event_description","Keepalive timeout"), + dup23, ])); -var msg111 = msg("RDP", part137); +var msg111 = msg("RDP", part138); -var part138 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ - dup29, - dup21, - setc("event_description","Initial time of day set"), +var part139 = match("MESSAGE#107:SNTPD", "nwparser.payload", "%{process}: Initial time of day set", processor_chain([ + dup30, dup22, + setc("event_description","Initial time of day set"), + dup23, ])); -var msg112 = msg("SNTPD", part138); +var msg112 = msg("SNTPD", part139); -var part139 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ - dup20, +var part140 = match("MESSAGE#108:SSB", "nwparser.payload", "%{process}(%{fld1}): Slot %{device}, serial number S/N %{serial_number}.", processor_chain([ dup21, - setc("event_description","Slot serial number"), dup22, + setc("event_description","Slot serial number"), + dup23, ])); -var msg113 = msg("SSB", part139); +var msg113 = msg("SSB", part140); -var part140 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %{filename}", processor_chain([ - dup29, - dup21, - setc("event_description","Unexpected error"), +var part141 = match("MESSAGE#109:ACCT_ACCOUNTING_FERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error %{result->} from file %{filename}", processor_chain([ + dup30, dup22, + setc("event_description","Unexpected error"), + dup23, ])); -var msg114 = msg("ACCT_ACCOUNTING_FERROR", part140); +var msg114 = msg("ACCT_ACCOUNTING_FERROR", part141); -var part141 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %{filename}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Failed to open file"), +var part142 = match("MESSAGE#110:ACCT_ACCOUNTING_FOPEN_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to open file %{filename}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Failed to open file"), + dup23, ])); -var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part141); +var msg115 = msg("ACCT_ACCOUNTING_FOPEN_ERROR", part142); -var part142 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ - dup48, - dup21, - setc("event_description","File size mismatch"), +var part143 = match("MESSAGE#111:ACCT_ACCOUNTING_SMALL_FILE_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File %{filename->} size (%{dclass_counter1}) is smaller than record size (%{dclass_counter2})", processor_chain([ + dup49, dup22, + setc("event_description","File size mismatch"), + dup23, ])); -var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", part142); +var msg116 = msg("ACCT_ACCOUNTING_SMALL_FILE_SIZE", part143); -var part143 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ - dup48, - dup21, - setc("event_description","Invalid statistics record"), +var part144 = match("MESSAGE#112:ACCT_BAD_RECORD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid statistics record: %{result}", processor_chain([ + dup49, dup22, + setc("event_description","Invalid statistics record"), + dup23, ])); -var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part143); +var msg117 = msg("ACCT_BAD_RECORD_FORMAT", part144); -var part144 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ - dup48, - dup21, - setc("event_description","Class usage statistics error for interface"), +var part145 = match("MESSAGE#113:ACCT_CU_RTSLIB_error", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} getting class usage statistics for interface %{interface}: %{result}", processor_chain([ + dup49, dup22, + setc("event_description","Class usage statistics error for interface"), + dup23, ])); -var msg118 = msg("ACCT_CU_RTSLIB_error", part144); +var msg118 = msg("ACCT_CU_RTSLIB_error", part145); -var part145 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); +var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_0", "nwparser.p0", "Error %{resultcode->} trying %{p0}"); -var part146 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); +var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/1_1", "nwparser.p0", "trying %{p0}"); var select29 = linear_select([ - part145, part146, + part147, ]); -var part147 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "%{}to get hostname"); +var part148 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/2", "nwparser.p0", "to get hostname%{}"); var all18 = all_match({ processors: [ - dup49, + dup50, select29, - part147, + part148, ], on_success: processor_chain([ - dup48, - dup21, - setc("event_description","error trying to get hostname"), + dup49, dup22, + setc("event_description","error trying to get hostname"), + dup23, ]), }); var msg119 = msg("ACCT_GETHOSTNAME_error", all18); -var part148 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ - dup50, - dup21, - setc("event_description","Memory allocation failure"), +var part149 = match("MESSAGE#115:ACCT_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed while reallocating %{obj_name}", processor_chain([ + dup51, dup22, + setc("event_description","Memory allocation failure"), + dup23, ])); -var msg120 = msg("ACCT_MALLOC_FAILURE", part148); +var msg120 = msg("ACCT_MALLOC_FAILURE", part149); -var part149 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ - dup29, - dup21, - setc("event_description","Accounting profile counter not defined in firewall"), +var part150 = match("MESSAGE#116:ACCT_UNDEFINED_COUNTER_NAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} in accounting profile %{dclass_counter1->} is not defined in a firewall using this filter profile", processor_chain([ + dup30, dup22, + setc("event_description","Accounting profile counter not defined in firewall"), + dup23, ])); -var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part149); +var msg121 = msg("ACCT_UNDEFINED_COUNTER_NAME", part150); -var part150 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ - dup29, - dup21, - setc("event_description","ACCT_XFER_FAILED"), +var part151 = match("MESSAGE#117:ACCT_XFER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: %{disposition}", processor_chain([ + dup30, dup22, + setc("event_description","ACCT_XFER_FAILED"), + dup23, ])); -var msg122 = msg("ACCT_XFER_FAILED", part150); +var msg122 = msg("ACCT_XFER_FAILED", part151); -var part151 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %{filename}", processor_chain([ - dup29, - dup21, - setc("event_description","POPEN FAIL invoking command command to transfer file"), +var part152 = match("MESSAGE#118:ACCT_XFER_POPEN_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{result}: in invoking command command to transfer file %{filename}", processor_chain([ + dup30, dup22, + setc("event_description","POPEN FAIL invoking command command to transfer file"), + dup23, ])); -var msg123 = msg("ACCT_XFER_POPEN_FAIL", part151); +var msg123 = msg("ACCT_XFER_POPEN_FAIL", part152); -var part152 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ - dup27, - dup21, - dup51, +var part153 = match("MESSAGE#119:APPQOS_LOG_EVENT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} timestamp=\"%{result}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" application-name=\"%{application}\" rule-set-name=\"%{rule_group}\" rule-name=\"%{rulename}\" action=\"%{action}\" argument=\"%{fld2}\" argument1=\"%{fld3}\"]", processor_chain([ + dup28, + dup22, + dup52, ])); -var msg124 = msg("APPQOS_LOG_EVENT", part152); +var msg124 = msg("APPQOS_LOG_EVENT", part153); -var part153 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ - dup27, - dup52, +var part154 = match("MESSAGE#120:APPTRACK_SESSION_CREATE", "nwparser.payload", "%{event_type}: AppTrack session created %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username->} %{fld10}", processor_chain([ + dup28, dup53, - dup21, - setc("result","AppTrack session created"), + dup54, dup22, + setc("result","AppTrack session created"), + dup23, ])); -var msg125 = msg("APPTRACK_SESSION_CREATE", part153); +var msg125 = msg("APPTRACK_SESSION_CREATE", part154); -var part154 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, +var part155 = match("MESSAGE#121:APPTRACK_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup28, + dup53, + dup55, + dup22, dup52, - dup54, - dup21, - dup51, ])); -var msg126 = msg("APPTRACK_SESSION_CLOSE", part154); +var msg126 = msg("APPTRACK_SESSION_CLOSE", part155); -var part155 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup27, - dup52, - dup54, - dup21, +var part156 = match("MESSAGE#122:APPTRACK_SESSION_CLOSE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, + dup55, dup22, + dup23, ])); -var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part155); +var msg127 = msg("APPTRACK_SESSION_CLOSE:01", part156); var select30 = linear_select([ msg126, msg127, ]); -var part156 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup27, +var part157 = match("MESSAGE#123:APPTRACK_SESSION_VOL_UPDATE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-name=\"%{rule_template}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup28, + dup53, + dup22, dup52, - dup21, - dup51, ])); -var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part156); +var msg128 = msg("APPTRACK_SESSION_VOL_UPDATE", part157); -var part157 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ - dup27, - dup52, - dup21, +var part158 = match("MESSAGE#124:APPTRACK_SESSION_VOL_UPDATE:01", "nwparser.payload", "%{event_type}: %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{service->} %{protocol->} %{fld11->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{rulename->} %{rule_template->} %{fld12->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{packets}(%{rbytes}) %{dclass_counter1}(%{sbytes}) %{duration->} %{username->} %{fld10}", processor_chain([ + dup28, + dup53, dup22, + dup23, ])); -var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part157); +var msg129 = msg("APPTRACK_SESSION_VOL_UPDATE:01", part158); var select31 = linear_select([ msg128, msg129, ]); -var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup135); +var msg130 = msg("BFDD_TRAP_STATE_DOWN", dup138); -var msg131 = msg("BFDD_TRAP_STATE_UP", dup135); +var msg131 = msg("BFDD_TRAP_STATE_UP", dup138); -var part158 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ - dup20, +var part159 = match("MESSAGE#127:bgp_connect_start", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect %{saddr->} (%{shost}): %{result}", processor_chain([ dup21, - setc("event_description","bgp connect error"), dup22, + setc("event_description","bgp connect error"), + dup23, ])); -var msg132 = msg("bgp_connect_start", part158); +var msg132 = msg("bgp_connect_start", part159); -var part159 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ - dup20, +var part160 = match("MESSAGE#128:bgp_event", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) old state %{change_old->} event %{action->} new state %{change_new}", processor_chain([ dup21, - setc("event_description","bgp peer state change"), dup22, + setc("event_description","bgp peer state change"), + dup23, ])); -var msg133 = msg("bgp_event", part159); +var msg133 = msg("bgp_event", part160); -var part160 = match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Connection attempt from unconfigured neighbor"), +var part161 = match("MESSAGE#129:bgp_listen_accept", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection attempt from unconfigured neighbor: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Connection attempt from unconfigured neighbor"), + dup23, ])); -var msg134 = msg("bgp_listen_accept", part160); +var msg134 = msg("bgp_listen_accept", part161); -var part161 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ - dup20, +var part162 = match("MESSAGE#130:bgp_listen_reset", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}", processor_chain([ dup21, - setc("event_description","bgp reset"), dup22, + setc("event_description","bgp reset"), + dup23, ])); -var msg135 = msg("bgp_listen_reset", part161); +var msg135 = msg("bgp_listen_reset", part162); -var part162 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ - dup20, +var part163 = match("MESSAGE#131:bgp_nexthop_sanity", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}) next hop %{saddr->} local, %{result}", processor_chain([ dup21, - setc("event_description","peer next hop local"), dup22, + setc("event_description","peer next hop local"), + dup23, ])); -var msg136 = msg("bgp_nexthop_sanity", part162); +var msg136 = msg("bgp_nexthop_sanity", part163); -var part163 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ - dup29, - dup21, - setc("event_description","code RED error NOTIFICATION sent"), +var part164 = match("MESSAGE#132:bgp_process_caps", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{severity->} (%{action}) subcode %{version->} (%{result}) value %{disposition}", processor_chain([ + dup30, dup22, + setc("event_description","code RED error NOTIFICATION sent"), + dup23, ])); -var msg137 = msg("bgp_process_caps", part163); +var msg137 = msg("bgp_process_caps", part164); -var part164 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup29, - dup21, - dup56, +var part165 = match("MESSAGE#133:bgp_process_caps:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup30, dup22, + dup57, + dup23, ])); -var msg138 = msg("bgp_process_caps:01", part164); +var msg138 = msg("bgp_process_caps:01", part165); var select32 = linear_select([ msg137, msg138, ]); -var part165 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ - dup29, - dup21, +var part166 = match("MESSAGE#134:bgp_pp_recv", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: dropping %{daddr->} (%{dhost}), %{info->} (%{protocol})", processor_chain([ + dup30, + dup22, setc("event_description","connection collision"), setc("result","dropping connection to peer"), - dup22, + dup23, ])); -var msg139 = msg("bgp_pp_recv", part165); +var msg139 = msg("bgp_pp_recv", part166); -var part166 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ - dup29, - dup21, - setc("event_description","peer received unexpected EOF"), +var part167 = match("MESSAGE#135:bgp_pp_recv:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer %{daddr->} (%{dhost}): received unexpected EOF", processor_chain([ + dup30, dup22, + setc("event_description","peer received unexpected EOF"), + dup23, ])); -var msg140 = msg("bgp_pp_recv:01", part166); +var msg140 = msg("bgp_pp_recv:01", part167); var select33 = linear_select([ msg139, msg140, ]); -var part167 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","bgp send blocked error"), +var part168 = match("MESSAGE#136:bgp_send", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sending %{sbytes->} bytes to %{daddr->} (%{dhost}) blocked (%{disposition}): %{result}", processor_chain([ + dup30, dup22, + setc("event_description","bgp send blocked error"), + dup23, ])); -var msg141 = msg("bgp_send", part167); +var msg141 = msg("bgp_send", part168); -var part168 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","bgp timeout NOTIFICATION sent"), +var part169 = match("MESSAGE#137:bgp_traffic_timeout", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","bgp timeout NOTIFICATION sent"), + dup23, ])); -var msg142 = msg("bgp_traffic_timeout", part168); +var msg142 = msg("bgp_traffic_timeout", part169); -var part169 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","boot argument error"), +var part170 = match("MESSAGE#138:BOOTPD_ARG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring unknown option %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","boot argument error"), + dup23, ])); -var msg143 = msg("BOOTPD_ARG_ERR", part169); +var msg143 = msg("BOOTPD_ARG_ERR", part170); -var part170 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","boot unexpected Id value"), +var part171 = match("MESSAGE#139:BOOTPD_BAD_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","boot unexpected Id value"), + dup23, ])); -var msg144 = msg("BOOTPD_BAD_ID", part170); +var msg144 = msg("BOOTPD_BAD_ID", part171); -var part171 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: %{filename}", processor_chain([ - dup20, +var part172 = match("MESSAGE#140:BOOTPD_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Boot string: %{filename}", processor_chain([ dup21, - setc("event_description","Invalid boot string"), dup22, + setc("event_description","Invalid boot string"), + dup23, ])); -var msg145 = msg("BOOTPD_BOOTSTRING", part171); +var msg145 = msg("BOOTPD_BOOTSTRING", part172); -var part172 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%{filename}', %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","configuration file error"), +var part173 = match("MESSAGE#141:BOOTPD_CONFIG_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file '%{filename}', %{result}", processor_chain([ + dup30, dup22, + setc("event_description","configuration file error"), + dup23, ])); -var msg146 = msg("BOOTPD_CONFIG_ERR", part172); +var msg146 = msg("BOOTPD_CONFIG_ERR", part173); -var part173 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%{filename}'", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to open configuration file"), +var part174 = match("MESSAGE#142:BOOTPD_CONF_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open configuration file '%{filename}'", processor_chain([ + dup30, dup22, + setc("event_description","Unable to open configuration file"), + dup23, ])); -var msg147 = msg("BOOTPD_CONF_OPEN", part173); +var msg147 = msg("BOOTPD_CONF_OPEN", part174); -var part174 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ - dup29, - dup21, - setc("event_description","boot - Duplicate revision"), +var part175 = match("MESSAGE#143:BOOTPD_DUP_REV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate revision: %{version}", processor_chain([ + dup30, dup22, + setc("event_description","boot - Duplicate revision"), + dup23, ])); -var msg148 = msg("BOOTPD_DUP_REV", part174); +var msg148 = msg("BOOTPD_DUP_REV", part175); -var part175 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ - dup29, - dup21, - setc("event_description","boot - duplicate slot"), +var part176 = match("MESSAGE#144:BOOTPD_DUP_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate slot default: %{ssid}", processor_chain([ + dup30, dup22, + setc("event_description","boot - duplicate slot"), + dup23, ])); -var msg149 = msg("BOOTPD_DUP_SLOT", part175); +var msg149 = msg("BOOTPD_DUP_SLOT", part176); -var part176 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","Unexpected ID for model"), +var part177 = match("MESSAGE#145:BOOTPD_MODEL_CHK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected ID %{id->} for model %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","Unexpected ID for model"), + dup23, ])); -var msg150 = msg("BOOTPD_MODEL_CHK", part176); +var msg150 = msg("BOOTPD_MODEL_CHK", part177); -var part177 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unsupported model"), +var part178 = match("MESSAGE#146:BOOTPD_MODEL_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unsupported model %{dclass_counter1}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unsupported model"), + dup23, ])); -var msg151 = msg("BOOTPD_MODEL_ERR", part177); +var msg151 = msg("BOOTPD_MODEL_ERR", part178); -var part178 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ - dup20, +var part179 = match("MESSAGE#147:BOOTPD_NEW_CONF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: New configuration installed", processor_chain([ dup21, - setc("event_description","New configuration installed"), dup22, + setc("event_description","New configuration installed"), + dup23, ])); -var msg152 = msg("BOOTPD_NEW_CONF", part178); +var msg152 = msg("BOOTPD_NEW_CONF", part179); -var part179 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %{filename}", processor_chain([ - dup29, - dup21, - setc("event_description","No boot string found"), +var part180 = match("MESSAGE#148:BOOTPD_NO_BOOTSTRING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No boot string found for type %{filename}", processor_chain([ + dup30, dup22, + setc("event_description","No boot string found"), + dup23, ])); -var msg153 = msg("BOOTPD_NO_BOOTSTRING", part179); +var msg153 = msg("BOOTPD_NO_BOOTSTRING", part180); -var part180 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%{filename}', %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","No configuration file found"), +var part181 = match("MESSAGE#149:BOOTPD_NO_CONFIG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No configuration file '%{filename}', %{result}", processor_chain([ + dup30, dup22, + setc("event_description","No configuration file found"), + dup23, ])); -var msg154 = msg("BOOTPD_NO_CONFIG", part180); +var msg154 = msg("BOOTPD_NO_CONFIG", part181); -var part181 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename}: number parse errors on SIGHUP", processor_chain([ - dup29, - dup21, - setc("event_description","parse errors on SIGHUP"), +var part182 = match("MESSAGE#150:BOOTPD_PARSE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename}: number parse errors on SIGHUP", processor_chain([ + dup30, dup22, + setc("event_description","parse errors on SIGHUP"), + dup23, ])); -var msg155 = msg("BOOTPD_PARSE_ERR", part181); +var msg155 = msg("BOOTPD_PARSE_ERR", part182); -var part182 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%{filename}'", processor_chain([ - dup20, +var part183 = match("MESSAGE#151:BOOTPD_REPARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reparsing configuration file '%{filename}'", processor_chain([ dup21, - setc("event_description","Reparsing configuration file"), dup22, + setc("event_description","Reparsing configuration file"), + dup23, ])); -var msg156 = msg("BOOTPD_REPARSE", part182); +var msg156 = msg("BOOTPD_REPARSE", part183); -var part183 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","select error"), +var part184 = match("MESSAGE#152:BOOTPD_SELECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","select error"), + dup23, ])); -var msg157 = msg("BOOTPD_SELECT_ERR", part183); +var msg157 = msg("BOOTPD_SELECT_ERR", part184); -var part184 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ - dup29, - dup21, - setc("event_description","timeout unreasonable"), +var part185 = match("MESSAGE#153:BOOTPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout %{result->} unreasonable", processor_chain([ + dup30, dup22, + setc("event_description","timeout unreasonable"), + dup23, ])); -var msg158 = msg("BOOTPD_TIMEOUT", part184); +var msg158 = msg("BOOTPD_TIMEOUT", part185); -var part185 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ - dup20, +var part186 = match("MESSAGE#154:BOOTPD_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version: %{version->} built by builder on %{event_time_string}", processor_chain([ dup21, - setc("event_description","boot version built"), dup22, + setc("event_description","boot version built"), + dup23, ])); -var msg159 = msg("BOOTPD_VERSION", part185); +var msg159 = msg("BOOTPD_VERSION", part186); -var part186 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ - dup57, - dup21, - setc("event_description","CHASSISD release built"), +var part187 = match("MESSAGE#155:CHASSISD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} %{version->} built by builder on %{event_time_string}", processor_chain([ + dup58, dup22, + setc("event_description","CHASSISD release built"), + dup23, ])); -var msg160 = msg("CHASSISD", part186); +var msg160 = msg("CHASSISD", part187); -var part187 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD Unknown option"), +var part188 = match("MESSAGE#156:CHASSISD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown option %{result}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD Unknown option"), + dup23, ])); -var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part187); +var msg161 = msg("CHASSISD_ARGUMENT_ERROR", part188); -var part188 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ - dup20, +var part189 = match("MESSAGE#157:CHASSISD_BLOWERS_SPEED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers are now running at normal speed", processor_chain([ dup21, - setc("event_description","Fans and impellers are now running at normal speed"), dup22, + setc("event_description","Fans and impellers are now running at normal speed"), + dup23, ])); -var msg162 = msg("CHASSISD_BLOWERS_SPEED", part188); +var msg162 = msg("CHASSISD_BLOWERS_SPEED", part189); -var part189 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ - dup20, +var part190 = match("MESSAGE#158:CHASSISD_BLOWERS_SPEED_FULL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fans and impellers being set to full speed [%{result}]", processor_chain([ dup21, - setc("event_description","Fans and impellers being set to full speed"), dup22, + setc("event_description","Fans and impellers being set to full speed"), + dup23, ])); -var msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part189); +var msg163 = msg("CHASSISD_BLOWERS_SPEED_FULL", part190); -var part190 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ - dup20, +var part191 = match("MESSAGE#159:CHASSISD_CB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading midplane ID EEPROM, %{dclass_counter1->} %{dclass_counter2}", processor_chain([ dup21, - setc("event_description","reading midplane ID EEPROM"), dup22, + setc("event_description","reading midplane ID EEPROM"), + dup23, ])); -var msg164 = msg("CHASSISD_CB_READ", part190); +var msg164 = msg("CHASSISD_CB_READ", part191); -var part191 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD COMMAND ACK ERROR"), +var part192 = match("MESSAGE#160:CHASSISD_COMMAND_ACK_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} online ack code %{dclass_counter1->} - - %{result}, %{interface}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD COMMAND ACK ERROR"), + dup23, ])); -var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part191); +var msg165 = msg("CHASSISD_COMMAND_ACK_ERROR", part192); -var part192 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD COMMAND ACK SF ERROR"), +var part193 = match("MESSAGE#161:CHASSISD_COMMAND_ACK_SF_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{disposition->} - %{result}, code %{resultcode}, SFM %{dclass_counter1}, FPC %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD COMMAND ACK SF ERROR"), + dup23, ])); -var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part192); +var msg166 = msg("CHASSISD_COMMAND_ACK_SF_ERROR", part193); -var part193 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","Cannot set no-concatenated mode for FPC"), +var part194 = match("MESSAGE#162:CHASSISD_CONCAT_MODE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cannot set no-concatenated mode for FPC %{dclass_counter2->} PIC %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","Cannot set no-concatenated mode for FPC"), + dup23, ])); -var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part193); +var msg167 = msg("CHASSISD_CONCAT_MODE_ERROR", part194); -var part194 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %{filename}; %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","CONFIG File Problem"), +var part195 = match("MESSAGE#163:CHASSISD_CONFIG_INIT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Problems with configuration file %{filename}; %{result}", processor_chain([ + dup30, dup22, + setc("event_description","CONFIG File Problem"), + dup23, ])); -var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part194); +var msg168 = msg("CHASSISD_CONFIG_INIT_ERROR", part195); -var part195 = match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename}: %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD CONFIG WARNING"), +var part196 = match("MESSAGE#164:CHASSISD_CONFIG_WARNING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename}: %{result}, FPC %{dclass_counter2->} %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD CONFIG WARNING"), + dup23, ])); -var msg169 = msg("CHASSISD_CONFIG_WARNING", part195); +var msg169 = msg("CHASSISD_CONFIG_WARNING", part196); -var part196 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","chassisd already running"), +var part197 = match("MESSAGE#165:CHASSISD_EXISTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd already running; %{result}", processor_chain([ + dup30, dup22, + setc("event_description","chassisd already running"), + dup23, ])); -var msg170 = msg("CHASSISD_EXISTS", part196); +var msg170 = msg("CHASSISD_EXISTS", part197); -var part197 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ - dup20, +var part198 = match("MESSAGE#166:CHASSISD_EXISTS_TERM_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Killing existing chassisd and exiting", processor_chain([ dup21, - setc("event_description","Killing existing chassisd and exiting"), dup22, + setc("event_description","Killing existing chassisd and exiting"), + dup23, ])); -var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part197); +var msg171 = msg("CHASSISD_EXISTS_TERM_OTHER", part198); -var part198 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %{filename}, error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","file open error"), +var part199 = match("MESSAGE#167:CHASSISD_FILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File open: %{filename}, error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","file open error"), + dup23, ])); -var msg172 = msg("CHASSISD_FILE_OPEN", part198); +var msg172 = msg("CHASSISD_FILE_OPEN", part199); -var part199 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %{filename}, error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD file statistics error"), +var part200 = match("MESSAGE#168:CHASSISD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File stat: %{filename}, error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD file statistics error"), + dup23, ])); -var msg173 = msg("CHASSISD_FILE_STAT", part199); +var msg173 = msg("CHASSISD_FILE_STAT", part200); -var part200 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD received restart EVENT"), +var part201 = match("MESSAGE#169:CHASSISD_FRU_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD received restart EVENT"), + dup23, ])); -var msg174 = msg("CHASSISD_FRU_EVENT", part200); +var msg174 = msg("CHASSISD_FRU_EVENT", part201); -var part201 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %{filename}#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD restart WRITE_ERROR"), +var part202 = match("MESSAGE#170:CHASSISD_FRU_IPC_WRITE_ERROR_EXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} FRU %{filename}#%{resultcode}, %{result->} %{dclass_counter1}, %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD restart WRITE_ERROR"), + dup23, ])); -var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part201); +var msg175 = msg("CHASSISD_FRU_IPC_WRITE_ERROR_EXT", part202); -var part202 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD FRU STEP ERROR"), +var part203 = match("MESSAGE#171:CHASSISD_FRU_STEP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{filename->} %{resultcode->} at step %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD FRU STEP ERROR"), + dup23, ])); -var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part202); +var msg176 = msg("CHASSISD_FRU_STEP_ERROR", part203); -var part203 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","Unexpected error from gettimeofday"), +var part204 = match("MESSAGE#172:CHASSISD_GETTIMEOFDAY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected error from gettimeofday: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","Unexpected error from gettimeofday"), + dup23, ])); -var msg177 = msg("CHASSISD_GETTIMEOFDAY", part203); +var msg177 = msg("CHASSISD_GETTIMEOFDAY", part204); -var part204 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ - dup20, +var part205 = match("MESSAGE#173:CHASSISD_HOST_TEMP_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result->} reading host temperature sensor", processor_chain([ dup21, - setc("event_description","reading host temperature sensor"), dup22, + setc("event_description","reading host temperature sensor"), + dup23, ])); -var msg178 = msg("CHASSISD_HOST_TEMP_READ", part204); +var msg178 = msg("CHASSISD_HOST_TEMP_READ", part205); -var part205 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup20, +var part206 = match("MESSAGE#174:CHASSISD_IFDEV_DETACH_ALL_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ dup21, - setc("event_description","detaching all pseudo devices"), dup22, + setc("event_description","detaching all pseudo devices"), + dup23, ])); -var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part205); +var msg179 = msg("CHASSISD_IFDEV_DETACH_ALL_PSEUDO", part206); -var part206 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ - dup20, +var part207 = match("MESSAGE#175:CHASSISD_IFDEV_DETACH_FPC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ dup21, - setc("event_description","CHASSISD IFDEV DETACH FPC"), dup22, + setc("event_description","CHASSISD IFDEV DETACH FPC"), + dup23, ])); -var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part206); +var msg180 = msg("CHASSISD_IFDEV_DETACH_FPC", part207); -var part207 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ - dup20, +var part208 = match("MESSAGE#176:CHASSISD_IFDEV_DETACH_PIC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{resultcode})", processor_chain([ dup21, - setc("event_description","CHASSISD IFDEV DETACH PIC"), dup22, + setc("event_description","CHASSISD IFDEV DETACH PIC"), + dup23, ])); -var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part207); +var msg181 = msg("CHASSISD_IFDEV_DETACH_PIC", part208); -var part208 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ - dup20, +var part209 = match("MESSAGE#177:CHASSISD_IFDEV_DETACH_PSEUDO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}(%{disposition})", processor_chain([ dup21, - setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), dup22, + setc("event_description","CHASSISD IFDEV DETACH PSEUDO"), + dup23, ])); -var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part208); +var msg182 = msg("CHASSISD_IFDEV_DETACH_PSEUDO", part209); -var part209 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), +var part210 = match("MESSAGE#178:CHASSISD_IFDEV_DETACH_TLV_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD IFDEV DETACH TLV ERROR"), + dup23, ])); -var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part209); +var msg183 = msg("CHASSISD_IFDEV_DETACH_TLV_ERROR", part210); -var part210 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","rtslib_ifdm_get_by_index failed"), +var part211 = match("MESSAGE#179:CHASSISD_IFDEV_GET_BY_INDEX_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: rtslib_ifdm_get_by_index failed: %{resultcode->} - %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","rtslib_ifdm_get_by_index failed"), + dup23, ])); -var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part210); +var msg184 = msg("CHASSISD_IFDEV_GET_BY_INDEX_FAIL", part211); -var part211 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","Message Queue full"), +var part212 = match("MESSAGE#180:CHASSISD_IPC_MSG_QFULL_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","Message Queue full"), + dup23, ])); -var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part211); +var msg185 = msg("CHASSISD_IPC_MSG_QFULL_ERROR", part212); -var part212 = match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","Received unexpected message"), +var part213 = match("MESSAGE#181:CHASSISD_IPC_UNEXPECTED_RECV", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received unexpected message from %{service}: type = %{dclass_counter1}, subtype = %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","Received unexpected message"), + dup23, ])); -var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part212); +var msg186 = msg("CHASSISD_IPC_UNEXPECTED_RECV", part213); -var part213 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","FRU has no connection pipe"), +var part214 = match("MESSAGE#182:CHASSISD_IPC_WRITE_ERR_NO_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection pipe %{result}", processor_chain([ + dup30, dup22, + setc("event_description","FRU has no connection pipe"), + dup23, ])); -var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part213); +var msg187 = msg("CHASSISD_IPC_WRITE_ERR_NO_PIPE", part214); -var part214 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","FRU has no connection arguments"), +var part215 = match("MESSAGE#183:CHASSISD_IPC_WRITE_ERR_NULL_ARGS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FRU has no connection arguments %{result}", processor_chain([ + dup30, dup22, + setc("event_description","FRU has no connection arguments"), + dup23, ])); -var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part214); +var msg188 = msg("CHASSISD_IPC_WRITE_ERR_NULL_ARGS", part215); -var part215 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ - dup29, - dup21, - setc("event_description","chassisd MAC address allocation error"), +var part216 = match("MESSAGE#184:CHASSISD_MAC_ADDRESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: chassisd MAC address allocation error", processor_chain([ + dup30, dup22, + setc("event_description","chassisd MAC address allocation error"), + dup23, ])); -var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part215); +var msg189 = msg("CHASSISD_MAC_ADDRESS_ERROR", part216); -var part216 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ - dup20, +var part217 = match("MESSAGE#185:CHASSISD_MAC_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using default MAC address base", processor_chain([ dup21, - setc("event_description","Using default MAC address base"), dup22, + setc("event_description","Using default MAC address base"), + dup23, ])); -var msg190 = msg("CHASSISD_MAC_DEFAULT", part216); +var msg190 = msg("CHASSISD_MAC_DEFAULT", part217); -var part217 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ - dup29, - dup21, - setc("event_description","management bus failed sanity test"), +var part218 = match("MESSAGE#186:CHASSISD_MBUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} %{resultcode}: management bus failed sanity test", processor_chain([ + dup30, dup22, + setc("event_description","management bus failed sanity test"), + dup23, ])); -var msg191 = msg("CHASSISD_MBUS_ERROR", part217); +var msg191 = msg("CHASSISD_MBUS_ERROR", part218); -var part218 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ - dup20, +var part219 = match("MESSAGE#187:CHASSISD_PARSE_COMPLETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using new configuration", processor_chain([ dup21, - setc("event_description","Using new configuration"), dup22, + setc("event_description","Using new configuration"), + dup23, ])); -var msg192 = msg("CHASSISD_PARSE_COMPLETE", part218); +var msg192 = msg("CHASSISD_PARSE_COMPLETE", part219); -var part219 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","CHASSISD PARSE ERROR"), +var part220 = match("MESSAGE#188:CHASSISD_PARSE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{resultcode->} %{result}", processor_chain([ + dup30, dup22, + setc("event_description","CHASSISD PARSE ERROR"), + dup23, ])); -var msg193 = msg("CHASSISD_PARSE_ERROR", part219); +var msg193 = msg("CHASSISD_PARSE_ERROR", part220); -var part220 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%{filename}'", processor_chain([ - dup20, +var part221 = match("MESSAGE#189:CHASSISD_PARSE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Parsing configuration file '%{filename}'", processor_chain([ dup21, - setc("event_description","Parsing configuration file"), dup22, + setc("event_description","Parsing configuration file"), + dup23, ])); -var msg194 = msg("CHASSISD_PARSE_INIT", part220); +var msg194 = msg("CHASSISD_PARSE_INIT", part221); -var part221 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%{filename}': %{result->} %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to open PID file"), +var part222 = match("MESSAGE#190:CHASSISD_PIDFILE_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open PID file '%{filename}': %{result->} %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to open PID file"), + dup23, ])); -var msg195 = msg("CHASSISD_PIDFILE_OPEN", part221); +var msg195 = msg("CHASSISD_PIDFILE_OPEN", part222); -var part222 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","Pipe error"), +var part223 = match("MESSAGE#191:CHASSISD_PIPE_WRITE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Pipe error: %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","Pipe error"), + dup23, ])); -var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part222); +var msg196 = msg("CHASSISD_PIPE_WRITE_ERROR", part223); -var part223 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ - dup58, - dup21, - setc("event_description","device not powering up"), +var part224 = match("MESSAGE#192:CHASSISD_POWER_CHECK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{device->} %{dclass_counter1->} not powering up", processor_chain([ + dup59, dup22, + setc("event_description","device not powering up"), + dup23, ])); -var msg197 = msg("CHASSISD_POWER_CHECK", part223); +var msg197 = msg("CHASSISD_POWER_CHECK", part224); -var part224 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ - dup20, +var part225 = match("MESSAGE#193:CHASSISD_RECONNECT_SUCCESSFUL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Successfully reconnected on soft restart", processor_chain([ dup21, - setc("event_description","Successful reconnect on soft restart"), dup22, + setc("event_description","Successful reconnect on soft restart"), + dup23, ])); -var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part224); +var msg198 = msg("CHASSISD_RECONNECT_SUCCESSFUL", part225); -var part225 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ - dup20, +var part226 = match("MESSAGE#194:CHASSISD_RELEASE_MASTERSHIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Release mastership notification", processor_chain([ dup21, - setc("event_description","Release mastership notification"), dup22, + setc("event_description","Release mastership notification"), + dup23, ])); -var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part225); +var msg199 = msg("CHASSISD_RELEASE_MASTERSHIP", part226); -var part226 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","re_init Invalid RE slot"), +var part227 = match("MESSAGE#195:CHASSISD_RE_INIT_INVALID_RE_SLOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: re_init: re %{resultcode}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","re_init Invalid RE slot"), + dup23, ])); -var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part226); +var msg200 = msg("CHASSISD_RE_INIT_INVALID_RE_SLOT", part227); -var part227 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to determine mount point for root directory"), +var part228 = match("MESSAGE#196:CHASSISD_ROOT_MOUNT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine the mount point for root directory: %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to determine mount point for root directory"), + dup23, ])); -var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part227); +var msg201 = msg("CHASSISD_ROOT_MOUNT_ERROR", part228); -var part228 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","ifmsg sequence gap"), +var part229 = match("MESSAGE#197:CHASSISD_RTS_SEQ_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifmsg sequence gap %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","ifmsg sequence gap"), + dup23, ])); -var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part228); +var msg202 = msg("CHASSISD_RTS_SEQ_ERROR", part229); -var part229 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ +var part230 = match("MESSAGE#198:CHASSISD_SBOARD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ setc("eventcategory","1603040000"), - dup21, - setc("event_description","Version mismatch"), dup22, + setc("event_description","Version mismatch"), + dup23, ])); -var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part229); +var msg203 = msg("CHASSISD_SBOARD_VERSION_MISMATCH", part230); -var part230 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","Serial ID read error"), +var part231 = match("MESSAGE#199:CHASSISD_SERIAL_ID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Serial ID read error: %{resultcode->} - - %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","Serial ID read error"), + dup23, ])); -var msg204 = msg("CHASSISD_SERIAL_ID", part230); +var msg204 = msg("CHASSISD_SERIAL_ID", part231); -var part231 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","fpga download not complete"), +var part232 = match("MESSAGE#200:CHASSISD_SMB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: fpga download not complete: val %{resultcode}, %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","fpga download not complete"), + dup23, ])); -var msg205 = msg("CHASSISD_SMB_ERROR", part231); +var msg205 = msg("CHASSISD_SMB_ERROR", part232); -var part232 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ - dup57, - dup21, - setc("event_description","SNMP Trap6 generated"), +var part233 = match("MESSAGE#201:CHASSISD_SNMP_TRAP6", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap generated: %{result->} (%{info})", processor_chain([ + dup58, dup22, + setc("event_description","SNMP Trap6 generated"), + dup23, ])); -var msg206 = msg("CHASSISD_SNMP_TRAP6", part232); +var msg206 = msg("CHASSISD_SNMP_TRAP6", part233); -var part233 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP Trap7 generated"), +var part234 = match("MESSAGE#202:CHASSISD_SNMP_TRAP7", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP Trap7 generated"), + dup23, ])); -var msg207 = msg("CHASSISD_SNMP_TRAP7", part233); +var msg207 = msg("CHASSISD_SNMP_TRAP7", part234); -var part234 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ - dup20, +var part235 = match("MESSAGE#203:CHASSISD_SNMP_TRAP10", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP trap: %{result}: %{info}", processor_chain([ dup21, - setc("event_description","SNMP trap - FRU power on"), dup22, + setc("event_description","SNMP trap - FRU power on"), + dup23, ])); -var msg208 = msg("CHASSISD_SNMP_TRAP10", part234); +var msg208 = msg("CHASSISD_SNMP_TRAP10", part235); -var part235 = match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ - dup59, - dup21, - setc("event_description","Received SIGTERM request"), +var part236 = match("MESSAGE#204:CHASSISD_TERM_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received SIGTERM request, %{result}", processor_chain([ + dup60, dup22, + setc("event_description","Received SIGTERM request"), + dup23, ])); -var msg209 = msg("CHASSISD_TERM_SIGNAL", part235); +var msg209 = msg("CHASSISD_TERM_SIGNAL", part236); -var part236 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ - dup20, +var part237 = match("MESSAGE#205:CHASSISD_TRACE_PIC_OFFLINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Taking PIC offline - - FPC slot %{dclass_counter1}, PIC slot %{dclass_counter2}", processor_chain([ dup21, - setc("event_description","Taking PIC offline"), dup22, + setc("event_description","Taking PIC offline"), + dup23, ])); -var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part236); +var msg210 = msg("CHASSISD_TRACE_PIC_OFFLINE", part237); -var part237 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","UNEXPECTED EXIT"), +var part238 = match("MESSAGE#206:CHASSISD_UNEXPECTED_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} returned %{resultcode}: %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","UNEXPECTED EXIT"), + dup23, ])); -var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part237); +var msg211 = msg("CHASSISD_UNEXPECTED_EXIT", part238); -var part238 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ - dup58, - dup21, - setc("event_description","Model number unsupported with this version of chassisd"), +var part239 = match("MESSAGE#207:CHASSISD_UNSUPPORTED_MODEL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Model %{dclass_counter1->} unsupported with this version of chassisd", processor_chain([ + dup59, dup22, + setc("event_description","Model number unsupported with this version of chassisd"), + dup23, ])); -var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part238); +var msg212 = msg("CHASSISD_UNSUPPORTED_MODEL", part239); -var part239 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ - dup58, - dup21, - setc("event_description","Chassisd Version mismatch"), +var part240 = match("MESSAGE#208:CHASSISD_VERSION_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Version mismatch: %{info}", processor_chain([ + dup59, dup22, + setc("event_description","Chassisd Version mismatch"), + dup23, ])); -var msg213 = msg("CHASSISD_VERSION_MISMATCH", part239); +var msg213 = msg("CHASSISD_VERSION_MISMATCH", part240); -var part240 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ - dup58, - dup21, +var part241 = match("MESSAGE#209:CHASSISD_HIGH_TEMP_CONDITION", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} temperature=\"%{fld2}\" message=\"%{info}\"]", processor_chain([ + dup59, + dup22, setc("event_description","CHASSISD HIGH TEMP CONDITION"), - dup60, dup61, + dup62, ])); -var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part240); +var msg214 = msg("CHASSISD_HIGH_TEMP_CONDITION", part241); -var part241 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ - dup20, +var part242 = match("MESSAGE#210:clean_process", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: process %{agent->} RESTART mode %{event_state->} new master=%{obj_name->} old failover=%{change_old->} new failover = %{change_new}", processor_chain([ dup21, - setc("event_description","process RESTART mode"), dup22, + setc("event_description","process RESTART mode"), + dup23, ])); -var msg215 = msg("clean_process", part241); +var msg215 = msg("clean_process", part242); -var part242 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ - dup20, +var part243 = match("MESSAGE#211:CM_JAVA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Chassis %{group->} Linklocal MAC:%{macaddr}", processor_chain([ dup21, - setc("event_description","Chassis Linklocal to MAC"), dup22, + setc("event_description","Chassis Linklocal to MAC"), + dup23, ])); -var msg216 = msg("CM_JAVA", part242); +var msg216 = msg("CM_JAVA", part243); -var part243 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup62, - dup21, - setc("event_description","DCD must be run as root"), +var part244 = match("MESSAGE#212:DCD_AS_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, dup22, + setc("event_description","DCD must be run as root"), + dup23, ])); -var msg217 = msg("DCD_AS_ROOT", part243); +var msg217 = msg("DCD_AS_ROOT", part244); -var part244 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ - dup29, - dup21, - setc("event_description","Filter library initialization failed"), +var part245 = match("MESSAGE#213:DCD_FILTER_LIB_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Filter library initialization failed", processor_chain([ + dup30, dup22, + setc("event_description","Filter library initialization failed"), + dup23, ])); -var msg218 = msg("DCD_FILTER_LIB_ERROR", part244); +var msg218 = msg("DCD_FILTER_LIB_ERROR", part245); -var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup136); +var msg219 = msg("DCD_MALLOC_FAILED_INIT", dup139); -var part245 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ - dup29, - dup21, - setc("event_description","errors while parsing configuration file"), +var part246 = match("MESSAGE#215:DCD_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration file", processor_chain([ + dup30, dup22, + setc("event_description","errors while parsing configuration file"), + dup23, ])); -var msg220 = msg("DCD_PARSE_EMERGENCY", part245); +var msg220 = msg("DCD_PARSE_EMERGENCY", part246); -var part246 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ - dup29, - dup21, - setc("event_description","errors while parsing filter index file"), +var part247 = match("MESSAGE#216:DCD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing filter index file", processor_chain([ + dup30, dup22, + setc("event_description","errors while parsing filter index file"), + dup23, ])); -var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part246); +var msg221 = msg("DCD_PARSE_FILTER_EMERGENCY", part247); -var part247 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ - dup29, - dup21, - setc("event_description","errors while parsing configuration overlay"), +var part248 = match("MESSAGE#217:DCD_PARSE_MINI_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing configuration overlay", processor_chain([ + dup30, dup22, + setc("event_description","errors while parsing configuration overlay"), + dup23, ])); -var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part247); +var msg222 = msg("DCD_PARSE_MINI_EMERGENCY", part248); -var part248 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ - dup29, - dup21, - setc("event_description","unhandled state was encountered during interface parsing"), +var part249 = match("MESSAGE#218:DCD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: An unhandled state was encountered during interface parsing", processor_chain([ + dup30, dup22, + setc("event_description","unhandled state was encountered during interface parsing"), + dup23, ])); -var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part248); +var msg223 = msg("DCD_PARSE_STATE_EMERGENCY", part249); -var part249 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ - dup29, - dup21, - setc("event_description","errors while parsing policer indexfile"), +var part250 = match("MESSAGE#219:DCD_POLICER_PARSE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: errors while parsing policer indexfile", processor_chain([ + dup30, dup22, + setc("event_description","errors while parsing policer indexfile"), + dup23, ])); -var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part249); +var msg224 = msg("DCD_POLICER_PARSE_EMERGENCY", part250); -var part250 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","Failed to pull file"), +var part251 = match("MESSAGE#220:DCD_PULL_LOG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to pull file %{filename->} after %{dclass_counter1->} retries last error=%{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","Failed to pull file"), + dup23, ])); -var msg225 = msg("DCD_PULL_LOG_FAILURE", part250); +var msg225 = msg("DCD_PULL_LOG_FAILURE", part251); -var part251 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","DFWD ARGUMENT ERROR"), +var part252 = match("MESSAGE#221:DFWD_ARGUMENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","DFWD ARGUMENT ERROR"), + dup23, ])); -var msg226 = msg("DFWD_ARGUMENT_ERROR", part251); +var msg226 = msg("DFWD_ARGUMENT_ERROR", part252); -var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup136); +var msg227 = msg("DFWD_MALLOC_FAILED_INIT", dup139); -var part252 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ - dup29, - dup21, - setc("event_description","errors encountered while parsing filter index file"), +var part253 = match("MESSAGE#223:DFWD_PARSE_FILTER_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered errors while parsing filter index file", processor_chain([ + dup30, dup22, + setc("event_description","errors encountered while parsing filter index file"), + dup23, ])); -var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part252); +var msg228 = msg("DFWD_PARSE_FILTER_EMERGENCY", part253); -var part253 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ - dup29, - dup21, - setc("event_description","encountered unhandled state while parsing interface"), +var part254 = match("MESSAGE#224:DFWD_PARSE_STATE_EMERGENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} encountered unhandled state while parsing interface", processor_chain([ + dup30, dup22, + setc("event_description","encountered unhandled state while parsing interface"), + dup23, ])); -var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part253); +var msg229 = msg("DFWD_PARSE_STATE_EMERGENCY", part254); -var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup137); +var msg230 = msg("ECCD_DAEMONIZE_FAILED", dup140); -var msg231 = msg("ECCD_DUPLICATE", dup138); +var msg231 = msg("ECCD_DUPLICATE", dup141); -var part254 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","ECCD LOOP EXIT FAILURE"), +var part255 = match("MESSAGE#227:ECCD_LOOP_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MainLoop return value: %{disposition}, error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","ECCD LOOP EXIT FAILURE"), + dup23, ])); -var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part254); +var msg232 = msg("ECCD_LOOP_EXIT_FAILURE", part255); -var part255 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup62, - dup21, - setc("event_description","ECCD Must be run as root"), +var part256 = match("MESSAGE#228:ECCD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, dup22, + setc("event_description","ECCD Must be run as root"), + dup23, ])); -var msg233 = msg("ECCD_NOT_ROOT", part255); +var msg233 = msg("ECCD_NOT_ROOT", part256); -var part256 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","ECCD PCI FILE OPEN FAILED"), +var part257 = match("MESSAGE#229:ECCD_PCI_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: open() failed: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","ECCD PCI FILE OPEN FAILED"), + dup23, ])); -var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part256); +var msg234 = msg("ECCD_PCI_FILE_OPEN_FAILED", part257); -var part257 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","PCI read failure"), +var part258 = match("MESSAGE#230:ECCD_PCI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","PCI read failure"), + dup23, ])); -var msg235 = msg("ECCD_PCI_READ_FAILED", part257); +var msg235 = msg("ECCD_PCI_READ_FAILED", part258); -var part258 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","PCI write failure"), +var part259 = match("MESSAGE#231:ECCD_PCI_WRITE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","PCI write failure"), + dup23, ])); -var msg236 = msg("ECCD_PCI_WRITE_FAILED", part258); +var msg236 = msg("ECCD_PCI_WRITE_FAILED", part259); -var msg237 = msg("ECCD_PID_FILE_LOCK", dup139); +var msg237 = msg("ECCD_PID_FILE_LOCK", dup142); -var msg238 = msg("ECCD_PID_FILE_UPDATE", dup140); +var msg238 = msg("ECCD_PID_FILE_UPDATE", dup143); -var part259 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","ECCD TRACE FILE OPEN FAILURE"), +var part260 = match("MESSAGE#234:ECCD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","ECCD TRACE FILE OPEN FAILURE"), + dup23, ])); -var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part259); +var msg239 = msg("ECCD_TRACE_FILE_OPEN_FAILED", part260); -var part260 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup20, +var part261 = match("MESSAGE#235:ECCD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ dup21, - setc("event_description","ECCD Usage"), dup22, + setc("event_description","ECCD Usage"), + dup23, ])); -var msg240 = msg("ECCD_usage", part260); +var msg240 = msg("ECCD_usage", part261); -var part261 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ - dup20, +var part262 = match("MESSAGE#236:EVENTD_AUDIT_SHOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} viewed security audit log with arguments: %{param}", processor_chain([ dup21, - setc("event_description","User viewed security audit log with arguments"), dup22, + setc("event_description","User viewed security audit log with arguments"), + dup23, ])); -var msg241 = msg("EVENTD_AUDIT_SHOW", part261); +var msg241 = msg("EVENTD_AUDIT_SHOW", part262); -var part262 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ - dup20, +var part263 = match("MESSAGE#237:FLOW_REASSEMBLE_SUCCEED", "nwparser.payload", "%{event_type}: Packet merged source %{saddr->} destination %{daddr->} ipid %{fld11->} succeed", processor_chain([ dup21, dup22, + dup23, ])); -var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part262); +var msg242 = msg("FLOW_REASSEMBLE_SUCCEED", part263); -var part263 = match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%{filename}' to user %{username}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to change owner of file"), +var part264 = match("MESSAGE#238:FSAD_CHANGE_FILE_OWNER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to change owner of file `%{filename}' to user %{username}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to change owner of file"), + dup23, ])); -var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part263); +var msg243 = msg("FSAD_CHANGE_FILE_OWNER", part264); -var part264 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","FSAD CONFIG ERROR"), +var part265 = match("MESSAGE#239:FSAD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","FSAD CONFIG ERROR"), + dup23, ])); -var msg244 = msg("FSAD_CONFIG_ERROR", part264); +var msg244 = msg("FSAD_CONFIG_ERROR", part265); -var part265 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ - dup29, - dup21, - setc("event_description","Connection timed out to client"), +var part266 = match("MESSAGE#240:FSAD_CONNTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection timed out to the client (%{shost}, %{saddr}) having request type %{obj_type}", processor_chain([ + dup30, dup22, + setc("event_description","Connection timed out to client"), + dup23, ])); -var msg245 = msg("FSAD_CONNTIMEDOUT", part265); +var msg245 = msg("FSAD_CONNTIMEDOUT", part266); -var part266 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","FSAD_FAILED"), +var part267 = match("MESSAGE#241:FSAD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","FSAD_FAILED"), + dup23, ])); -var msg246 = msg("FSAD_FAILED", part266); +var msg246 = msg("FSAD_FAILED", part267); -var part267 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%{filename}' timed out", processor_chain([ - dup29, - dup21, - setc("event_description","Fetch to server to get file timed out"), +var part268 = match("MESSAGE#242:FSAD_FETCHTIMEDOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Fetch to server %{hostname->} for file `%{filename}' timed out", processor_chain([ + dup30, dup22, + setc("event_description","Fetch to server to get file timed out"), + dup23, ])); -var msg247 = msg("FSAD_FETCHTIMEDOUT", part267); +var msg247 = msg("FSAD_FETCHTIMEDOUT", part268); -var part268 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%{filename}' with error message %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","fn failed for file"), +var part269 = match("MESSAGE#243:FSAD_FILE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: fn failed for file `%{filename}' with error message %{result}", processor_chain([ + dup30, dup22, + setc("event_description","fn failed for file"), + dup23, ])); -var msg248 = msg("FSAD_FILE_FAILED", part268); +var msg248 = msg("FSAD_FILE_FAILED", part269); -var part269 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%{filename}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to remove file"), +var part270 = match("MESSAGE#244:FSAD_FILE_REMOVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to remove file `%{filename}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to remove file"), + dup23, ])); -var msg249 = msg("FSAD_FILE_REMOVE", part269); +var msg249 = msg("FSAD_FILE_REMOVE", part270); -var part270 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%{filename}' to `%{resultcode}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to rename file"), +var part271 = match("MESSAGE#245:FSAD_FILE_RENAME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to rename file `%{filename}' to `%{resultcode}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to rename file"), + dup23, ])); -var msg250 = msg("FSAD_FILE_RENAME", part270); +var msg250 = msg("FSAD_FILE_RENAME", part271); -var part271 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %{filename}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","stat failed for file"), +var part272 = match("MESSAGE#246:FSAD_FILE_STAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed for file pathname %{filename}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","stat failed for file"), + dup23, ])); -var msg251 = msg("FSAD_FILE_STAT", part271); +var msg251 = msg("FSAD_FILE_STAT", part272); -var part272 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %{filename}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to sync file"), +var part273 = match("MESSAGE#247:FSAD_FILE_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to sync file %{filename}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to sync file"), + dup23, ])); -var msg252 = msg("FSAD_FILE_SYNC", part272); +var msg252 = msg("FSAD_FILE_SYNC", part273); -var part273 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ - dup29, - dup21, - setc("event_description","Upper limit reached in fsad"), +var part274 = match("MESSAGE#248:FSAD_MAXCONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Upper limit reached in fsad for handling connections", processor_chain([ + dup30, dup22, + setc("event_description","Upper limit reached in fsad"), + dup23, ])); -var msg253 = msg("FSAD_MAXCONN", part273); +var msg253 = msg("FSAD_MAXCONN", part274); -var part274 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ - dup50, - dup21, - setc("event_description","FSAD MEMORYALLOC FAILED"), +var part275 = match("MESSAGE#249:FSAD_MEMORYALLOC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service->} failed in the function %{action->} (%{resultcode})", processor_chain([ + dup51, dup22, + setc("event_description","FSAD MEMORYALLOC FAILED"), + dup23, ])); -var msg254 = msg("FSAD_MEMORYALLOC_FAILED", part274); +var msg254 = msg("FSAD_MEMORYALLOC_FAILED", part275); -var part275 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup62, - dup21, - setc("event_description","FSAD must be run as root"), +var part276 = match("MESSAGE#250:FSAD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, dup22, + setc("event_description","FSAD must be run as root"), + dup23, ])); -var msg255 = msg("FSAD_NOT_ROOT", part275); +var msg255 = msg("FSAD_NOT_ROOT", part276); -var part276 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","invalid directory"), +var part277 = match("MESSAGE#251:FSAD_PARENT_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: invalid directory: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","invalid directory"), + dup23, ])); -var msg256 = msg("FSAD_PARENT_DIRECTORY", part276); +var msg256 = msg("FSAD_PARENT_DIRECTORY", part277); -var part277 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%{filename})", processor_chain([ - dup29, - dup21, - setc("event_description","File path cannot be a directory"), +var part278 = match("MESSAGE#252:FSAD_PATH_IS_DIRECTORY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: File path cannot be a directory (%{filename})", processor_chain([ + dup30, dup22, + setc("event_description","File path cannot be a directory"), + dup23, ])); -var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part277); +var msg257 = msg("FSAD_PATH_IS_DIRECTORY", part278); -var part278 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%{filename})", processor_chain([ - dup29, - dup21, - setc("event_description","Not a regular file"), +var part279 = match("MESSAGE#253:FSAD_PATH_IS_SPECIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Not a regular file (%{filename})", processor_chain([ + dup30, dup22, + setc("event_description","Not a regular file"), + dup23, ])); -var msg258 = msg("FSAD_PATH_IS_SPECIAL", part278); +var msg258 = msg("FSAD_PATH_IS_SPECIAL", part279); -var part279 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ - dup29, - dup21, - setc("event_description","fsad received error message from client"), +var part280 = match("MESSAGE#254:FSAD_RECVERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fsad received error message from client having request type %{obj_type->} at (%{saddr}, %{sport})", processor_chain([ + dup30, dup22, + setc("event_description","fsad received error message from client"), + dup23, ])); -var msg259 = msg("FSAD_RECVERROR", part279); +var msg259 = msg("FSAD_RECVERROR", part280); -var part280 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %{filename}` closed due to %{result}", processor_chain([ - dup26, - dup21, - setc("event_description","FSAD TERMINATED CONNECTION"), +var part281 = match("MESSAGE#255:FSAD_TERMINATED_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open file %{filename}` closed due to %{result}", processor_chain([ + dup27, dup22, + setc("event_description","FSAD TERMINATED CONNECTION"), + dup23, ])); -var msg260 = msg("FSAD_TERMINATED_CONNECTION", part280); +var msg260 = msg("FSAD_TERMINATED_CONNECTION", part281); -var part281 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ - dup20, +var part282 = match("MESSAGE#256:FSAD_TERMINATING_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received terminating %{resultcode}; %{result}", processor_chain([ dup21, - setc("event_description","Received terminating signal"), dup22, + setc("event_description","Received terminating signal"), + dup23, ])); -var msg261 = msg("FSAD_TERMINATING_SIGNAL", part281); +var msg261 = msg("FSAD_TERMINATING_SIGNAL", part282); -var part282 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%{filename}' returned error %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Open operation on trace file failed"), +var part283 = match("MESSAGE#257:FSAD_TRACEOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Open operation on trace file `%{filename}' returned error %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Open operation on trace file failed"), + dup23, ])); -var msg262 = msg("FSAD_TRACEOPEN_FAILED", part282); +var msg262 = msg("FSAD_TRACEOPEN_FAILED", part283); -var part283 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ - dup20, +var part284 = match("MESSAGE#258:FSAD_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage, %{info}", processor_chain([ dup21, - setc("event_description","Incorrect FSAD usage"), dup22, + setc("event_description","Incorrect FSAD usage"), + dup23, ])); -var msg263 = msg("FSAD_USAGE", part283); +var msg263 = msg("FSAD_USAGE", part284); -var part284 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","GGSN ALARM TRAP FAILED"), +var part285 = match("MESSAGE#259:GGSN_ALARM_TRAP_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","GGSN ALARM TRAP FAILED"), + dup23, ])); -var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part284); +var msg264 = msg("GGSN_ALARM_TRAP_FAILED", part285); -var part285 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","GGSN ALARM TRAP SEND FAILED"), +var part286 = match("MESSAGE#260:GGSN_ALARM_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","GGSN ALARM TRAP SEND FAILED"), + dup23, ])); -var msg265 = msg("GGSN_ALARM_TRAP_SEND", part285); +var msg265 = msg("GGSN_ALARM_TRAP_SEND", part286); -var part286 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ - dup29, - dup21, - setc("event_description","Unknown trap request type"), +var part287 = match("MESSAGE#261:GGSN_TRAP_SEND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown trap request type %{obj_type}", processor_chain([ + dup30, dup22, + setc("event_description","Unknown trap request type"), + dup23, ])); -var msg266 = msg("GGSN_TRAP_SEND", part286); +var msg266 = msg("GGSN_TRAP_SEND", part287); -var part287 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ - dup68, - dup33, +var part288 = match("MESSAGE#262:JADE_AUTH_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authorization failed: %{result}", processor_chain([ + dup69, + dup34, setc("ec_subject","Service"), - dup42, - dup21, - setc("event_description","Authorization failed"), + dup43, dup22, + setc("event_description","Authorization failed"), + dup23, ])); -var msg267 = msg("JADE_AUTH_ERROR", part287); +var msg267 = msg("JADE_AUTH_ERROR", part288); -var part288 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","JADE EXEC ERROR"), +var part289 = match("MESSAGE#263:JADE_EXEC_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: CLI %{resultcode->} %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","JADE EXEC ERROR"), + dup23, ])); -var msg268 = msg("JADE_EXEC_ERROR", part288); +var msg268 = msg("JADE_EXEC_ERROR", part289); -var part289 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ - dup29, - dup21, - setc("event_description","Local user does not exist"), +var part290 = match("MESSAGE#264:JADE_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local user %{username->} does not exist", processor_chain([ + dup30, dup22, + setc("event_description","Local user does not exist"), + dup23, ])); -var msg269 = msg("JADE_NO_LOCAL_USER", part289); +var msg269 = msg("JADE_NO_LOCAL_USER", part290); -var part290 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","JADE PAM error"), +var part291 = match("MESSAGE#265:JADE_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","JADE PAM error"), + dup23, ])); -var msg270 = msg("JADE_PAM_ERROR", part290); +var msg270 = msg("JADE_PAM_ERROR", part291); -var part291 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to get local username from PAM"), +var part292 = match("MESSAGE#266:JADE_PAM_NO_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get local username from PAM: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to get local username from PAM"), + dup23, ])); -var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part291); +var msg271 = msg("JADE_PAM_NO_LOCAL_USER", part292); -var part292 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ - dup29, - dup21, - setc("event_description","arp info overwritten"), +var part293 = match("MESSAGE#267:KERN_ARP_ADDR_CHANGE", "nwparser.payload", "%{process}: %{event_type}: arp info overwritten for %{saddr->} from %{smacaddr->} to %{dmacaddr}", processor_chain([ + dup30, dup22, + setc("event_description","arp info overwritten"), + dup23, ])); -var msg272 = msg("KERN_ARP_ADDR_CHANGE", part292); +var msg272 = msg("KERN_ARP_ADDR_CHANGE", part293); -var part293 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ - dup29, - dup21, - setc("event_description","security association has been established"), +var part294 = match("MESSAGE#268:KMD_PM_SA_ESTABLISHED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Local gateway: %{gateway}, Remote gateway: %{fld1}, Local ID:%{fld2}, Remote ID:%{fld3}, Direction:%{fld4}, SPI:%{fld5}", processor_chain([ + dup30, dup22, + setc("event_description","security association has been established"), + dup23, ])); -var msg273 = msg("KMD_PM_SA_ESTABLISHED", part293); +var msg273 = msg("KMD_PM_SA_ESTABLISHED", part294); -var part294 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ - dup20, +var part295 = match("MESSAGE#269:L2CPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialized", processor_chain([ dup21, - setc("event_description","Task Reinitialized"), - dup60, dup22, + setc("event_description","Task Reinitialized"), + dup61, + dup23, ])); -var msg274 = msg("L2CPD_TASK_REINIT", part294); +var msg274 = msg("L2CPD_TASK_REINIT", part295); -var part295 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ - dup20, +var part296 = match("MESSAGE#270:LIBJNX_EXEC_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal='%{obj_type}' %{result}, command '%{action}'", processor_chain([ dup21, - dup69, dup22, + dup70, + dup23, ])); -var msg275 = msg("LIBJNX_EXEC_EXITED", part295); +var msg275 = msg("LIBJNX_EXEC_EXITED", part296); -var part296 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Child exec failed for command"), +var part297 = match("MESSAGE#271:LIBJNX_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Child exec failed for command"), + dup23, ])); -var msg276 = msg("LIBJNX_EXEC_FAILED", part296); +var msg276 = msg("LIBJNX_EXEC_FAILED", part297); -var msg277 = msg("LIBJNX_EXEC_PIPE", dup141); +var msg277 = msg("LIBJNX_EXEC_PIPE", dup144); -var part297 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ - dup29, - dup21, - setc("event_description","Command received signal"), +var part298 = match("MESSAGE#273:LIBJNX_EXEC_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command received signal: PID %{child_pid}, signal %{result}, command '%{action}'", processor_chain([ + dup30, dup22, + setc("event_description","Command received signal"), + dup23, ])); -var msg278 = msg("LIBJNX_EXEC_SIGNALED", part297); +var msg278 = msg("LIBJNX_EXEC_SIGNALED", part298); -var part298 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup20, +var part299 = match("MESSAGE#274:LIBJNX_EXEC_WEXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ dup21, - dup71, dup22, + dup72, + dup23, ])); -var msg279 = msg("LIBJNX_EXEC_WEXIT", part298); +var msg279 = msg("LIBJNX_EXEC_WEXIT", part299); -var part299 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ - dup72, - dup21, - setc("event_description","copy_file_to_transfer_dir failed to copy"), +var part300 = match("MESSAGE#275:LIBJNX_FILE_COPY_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: copy_file_to_transfer_dir failed to copy from source to destination", processor_chain([ + dup73, dup22, + setc("event_description","copy_file_to_transfer_dir failed to copy"), + dup23, ])); -var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part299); +var msg280 = msg("LIBJNX_FILE_COPY_FAILED", part300); -var part300 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ - dup72, - dup21, - setc("event_description","Unable to lower privilege level"), +var part301 = match("MESSAGE#276:LIBJNX_PRIV_LOWER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lower privilege level: %{result}", processor_chain([ + dup73, dup22, + setc("event_description","Unable to lower privilege level"), + dup23, ])); -var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part300); +var msg281 = msg("LIBJNX_PRIV_LOWER_FAILED", part301); -var part301 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ - dup72, - dup21, - setc("event_description","Unable to raise privilege level"), +var part302 = match("MESSAGE#277:LIBJNX_PRIV_RAISE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to raise privilege level: %{result}", processor_chain([ + dup73, dup22, + setc("event_description","Unable to raise privilege level"), + dup23, ])); -var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part301); +var msg282 = msg("LIBJNX_PRIV_RAISE_FAILED", part302); -var part302 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup72, - dup21, - setc("event_description","rcp failed"), +var part303 = match("MESSAGE#278:LIBJNX_REPLICATE_RCP_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup73, dup22, + setc("event_description","rcp failed"), + dup23, ])); -var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part302); +var msg283 = msg("LIBJNX_REPLICATE_RCP_EXEC_FAILED", part303); -var part303 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ - dup72, - dup21, - setc("event_description","ROTATE COMPRESS EXEC FAILED"), +var part304 = match("MESSAGE#279:LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode->} %{dclass_counter1->} -f %{action}: %{result}", processor_chain([ + dup73, dup22, + setc("event_description","ROTATE COMPRESS EXEC FAILED"), + dup23, ])); -var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part303); +var msg284 = msg("LIBJNX_ROTATE_COMPRESS_EXEC_FAILED", part304); -var part304 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ - dup73, - dup21, - setc("event_description","Client connection error"), +var part305 = match("MESSAGE#280:LIBSERVICED_CLIENT_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client connection error: %{result}", processor_chain([ + dup74, dup22, + setc("event_description","Client connection error"), + dup23, ])); -var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part304); +var msg285 = msg("LIBSERVICED_CLIENT_CONNECTION", part305); -var part305 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ - dup72, - dup21, - setc("event_description","Outbound request failed for command"), +var part306 = match("MESSAGE#281:LIBSERVICED_OUTBOUND_REQUEST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Outbound request failed for command [%{action}]: %{result}", processor_chain([ + dup73, dup22, + setc("event_description","Outbound request failed for command"), + dup23, ])); -var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part305); +var msg286 = msg("LIBSERVICED_OUTBOUND_REQUEST", part306); -var part306 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ - dup26, - dup21, - setc("event_description","Connection closed while receiving from client"), +var part307 = match("MESSAGE#282:LIBSERVICED_SNMP_LOST_CONNECTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Connection closed while receiving from client %{dclass_counter1}", processor_chain([ + dup27, dup22, + setc("event_description","Connection closed while receiving from client"), + dup23, ])); -var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part306); +var msg287 = msg("LIBSERVICED_SNMP_LOST_CONNECTION", part307); -var part307 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","unable to bind socket"), +var part308 = match("MESSAGE#283:LIBSERVICED_SOCKET_BIND", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: unable to bind socket %{ssid}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","unable to bind socket"), + dup23, ])); -var msg288 = msg("LIBSERVICED_SOCKET_BIND", part307); +var msg288 = msg("LIBSERVICED_SOCKET_BIND", part308); -var part308 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to attach socket to management routing instance"), +var part309 = match("MESSAGE#284:LIBSERVICED_SOCKET_PRIVATIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to attach socket %{ssid->} to management routing instance: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to attach socket to management routing instance"), + dup23, ])); -var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part308); +var msg289 = msg("LIBSERVICED_SOCKET_PRIVATIZE", part309); -var part309 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","LICENSE EXPIRED"), +var part310 = match("MESSAGE#285:LICENSE_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","LICENSE EXPIRED"), + dup23, ])); -var msg290 = msg("LICENSE_EXPIRED", part309); +var msg290 = msg("LICENSE_EXPIRED", part310); -var part310 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%{filename}\" has expired.", processor_chain([ - dup20, +var part311 = match("MESSAGE#286:LICENSE_EXPIRED_KEY_DELETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License key \"%{filename}\" has expired.", processor_chain([ dup21, - setc("event_description","License key has expired"), dup22, + setc("event_description","License key has expired"), + dup23, ])); -var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part310); +var msg291 = msg("LICENSE_EXPIRED_KEY_DELETED", part311); -var part311 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ - dup20, +var part312 = match("MESSAGE#287:LICENSE_NEARING_EXPIRY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: License for feature %{disposition->} %{result}", processor_chain([ dup21, - setc("event_description","License key expiration soon"), dup22, + setc("event_description","License key expiration soon"), + dup23, ])); -var msg292 = msg("LICENSE_NEARING_EXPIRY", part311); +var msg292 = msg("LICENSE_NEARING_EXPIRY", part312); -var part312 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ - dup29, - dup21, - setc("event_description","client aborted login"), +var part313 = match("MESSAGE#288:LOGIN_ABORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Client aborted login", processor_chain([ + dup30, dup22, + setc("event_description","client aborted login"), + dup23, ])); -var msg293 = msg("LOGIN_ABORTED", part312); +var msg293 = msg("LOGIN_ABORTED", part313); -var part313 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ - dup43, - dup33, +var part314 = match("MESSAGE#289:LOGIN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login failed for user %{username->} from host %{dhost}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, + dup36, + dup43, dup22, + dup75, + dup23, ])); -var msg294 = msg("LOGIN_FAILED", part313); +var msg294 = msg("LOGIN_FAILED", part314); -var part314 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ - dup43, - dup33, +var part315 = match("MESSAGE#290:LOGIN_FAILED_INCORRECT_PASSWORD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect password for user %{username}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Incorrect password for user"), + dup36, + dup43, dup22, + dup75, + setc("result","Incorrect password for user"), + dup23, ])); -var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part314); +var msg295 = msg("LOGIN_FAILED_INCORRECT_PASSWORD", part315); -var part315 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ - dup43, - dup33, +var part316 = match("MESSAGE#291:LOGIN_FAILED_SET_CONTEXT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set context for user %{username}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Failed to set context for user"), + dup36, + dup43, dup22, + dup75, + setc("result","Failed to set context for user"), + dup23, ])); -var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part315); +var msg296 = msg("LOGIN_FAILED_SET_CONTEXT", part316); -var part316 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ - dup43, - dup33, +var part317 = match("MESSAGE#292:LOGIN_FAILED_SET_LOGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to set login ID for user %{username}: %{dhost}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Failed to set login ID for user"), + dup36, + dup43, dup22, + dup75, + setc("result","Failed to set login ID for user"), + dup23, ])); -var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part316); +var msg297 = msg("LOGIN_FAILED_SET_LOGIN", part317); -var part317 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ - dup43, - dup33, +var part318 = match("MESSAGE#293:LOGIN_HOSTNAME_UNRESOLVED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to resolve hostname %{dhost}: %{info}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Unable to resolve hostname"), + dup36, + dup43, dup22, + dup75, + setc("result","Unable to resolve hostname"), + dup23, ])); -var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part317); +var msg298 = msg("LOGIN_HOSTNAME_UNRESOLVED", part318); -var part318 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{} %{event_type}: %{p0}"); +var part319 = match("MESSAGE#294:LOGIN_INFORMATION/2", "nwparser.p0", "%{event_type}: %{p0}"); -var part319 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{} %{username->} logged in from host %{dhost->} on %{p0}"); +var part320 = match("MESSAGE#294:LOGIN_INFORMATION/4", "nwparser.p0", "%{username->} logged in from host %{dhost->} on %{p0}"); -var part320 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); +var part321 = match("MESSAGE#294:LOGIN_INFORMATION/5_0", "nwparser.p0", "device %{p0}"); var select34 = linear_select([ - part320, - dup44, + part321, + dup45, ]); -var part321 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{} %{terminal}"); +var part322 = match("MESSAGE#294:LOGIN_INFORMATION/6", "nwparser.p0", "%{terminal}"); var all19 = all_match({ processors: [ - dup38, - dup134, - part318, - dup142, + dup39, + dup137, part319, + dup145, + part320, select34, - part321, + part322, ], on_success: processor_chain([ - dup32, dup33, dup34, dup35, dup36, - dup21, - setc("event_description","Successful Login"), + dup37, dup22, + setc("event_description","Successful Login"), + dup23, ]), }); var msg299 = msg("LOGIN_INFORMATION", all19); -var part322 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ - dup43, - dup33, +var part323 = match("MESSAGE#295:LOGIN_INVALID_LOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No entry in local password file for user %{username}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","No entry in local password file for user"), + dup36, + dup43, dup22, + dup75, + setc("result","No entry in local password file for user"), + dup23, ])); -var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part322); +var msg300 = msg("LOGIN_INVALID_LOCAL_USER", part323); -var part323 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ - dup43, - dup33, +var part324 = match("MESSAGE#296:LOGIN_MALFORMED_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid username: %{username}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Invalid username"), + dup36, + dup43, dup22, + dup75, + setc("result","Invalid username"), + dup23, ])); -var msg301 = msg("LOGIN_MALFORMED_USER", part323); +var msg301 = msg("LOGIN_MALFORMED_USER", part324); -var part324 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); +var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_0", "nwparser.p0", "PAM authentication error for user %{p0}"); -var part325 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); +var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/1_1", "nwparser.p0", "Failed password for user %{p0}"); var select35 = linear_select([ - part324, part325, + part326, ]); -var part326 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{} %{username}"); +var part327 = match("MESSAGE#297:LOGIN_PAM_AUTHENTICATION_ERROR/2", "nwparser.p0", "%{username}"); var all20 = all_match({ processors: [ - dup49, + dup50, select35, - part326, + part327, ], on_success: processor_chain([ - dup43, - dup33, + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","PAM authentication error for user"), + dup36, + dup43, dup22, + dup75, + setc("result","PAM authentication error for user"), + dup23, ]), }); var msg302 = msg("LOGIN_PAM_AUTHENTICATION_ERROR", all20); -var part327 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ - dup43, - dup33, +var part328 = match("MESSAGE#298:LOGIN_PAM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failure while authenticating user %{username}: %{dhost}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, + dup36, + dup43, + dup22, setc("event_description","PAM authentication failure"), setc("result","Failure while authenticating user"), - dup22, + dup23, ])); -var msg303 = msg("LOGIN_PAM_ERROR", part327); +var msg303 = msg("LOGIN_PAM_ERROR", part328); -var part328 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ - dup43, - dup33, +var part329 = match("MESSAGE#299:LOGIN_PAM_MAX_RETRIES", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many retries while authenticating user %{username}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Too many retries while authenticating user"), + dup36, + dup43, dup22, + dup75, + setc("result","Too many retries while authenticating user"), + dup23, ])); -var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part328); +var msg304 = msg("LOGIN_PAM_MAX_RETRIES", part329); -var part329 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ - dup43, - dup33, +var part330 = match("MESSAGE#300:LOGIN_PAM_NONLOCAL_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} authenticated but has no local login ID", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","User authenticated but has no local login ID"), + dup36, + dup43, dup22, + dup75, + setc("result","User authenticated but has no local login ID"), + dup23, ])); -var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part329); +var msg305 = msg("LOGIN_PAM_NONLOCAL_USER", part330); -var part330 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ +var part331 = match("MESSAGE#301:LOGIN_PAM_STOP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to end PAM session: %{info}", processor_chain([ setc("eventcategory","1303000000"), - dup33, - dup42, - dup21, - setc("event_description","Failed to end PAM session"), + dup34, + dup43, dup22, + setc("event_description","Failed to end PAM session"), + dup23, ])); -var msg306 = msg("LOGIN_PAM_STOP", part330); +var msg306 = msg("LOGIN_PAM_STOP", part331); -var part331 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ - dup43, - dup33, +var part332 = match("MESSAGE#302:LOGIN_PAM_USER_UNKNOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Attempt to authenticate unknown user %{username}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Attempt to authenticate unknown user"), + dup36, + dup43, dup22, + dup75, + setc("result","Attempt to authenticate unknown user"), + dup23, ])); -var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part331); +var msg307 = msg("LOGIN_PAM_USER_UNKNOWN", part332); -var part332 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ - dup43, - dup33, +var part333 = match("MESSAGE#303:LOGIN_PASSWORD_EXPIRED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Forcing change of expired password for user %{username}>", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Forcing change of expired password for user"), + dup36, + dup43, dup22, + dup75, + setc("result","Forcing change of expired password for user"), + dup23, ])); -var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part332); +var msg308 = msg("LOGIN_PASSWORD_EXPIRED", part333); -var part333 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ - dup43, - dup33, +var part334 = match("MESSAGE#304:LOGIN_REFUSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login of user %{username->} from host %{shost->} on %{terminal->} was refused: %{info}", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup74, - setc("result","Login of user refused"), + dup36, + dup43, dup22, + dup75, + setc("result","Login of user refused"), + dup23, ])); -var msg309 = msg("LOGIN_REFUSED", part333); +var msg309 = msg("LOGIN_REFUSED", part334); -var part334 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ - dup32, +var part335 = match("MESSAGE#305:LOGIN_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} logged in as root from host %{shost->} on %{terminal}", processor_chain([ dup33, dup34, dup35, dup36, - dup21, + dup37, + dup22, setc("event_description","successful login as root"), setc("result","User logged in as root"), - dup22, + dup23, ])); -var msg310 = msg("LOGIN_ROOT", part334); +var msg310 = msg("LOGIN_ROOT", part335); -var part335 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ +var part336 = match("MESSAGE#306:LOGIN_TIMED_OUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Login attempt timed out after %{dclass_counter1->} seconds", processor_chain([ + dup44, + dup34, + dup36, dup43, - dup33, - dup35, - dup42, - dup21, - dup74, - setc("result","Login attempt timed out"), dup22, + dup75, + setc("result","Login attempt timed out"), + dup23, ])); -var msg311 = msg("LOGIN_TIMED_OUT", part335); +var msg311 = msg("LOGIN_TIMED_OUT", part336); -var part336 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","MIB2D ATM ERROR"), +var part337 = match("MESSAGE#307:MIB2D_ATM_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","MIB2D ATM ERROR"), + dup23, ])); -var msg312 = msg("MIB2D_ATM_ERROR", part336); +var msg312 = msg("MIB2D_ATM_ERROR", part337); -var part337 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","CONFIG CHECK FAILED"), +var part338 = match("MESSAGE#308:MIB2D_CONFIG_CHECK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","CONFIG CHECK FAILED"), + dup23, ])); -var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part337); +var msg313 = msg("MIB2D_CONFIG_CHECK_FAILED", part338); -var part338 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%{filename}': %{result}", processor_chain([ - dup29, - dup21, - dup77, +var part339 = match("MESSAGE#309:MIB2D_FILE_OPEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%{filename}': %{result}", processor_chain([ + dup30, dup22, + dup78, + dup23, ])); -var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part338); +var msg314 = msg("MIB2D_FILE_OPEN_FAILURE", part339); -var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup143); +var msg315 = msg("MIB2D_IFD_IFINDEX_FAILURE", dup146); -var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup143); +var msg316 = msg("MIB2D_IFL_IFINDEX_FAILURE", dup146); -var part339 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","mib2d initialization failure"), +var part340 = match("MESSAGE#312:MIB2D_INIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: mib2d initialization failure: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","mib2d initialization failure"), + dup23, ])); -var msg317 = msg("MIB2D_INIT_FAILURE", part339); +var msg317 = msg("MIB2D_INIT_FAILURE", part340); -var part340 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","MIB2D KVM FAILURE"), +var part341 = match("MESSAGE#313:MIB2D_KVM_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","MIB2D KVM FAILURE"), + dup23, ])); -var msg318 = msg("MIB2D_KVM_FAILURE", part340); +var msg318 = msg("MIB2D_KVM_FAILURE", part341); -var part341 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ - dup29, - dup21, - setc("event_description","MIB2D RTSLIB READ FAILURE"), +var part342 = match("MESSAGE#314:MIB2D_RTSLIB_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: failed in %{dclass_counter1->} %{dclass_counter2->} index (%{result})", processor_chain([ + dup30, dup22, + setc("event_description","MIB2D RTSLIB READ FAILURE"), + dup23, ])); -var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part341); +var msg319 = msg("MIB2D_RTSLIB_READ_FAILURE", part342); -var part342 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ - dup29, - dup21, - setc("event_description","RTSLIB sequence mismatch"), +var part343 = match("MESSAGE#315:MIB2D_RTSLIB_SEQ_MISMATCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: sequence mismatch (%{result}), %{action}", processor_chain([ + dup30, dup22, + setc("event_description","RTSLIB sequence mismatch"), + dup23, ])); -var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part342); +var msg320 = msg("MIB2D_RTSLIB_SEQ_MISMATCH", part343); -var part343 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","MIB2D SYSCTL FAILURE"), +var part344 = match("MESSAGE#316:MIB2D_SYSCTL_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","MIB2D SYSCTL FAILURE"), + dup23, ])); -var msg321 = msg("MIB2D_SYSCTL_FAILURE", part343); +var msg321 = msg("MIB2D_SYSCTL_FAILURE", part344); -var part344 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ - dup29, - dup21, - setc("event_description","trap_request_header failed"), +var part345 = match("MESSAGE#317:MIB2D_TRAP_HEADER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: trap_request_header failed", processor_chain([ + dup30, dup22, + setc("event_description","trap_request_header failed"), + dup23, ])); -var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part344); +var msg322 = msg("MIB2D_TRAP_HEADER_FAILURE", part345); -var part345 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","MIB2D TRAP SEND FAILURE"), +var part346 = match("MESSAGE#318:MIB2D_TRAP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{service}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","MIB2D TRAP SEND FAILURE"), + dup23, ])); -var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part345); +var msg323 = msg("MIB2D_TRAP_SEND_FAILURE", part346); -var part346 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ - dup20, +var part347 = match("MESSAGE#319:Multiuser", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: old requested_transition==%{change_new->} sighupped=%{result}", processor_chain([ dup21, - setc("event_description","user sighupped"), dup22, + setc("event_description","user sighupped"), + dup23, ])); -var msg324 = msg("Multiuser", part346); +var msg324 = msg("Multiuser", part347); -var part347 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to allocate authentication handle"), +var part348 = match("MESSAGE#320:NASD_AUTHENTICATION_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate authentication handle: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to allocate authentication handle"), + dup23, ])); -var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part347); +var msg325 = msg("NASD_AUTHENTICATION_CREATE_FAILED", part348); -var part348 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename}, authentication already in progress", processor_chain([ - dup79, - dup33, - dup42, - dup21, - setc("event_description","authentication already in progress"), +var part349 = match("MESSAGE#321:NASD_CHAP_AUTHENTICATION_IN_PROGRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename}, authentication already in progress", processor_chain([ + dup80, + dup34, + dup43, dup22, + setc("event_description","authentication already in progress"), + dup23, ])); -var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part348); +var msg326 = msg("NASD_CHAP_AUTHENTICATION_IN_PROGRESS", part349); -var part349 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","unable to obtain hostname for outgoing CHAP message"), +var part350 = match("MESSAGE#322:NASD_CHAP_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: unable to obtain hostname for outgoing CHAP message: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","unable to obtain hostname for outgoing CHAP message"), + dup23, ])); -var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part349); +var msg327 = msg("NASD_CHAP_GETHOSTNAME_FAILED", part350); -var part350 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), +var part351 = match("MESSAGE#323:NASD_CHAP_INVALID_CHAP_IDENTIFIER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename->} expected CHAP ID: %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","CHAP INVALID_CHAP IDENTIFIER"), + dup23, ])); -var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part350); +var msg328 = msg("NASD_CHAP_INVALID_CHAP_IDENTIFIER", part351); -var part351 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %{filename}, CHAP ID: %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","CHAP INVALID OPCODE"), +var part352 = match("MESSAGE#324:NASD_CHAP_INVALID_OPCODE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}.%{dclass_counter1}: invalid operation code received %{filename}, CHAP ID: %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","CHAP INVALID OPCODE"), + dup23, ])); -var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part351); +var msg329 = msg("NASD_CHAP_INVALID_OPCODE", part352); -var part352 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to determine value for username in outgoing CHAP packet"), +var part353 = match("MESSAGE#325:NASD_CHAP_LOCAL_NAME_UNAVAILABLE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine value for '%{username}' in outgoing CHAP packet", processor_chain([ + dup30, dup22, + setc("event_description","Unable to determine value for username in outgoing CHAP packet"), + dup23, ])); -var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part352); +var msg330 = msg("NASD_CHAP_LOCAL_NAME_UNAVAILABLE", part353); -var part353 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename}", processor_chain([ - dup29, - dup21, - setc("event_description","CHAP MESSAGE UNEXPECTED"), +var part354 = match("MESSAGE#326:NASD_CHAP_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{interface}: received %{filename}", processor_chain([ + dup30, dup22, + setc("event_description","CHAP MESSAGE UNEXPECTED"), + dup23, ])); -var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part353); +var msg331 = msg("NASD_CHAP_MESSAGE_UNEXPECTED", part354); -var part354 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ - dup80, - dup21, - setc("event_description","CHAP REPLAY ATTACK DETECTED"), +var part355 = match("MESSAGE#327:NASD_CHAP_REPLAY_ATTACK_DETECTED", "nwparser.payload", "%{process}[%{ssid}]: %{event_type}: %{interface}.%{dclass_counter1}: received %{filename->} %{result}.%{info}", processor_chain([ + dup81, dup22, + setc("event_description","CHAP REPLAY ATTACK DETECTED"), + dup23, ])); -var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part354); +var msg332 = msg("NASD_CHAP_REPLAY_ATTACK_DETECTED", part355); -var part355 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to determine last modified time of JUNOS configuration database"), +var part356 = match("MESSAGE#328:NASD_CONFIG_GET_LAST_MODIFIED_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to determine last modified time of JUNOS configuration database: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to determine last modified time of JUNOS configuration database"), + dup23, ])); -var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part355); +var msg333 = msg("NASD_CONFIG_GET_LAST_MODIFIED_FAILED", part356); -var msg334 = msg("NASD_DAEMONIZE_FAILED", dup137); +var msg334 = msg("NASD_DAEMONIZE_FAILED", dup140); -var part356 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %{filename}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to allocate database object"), +var part357 = match("MESSAGE#330:NASD_DB_ALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate database object: %{filename}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to allocate database object"), + dup23, ])); -var msg335 = msg("NASD_DB_ALLOC_FAILURE", part356); +var msg335 = msg("NASD_DB_ALLOC_FAILURE", part357); -var part357 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{filename}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","DB TABLE CREATE FAILURE"), +var part358 = match("MESSAGE#331:NASD_DB_TABLE_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{filename}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","DB TABLE CREATE FAILURE"), + dup23, ])); -var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part357); +var msg336 = msg("NASD_DB_TABLE_CREATE_FAILURE", part358); -var msg337 = msg("NASD_DUPLICATE", dup138); +var msg337 = msg("NASD_DUPLICATE", dup141); -var part358 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","EVLIB CREATE FAILURE"), +var part359 = match("MESSAGE#333:NASD_EVLIB_CREATE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} with: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","EVLIB CREATE FAILURE"), + dup23, ])); -var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part358); +var msg338 = msg("NASD_EVLIB_CREATE_FAILURE", part359); -var part359 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","EVLIB EXIT FAILURE"), +var part360 = match("MESSAGE#334:NASD_EVLIB_EXIT_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} value: %{result}, error: %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","EVLIB EXIT FAILURE"), + dup23, ])); -var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part359); +var msg339 = msg("NASD_EVLIB_EXIT_FAILURE", part360); -var part360 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to allocate LOCAL module handle"), +var part361 = match("MESSAGE#335:NASD_LOCAL_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate LOCAL module handle: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to allocate LOCAL module handle"), + dup23, ])); -var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part360); +var msg340 = msg("NASD_LOCAL_CREATE_FAILED", part361); -var part361 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup62, - dup21, - setc("event_description","NASD must be run as root"), +var part362 = match("MESSAGE#336:NASD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, dup22, + setc("event_description","NASD must be run as root"), + dup23, ])); -var msg341 = msg("NASD_NOT_ROOT", part361); +var msg341 = msg("NASD_NOT_ROOT", part362); -var msg342 = msg("NASD_PID_FILE_LOCK", dup139); +var msg342 = msg("NASD_PID_FILE_LOCK", dup142); -var msg343 = msg("NASD_PID_FILE_UPDATE", dup140); +var msg343 = msg("NASD_PID_FILE_UPDATE", dup143); -var part362 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","POST CONFIGURE EVENT FAILED"), +var part363 = match("MESSAGE#339:NASD_POST_CONFIGURE_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","POST CONFIGURE EVENT FAILED"), + dup23, ])); -var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part362); +var msg344 = msg("NASD_POST_CONFIGURE_EVENT_FAILED", part363); -var part363 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","PPP READ FAILURE"), +var part364 = match("MESSAGE#340:NASD_PPP_READ_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","PPP READ FAILURE"), + dup23, ])); -var msg345 = msg("NASD_PPP_READ_FAILURE", part363); +var msg345 = msg("NASD_PPP_READ_FAILURE", part364); -var part364 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to send message"), +var part365 = match("MESSAGE#341:NASD_PPP_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send message: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to send message"), + dup23, ])); -var msg346 = msg("NASD_PPP_SEND_FAILURE", part364); +var msg346 = msg("NASD_PPP_SEND_FAILURE", part365); -var part365 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to send all of message"), +var part366 = match("MESSAGE#342:NASD_PPP_SEND_PARTIAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to send all of message: %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to send all of message"), + dup23, ])); -var msg347 = msg("NASD_PPP_SEND_PARTIAL", part365); +var msg347 = msg("NASD_PPP_SEND_PARTIAL", part366); -var part366 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ - dup29, - dup21, - setc("event_description","Unrecognized authentication protocol"), +var part367 = match("MESSAGE#343:NASD_PPP_UNRECOGNIZED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unrecognized authentication protocol: %{protocol}", processor_chain([ + dup30, dup22, + setc("event_description","Unrecognized authentication protocol"), + dup23, ])); -var msg348 = msg("NASD_PPP_UNRECOGNIZED", part366); +var msg348 = msg("NASD_PPP_UNRECOGNIZED", part367); -var part367 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RADIUS password allocation failure"), +var part368 = match("MESSAGE#344:NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} when allocating password for RADIUS: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RADIUS password allocation failure"), + dup23, ])); -var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part367); +var msg349 = msg("NASD_RADIUS_ALLOCATE_PASSWORD_FAILED", part368); -var part368 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RADIUS CONFIG FAILED"), +var part369 = match("MESSAGE#345:NASD_RADIUS_CONFIG_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RADIUS CONFIG FAILED"), + dup23, ])); -var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part368); +var msg350 = msg("NASD_RADIUS_CONFIG_FAILED", part369); -var part369 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to allocate RADIUS module handle"), +var part370 = match("MESSAGE#346:NASD_RADIUS_CREATE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to allocate RADIUS module handle: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to allocate RADIUS module handle"), + dup23, ])); -var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part369); +var msg351 = msg("NASD_RADIUS_CREATE_FAILED", part370); -var part370 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RADIUS CREATE REQUEST FAILED"), +var part371 = match("MESSAGE#347:NASD_RADIUS_CREATE_REQUEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RADIUS CREATE REQUEST FAILED"), + dup23, ])); -var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part370); +var msg352 = msg("NASD_RADIUS_CREATE_REQUEST_FAILED", part371); -var part371 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), +var part372 = match("MESSAGE#348:NASD_RADIUS_GETHOSTNAME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain hostname for outgoing RADIUS message: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to obtain hostname for outgoing RADIUS message"), + dup23, ])); -var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part371); +var msg353 = msg("NASD_RADIUS_GETHOSTNAME_FAILED", part372); -var part372 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unknown response from RADIUS server"), +var part373 = match("MESSAGE#349:NASD_RADIUS_MESSAGE_UNEXPECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown response from RADIUS server: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unknown response from RADIUS server"), + dup23, ])); -var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part372); +var msg354 = msg("NASD_RADIUS_MESSAGE_UNEXPECTED", part373); -var part373 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RADIUS OPEN FAILED"), +var part374 = match("MESSAGE#350:NASD_RADIUS_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RADIUS OPEN FAILED"), + dup23, ])); -var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part373); +var msg355 = msg("NASD_RADIUS_OPEN_FAILED", part374); -var part374 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RADIUS SELECT FAILED"), +var part375 = match("MESSAGE#351:NASD_RADIUS_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RADIUS SELECT FAILED"), + dup23, ])); -var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part374); +var msg356 = msg("NASD_RADIUS_SELECT_FAILED", part375); -var part375 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RADIUS SET TIMER FAILED"), +var part376 = match("MESSAGE#352:NASD_RADIUS_SET_TIMER_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RADIUS SET TIMER FAILED"), + dup23, ])); -var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part375); +var msg357 = msg("NASD_RADIUS_SET_TIMER_FAILED", part376); -var part376 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TRACE FILE OPEN FAILED"), +var part377 = match("MESSAGE#353:NASD_TRACE_FILE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TRACE FILE OPEN FAILED"), + dup23, ])); -var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part376); +var msg358 = msg("NASD_TRACE_FILE_OPEN_FAILED", part377); -var part377 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup20, +var part378 = match("MESSAGE#354:NASD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ dup21, - setc("event_description","NASD Usage"), dup22, + setc("event_description","NASD Usage"), + dup23, ])); -var msg359 = msg("NASD_usage", part377); +var msg359 = msg("NASD_usage", part378); -var part378 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ - dup20, +var part379 = match("MESSAGE#355:NOTICE", "nwparser.payload", "%{agent}: %{event_type}:%{action}: %{event_description}: The %{result}", processor_chain([ dup21, dup22, + dup23, ])); -var msg360 = msg("NOTICE", part378); +var msg360 = msg("NOTICE", part379); -var part379 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup20, +var part380 = match("MESSAGE#356:PFE_FW_SYSLOG_IP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ dup21, - dup81, dup22, + dup82, + dup23, ])); -var msg361 = msg("PFE_FW_SYSLOG_IP", part379); +var msg361 = msg("PFE_FW_SYSLOG_IP", part380); -var part380 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ - dup20, +var part381 = match("MESSAGE#357:PFE_FW_SYSLOG_IP:01", "nwparser.payload", "%{hostip->} %{hostname->} %{event_type}: FW: %{smacaddr->} %{fld10->} %{protocol->} %{saddr->} %{daddr->} %{sport->} %{dport->} (%{packets->} packets)", processor_chain([ dup21, - dup81, dup22, + dup82, + dup23, ])); -var msg362 = msg("PFE_FW_SYSLOG_IP:01", part380); +var msg362 = msg("PFE_FW_SYSLOG_IP:01", part381); var select36 = linear_select([ msg361, msg362, ]); -var part381 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup20, +var part382 = match("MESSAGE#358:PFE_NH_RESOLVE_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ dup21, - setc("event_description","Next-hop resolution requests throttled"), dup22, + setc("event_description","Next-hop resolution requests throttled"), + dup23, ])); -var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part381); +var msg363 = msg("PFE_NH_RESOLVE_THROTTLED", part382); -var part382 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup20, +var part383 = match("MESSAGE#359:PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ dup21, - setc("event_description","PING TEST COMPLETED"), dup22, + setc("event_description","PING TEST COMPLETED"), + dup23, ])); -var msg364 = msg("PING_TEST_COMPLETED", part382); +var msg364 = msg("PING_TEST_COMPLETED", part383); -var part383 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup20, +var part384 = match("MESSAGE#360:PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ dup21, - setc("event_description","PING TEST FAILED"), dup22, + setc("event_description","PING TEST FAILED"), + dup23, ])); -var msg365 = msg("PING_TEST_FAILED", part383); +var msg365 = msg("PING_TEST_FAILED", part384); -var part384 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{} %{p0}"); +var part385 = match("MESSAGE#361:process_mode/2", "nwparser.p0", "%{p0}"); -var part385 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); +var part386 = match("MESSAGE#361:process_mode/3_0", "nwparser.p0", "%{event_type}: %{p0}"); -var part386 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); +var part387 = match("MESSAGE#361:process_mode/3_1", "nwparser.p0", "%{event_type->} %{p0}"); var select37 = linear_select([ - part385, part386, + part387, ]); -var part387 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "%{}mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); +var part388 = match("MESSAGE#361:process_mode/4", "nwparser.p0", "mode=%{protocol->} cmd=%{action->} master_mode=%{result}"); var all21 = all_match({ processors: [ - dup38, - dup134, - part384, + dup39, + dup137, + part385, select37, - part387, + part388, ], on_success: processor_chain([ - dup20, dup21, - dup82, dup22, + dup83, + dup23, ]), }); var msg366 = msg("process_mode", all21); -var part388 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ - dup20, +var part389 = match("MESSAGE#362:process_mode:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: current_mode=%{protocol}, requested_mode=%{result}, cmd=%{action}", processor_chain([ dup21, - dup82, dup22, + dup83, + dup23, ])); -var msg367 = msg("process_mode:01", part388); +var msg367 = msg("process_mode:01", part389); var select38 = linear_select([ msg366, msg367, ]); -var part389 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ - dup20, +var part390 = match("MESSAGE#363:PWC_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} exiting with status %{result}", processor_chain([ dup21, - setc("event_description","process exit with status"), dup22, + setc("event_description","process exit with status"), + dup23, ])); -var msg368 = msg("PWC_EXIT", part389); +var msg368 = msg("PWC_EXIT", part390); -var part390 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ - dup20, +var part391 = match("MESSAGE#364:PWC_HOLD_RELEASE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} released child %{child_pid->} from %{dclass_counter1->} state", processor_chain([ dup21, - setc("event_description","Process released child from state"), dup22, + setc("event_description","Process released child from state"), + dup23, ])); -var msg369 = msg("PWC_HOLD_RELEASE", part390); +var msg369 = msg("PWC_HOLD_RELEASE", part391); -var part391 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ - dup20, +var part392 = match("MESSAGE#365:PWC_INVALID_RUNS_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}, not %{resultcode}", processor_chain([ dup21, - setc("event_description","invalid runs argument"), dup22, + setc("event_description","invalid runs argument"), + dup23, ])); -var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part391); +var msg370 = msg("PWC_INVALID_RUNS_ARGUMENT", part392); -var part392 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","INVALID TIMEOUT ARGUMENT"), +var part393 = match("MESSAGE#366:PWC_INVALID_TIMEOUT_ARGUMENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","INVALID TIMEOUT ARGUMENT"), + dup23, ])); -var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part392); +var msg371 = msg("PWC_INVALID_TIMEOUT_ARGUMENT", part393); -var part393 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ - dup20, +var part394 = match("MESSAGE#367:PWC_KILLED_BY_SIGNAL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} received terminating signal", processor_chain([ dup21, - setc("event_description","pwc process received terminating signal"), dup22, + setc("event_description","pwc process received terminating signal"), + dup23, ])); -var msg372 = msg("PWC_KILLED_BY_SIGNAL", part393); +var msg372 = msg("PWC_KILLED_BY_SIGNAL", part394); -var part394 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ - dup29, - dup21, - setc("event_description","pwc is sending kill event to child"), +var part395 = match("MESSAGE#368:PWC_KILL_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc is sending %{resultcode->} to child %{child_pid}", processor_chain([ + dup30, dup22, + setc("event_description","pwc is sending kill event to child"), + dup23, ])); -var msg373 = msg("PWC_KILL_EVENT", part394); +var msg373 = msg("PWC_KILL_EVENT", part395); -var part395 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to kill process"), +var part396 = match("MESSAGE#369:PWC_KILL_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to kill process %{child_pid}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to kill process"), + dup23, ])); -var msg374 = msg("PWC_KILL_FAILED", part395); +var msg374 = msg("PWC_KILL_FAILED", part396); -var part396 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","kevent failed"), +var part397 = match("MESSAGE#370:PWC_KQUEUE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: kevent failed: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","kevent failed"), + dup23, ])); -var msg375 = msg("PWC_KQUEUE_ERROR", part396); +var msg375 = msg("PWC_KQUEUE_ERROR", part397); -var part397 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to create kqueue"), +var part398 = match("MESSAGE#371:PWC_KQUEUE_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create kqueue: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to create kqueue"), + dup23, ])); -var msg376 = msg("PWC_KQUEUE_INIT", part397); +var msg376 = msg("PWC_KQUEUE_INIT", part398); -var part398 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Failed to register kqueue filter"), +var part399 = match("MESSAGE#372:PWC_KQUEUE_REGISTER_FILTER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to register kqueue filter: %{agent->} for purpose: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Failed to register kqueue filter"), + dup23, ])); -var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part398); +var msg377 = msg("PWC_KQUEUE_REGISTER_FILTER", part399); -var part399 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ - dup29, - dup21, - setc("event_description","PID lock file has bad format"), +var part400 = match("MESSAGE#373:PWC_LOCKFILE_BAD_FORMAT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file has bad format: %{agent}", processor_chain([ + dup30, dup22, + setc("event_description","PID lock file has bad format"), + dup23, ])); -var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part399); +var msg378 = msg("PWC_LOCKFILE_BAD_FORMAT", part400); -var part400 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","PID lock file error"), +var part401 = match("MESSAGE#374:PWC_LOCKFILE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file had error: %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","PID lock file error"), + dup23, ])); -var msg379 = msg("PWC_LOCKFILE_ERROR", part400); +var msg379 = msg("PWC_LOCKFILE_ERROR", part401); -var part401 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ - dup29, - dup21, - setc("event_description","PID lock file not found"), +var part402 = match("MESSAGE#375:PWC_LOCKFILE_MISSING", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not found: %{agent}", processor_chain([ + dup30, dup22, + setc("event_description","PID lock file not found"), + dup23, ])); -var msg380 = msg("PWC_LOCKFILE_MISSING", part401); +var msg380 = msg("PWC_LOCKFILE_MISSING", part402); -var part402 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ - dup29, - dup21, - setc("event_description","PID lock file not locked"), +var part403 = match("MESSAGE#376:PWC_LOCKFILE_NOT_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PID lock file not locked: %{agent}", processor_chain([ + dup30, dup22, + setc("event_description","PID lock file not locked"), + dup23, ])); -var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part402); +var msg381 = msg("PWC_LOCKFILE_NOT_LOCKED", part403); -var part403 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ - dup29, - dup21, - setc("event_description","No process specified for PWC"), +var part404 = match("MESSAGE#377:PWC_NO_PROCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No process specified", processor_chain([ + dup30, dup22, + setc("event_description","No process specified for PWC"), + dup23, ])); -var msg382 = msg("PWC_NO_PROCESS", part403); +var msg382 = msg("PWC_NO_PROCESS", part404); -var part404 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ - dup20, +var part405 = match("MESSAGE#378:PWC_PROCESS_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pwc process %{agent->} child %{child_pid->} exited with status %{result}", processor_chain([ dup21, - setc("event_description","pwc process exited with status"), dup22, + setc("event_description","pwc process exited with status"), + dup23, ])); -var msg383 = msg("PWC_PROCESS_EXIT", part404); +var msg383 = msg("PWC_PROCESS_EXIT", part405); -var part405 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ - dup20, +var part406 = match("MESSAGE#379:PWC_PROCESS_FORCED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} forcing hold down of child %{child_pid->} until signal", processor_chain([ dup21, - setc("event_description","Process forcing hold down of child until signalled"), dup22, + setc("event_description","Process forcing hold down of child until signalled"), + dup23, ])); -var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part405); +var msg384 = msg("PWC_PROCESS_FORCED_HOLD", part406); -var part406 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ - dup20, +var part407 = match("MESSAGE#380:PWC_PROCESS_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} until signal", processor_chain([ dup21, - setc("event_description","Process holding down child until signalled"), dup22, + setc("event_description","Process holding down child until signalled"), + dup23, ])); -var msg385 = msg("PWC_PROCESS_HOLD", part406); +var msg385 = msg("PWC_PROCESS_HOLD", part407); -var part407 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Process not holding down child"), +var part408 = match("MESSAGE#381:PWC_PROCESS_HOLD_SKIPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} will not down child %{child_pid->} because of %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Process not holding down child"), + dup23, ])); -var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part407); +var msg386 = msg("PWC_PROCESS_HOLD_SKIPPED", part408); -var part408 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Failed to create child process with pidpopen"), +var part409 = match("MESSAGE#382:PWC_PROCESS_OPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create child process with pidpopen: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Failed to create child process with pidpopen"), + dup23, ])); -var msg387 = msg("PWC_PROCESS_OPEN", part408); +var msg387 = msg("PWC_PROCESS_OPEN", part409); -var part409 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ - dup20, +var part410 = match("MESSAGE#383:PWC_PROCESS_TIMED_HOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process %{agent->} holding down child %{child_pid->} %{result}", processor_chain([ dup21, - setc("event_description","Process holding down child"), dup22, + setc("event_description","Process holding down child"), + dup23, ])); -var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part409); +var msg388 = msg("PWC_PROCESS_TIMED_HOLD", part410); -var part410 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ - dup20, +var part411 = match("MESSAGE#384:PWC_PROCESS_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child timed out %{result}", processor_chain([ dup21, - setc("event_description","Child process timed out"), dup22, + setc("event_description","Child process timed out"), + dup23, ])); -var msg389 = msg("PWC_PROCESS_TIMEOUT", part410); +var msg389 = msg("PWC_PROCESS_TIMEOUT", part411); -var part411 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","signal failure"), +var part412 = match("MESSAGE#385:PWC_SIGNAL_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: signal(%{agent}) failed: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","signal failure"), + dup23, ])); -var msg390 = msg("PWC_SIGNAL_INIT", part411); +var msg390 = msg("PWC_SIGNAL_INIT", part412); -var part412 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to connect socket to service"), +var part413 = match("MESSAGE#386:PWC_SOCKET_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to connect socket to %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to connect socket to service"), + dup23, ])); -var msg391 = msg("PWC_SOCKET_CONNECT", part412); +var msg391 = msg("PWC_SOCKET_CONNECT", part413); -var part413 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Failed to create socket"), +var part414 = match("MESSAGE#387:PWC_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Failed to create socket: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Failed to create socket"), + dup23, ])); -var msg392 = msg("PWC_SOCKET_CREATE", part413); +var msg392 = msg("PWC_SOCKET_CREATE", part414); -var part414 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to set socket option"), +var part415 = match("MESSAGE#388:PWC_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to set socket option %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to set socket option"), + dup23, ])); -var msg393 = msg("PWC_SOCKET_OPTION", part414); +var msg393 = msg("PWC_SOCKET_OPTION", part415); -var part415 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Write to stdout failed"), +var part416 = match("MESSAGE#389:PWC_STDOUT_WRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Write to stdout failed: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Write to stdout failed"), + dup23, ])); -var msg394 = msg("PWC_STDOUT_WRITE", part415); +var msg394 = msg("PWC_STDOUT_WRITE", part416); -var part416 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup20, +var part417 = match("MESSAGE#390:PWC_SYSTEM_CALL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ dup21, - setc("event_description","PWC SYSTEM CALL"), dup22, + setc("event_description","PWC SYSTEM CALL"), + dup23, ])); -var msg395 = msg("PWC_SYSTEM_CALL", part416); +var msg395 = msg("PWC_SYSTEM_CALL", part417); -var part417 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ - dup29, - dup21, - setc("event_description","Unknown kill option"), +var part418 = match("MESSAGE#391:PWC_UNKNOWN_KILL_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unknown kill option [%{agent}]", processor_chain([ + dup30, dup22, + setc("event_description","Unknown kill option"), + dup23, ])); -var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part417); +var msg396 = msg("PWC_UNKNOWN_KILL_OPTION", part418); -var part418 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ - dup29, - dup21, - setc("event_description","Multicast address not allowed"), +var part419 = match("MESSAGE#392:RMOPD_ADDRESS_MULTICAST_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Multicast address is not allowed", processor_chain([ + dup30, dup22, + setc("event_description","Multicast address not allowed"), + dup23, ])); -var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part418); +var msg397 = msg("RMOPD_ADDRESS_MULTICAST_INVALID", part419); -var part419 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RMOPD ADDRESS SOURCE INVALID"), +var part420 = match("MESSAGE#393:RMOPD_ADDRESS_SOURCE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Source address invalid: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RMOPD ADDRESS SOURCE INVALID"), + dup23, ])); -var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part419); +var msg398 = msg("RMOPD_ADDRESS_SOURCE_INVALID", part420); -var part420 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to convert numeric address to string"), +var part421 = match("MESSAGE#394:RMOPD_ADDRESS_STRING_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to convert numeric address to string: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to convert numeric address to string"), + dup23, ])); -var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part420); +var msg399 = msg("RMOPD_ADDRESS_STRING_FAILURE", part421); -var part421 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","rmop_util_set_address status message invalid"), +var part422 = match("MESSAGE#395:RMOPD_ADDRESS_TARGET_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rmop_util_set_address status message: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","rmop_util_set_address status message invalid"), + dup23, ])); -var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part421); +var msg400 = msg("RMOPD_ADDRESS_TARGET_INVALID", part422); -var msg401 = msg("RMOPD_DUPLICATE", dup138); +var msg401 = msg("RMOPD_DUPLICATE", dup141); -var part422 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ - dup29, - dup21, - setc("event_description","Only IPv4 source address is supported"), +var part423 = match("MESSAGE#397:RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Only IPv4 source address is supported", processor_chain([ + dup30, dup22, + setc("event_description","Only IPv4 source address is supported"), + dup23, ])); -var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part422); +var msg402 = msg("RMOPD_ICMP_ADDRESS_TYPE_UNSUPPORTED", part423); -var part423 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ - dup29, - dup21, - setc("event_description","No route to host"), +var part424 = match("MESSAGE#398:RMOPD_ICMP_SENDMSG_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{fld1}: No route to host", processor_chain([ + dup30, dup22, + setc("event_description","No route to host"), + dup23, ])); -var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part423); +var msg403 = msg("RMOPD_ICMP_SENDMSG_FAILURE", part424); -var part424 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ - dup29, - dup21, - setc("event_description","IFINDEX NOT ACTIVE"), +var part425 = match("MESSAGE#399:RMOPD_IFINDEX_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifindex: %{interface}", processor_chain([ + dup30, dup22, + setc("event_description","IFINDEX NOT ACTIVE"), + dup23, ])); -var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part424); +var msg404 = msg("RMOPD_IFINDEX_NOT_ACTIVE", part425); -var part425 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","IFINDEX NO INFO"), +var part426 = match("MESSAGE#400:RMOPD_IFINDEX_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","IFINDEX NO INFO"), + dup23, ])); -var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part425); +var msg405 = msg("RMOPD_IFINDEX_NO_INFO", part426); -var part426 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ - dup29, - dup21, - setc("event_description","RMOPD IFNAME NOT ACTIVE"), +var part427 = match("MESSAGE#401:RMOPD_IFNAME_NOT_ACTIVE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifname: %{interface}", processor_chain([ + dup30, dup22, + setc("event_description","RMOPD IFNAME NOT ACTIVE"), + dup23, ])); -var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part426); +var msg406 = msg("RMOPD_IFNAME_NOT_ACTIVE", part427); -var part427 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","IFNAME NO INFO"), +var part428 = match("MESSAGE#402:RMOPD_IFNAME_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for %{interface}, message: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","IFNAME NO INFO"), + dup23, ])); -var msg407 = msg("RMOPD_IFNAME_NO_INFO", part427); +var msg407 = msg("RMOPD_IFNAME_NO_INFO", part428); -var part428 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup62, - dup21, - setc("event_description","RMOPD Must be run as root"), +var part429 = match("MESSAGE#403:RMOPD_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, dup22, + setc("event_description","RMOPD Must be run as root"), + dup23, ])); -var msg408 = msg("RMOPD_NOT_ROOT", part428); +var msg408 = msg("RMOPD_NOT_ROOT", part429); -var part429 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","No information for routing instance"), +var part430 = match("MESSAGE#404:RMOPD_ROUTING_INSTANCE_NO_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No information for routing instance %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","No information for routing instance"), + dup23, ])); -var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part429); +var msg409 = msg("RMOPD_ROUTING_INSTANCE_NO_INFO", part430); -var part430 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TRACEROUTE ERROR"), +var part431 = match("MESSAGE#405:RMOPD_TRACEROUTE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TRACEROUTE ERROR"), + dup23, ])); -var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part430); +var msg410 = msg("RMOPD_TRACEROUTE_ERROR", part431); -var part431 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ - dup20, +var part432 = match("MESSAGE#406:RMOPD_usage", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}: %{info}", processor_chain([ dup21, - setc("event_description","RMOPD usage"), dup22, + setc("event_description","RMOPD usage"), + dup23, ])); -var msg411 = msg("RMOPD_usage", part431); +var msg411 = msg("RMOPD_usage", part432); -var part432 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RPD ABORT"), +var part433 = match("MESSAGE#407:RPD_ABORT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RPD ABORT"), + dup23, ])); -var msg412 = msg("RPD_ABORT", part432); +var msg412 = msg("RPD_ABORT", part433); -var part433 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ - dup29, - dup21, - setc("event_description","RPD exiting with active tasks"), +var part434 = match("MESSAGE#408:RPD_ACTIVE_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Exiting with active tasks: %{agent}", processor_chain([ + dup30, dup22, + setc("event_description","RPD exiting with active tasks"), + dup23, ])); -var msg413 = msg("RPD_ACTIVE_TERMINATE", part433); +var msg413 = msg("RPD_ACTIVE_TERMINATE", part434); -var part434 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%{filename}\", line %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","RPD Assertion failed"), +var part435 = match("MESSAGE#409:RPD_ASSERT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Assertion failed %{resultcode}: file \"%{filename}\", line %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","RPD Assertion failed"), + dup23, ])); -var msg414 = msg("RPD_ASSERT", part434); +var msg414 = msg("RPD_ASSERT", part435); -var part435 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%{filename}\", line %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","RPD Soft assertion failed"), +var part436 = match("MESSAGE#410:RPD_ASSERT_SOFT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Soft assertion failed %{resultcode}: file \"%{filename}\", line %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","RPD Soft assertion failed"), + dup23, ])); -var msg415 = msg("RPD_ASSERT_SOFT", part435); +var msg415 = msg("RPD_ASSERT_SOFT", part436); -var part436 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ - dup20, +var part437 = match("MESSAGE#411:RPD_EXIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} version built by builder on %{dclass_counter1}", processor_chain([ dup21, - setc("event_description","RPD EXIT"), dup22, + setc("event_description","RPD EXIT"), + dup23, ])); -var msg416 = msg("RPD_EXIT", part436); +var msg416 = msg("RPD_EXIT", part437); -var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup144); +var msg417 = msg("RPD_IFL_INDEXCOLLISION", dup147); -var msg418 = msg("RPD_IFL_NAMECOLLISION", dup144); +var msg418 = msg("RPD_IFL_NAMECOLLISION", dup147); -var part437 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","IS-IS lost adjacency"), +var part438 = match("MESSAGE#414:RPD_ISIS_ADJDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS lost %{dclass_counter1->} adjacency to %{dclass_counter2->} on %{interface}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","IS-IS lost adjacency"), + dup23, ])); -var msg419 = msg("RPD_ISIS_ADJDOWN", part437); +var msg419 = msg("RPD_ISIS_ADJDOWN", part438); -var part438 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ - dup20, +var part439 = match("MESSAGE#415:RPD_ISIS_ADJUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface}", processor_chain([ dup21, - setc("event_description","IS-IS new adjacency"), dup22, + setc("event_description","IS-IS new adjacency"), + dup23, ])); -var msg420 = msg("RPD_ISIS_ADJUP", part438); +var msg420 = msg("RPD_ISIS_ADJUP", part439); -var part439 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ - dup29, - dup21, - setc("event_description","IS-IS new adjacency without an address"), +var part440 = match("MESSAGE#416:RPD_ISIS_ADJUPNOIP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS new %{dclass_counter1->} adjacency to %{dclass_counter2->} %{interface->} without an address", processor_chain([ + dup30, dup22, + setc("event_description","IS-IS new adjacency without an address"), + dup23, ])); -var msg421 = msg("RPD_ISIS_ADJUPNOIP", part439); +var msg421 = msg("RPD_ISIS_ADJUPNOIP", part440); -var part440 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ - dup29, - dup21, - setc("event_description","IS-IS LSP checksum error on iterface"), +var part441 = match("MESSAGE#417:RPD_ISIS_LSPCKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS %{dclass_counter1->} LSP checksum error, interface %{interface}, LSP id %{id}, sequence %{dclass_counter2}, checksum %{resultcode}, lifetime %{fld2}", processor_chain([ + dup30, dup22, + setc("event_description","IS-IS LSP checksum error on iterface"), + dup23, ])); -var msg422 = msg("RPD_ISIS_LSPCKSUM", part440); +var msg422 = msg("RPD_ISIS_LSPCKSUM", part441); -var part441 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ - dup29, - dup21, - setc("event_description","IS-IS database overload"), +var part442 = match("MESSAGE#418:RPD_ISIS_OVERLOAD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: IS-IS database overload", processor_chain([ + dup30, dup22, + setc("event_description","IS-IS database overload"), + dup23, ])); -var msg423 = msg("RPD_ISIS_OVERLOAD", part441); +var msg423 = msg("RPD_ISIS_OVERLOAD", part442); -var part442 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","message with unsupported address family received"), +var part443 = match("MESSAGE#419:RPD_KRT_AFUNSUPRT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{resultcode}: received %{agent->} message with unsupported address family %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","message with unsupported address family received"), + dup23, ])); -var msg424 = msg("RPD_KRT_AFUNSUPRT", part442); +var msg424 = msg("RPD_KRT_AFUNSUPRT", part443); -var part443 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ - dup29, - dup21, - setc("event_description","RPD KRT CCC IFL MODIFY"), +var part444 = match("MESSAGE#420:RPD_KRT_CCC_IFL_MODIFY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, error", processor_chain([ + dup30, dup22, + setc("event_description","RPD KRT CCC IFL MODIFY"), + dup23, ])); -var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part443); +var msg425 = msg("RPD_KRT_CCC_IFL_MODIFY", part444); -var part444 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","received deleted routing table from kernel"), +var part445 = match("MESSAGE#421:RPD_KRT_DELETED_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received deleted routing table from the kernel for family %{dclass_counter1->} table ID %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","received deleted routing table from kernel"), + dup23, ])); -var msg426 = msg("RPD_KRT_DELETED_RTT", part444); +var msg426 = msg("RPD_KRT_DELETED_RTT", part445); -var part445 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","ifa generation mismatch"), +var part446 = match("MESSAGE#422:RPD_KRT_IFA_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifa generation mismatch -- %{result}", processor_chain([ + dup30, dup22, + setc("event_description","ifa generation mismatch"), + dup23, ])); -var msg427 = msg("RPD_KRT_IFA_GENERATION", part445); +var msg427 = msg("RPD_KRT_IFA_GENERATION", part446); -var part446 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup29, - dup21, - setc("event_description","CHANGE for ifd failed"), +var part447 = match("MESSAGE#423:RPD_KRT_IFDCHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} CHANGE for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup30, dup22, + setc("event_description","CHANGE for ifd failed"), + dup23, ])); -var msg428 = msg("RPD_KRT_IFDCHANGE", part446); +var msg428 = msg("RPD_KRT_IFDCHANGE", part447); -var part447 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ - dup29, - dup21, - setc("event_description","GET SERVICE failure on interface"), +var part448 = match("MESSAGE#424:RPD_KRT_IFDEST_GET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type->} SERVICE: %{service->} for ifd %{interface->} failed, error \"%{result}\"", processor_chain([ + dup30, dup22, + setc("event_description","GET SERVICE failure on interface"), + dup23, ])); -var msg429 = msg("RPD_KRT_IFDEST_GET", part447); +var msg429 = msg("RPD_KRT_IFDEST_GET", part448); -var part448 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ - dup29, - dup21, - setc("event_description","GET index for ifd interface failed"), +var part449 = match("MESSAGE#425:RPD_KRT_IFDGET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} GET index for ifd interface failed, error \"%{result}\"", processor_chain([ + dup30, dup22, + setc("event_description","GET index for ifd interface failed"), + dup23, ])); -var msg430 = msg("RPD_KRT_IFDGET", part448); +var msg430 = msg("RPD_KRT_IFDGET", part449); -var part449 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","ifd generation mismatch"), +var part450 = match("MESSAGE#426:RPD_KRT_IFD_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifd %{dclass_counter1->} generation mismatch -- %{result}", processor_chain([ + dup30, dup22, + setc("event_description","ifd generation mismatch"), + dup23, ])); -var msg431 = msg("RPD_KRT_IFD_GENERATION", part449); +var msg431 = msg("RPD_KRT_IFD_GENERATION", part450); -var part450 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","KRT IFL CELL RELAY MODE INVALID"), +var part451 = match("MESSAGE#427:RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","KRT IFL CELL RELAY MODE INVALID"), + dup23, ])); -var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part450); +var msg432 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", part451); -var part451 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), +var part452 = match("MESSAGE#428:RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl : %{agent}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","KRT IFL CELL RELAY MODE UNSPECIFIED"), + dup23, ])); -var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part451); +var msg433 = msg("RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", part452); -var part452 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","ifl generation mismatch"), +var part453 = match("MESSAGE#429:RPD_KRT_IFL_GENERATION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifl %{interface->} generation mismatch -- %{result}", processor_chain([ + dup30, dup22, + setc("event_description","ifl generation mismatch"), + dup23, ])); -var msg434 = msg("RPD_KRT_IFL_GENERATION", part452); +var msg434 = msg("RPD_KRT_IFL_GENERATION", part453); -var part453 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","lost interface for route"), +var part454 = match("MESSAGE#430:RPD_KRT_KERNEL_BAD_ROUTE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: lost %{interface->} %{dclass_counter1->} for route %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","lost interface for route"), + dup23, ])); -var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part453); +var msg435 = msg("RPD_KRT_KERNEL_BAD_ROUTE", part454); -var part454 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","number of next hops exceeded the maximum"), +var part455 = match("MESSAGE#431:RPD_KRT_NEXTHOP_OVERFLOW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: number of next hops (%{dclass_counter1}) exceeded the maximum allowed (%{dclass_counter2}) -- %{result}", processor_chain([ + dup30, dup22, + setc("event_description","number of next hops exceeded the maximum"), + dup23, ])); -var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part454); +var msg436 = msg("RPD_KRT_NEXTHOP_OVERFLOW", part455); -var part455 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ - dup29, - dup21, - setc("event_description","No device for interface"), +var part456 = match("MESSAGE#432:RPD_KRT_NOIFD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No device %{dclass_counter1->} for interface %{interface}", processor_chain([ + dup30, dup22, + setc("event_description","No device for interface"), + dup23, ])); -var msg437 = msg("RPD_KRT_NOIFD", part455); +var msg437 = msg("RPD_KRT_NOIFD", part456); -var part456 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","received routing table message for unknown table"), +var part457 = match("MESSAGE#433:RPD_KRT_UNKNOWN_RTT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: received routing table message for unknown table with kernel ID %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","received routing table message for unknown table"), + dup23, ])); -var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part456); +var msg438 = msg("RPD_KRT_UNKNOWN_RTT", part457); -var part457 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Routing socket version mismatch"), +var part458 = match("MESSAGE#434:RPD_KRT_VERSION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket version mismatch (%{info}) -- %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Routing socket version mismatch"), + dup23, ])); -var msg439 = msg("RPD_KRT_VERSION", part457); +var msg439 = msg("RPD_KRT_VERSION", part458); -var part458 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Routing socket message type not supported by kernel"), +var part459 = match("MESSAGE#435:RPD_KRT_VERSIONNONE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is not supported by kernel, %{info->} -- %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Routing socket message type not supported by kernel"), + dup23, ])); -var msg440 = msg("RPD_KRT_VERSIONNONE", part458); +var msg440 = msg("RPD_KRT_VERSIONNONE", part459); -var part459 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Routing socket message type version is older than expected"), +var part460 = match("MESSAGE#436:RPD_KRT_VERSIONOLD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Routing socket message type %{agent}'s version is older than expected (%{info}) -- %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Routing socket message type version is older than expected"), + dup23, ])); -var msg441 = msg("RPD_KRT_VERSIONOLD", part459); +var msg441 = msg("RPD_KRT_VERSIONOLD", part460); -var part460 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Duplicate session ID detected"), +var part461 = match("MESSAGE#437:RPD_LDP_INTF_BLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Duplicate session ID detected from %{daddr}, interface %{interface}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Duplicate session ID detected"), + dup23, ])); -var msg442 = msg("RPD_LDP_INTF_BLOCKED", part460); +var msg442 = msg("RPD_LDP_INTF_BLOCKED", part461); -var part461 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ - dup20, +var part462 = match("MESSAGE#438:RPD_LDP_INTF_UNBLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP interface %{interface->} is now %{result}", processor_chain([ dup21, - setc("event_description","LDP interface now unblocked"), dup22, + setc("event_description","LDP interface now unblocked"), + dup23, ])); -var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part461); +var msg443 = msg("RPD_LDP_INTF_UNBLOCKED", part462); -var part462 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ +var part463 = match("MESSAGE#439:RPD_LDP_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ setc("eventcategory","1603030000"), - dup21, - setc("event_description","LDP neighbor down"), dup22, + setc("event_description","LDP neighbor down"), + dup23, ])); -var msg444 = msg("RPD_LDP_NBRDOWN", part462); +var msg444 = msg("RPD_LDP_NBRDOWN", part463); -var part463 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ - dup20, +var part464 = match("MESSAGE#440:RPD_LDP_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP neighbor %{daddr->} (%{interface}) is %{result}", processor_chain([ dup21, - setc("event_description","LDP neighbor up"), dup22, + setc("event_description","LDP neighbor up"), + dup23, ])); -var msg445 = msg("RPD_LDP_NBRUP", part463); +var msg445 = msg("RPD_LDP_NBRUP", part464); -var part464 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","LDP session down"), +var part465 = match("MESSAGE#441:RPD_LDP_SESSIONDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is down, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","LDP session down"), + dup23, ])); -var msg446 = msg("RPD_LDP_SESSIONDOWN", part464); +var msg446 = msg("RPD_LDP_SESSIONDOWN", part465); -var part465 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ - dup20, +var part466 = match("MESSAGE#442:RPD_LDP_SESSIONUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: LDP session %{daddr->} is up", processor_chain([ dup21, - setc("event_description","LDP session up"), dup22, + setc("event_description","LDP session up"), + dup23, ])); -var msg447 = msg("RPD_LDP_SESSIONUP", part465); +var msg447 = msg("RPD_LDP_SESSIONUP", part466); -var part466 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to obtain a lock"), +var part467 = match("MESSAGE#443:RPD_LOCK_FLOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to obtain a lock"), + dup23, ])); -var msg448 = msg("RPD_LOCK_FLOCKED", part466); +var msg448 = msg("RPD_LOCK_FLOCKED", part467); -var part467 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to obtain service lock"), +var part468 = match("MESSAGE#444:RPD_LOCK_LOCKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to obtain a lock on %{agent}, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to obtain service lock"), + dup23, ])); -var msg449 = msg("RPD_LOCK_LOCKED", part467); +var msg449 = msg("RPD_LOCK_LOCKED", part468); -var part468 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup20, +var part469 = match("MESSAGE#445:RPD_MPLS_LSP_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ dup21, - setc("event_description","MPLS LSP CHANGE"), dup22, + setc("event_description","MPLS LSP CHANGE"), + dup23, ])); -var msg450 = msg("RPD_MPLS_LSP_CHANGE", part468); +var msg450 = msg("RPD_MPLS_LSP_CHANGE", part469); -var part469 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","MPLS LSP DOWN"), +var part470 = match("MESSAGE#446:RPD_MPLS_LSP_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}", processor_chain([ + dup30, dup22, + setc("event_description","MPLS LSP DOWN"), + dup23, ])); -var msg451 = msg("RPD_MPLS_LSP_DOWN", part469); +var msg451 = msg("RPD_MPLS_LSP_DOWN", part470); -var part470 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ - dup20, +var part471 = match("MESSAGE#447:RPD_MPLS_LSP_SWITCH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result}, Route %{info}", processor_chain([ dup21, - setc("event_description","MPLS LSP SWITCH"), dup22, + setc("event_description","MPLS LSP SWITCH"), + dup23, ])); -var msg452 = msg("RPD_MPLS_LSP_SWITCH", part470); +var msg452 = msg("RPD_MPLS_LSP_SWITCH", part471); -var part471 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ - dup20, +var part472 = match("MESSAGE#448:RPD_MPLS_LSP_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MPLS LSP %{interface->} %{result->} Route %{info}", processor_chain([ dup21, - setc("event_description","MPLS LSP UP"), dup22, + setc("event_description","MPLS LSP UP"), + dup23, ])); -var msg453 = msg("RPD_MPLS_LSP_UP", part471); +var msg453 = msg("RPD_MPLS_LSP_UP", part472); -var part472 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","MSDP PEER DOWN"), +var part473 = match("MESSAGE#449:RPD_MSDP_PEER_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ + dup30, dup22, + setc("event_description","MSDP PEER DOWN"), + dup23, ])); -var msg454 = msg("RPD_MSDP_PEER_DOWN", part472); +var msg454 = msg("RPD_MSDP_PEER_DOWN", part473); -var part473 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ - dup20, +var part474 = match("MESSAGE#450:RPD_MSDP_PEER_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: MSDP peer %{group->} %{result}", processor_chain([ dup21, - setc("event_description","MSDP PEER UP"), dup22, + setc("event_description","MSDP PEER UP"), + dup23, ])); -var msg455 = msg("RPD_MSDP_PEER_UP", part473); +var msg455 = msg("RPD_MSDP_PEER_UP", part474); -var part474 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","OSPF neighbor down"), +var part475 = match("MESSAGE#451:RPD_OSPF_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ + dup30, dup22, + setc("event_description","OSPF neighbor down"), + dup23, ])); -var msg456 = msg("RPD_OSPF_NBRDOWN", part474); +var msg456 = msg("RPD_OSPF_NBRDOWN", part475); -var part475 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ - dup20, +var part476 = match("MESSAGE#452:RPD_OSPF_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: OSPF neighbor %{daddr->} (%{interface}) %{disposition->} due to %{result}", processor_chain([ dup21, - setc("event_description","OSPF neighbor up"), dup22, + setc("event_description","OSPF neighbor up"), + dup23, ])); -var msg457 = msg("RPD_OSPF_NBRUP", part475); +var msg457 = msg("RPD_OSPF_NBRUP", part476); -var part476 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ - dup50, - dup21, - setc("event_description","OS MEMHIGH"), +var part477 = match("MESSAGE#453:RPD_OS_MEMHIGH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Using %{dclass_counter1->} KB of memory, %{info}", processor_chain([ + dup51, dup22, + setc("event_description","OS MEMHIGH"), + dup23, ])); -var msg458 = msg("RPD_OS_MEMHIGH", part476); +var msg458 = msg("RPD_OS_MEMHIGH", part477); -var part477 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ - dup29, - dup21, +var part478 = match("MESSAGE#454:RPD_PIM_NBRDOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM neighbor %{daddr->} timeout interface %{interface}", processor_chain([ + dup30, + dup22, setc("event_description","PIM neighbor down"), setc("result","timeout"), - dup22, + dup23, ])); -var msg459 = msg("RPD_PIM_NBRDOWN", part477); +var msg459 = msg("RPD_PIM_NBRDOWN", part478); -var part478 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ - dup20, +var part479 = match("MESSAGE#455:RPD_PIM_NBRUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: PIM new neighbor %{daddr->} interface %{interface}", processor_chain([ dup21, - setc("event_description","PIM neighbor up"), dup22, + setc("event_description","PIM neighbor up"), + dup23, ])); -var msg460 = msg("RPD_PIM_NBRUP", part478); +var msg460 = msg("RPD_PIM_NBRUP", part479); -var part479 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup29, - dup21, - setc("event_description","Bad checksum for router solicitation"), +var part480 = match("MESSAGE#456:RPD_RDISC_CKSUM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Bad checksum for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, dup22, + setc("event_description","Bad checksum for router solicitation"), + dup23, ])); -var msg461 = msg("RPD_RDISC_CKSUM", part479); +var msg461 = msg("RPD_RDISC_CKSUM", part480); -var part480 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Ignoring interface"), +var part481 = match("MESSAGE#457:RPD_RDISC_NOMULTI", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Ignoring interface %{dclass_counter1->} on %{interface->} -- %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Ignoring interface"), + dup23, ])); -var msg462 = msg("RPD_RDISC_NOMULTI", part480); +var msg462 = msg("RPD_RDISC_NOMULTI", part481); -var part481 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to locate interface for router"), +var part482 = match("MESSAGE#458:RPD_RDISC_NORECVIF", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to locate interface for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to locate interface for router"), + dup23, ])); -var msg463 = msg("RPD_RDISC_NORECVIF", part481); +var msg463 = msg("RPD_RDISC_NORECVIF", part482); -var part482 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup29, - dup21, - setc("event_description","Expected multicast for router solicitation"), +var part483 = match("MESSAGE#459:RPD_RDISC_SOLICITADDR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Expected multicast (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, dup22, + setc("event_description","Expected multicast for router solicitation"), + dup23, ])); -var msg464 = msg("RPD_RDISC_SOLICITADDR", part482); +var msg464 = msg("RPD_RDISC_SOLICITADDR", part483); -var part483 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup29, - dup21, - setc("event_description","Nonzero ICMP code for router solicitation"), +var part484 = match("MESSAGE#460:RPD_RDISC_SOLICITICMP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Nonzero ICMP code (%{resultcode}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, dup22, + setc("event_description","Nonzero ICMP code for router solicitation"), + dup23, ])); -var msg465 = msg("RPD_RDISC_SOLICITICMP", part483); +var msg465 = msg("RPD_RDISC_SOLICITICMP", part484); -var part484 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ - dup29, - dup21, - setc("event_description","Insufficient length for router solicitation"), +var part485 = match("MESSAGE#461:RPD_RDISC_SOLICITLEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Insufficient length (%{dclass_counter1}) for router solicitation from %{saddr->} to %{daddr}", processor_chain([ + dup30, dup22, + setc("event_description","Insufficient length for router solicitation"), + dup23, ])); -var msg466 = msg("RPD_RDISC_SOLICITLEN", part484); +var msg466 = msg("RPD_RDISC_SOLICITLEN", part485); -var part485 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ - dup29, - dup21, - setc("event_description","RIP update with invalid authentication"), +var part486 = match("MESSAGE#462:RPD_RIP_AUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Update with invalid authentication from %{saddr->} (%{interface})", processor_chain([ + dup30, dup22, + setc("event_description","RIP update with invalid authentication"), + dup23, ])); -var msg467 = msg("RPD_RIP_AUTH", part485); +var msg467 = msg("RPD_RIP_AUTH", part486); -var part486 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RIP - unable to get broadcast address"), +var part487 = match("MESSAGE#463:RPD_RIP_JOIN_BROADCAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to get broadcast address %{interface}; %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RIP - unable to get broadcast address"), + dup23, ])); -var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part486); +var msg468 = msg("RPD_RIP_JOIN_BROADCAST", part487); -var part487 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RIP - Unable to join multicast group"), +var part488 = match("MESSAGE#464:RPD_RIP_JOIN_MULTICAST", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to join multicast group %{interface}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RIP - Unable to join multicast group"), + dup23, ])); -var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part487); +var msg469 = msg("RPD_RIP_JOIN_MULTICAST", part488); -var part488 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ - dup20, +var part489 = match("MESSAGE#465:RPD_RT_IFUP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: UP route for interface %{interface->} index %{dclass_counter1->} %{saddr}/%{dclass_counter2}", processor_chain([ dup21, - setc("event_description","RIP interface up"), dup22, + setc("event_description","RIP interface up"), + dup23, ])); -var msg470 = msg("RPD_RT_IFUP", part488); +var msg470 = msg("RPD_RT_IFUP", part489); -var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup145); +var msg471 = msg("RPD_SCHED_CALLBACK_LONGRUNTIME", dup148); -var part489 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ - dup29, - dup21, - setc("event_description","excessive runtime after action of module"), +var part490 = match("MESSAGE#467:RPD_SCHED_CUMULATIVE_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime (%{result}) after action of module", processor_chain([ + dup30, dup22, + setc("event_description","excessive runtime after action of module"), + dup23, ])); -var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part489); +var msg472 = msg("RPD_SCHED_CUMULATIVE_LONGRUNTIME", part490); -var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup145); +var msg473 = msg("RPD_SCHED_MODULE_LONGRUNTIME", dup148); -var part490 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ - dup29, - dup21, - setc("event_description","task extended runtime"), +var part491 = match("MESSAGE#469:RPD_SCHED_TASK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} ran for %{dclass_counter1}(%{dclass_counter2})", processor_chain([ + dup30, dup22, + setc("event_description","task extended runtime"), + dup23, ])); -var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part490); +var msg474 = msg("RPD_SCHED_TASK_LONGRUNTIME", part491); -var part491 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ - dup29, - dup21, - setc("event_description","termination signal received for service"), +var part492 = match("MESSAGE#470:RPD_SIGNAL_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} termination signal received", processor_chain([ + dup30, dup22, + setc("event_description","termination signal received for service"), + dup23, ])); -var msg475 = msg("RPD_SIGNAL_TERMINATE", part491); +var msg475 = msg("RPD_SIGNAL_TERMINATE", part492); -var part492 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ - dup20, +var part493 = match("MESSAGE#471:RPD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Start %{dclass_counter1->} version version built %{dclass_counter2}", processor_chain([ dup21, - setc("event_description","version built"), dup22, + setc("event_description","version built"), + dup23, ])); -var msg476 = msg("RPD_START", part492); +var msg476 = msg("RPD_START", part493); -var part493 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ - dup20, +var part494 = match("MESSAGE#472:RPD_SYSTEM", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: detail: %{action}", processor_chain([ dup21, - setc("event_description","system command"), dup22, + setc("event_description","system command"), + dup23, ])); -var msg477 = msg("RPD_SYSTEM", part493); +var msg477 = msg("RPD_SYSTEM", part494); -var part494 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ - dup20, +var part495 = match("MESSAGE#473:RPD_TASK_BEGIN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commencing routing updates, version %{dclass_counter1}, built %{dclass_counter2->} by builder", processor_chain([ dup21, - setc("event_description","Commencing routing updates"), dup22, + setc("event_description","Commencing routing updates"), + dup23, ])); -var msg478 = msg("RPD_TASK_BEGIN", part494); +var msg478 = msg("RPD_TASK_BEGIN", part495); -var part495 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup20, +var part496 = match("MESSAGE#474:RPD_TASK_CHILDKILLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ dup21, - setc("event_description","task killed by signal"), dup22, + setc("event_description","task killed by signal"), + dup23, ])); -var msg479 = msg("RPD_TASK_CHILDKILLED", part495); +var msg479 = msg("RPD_TASK_CHILDKILLED", part496); -var part496 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ - dup20, +var part497 = match("MESSAGE#475:RPD_TASK_CHILDSTOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2->} %{result}", processor_chain([ dup21, - setc("event_description","task stopped by signal"), dup22, + setc("event_description","task stopped by signal"), + dup23, ])); -var msg480 = msg("RPD_TASK_CHILDSTOPPED", part496); +var msg480 = msg("RPD_TASK_CHILDSTOPPED", part497); -var part497 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to fork task"), +var part498 = match("MESSAGE#476:RPD_TASK_FORK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork task: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to fork task"), + dup23, ])); -var msg481 = msg("RPD_TASK_FORK", part497); +var msg481 = msg("RPD_TASK_FORK", part498); -var part498 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ - dup20, +var part499 = match("MESSAGE#477:RPD_TASK_GETWD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: getwd: %{action}", processor_chain([ dup21, - setc("event_description","RPD TASK GETWD"), dup22, + setc("event_description","RPD TASK GETWD"), + dup23, ])); -var msg482 = msg("RPD_TASK_GETWD", part498); +var msg482 = msg("RPD_TASK_GETWD", part499); -var part499 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ - dup29, - dup21, - setc("event_description","Reinitialization not possible"), +var part500 = match("MESSAGE#478:RPD_TASK_NOREINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitialization not possible", processor_chain([ + dup30, dup22, + setc("event_description","Reinitialization not possible"), + dup23, ])); -var msg483 = msg("RPD_TASK_NOREINIT", part499); +var msg483 = msg("RPD_TASK_NOREINIT", part500); -var part500 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to close and remove task"), +var part501 = match("MESSAGE#479:RPD_TASK_PIDCLOSED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to close and remove %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to close and remove task"), + dup23, ])); -var msg484 = msg("RPD_TASK_PIDCLOSED", part500); +var msg484 = msg("RPD_TASK_PIDCLOSED", part501); -var part501 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RPD TASK PIDFLOCK"), +var part502 = match("MESSAGE#480:RPD_TASK_PIDFLOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: flock(%{agent}, %{action}): %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RPD TASK PIDFLOCK"), + dup23, ])); -var msg485 = msg("RPD_TASK_PIDFLOCK", part501); +var msg485 = msg("RPD_TASK_PIDFLOCK", part502); -var part502 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to write"), +var part503 = match("MESSAGE#481:RPD_TASK_PIDWRITE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to write %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to write"), + dup23, ])); -var msg486 = msg("RPD_TASK_PIDWRITE", part502); +var msg486 = msg("RPD_TASK_PIDWRITE", part503); -var msg487 = msg("RPD_TASK_REINIT", dup146); +var msg487 = msg("RPD_TASK_REINIT", dup149); -var part503 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ - dup20, +var part504 = match("MESSAGE#483:RPD_TASK_SIGNALIGNORE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: sigaction(%{result}): %{resultcode}", processor_chain([ dup21, - setc("event_description","ignoring task signal"), dup22, + setc("event_description","ignoring task signal"), + dup23, ])); -var msg488 = msg("RPD_TASK_SIGNALIGNORE", part503); +var msg488 = msg("RPD_TASK_SIGNALIGNORE", part504); -var part504 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ - dup29, - dup21, - setc("event_description","COS IPC op failed"), +var part505 = match("MESSAGE#484:RT_COS", "nwparser.payload", "%{process}: %{event_type}: COS IPC op %{dclass_counter1->} (%{agent}) failed, err %{resultcode->} (%{result})", processor_chain([ + dup30, dup22, + setc("event_description","COS IPC op failed"), + dup23, ])); -var msg489 = msg("RT_COS", part504); +var msg489 = msg("RT_COS", part505); -var part505 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); +var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/2", "nwparser.p0", "%{fld5}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); -var part506 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); +var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{fld10}\" dst-nat-rule-%{p0}"); -var part507 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{fld11}\"%{p0}"); - -var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{fld11}\"%{p0}"); +var part508 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_0", "nwparser.p0", "type=%{fld21->} dst-nat-rule-name=\"%{p0}"); var select39 = linear_select([ - part507, part508, + dup91, ]); -var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{p0}"); +var part509 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/6", "nwparser.p0", "\"%{fld11->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{fld13}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); -var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", "%{dinterface}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); +var part510 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" encrypted=%{fld8->} %{p0}"); var select40 = linear_select([ part510, - dup91, + dup45, ]); var all22 = all_match({ processors: [ - dup86, - dup147, - part505, - dup148, + dup87, + dup150, part506, + dup151, + part507, select39, part509, select40, dup92, ], on_success: processor_chain([ - dup27, - dup52, + dup28, dup53, - dup21, - dup51, + dup54, + dup22, + dup52, ]), }); var msg490 = msg("RT_FLOW_SESSION_CREATE:02", all22); -var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", "%{dport}\" service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); - -var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_1", "nwparser.p0", "%{dport}\"%{p0}"); +var part511 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/1_0", "nwparser.p0", " service-name=\"%{service}\" nat-source-address=\"%{stransaddr}\" nat-source-port=\"%{stransport}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" src-nat-rule-type=\"%{fld20}\" src-nat-rule-name=\"%{rulename}\" dst-nat-rule-type=\"%{fld10}\" dst-nat-rule-name=\"%{rule_template}\"%{p0}"); var select41 = linear_select([ part511, - part512, + dup45, ]); -var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{p0}"); +var part512 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/2", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\"%{p0}"); -var part514 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", "%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); - -var part515 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_1", "nwparser.p0", "%{policyname}\"%{p0}"); +var part513 = match("MESSAGE#486:RT_FLOW_SESSION_CREATE/3_0", "nwparser.p0", " source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" username=\"%{username}\" roles=\"%{fld50}\" packet-incoming-interface=\"%{dinterface}\" application=\"%{application}\" nested-application=\"%{fld7}\" encrypted=\"%{fld8}\"%{p0}"); var select42 = linear_select([ - part514, - part515, + part513, + dup45, ]); var all23 = all_match({ processors: [ - dup86, + dup87, select41, - part513, + part512, select42, dup92, ], on_success: processor_chain([ - dup27, - dup52, + dup28, dup53, - dup21, - dup51, + dup54, + dup22, + dup52, ]), }); var msg491 = msg("RT_FLOW_SESSION_CREATE", all23); -var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created%{p0}"); +var part514 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_0", "nwparser.payload", "%{process}: %{event_type}: session created %{p0}"); -var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created%{p0}"); +var part515 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/0_1", "nwparser.payload", "%{event_type}: session created %{p0}"); var select43 = linear_select([ - part516, - part517, + part514, + part515, ]); -var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); +var part516 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{p0}"); -var part519 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN "); +var part517 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_0", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{protocol->} %{fld15->} UNKNOWN UNKNOWN"); -var part520 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15->} "); +var part518 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_1", "nwparser.p0", "%{rulename->} %{rule_template->} %{fld12->} %{fld13->} %{fld14->} %{policyname->} %{src_zone->} %{dst_zone->} %{sessionid->} %{username}(%{fld10}) %{interface->} %{fld15}"); -var part521 = match("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "%{info->} "); +var part519 = match_copy("MESSAGE#487:RT_FLOW_SESSION_CREATE:01/2_2", "nwparser.p0", "info"); var select44 = linear_select([ + part517, + part518, part519, - part520, - part521, ]); var all24 = all_match({ processors: [ select43, - part518, + part516, select44, ], on_success: processor_chain([ - dup27, - dup52, + dup28, dup53, - dup21, - setc("event_description","session created"), + dup54, dup22, + setc("event_description","session created"), + dup23, ]), }); @@ -5923,80 +5944,80 @@ var select45 = linear_select([ msg492, ]); -var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{p0}"); +var part520 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/2", "nwparser.p0", "%{fld5}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\"%{p0}"); -var part523 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", "%{dinterface}\" encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); +var part521 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_0", "nwparser.p0", " encrypted=\"%{fld16}\" reason=\"%{result}\" src-vrf-grp=\"%{fld99}\" dst-vrf-grp=\"%{fld98}\"%{p0}"); -var part524 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", "%{dinterface}\" encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); +var part522 = match("MESSAGE#488:RT_FLOW_SESSION_DENY:02/3_1", "nwparser.p0", " encrypted=%{fld16->} reason=\"%{result}\"%{p0}"); var select46 = linear_select([ - part523, - part524, - dup91, + part521, + part522, + dup45, ]); var all25 = all_match({ processors: [ - dup86, - dup147, - part522, + dup87, + dup150, + part520, select46, dup92, ], on_success: processor_chain([ dup93, - dup52, + dup53, dup94, - dup21, - dup51, + dup22, + dup52, ]), }); var msg493 = msg("RT_FLOW_SESSION_DENY:02", all25); -var part525 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ +var part523 = match("MESSAGE#489:RT_FLOW_SESSION_DENY", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" icmp-type=\"%{obj_type}\" policy-name=\"%{policyname}\"]", processor_chain([ dup93, - dup52, + dup53, dup94, - dup21, - dup51, + dup22, + dup52, ])); -var msg494 = msg("RT_FLOW_SESSION_DENY", part525); +var msg494 = msg("RT_FLOW_SESSION_DENY", part523); -var part526 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); +var part524 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone->} HTTP %{info}"); var all26 = all_match({ processors: [ - dup149, - part526, + dup152, + part524, ], on_success: processor_chain([ - dup26, - dup52, + dup27, + dup53, dup94, - dup21, - dup97, dup22, + dup97, + dup23, ]), }); var msg495 = msg("RT_FLOW_SESSION_DENY:03", all26); -var part527 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{} %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); +var part525 = match("MESSAGE#491:RT_FLOW_SESSION_DENY:01/1", "nwparser.p0", "%{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{fld1->} %{result->} %{src_zone->} %{dst_zone}"); var all27 = all_match({ processors: [ - dup149, - part527, + dup152, + part525, ], on_success: processor_chain([ - dup26, - dup52, + dup27, + dup53, dup94, - dup21, - dup97, dup22, + dup97, + dup23, ]), }); @@ -6009,115 +6030,103 @@ var select47 = linear_select([ msg496, ]); -var part528 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{p0}"); - -var part529 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", "%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - -var part530 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_1", "nwparser.p0", "%{duration}\"%{p0}"); - var select48 = linear_select([ - part529, - part530, + dup103, + dup45, ]); var all28 = all_match({ processors: [ dup98, - dup147, + dup150, dup99, - dup148, + dup151, dup100, - dup150, - part528, + dup153, + dup102, select48, dup92, ], on_success: processor_chain([ - dup26, + dup27, + dup53, + dup55, + dup104, + dup22, dup52, - dup54, - dup103, - dup21, - dup51, ]), }); var msg497 = msg("RT_FLOW_SESSION_CLOSE:01", all28); -var part531 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ - dup26, +var part526 = match("MESSAGE#493:RT_FLOW_SESSION_CLOSE", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" inbound-packets=\"%{packets}\" inbound-bytes=\"%{rbytes}\" outbound-packets=\"%{dclass_counter1}\" outbound-bytes=\"%{sbytes}\" elapsed-time=\"%{duration}\"]", processor_chain([ + dup27, + dup53, + dup55, + dup22, dup52, - dup54, - dup21, - dup51, ])); -var msg498 = msg("RT_FLOW_SESSION_CLOSE", part531); +var msg498 = msg("RT_FLOW_SESSION_CLOSE", part526); -var part532 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed%{p0}"); +var part527 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_0", "nwparser.payload", "%{process}: %{event_type}: session closed %{p0}"); -var part533 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed%{p0}"); +var part528 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/0_1", "nwparser.payload", "%{event_type}: session closed %{p0}"); var select49 = linear_select([ - part532, - part533, + part527, + part528, ]); -var part534 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{} %{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); +var part529 = match("MESSAGE#494:RT_FLOW_SESSION_CLOSE:02/1", "nwparser.p0", "%{result}: %{saddr}/%{sport}->%{daddr}/%{dport->} %{fld20->} %{hostip}/%{network_port}->%{dtransaddr}/%{dtransport->} %{info}"); var all29 = all_match({ processors: [ select49, - part534, + part529, ], on_success: processor_chain([ - dup26, - dup52, - dup54, - dup21, - setc("event_description","session closed"), + dup27, + dup53, + dup55, dup22, + setc("event_description","session closed"), + dup23, ]), }); var msg499 = msg("RT_FLOW_SESSION_CLOSE:02", all29); -var part535 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/6", "nwparser.p0", "%{}protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" %{p0}"); - -var part536 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_0", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); - -var part537 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " elapsed-time=\"%{duration}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); - -var part538 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_2", "nwparser.p0", "elapsed-time=\"%{duration}\"%{p0}"); +var part530 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/7_1", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{user_role}\" packet-incoming-interface=\"%{dinterface}\" %{p0}"); var select50 = linear_select([ - part536, - part537, - part538, + dup103, + part530, + dup45, ]); -var part539 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); +var part531 = match("MESSAGE#495:RT_FLOW_SESSION_CLOSE:03/8", "nwparser.p0", "] session closed %{fld60}: %{fld51}/%{fld52}->%{fld53}/%{fld54->} %{fld55->} %{fld56}/%{fld57}->%{fld58}/%{fld59->} %{info}"); var all30 = all_match({ processors: [ dup98, - dup147, + dup150, dup99, - dup148, + dup151, dup100, - dup150, - part535, + dup153, + dup102, select50, - part539, + part531, ], on_success: processor_chain([ - dup26, + dup27, + dup53, + dup55, + dup104, + dup22, dup52, - dup54, - dup103, - dup21, - dup51, - dup60, + dup61, ]), }); @@ -6130,327 +6139,327 @@ var select51 = linear_select([ msg500, ]); -var part540 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ - dup29, - dup21, - setc("event_description","Fragmented traffic"), +var part532 = match("MESSAGE#496:RT_SCREEN_IP", "nwparser.payload", "%{process}: %{event_type}: Fragmented traffic! source:%{saddr}, destination: %{daddr}, protocol-id: %{protocol}, zone name: %{zone}, interface name: %{interface}", processor_chain([ + dup30, dup22, + setc("event_description","Fragmented traffic"), + dup23, ])); -var msg501 = msg("RT_SCREEN_IP", part540); +var msg501 = msg("RT_SCREEN_IP", part532); -var part541 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup29, - dup21, - dup51, +var part533 = match("MESSAGE#497:RT_SCREEN_IP:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" protocol-id=\"%{protocol}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, ])); -var msg502 = msg("RT_SCREEN_IP:01", part541); +var msg502 = msg("RT_SCREEN_IP:01", part533); var select52 = linear_select([ msg501, msg502, ]); -var msg503 = msg("RT_SCREEN_TCP", dup151); +var msg503 = msg("RT_SCREEN_TCP", dup154); -var part542 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup29, - dup21, - dup51, +var part534 = match("MESSAGE#499:RT_SCREEN_SESSION_LIMIT", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" message=\"%{info}\" ip-address=\"%{hostip}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, ])); -var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part542); +var msg504 = msg("RT_SCREEN_SESSION_LIMIT", part534); -var msg505 = msg("RT_SCREEN_UDP", dup151); +var msg505 = msg("RT_SCREEN_UDP", dup154); -var part543 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ - dup26, - dup21, - setc("event_description","attempt to connect to interface failed"), +var part535 = match("MESSAGE#501:SERVICED_CLIENT_CONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: attempt to connect to interface failed with error: %{result}", processor_chain([ + dup27, dup22, + setc("event_description","attempt to connect to interface failed"), + dup23, ])); -var msg506 = msg("SERVICED_CLIENT_CONNECT", part543); +var msg506 = msg("SERVICED_CLIENT_CONNECT", part535); -var part544 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ - dup26, - dup21, - setc("event_description","unexpected termination of connection"), +var part536 = match("MESSAGE#502:SERVICED_CLIENT_DISCONNECTED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unexpected termination of connection to interface", processor_chain([ + dup27, dup22, + setc("event_description","unexpected termination of connection"), + dup23, ])); -var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part544); +var msg507 = msg("SERVICED_CLIENT_DISCONNECTED", part536); -var part545 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","client interface connection failure"), +var part537 = match("MESSAGE#503:SERVICED_CLIENT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: client interface connection failure: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","client interface connection failure"), + dup23, ])); -var msg508 = msg("SERVICED_CLIENT_ERROR", part545); +var msg508 = msg("SERVICED_CLIENT_ERROR", part537); -var part546 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","remote command execution failed"), +var part538 = match("MESSAGE#504:SERVICED_COMMAND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: remote command execution failed with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","remote command execution failed"), + dup23, ])); -var msg509 = msg("SERVICED_COMMAND_FAILED", part546); +var msg509 = msg("SERVICED_COMMAND_FAILED", part538); -var part547 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","client commit configuration failed"), +var part539 = match("MESSAGE#505:SERVICED_COMMIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: client failed to commit configuration with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","client commit configuration failed"), + dup23, ])); -var msg510 = msg("SERVICED_COMMIT_FAILED", part547); +var msg510 = msg("SERVICED_COMMIT_FAILED", part539); -var part548 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","configuration process failed"), +var part540 = match("MESSAGE#506:SERVICED_CONFIGURATION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: configuration process failed with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","configuration process failed"), + dup23, ])); -var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part548); +var msg511 = msg("SERVICED_CONFIGURATION_FAILED", part540); -var part549 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SERVICED CONFIG ERROR"), +var part541 = match("MESSAGE#507:SERVICED_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SERVICED CONFIG ERROR"), + dup23, ])); -var msg512 = msg("SERVICED_CONFIG_ERROR", part549); +var msg512 = msg("SERVICED_CONFIG_ERROR", part541); -var part550 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","service failed to read path"), +var part542 = match("MESSAGE#508:SERVICED_CONFIG_FILE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} failed to read path with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","service failed to read path"), + dup23, ])); -var msg513 = msg("SERVICED_CONFIG_FILE", part550); +var msg513 = msg("SERVICED_CONFIG_FILE", part542); -var part551 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SERVICED CONNECTION ERROR"), +var part543 = match("MESSAGE#509:SERVICED_CONNECTION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SERVICED CONNECTION ERROR"), + dup23, ])); -var msg514 = msg("SERVICED_CONNECTION_ERROR", part551); +var msg514 = msg("SERVICED_CONNECTION_ERROR", part543); -var part552 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ - dup20, +var part544 = match("MESSAGE#510:SERVICED_DISABLED_GGSN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: GGSN services disabled: object: %{result}", processor_chain([ dup21, - setc("event_description","GGSN services disabled"), dup22, + setc("event_description","GGSN services disabled"), + dup23, ])); -var msg515 = msg("SERVICED_DISABLED_GGSN", part552); +var msg515 = msg("SERVICED_DISABLED_GGSN", part544); -var msg516 = msg("SERVICED_DUPLICATE", dup138); +var msg516 = msg("SERVICED_DUPLICATE", dup141); -var part553 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","event function failed"), +var part545 = match("MESSAGE#512:SERVICED_EVENT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: event function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","event function failed"), + dup23, ])); -var msg517 = msg("SERVICED_EVENT_FAILED", part553); +var msg517 = msg("SERVICED_EVENT_FAILED", part545); -var part554 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","service initialization failed"), +var part546 = match("MESSAGE#513:SERVICED_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: initialization failed with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","service initialization failed"), + dup23, ])); -var msg518 = msg("SERVICED_INIT_FAILED", part554); +var msg518 = msg("SERVICED_INIT_FAILED", part546); -var part555 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","memory allocation failure"), +var part547 = match("MESSAGE#514:SERVICED_MALLOC_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed to allocate [%{dclass_counter2}] object [%{dclass_counter1->} bytes %{bytes}]: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","memory allocation failure"), + dup23, ])); -var msg519 = msg("SERVICED_MALLOC_FAILURE", part555); +var msg519 = msg("SERVICED_MALLOC_FAILURE", part547); -var part556 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","NETWORK FAILURE"), +var part548 = match("MESSAGE#515:SERVICED_NETWORK_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","NETWORK FAILURE"), + dup23, ])); -var msg520 = msg("SERVICED_NETWORK_FAILURE", part556); - -var part557 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ - dup62, - dup21, - setc("event_description","SERVICED must be run as root"), +var msg520 = msg("SERVICED_NETWORK_FAILURE", part548); + +var part549 = match("MESSAGE#516:SERVICED_NOT_ROOT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Must be run as root", processor_chain([ + dup63, dup22, + setc("event_description","SERVICED must be run as root"), + dup23, ])); -var msg521 = msg("SERVICED_NOT_ROOT", part557); +var msg521 = msg("SERVICED_NOT_ROOT", part549); -var msg522 = msg("SERVICED_PID_FILE_LOCK", dup139); +var msg522 = msg("SERVICED_PID_FILE_LOCK", dup142); -var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup140); +var msg523 = msg("SERVICED_PID_FILE_UPDATE", dup143); -var part558 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","routing socket sequence error"), +var part550 = match("MESSAGE#519:SERVICED_RTSOCK_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: routing socket sequence error, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","routing socket sequence error"), + dup23, ])); -var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part558); +var msg524 = msg("SERVICED_RTSOCK_SEQUENCE", part550); -var part559 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","set up of signal name handler failed"), +var part551 = match("MESSAGE#520:SERVICED_SIGNAL_HANDLER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: set up of signal name handler failed with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","set up of signal name handler failed"), + dup23, ])); -var msg525 = msg("SERVICED_SIGNAL_HANDLER", part559); +var msg525 = msg("SERVICED_SIGNAL_HANDLER", part551); -var part560 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","socket create failed with error"), +var part552 = match("MESSAGE#521:SERVICED_SOCKET_CREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket create failed with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","socket create failed with error"), + dup23, ])); -var msg526 = msg("SERVICED_SOCKET_CREATE", part560); +var msg526 = msg("SERVICED_SOCKET_CREATE", part552); -var part561 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","socket function failed"), +var part553 = match("MESSAGE#522:SERVICED_SOCKET_IO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket function %{dclass_counter2->} failed with error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","socket function failed"), + dup23, ])); -var msg527 = msg("SERVICED_SOCKET_IO", part561); +var msg527 = msg("SERVICED_SOCKET_IO", part553); -var part562 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","unable to set socket option"), +var part554 = match("MESSAGE#523:SERVICED_SOCKET_OPTION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unable to set socket option %{dclass_counter2}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","unable to set socket option"), + dup23, ])); -var msg528 = msg("SERVICED_SOCKET_OPTION", part562); +var msg528 = msg("SERVICED_SOCKET_OPTION", part554); -var part563 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","STDLIB FAILURE"), +var part555 = match("MESSAGE#524:SERVICED_STDLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{dclass_counter2->} had error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","STDLIB FAILURE"), + dup23, ])); -var msg529 = msg("SERVICED_STDLIB_FAILURE", part563); +var msg529 = msg("SERVICED_STDLIB_FAILURE", part555); -var part564 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Incorrect service usage"), +var part556 = match("MESSAGE#525:SERVICED_USAGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Incorrect usage: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Incorrect service usage"), + dup23, ])); -var msg530 = msg("SERVICED_USAGE", part564); +var msg530 = msg("SERVICED_USAGE", part556); -var part565 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","object has unexpected value"), +var part557 = match("MESSAGE#526:SERVICED_WORK_INCONSISTENCY", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: object has unexpected value %{result}", processor_chain([ + dup30, dup22, + setc("event_description","object has unexpected value"), + dup23, ])); -var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part565); +var msg531 = msg("SERVICED_WORK_INCONSISTENCY", part557); -var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup152); +var msg532 = msg("SSL_PROXY_SSL_SESSION_ALLOW", dup155); -var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup152); +var msg533 = msg("SSL_PROXY_SSL_SESSION_DROP", dup155); -var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup152); +var msg534 = msg("SSL_PROXY_SESSION_IGNORE", dup155); -var part566 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ - dup20, +var part558 = match("MESSAGE#530:SNMP_NS_LOG_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: NET-SNMP version %{version->} AgentX subagent connected", processor_chain([ dup21, - setc("event_description","AgentX subagent connected"), - dup60, dup22, + setc("event_description","AgentX subagent connected"), + dup61, + dup23, ])); -var msg535 = msg("SNMP_NS_LOG_INFO", part566); +var msg535 = msg("SNMP_NS_LOG_INFO", part558); -var part567 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ - dup20, +var part559 = match("MESSAGE#531:SNMP_SUBAGENT_IPC_REG_ROWS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ns_subagent_register_mibs: registering %{dclass_counter1->} rows", processor_chain([ dup21, - setc("event_description","ns_subagent registering rows"), - dup60, dup22, + setc("event_description","ns_subagent registering rows"), + dup61, + dup23, ])); -var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part567); +var msg536 = msg("SNMP_SUBAGENT_IPC_REG_ROWS", part559); -var part568 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD ACCESS GROUP ERROR"), +var part560 = match("MESSAGE#532:SNMPD_ACCESS_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} access group %{group}", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD ACCESS GROUP ERROR"), + dup23, ])); -var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part568); +var msg537 = msg("SNMPD_ACCESS_GROUP_ERROR", part560); -var part569 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ - dup29, - dup21, - dup104, - setc("result","unauthorized SNMP community to unknown community name"), +var part561 = match("MESSAGE#533:SNMPD_AUTH_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to unknown community name (%{pool_name})", processor_chain([ + dup30, dup22, + dup105, + setc("result","unauthorized SNMP community to unknown community name"), + dup23, ])); -var msg538 = msg("SNMPD_AUTH_FAILURE", part569); +var msg538 = msg("SNMPD_AUTH_FAILURE", part561); -var part570 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ - dup29, - dup21, - dup104, - setc("result","failed input interface authorization to unknown"), +var part562 = match("MESSAGE#534:SNMPD_AUTH_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: failed input interface authorization from %{daddr->} to unknown (%{pool_name})", processor_chain([ + dup30, dup22, + dup105, + setc("result","failed input interface authorization to unknown"), + dup23, ])); -var msg539 = msg("SNMPD_AUTH_FAILURE:01", part570); +var msg539 = msg("SNMPD_AUTH_FAILURE:01", part562); -var part571 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ - dup29, - dup21, - dup104, - setc("result","unauthorized SNMP community "), +var part563 = match("MESSAGE#535:SNMPD_AUTH_FAILURE:02", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unauthorized SNMP community from %{daddr->} to %{saddr->} (%{pool_name})", processor_chain([ + dup30, dup22, + dup105, + setc("result","unauthorized SNMP community "), + dup23, ])); -var msg540 = msg("SNMPD_AUTH_FAILURE:02", part571); +var msg540 = msg("SNMPD_AUTH_FAILURE:02", part563); -var part572 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ - dup29, - dup21, - dup104, - dup60, +var part564 = match("MESSAGE#595:SNMPD_AUTH_FAILURE:03", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} function-name=\"%{fld1}\" message=\"%{info}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" index1=\"%{fld4}\"]", processor_chain([ + dup30, + dup22, + dup105, dup61, + dup62, ])); -var msg541 = msg("SNMPD_AUTH_FAILURE:03", part572); +var msg541 = msg("SNMPD_AUTH_FAILURE:03", part564); var select53 = linear_select([ msg538, @@ -6459,775 +6468,775 @@ var select53 = linear_select([ msg541, ]); -var part573 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP request exceeded community privileges"), +var part565 = match("MESSAGE#536:SNMPD_AUTH_PRIVILEGES_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: request exceeded community privileges", processor_chain([ + dup30, dup22, + setc("event_description","SNMP request exceeded community privileges"), + dup23, ])); -var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part573); +var msg542 = msg("SNMPD_AUTH_PRIVILEGES_EXCEEDED", part565); -var part574 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ - dup47, - dup21, +var part566 = match("MESSAGE#537:SNMPD_AUTH_RESTRICTED_ADDRESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: request from address %{daddr->} not allowed", processor_chain([ + dup48, + dup22, setc("event_description","SNMPD AUTH RESTRICTED ADDRESS"), setc("result","request not allowed"), - dup22, + dup23, ])); -var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part574); +var msg543 = msg("SNMPD_AUTH_RESTRICTED_ADDRESS", part566); -var part575 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","unauthorized SNMP PDU type"), +var part567 = match("MESSAGE#538:SNMPD_AUTH_WRONG_PDU_TYPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{saddr}: unauthorized SNMP PDU type: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","unauthorized SNMP PDU type"), + dup23, ])); -var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part575); +var msg544 = msg("SNMPD_AUTH_WRONG_PDU_TYPE", part567); -var part576 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ - dup29, - dup21, - setc("event_description","Configuration database has errors"), +var part568 = match("MESSAGE#539:SNMPD_CONFIG_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration database has errors", processor_chain([ + dup30, dup22, + setc("event_description","Configuration database has errors"), + dup23, ])); -var msg545 = msg("SNMPD_CONFIG_ERROR", part576); +var msg545 = msg("SNMPD_CONFIG_ERROR", part568); -var part577 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD CONTEXT ERROR"), +var part569 = match("MESSAGE#540:SNMPD_CONTEXT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} context %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD CONTEXT ERROR"), + dup23, ])); -var msg546 = msg("SNMPD_CONTEXT_ERROR", part577); +var msg546 = msg("SNMPD_CONTEXT_ERROR", part569); -var part578 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD ENGINE FILE FAILURE"), +var part570 = match("MESSAGE#541:SNMPD_ENGINE_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD ENGINE FILE FAILURE"), + dup23, ])); -var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part578); +var msg547 = msg("SNMPD_ENGINE_FILE_FAILURE", part570); -var part579 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ - dup29, - dup21, - setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), +var part571 = match("MESSAGE#542:SNMPD_ENGINE_PROCESS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: from-path: undecodable/unmatched subagent response", processor_chain([ + dup30, dup22, + setc("event_description"," from-path - SNMP undecodable/unmatched subagent response"), + dup23, ])); -var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part579); +var msg548 = msg("SNMPD_ENGINE_PROCESS_ERROR", part571); -var part580 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD FILE FAILURE"), +var part572 = match("MESSAGE#543:SNMPD_FILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: fopen %{dclass_counter2}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD FILE FAILURE"), + dup23, ])); -var msg549 = msg("SNMPD_FILE_FAILURE", part580); +var msg549 = msg("SNMPD_FILE_FAILURE", part572); -var part581 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD GROUP ERROR"), +var part573 = match("MESSAGE#544:SNMPD_GROUP_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} group: '%{group}' user '%{username}' model '%{version}'", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD GROUP ERROR"), + dup23, ])); -var msg550 = msg("SNMPD_GROUP_ERROR", part581); +var msg550 = msg("SNMPD_GROUP_ERROR", part573); -var part582 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","snmpd initialization failure"), +var part574 = match("MESSAGE#545:SNMPD_INIT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: snmpd initialization failure: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","snmpd initialization failure"), + dup23, ])); -var msg551 = msg("SNMPD_INIT_FAILED", part582); +var msg551 = msg("SNMPD_INIT_FAILED", part574); -var part583 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","LIBJUNIPER FAILURE"), +var part575 = match("MESSAGE#546:SNMPD_LIBJUNIPER_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system_default_inaddr: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","LIBJUNIPER FAILURE"), + dup23, ])); -var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part583); +var msg552 = msg("SNMPD_LIBJUNIPER_FAILURE", part575); -var part584 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","LOOPBACK ADDR ERROR"), +var part576 = match("MESSAGE#547:SNMPD_LOOPBACK_ADDR_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","LOOPBACK ADDR ERROR"), + dup23, ])); -var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part584); +var msg553 = msg("SNMPD_LOOPBACK_ADDR_ERROR", part576); -var part585 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ - dup29, - dup21, - setc("event_description","duplicate memory free"), +var part577 = match("MESSAGE#548:SNMPD_MEMORY_FREED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: called for freed - already freed", processor_chain([ + dup30, dup22, + setc("event_description","duplicate memory free"), + dup23, ])); -var msg554 = msg("SNMPD_MEMORY_FREED", part585); +var msg554 = msg("SNMPD_MEMORY_FREED", part577); -var part586 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","radix_add failed"), +var part578 = match("MESSAGE#549:SNMPD_RADIX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: radix_add failed: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","radix_add failed"), + dup23, ])); -var msg555 = msg("SNMPD_RADIX_FAILURE", part586); +var msg555 = msg("SNMPD_RADIX_FAILURE", part578); -var part587 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD RECEIVE FAILURE"), +var part579 = match("MESSAGE#550:SNMPD_RECEIVE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: receive %{dclass_counter1->} failure: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD RECEIVE FAILURE"), + dup23, ])); -var msg556 = msg("SNMPD_RECEIVE_FAILURE", part587); +var msg556 = msg("SNMPD_RECEIVE_FAILURE", part579); -var part588 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","RMONFILE FAILURE"), +var part580 = match("MESSAGE#551:SNMPD_RMONFILE_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{dclass_counter2}: operation: %{dclass_counter1->} %{agent}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","RMONFILE FAILURE"), + dup23, ])); -var msg557 = msg("SNMPD_RMONFILE_FAILURE", part588); +var msg557 = msg("SNMPD_RMONFILE_FAILURE", part580); -var part589 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ - dup29, - dup21, - setc("event_description","Null cookie"), +var part581 = match("MESSAGE#552:SNMPD_RMON_COOKIE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Null cookie", processor_chain([ + dup30, dup22, + setc("event_description","Null cookie"), + dup23, ])); -var msg558 = msg("SNMPD_RMON_COOKIE", part589); +var msg558 = msg("SNMPD_RMON_COOKIE", part581); -var part590 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ - dup20, +var part582 = match("MESSAGE#553:SNMPD_RMON_EVENTLOG", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result}", processor_chain([ dup21, - setc("event_description","RMON EVENTLOG"), dup22, + setc("event_description","RMON EVENTLOG"), + dup23, ])); -var msg559 = msg("SNMPD_RMON_EVENTLOG", part590); +var msg559 = msg("SNMPD_RMON_EVENTLOG", part582); -var part591 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Received io error"), +var part583 = match("MESSAGE#554:SNMPD_RMON_IOERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: Received io error, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Received io error"), + dup23, ])); -var msg560 = msg("SNMPD_RMON_IOERROR", part591); +var msg560 = msg("SNMPD_RMON_IOERROR", part583); -var part592 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","internal Get request error"), +var part584 = match("MESSAGE#555:SNMPD_RMON_MIBERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: internal Get request error: description, %{result}", processor_chain([ + dup30, dup22, + setc("event_description","internal Get request error"), + dup23, ])); -var msg561 = msg("SNMPD_RMON_MIBERROR", part592); +var msg561 = msg("SNMPD_RMON_MIBERROR", part584); -var part593 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","sequence mismatch"), +var part585 = match("MESSAGE#556:SNMPD_RTSLIB_ASYNC_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: sequence mismatch %{result}", processor_chain([ + dup30, dup22, + setc("event_description","sequence mismatch"), + dup23, ])); -var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part593); +var msg562 = msg("SNMPD_RTSLIB_ASYNC_EVENT", part585); -var part594 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ - dup29, - dup21, - dup105, +var part586 = match("MESSAGE#557:SNMPD_SEND_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send send-type (index1) failure: %{result}", processor_chain([ + dup30, dup22, + dup106, + dup23, ])); -var msg563 = msg("SNMPD_SEND_FAILURE", part594); +var msg563 = msg("SNMPD_SEND_FAILURE", part586); -var part595 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ - dup29, - dup21, - dup105, +var part587 = match("MESSAGE#558:SNMPD_SEND_FAILURE:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: send to (%{saddr}) failure: %{result}", processor_chain([ + dup30, dup22, + dup106, + dup23, ])); -var msg564 = msg("SNMPD_SEND_FAILURE:01", part595); +var msg564 = msg("SNMPD_SEND_FAILURE:01", part587); var select54 = linear_select([ msg563, msg564, ]); -var part596 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD SOCKET FAILURE"), +var part588 = match("MESSAGE#559:SNMPD_SOCKET_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: socket failure: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD SOCKET FAILURE"), + dup23, ])); -var msg565 = msg("SNMPD_SOCKET_FAILURE", part596); +var msg565 = msg("SNMPD_SOCKET_FAILURE", part588); -var part597 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ - dup29, - dup21, - setc("event_description","No buffers available for subagent"), +var part589 = match("MESSAGE#560:SNMPD_SUBAGENT_NO_BUFFERS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: No buffers available for subagent (%{agent})", processor_chain([ + dup30, dup22, + setc("event_description","No buffers available for subagent"), + dup23, ])); -var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part597); +var msg566 = msg("SNMPD_SUBAGENT_NO_BUFFERS", part589); -var part598 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Send to subagent failed"), +var part590 = match("MESSAGE#561:SNMPD_SUBAGENT_SEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Send to subagent failed (%{agent}): %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Send to subagent failed"), + dup23, ])); -var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part598); - -var part599 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","system function failed"), +var msg567 = msg("SNMPD_SUBAGENT_SEND_FAILED", part590); + +var part591 = match("MESSAGE#562:SNMPD_SYSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: system function '%{dclass_counter1}' failed: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","system function failed"), + dup23, ])); -var msg568 = msg("SNMPD_SYSLIB_FAILURE", part599); +var msg568 = msg("SNMPD_SYSLIB_FAILURE", part591); -var part600 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ - dup20, +var part592 = match("MESSAGE#563:SNMPD_THROTTLE_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: cleared all throttled traps", processor_chain([ dup21, - setc("event_description","cleared all throttled traps"), dup22, + setc("event_description","cleared all throttled traps"), + dup23, ])); -var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part600); +var msg569 = msg("SNMPD_THROTTLE_QUEUE_DRAINED", part592); -var part601 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ - dup20, +var part593 = match("MESSAGE#564:SNMPD_TRAP_COLD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: cold start", processor_chain([ dup21, - setc("event_description","SNMP trap: cold start"), dup22, + setc("event_description","SNMP trap: cold start"), + dup23, ])); -var msg570 = msg("SNMPD_TRAP_COLD_START", part601); +var msg570 = msg("SNMPD_TRAP_COLD_START", part593); -var part602 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ - dup29, - dup21, - dup106, +var part594 = match("MESSAGE#565:SNMPD_TRAP_GEN_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{resultcode->} (%{result})", processor_chain([ + dup30, dup22, + dup107, + dup23, ])); -var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part602); +var msg571 = msg("SNMPD_TRAP_GEN_FAILURE", part594); -var part603 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ - dup29, - dup21, - dup106, +var part595 = match("MESSAGE#566:SNMPD_TRAP_GEN_FAILURE2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{dclass_counter2->} %{result}", processor_chain([ + dup30, dup22, + dup107, + dup23, ])); -var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part603); +var msg572 = msg("SNMPD_TRAP_GEN_FAILURE2", part595); -var part604 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD TRAP INVALID DATA"), +var part596 = match("MESSAGE#567:SNMPD_TRAP_INVALID_DATA", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{result->} (%{dclass_counter2}) received", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD TRAP INVALID DATA"), + dup23, ])); -var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part604); +var msg573 = msg("SNMPD_TRAP_INVALID_DATA", part596); -var part605 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD TRAP ERROR"), +var part597 = match("MESSAGE#568:SNMPD_TRAP_NOT_ENOUGH_VARBINDS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: %{info->} (%{result})", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD TRAP ERROR"), + dup23, ])); -var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part605); +var msg574 = msg("SNMPD_TRAP_NOT_ENOUGH_VARBINDS", part597); -var part606 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ - dup20, +var part598 = match("MESSAGE#569:SNMPD_TRAP_QUEUED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Adding trap to %{dclass_counter2->} to %{obj_name->} queue, %{dclass_counter1->} traps in queue", processor_chain([ dup21, - setc("event_description","Adding trap to queue"), dup22, + setc("event_description","Adding trap to queue"), + dup23, ])); -var msg575 = msg("SNMPD_TRAP_QUEUED", part606); +var msg575 = msg("SNMPD_TRAP_QUEUED", part598); -var part607 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ - dup20, +var part599 = match("MESSAGE#570:SNMPD_TRAP_QUEUE_DRAINED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps queued to %{obj_name->} sent successfully", processor_chain([ dup21, - setc("event_description","traps queued - sent successfully"), dup22, + setc("event_description","traps queued - sent successfully"), + dup23, ])); -var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part607); +var msg576 = msg("SNMPD_TRAP_QUEUE_DRAINED", part599); -var part608 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), +var part600 = match("MESSAGE#571:SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: after %{dclass_counter1->} attempts, deleting %{dclass_counter2->} traps queued to %{obj_name}", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps"), + dup23, ])); -var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part608); +var msg577 = msg("SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", part600); -var part609 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ - dup20, +var part601 = match("MESSAGE#572:SNMPD_TRAP_QUEUE_MAX_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: maximum queue size exceeded (%{dclass_counter1}), discarding trap to %{dclass_counter2->} from %{obj_name->} queue", processor_chain([ dup21, - setc("event_description","SNMP TRAP maximum queue size exceeded"), dup22, + setc("event_description","SNMP TRAP maximum queue size exceeded"), + dup23, ])); -var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part609); +var msg578 = msg("SNMPD_TRAP_QUEUE_MAX_SIZE", part601); -var part610 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ - dup20, +var part602 = match("MESSAGE#573:SNMPD_TRAP_THROTTLED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: traps throttled after %{dclass_counter1->} traps", processor_chain([ dup21, - setc("event_description","SNMP traps throttled"), dup22, + setc("event_description","SNMP traps throttled"), + dup23, ])); -var msg579 = msg("SNMPD_TRAP_THROTTLED", part610); +var msg579 = msg("SNMPD_TRAP_THROTTLED", part602); -var part611 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ - dup29, - dup21, - setc("event_description","unknown SNMP trap type requested"), +var part603 = match("MESSAGE#574:SNMPD_TRAP_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: unknown trap type requested (%{obj_type->} )", processor_chain([ + dup30, dup22, + setc("event_description","unknown SNMP trap type requested"), + dup23, ])); -var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part611); +var msg580 = msg("SNMPD_TRAP_TYPE_ERROR", part603); -var part612 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), +var part604 = match("MESSAGE#575:SNMPD_TRAP_VARBIND_TYPE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: expecting %{dclass_counter1->} varbind to be VT_NUMBER (%{resultcode->} )", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD TRAP VARBIND TYPE ERROR"), + dup23, ])); -var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part612); +var msg581 = msg("SNMPD_TRAP_VARBIND_TYPE_ERROR", part604); -var part613 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD TRAP ERROR - invalid version signature"), +var part605 = match("MESSAGE#576:SNMPD_TRAP_VERSION_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap error: invalid version signature (%{result})", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD TRAP ERROR - invalid version signature"), + dup23, ])); -var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part613); +var msg582 = msg("SNMPD_TRAP_VERSION_ERROR", part605); -var part614 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ - dup20, +var part606 = match("MESSAGE#577:SNMPD_TRAP_WARM_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: SNMP trap: warm start", processor_chain([ dup21, - setc("event_description","SNMPD TRAP WARM START"), dup22, + setc("event_description","SNMPD TRAP WARM START"), + dup23, ])); -var msg583 = msg("SNMPD_TRAP_WARM_START", part614); +var msg583 = msg("SNMPD_TRAP_WARM_START", part606); -var part615 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMPD USER ERROR"), +var part607 = match("MESSAGE#578:SNMPD_USER_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} in %{dclass_counter1->} user '%{username}' %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","SNMPD USER ERROR"), + dup23, ])); -var msg584 = msg("SNMPD_USER_ERROR", part615); +var msg584 = msg("SNMPD_USER_ERROR", part607); -var part616 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ - dup20, +var part608 = match("MESSAGE#579:SNMPD_VIEW_DELETE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: deleting view %{dclass_counter2->} %{result}", processor_chain([ dup21, - setc("event_description","SNMP deleting view"), dup22, + setc("event_description","SNMP deleting view"), + dup23, ])); -var msg585 = msg("SNMPD_VIEW_DELETE", part616); +var msg585 = msg("SNMPD_VIEW_DELETE", part608); -var part617 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ - dup20, +var part609 = match("MESSAGE#580:SNMPD_VIEW_INSTALL_DEFAULT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: %{result->} installing default %{dclass_counter1->} view %{dclass_counter2}", processor_chain([ dup21, - setc("event_description","installing default SNMP view"), dup22, + setc("event_description","installing default SNMP view"), + dup23, ])); -var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part617); +var msg586 = msg("SNMPD_VIEW_INSTALL_DEFAULT", part609); -var part618 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","oid parsing failed for SNMP view"), +var part610 = match("MESSAGE#581:SNMPD_VIEW_OID_PARSE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: oid parsing failed for view %{dclass_counter2->} oid %{result}", processor_chain([ + dup30, dup22, + setc("event_description","oid parsing failed for SNMP view"), + dup23, ])); -var msg587 = msg("SNMPD_VIEW_OID_PARSE", part618); +var msg587 = msg("SNMPD_VIEW_OID_PARSE", part610); -var part619 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP_GET_ERROR 1"), +var part611 = match("MESSAGE#582:SNMP_GET_ERROR1", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP_GET_ERROR 1"), + dup23, ])); -var msg588 = msg("SNMP_GET_ERROR1", part619); +var msg588 = msg("SNMP_GET_ERROR1", part611); -var part620 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP GET ERROR 2"), +var part612 = match("MESSAGE#583:SNMP_GET_ERROR2", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP GET ERROR 2"), + dup23, ])); -var msg589 = msg("SNMP_GET_ERROR2", part620); +var msg589 = msg("SNMP_GET_ERROR2", part612); -var part621 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP GET ERROR 3"), +var part613 = match("MESSAGE#584:SNMP_GET_ERROR3", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP GET ERROR 3"), + dup23, ])); -var msg590 = msg("SNMP_GET_ERROR3", part621); +var msg590 = msg("SNMP_GET_ERROR3", part613); -var part622 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP GET ERROR 4"), +var part614 = match("MESSAGE#585:SNMP_GET_ERROR4", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent->} %{dclass_counter1->} failed for %{dclass_counter2->} : %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP GET ERROR 4"), + dup23, ])); -var msg591 = msg("SNMP_GET_ERROR4", part622); +var msg591 = msg("SNMP_GET_ERROR4", part614); -var part623 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP RTSLIB FAILURE"), +var part615 = match("MESSAGE#586:SNMP_RTSLIB_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: rtslib-error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP RTSLIB FAILURE"), + dup23, ])); -var msg592 = msg("SNMP_RTSLIB_FAILURE", part623); +var msg592 = msg("SNMP_RTSLIB_FAILURE", part615); -var part624 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup29, - dup21, - dup107, +var part616 = match("MESSAGE#587:SNMP_TRAP_LINK_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ + dup30, dup22, + dup108, + dup23, ])); -var msg593 = msg("SNMP_TRAP_LINK_DOWN", part624); +var msg593 = msg("SNMP_TRAP_LINK_DOWN", part616); -var part625 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ - dup29, - dup21, - dup107, - dup60, +var part617 = match("MESSAGE#596:SNMP_TRAP_LINK_DOWN:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{fld2}\" interface-name=\"%{interface}\"]", processor_chain([ + dup30, + dup22, + dup108, dup61, + dup62, ])); -var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part625); +var msg594 = msg("SNMP_TRAP_LINK_DOWN:01", part617); var select55 = linear_select([ msg593, msg594, ]); -var part626 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ - dup20, +var part618 = match("MESSAGE#588:SNMP_TRAP_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: ifIndex %{dclass_counter1}, ifAdminStatus %{resultcode}, ifOperStatus %{result}, ifName %{interface}", processor_chain([ dup21, - dup108, dup22, + dup109, + dup23, ])); -var msg595 = msg("SNMP_TRAP_LINK_UP", part626); +var msg595 = msg("SNMP_TRAP_LINK_UP", part618); -var part627 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ - dup20, +var part619 = match("MESSAGE#597:SNMP_TRAP_LINK_UP:01", "nwparser.payload", "%{process->} %{process_id->} %{event_type->} [junos@%{obj_name->} snmp-interface-index=\"%{fld1}\" admin-status=\"%{fld3}\" operational-status=\"%{event_state}\" interface-name=\"%{interface}\"]", processor_chain([ dup21, - dup108, - dup60, + dup22, + dup109, dup61, + dup62, ])); -var msg596 = msg("SNMP_TRAP_LINK_UP:01", part627); +var msg596 = msg("SNMP_TRAP_LINK_UP:01", part619); var select56 = linear_select([ msg595, msg596, ]); -var part628 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP TRAP PING PROBE FAILED"), +var part620 = match("MESSAGE#589:SNMP_TRAP_PING_PROBE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP TRAP PING PROBE FAILED"), + dup23, ])); -var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part628); +var msg597 = msg("SNMP_TRAP_PING_PROBE_FAILED", part620); -var part629 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup20, +var part621 = match("MESSAGE#590:SNMP_TRAP_PING_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ dup21, - setc("event_description","SNMP TRAP PING TEST COMPLETED"), dup22, + setc("event_description","SNMP TRAP PING TEST COMPLETED"), + dup23, ])); -var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part629); +var msg598 = msg("SNMP_TRAP_PING_TEST_COMPLETED", part621); -var part630 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP TRAP PING TEST FAILED"), +var part622 = match("MESSAGE#591:SNMP_TRAP_PING_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: pingCtlOwnerIndex = %{dclass_counter1}, pingCtlTestName = %{obj_name}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP TRAP PING TEST FAILED"), + dup23, ])); -var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part630); +var msg599 = msg("SNMP_TRAP_PING_TEST_FAILED", part622); -var part631 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup20, +var part623 = match("MESSAGE#592:SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ dup21, - setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), dup22, + setc("event_description","SNMP TRAP TRACE ROUTE PATH CHANGE"), + dup23, ])); -var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part631); +var msg600 = msg("SNMP_TRAP_TRACE_ROUTE_PATH_CHANGE", part623); -var part632 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup20, +var part624 = match("MESSAGE#593:SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ dup21, - setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), dup22, + setc("event_description","SNMP TRAP TRACE ROUTE TEST COMPLETED"), + dup23, ])); -var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part632); +var msg601 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_COMPLETED", part624); -var part633 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ - dup29, - dup21, - setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), +var part625 = match("MESSAGE#594:SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: traceRouteCtlOwnerIndex = %{dclass_counter1}, traceRouteCtlTestName = %{obj_name}", processor_chain([ + dup30, dup22, + setc("event_description","SNMP TRAP TRACE ROUTE TEST FAILED"), + dup23, ])); -var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part633); +var msg602 = msg("SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", part625); -var part634 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ - dup43, - dup33, +var part626 = match("MESSAGE#598:SSHD_LOGIN_FAILED", "nwparser.payload", "%{process}: %{event_type}: Login failed for user '%{username}' from host '%{saddr}'", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup109, + dup36, + dup43, dup22, + dup110, + dup23, ])); -var msg603 = msg("SSHD_LOGIN_FAILED", part634); +var msg603 = msg("SSHD_LOGIN_FAILED", part626); -var part635 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ - dup43, - dup33, +var part627 = match("MESSAGE#599:SSHD_LOGIN_FAILED:01", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} username=\"%{username}\" source-address=\"%{saddr}\"]", processor_chain([ + dup44, dup34, dup35, - dup42, - dup21, - dup109, - dup60, - dup51, + dup36, + dup43, + dup22, + dup110, + dup61, + dup52, setf("process","hfld33"), ])); -var msg604 = msg("SSHD_LOGIN_FAILED:01", part635); +var msg604 = msg("SSHD_LOGIN_FAILED:01", part627); var select57 = linear_select([ msg603, msg604, ]); -var part636 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","task connect failure"), +var part628 = match("MESSAGE#600:task_connect", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: task %{agent->} addr %{daddr}+%{dport}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","task connect failure"), + dup23, ])); -var msg605 = msg("task_connect", part636); +var msg605 = msg("task_connect", part628); -var msg606 = msg("TASK_TASK_REINIT", dup146); +var msg606 = msg("TASK_TASK_REINIT", dup149); -var part637 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","Unexpected address family"), +var part629 = match("MESSAGE#602:TFTPD_AF_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unexpected address family %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","Unexpected address family"), + dup23, ])); -var msg607 = msg("TFTPD_AF_ERR", part637); +var msg607 = msg("TFTPD_AF_ERR", part629); -var part638 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD BIND ERROR"), +var part630 = match("MESSAGE#603:TFTPD_BIND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: bind: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD BIND ERROR"), + dup23, ])); -var msg608 = msg("TFTPD_BIND_ERR", part638); +var msg608 = msg("TFTPD_BIND_ERR", part630); -var part639 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD CONNECT ERROR"), +var part631 = match("MESSAGE#604:TFTPD_CONNECT_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: connect: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD CONNECT ERROR"), + dup23, ])); -var msg609 = msg("TFTPD_CONNECT_ERR", part639); +var msg609 = msg("TFTPD_CONNECT_ERR", part631); -var part640 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %{filename}", processor_chain([ - dup20, +var part632 = match("MESSAGE#605:TFTPD_CONNECT_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TFTP %{protocol->} from address %{daddr->} port %{dport->} file %{filename}", processor_chain([ dup21, - setc("event_description","TFTPD CONNECT INFO"), dup22, + setc("event_description","TFTPD CONNECT INFO"), + dup23, ])); -var msg610 = msg("TFTPD_CONNECT_INFO", part640); +var msg610 = msg("TFTPD_CONNECT_INFO", part632); -var part641 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD CREATE ERROR"), +var part633 = match("MESSAGE#606:TFTPD_CREATE_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: check_space %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD CREATE ERROR"), + dup23, ])); -var msg611 = msg("TFTPD_CREATE_ERR", part641); +var msg611 = msg("TFTPD_CREATE_ERR", part633); -var part642 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD FIO ERR"), +var part634 = match("MESSAGE#607:TFTPD_FIO_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD FIO ERR"), + dup23, ])); -var msg612 = msg("TFTPD_FIO_ERR", part642); +var msg612 = msg("TFTPD_FIO_ERR", part634); -var part643 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD FORK ERROR"), +var part635 = match("MESSAGE#608:TFTPD_FORK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: fork: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD FORK ERROR"), + dup23, ])); -var msg613 = msg("TFTPD_FORK_ERR", part643); +var msg613 = msg("TFTPD_FORK_ERR", part635); -var part644 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD NAK ERROR"), +var part636 = match("MESSAGE#609:TFTPD_NAK_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: nak error %{resultcode}, %{dclass_counter1}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD NAK ERROR"), + dup23, ])); -var msg614 = msg("TFTPD_NAK_ERR", part644); +var msg614 = msg("TFTPD_NAK_ERR", part636); -var part645 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%{filename}', error: %{result}", processor_chain([ - dup29, - dup21, - dup77, +var part637 = match("MESSAGE#610:TFTPD_OPEN_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to open file '%{filename}', error: %{result}", processor_chain([ + dup30, dup22, + dup78, + dup23, ])); -var msg615 = msg("TFTPD_OPEN_ERR", part645); +var msg615 = msg("TFTPD_OPEN_ERR", part637); -var part646 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%{filename}'", processor_chain([ - dup20, +var part638 = match("MESSAGE#611:TFTPD_RECVCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received %{dclass_counter1->} blocks of %{dclass_counter2->} size for file '%{filename}'", processor_chain([ dup21, - setc("event_description","TFTPD RECVCOMPLETE INFO"), dup22, + setc("event_description","TFTPD RECVCOMPLETE INFO"), + dup23, ])); -var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part646); +var msg616 = msg("TFTPD_RECVCOMPLETE_INFO", part638); -var part647 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD RECVFROM ERROR"), +var part639 = match("MESSAGE#612:TFTPD_RECVFROM_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recvfrom: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD RECVFROM ERROR"), + dup23, ])); -var msg617 = msg("TFTPD_RECVFROM_ERR", part647); +var msg617 = msg("TFTPD_RECVFROM_ERR", part639); -var part648 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD RECV ERROR"), +var part640 = match("MESSAGE#613:TFTPD_RECV_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: recv: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD RECV ERROR"), + dup23, ])); -var msg618 = msg("TFTPD_RECV_ERR", part648); +var msg618 = msg("TFTPD_RECV_ERR", part640); -var part649 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%{filename}'", processor_chain([ - dup20, +var part641 = match("MESSAGE#614:TFTPD_SENDCOMPLETE_INFO", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Sent %{dclass_counter1->} blocks of %{dclass_counter2->} and %{info->} for file '%{filename}'", processor_chain([ dup21, - setc("event_description","TFTPD SENDCOMPLETE INFO"), dup22, + setc("event_description","TFTPD SENDCOMPLETE INFO"), + dup23, ])); -var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part649); +var msg619 = msg("TFTPD_SENDCOMPLETE_INFO", part641); -var part650 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD SEND ERROR"), +var part642 = match("MESSAGE#615:TFTPD_SEND_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: send: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD SEND ERROR"), + dup23, ])); -var msg620 = msg("TFTPD_SEND_ERR", part650); +var msg620 = msg("TFTPD_SEND_ERR", part642); -var part651 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD SOCKET ERROR"), +var part643 = match("MESSAGE#616:TFTPD_SOCKET_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: socket: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD SOCKET ERROR"), + dup23, ])); -var msg621 = msg("TFTPD_SOCKET_ERR", part651); +var msg621 = msg("TFTPD_SOCKET_ERR", part643); -var part652 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","TFTPD STATFS ERROR"), +var part644 = match("MESSAGE#617:TFTPD_STATFS_ERR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: statfs %{agent}, error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","TFTPD STATFS ERROR"), + dup23, ])); -var msg622 = msg("TFTPD_STATFS_ERR", part652); +var msg622 = msg("TFTPD_STATFS_ERR", part644); -var part653 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ - dup20, +var part645 = match("MESSAGE#618:TNP", "nwparser.payload", "%{process}: %{event_type}: adding neighbor %{dclass_counter1->} to interface %{interface}", processor_chain([ dup21, - setc("event_description","adding neighbor to interface"), dup22, + setc("event_description","adding neighbor to interface"), + dup23, ])); -var msg623 = msg("TNP", part653); +var msg623 = msg("TNP", part645); -var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ - dup20, +var part646 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: tracing to %{fld33->} started", processor_chain([ dup21, - setc("event_description","tracing to file"), dup22, + setc("event_description","tracing to file"), + dup23, call({ dest: "nwparser.filename", fn: RMQ, @@ -7237,160 +7246,158 @@ var part654 = match("MESSAGE#619:trace_on", "nwparser.payload", "%{process}[%{pr }), ])); -var msg624 = msg("trace_on", part654); +var msg624 = msg("trace_on", part646); -var part655 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %{filename}", processor_chain([ - dup20, +var part647 = match("MESSAGE#620:trace_rotate", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: rotating %{filename}", processor_chain([ dup21, - setc("event_description","trace rotating file"), dup22, + setc("event_description","trace rotating file"), + dup23, ])); -var msg625 = msg("trace_rotate", part655); +var msg625 = msg("trace_rotate", part647); -var part656 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %{filename}", processor_chain([ - dup20, +var part648 = match("MESSAGE#621:transfer-file", "nwparser.payload", "%{process}: %{event_type}: Transferred %{filename}", processor_chain([ dup21, - setc("event_description","transfered file"), dup22, + setc("event_description","transfered file"), + dup23, ])); -var msg626 = msg("transfer-file", part656); +var msg626 = msg("transfer-file", part648); -var part657 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ - dup29, - dup21, - setc("event_description","ttloop - peer died"), +var part649 = match("MESSAGE#622:ttloop", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: peer died: %{result}: %{resultcode}", processor_chain([ + dup30, dup22, + setc("event_description","ttloop - peer died"), + dup23, ])); -var msg627 = msg("ttloop", part657); +var msg627 = msg("ttloop", part649); -var part658 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ - dup79, - dup33, +var part650 = match("MESSAGE#623:UI_AUTH_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated user '%{username}' at permission level '%{privilege}'", processor_chain([ + dup80, dup34, - dup36, - dup21, - setc("event_description","Authenticated user"), + dup35, + dup37, dup22, + setc("event_description","Authenticated user"), + dup23, ])); -var msg628 = msg("UI_AUTH_EVENT", part658); +var msg628 = msg("UI_AUTH_EVENT", part650); -var part659 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ - dup29, - dup21, - setc("event_description","Received invalid authentication challenge for user response"), +var part651 = match("MESSAGE#624:UI_AUTH_INVALID_CHALLENGE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Received invalid authentication challenge for user '%{username}': response", processor_chain([ + dup30, dup22, + setc("event_description","Received invalid authentication challenge for user response"), + dup23, ])); -var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part659); +var msg629 = msg("UI_AUTH_INVALID_CHALLENGE", part651); -var part660 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to fetch boot time"), +var part652 = match("MESSAGE#625:UI_BOOTTIME_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch boot time: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to fetch boot time"), + dup23, ])); -var msg630 = msg("UI_BOOTTIME_FAILED", part660); +var msg630 = msg("UI_BOOTTIME_FAILED", part652); -var part661 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ - dup29, - dup21, - setc("event_description","user path unknown"), +var part653 = match("MESSAGE#626:UI_CFG_AUDIT_NEW", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} path unknown", processor_chain([ + dup30, dup22, + setc("event_description","user path unknown"), + dup23, ])); -var msg631 = msg("UI_CFG_AUDIT_NEW", part661); +var msg631 = msg("UI_CFG_AUDIT_NEW", part653); -var part662 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ - dup41, - dup21, - setc("event_description"," user Inserted Security Policies in config"), +var part654 = match("MESSAGE#627:UI_CFG_AUDIT_NEW:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' insert: [edit-config config %{filename->} security policies %{policyname}] %{info}", processor_chain([ + dup42, dup22, + setc("event_description"," user Inserted Security Policies in config"), + dup23, ])); -var msg632 = msg("UI_CFG_AUDIT_NEW:01", part662); +var msg632 = msg("UI_CFG_AUDIT_NEW:01", part654); var select58 = linear_select([ msg631, msg632, ]); -var part663 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%{filename}]", processor_chain([ - dup20, +var part655 = match("MESSAGE#628:UI_CFG_AUDIT_OTHER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' delete: [%{filename}]", processor_chain([ dup21, + dup22, setc("event_description","User deleted file"), setc("action","delete"), - dup22, + dup23, ])); -var msg633 = msg("UI_CFG_AUDIT_OTHER", part663); +var msg633 = msg("UI_CFG_AUDIT_OTHER", part655); -var part664 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %{filename}", processor_chain([ - dup20, +var part656 = match("MESSAGE#629:UI_CFG_AUDIT_OTHER:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' rollback: %{filename}", processor_chain([ dup21, - setc("event_description","User rollback file"), dup22, + setc("event_description","User rollback file"), + dup23, ])); -var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part664); +var msg634 = msg("UI_CFG_AUDIT_OTHER:01", part656); -var part665 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\" "); - -var part666 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "%{space->} "); +var part657 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_0", "nwparser.p0", "\"%{info}\""); var select59 = linear_select([ - part665, - part666, + part657, + dup112, ]); var all31 = all_match({ processors: [ - dup110, + dup111, select59, ], on_success: processor_chain([ - dup20, dup21, - setc("event_description","User set"), dup22, + setc("event_description","User set"), + dup23, ]), }); var msg635 = msg("UI_CFG_AUDIT_OTHER:02", all31); -var part667 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ - dup20, +var part658 = match("MESSAGE#631:UI_CFG_AUDIT_OTHER:03", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}]", processor_chain([ dup21, + dup22, setc("event_description","User config replace"), setc("action","replace"), - dup22, + dup23, ])); -var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part667); +var msg636 = msg("UI_CFG_AUDIT_OTHER:03", part658); -var part668 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ +var part659 = match("MESSAGE#632:UI_CFG_AUDIT_OTHER:04", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' deactivate: [groups %{info}]", processor_chain([ setc("eventcategory","1701070000"), - dup21, + dup22, setc("event_description","User deactivating group(s)"), setc("action","deactivate"), - dup22, + dup23, ])); -var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part668); +var msg637 = msg("UI_CFG_AUDIT_OTHER:04", part659); -var part669 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %{filename}", processor_chain([ - dup111, - dup21, +var part660 = match("MESSAGE#633:UI_CFG_AUDIT_OTHER:05", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' update: %{filename}", processor_chain([ + dup113, + dup22, setc("event_description","User updates config file"), setc("action","update"), - dup22, + dup23, ])); -var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part669); +var msg638 = msg("UI_CFG_AUDIT_OTHER:05", part660); var select60 = linear_select([ msg633, @@ -7401,60 +7408,60 @@ var select60 = linear_select([ msg638, ]); -var part670 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); +var part661 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_0", "nwparser.p0", "\"%{change_old}\" %{p0}"); var select61 = linear_select([ - part670, - dup112, + part661, + dup114, ]); var all32 = all_match({ processors: [ - dup110, + dup111, select61, - dup113, + dup115, ], on_success: processor_chain([ - dup20, dup21, - dup114, dup22, + dup116, + dup23, ]), }); var msg639 = msg("UI_CFG_AUDIT_SET:01", all32); -var part671 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); +var part662 = match("MESSAGE#635:UI_CFG_AUDIT_SET:02/1_0", "nwparser.p0", "\"%{change_old->} %{p0}"); var select62 = linear_select([ - part671, - dup112, + part662, + dup114, ]); var all33 = all_match({ processors: [ - dup110, + dup111, select62, - dup113, + dup115, ], on_success: processor_chain([ - dup20, dup21, - dup114, dup22, + dup116, + dup23, ]), }); var msg640 = msg("UI_CFG_AUDIT_SET:02", all33); -var part672 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ - dup20, +var part663 = match("MESSAGE#636:UI_CFG_AUDIT_SET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' replace: [edit-config config %{filename->} applications %{info}] \u003c\u003c%{disposition}> -> \"%{agent}\"", processor_chain([ dup21, - setc("event_description","User replace config application(s)"), dup22, + setc("event_description","User replace config application(s)"), + dup23, ])); -var msg641 = msg("UI_CFG_AUDIT_SET", part672); +var msg641 = msg("UI_CFG_AUDIT_SET", part663); var select63 = linear_select([ msg639, @@ -7462,50 +7469,50 @@ var select63 = linear_select([ msg641, ]); -var part673 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); +var part664 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/2", "nwparser.p0", ": [groups %{info->} secret]"); var all34 = all_match({ processors: [ - dup115, - dup153, - part673, + dup117, + dup156, + part664, ], on_success: processor_chain([ - dup111, - dup21, - dup118, + dup113, dup22, + dup120, + dup23, ]), }); var msg642 = msg("UI_CFG_AUDIT_SET_SECRET:01", all34); -var part674 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); +var part665 = match("MESSAGE#638:UI_CFG_AUDIT_SET_SECRET:02/2", "nwparser.p0", ": [%{info}]"); var all35 = all_match({ processors: [ - dup115, - dup153, - part674, + dup117, + dup156, + part665, ], on_success: processor_chain([ - dup111, - dup21, - dup118, + dup113, dup22, + dup120, + dup23, ]), }); var msg643 = msg("UI_CFG_AUDIT_SET_SECRET:02", all35); -var part675 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ - dup20, +var part666 = match("MESSAGE#639:UI_CFG_AUDIT_SET_SECRET", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' %{dclass_counter2->} %{directory}", processor_chain([ dup21, - setc("event_description","UI CFG AUDIT SET SECRET"), dup22, + setc("event_description","UI CFG AUDIT SET SECRET"), + dup23, ])); -var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part675); +var msg644 = msg("UI_CFG_AUDIT_SET_SECRET", part666); var select64 = linear_select([ msg642, @@ -7513,997 +7520,995 @@ var select64 = linear_select([ msg644, ]); -var part676 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ - dup29, - dup21, - setc("event_description","Too many arguments for child process"), +var part667 = match("MESSAGE#640:UI_CHILD_ARGS_EXCEEDED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Too many arguments for child process '%{agent}'", processor_chain([ + dup30, dup22, + setc("event_description","Too many arguments for child process"), + dup23, ])); -var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part676); +var msg645 = msg("UI_CHILD_ARGS_EXCEEDED", part667); -var part677 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to switch to local user"), +var part668 = match("MESSAGE#641:UI_CHILD_CHANGE_USER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to switch to local user: %{username}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to switch to local user"), + dup23, ])); -var msg646 = msg("UI_CHILD_CHANGE_USER", part677); +var msg646 = msg("UI_CHILD_CHANGE_USER", part668); -var part678 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Child exec failed"), +var part669 = match("MESSAGE#642:UI_CHILD_EXEC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exec failed for command '%{action}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Child exec failed"), + dup23, ])); -var msg647 = msg("UI_CHILD_EXEC", part678); +var msg647 = msg("UI_CHILD_EXEC", part669); -var part679 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ - dup29, - dup21, - setc("event_description","Child exited"), +var part670 = match("MESSAGE#643:UI_CHILD_EXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child exited: PID %{child_pid}, status %{result}, command '%{action}'", processor_chain([ + dup30, dup22, + setc("event_description","Child exited"), + dup23, ])); -var msg648 = msg("UI_CHILD_EXITED", part679); +var msg648 = msg("UI_CHILD_EXITED", part670); -var part680 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%{filename}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to append to log"), +var part671 = match("MESSAGE#644:UI_CHILD_FOPEN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to append to log '%{filename}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to append to log"), + dup23, ])); -var msg649 = msg("UI_CHILD_FOPEN", part680); +var msg649 = msg("UI_CHILD_FOPEN", part671); -var part681 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to create pipe for command"), +var part672 = match("MESSAGE#645:UI_CHILD_PIPE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipe for command '%{action}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to create pipe for command"), + dup23, ])); -var msg650 = msg("UI_CHILD_PIPE_FAILED", part681); +var msg650 = msg("UI_CHILD_PIPE_FAILED", part672); -var part682 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ - dup20, +var part673 = match("MESSAGE#646:UI_CHILD_SIGNALED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child received signal: PID %{child_pid}, signal %{result}: %{resultcode}, command='%{action}'", processor_chain([ dup21, - dup60, - setc("event_description","Child received signal"), dup22, + dup61, + setc("event_description","Child received signal"), + dup23, ])); -var msg651 = msg("UI_CHILD_SIGNALED", part682); +var msg651 = msg("UI_CHILD_SIGNALED", part673); -var part683 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ - dup20, +var part674 = match("MESSAGE#647:UI_CHILD_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Child stopped: PID %{child_pid}, signal=%{resultcode->} command='%{action}')", processor_chain([ dup21, - setc("event_description","Child stopped"), dup22, + setc("event_description","Child stopped"), + dup23, ])); -var msg652 = msg("UI_CHILD_STOPPED", part683); +var msg652 = msg("UI_CHILD_STOPPED", part674); -var part684 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ - dup20, +var part675 = match("MESSAGE#648:UI_CHILD_START", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Starting child '%{agent}'", processor_chain([ dup21, - setc("event_description","Starting child"), dup22, + setc("event_description","Starting child"), + dup23, ])); -var msg653 = msg("UI_CHILD_START", part684); +var msg653 = msg("UI_CHILD_START", part675); -var part685 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ - dup20, +var part676 = match("MESSAGE#649:UI_CHILD_STATUS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Cleanup child '%{agent}', PID %{child_pid}, status %{result}", processor_chain([ dup21, - setc("event_description","Cleanup child"), dup22, + setc("event_description","Cleanup child"), + dup23, ])); -var msg654 = msg("UI_CHILD_STATUS", part685); +var msg654 = msg("UI_CHILD_STATUS", part676); -var part686 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","waitpid failed"), +var part677 = match("MESSAGE#650:UI_CHILD_WAITPID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: waitpid failed: PID %{child_pid}, rc %{dclass_counter2}, status %{resultcode}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","waitpid failed"), + dup23, ])); -var msg655 = msg("UI_CHILD_WAITPID", part686); +var msg655 = msg("UI_CHILD_WAITPID", part677); -var part687 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Idle timeout for user exceeded"), +var part678 = match("MESSAGE#651:UI_CLI_IDLE_TIMEOUT", "nwparser.payload", "%{event_type}: Idle timeout for user '%{username}' exceeded and %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Idle timeout for user exceeded"), + dup23, ])); -var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part687); +var msg656 = msg("UI_CLI_IDLE_TIMEOUT", part678); -var part688 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup20, +var part679 = match("MESSAGE#652:UI_CMDLINE_READ_LINE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}', command '%{action}'", processor_chain([ dup21, - dup119, dup22, + dup121, + dup23, ])); -var msg657 = msg("UI_CMDLINE_READ_LINE", part688); +var msg657 = msg("UI_CMDLINE_READ_LINE", part679); -var part689 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Command execution failed"), +var part680 = match("MESSAGE#653:UI_CMDSET_EXEC_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command execution failed for '%{agent}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Command execution failed"), + dup23, ])); -var msg658 = msg("UI_CMDSET_EXEC_FAILED", part689); +var msg658 = msg("UI_CMDSET_EXEC_FAILED", part680); -var part690 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to fork command"), +var part681 = match("MESSAGE#654:UI_CMDSET_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fork command '%{agent}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to fork command"), + dup23, ])); -var msg659 = msg("UI_CMDSET_FORK_FAILED", part690); +var msg659 = msg("UI_CMDSET_FORK_FAILED", part681); -var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup141); +var msg660 = msg("UI_CMDSET_PIPE_FAILED", dup144); -var part691 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ - dup29, - dup21, - dup69, +var part682 = match("MESSAGE#656:UI_CMDSET_STOPPED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command stopped: PID %{child_pid}, signal '%{resultcode}, command '%{action}'", processor_chain([ + dup30, dup22, + dup70, + dup23, ])); - -var msg661 = msg("UI_CMDSET_STOPPED", part691); - -var part692 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ - dup29, - dup21, - dup71, + +var msg661 = msg("UI_CMDSET_STOPPED", part682); + +var part683 = match("MESSAGE#657:UI_CMDSET_WEXITED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Command exited: PID %{child_pid}, status %{resultcode}, command '%{action}'", processor_chain([ + dup30, dup22, + dup72, + dup23, ])); -var msg662 = msg("UI_CMDSET_WEXITED", part692); +var msg662 = msg("UI_CMDSET_WEXITED", part683); -var part693 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Invalid regexp command"), +var part684 = match("MESSAGE#658:UI_CMD_AUTH_REGEX_INVALID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Invalid '%{action}' command authorization regular expression '%{agent}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Invalid regexp command"), + dup23, ])); -var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part693); +var msg663 = msg("UI_CMD_AUTH_REGEX_INVALID", part684); -var part694 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info}) "); +var part685 = match("MESSAGE#659:UI_COMMIT/1_0", "nwparser.p0", "requested '%{action}' operation (comment:%{info})"); -var part695 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action->} "); +var part686 = match("MESSAGE#659:UI_COMMIT/1_1", "nwparser.p0", "performed %{action}"); var select65 = linear_select([ - part694, - part695, + part685, + part686, ]); var all36 = all_match({ processors: [ - dup115, + dup117, select65, ], on_success: processor_chain([ - dup20, dup21, - dup120, dup22, + dup122, + dup23, ]), }); var msg664 = msg("UI_COMMIT", all36); -var part696 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ - dup20, +var part687 = match("MESSAGE#660:UI_COMMIT_AT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{result}", processor_chain([ dup21, - dup120, dup22, + dup122, + dup23, ])); -var msg665 = msg("UI_COMMIT_AT", part696); +var msg665 = msg("UI_COMMIT_AT", part687); -var part697 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ - dup20, +var part688 = match("MESSAGE#661:UI_COMMIT_AT_COMPLETED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{agent}' was successful", processor_chain([ dup21, - setc("event_description","User commit successful"), dup22, + setc("event_description","User commit successful"), + dup23, ])); -var msg666 = msg("UI_COMMIT_AT_COMPLETED", part697); +var msg666 = msg("UI_COMMIT_AT_COMPLETED", part688); -var part698 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ - dup29, - dup21, - setc("event_description","User commit failed"), +var part689 = match("MESSAGE#662:UI_COMMIT_AT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{result}, %{info}", processor_chain([ + dup30, dup22, + setc("event_description","User commit failed"), + dup23, ])); -var msg667 = msg("UI_COMMIT_AT_FAILED", part698); +var msg667 = msg("UI_COMMIT_AT_FAILED", part689); -var part699 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %{filename}'", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to compress file"), +var part690 = match("MESSAGE#663:UI_COMMIT_COMPRESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to compress file %{filename}'", processor_chain([ + dup30, dup22, + setc("event_description","Unable to compress file"), + dup23, ])); -var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part699); +var msg668 = msg("UI_COMMIT_COMPRESS_FAILED", part690); -var part700 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ - dup20, +var part691 = match("MESSAGE#664:UI_COMMIT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed '%{action}'", processor_chain([ dup21, - setc("event_description","UI COMMIT CONFIRMED"), dup22, + setc("event_description","UI COMMIT CONFIRMED"), + dup23, ])); -var msg669 = msg("UI_COMMIT_CONFIRMED", part700); +var msg669 = msg("UI_COMMIT_CONFIRMED", part691); -var part701 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); +var part692 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: '%{action}' must be confirmed within %{p0}"); -var part702 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1->} "); +var part693 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_0", "nwparser.p0", "minutes %{dclass_counter1}"); -var part703 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes "); +var part694 = match("MESSAGE#665:UI_COMMIT_CONFIRMED_REMINDER/1_1", "nwparser.p0", "%{dclass_counter1->} minutes"); var select66 = linear_select([ - part702, - part703, + part693, + part694, ]); var all37 = all_match({ processors: [ - part701, + part692, select66, ], on_success: processor_chain([ - dup20, dup21, - setc("event_description","COMMIT must be confirmed within # minutes"), dup22, + setc("event_description","COMMIT must be confirmed within # minutes"), + dup23, ]), }); var msg670 = msg("UI_COMMIT_CONFIRMED_REMINDER", all37); -var part704 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "%{}'%{username}' performed '%{action}'"); +var part695 = match("MESSAGE#666:UI_COMMIT_CONFIRMED_TIMED/2", "nwparser.p0", "'%{username}' performed '%{action}'"); var all38 = all_match({ processors: [ - dup49, - dup142, - part704, + dup50, + dup145, + part695, ], on_success: processor_chain([ - dup20, dup21, - setc("event_description","user performed commit confirm"), dup22, + setc("event_description","user performed commit confirm"), + dup23, ]), }); var msg671 = msg("UI_COMMIT_CONFIRMED_TIMED", all38); -var part705 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ - dup20, +var part696 = match("MESSAGE#667:UI_COMMIT_EMPTY_CONTAINER", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Skipped empty object %{result}", processor_chain([ dup21, - setc("event_description","Skipped empty object"), dup22, + setc("event_description","Skipped empty object"), + dup23, ])); -var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part705); +var msg672 = msg("UI_COMMIT_EMPTY_CONTAINER", part696); -var part706 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","COMMIT NOT CONFIRMED"), +var part697 = match("MESSAGE#668:UI_COMMIT_NOT_CONFIRMED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Commit was not confirmed; %{result}", processor_chain([ + dup30, dup22, + setc("event_description","COMMIT NOT CONFIRMED"), + dup23, ])); -var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part706); +var msg673 = msg("UI_COMMIT_NOT_CONFIRMED", part697); -var part707 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); +var part698 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_0", "nwparser.p0", "commit %{p0}"); -var part708 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); +var part699 = match("MESSAGE#669:UI_COMMIT_PROGRESS/1_1", "nwparser.p0", "Commit operation in progress %{p0}"); var select67 = linear_select([ - part707, - part708, + part698, + part699, ]); -var part709 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); +var part700 = match("MESSAGE#669:UI_COMMIT_PROGRESS/2", "nwparser.p0", ": %{action}"); var all39 = all_match({ processors: [ - dup49, + dup50, select67, - part709, + part700, ], on_success: processor_chain([ - dup20, dup21, - setc("event_description","Commit operation in progress"), dup22, + setc("event_description","Commit operation in progress"), + dup23, ]), }); var msg674 = msg("UI_COMMIT_PROGRESS", all39); -var part710 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup20, +var part701 = match("MESSAGE#670:UI_COMMIT_QUIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ dup21, - setc("event_description","COMMIT QUIT"), dup22, + setc("event_description","COMMIT QUIT"), + dup23, ])); -var msg675 = msg("UI_COMMIT_QUIT", part710); +var msg675 = msg("UI_COMMIT_QUIT", part701); -var part711 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ - dup29, - dup21, - setc("event_description","Automatic rollback failed"), +var part702 = match("MESSAGE#671:UI_COMMIT_ROLLBACK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rollback failed", processor_chain([ + dup30, dup22, + setc("event_description","Automatic rollback failed"), + dup23, ])); -var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part711); +var msg676 = msg("UI_COMMIT_ROLLBACK_FAILED", part702); -var part712 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ - dup20, +var part703 = match("MESSAGE#672:UI_COMMIT_SYNC", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' performed %{action}", processor_chain([ dup21, - setc("event_description","COMMIT SYNC"), dup22, + setc("event_description","COMMIT SYNC"), + dup23, ])); -var msg677 = msg("UI_COMMIT_SYNC", part712); +var msg677 = msg("UI_COMMIT_SYNC", part703); -var part713 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ - dup20, +var part704 = match("MESSAGE#673:UI_COMMIT_SYNC_FORCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: All logins to local configuration database were terminated because %{result}", processor_chain([ dup21, - setc("event_description","All logins to local configuration database were terminated"), dup22, + setc("event_description","All logins to local configuration database were terminated"), + dup23, ])); -var msg678 = msg("UI_COMMIT_SYNC_FORCE", part713); +var msg678 = msg("UI_COMMIT_SYNC_FORCE", part704); -var part714 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); +var part705 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Process: %{agent}, path: %{p0}"); -var part715 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%{filename}], %{p0}"); +var part706 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_0", "nwparser.p0", "[%{filename}], %{p0}"); -var part716 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%{filename}, %{p0}"); +var part707 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/1_1", "nwparser.p0", "%{filename}, %{p0}"); var select68 = linear_select([ - part715, - part716, + part706, + part707, ]); -var part717 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "%{}statement: %{info->} %{p0}"); +var part708 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/2", "nwparser.p0", "statement: %{info->} %{p0}"); -var part718 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); - -var part719 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_1", "nwparser.p0", "%{space}"); +var part709 = match("MESSAGE#674:UI_CONFIGURATION_ERROR/3_0", "nwparser.p0", ", error: %{result->} "); var select69 = linear_select([ - part718, - part719, + part709, + dup112, ]); var all40 = all_match({ processors: [ - part714, + part705, select68, - part717, + part708, select69, ], on_success: processor_chain([ - dup29, - dup21, - setc("event_description","CONFIGURATION ERROR"), + dup30, dup22, + setc("event_description","CONFIGURATION ERROR"), + dup23, ]), }); var msg679 = msg("UI_CONFIGURATION_ERROR", all40); -var part720 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "%{}socket connection accept failed: %{result}"); +var part710 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/2", "nwparser.p0", "socket connection accept failed: %{result}"); var all41 = all_match({ processors: [ - dup49, - dup154, - part720, + dup50, + dup157, + part710, ], on_success: processor_chain([ - dup29, - dup21, - setc("event_description","socket connection accept failed"), + dup30, dup22, + setc("event_description","socket connection accept failed"), + dup23, ]), }); var msg680 = msg("UI_DAEMON_ACCEPT_FAILED", all41); -var part721 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to create session child"), +var part711 = match("MESSAGE#676:UI_DAEMON_FORK_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create session child: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to create session child"), + dup23, ])); -var msg681 = msg("UI_DAEMON_FORK_FAILED", part721); +var msg681 = msg("UI_DAEMON_FORK_FAILED", part711); -var part722 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","DAEMON SELECT FAILED"), +var part712 = match("MESSAGE#677:UI_DAEMON_SELECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: select failed: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","DAEMON SELECT FAILED"), + dup23, ])); -var msg682 = msg("UI_DAEMON_SELECT_FAILED", part722); +var msg682 = msg("UI_DAEMON_SELECT_FAILED", part712); -var part723 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "%{}socket create failed: %{result}"); +var part713 = match("MESSAGE#678:UI_DAEMON_SOCKET_FAILED/2", "nwparser.p0", "socket create failed: %{result}"); var all42 = all_match({ processors: [ - dup49, - dup154, - part723, + dup50, + dup157, + part713, ], on_success: processor_chain([ - dup29, - dup21, - setc("event_description","socket create failed"), + dup30, dup22, + setc("event_description","socket create failed"), + dup23, ]), }); var msg683 = msg("UI_DAEMON_SOCKET_FAILED", all42); -var part724 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%{filename}', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to reaccess database file"), +var part714 = match("MESSAGE#679:UI_DBASE_ACCESS_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to reaccess database file '%{filename}', address %{interface}, size %{dclass_counter1}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to reaccess database file"), + dup23, ])); -var msg684 = msg("UI_DBASE_ACCESS_FAILED", part724); +var msg684 = msg("UI_DBASE_ACCESS_FAILED", part714); -var part725 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%{filename}' is out of data and needs to be rebuilt", processor_chain([ - dup29, - dup21, - setc("event_description","Database is out of data"), +var part715 = match("MESSAGE#680:UI_DBASE_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database '%{filename}' is out of data and needs to be rebuilt", processor_chain([ + dup30, dup22, + setc("event_description","Database is out of data"), + dup23, ])); -var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part725); +var msg685 = msg("UI_DBASE_CHECKOUT_FAILED", part715); -var part726 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%{filename}' to size %{dclass_counter1}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to extend database file"), +var part716 = match("MESSAGE#681:UI_DBASE_EXTEND_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to extend database file '%{filename}' to size %{dclass_counter1}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to extend database file"), + dup23, ])); -var msg686 = msg("UI_DBASE_EXTEND_FAILED", part726); +var msg686 = msg("UI_DBASE_EXTEND_FAILED", part716); -var part727 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ - dup32, +var part717 = match("MESSAGE#682:UI_DBASE_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' entering configuration mode", processor_chain([ dup33, dup34, dup35, dup36, - dup21, - setc("event_description","User entering configuration mode"), + dup37, dup22, + setc("event_description","User entering configuration mode"), + dup23, ])); -var msg687 = msg("UI_DBASE_LOGIN_EVENT", part727); +var msg687 = msg("UI_DBASE_LOGIN_EVENT", part717); -var part728 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ - dup123, - dup33, +var part718 = match("MESSAGE#683:UI_DBASE_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{event_description}", processor_chain([ + dup125, dup34, - dup124, - dup36, - dup21, - setc("event_description","User exiting configuration mode"), + dup35, + dup126, + dup37, dup22, + setc("event_description","User exiting configuration mode"), + dup23, ])); -var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part728); +var msg688 = msg("UI_DBASE_LOGOUT_EVENT", part718); -var part729 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","Database header extent mismatch"), +var part719 = match("MESSAGE#684:UI_DBASE_MISMATCH_EXTENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header extent mismatch for file '%{agent}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","Database header extent mismatch"), + dup23, ])); -var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part729); +var msg689 = msg("UI_DBASE_MISMATCH_EXTENT", part719); -var part730 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%{filename}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","Database header major version number mismatch"), +var part720 = match("MESSAGE#685:UI_DBASE_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header major version number mismatch for file '%{filename}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","Database header major version number mismatch"), + dup23, ])); -var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part730); +var msg690 = msg("UI_DBASE_MISMATCH_MAJOR", part720); -var part731 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%{filename}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","Database header minor version number mismatch"), +var part721 = match("MESSAGE#686:UI_DBASE_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header minor version number mismatch for file '%{filename}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","Database header minor version number mismatch"), + dup23, ])); -var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part731); +var msg691 = msg("UI_DBASE_MISMATCH_MINOR", part721); -var part732 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%{filename}'", processor_chain([ - dup29, - dup21, - setc("event_description","Database header sequence numbers mismatch"), +var part722 = match("MESSAGE#687:UI_DBASE_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header sequence numbers mismatch for file '%{filename}'", processor_chain([ + dup30, dup22, + setc("event_description","Database header sequence numbers mismatch"), + dup23, ])); -var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part732); +var msg692 = msg("UI_DBASE_MISMATCH_SEQUENCE", part722); -var part733 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%{filename}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ - dup29, - dup21, - setc("event_description","Database header size mismatch"), +var part723 = match("MESSAGE#688:UI_DBASE_MISMATCH_SIZE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database header size mismatch for file '%{filename}': expecting %{dclass_counter1}, got %{dclass_counter2}", processor_chain([ + dup30, dup22, + setc("event_description","Database header size mismatch"), + dup23, ])); -var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part733); +var msg693 = msg("UI_DBASE_MISMATCH_SIZE", part723); -var part734 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%{filename}': %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Database open failed"), +var part724 = match("MESSAGE#689:UI_DBASE_OPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Database open failed for file '%{filename}': %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Database open failed"), + dup23, ])); -var msg694 = msg("UI_DBASE_OPEN_FAILED", part734); +var msg694 = msg("UI_DBASE_OPEN_FAILED", part724); -var part735 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%{filename}' failed", processor_chain([ - dup29, - dup21, - setc("event_description","DBASE REBUILD FAILED"), +var part725 = match("MESSAGE#690:UI_DBASE_REBUILD_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User %{username->} Automatic rebuild of the database '%{filename}' failed", processor_chain([ + dup30, dup22, + setc("event_description","DBASE REBUILD FAILED"), + dup23, ])); -var msg695 = msg("UI_DBASE_REBUILD_FAILED", part735); +var msg695 = msg("UI_DBASE_REBUILD_FAILED", part725); -var part736 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ - dup29, - dup21, - setc("event_description","Automatic rebuild of the database failed"), +var part726 = match("MESSAGE#691:UI_DBASE_REBUILD_SCHEMA_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Automatic rebuild of the database failed", processor_chain([ + dup30, dup22, + setc("event_description","Automatic rebuild of the database failed"), + dup23, ])); -var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part736); +var msg696 = msg("UI_DBASE_REBUILD_SCHEMA_FAILED", part726); -var part737 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); +var part727 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/1_1", "nwparser.p0", "Automatic %{p0}"); var select70 = linear_select([ - dup75, - part737, + dup76, + part727, ]); -var part738 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{} %{username->} rebuild/rollback of the database '%{filename}' started"); +var part728 = match("MESSAGE#692:UI_DBASE_REBUILD_STARTED/2", "nwparser.p0", "%{username->} rebuild/rollback of the database '%{filename}' started"); var all43 = all_match({ processors: [ - dup49, + dup50, select70, - part738, + part728, ], on_success: processor_chain([ - dup20, dup21, - setc("event_description","DBASE REBUILD STARTED"), dup22, + setc("event_description","DBASE REBUILD STARTED"), + dup23, ]), }); var msg697 = msg("UI_DBASE_REBUILD_STARTED", all43); -var part739 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ - dup20, +var part729 = match("MESSAGE#693:UI_DBASE_RECREATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' attempting database re-creation", processor_chain([ dup21, - setc("event_description","user attempting database re-creation"), dup22, + setc("event_description","user attempting database re-creation"), + dup23, ])); -var msg698 = msg("UI_DBASE_RECREATE", part739); +var msg698 = msg("UI_DBASE_RECREATE", part729); -var part740 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ - dup29, - dup21, - setc("event_description","Reopen of the database failed"), +var part730 = match("MESSAGE#694:UI_DBASE_REOPEN_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reopen of the database failed", processor_chain([ + dup30, dup22, + setc("event_description","Reopen of the database failed"), + dup23, ])); -var msg699 = msg("UI_DBASE_REOPEN_FAILED", part740); +var msg699 = msg("UI_DBASE_REOPEN_FAILED", part730); -var part741 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ - dup29, - dup21, - setc("event_description","Users have the same UID"), +var part731 = match("MESSAGE#695:UI_DUPLICATE_UID", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Users %{username->} have the same UID %{uid}", processor_chain([ + dup30, dup22, + setc("event_description","Users have the same UID"), + dup23, ])); -var msg700 = msg("UI_DUPLICATE_UID", part741); +var msg700 = msg("UI_DUPLICATE_UID", part731); -var part742 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ +var part732 = match("MESSAGE#696:UI_JUNOSCRIPT_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used JUNOScript client to run command '%{action}'", processor_chain([ setc("eventcategory","1401050100"), - dup21, - setc("event_description","User used JUNOScript client to run command"), dup22, + setc("event_description","User used JUNOScript client to run command"), + dup23, ])); -var msg701 = msg("UI_JUNOSCRIPT_CMD", part742); +var msg701 = msg("UI_JUNOSCRIPT_CMD", part732); -var part743 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","JUNOScript error"), +var part733 = match("MESSAGE#697:UI_JUNOSCRIPT_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: JUNOScript error: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","JUNOScript error"), + dup23, ])); -var msg702 = msg("UI_JUNOSCRIPT_ERROR", part743); +var msg702 = msg("UI_JUNOSCRIPT_ERROR", part733); -var part744 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ - dup20, +var part734 = match("MESSAGE#698:UI_LOAD_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' is performing a '%{action}'", processor_chain([ dup21, - setc("event_description","User command"), dup22, + setc("event_description","User command"), + dup23, ])); -var msg703 = msg("UI_LOAD_EVENT", part744); +var msg703 = msg("UI_LOAD_EVENT", part734); -var part745 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %{filename}", processor_chain([ +var part735 = match("MESSAGE#699:UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Loading the default config from %{filename}", processor_chain([ setc("eventcategory","1701040000"), - dup21, - setc("event_description","Loading default config from file"), dup22, + setc("event_description","Loading default config from file"), + dup23, ])); -var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part745); +var msg704 = msg("UI_LOAD_JUNOS_DEFAULT_FILE_EVENT", part735); -var part746 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ - dup32, +var part736 = match("MESSAGE#700:UI_LOGIN_EVENT:01", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' [%{fld01}], %{info->} '%{saddr->} %{sport->} %{daddr->} %{dport}', client-mode '%{fld02}'", processor_chain([ dup33, dup34, dup35, dup36, - dup21, - dup125, - dup126, + dup37, dup22, + dup127, + dup128, + dup23, ])); -var msg705 = msg("UI_LOGIN_EVENT:01", part746); +var msg705 = msg("UI_LOGIN_EVENT:01", part736); -var part747 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ - dup32, +var part737 = match("MESSAGE#701:UI_LOGIN_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' login, class '%{group}' %{info}", processor_chain([ dup33, dup34, dup35, dup36, - dup21, - dup125, + dup37, dup22, + dup127, + dup23, ])); -var msg706 = msg("UI_LOGIN_EVENT", part747); +var msg706 = msg("UI_LOGIN_EVENT", part737); var select71 = linear_select([ msg705, msg706, ]); - -var part748 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ - dup123, - dup33, + +var part738 = match("MESSAGE#702:UI_LOGOUT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' logout", processor_chain([ + dup125, dup34, - dup124, - dup36, - dup21, - setc("event_description","User logout"), + dup35, + dup126, + dup37, dup22, + setc("event_description","User logout"), + dup23, ])); -var msg707 = msg("UI_LOGOUT_EVENT", part748); +var msg707 = msg("UI_LOGOUT_EVENT", part738); -var part749 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ - dup29, - dup21, - setc("event_description","Lost connection to daemon"), +var part739 = match("MESSAGE#703:UI_LOST_CONN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Lost connection to daemon %{agent}", processor_chain([ + dup30, dup22, + setc("event_description","Lost connection to daemon"), + dup23, ])); -var msg708 = msg("UI_LOST_CONN", part749); +var msg708 = msg("UI_LOST_CONN", part739); -var part750 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ - dup20, +var part740 = match("MESSAGE#704:UI_MASTERSHIP_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action->} by '%{username}'", processor_chain([ dup21, - setc("event_description","MASTERSHIP EVENT"), dup22, + setc("event_description","MASTERSHIP EVENT"), + dup23, ])); -var msg709 = msg("UI_MASTERSHIP_EVENT", part750); +var msg709 = msg("UI_MASTERSHIP_EVENT", part740); -var part751 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ - dup20, +var part741 = match("MESSAGE#705:UI_MGD_TERMINATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Terminating operation: exit status %{resultcode}", processor_chain([ dup21, - setc("event_description","Terminating operation"), dup22, + setc("event_description","Terminating operation"), + dup23, ])); -var msg710 = msg("UI_MGD_TERMINATE", part751); +var msg710 = msg("UI_MGD_TERMINATE", part741); -var part752 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ - dup28, - dup21, - setc("event_description","User used NETCONF client to run command"), +var part742 = match("MESSAGE#706:UI_NETCONF_CMD", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' used NETCONF client to run command '%{action}'", processor_chain([ + dup29, dup22, + setc("event_description","User used NETCONF client to run command"), + dup23, ])); -var msg711 = msg("UI_NETCONF_CMD", part752); +var msg711 = msg("UI_NETCONF_CMD", part742); -var part753 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","read failed for peer"), +var part743 = match("MESSAGE#707:UI_READ_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: read failed for peer %{hostname}: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","read failed for peer"), + dup23, ])); -var msg712 = msg("UI_READ_FAILED", part753); +var msg712 = msg("UI_READ_FAILED", part743); -var part754 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ - dup29, - dup21, - setc("event_description","Timeout on read of peer"), +var part744 = match("MESSAGE#708:UI_READ_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Timeout on read of peer %{hostname}", processor_chain([ + dup30, dup22, + setc("event_description","Timeout on read of peer"), + dup23, ])); -var msg713 = msg("UI_READ_TIMEOUT", part754); +var msg713 = msg("UI_READ_TIMEOUT", part744); -var part755 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ - dup59, - dup21, - setc("event_description","System reboot or halt"), +var part745 = match("MESSAGE#709:UI_REBOOT_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: System %{action->} by '%{username}'", processor_chain([ + dup60, dup22, + setc("event_description","System reboot or halt"), + dup23, ])); -var msg714 = msg("UI_REBOOT_EVENT", part755); +var msg714 = msg("UI_REBOOT_EVENT", part745); -var part756 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ - dup28, - dup21, - setc("event_description","user restarting daemon"), +var part746 = match("MESSAGE#710:UI_RESTART_EVENT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: user '%{username}' restarting daemon %{service}", processor_chain([ + dup29, dup22, + setc("event_description","user restarting daemon"), + dup23, ])); -var msg715 = msg("UI_RESTART_EVENT", part756); +var msg715 = msg("UI_RESTART_EVENT", part746); -var part757 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Schema is out of date"), +var part747 = match("MESSAGE#711:UI_SCHEMA_CHECKOUT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema is out of date and %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Schema is out of date"), + dup23, ])); -var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part757); +var msg716 = msg("UI_SCHEMA_CHECKOUT_FAILED", part747); -var part758 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Schema major version mismatch"), +var part748 = match("MESSAGE#712:UI_SCHEMA_MISMATCH_MAJOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema major version mismatch for package %{filename->} %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Schema major version mismatch"), + dup23, ])); -var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part758); +var msg717 = msg("UI_SCHEMA_MISMATCH_MAJOR", part748); -var part759 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Schema minor version mismatch"), +var part749 = match("MESSAGE#713:UI_SCHEMA_MISMATCH_MINOR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema minor version mismatch for package %{filename->} %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Schema minor version mismatch"), + dup23, ])); -var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part759); +var msg718 = msg("UI_SCHEMA_MISMATCH_MINOR", part749); -var part760 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %{filename}", processor_chain([ - dup29, - dup21, - setc("event_description","Schema header sequence numbers mismatch"), +var part750 = match("MESSAGE#714:UI_SCHEMA_MISMATCH_SEQUENCE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema header sequence numbers mismatch for package %{filename}", processor_chain([ + dup30, dup22, + setc("event_description","Schema header sequence numbers mismatch"), + dup23, ])); -var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part760); +var msg719 = msg("UI_SCHEMA_MISMATCH_SEQUENCE", part750); -var part761 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ - dup29, - dup21, - setc("event_description","Schema sequence number mismatch"), +var part751 = match("MESSAGE#715:UI_SCHEMA_SEQUENCE_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Schema sequence number mismatch", processor_chain([ + dup30, dup22, + setc("event_description","Schema sequence number mismatch"), + dup23, ])); -var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part761); +var msg720 = msg("UI_SCHEMA_SEQUENCE_ERROR", part751); -var part762 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ - dup20, +var part752 = match("MESSAGE#716:UI_SYNC_OTHER_RE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Configuration synchronization with remote Routing Engine %{result}", processor_chain([ dup21, - setc("event_description","Configuration synchronization with remote Routing Engine"), dup22, + setc("event_description","Configuration synchronization with remote Routing Engine"), + dup23, ])); -var msg721 = msg("UI_SYNC_OTHER_RE", part762); +var msg721 = msg("UI_SYNC_OTHER_RE", part752); -var part763 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup29, - dup21, - dup127, +var part753 = match("MESSAGE#717:UI_TACPLUS_ERROR", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup30, dup22, + dup129, + dup23, ])); -var msg722 = msg("UI_TACPLUS_ERROR", part763); +var msg722 = msg("UI_TACPLUS_ERROR", part753); -var part764 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ - dup29, - dup21, - setc("event_description","Unable to fetch system version"), +var part754 = match("MESSAGE#718:UI_VERSION_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to fetch system version: %{result}", processor_chain([ + dup30, dup22, + setc("event_description","Unable to fetch system version"), + dup23, ])); -var msg723 = msg("UI_VERSION_FAILED", part764); +var msg723 = msg("UI_VERSION_FAILED", part754); -var part765 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ - dup20, +var part755 = match("MESSAGE#719:UI_WRITE_RECONNECT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Re-establishing connection to peer %{hostname}", processor_chain([ dup21, - setc("event_description","Re-establishing connection to peer"), dup22, + setc("event_description","Re-establishing connection to peer"), + dup23, ])); -var msg724 = msg("UI_WRITE_RECONNECT", part765); +var msg724 = msg("UI_WRITE_RECONNECT", part755); -var part766 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ - dup20, +var part756 = match("MESSAGE#720:VRRPD_NEWMASTER_TRAP", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Interface %{interface->} (local addr: %{saddr}) is now master for %{username}", processor_chain([ dup21, - setc("event_description","Interface new master for User"), dup22, + setc("event_description","Interface new master for User"), + dup23, ])); -var msg725 = msg("VRRPD_NEWMASTER_TRAP", part766); +var msg725 = msg("VRRPD_NEWMASTER_TRAP", part756); -var part767 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ - dup68, - dup33, +var part757 = match("MESSAGE#721:WEB_AUTH_FAIL", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to authenticate %{obj_name->} (username %{c_username})", processor_chain([ + dup69, dup34, - dup42, - dup21, - setc("event_description","Unable to authenticate client"), + dup35, + dup43, dup22, + setc("event_description","Unable to authenticate client"), + dup23, ])); -var msg726 = msg("WEB_AUTH_FAIL", part767); +var msg726 = msg("WEB_AUTH_FAIL", part757); -var part768 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ - dup79, - dup33, +var part758 = match("MESSAGE#722:WEB_AUTH_SUCCESS", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Authenticated %{agent->} client (username %{c_username})", processor_chain([ + dup80, dup34, - dup36, - dup21, - setc("event_description","Authenticated client"), + dup35, + dup37, dup22, + setc("event_description","Authenticated client"), + dup23, ])); -var msg727 = msg("WEB_AUTH_SUCCESS", part768); +var msg727 = msg("WEB_AUTH_SUCCESS", part758); -var part769 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ +var part759 = match("MESSAGE#723:WEB_INTERFACE_UNAUTH", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Web services request received from unauthorized interface %{interface}", processor_chain([ setc("eventcategory","1001030300"), - dup21, - setc("event_description","web request from unauthorized interface"), dup22, + setc("event_description","web request from unauthorized interface"), + dup23, ])); -var msg728 = msg("WEB_INTERFACE_UNAUTH", part769); +var msg728 = msg("WEB_INTERFACE_UNAUTH", part759); -var part770 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ - dup73, - dup21, - setc("event_description","Unable to read from client"), +var part760 = match("MESSAGE#724:WEB_READ", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to read from client: %{result}", processor_chain([ + dup74, dup22, + setc("event_description","Unable to read from client"), + dup23, ])); -var msg729 = msg("WEB_READ", part770); +var msg729 = msg("WEB_READ", part760); -var part771 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ +var part761 = match("MESSAGE#725:WEBFILTER_REQUEST_NOT_CHECKED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Error encountered: %{result}, failed to check request %{url}", processor_chain([ setc("eventcategory","1204020100"), - dup21, - setc("event_description","failed to check web request"), dup22, + setc("event_description","failed to check web request"), + dup23, ])); -var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part771); +var msg730 = msg("WEBFILTER_REQUEST_NOT_CHECKED", part761); -var part772 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ - dup73, +var part762 = match("MESSAGE#726:FLOW_REASSEMBLE_FAIL", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" destination-address=\"%{daddr}\" assembly-id=\"%{fld1}\"]", processor_chain([ + dup74, + dup53, + dup43, + dup22, dup52, - dup42, - dup21, - dup51, ])); -var msg731 = msg("FLOW_REASSEMBLE_FAIL", part772); +var msg731 = msg("FLOW_REASSEMBLE_FAIL", part762); -var part773 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ - dup28, - dup21, - setc("event_description","Bridge Address"), +var part763 = match("MESSAGE#727:eswd", "nwparser.payload", "%{process}[%{process_id}]: Bridge Address: add %{macaddr}", processor_chain([ + dup29, dup22, + setc("event_description","Bridge Address"), + dup23, ])); -var msg732 = msg("eswd", part773); +var msg732 = msg("eswd", part763); -var part774 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ - dup28, - dup21, - setc("event_description","ESWD STP State Change Info"), +var part764 = match("MESSAGE#728:eswd:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: STP state for interface %{interface->} context id %{id->} changed from %{fld3}", processor_chain([ + dup29, dup22, + setc("event_description","ESWD STP State Change Info"), + dup23, ])); -var msg733 = msg("eswd:01", part774); +var msg733 = msg("eswd:01", part764); var select72 = linear_select([ msg732, msg733, ]); -var part775 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ - dup28, - dup21, - dup25, +var part765 = match("MESSAGE#729:/usr/sbin/cron", "nwparser.payload", "%{process}[%{process_id}]: (%{username}) CMD ( %{action})", processor_chain([ + dup29, dup22, + dup26, + dup23, ])); -var msg734 = msg("/usr/sbin/cron", part775); +var msg734 = msg("/usr/sbin/cron", part765); -var part776 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ - dup28, - dup21, - setc("event_description","Link status change event"), +var part766 = match("MESSAGE#730:chassism:02", "nwparser.payload", "%{process}[%{process_id}]: %{info}: ifd %{interface->} %{action}", processor_chain([ + dup29, dup22, + setc("event_description","Link status change event"), + dup23, ])); -var msg735 = msg("chassism:02", part776); +var msg735 = msg("chassism:02", part766); -var part777 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ - dup28, - dup21, - setc("event_description","ifd process flaps"), +var part767 = match("MESSAGE#731:chassism:01", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{interface}, %{action}", processor_chain([ + dup29, dup22, + setc("event_description","ifd process flaps"), + dup23, ])); -var msg736 = msg("chassism:01", part777); +var msg736 = msg("chassism:01", part767); -var part778 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ - dup28, - dup21, - setc("event_description","IFCM "), +var part768 = match("MESSAGE#732:chassism", "nwparser.payload", "%{process}[%{process_id}]: %{info}: %{action}", processor_chain([ + dup29, dup22, + setc("event_description","IFCM "), + dup23, ])); -var msg737 = msg("chassism", part778); +var msg737 = msg("chassism", part768); var select73 = linear_select([ msg735, @@ -8511,31 +8516,31 @@ var select73 = linear_select([ msg737, ]); -var msg738 = msg("WEBFILTER_URL_PERMITTED", dup155); +var msg738 = msg("WEBFILTER_URL_PERMITTED", dup158); -var part779 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ - dup29, - dup21, - dup51, +var part769 = match("MESSAGE#734:WEBFILTER_URL_PERMITTED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7}", processor_chain([ + dup30, + dup22, + dup52, ])); -var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part779); +var msg739 = msg("WEBFILTER_URL_PERMITTED:01", part769); -var part780 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ - dup29, - dup21, - dup51, +var part770 = match("MESSAGE#735:WEBFILTER_URL_PERMITTED:03", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=%{fld4}", processor_chain([ + dup30, + dup22, + dup52, ])); -var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part780); +var msg740 = msg("WEBFILTER_URL_PERMITTED:03", part770); -var part781 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ - dup29, - dup21, - dup51, +var part771 = match("MESSAGE#736:WEBFILTER_URL_PERMITTED:02", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=%{url}", processor_chain([ + dup30, + dup22, + dup52, ])); -var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part781); +var msg741 = msg("WEBFILTER_URL_PERMITTED:02", part771); var select74 = linear_select([ msg738, @@ -8544,196 +8549,196 @@ var select74 = linear_select([ msg741, ]); -var msg742 = msg("WEBFILTER_URL_BLOCKED", dup155); +var msg742 = msg("WEBFILTER_URL_BLOCKED", dup158); -var part782 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ - dup29, - dup21, - dup51, +var part772 = match("MESSAGE#738:WEBFILTER_URL_BLOCKED:01", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url}", processor_chain([ + dup30, + dup22, + dup52, ])); -var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part782); +var msg743 = msg("WEBFILTER_URL_BLOCKED:01", part772); var select75 = linear_select([ msg742, msg743, ]); -var part783 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ - dup45, +var part773 = match("MESSAGE#740:SECINTEL_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access url %{url->} on port %{network_port->} failed\u003c\u003c%{result}>.", processor_chain([ dup46, + dup47, + dup23, dup22, - dup21, - dup126, + dup128, ])); -var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part783); +var msg744 = msg("SECINTEL_NETWORK_CONNECT_FAILED", part773); -var part784 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ - dup45, +var part774 = match("MESSAGE#741:AAMWD_NETWORK_CONNECT_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> Access host %{hostname->} on ip %{hostip->} port %{network_port->} %{result}.", processor_chain([ dup46, - dup22, + dup47, + dup23, ])); -var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part784); +var msg745 = msg("AAMWD_NETWORK_CONNECT_FAILED", part774); -var part785 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ - dup45, +var part775 = match("MESSAGE#742:PKID_UNABLE_TO_GET_CRL", "nwparser.payload", "%{process}[%{process_id}]: %{id}: Failed to retrieve CRL from received file for %{node}", processor_chain([ dup46, + dup47, + dup23, dup22, - dup21, - dup126, + dup128, ])); -var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part785); +var msg746 = msg("PKID_UNABLE_TO_GET_CRL", part775); -var part786 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ - dup45, +var part776 = match("MESSAGE#743:SECINTEL_ERROR_OTHERS", "nwparser.payload", "%{process}[%{process_id}]: %{id}: \u003c\u003c%{fld12}> %{result}", processor_chain([ dup46, + dup47, + dup23, dup22, - dup21, - dup126, + dup128, ])); -var msg747 = msg("SECINTEL_ERROR_OTHERS", part786); +var msg747 = msg("SECINTEL_ERROR_OTHERS", part776); -var part787 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ +var part777 = match("MESSAGE#744:JSRPD_HA_CONTROL_LINK_UP", "nwparser.payload", "%{process}[%{process_id}]: %{id}: HA control link monitor status is marked up", processor_chain([ + dup48, dup47, - dup46, + dup23, dup22, - dup21, - dup126, + dup128, ])); -var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part787); +var msg748 = msg("JSRPD_HA_CONTROL_LINK_UP", part777); -var part788 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ - dup45, +var part778 = match("MESSAGE#745:LACPD_TIMEOUT", "nwparser.payload", "%{process}[%{process_id}]: LACPD_TIMEOUT: %{sinterface}: %{event_description}", processor_chain([ dup46, + dup47, + dup23, dup22, - dup21, - dup126, + dup128, ])); -var msg749 = msg("LACPD_TIMEOUT", part788); +var msg749 = msg("LACPD_TIMEOUT", part778); -var msg750 = msg("cli", dup156); +var msg750 = msg("cli", dup159); -var msg751 = msg("pfed", dup156); +var msg751 = msg("pfed", dup159); -var msg752 = msg("idpinfo", dup156); +var msg752 = msg("idpinfo", dup159); -var msg753 = msg("kmd", dup156); +var msg753 = msg("kmd", dup159); -var part789 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ - dup20, - dup22, +var part779 = match("MESSAGE#751:node:01", "nwparser.payload", "%{hostname->} %{node->} Next-hop resolution requests from interface %{interface->} throttled", processor_chain([ dup21, + dup23, + dup22, ])); -var msg754 = msg("node:01", part789); +var msg754 = msg("node:01", part779); -var part790 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup20, - dup22, +var part780 = match("MESSAGE#752:node:02", "nwparser.payload", "%{hostname->} %{node->} %{process}: Trying peer connection, status %{resultcode}, attempt %{fld1}", processor_chain([ dup21, + dup23, + dup22, ])); -var msg755 = msg("node:02", part790); +var msg755 = msg("node:02", part780); -var part791 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ - dup20, - dup22, +var part781 = match("MESSAGE#753:node:03", "nwparser.payload", "%{hostname->} %{node->} %{process}: trying master connection, status %{resultcode}, attempt %{fld1}", processor_chain([ dup21, + dup23, + dup22, ])); -var msg756 = msg("node:03", part791); +var msg756 = msg("node:03", part781); -var part792 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ - dup20, - dup22, +var part782 = match("MESSAGE#754:node:04", "nwparser.payload", "%{hostname->} %{node->} %{fld1->} key %{fld2->} %{fld3->} port priority %{fld6->} %{fld4->} port %{portname->} %{fld5->} state %{resultcode}", processor_chain([ dup21, + dup23, + dup22, ])); -var msg757 = msg("node:04", part792); +var msg757 = msg("node:04", part782); var select76 = linear_select([ - dup129, - dup130, + dup131, + dup132, ]); -var part793 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); +var part783 = match("MESSAGE#755:node:05/2", "nwparser.p0", "%{}sys priority %{fld4->} %{p0}"); var select77 = linear_select([ - dup130, - dup129, + dup132, + dup131, ]); -var part794 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); +var part784 = match("MESSAGE#755:node:05/4", "nwparser.p0", "%{}sys %{interface}"); var all44 = all_match({ processors: [ - dup128, + dup130, select76, - part793, + part783, select77, - part794, + part784, ], on_success: processor_chain([ - dup20, - dup22, dup21, + dup23, + dup22, ]), }); var msg758 = msg("node:05", all44); -var part795 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); +var part785 = match("MESSAGE#756:node:06/1_0", "nwparser.p0", "dst mac %{dinterface}"); -var part796 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); +var part786 = match("MESSAGE#756:node:06/1_1", "nwparser.p0", "src mac %{sinterface->} ether type %{fld1}"); var select78 = linear_select([ - part795, - part796, + part785, + part786, ]); var all45 = all_match({ processors: [ - dup128, + dup130, select78, ], on_success: processor_chain([ - dup20, - dup22, dup21, + dup23, + dup22, ]), }); var msg759 = msg("node:06", all45); -var part797 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ - dup20, - dup22, +var part787 = match("MESSAGE#757:node:07", "nwparser.payload", "%{hostname->} %{node->} %{process}: interface %{interface->} trigger reth_scan", processor_chain([ dup21, + dup23, + dup22, ])); -var msg760 = msg("node:07", part797); +var msg760 = msg("node:07", part787); -var part798 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ - dup20, - dup22, +var part788 = match("MESSAGE#758:node:08", "nwparser.payload", "%{hostname->} %{node->} %{process}: %{info}", processor_chain([ dup21, + dup23, + dup22, ])); -var msg761 = msg("node:08", part798); +var msg761 = msg("node:08", part788); -var part799 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ - dup20, - dup22, +var part789 = match("MESSAGE#759:node:09", "nwparser.payload", "%{hostname->} %{node->} %{fld1}", processor_chain([ dup21, + dup23, + dup22, ])); -var msg762 = msg("node:09", part799); +var msg762 = msg("node:09", part789); var select79 = linear_select([ msg754, @@ -8747,79 +8752,79 @@ var select79 = linear_select([ msg762, ]); -var part800 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ - dup20, - dup22, +var part790 = match("MESSAGE#760:(FPC:01", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: deleting active remote neighbor entry %{fld2->} from interface %{interface}.", processor_chain([ dup21, dup23, + dup22, + dup24, ])); -var msg763 = msg("(FPC:01", part800); +var msg763 = msg("(FPC:01", part790); -var part801 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ - dup20, - dup22, +var part791 = match("MESSAGE#761:(FPC:02", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type->} deleting nb %{fld2->} on ifd %{interface->} for cid %{fld3->} from active neighbor table", processor_chain([ dup21, dup23, + dup22, + dup24, ])); -var msg764 = msg("(FPC:02", part801); +var msg764 = msg("(FPC:02", part791); -var part802 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); +var part792 = match("MESSAGE#762:(FPC:03/0", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: M%{p0}"); -var part803 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); +var part793 = match("MESSAGE#762:(FPC:03/1_0", "nwparser.p0", "DOWN %{p0}"); -var part804 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); +var part794 = match("MESSAGE#762:(FPC:03/1_1", "nwparser.p0", "UP %{p0}"); var select80 = linear_select([ - part803, - part804, + part793, + part794, ]); -var part805 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "%{}received for interface %{interface}, member of %{fld4}"); +var part795 = match("MESSAGE#762:(FPC:03/2", "nwparser.p0", "received for interface %{interface}, member of %{fld4}"); var all46 = all_match({ processors: [ - part802, + part792, select80, - part805, + part795, ], on_success: processor_chain([ - dup20, - dup22, dup21, dup23, + dup22, + dup24, ]), }); var msg765 = msg("(FPC:03", all46); -var part806 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ - dup20, - dup22, +var part796 = match("MESSAGE#763:(FPC:04", "nwparser.payload", "%{fld1}) %{node->} kernel: %{event_type}: ifd=%{interface}, ifd flags=%{fld2}", processor_chain([ dup21, dup23, + dup22, + dup24, ])); -var msg766 = msg("(FPC:04", part806); +var msg766 = msg("(FPC:04", part796); -var part807 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ - dup20, - dup22, +var part797 = match("MESSAGE#764:(FPC:05", "nwparser.payload", "%{fld1}) %{node->} kernel: rdp keepalive expired, connection dropped - src %{fld3}:%{fld2->} dest %{fld4}:%{fld5}", processor_chain([ dup21, dup23, + dup22, + dup24, ])); -var msg767 = msg("(FPC:05", part807); +var msg767 = msg("(FPC:05", part797); -var part808 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ - dup20, - dup22, +var part798 = match("MESSAGE#765:(FPC", "nwparser.payload", "%{fld1}) %{node->} %{fld10}", processor_chain([ dup21, dup23, + dup22, + dup24, ])); -var msg768 = msg("(FPC", part808); +var msg768 = msg("(FPC", part798); var select81 = linear_select([ msg763, @@ -8830,207 +8835,207 @@ var select81 = linear_select([ msg768, ]); -var part809 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ - dup47, - dup22, - dup21, +var part799 = match("MESSAGE#766:tnp.bootpd", "nwparser.payload", "%{process}[%{process_id}]:%{fld1}", processor_chain([ + dup48, dup23, + dup22, + dup24, ])); -var msg769 = msg("tnp.bootpd", part809); +var msg769 = msg("tnp.bootpd", part799); -var part810 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ - dup47, - dup51, - dup21, - dup60, +var part800 = match("MESSAGE#769:AAMW_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} hostname=\"%{hostname}\" file-category=\"%{fld9}\" verdict-number=\"%{fld10}\" action=\"%{action}\" list-hit=\"%{fld19}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld6}\" nested-application=\"%{fld7}\" policy-name=\"%{policyname}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" url=\"%{url}\"] %{fld27}", processor_chain([ + dup48, + dup52, + dup22, + dup61, ])); -var msg770 = msg("AAMW_ACTION_LOG", part810); +var msg770 = msg("AAMW_ACTION_LOG", part800); -var part811 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ - dup131, - dup51, - dup21, - dup60, +var part801 = match("MESSAGE#770:AAMW_HOST_INFECTED_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" client-ip-str=\"%{hostip}\" hostname=\"%{hostname}\" status=\"%{fld13}\" policy-name=\"%{policyname}\" verdict-number=\"%{fld15}\" state=\"%{fld16}\" reason=\"%{result}\" message=\"%{info}\" %{fld3}", processor_chain([ + dup133, + dup52, + dup22, + dup61, ])); -var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part811); +var msg771 = msg("AAMW_HOST_INFECTED_EVENT_LOG", part801); -var part812 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ - dup131, - dup51, - dup21, +var part802 = match("MESSAGE#771:AAMW_MALWARE_EVENT_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} timestamp=\"%{fld30}\" tenant-id=\"%{fld1}\" sample-sha256=\"%{checksum}\" client-ip-str=\"%{hostip}\" verdict-number=\"%{fld26}\" malware-info=\"%{threat_name}\" username=\"%{username}\" hostname=\"%{hostname}\" %{fld3}", processor_chain([ + dup133, + dup52, + dup22, ])); -var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part812); +var msg772 = msg("AAMW_MALWARE_EVENT_LOG", part802); -var part813 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ - dup80, - dup51, - dup21, - dup60, +var part803 = match("MESSAGE#772:IDP_ATTACK_LOG_EVENT", "nwparser.payload", "%{event_type}[junos@%{fld32->} epoch-time=\"%{fld1}\" message-type=\"%{info}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-name=\"%{protocol}\" service-name=\"%{service}\" application-name=\"%{application}\" rule-name=\"%{fld5}\" rulebase-name=\"%{rulename}\" policy-name=\"%{policyname}\" export-id=\"%{fld6}\" repeat-count=\"%{fld7}\" action=\"%{action}\" threat-severity=\"%{severity}\" attack-name=\"%{threat_name}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" elapsed-time=%{fld8->} inbound-bytes=\"%{rbytes}\" outbound-bytes=\"%{sbytes}\" inbound-packets=\"%{packets}\" outbound-packets=\"%{dclass_counter1}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" packet-log-id=\"%{fld9}\" alert=\"%{fld19}\" username=\"%{username}\" roles=\"%{fld15}\" message=\"%{fld28}\" %{fld3}", processor_chain([ + dup81, + dup52, + dup22, + dup61, ])); -var msg773 = msg("IDP_ATTACK_LOG_EVENT", part813); +var msg773 = msg("IDP_ATTACK_LOG_EVENT", part803); -var part814 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ - dup80, - dup51, - dup21, - dup60, +var part804 = match("MESSAGE#773:RT_SCREEN_ICMP", "nwparser.payload", "%{event_type}[junos@%{fld32->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" destination-address=\"%{daddr}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"] %{fld23}", processor_chain([ + dup81, + dup52, + dup22, + dup61, ])); -var msg774 = msg("RT_SCREEN_ICMP", part814); +var msg774 = msg("RT_SCREEN_ICMP", part804); -var part815 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ - dup45, - dup51, - dup21, - dup60, +var part805 = match("MESSAGE#774:SECINTEL_ACTION_LOG", "nwparser.payload", "%{event_type}[junos@%{fld32->} category=\"%{fld1}\" sub-category=\"%{fld2}\" action=\"%{action}\" action-detail=\"%{fld4}\" http-host=\"%{fld17}\" threat-severity=\"%{severity}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" protocol-id=\"%{protocol}\" application=\"%{fld5}\" nested-application=\"%{fld6}\" feed-name=\"%{fld18}\" policy-name=\"%{policyname}\" profile-name=\"%{rulename}\" username=\"%{username}\" roles=\"%{user_role}\" session-id-32=\"%{sessionid}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\"]%{fld10}", processor_chain([ + dup46, + dup52, + dup22, + dup61, ])); -var msg775 = msg("SECINTEL_ACTION_LOG", part815); +var msg775 = msg("SECINTEL_ACTION_LOG", part805); -var part816 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{p0}"); +var part806 = match("MESSAGE#775:qsfp/0", "nwparser.payload", "%{hostname->} %{fld2->} %{p0}"); -var part817 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld2->} %{fld3->} %{process}: qsfp-%{interface->} Chan# %{p0}"); +var part807 = match("MESSAGE#775:qsfp/1_0", "nwparser.p0", "%{fld3->} %{process}: qsfp-%{p0}"); -var part818 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "%{fld2->} qsfp-%{interface->} Chan# %{p0}"); +var part808 = match("MESSAGE#775:qsfp/1_1", "nwparser.p0", "qsfp-%{p0}"); var select82 = linear_select([ - part817, - part818, + part807, + part808, ]); -var part819 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{fld5}:%{event_description}"); +var part809 = match("MESSAGE#775:qsfp/2", "nwparser.p0", "%{}Chan# %{interface->} %{fld5}:%{event_description}"); var all47 = all_match({ processors: [ - part816, + part806, select82, - part819, + part809, ], on_success: processor_chain([ - dup20, dup21, dup22, + dup23, ]), }); var msg776 = msg("qsfp", all47); -var part820 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ - dup20, +var part810 = match("MESSAGE#776:JUNOSROUTER_GENERIC:03", "nwparser.payload", "%{event_type}: User '%{username}', command '%{action}'", processor_chain([ dup21, - dup119, dup22, + dup121, + dup23, ])); -var msg777 = msg("JUNOSROUTER_GENERIC:03", part820); +var msg777 = msg("JUNOSROUTER_GENERIC:03", part810); -var part821 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ - dup123, - dup33, +var part811 = match("MESSAGE#777:JUNOSROUTER_GENERIC:04", "nwparser.payload", "%{event_type}: User '%{username}' %{fld1}", processor_chain([ + dup125, dup34, - dup124, - dup36, - dup21, - setc("event_description","LOGOUT"), + dup35, + dup126, + dup37, dup22, + setc("event_description","LOGOUT"), + dup23, ])); -var msg778 = msg("JUNOSROUTER_GENERIC:04", part821); +var msg778 = msg("JUNOSROUTER_GENERIC:04", part811); -var part822 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ - dup29, - dup21, - dup127, +var part812 = match("MESSAGE#778:JUNOSROUTER_GENERIC:05", "nwparser.payload", "%{event_type}: TACACS+ failure: %{result}", processor_chain([ + dup30, dup22, + dup129, + dup23, ])); -var msg779 = msg("JUNOSROUTER_GENERIC:05", part822); +var msg779 = msg("JUNOSROUTER_GENERIC:05", part812); -var part823 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ - dup29, - dup21, - dup56, +var part813 = match("MESSAGE#779:JUNOSROUTER_GENERIC:06", "nwparser.payload", "%{event_type}: mismatch NLRI with %{hostip->} (%{hostname}): peer: %{daddr->} us: %{saddr}", processor_chain([ + dup30, dup22, + dup57, + dup23, ])); -var msg780 = msg("JUNOSROUTER_GENERIC:06", part823); +var msg780 = msg("JUNOSROUTER_GENERIC:06", part813); -var part824 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ - dup20, +var part814 = match("MESSAGE#780:JUNOSROUTER_GENERIC:07", "nwparser.payload", "%{event_type}: NOTIFICATION sent to %{daddr->} (%{dhost}): code %{resultcode->} (%{action}), Reason: %{result}", processor_chain([ dup21, - dup37, dup22, + dup38, + dup23, ])); -var msg781 = msg("JUNOSROUTER_GENERIC:07", part824); +var msg781 = msg("JUNOSROUTER_GENERIC:07", part814); -var part825 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{p0}"); +var part815 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/0", "nwparser.payload", "%{event_type}: NOTIFICATION received from %{daddr->} (%{dhost}): code %{resultcode->} (%{action})%{p0}"); -var part826 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action}), socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); +var part816 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_0", "nwparser.p0", ", socket buffer sndcc: %{fld1->} rcvcc: %{fld2->} TCP state: %{event_state}, snd_una: %{fld3->} snd_nxt: %{fld4->} snd_wnd: %{fld5->} rcv_nxt: %{fld6->} rcv_adv: %{fld7}, hold timer %{fld8}"); -var part827 = match("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", "%{daddr->} (%{dhost}): code %{resultcode->} (%{action})"); +var part817 = match_copy("MESSAGE#781:JUNOSROUTER_GENERIC:08/1_1", "nwparser.p0", ""); var select83 = linear_select([ - part826, - part827, + part816, + part817, ]); var all48 = all_match({ processors: [ - part825, + part815, select83, ], on_success: processor_chain([ - dup20, dup21, - dup37, dup22, + dup38, + dup23, ]), }); var msg782 = msg("JUNOSROUTER_GENERIC:08", all48); -var part828 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ - dup20, +var part818 = match("MESSAGE#782:JUNOSROUTER_GENERIC:09", "nwparser.payload", "%{event_type}: [edit interfaces%{interface}unit%{fld1}family inet address%{hostip}/%{network_port}] :%{event_description}:%{info}", processor_chain([ dup21, dup22, + dup23, ])); -var msg783 = msg("JUNOSROUTER_GENERIC:09", part828); +var msg783 = msg("JUNOSROUTER_GENERIC:09", part818); -var part829 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ - dup132, +var part819 = match("MESSAGE#783:JUNOSROUTER_GENERIC:01", "nwparser.payload", "%{event_type->} Interface Monitor failed %{fld1}", processor_chain([ + dup134, + dup23, dup22, - dup21, setc("event_description","Interface Monitor failed "), - dup23, + dup24, ])); -var msg784 = msg("JUNOSROUTER_GENERIC:01", part829); +var msg784 = msg("JUNOSROUTER_GENERIC:01", part819); -var part830 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ - dup132, +var part820 = match("MESSAGE#784:JUNOSROUTER_GENERIC:02", "nwparser.payload", "%{event_type->} Interface Monitor failure recovered %{fld1}", processor_chain([ + dup134, + dup23, dup22, - dup21, setc("event_description","Interface Monitor failure recovered"), - dup23, + dup24, ])); -var msg785 = msg("JUNOSROUTER_GENERIC:02", part830); +var msg785 = msg("JUNOSROUTER_GENERIC:02", part820); -var part831 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ - dup132, - dup22, - dup21, +var part821 = match("MESSAGE#785:JUNOSROUTER_GENERIC", "nwparser.payload", "%{event_type->} %{fld1}", processor_chain([ + dup134, dup23, + dup22, + dup24, ])); -var msg786 = msg("JUNOSROUTER_GENERIC", part831); +var msg786 = msg("JUNOSROUTER_GENERIC", part821); var select84 = linear_select([ msg777, @@ -9729,198 +9734,202 @@ var chain1 = processor_chain([ var hdr43 = match("HEADER#3:0004/0", "message", "%{month->} %{day->} %{time->} %{p0}"); -var part832 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); - -var part833 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); +var part822 = match("HEADER#3:0004/1_0", "nwparser.p0", "fpc0 %{p0}"); -var part834 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); +var part823 = match("HEADER#3:0004/1_1", "nwparser.p0", "fpc1 %{p0}"); -var part835 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); +var part824 = match("HEADER#3:0004/1_2", "nwparser.p0", "fpc2 %{p0}"); -var part836 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); +var part825 = match("HEADER#3:0004/1_3", "nwparser.p0", "fpc3 %{p0}"); -var part837 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); +var part826 = match("HEADER#3:0004/1_4", "nwparser.p0", "fpc4 %{p0}"); -var part838 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); +var part827 = match("HEADER#3:0004/1_5", "nwparser.p0", "fpc5 %{p0}"); -var part839 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); +var part828 = match("HEADER#3:0004/1_11", "nwparser.p0", "ssb %{p0}"); -var part840 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); +var part829 = match("HEADER#15:0026.upd.a/1_0", "nwparser.p0", "RT_FLOW - %{p0}"); -var part841 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); +var part830 = match("HEADER#15:0026.upd.a/1_1", "nwparser.p0", "junos-ssl-proxy - %{p0}"); -var part842 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); +var part831 = match("HEADER#15:0026.upd.a/1_2", "nwparser.p0", "RT_APPQOS - %{p0}"); -var part843 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{payload}"); +var part832 = match("HEADER#15:0026.upd.a/1_3", "nwparser.p0", "%{hfld33->} - %{p0}"); var hdr44 = match("HEADER#16:0026.upd.b/0", "message", "%{event_time->} %{hfld32->} %{hhostname->} %{p0}"); -var part844 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); +var part833 = match("MESSAGE#77:sshd:06/0", "nwparser.payload", "%{} %{p0}"); -var part845 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); +var part834 = match("MESSAGE#77:sshd:06/1_0", "nwparser.p0", "%{process}[%{process_id}]: %{p0}"); -var part846 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); +var part835 = match("MESSAGE#77:sshd:06/1_1", "nwparser.p0", "%{process}: %{p0}"); -var part847 = match("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "%{p0}"); +var part836 = match_copy("MESSAGE#72:Failed:05/1_2", "nwparser.p0", "p0"); -var part848 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); +var part837 = match("MESSAGE#114:ACCT_GETHOSTNAME_error/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{p0}"); -var part849 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); +var part838 = match("MESSAGE#294:LOGIN_INFORMATION/3_0", "nwparser.p0", "User %{p0}"); -var part850 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); +var part839 = match("MESSAGE#294:LOGIN_INFORMATION/3_1", "nwparser.p0", "user %{p0}"); -var part851 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var part840 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); -var part852 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", "%{dport}\" connection-tag=%{fld20->} service-name=\"%{p0}"); +var part841 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_0", "nwparser.p0", " connection-tag=%{fld20->} service-name=\"%{p0}"); -var part853 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", "%{dport}\" service-name=\"%{p0}"); +var part842 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/1_1", "nwparser.p0", " service-name=\"%{p0}"); -var part854 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", "%{dtransport}\" nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); +var part843 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_0", "nwparser.p0", " nat-connection-tag=%{fld6->} src-nat-rule-type=%{fld20->} %{p0}"); -var part855 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/3_1", "nwparser.p0", "%{dtransport}\"%{p0}"); +var part844 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/5_1", "nwparser.p0", "name=\"%{p0}"); -var part856 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/7_1", "nwparser.p0", "%{dinterface}\"%{p0}"); +var part845 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); -var part857 = match("MESSAGE#485:RT_FLOW_SESSION_CREATE:02/8", "nwparser.p0", "]%{}"); +var part846 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied %{p0}"); -var part858 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_0", "nwparser.payload", "%{process}: %{event_type}: session denied%{p0}"); +var part847 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied %{p0}"); -var part859 = match("MESSAGE#490:RT_FLOW_SESSION_DENY:03/0_1", "nwparser.payload", "%{event_type}: session denied%{p0}"); +var part848 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\"%{p0}"); -var part860 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/0", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} reason=\"%{result}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{p0}"); +var part849 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\"%{p0}"); -var part861 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/2", "nwparser.p0", "%{service}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{p0}"); +var part850 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); -var part862 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/4", "nwparser.p0", "%{}src-nat-rule-name=\"%{rulename}\" dst-nat-rule-%{p0}"); +var part851 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{p0}"); -var part863 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_0", "nwparser.p0", "type=%{fld7->} dst-nat-rule-name=\"%{rule_template}\"%{p0}"); +var part852 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/6", "nwparser.p0", "\"%{rule_template->} protocol-id=\"%{protocol}\" policy-name=\"%{policyname}\" source-zone-name=\"%{src_zone}\" destination-zone-name=\"%{dst_zone}\" session-id-32=\"%{sessionid}\" packets-from-client=\"%{packets}\" bytes-from-client=\"%{rbytes}\" packets-from-server=\"%{dclass_counter1}\" bytes-from-server=\"%{sbytes}\" elapsed-time=\"%{duration}\"%{p0}"); -var part864 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/5_1", "nwparser.p0", "name=\"%{rule_template}\"%{p0}"); +var part853 = match("MESSAGE#492:RT_FLOW_SESSION_CLOSE:01/7_0", "nwparser.p0", " application=\"%{fld6}\" nested-application=\"%{fld7}\" username=\"%{username}\" roles=\"%{fld15}\" packet-incoming-interface=\"%{dinterface}\" encrypted=%{fld16->} %{p0}"); -var part865 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); +var part854 = match("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' set: [%{action}] %{p0}"); -var part866 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); +var part855 = match_copy("MESSAGE#630:UI_CFG_AUDIT_OTHER:02/1_1", "nwparser.p0", "space"); -var part867 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "%{}-> \"%{change_new}\""); +var part856 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/1_1", "nwparser.p0", "\u003c\u003c%{change_old}> %{p0}"); -var part868 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); +var part857 = match("MESSAGE#634:UI_CFG_AUDIT_SET:01/2", "nwparser.p0", "-> \"%{change_new}\""); -var part869 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); +var part858 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/0", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: User '%{username}' %{p0}"); -var part870 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); +var part859 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_0", "nwparser.p0", "set %{p0}"); -var part871 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); +var part860 = match("MESSAGE#637:UI_CFG_AUDIT_SET_SECRET:01/1_1", "nwparser.p0", "replace %{p0}"); -var part872 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); +var part861 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_0", "nwparser.p0", "Network %{p0}"); -var part873 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); +var part862 = match("MESSAGE#675:UI_DAEMON_ACCEPT_FAILED/1_1", "nwparser.p0", "Local %{p0}"); -var part874 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); +var part863 = match("MESSAGE#755:node:05/0", "nwparser.payload", "%{hostname->} %{node->} %{p0}"); -var part875 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); +var part864 = match("MESSAGE#755:node:05/1_0", "nwparser.p0", "partner%{p0}"); + +var part865 = match("MESSAGE#755:node:05/1_1", "nwparser.p0", "actor%{p0}"); var select85 = linear_select([ - dup12, - dup13, dup14, dup15, + dup16, + dup17, ]); +var part866 = match("HEADER#15:0026.upd.a/2", "nwparser.p0", "%{messageid->} [%{p0}", processor_chain([ + dup13, +])); + var select86 = linear_select([ - dup39, dup40, + dup41, ]); -var part876 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ - dup20, +var part867 = match("MESSAGE#125:BFDD_TRAP_STATE_DOWN", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: local discriminator: %{resultcode}, new state: %{result}", processor_chain([ dup21, - dup55, dup22, + dup56, + dup23, ])); -var part877 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ - dup50, - dup21, - dup63, +var part868 = match("MESSAGE#214:DCD_MALLOC_FAILED_INIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Memory allocation failed during initialization for configuration load", processor_chain([ + dup51, dup22, + dup64, + dup23, ])); -var part878 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ - dup29, - dup21, - dup64, +var part869 = match("MESSAGE#225:ECCD_DAEMONIZE_FAILED", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{action}, unable to run in the background as a daemon: %{result}", processor_chain([ + dup30, dup22, + dup65, + dup23, ])); -var part879 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ - dup29, - dup21, - dup65, +var part870 = match("MESSAGE#226:ECCD_DUPLICATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Another copy of this program is running", processor_chain([ + dup30, dup22, + dup66, + dup23, ])); -var part880 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ - dup29, - dup21, - dup66, +var part871 = match("MESSAGE#232:ECCD_PID_FILE_LOCK", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to lock PID file: %{result}", processor_chain([ + dup30, dup22, + dup67, + dup23, ])); -var part881 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ - dup29, - dup21, - dup67, +var part872 = match("MESSAGE#233:ECCD_PID_FILE_UPDATE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to update process PID file: %{result}", processor_chain([ + dup30, dup22, + dup68, + dup23, ])); -var part882 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ - dup29, - dup21, - dup70, +var part873 = match("MESSAGE#272:LIBJNX_EXEC_PIPE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Unable to create pipes for command '%{action}': %{result}", processor_chain([ + dup30, dup22, + dup71, + dup23, ])); var select87 = linear_select([ - dup75, dup76, + dup77, ]); -var part883 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ - dup29, - dup21, - dup78, +var part874 = match("MESSAGE#310:MIB2D_IFD_IFINDEX_FAILURE", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: SNMP index assigned to %{uid->} changed from %{dclass_counter1->} to %{result}", processor_chain([ + dup30, dup22, + dup79, + dup23, ])); -var part884 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ - dup29, - dup21, - dup83, +var part875 = match("MESSAGE#412:RPD_IFL_INDEXCOLLISION", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Logical interface collision -- %{result}, %{info}", processor_chain([ + dup30, dup22, + dup84, + dup23, ])); -var part885 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ - dup29, - dup21, - dup84, +var part876 = match("MESSAGE#466:RPD_SCHED_CALLBACK_LONGRUNTIME", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: %{agent}: excessive runtime time during action of module", processor_chain([ + dup30, dup22, + dup85, + dup23, ])); -var part886 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ - dup20, +var part877 = match("MESSAGE#482:RPD_TASK_REINIT", "nwparser.payload", "%{process}[%{process_id}]: %{event_type}: Reinitializing", processor_chain([ dup21, - dup85, dup22, + dup86, + dup23, ])); var select88 = linear_select([ - dup87, dup88, + dup89, ]); var select89 = linear_select([ - dup89, dup90, + dup45, ]); var select90 = linear_select([ @@ -9930,40 +9939,40 @@ var select90 = linear_select([ var select91 = linear_select([ dup101, - dup102, + dup91, ]); -var part887 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ - dup29, - dup21, - dup51, +var part878 = match("MESSAGE#498:RT_SCREEN_TCP", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} attack-name=\"%{threat_name}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" source-zone-name=\"%{src_zone}\" interface-name=\"%{interface}\" action=\"%{action}\"]", processor_chain([ + dup30, + dup22, + dup52, ])); -var part888 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ - dup26, - dup21, - dup51, +var part879 = match("MESSAGE#527:SSL_PROXY_SSL_SESSION_ALLOW", "nwparser.payload", "%{event_type->} [junos@%{obj_name->} logical-system-name=\"%{hostname}\" session-id=\"%{sessionid}\" source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" nat-source-address=\"%{hostip}\" nat-source-port=\"%{network_port}\" nat-destination-address=\"%{dtransaddr}\" nat-destination-port=\"%{dtransport}\" profile-name=\"%{rulename}\" source-zone-name=\"%{src_zone}\" source-interface-name=\"%{sinterface}\" destination-zone-name=\"%{dst_zone}\" destination-interface-name=\"%{dinterface}\" message=\"%{info}\"]", processor_chain([ + dup27, + dup22, + dup52, ])); var select92 = linear_select([ - dup116, - dup117, + dup118, + dup119, ]); var select93 = linear_select([ - dup121, - dup122, + dup123, + dup124, ]); -var part889 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ - dup29, - dup21, - dup51, +var part880 = match("MESSAGE#733:WEBFILTER_URL_PERMITTED", "nwparser.payload", "%{event_type->} [junos@%{fld21->} source-address=\"%{saddr}\" source-port=\"%{sport}\" destination-address=\"%{daddr}\" destination-port=\"%{dport}\" name=\"%{info}\" error-message=\"%{result}\" profile-name=\"%{profile}\" object-name=\"%{obj_name}\" pathname=\"%{directory}\" username=\"%{username}\" roles=\"%{user_role}\"] WebFilter: ACTION=\"%{action}\" %{fld2}->%{fld3->} CATEGORY=\"%{category}\" REASON=\"%{fld4}\" PROFILE=\"%{fld6}\" URL=%{url->} OBJ=%{fld7->} USERNAME=%{fld8->} ROLES=%{fld9}", processor_chain([ + dup30, + dup22, + dup52, ])); -var part890 = match("MESSAGE#747:cli", "nwparser.payload", "%{fld12}", processor_chain([ +var part881 = match_copy("MESSAGE#747:cli", "nwparser.payload", "fld12", processor_chain([ + dup48, dup47, - dup46, + dup23, dup22, - dup21, ])); diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml index bc38869e537f..9199755b6ac2 100644 --- a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml @@ -55,14 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.hostname}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.hostname && ctx.host?.hostname != '' - - append: - field: related.hosts - value: '{{server.domain}}' - allow_duplicates: false - if: ctx?.server?.domain && ctx.server?.domain != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/juniper/junos/manifest.yml b/x-pack/filebeat/module/juniper/junos/manifest.yml index ddc58972851d..eea60eaefcdb 100644 --- a/x-pack/filebeat/module/juniper/junos/manifest.yml +++ b/x-pack/filebeat/module/juniper/junos/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9513 + default: 9533 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/juniper/junos/test/generated.log b/x-pack/filebeat/module/juniper/junos/test/generated.log new file mode 100644 index 000000000000..e8663f487482 --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/test/generated.log @@ -0,0 +1,100 @@ +Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049) +Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed +Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success +Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace> node: dqu +Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367 +Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown +Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono +May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure +May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068 +Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing +Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain +Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd +Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav +Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed +Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown +Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown +Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown +Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed +Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest +Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa +Nov 10 03:01:24 kmd: restart +Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test +Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test +Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357 +Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita +Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown +Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425 +Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693 +Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita +Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure +Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure +Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316 +Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura +May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow' +May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic +Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure +Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable +Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown +Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe +Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176 +Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal +Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown +Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884 +Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146 +Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing +Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex +Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu +Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'. +Dec 15 08:13:24 COS: restart : Received FC->Q map, caecat +Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success +Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les) +Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed +Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file +Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown +Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis +Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur +Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci +Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal +May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure +May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain +Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown +Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification +Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal +Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown +Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere +Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593 +Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown +Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success +Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [ +Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID +Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694 +Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita +Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing +Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure +Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown +Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host +Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen +Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch +Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown +Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339 +Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex +Apr 1 00:38:14 /kmd: +Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown +Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success +May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully +May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success +Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq' +Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server +Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace> BCHIP: : cannot write ucode mask reg +Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown +Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB' +Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure +Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success +Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure +Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse +Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success +Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown +Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed +Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193 +Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure diff --git a/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json new file mode 100644 index 000000000000..299b588a5f01 --- /dev/null +++ b/x-pack/filebeat/module/juniper/junos/test/generated.log-expected.json @@ -0,0 +1,2908 @@ +[ + { + "@timestamp": "2020-01-29T08:09:59.000Z", + "event.action": "RPD_SCHED_TASK_LONGRUNTIME", + "event.code": "RPD_SCHED_TASK_LONGRUNTIME", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 0, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ceroinBC.exe", + "process.pid": 6713, + "rsa.counters.dclass_c1": 7309, + "rsa.counters.dclass_c2": 5049, + "rsa.internal.event_desc": "task extended runtime", + "rsa.internal.messageid": "RPD_SCHED_TASK_LONGRUNTIME", + "rsa.misc.client": ": exe", + "rsa.misc.event_type": "RPD_SCHED_TASK_LONGRUNTIME", + "rsa.misc.pid": "6713", + "rsa.time.day": "29", + "rsa.time.event_time": "2020-01-29T08:09:59.000Z", + "rsa.time.month": "Jan", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-12T15:12:33.000Z", + "event.action": "llu", + "event.code": "DCD_FILTER_LIB_ERROR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 89, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "DCD_FILTER_LIB_ERROR message repeated", + "process.pid": 7608, + "rsa.internal.event_desc": "Filter library initialization failed", + "rsa.internal.messageid": "DCD_FILTER_LIB_ERROR", + "rsa.misc.event_type": "llu", + "rsa.time.day": "12", + "rsa.time.event_time": "2020-02-12T15:12:33.000Z", + "rsa.time.month": "Feb", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-26T22:15:08.000Z", + "event.action": "cancel", + "event.code": "MIB2D_TRAP_SEND_FAILURE", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 193, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "MIB2D_TRAP_SEND_FAILURE: restart", + "process.pid": 6747, + "rsa.internal.event_desc": "MIB2D TRAP SEND FAILURE", + "rsa.internal.messageid": "MIB2D_TRAP_SEND_FAILURE", + "rsa.misc.action": [ + "cancel" + ], + "rsa.misc.event_type": "sum", + "rsa.misc.result": "success", + "rsa.time.day": "26", + "rsa.time.event_time": "2020-02-26T22:15:08.000Z", + "rsa.time.month": "Feb", + "service.name": "uaerat", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-12T05:17:42.000Z", + "event.code": "node", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace> node: dqu", + "fileset.name": "junos", + "host.name": "fug5500.www.domain", + "input.type": "log", + "log.offset": 279, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "trace> node", + "related.hosts": [ + "fug5500.www.domain" + ], + "rsa.db.index": "dqu", + "rsa.internal.messageid": "node", + "rsa.misc.node": "IFP", + "rsa.network.alias_host": [ + "fug5500.www.domain" + ], + "rsa.time.day": "12", + "rsa.time.event_time": "2020-03-12T05:17:42.000Z", + "rsa.time.month": "Mar", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-26T12:20:16.000Z", + "event.code": "[7400]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 368, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[7400]", + "rsa.time.day": "26", + "rsa.time.event_time": "2020-03-26T12:20:16.000Z", + "rsa.time.month": "Mar", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-09T19:22:51.000Z", + "event.action": "ionul", + "event.code": "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 457, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart", + "process.pid": 7618, + "rsa.internal.event_desc": "KRT IFL CELL RELAY MODE UNSPECIFIED", + "rsa.internal.messageid": "RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED", + "rsa.misc.client": "nibus", + "rsa.misc.event_type": "ionul", + "rsa.misc.result": "unknown", + "rsa.time.day": "9", + "rsa.time.event_time": "2020-04-09T19:22:51.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-24T02:25:25.000Z", + "event.action": "ume", + "event.code": "CHASSISD_SNMP_TRAP10", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 557, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "CHASSISD_SNMP_TRAP10 message repeated", + "process.pid": 1284, + "rsa.db.index": "ono", + "rsa.internal.event_desc": "SNMP trap - FRU power on", + "rsa.internal.messageid": "CHASSISD_SNMP_TRAP10", + "rsa.misc.event_type": "ume", + "rsa.misc.result": "failure", + "rsa.time.day": "24", + "rsa.time.event_time": "2020-04-24T02:25:25.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-08T09:27:59.000Z", + "event.action": "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID:", + "event.code": "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 648, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "onse.exe", + "process.pid": 254, + "rsa.internal.event_desc": "KRT IFL CELL RELAY MODE INVALID", + "rsa.internal.messageid": "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID", + "rsa.misc.client": "inibusBo", + "rsa.misc.event_type": "RPD_KRT_IFL_CELL_RELAY_MODE_INVALID:", + "rsa.misc.result": "failure", + "rsa.time.day": "8", + "rsa.time.event_time": "2020-05-08T09:27:59.000Z", + "rsa.time.month": "May", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-22T16:30:33.000Z", + "event.action": "SNMPD_USER_ERROR", + "event.code": "SNMPD_USER_ERROR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 772, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "isc.exe", + "process.pid": 3237, + "related.user": [ + "atiset" + ], + "rsa.counters.dclass_c1": 6404, + "rsa.counters.dclass_c2": 4068, + "rsa.internal.event_desc": "SNMPD USER ERROR", + "rsa.internal.messageid": "SNMPD_USER_ERROR", + "rsa.misc.event_type": "SNMPD_USER_ERROR", + "rsa.misc.result": "conseq: unknown", + "rsa.time.day": "22", + "rsa.time.event_time": "2020-05-22T16:30:33.000Z", + "rsa.time.month": "May", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "atiset" + }, + { + "@timestamp": "2020-06-05T23:33:08.000Z", + "event.code": "[4621]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 895, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[4621]", + "rsa.time.day": "5", + "rsa.time.event_time": "2020-06-05T23:33:08.000Z", + "rsa.time.month": "Jun", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-20T06:35:42.000Z", + "event.code": "[2227]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 961, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[2227]", + "rsa.time.day": "20", + "rsa.time.event_time": "2020-06-20T06:35:42.000Z", + "rsa.time.month": "Jun", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-04T13:38:16.000Z", + "event.action": "aper", + "event.code": "NASD_PPP_SEND_PARTIAL", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1081, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "NASD_PPP_SEND_PARTIAL: restart", + "process.pid": 3994, + "rsa.internal.event_desc": "Unable to send all of message", + "rsa.internal.messageid": "NASD_PPP_SEND_PARTIAL", + "rsa.misc.event_type": "aper", + "rsa.misc.result_code": "santiumd", + "rsa.time.day": "4", + "rsa.time.event_time": "2020-07-04T13:38:16.000Z", + "rsa.time.month": "Jul", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-18T20:40:50.000Z", + "event.action": "temqu", + "event.code": "UI_COMMIT_AT_FAILED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1181, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "UI_COMMIT_AT_FAILED message repeated", + "process.pid": 7440, + "rsa.db.index": "minimav", + "rsa.internal.event_desc": "User commit failed", + "rsa.internal.messageid": "UI_COMMIT_AT_FAILED", + "rsa.misc.event_type": "temqu", + "rsa.misc.result": "success", + "rsa.time.day": "18", + "rsa.time.event_time": "2020-07-18T20:40:50.000Z", + "rsa.time.month": "Jul", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-02T03:43:25.000Z", + "event.action": "BOOTPD_NEW_CONF:", + "event.code": "BOOTPD_NEW_CONF", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1266, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "emipsumd.exe", + "process.pid": 5020, + "rsa.internal.event_desc": "New configuration installed", + "rsa.internal.messageid": "BOOTPD_NEW_CONF", + "rsa.misc.event_type": "BOOTPD_NEW_CONF:", + "rsa.time.day": "2", + "rsa.time.event_time": "2020-08-02T03:43:25.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-16T10:45:59.000Z", + "event.action": "onemulla", + "event.code": "RPD_RIP_JOIN_MULTICAST", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1372, + "network.interface.name": "enp0s4292", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RPD_RIP_JOIN_MULTICAST message repeated", + "process.pid": 60, + "rsa.internal.event_desc": "RIP - Unable to join multicast group", + "rsa.internal.messageid": "RPD_RIP_JOIN_MULTICAST", + "rsa.misc.event_type": "onemulla", + "rsa.misc.result": "unknown", + "rsa.network.interface": "enp0s4292", + "rsa.time.day": "16", + "rsa.time.event_time": "2020-08-16T10:45:59.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-30T17:48:33.000Z", + "event.action": "xea", + "event.code": "FSAD_TERMINATED_CONNECTION", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", + "file.name": "ites", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1494, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "FSAD_TERMINATED_CONNECTION: restart", + "process.pid": 6703, + "rsa.internal.event_desc": "FSAD TERMINATED CONNECTION", + "rsa.internal.messageid": "FSAD_TERMINATED_CONNECTION", + "rsa.misc.event_type": "xea", + "rsa.misc.result": "unknown", + "rsa.time.day": "30", + "rsa.time.event_time": "2020-08-30T17:48:33.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-09-14T00:51:07.000Z", + "event.action": "eri", + "event.code": "RPD_KRT_IFL_GENERATION", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1597, + "network.interface.name": "lo2169", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RPD_KRT_IFL_GENERATION message repeated", + "process.pid": 5539, + "rsa.internal.event_desc": "ifl generation mismatch", + "rsa.internal.messageid": "RPD_KRT_IFL_GENERATION", + "rsa.misc.event_type": "eri", + "rsa.misc.result": "unknown", + "rsa.network.interface": "lo2169", + "rsa.time.day": "13", + "rsa.time.event_time": "2020-09-14T00:51:07.000Z", + "rsa.time.month": "Sep", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-09-28T07:53:42.000Z", + "event.code": "[3453]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1708, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[3453]", + "rsa.time.day": "28", + "rsa.time.event_time": "2020-09-28T07:53:42.000Z", + "rsa.time.month": "Sep", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-10-12T14:56:16.000Z", + "event.action": "RMOPD_usage", + "event.code": "RMOPD_usage", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1797, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "mquisn.exe", + "process.pid": 3993, + "rsa.db.index": "midest", + "rsa.internal.event_desc": "RMOPD usage", + "rsa.internal.messageid": "RMOPD_usage", + "rsa.misc.event_type": "RMOPD_usage", + "rsa.misc.pid": "3993", + "rsa.misc.result": "failure", + "rsa.time.day": "12", + "rsa.time.event_time": "2020-10-12T14:56:16.000Z", + "rsa.time.month": "Oct", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-10-26T21:58:50.000Z", + "event.action": "RPD_ISIS_LSPCKSUM:", + "event.code": "tasun", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 1861, + "network.interface.name": "enp0s1965", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "undeomni.exe", + "process.pid": 4938, + "rsa.counters.dclass_c1": 715, + "rsa.counters.dclass_c2": 3203, + "rsa.internal.event_desc": "IS-IS LSP checksum error on iterface", + "rsa.internal.messageid": "RPD_ISIS_LSPCKSUM", + "rsa.misc.event_type": "RPD_ISIS_LSPCKSUM:", + "rsa.misc.pid": "4938", + "rsa.misc.reference_id": "tasun", + "rsa.misc.result_code": "eratv", + "rsa.network.interface": "enp0s1965", + "rsa.time.day": "26", + "rsa.time.event_time": "2020-10-26T21:58:50.000Z", + "rsa.time.month": "Oct", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-10T05:01:24.000Z", + "event.action": "VPN", + "event.code": "kmd", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 10 03:01:24 kmd: restart ", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2028, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "kmd", + "rsa.misc.event_type": "VPN", + "rsa.time.day": "10", + "rsa.time.event_time": "2020-11-10T05:01:24.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-24T12:03:59.000Z", + "destination.address": "erspi4926.www5.test", + "event.action": "LOGIN_FAILED:", + "event.code": "LOGIN_FAILED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", + "event.outcome": "failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2058, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ever.exe", + "process.pid": 6463, + "related.hosts": [ + "erspi4926.www5.test" + ], + "related.user": [ + "atq" + ], + "rsa.internal.event_desc": "Login failure", + "rsa.internal.messageid": "LOGIN_FAILED", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.event_type": "LOGIN_FAILED:", + "rsa.misc.pid": "6463", + "rsa.network.host_dst": "erspi4926.www5.test", + "rsa.time.day": "24", + "rsa.time.event_time": "2020-11-24T12:03:59.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "atq" + }, + { + "@timestamp": "2020-12-08T19:06:33.000Z", + "event.action": "iadese", + "event.code": "CHASSISD_MBUS_ERROR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2162, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "CHASSISD_MBUS_ERROR message repeated", + "process.pid": 72, + "rsa.internal.event_desc": "management bus failed sanity test", + "rsa.internal.messageid": "CHASSISD_MBUS_ERROR", + "rsa.misc.event_type": "iadese", + "rsa.misc.result_code": "imad", + "rsa.time.day": "8", + "rsa.time.event_time": "2020-12-08T19:06:33.000Z", + "rsa.time.month": "Dec", + "service.name": "nisiu", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-23T02:09:07.000Z", + "event.action": "TFTPD_NAK_ERR", + "event.code": "TFTPD_NAK_ERR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2274, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "niamquis.exe", + "process.pid": 1471, + "rsa.counters.dclass_c1": 357, + "rsa.internal.event_desc": "TFTPD NAK ERROR", + "rsa.internal.messageid": "TFTPD_NAK_ERR", + "rsa.misc.event_type": "TFTPD_NAK_ERR", + "rsa.misc.pid": "1471", + "rsa.misc.result_code": "ptatems", + "rsa.time.day": "23", + "rsa.time.event_time": "2019-12-23T02:09:07.000Z", + "rsa.time.month": "Dec", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-06T09:11:41.000Z", + "event.action": "atqu", + "event.code": "UI_DUPLICATE_UID", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2349, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "UI_DUPLICATE_UID: restart", + "process.pid": 3350, + "related.user": [ + "olorsita", + "naturau" + ], + "rsa.internal.event_desc": "Users have the same UID", + "rsa.internal.messageid": "UI_DUPLICATE_UID", + "rsa.misc.event_type": "atqu", + "rsa.time.day": "6", + "rsa.time.event_time": "2020-01-06T09:11:41.000Z", + "rsa.time.month": "Jan", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "naturau" + }, + { + "@timestamp": "2020-01-20T16:14:16.000Z", + "event.action": "TFTPD_CREATE_ERR:", + "event.code": "TFTPD_CREATE_ERR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2445, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "piscivel.exe", + "process.pid": 4753, + "rsa.internal.event_desc": "TFTPD CREATE ERROR", + "rsa.internal.messageid": "TFTPD_CREATE_ERR", + "rsa.misc.event_type": "TFTPD_CREATE_ERR:", + "rsa.misc.pid": "4753", + "rsa.misc.result": "unknown", + "rsa.time.day": "20", + "rsa.time.event_time": "2020-01-20T16:14:16.000Z", + "rsa.time.month": "Jan", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-03T23:16:50.000Z", + "event.code": "[1269]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2521, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[1269]", + "rsa.time.day": "3", + "rsa.time.event_time": "2020-02-03T23:16:50.000Z", + "rsa.time.month": "Feb", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-18T06:19:24.000Z", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2603, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.time.day": "18", + "rsa.time.event_time": "2020-02-18T06:19:24.000Z", + "rsa.time.month": "Feb", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-04T13:21:59.000Z", + "event.action": "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", + "event.code": "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2685, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ilm.exe", + "process.pid": 3193, + "rsa.counters.dclass_c1": 4003, + "rsa.counters.dclass_c2": 4568, + "rsa.internal.event_desc": "SNMPD TRAP QUEUE MAX_ATTEMPTS - deleting some traps", + "rsa.internal.messageid": "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", + "rsa.misc.client": ": fugiatqu", + "rsa.misc.event_type": "SNMPD_TRAP_QUEUE_MAX_ATTEMPTS", + "rsa.misc.obj_name": "exercita", + "rsa.time.day": "4", + "rsa.time.event_time": "2020-03-04T13:21:59.000Z", + "rsa.time.month": "Mar", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-18T20:24:33.000Z", + "event.action": "ntut", + "event.code": "TFTPD_BIND_ERR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2845, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "TFTPD_BIND_ERR: restart", + "process.pid": 1431, + "rsa.internal.event_desc": "TFTPD BIND ERROR", + "rsa.internal.messageid": "TFTPD_BIND_ERR", + "rsa.misc.event_type": "ntut", + "rsa.misc.result": "failure", + "rsa.time.day": "18", + "rsa.time.event_time": "2020-03-18T20:24:33.000Z", + "rsa.time.month": "Mar", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-02T03:27:07.000Z", + "destination.ip": [ + "10.88.126.165" + ], + "event.action": "RPD_LDP_SESSIONDOWN:", + "event.code": "RPD_LDP_SESSIONDOWN", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 2913, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "doei.exe", + "process.pid": 7073, + "related.ip": [ + "10.88.126.165" + ], + "rsa.internal.event_desc": "LDP session down", + "rsa.internal.messageid": "RPD_LDP_SESSIONDOWN", + "rsa.misc.event_type": "RPD_LDP_SESSIONDOWN:", + "rsa.misc.result": "failure", + "rsa.time.day": "2", + "rsa.time.event_time": "2020-04-02T03:27:07.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-16T10:29:41.000Z", + "event.code": "[180]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3033, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[180]", + "rsa.time.day": "16", + "rsa.time.event_time": "2020-04-16T10:29:41.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-30T17:32:16.000Z", + "event.action": "iumdo", + "event.code": "NASD_CHAP_INVALID_CHAP_IDENTIFIER", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", + "file.name": "aturv", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3125, + "network.interface.name": "lo2721", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated", + "process.pid": 796, + "rsa.internal.event_desc": "CHAP INVALID_CHAP IDENTIFIER", + "rsa.internal.messageid": "NASD_CHAP_INVALID_CHAP_IDENTIFIER", + "rsa.misc.event_type": "iumdo", + "rsa.misc.result_code": "ectetura", + "rsa.network.interface": "lo2721", + "rsa.time.day": "30", + "rsa.time.event_time": "2020-04-30T17:32:16.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-15T00:34:50.000Z", + "event.action": "allow", + "event.code": "UI_LOAD_EVENT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3256, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "UI_LOAD_EVENT message repeated", + "process.pid": 6342, + "related.user": [ + "moll" + ], + "rsa.internal.event_desc": "User command", + "rsa.internal.messageid": "UI_LOAD_EVENT", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "seq", + "rsa.time.day": "14", + "rsa.time.event_time": "2020-05-15T00:34:50.000Z", + "rsa.time.month": "May", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "moll" + }, + { + "@timestamp": "2020-05-29T07:37:24.000Z", + "event.action": "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", + "event.code": "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3352, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "fdeFin.exe", + "process.pid": 4053, + "rsa.counters.dclass_c1": 1450, + "rsa.internal.event_desc": "SNMP TRAP TRACE ROUTE TEST FAILED", + "rsa.internal.messageid": "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", + "rsa.misc.event_type": "SNMP_TRAP_TRACE_ROUTE_TEST_FAILED", + "rsa.misc.obj_name": "edic", + "rsa.misc.pid": "4053", + "rsa.time.day": "29", + "rsa.time.event_time": "2020-05-29T07:37:24.000Z", + "rsa.time.month": "May", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-12T14:39:58.000Z", + "event.action": "uae", + "event.code": "SNMPD_RTSLIB_ASYNC_EVENT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3483, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "SNMPD_RTSLIB_ASYNC_EVENT: restart", + "process.pid": 508, + "rsa.internal.event_desc": "sequence mismatch", + "rsa.internal.messageid": "SNMPD_RTSLIB_ASYNC_EVENT", + "rsa.misc.client": "oremip", + "rsa.misc.event_type": "uae", + "rsa.misc.result": "failure", + "rsa.time.day": "12", + "rsa.time.event_time": "2020-06-12T14:39:58.000Z", + "rsa.time.month": "Jun", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-26T21:42:33.000Z", + "event.action": "BOOTPD_TIMEOUT:", + "event.code": "BOOTPD_TIMEOUT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3579, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ine.exe", + "process.pid": 3181, + "rsa.internal.event_desc": "timeout unreasonable", + "rsa.internal.messageid": "BOOTPD_TIMEOUT", + "rsa.misc.event_type": "BOOTPD_TIMEOUT:", + "rsa.misc.result": "success", + "rsa.time.day": "26", + "rsa.time.event_time": "2020-06-26T21:42:33.000Z", + "rsa.time.month": "Jun", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-11T04:45:07.000Z", + "event.action": "abore", + "event.code": "NASD_RADIUS_MESSAGE_UNEXPECTED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3696, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "NASD_RADIUS_MESSAGE_UNEXPECTED message repeated", + "process.pid": 33, + "rsa.internal.event_desc": "Unknown response from RADIUS server", + "rsa.internal.messageid": "NASD_RADIUS_MESSAGE_UNEXPECTED", + "rsa.misc.event_type": "abore", + "rsa.misc.result": "unknown", + "rsa.time.day": "11", + "rsa.time.event_time": "2020-07-11T04:45:07.000Z", + "rsa.time.month": "Jul", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-25T11:47:41.000Z", + "event.action": "illum", + "event.code": "PWC_LOCKFILE_BAD_FORMAT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3818, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "PWC_LOCKFILE_BAD_FORMAT: restart", + "process.pid": 3426, + "rsa.internal.event_desc": "PID lock file has bad format", + "rsa.internal.messageid": "PWC_LOCKFILE_BAD_FORMAT", + "rsa.misc.client": "eprehe", + "rsa.misc.event_type": "illum", + "rsa.time.day": "25", + "rsa.time.event_time": "2020-07-25T11:47:41.000Z", + "rsa.time.month": "Jul", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-08T18:50:15.000Z", + "event.action": "RPD_KRT_AFUNSUPRT", + "event.code": "RPD_KRT_AFUNSUPRT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 3919, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "snostr.exe", + "process.pid": 1613, + "rsa.counters.dclass_c1": 4176, + "rsa.internal.event_desc": "message with unsupported address family received", + "rsa.internal.messageid": "RPD_KRT_AFUNSUPRT", + "rsa.misc.client": "itaspe", + "rsa.misc.event_type": "RPD_KRT_AFUNSUPRT", + "rsa.misc.pid": "1613", + "rsa.misc.result_code": "tec", + "rsa.time.day": "8", + "rsa.time.event_time": "2020-08-08T18:50:15.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-23T01:52:50.000Z", + "event.action": "PWC_PROCESS_FORCED_HOLD", + "event.code": "PWC_PROCESS_FORCED_HOLD", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 4038, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "oreeufug.exe", + "process.pid": 6086, + "rsa.internal.event_desc": "Process forcing hold down of child until signalled", + "rsa.internal.messageid": "PWC_PROCESS_FORCED_HOLD", + "rsa.misc.client": "plicaboN", + "rsa.misc.event_type": "PWC_PROCESS_FORCED_HOLD", + "rsa.misc.pid": "6086", + "rsa.time.day": "22", + "rsa.time.event_time": "2020-08-23T01:52:50.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-09-06T08:55:24.000Z", + "event.action": "tiu", + "event.code": "MIB2D_IFL_IFINDEX_FAILURE", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 4161, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "MIB2D_IFL_IFINDEX_FAILURE message repeated", + "process.pid": 4115, + "related.user": [ + "wri" + ], + "rsa.counters.dclass_c1": 3902, + "rsa.internal.event_desc": "SNMP index assigned changed", + "rsa.internal.messageid": "MIB2D_IFL_IFINDEX_FAILURE", + "rsa.misc.event_type": "tiu", + "rsa.misc.result": "unknown", + "rsa.time.day": "6", + "rsa.time.event_time": "2020-09-06T08:55:24.000Z", + "rsa.time.month": "Sep", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "wri" + }, + { + "@timestamp": "2020-09-20T15:57:58.000Z", + "event.action": "UI_DBASE_MISMATCH_MAJOR:", + "event.code": "UI_DBASE_MISMATCH_MAJOR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", + "file.name": "ende", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 4288, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "pitlabo.exe", + "process.pid": 3498, + "rsa.counters.dclass_c1": 6053, + "rsa.counters.dclass_c2": 4884, + "rsa.internal.event_desc": "Database header major version number mismatch", + "rsa.internal.messageid": "UI_DBASE_MISMATCH_MAJOR", + "rsa.misc.event_type": "UI_DBASE_MISMATCH_MAJOR:", + "rsa.time.day": "20", + "rsa.time.event_time": "2020-09-20T15:57:58.000Z", + "rsa.time.month": "Sep", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-10-04T23:00:32.000Z", + "event.action": "SNMPD_VIEW_INSTALL_DEFAULT", + "event.code": "SNMPD_VIEW_INSTALL_DEFAULT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 4467, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "nul.exe", + "process.pid": 1005, + "rsa.counters.dclass_c1": 1243, + "rsa.counters.dclass_c2": 5146, + "rsa.internal.event_desc": "installing default SNMP view", + "rsa.internal.messageid": "SNMPD_VIEW_INSTALL_DEFAULT", + "rsa.misc.event_type": "SNMPD_VIEW_INSTALL_DEFAULT", + "rsa.misc.result": "eetdo: success", + "rsa.time.day": "4", + "rsa.time.event_time": "2020-10-04T23:00:32.000Z", + "rsa.time.month": "Oct", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-10-19T06:03:07.000Z", + "event.action": "uptatem", + "event.code": "DCD_PARSE_STATE_EMERGENCY", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 4606, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "DCD_PARSE_STATE_EMERGENCY message repeated", + "process.pid": 2498, + "rsa.internal.event_desc": "unhandled state was encountered during interface parsing", + "rsa.internal.messageid": "DCD_PARSE_STATE_EMERGENCY", + "rsa.misc.event_type": "uptatem", + "rsa.time.day": "19", + "rsa.time.event_time": "2020-10-19T06:03:07.000Z", + "rsa.time.month": "Oct", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-02T13:05:41.000Z", + "event.action": "LOGIN_PAM_MAX_RETRIES:", + "event.code": "LOGIN_PAM_MAX_RETRIES", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", + "event.outcome": "failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 4742, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ain.exe", + "process.pid": 7192, + "related.user": [ + "iquipex" + ], + "rsa.internal.event_desc": "Login failure", + "rsa.internal.messageid": "LOGIN_PAM_MAX_RETRIES", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.event_type": "LOGIN_PAM_MAX_RETRIES:", + "rsa.misc.result": "Too many retries while authenticating user", + "rsa.time.day": "2", + "rsa.time.event_time": "2020-11-02T13:05:41.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "iquipex" + }, + { + "@timestamp": "2020-11-16T20:08:15.000Z", + "event.action": "BOOTPD_NO_BOOTSTRING", + "event.code": "BOOTPD_NO_BOOTSTRING", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", + "file.name": "veleu", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 4882, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "onorume.exe", + "process.pid": 3290, + "rsa.internal.event_desc": "No boot string found", + "rsa.internal.messageid": "BOOTPD_NO_BOOTSTRING", + "rsa.misc.event_type": "BOOTPD_NO_BOOTSTRING", + "rsa.misc.pid": "3290", + "rsa.time.day": "16", + "rsa.time.event_time": "2020-11-16T20:08:15.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-01T03:10:49.000Z", + "event.code": "sshd", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", + "event.outcome": "failure", + "fileset.name": "junos", + "host.ip": "10.252.209.246", + "input.type": "log", + "log.offset": 4976, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "sshd", + "related.ip": [ + "10.252.209.246" + ], + "related.user": [ + "ciatisun" + ], + "rsa.internal.event_desc": "Login failed for user", + "rsa.internal.messageid": "sshd", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Authentication", + "rsa.time.day": "1", + "rsa.time.event_time": "2020-12-01T03:10:49.000Z", + "rsa.time.month": "Dec", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "ciatisun" + }, + { + "@timestamp": "2020-12-15T10:13:24.000Z", + "event.code": "COS", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Dec 15 08:13:24 COS: restart : Received FC->Q map, caecat", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5114, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "COS: restart", + "rsa.db.index": "caecat", + "rsa.internal.event_desc": "Received FC Q map", + "rsa.internal.messageid": "COS", + "rsa.time.day": "15", + "rsa.time.event_time": "2020-12-15T10:13:24.000Z", + "rsa.time.month": "Dec", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-29T17:15:58.000Z", + "event.action": "nvolupta", + "event.code": "cgatool", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5172, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "cgatool message repeated", + "rsa.internal.event_desc": "cga address genration", + "rsa.internal.messageid": "cgatool", + "rsa.misc.event_type": "nvolupta", + "rsa.misc.result": "success", + "rsa.time.day": "29", + "rsa.time.event_time": "2019-12-29T17:15:58.000Z", + "rsa.time.month": "Dec", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-13T00:18:32.000Z", + "event.action": "idolor", + "event.code": "CHASSISD_SNMP_TRAP6", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5254, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "CHASSISD_SNMP_TRAP6 message repeated", + "process.pid": 4667, + "rsa.db.index": "les", + "rsa.internal.event_desc": "SNMP Trap6 generated", + "rsa.internal.messageid": "CHASSISD_SNMP_TRAP6", + "rsa.misc.event_type": "idolor", + "rsa.misc.result": "success", + "rsa.time.day": "12", + "rsa.time.event_time": "2020-01-13T00:18:32.000Z", + "rsa.time.month": "Jan", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-27T07:21:06.000Z", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5358, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.time.day": "27", + "rsa.time.event_time": "2020-01-27T07:21:06.000Z", + "rsa.time.month": "Jan", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-10T14:23:41.000Z", + "event.action": "serrorsi", + "event.code": "DFWD_PARSE_FILTER_EMERGENCY", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5485, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "DFWD_PARSE_FILTER_EMERGENCY message repeated", + "process.pid": 2037, + "rsa.internal.event_desc": "errors encountered while parsing filter index file", + "rsa.internal.messageid": "DFWD_PARSE_FILTER_EMERGENCY", + "rsa.misc.event_type": "serrorsi", + "rsa.time.day": "10", + "rsa.time.event_time": "2020-02-10T14:23:41.000Z", + "rsa.time.month": "Feb", + "service.name": "tsedquia", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-24T21:26:15.000Z", + "destination.ip": [ + "10.148.255.126" + ], + "event.action": "RPD_LDP_SESSIONDOWN:", + "event.code": "RPD_LDP_SESSIONDOWN", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5624, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "tesse.exe", + "process.pid": 4358, + "related.ip": [ + "10.148.255.126" + ], + "rsa.internal.event_desc": "LDP session down", + "rsa.internal.messageid": "RPD_LDP_SESSIONDOWN", + "rsa.misc.event_type": "RPD_LDP_SESSIONDOWN:", + "rsa.misc.result": "unknown", + "rsa.time.day": "24", + "rsa.time.event_time": "2020-02-24T21:26:15.000Z", + "rsa.time.month": "Feb", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-11T04:28:49.000Z", + "event.code": "[mipsumqu]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5755, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[mipsumqu]", + "rsa.time.day": "11", + "rsa.time.event_time": "2020-03-11T04:28:49.000Z", + "rsa.time.month": "Mar", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-25T11:31:24.000Z", + "event.code": "lsys_ssam_handler", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5876, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "lsys_ssam_handler:", + "rsa.db.index": "tur", + "rsa.internal.event_desc": "processing lsys root-logical-system", + "rsa.internal.messageid": "lsys_ssam_handler", + "rsa.misc.node": "mquis", + "rsa.time.day": "25", + "rsa.time.event_time": "2020-03-25T11:31:24.000Z", + "rsa.time.month": "Mar", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-08T18:33:58.000Z", + "event.action": "loreeuf", + "event.code": "UI_LOST_CONN", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 5981, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "UI_LOST_CONN message repeated", + "process.pid": 7847, + "rsa.internal.event_desc": "Lost connection to daemon", + "rsa.internal.messageid": "UI_LOST_CONN", + "rsa.misc.client": "orainci", + "rsa.misc.event_type": "loreeuf", + "rsa.time.day": "8", + "rsa.time.event_time": "2020-04-08T18:33:58.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-23T01:36:32.000Z", + "event.action": "itse", + "event.code": "PWC_PROCESS_HOLD", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6077, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "PWC_PROCESS_HOLD: restart", + "process.pid": 1791, + "rsa.internal.event_desc": "Process holding down child until signalled", + "rsa.internal.messageid": "PWC_PROCESS_HOLD", + "rsa.misc.client": "lapari", + "rsa.misc.event_type": "itse", + "rsa.time.day": "22", + "rsa.time.event_time": "2020-04-23T01:36:32.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-07T08:39:06.000Z", + "event.action": "LIBSERVICED_SOCKET_BIND", + "event.code": "LIBSERVICED_SOCKET_BIND", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6185, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "norum.exe", + "process.pid": 4443, + "rsa.internal.event_desc": "unable to bind socket", + "rsa.internal.messageid": "LIBSERVICED_SOCKET_BIND", + "rsa.misc.event_type": "LIBSERVICED_SOCKET_BIND", + "rsa.misc.result": "failure", + "rsa.misc.result_code": ": dantium", + "rsa.time.day": "7", + "rsa.time.event_time": "2020-05-07T08:39:06.000Z", + "rsa.time.month": "May", + "rsa.wireless.wlan_ssid": "ors", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-21T15:41:41.000Z", + "destination.address": "mSect5899.domain", + "event.action": "LOGIN_FAILED:", + "event.code": "LOGIN_FAILED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", + "event.outcome": "failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6319, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "mfugiat.exe", + "process.pid": 3946, + "related.hosts": [ + "mSect5899.domain" + ], + "related.user": [ + "olu" + ], + "rsa.internal.event_desc": "Login failure", + "rsa.internal.messageid": "LOGIN_FAILED", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.event_type": "LOGIN_FAILED:", + "rsa.network.host_dst": "mSect5899.domain", + "rsa.time.day": "21", + "rsa.time.event_time": "2020-05-21T15:41:41.000Z", + "rsa.time.month": "May", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "olu" + }, + { + "@timestamp": "2020-06-04T22:44:15.000Z", + "event.action": "MIB2D_IFL_IFINDEX_FAILURE:", + "event.code": "MIB2D_IFL_IFINDEX_FAILURE", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6444, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "idolo.exe", + "process.pid": 6535, + "related.user": [ + "deseru" + ], + "rsa.counters.dclass_c1": 6460, + "rsa.internal.event_desc": "SNMP index assigned changed", + "rsa.internal.messageid": "MIB2D_IFL_IFINDEX_FAILURE", + "rsa.misc.event_type": "MIB2D_IFL_IFINDEX_FAILURE:", + "rsa.misc.pid": "6535", + "rsa.misc.result": "unknown", + "rsa.time.day": "4", + "rsa.time.event_time": "2020-06-04T22:44:15.000Z", + "rsa.time.month": "Jun", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "deseru" + }, + { + "@timestamp": "2020-06-19T05:46:49.000Z", + "event.action": "CHASSISD_RELEASE_MASTERSHIP:", + "event.code": "CHASSISD_RELEASE_MASTERSHIP", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6564, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "modtempo.exe", + "process.pid": 5276, + "rsa.internal.event_desc": "Release mastership notification", + "rsa.internal.messageid": "CHASSISD_RELEASE_MASTERSHIP", + "rsa.misc.event_type": "CHASSISD_RELEASE_MASTERSHIP:", + "rsa.misc.pid": "5276", + "rsa.time.day": "19", + "rsa.time.event_time": "2020-06-19T05:46:49.000Z", + "rsa.time.month": "Jun", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-03T12:49:23.000Z", + "event.code": "[3450]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6663, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[3450]", + "rsa.time.day": "3", + "rsa.time.event_time": "2020-07-03T12:49:23.000Z", + "rsa.time.month": "Jul", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-17T19:51:58.000Z", + "event.action": "SERVICED_RTSOCK_SEQUENCE", + "event.code": "SERVICED_RTSOCK_SEQUENCE", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6769, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ame.exe", + "process.pid": 226, + "rsa.internal.event_desc": "routing socket sequence error", + "rsa.internal.messageid": "SERVICED_RTSOCK_SEQUENCE", + "rsa.misc.client": "boreet", + "rsa.misc.event_type": "SERVICED_RTSOCK_SEQUENCE", + "rsa.misc.pid": "226", + "rsa.misc.result": "unknown", + "rsa.time.day": "17", + "rsa.time.event_time": "2020-07-17T19:51:58.000Z", + "rsa.time.month": "Jul", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-01T02:54:32.000Z", + "event.action": "VPN", + "event.code": "idpinfo", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6873, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "idpinfo", + "rsa.misc.event_type": "VPN", + "rsa.misc.pid": "940", + "rsa.time.day": "1", + "rsa.time.event_time": "2020-08-01T02:54:32.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-15T09:57:06.000Z", + "event.action": "oreeufug", + "event.code": "RPD_KRT_NOIFD", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 6947, + "network.interface.name": "lo4593", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RPD_KRT_NOIFD: restart", + "process.pid": 4822, + "rsa.counters.dclass_c1": 5020, + "rsa.internal.event_desc": "No device for interface", + "rsa.internal.messageid": "RPD_KRT_NOIFD", + "rsa.misc.event_type": "oreeufug", + "rsa.network.interface": "lo4593", + "rsa.time.day": "15", + "rsa.time.event_time": "2020-08-15T09:57:06.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-29T16:59:40.000Z", + "event.action": "craftd:", + "event.code": "craftd", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7040, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "citatio.exe", + "process.pid": 5029, + "rsa.internal.event_desc": "License expiration warning", + "rsa.internal.messageid": "craftd", + "rsa.misc.event_type": "craftd:", + "rsa.misc.result": "unknown", + "rsa.time.day": "29", + "rsa.time.event_time": "2020-08-29T16:59:40.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-09-13T00:02:15.000Z", + "event.action": "eetd", + "event.code": "ACCT_CU_RTSLIB_error", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success", + "file.name": "liquide", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7123, + "network.interface.name": "enp0s2674", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ACCT_CU_RTSLIB_error message repeated", + "process.pid": 7583, + "rsa.internal.event_desc": "Class usage statistics error for interface", + "rsa.internal.messageid": "ACCT_CU_RTSLIB_error", + "rsa.misc.event_type": "eetd", + "rsa.misc.result": "success", + "rsa.network.interface": "enp0s2674", + "rsa.time.day": "12", + "rsa.time.event_time": "2020-09-13T00:02:15.000Z", + "rsa.time.month": "Sep", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-09-27T07:04:49.000Z", + "event.action": "VPN", + "event.code": "kmd", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7263, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "kmd", + "rsa.misc.event_type": "VPN", + "rsa.time.day": "27", + "rsa.time.event_time": "2020-09-27T07:04:49.000Z", + "rsa.time.month": "Sep", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-10-11T14:07:23.000Z", + "event.action": "rauto", + "event.code": "LOGIN_PAM_NONLOCAL_USER", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID", + "event.outcome": "failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7328, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "LOGIN_PAM_NONLOCAL_USER: restart", + "process.pid": 686, + "related.user": [ + "rese" + ], + "rsa.internal.event_desc": "Login failure", + "rsa.internal.messageid": "LOGIN_PAM_NONLOCAL_USER", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.event_type": "rauto", + "rsa.misc.result": "User authenticated but has no local login ID", + "rsa.time.day": "11", + "rsa.time.event_time": "2020-10-11T14:07:23.000Z", + "rsa.time.month": "Oct", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "rese" + }, + { + "@timestamp": "2020-10-25T21:09:57.000Z", + "event.action": "RPD_KRT_NOIFD", + "event.code": "RPD_KRT_NOIFD", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7441, + "network.interface.name": "enp0s7694", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "doconse.exe", + "process.pid": 6184, + "rsa.counters.dclass_c1": 5991, + "rsa.internal.event_desc": "No device for interface", + "rsa.internal.messageid": "RPD_KRT_NOIFD", + "rsa.misc.event_type": "RPD_KRT_NOIFD", + "rsa.misc.pid": "6184", + "rsa.network.interface": "enp0s7694", + "rsa.time.day": "25", + "rsa.time.event_time": "2020-10-25T21:09:57.000Z", + "rsa.time.month": "Oct", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-09T04:12:32.000Z", + "event.code": "uspinfo", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7531, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "quidolor1064.www.domain: uspinfo:", + "rsa.db.index": "rcita", + "rsa.internal.event_desc": "flow_print_session_summary_output received", + "rsa.internal.messageid": "uspinfo", + "rsa.time.day": "9", + "rsa.time.event_time": "2020-11-09T04:12:32.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-23T11:15:06.000Z", + "event.action": "mfugi", + "event.code": "RPD_TASK_REINIT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7631, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RPD_TASK_REINIT: restart", + "process.pid": 1810, + "rsa.internal.event_desc": "Reinitializing", + "rsa.internal.messageid": "RPD_TASK_REINIT", + "rsa.misc.event_type": "mfugi", + "rsa.time.day": "23", + "rsa.time.event_time": "2020-11-23T11:15:06.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-07T18:17:40.000Z", + "event.action": "allow", + "event.code": "ECCD_TRACE_FILE_OPEN_FAILED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7702, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "inibusBo.exe", + "process.pid": 2509, + "rsa.internal.event_desc": "ECCD TRACE FILE OPEN FAILURE", + "rsa.internal.messageid": "ECCD_TRACE_FILE_OPEN_FAILED", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.event_type": "ECCD_TRACE_FILE_OPEN_FAILED", + "rsa.misc.pid": "2509", + "rsa.misc.result": "failure", + "rsa.time.day": "7", + "rsa.time.event_time": "2020-12-07T18:17:40.000Z", + "rsa.time.month": "Dec", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2019-12-22T01:20:14.000Z", + "event.action": "accept", + "event.code": "ECCD_TRACE_FILE_OPEN_FAILED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7782, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ECCD_TRACE_FILE_OPEN_FAILED message repeated", + "process.pid": 2815, + "rsa.internal.event_desc": "ECCD TRACE FILE OPEN FAILURE", + "rsa.internal.messageid": "ECCD_TRACE_FILE_OPEN_FAILED", + "rsa.misc.action": [ + "accept" + ], + "rsa.misc.event_type": "rudexer", + "rsa.misc.result": "unknown", + "rsa.time.day": "21", + "rsa.time.event_time": "2019-12-22T01:20:14.000Z", + "rsa.time.month": "Dec", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-01-05T08:22:49.000Z", + "destination.address": "tod6376.mail.host", + "event.action": "LOGIN_FAILED:", + "event.code": "LOGIN_FAILED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host", + "event.outcome": "failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 7876, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "laud.exe", + "process.pid": 913, + "related.hosts": [ + "tod6376.mail.host" + ], + "related.user": [ + "turQ" + ], + "rsa.internal.event_desc": "Login failure", + "rsa.internal.messageid": "LOGIN_FAILED", + "rsa.investigations.ec_activity": "Logon", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "User", + "rsa.investigations.ec_theme": "Authentication", + "rsa.misc.event_type": "LOGIN_FAILED:", + "rsa.network.host_dst": "tod6376.mail.host", + "rsa.time.day": "5", + "rsa.time.event_time": "2020-01-05T08:22:49.000Z", + "rsa.time.month": "Jan", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ], + "user.name": "turQ" + }, + { + "@timestamp": "2020-01-19T15:25:23.000Z", + "event.action": "FSAD_CONNTIMEDOUT", + "event.code": "FSAD_CONNTIMEDOUT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen", + "fileset.name": "junos", + "host.hostname": "oreve2538.www.localdomain", + "input.type": "log", + "log.offset": 8004, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "ine.exe", + "process.pid": 1578, + "related.hosts": [ + "oreve2538.www.localdomain" + ], + "related.ip": [ + "10.44.24.103" + ], + "rsa.internal.event_desc": "Connection timed out to client", + "rsa.internal.messageid": "FSAD_CONNTIMEDOUT", + "rsa.misc.event_type": "FSAD_CONNTIMEDOUT", + "rsa.misc.obj_type": "reprehen", + "rsa.misc.pid": "1578", + "rsa.time.day": "19", + "rsa.time.event_time": "2020-01-19T15:25:23.000Z", + "rsa.time.month": "Jan", + "service.type": "juniper", + "source.address": "oreve2538.www.localdomain", + "source.ip": [ + "10.44.24.103" + ], + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-02T22:27:57.000Z", + "event.action": "rinre", + "event.code": "UI_SCHEMA_SEQUENCE_ERROR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8161, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "UI_SCHEMA_SEQUENCE_ERROR: restart", + "process.pid": 734, + "rsa.internal.event_desc": "Schema sequence number mismatch", + "rsa.internal.messageid": "UI_SCHEMA_SEQUENCE_ERROR", + "rsa.misc.event_type": "rinre", + "rsa.time.day": "2", + "rsa.time.event_time": "2020-02-02T22:27:57.000Z", + "rsa.time.month": "Feb", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-02-17T05:30:32.000Z", + "event.action": "deny", + "event.code": "LIBJNX_EXEC_PIPE", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8256, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "LIBJNX_EXEC_PIPE: restart", + "process.pid": 946, + "rsa.internal.event_desc": "Unable to create pipes for command", + "rsa.internal.messageid": "LIBJNX_EXEC_PIPE", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.event_type": "olors", + "rsa.misc.result": "unknown", + "rsa.time.day": "17", + "rsa.time.event_time": "2020-02-17T05:30:32.000Z", + "rsa.time.month": "Feb", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-03T12:33:06.000Z", + "event.action": "isnost", + "event.code": "UI_DBASE_MISMATCH_EXTENT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8363, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "UI_DBASE_MISMATCH_EXTENT: restart", + "process.pid": 4686, + "rsa.counters.dclass_c1": 559, + "rsa.counters.dclass_c2": 7339, + "rsa.internal.event_desc": "Database header extent mismatch", + "rsa.internal.messageid": "UI_DBASE_MISMATCH_EXTENT", + "rsa.misc.client": "lumdolor", + "rsa.misc.event_type": "isnost", + "rsa.time.day": "3", + "rsa.time.event_time": "2020-03-03T12:33:06.000Z", + "rsa.time.month": "Mar", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-03-17T19:35:40.000Z", + "event.action": "eumfu", + "event.code": "NASD_usage", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8505, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "NASD_usage message repeated", + "process.pid": 7744, + "rsa.db.index": "quidex", + "rsa.internal.event_desc": "NASD Usage", + "rsa.internal.messageid": "NASD_usage", + "rsa.misc.event_type": "eumfu", + "rsa.misc.result": "unknown", + "rsa.time.day": "17", + "rsa.time.event_time": "2020-03-17T19:35:40.000Z", + "rsa.time.month": "Mar", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-01T02:38:14.000Z", + "event.action": "VPN", + "event.code": "kmd", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 1 00:38:14 /kmd: ", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8580, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "kmd", + "rsa.misc.event_type": "VPN", + "rsa.time.day": "1", + "rsa.time.event_time": "2020-04-01T02:38:14.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-15T09:40:49.000Z", + "event.code": "sshd", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown", + "fileset.name": "junos", + "input.type": "log", + "log.level": "very-high", + "log.offset": 8602, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "sshd message repeated", + "rsa.internal.event_desc": "can't get client address", + "rsa.internal.messageid": "sshd", + "rsa.misc.result": "unknown", + "rsa.misc.severity": "very-high", + "rsa.time.day": "15", + "rsa.time.event_time": "2020-04-15T09:40:49.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-04-29T16:43:23.000Z", + "event.code": "[4279]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8687, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[4279]", + "rsa.time.day": "29", + "rsa.time.event_time": "2020-04-29T16:43:23.000Z", + "rsa.time.month": "Apr", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-13T23:45:57.000Z", + "event.action": "SNMPD_TRAP_QUEUE_DRAINED", + "event.code": "SNMPD_TRAP_QUEUE_DRAINED", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8789, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "uel.exe", + "process.pid": 5770, + "rsa.internal.event_desc": "traps queued - sent successfully", + "rsa.internal.messageid": "SNMPD_TRAP_QUEUE_DRAINED", + "rsa.misc.client": ": metco", + "rsa.misc.event_type": "SNMPD_TRAP_QUEUE_DRAINED", + "rsa.misc.obj_name": "vel", + "rsa.time.day": "13", + "rsa.time.event_time": "2020-05-13T23:45:57.000Z", + "rsa.time.month": "May", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-05-28T06:48:31.000Z", + "event.code": "[4837]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8919, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[4837]", + "rsa.time.day": "28", + "rsa.time.event_time": "2020-05-28T06:48:31.000Z", + "rsa.time.month": "May", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-11T13:51:06.000Z", + "event.action": "piciatis", + "event.code": "TFTPD_RECVCOMPLETE_INFO", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'", + "file.name": "tatisetq", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 8994, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "TFTPD_RECVCOMPLETE_INFO message repeated", + "process.pid": 7501, + "rsa.counters.dclass_c1": 3501, + "rsa.counters.dclass_c2": 5877, + "rsa.internal.event_desc": "TFTPD RECVCOMPLETE INFO", + "rsa.internal.messageid": "TFTPD_RECVCOMPLETE_INFO", + "rsa.misc.event_type": "piciatis", + "rsa.time.day": "11", + "rsa.time.event_time": "2020-06-11T13:51:06.000Z", + "rsa.time.month": "Jun", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-06-25T20:53:40.000Z", + "event.code": "usp_trace_ipc_reconnect", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9123, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "message repeated illum.exe", + "rsa.internal.event_desc": "USP trace client cannot reconnect to server", + "rsa.internal.messageid": "usp_trace_ipc_reconnect", + "rsa.misc.node": "usp_trace_ipc_reconnect", + "rsa.time.day": "25", + "rsa.time.event_time": "2020-06-25T20:53:40.000Z", + "rsa.time.month": "Jun", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-10T03:56:14.000Z", + "event.code": "BCHIP", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace> BCHIP: : cannot write ucode mask reg", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9234, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "tatiset.exe", + "rsa.internal.event_desc": "cannot write ucode mask reg", + "rsa.internal.messageid": "BCHIP", + "rsa.misc.device_name": "IFP trace> BCHIP:", + "rsa.time.day": "10", + "rsa.time.event_time": "2020-07-10T03:56:14.000Z", + "rsa.time.month": "Jul", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-07-24T10:58:48.000Z", + "event.action": "moditemp", + "event.code": "RPD_MPLS_LSP_DOWN", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9344, + "network.interface.name": "eth2042", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RPD_MPLS_LSP_DOWN message repeated", + "process.pid": 5094, + "rsa.internal.event_desc": "MPLS LSP DOWN", + "rsa.internal.messageid": "RPD_MPLS_LSP_DOWN", + "rsa.misc.event_type": "moditemp", + "rsa.misc.result": "unknown", + "rsa.network.interface": "eth2042", + "rsa.time.day": "24", + "rsa.time.event_time": "2020-07-24T10:58:48.000Z", + "rsa.time.month": "Jul", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-07T18:01:23.000Z", + "event.action": "uatDuisa", + "event.code": "CHASSISD_PARSE_INIT", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'", + "file.name": "usB", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9438, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "CHASSISD_PARSE_INIT: restart", + "process.pid": 4153, + "rsa.internal.event_desc": "Parsing configuration file", + "rsa.internal.messageid": "CHASSISD_PARSE_INIT", + "rsa.misc.event_type": "uatDuisa", + "rsa.time.day": "7", + "rsa.time.event_time": "2020-08-07T18:01:23.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-08-22T01:03:57.000Z", + "event.action": "upidatat", + "event.code": "RMOPD_ROUTING_INSTANCE_NO_INFO", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9533, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RMOPD_ROUTING_INSTANCE_NO_INFO: restart", + "process.pid": 6922, + "rsa.internal.event_desc": "No information for routing instance", + "rsa.internal.messageid": "RMOPD_ROUTING_INSTANCE_NO_INFO", + "rsa.misc.client": "non", + "rsa.misc.event_type": "upidatat", + "rsa.misc.result": "failure", + "rsa.time.day": "21", + "rsa.time.event_time": "2020-08-22T01:03:57.000Z", + "rsa.time.month": "Aug", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-09-05T08:06:31.000Z", + "event.action": "CHASSISD_TERM_SIGNAL:", + "event.code": "CHASSISD_TERM_SIGNAL", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9656, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "Utenimad.exe", + "process.pid": 4305, + "rsa.internal.event_desc": "Received SIGTERM request", + "rsa.internal.messageid": "CHASSISD_TERM_SIGNAL", + "rsa.misc.event_type": "CHASSISD_TERM_SIGNAL:", + "rsa.misc.pid": "4305", + "rsa.misc.result": "success", + "rsa.time.day": "5", + "rsa.time.event_time": "2020-09-05T08:06:31.000Z", + "rsa.time.month": "Sep", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-09-19T15:09:05.000Z", + "destination.ip": [ + "10.49.190.163" + ], + "event.action": "RPD_OSPF_NBRUP", + "event.code": "RPD_OSPF_NBRUP", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9749, + "network.interface.name": "lo50", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "tseddo.exe", + "process.pid": 484, + "related.ip": [ + "10.49.190.163" + ], + "rsa.internal.event_desc": "OSPF neighbor up", + "rsa.internal.messageid": "RPD_OSPF_NBRUP", + "rsa.misc.disposition": "aUteni", + "rsa.misc.event_type": "RPD_OSPF_NBRUP", + "rsa.misc.pid": "484", + "rsa.misc.result": "failure", + "rsa.network.interface": "lo50", + "rsa.time.day": "19", + "rsa.time.event_time": "2020-09-19T15:09:05.000Z", + "rsa.time.month": "Sep", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-10-03T22:11:40.000Z", + "event.code": "[6968]", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9856, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "rsa.internal.messageid": "[6968]", + "rsa.time.day": "3", + "rsa.time.event_time": "2020-10-03T22:11:40.000Z", + "rsa.time.month": "Oct", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-10-18T05:14:14.000Z", + "destination.ip": [ + "10.101.99.109" + ], + "event.action": "emu", + "event.code": "RPD_LDP_NBRDOWN", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 9924, + "network.interface.name": "eth4282", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RPD_LDP_NBRDOWN message repeated", + "process.pid": 4598, + "related.ip": [ + "10.101.99.109" + ], + "rsa.internal.event_desc": "LDP neighbor down", + "rsa.internal.messageid": "RPD_LDP_NBRDOWN", + "rsa.misc.event_type": "emu", + "rsa.misc.result": "success", + "rsa.network.interface": "eth4282", + "rsa.time.day": "18", + "rsa.time.event_time": "2020-10-18T05:14:14.000Z", + "rsa.time.month": "Oct", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-01T12:16:48.000Z", + "event.action": "con", + "event.code": "RPD_RDISC_NOMULTI", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 10034, + "network.interface.name": "lo7449", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "RPD_RDISC_NOMULTI message repeated", + "process.pid": 4764, + "rsa.counters.dclass_c1": 594, + "rsa.internal.event_desc": "Ignoring interface", + "rsa.internal.messageid": "RPD_RDISC_NOMULTI", + "rsa.misc.event_type": "con", + "rsa.misc.result": "unknown", + "rsa.network.interface": "lo7449", + "rsa.time.day": "1", + "rsa.time.event_time": "2020-11-01T12:16:48.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-15T19:19:22.000Z", + "event.action": "isquames", + "event.code": "BOOTPD_NEW_CONF", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 10141, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "BOOTPD_NEW_CONF: restart", + "process.pid": 1768, + "rsa.internal.event_desc": "New configuration installed", + "rsa.internal.messageid": "BOOTPD_NEW_CONF", + "rsa.misc.event_type": "isquames", + "rsa.time.day": "15", + "rsa.time.event_time": "2020-11-15T19:19:22.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-11-30T02:21:57.000Z", + "event.action": "ngelit", + "event.code": "SNMP_TRAP_LINK_DOWN", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 10228, + "network.interface.name": "lo3193", + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "SNMP_TRAP_LINK_DOWN message repeated", + "process.pid": 7368, + "rsa.counters.dclass_c1": 4197, + "rsa.internal.event_desc": "SNMP TRAP LINK DOWN", + "rsa.internal.messageid": "SNMP_TRAP_LINK_DOWN", + "rsa.misc.event_type": "ngelit", + "rsa.misc.result": "unknown", + "rsa.misc.result_code": "ons", + "rsa.network.interface": "lo3193", + "rsa.time.day": "30", + "rsa.time.event_time": "2020-11-30T02:21:57.000Z", + "rsa.time.month": "Nov", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + }, + { + "@timestamp": "2020-12-14T09:24:31.000Z", + "event.action": "udexerci", + "event.code": "MIB2D_ATM_ERROR", + "event.dataset": "juniper.junos", + "event.module": "juniper", + "event.original": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure", + "fileset.name": "junos", + "input.type": "log", + "log.offset": 10366, + "observer.product": "Junos", + "observer.type": "Routers", + "observer.vendor": "Juniper", + "process.name": "MIB2D_ATM_ERROR message repeated", + "process.pid": 4927, + "rsa.internal.event_desc": "MIB2D ATM ERROR", + "rsa.internal.messageid": "MIB2D_ATM_ERROR", + "rsa.misc.event_type": "udexerci", + "rsa.misc.result": "failure", + "rsa.time.day": "14", + "rsa.time.event_time": "2020-12-14T09:24:31.000Z", + "rsa.time.month": "Dec", + "service.name": "voluptat", + "service.type": "juniper", + "tags": [ + "juniper.junos", + "forwarded" + ] + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/juniper/netscreen/config/input.yml b/x-pack/filebeat/module/juniper/netscreen/config/input.yml index 75586aca33f7..0ec5bf4cda1e 100644 --- a/x-pack/filebeat/module/juniper/netscreen/config/input.yml +++ b/x-pack/filebeat/module/juniper/netscreen/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js b/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js +++ b/x-pack/filebeat/module/juniper/netscreen/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml index 7e5bef61bab3..74d2f3cc11a4 100644 --- a/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/netscreen/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/juniper/netscreen/manifest.yml b/x-pack/filebeat/module/juniper/netscreen/manifest.yml index 7da6bc1d60b2..a6e16398dd2f 100644 --- a/x-pack/filebeat/module/juniper/netscreen/manifest.yml +++ b/x-pack/filebeat/module/juniper/netscreen/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9523 + default: 9539 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json index da17c3a5f761..2ca88f3b2d38 100644 --- a/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json +++ b/x-pack/filebeat/module/juniper/netscreen/test/generated.log-expected.json @@ -1353,8 +1353,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.154.16.147", - "10.142.21.251" + "10.142.21.251", + "10.154.16.147" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "ute", @@ -1581,7 +1581,6 @@ "rsa.misc.hardware_id": "eetdo", "rsa.misc.policy_name": "mipsamv", "rsa.misc.severity": "low", - "rsa.misc.space": "", "rsa.misc.vsys": "mquisno", "rsa.network.interface": "enp0s4987", "service.type": "juniper", @@ -1852,8 +1851,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.193.80.21", - "10.51.161.245" + "10.51.161.245", + "10.193.80.21" ], "rsa.internal.messageid": "00625", "rsa.misc.hardware_id": "modi", @@ -2479,8 +2478,8 @@ "observer.type": "Firewall", "observer.vendor": "Juniper", "related.ip": [ - "10.96.218.99", - "10.96.165.147" + "10.96.165.147", + "10.96.218.99" ], "related.user": [ "utla" diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml index e786b2e068d6..2d6d418b4d9a 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js b/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js index aeecb9729444..6e446e40af2f 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js +++ b/x-pack/filebeat/module/microsoft/dhcp/config/pipeline.js @@ -23,7 +23,7 @@ var dup3 = match("MESSAGE#0:00/1_2", "nwparser.p0", "%{smacaddr},"); var dup4 = match("MESSAGE#0:00/1_3", "nwparser.p0", "%{smacaddr},%{fld6}"); -var dup5 = match("MESSAGE#0:00/1_4", "nwparser.p0", "%{smacaddr}"); +var dup5 = match_copy("MESSAGE#0:00/1_4", "nwparser.p0", "smacaddr"); var dup6 = setc("eventcategory","1605020000"); @@ -1046,7 +1046,7 @@ var part70 = match("MESSAGE#0:00/1_2", "nwparser.p0", "%{smacaddr},"); var part71 = match("MESSAGE#0:00/1_3", "nwparser.p0", "%{smacaddr},%{fld6}"); -var part72 = match("MESSAGE#0:00/1_4", "nwparser.p0", "%{smacaddr}"); +var part72 = match_copy("MESSAGE#0:00/1_4", "nwparser.p0", "smacaddr"); var select2 = linear_select([ dup1, diff --git a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml index 6ba5eef30321..896e301275d8 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml @@ -55,14 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.hostname}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - - append: - field: related.hosts - value: '{{source.address}}' - allow_duplicates: false - if: ctx?.source?.address != null && ctx.source?.address != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/microsoft/dhcp/manifest.yml b/x-pack/filebeat/module/microsoft/dhcp/manifest.yml index 55c069159b7f..986ce98fd011 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/manifest.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9515 + default: 9534 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log index d5c7d43d5b0d..920ab99df988 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log @@ -1,100 +1,100 @@ -%MSDHCP-4257-11030: 11030,1/29/16,6:09:59,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer -%MSDHCP-363-11015: 11015,2/12/16,1:12:33,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu -%MSDHCP-5738-11008: 11008,2/26/16,8:15:08,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit -%MSDHCP-1579-11011: 11011,3/12/16,3:17:42,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep -%MSDHCP-5393-11003: 11003,3/26/16,10:20:16,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB -%MSDHCP-6103-11018: 11018,4/9/16,5:22:51,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun -%MSDHCP-5524-11019: 11019,4/24/16,12:25:25,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi -%MSDHCP-5841-11021: 11021,5/8/16,7:27:59,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion -%MSDHCP-1559-11020: 11020,5/22/16,2:30:33,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac -%MSDHCP-7427-11006: 11006,6/5/16,9:33:08,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme -%MSDHCP-3458-11003: 11003,6/20/16,4:35:42,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta -%MSDHCP-6972-11012: 11012,7/4/16,11:38:16,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame -%MSDHCP-4977-11019: 11019,7/18/16,6:40:50,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq -%MSDHCP-1180-11010: 11010,8/2/16,1:43:25,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp -%MSDHCP-2628-11013: 11013,8/16/16,8:45:59,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre -%MSDHCP-5037-11004: 11004,8/30/16,3:48:33,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam -%MSDHCP-6385-1103: 1103,9/13/16,10:51:07,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno -%MSDHCP-1747-11011: 11011,9/28/16,5:53:42,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium -%MSDHCP-4949-11020: 11020,10/12/16,12:56:16,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr -%MSDHCP-4824-11010: 11010,10/26/16,7:58:50,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu -%MSDHCP-1842-11023: 11023,11/10/16,3:01:24,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno -%MSDHCP-5263-11007: 11007,11/24/16,10:03:59,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons -%MSDHCP-4410-11003: 11003,12/8/16,5:06:33,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov -%MSDHCP-3253-ID: ID,12/23/16,12:09:07,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65 -%MSDHCP-1394-11000: 11000,1/6/17,7:11:41,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag -%MSDHCP-2516-11007: 11007,1/20/17,2:14:16,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli -%MSDHCP-543-11006: 11006,2/3/17,9:16:50,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui -%MSDHCP-6846-11014: 11014,2/18/17,4:19:24,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun -%MSDHCP-7741-1103: 1103,3/4/17,11:21:59,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo -%MSDHCP-18-11005: 11005,3/18/17,6:24:33,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia -%MSDHCP-6789-11015: 11015,4/2/17,1:27:07,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender -%MSDHCP-1540-11014: 11014,4/16/17,8:29:41,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni -%MSDHCP-5663-11025: 11025,4/30/17,3:32:16,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab -%MSDHCP-5224-11011: 11011,5/14/17,10:34:50,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured -%MSDHCP-5608-11019: 11019,5/29/17,5:37:24,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat -%MSDHCP-3051-1098: 1098,6/12/17,12:39:58,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor -%MSDHCP-6444-11001: 11001,6/26/17,7:42:33,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide -%MSDHCP-5524-1098: 1098,7/11/17,2:45:07,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem -%MSDHCP-1978-11019: 11019,7/25/17,9:47:41,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation -%MSDHCP-5469-11024: 11024,8/8/17,4:50:15,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori -%MSDHCP-2-11004: 11004,8/22/17,11:52:50,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse -%MSDHCP-4924-11025: 11025,9/6/17,6:55:24,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa -%MSDHCP-3023-11023: 11023,9/20/17,1:57:58,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt -%MSDHCP-3896-11011: 11011,10/4/17,9:00:32,isn,10.74.240.121,equ4808.www.localhost,siuta,urmagn,dquia,temporin -%MSDHCP-6160-1098: 1098,10/19/17,4:03:07,obeataev,10.139.127.232,nsec923.internal.local,agnaaliq,tlaboree,norumet,dtempo -%MSDHCP-4862-11009: 11009,11/2/17,11:05:41,iumtot,10.170.6.54,emoe4059.api.localdomain,ehende,eaqueip,eum,lamc -%MSDHCP-1664-11007: 11007,11/16/17,6:08:15,sciun,10.46.115.216,equun6662.home,uia,iciad,lorem,nsequunt -%MSDHCP-6603-11017: 11017,12/1/17,1:10:49,gnaa,10.226.5.189,dtempori5735.www5.local,dexerc,strumex,eprehend,asnu -%MSDHCP-1313-11030: 11030,12/15/17,8:13:24,derit,10.0.20.5,cupi7581.internal.local,dunt,litsedq,nderiti,ntNe -%MSDHCP-4024-11023: 11023,12/29/17,3:15:58,olorema,10.180.101.232,quasiar5281.mail.invalid,emip,inBC,mol,tur -%MSDHCP-754-11018: 11018,1/12/18,10:18:32,irured,10.141.158.225,tionula1586.host,idolor,ratvolu,nreprehe,onse -%MSDHCP-3617-11013: 11013,1/27/18,5:21:06,tatnon,10.94.88.5,ore5643.api.lan,metco,acom,ceroinB,nim -%MSDHCP-4248-11024: 11024,2/10/18,12:23:41,aspe,10.155.18.139,ciun39.localdomain,iatqu,inBCSedu,erspi,rorsit -%MSDHCP-5976-11013: 11013,2/24/18,7:26:15,undeomni,10.85.48.117,iutali7297.www.domain,Finibus,radi,xeacom,des -%MSDHCP-77-11003: 11003,3/11/18,2:28:49,eprehend,10.224.146.6,docon5398.mail.host,uptate,lloinven,econs,lmolesti -%MSDHCP-2519-11007: 11007,3/25/18,9:31:24,doeiu,10.182.152.242,destlabo7803.mail.localhost,ecillum,isci,dolor,tiumto -%MSDHCP-6515-11000: 11000,4/8/18,4:33:58,quin,10.225.157.110,fugits1163.host,vol,admi,onnu,olorema -%MSDHCP-4357-11005: 11005,4/22/18,11:36:32,tcupida,10.236.185.102,adol170.internal.example,niam,pernat,rerepre,nculpaq -%MSDHCP-2577-11010: 11010,5/7/18,6:39:06,billoinv,10.146.72.62,red5516.localhost,agnaaliq,est,mquisno,aev -%MSDHCP-5343-1103: 1103,5/21/18,1:41:41,lapar,10.221.7.206,qui3176.internal.example,mexerc,meaque,uid,equaturv -%MSDHCP-653-1103: 1103,6/4/18,8:44:15,maccusa,10.196.35.130,luptat2979.internal.local,uradi,velitsed,magnaali,mwrit -%MSDHCP-6378-11014: 11014,6/19/18,3:46:49,equatDu,10.182.219.241,prehe1037.api.example,eiusmod,itation,veleum,piciatis -%MSDHCP-7616-11021: 11021,7/3/18,10:49:23,tanimid,10.101.163.40,abor1370.www.domain,remips,illoi,reetdolo,rationev -%MSDHCP-3147-11003: 11003,7/17/18,5:51:58,oremi,10.141.39.190,atDuis5759.internal.test,rumwri,velill,ore,tation -%MSDHCP-7360-11009: 11009,8/1/18,12:54:32,tperspic,10.41.89.217,ict2699.internal.localhost,riosamni,icta,luptate,llamc -%MSDHCP-2454-11007: 11007,8/15/18,7:57:06,tesseci,10.86.44.130,cive2292.api.local,nisiuta,stiaecon,dol,sumquiad -%MSDHCP-7311-11024: 11024,8/29/18,2:59:40,uid,10.209.71.69,aconsequ2331.www5.localhost,sequat,lor,ccaec,atu -%MSDHCP-4968-1098: 1098,9/12/18,10:02:15,laudanti,10.48.104.137,rsitvolu3596.www.test,uameiusm,adm,gelitsed,tiumto -%MSDHCP-2648-11023: 11023,9/27/18,5:04:49,nihil,10.225.255.211,elites6366.mail.lan,eursinto,litesse,fugiatn,uaeabi -%MSDHCP-2724-11013: 11013,10/11/18,12:07:23,olu,10.137.103.62,orumSe4514.www.corp,umquam,emagn,emulla,mips -%MSDHCP-3887-11015: 11015,10/25/18,7:09:57,etdol,10.156.88.51,fdeFi6975.www5.local,equat,aliquid,usantiu,idunt -%MSDHCP-5999-11025: 11025,11/9/18,2:12:32,quiacons,10.7.99.47,dol3000.www5.local,teturadi,ditau,atemaccu,veritat -%MSDHCP-5374-11010: 11010,11/23/18,9:15:06,ueip,10.243.252.157,umd5182.mail.host,tur,acon,Nemoenim,usm -%MSDHCP-5397-11013: 11013,12/7/18,4:17:40,tise,10.95.73.196,expl2616.www.test,itinvol,ten,litanim,rQuisaut -%MSDHCP-1636-11004: 11004,12/21/18,11:20:14,teni,10.145.104.170,risni1535.example,onemulla,riaturEx,deri,amqu -%MSDHCP-1303-11018: 11018,1/5/19,6:22:49,edquian,10.18.152.236,umtotamr7221.mail.host,rnat,rur,itse,ilm -%MSDHCP-2746-11015: 11015,1/19/19,1:25:23,oloree,10.15.240.220,teir7585.www5.localdomain,quu,xeac,llitanim,quamei -%MSDHCP-5996-11000: 11000,2/2/19,8:27:57,meum,10.147.130.71,tur4536.localdomain,iamqui,tassita,colabori,imidestl -%MSDHCP-956-11002: 11002,2/17/19,3:30:32,isn,10.203.146.137,ffic6926.home,aparia,CSe,exerci,inesciu -%MSDHCP-5452-11012: 11012,3/3/19,10:33:06,emu,10.5.98.182,ate4386.api.localhost,minimve,serrorsi,tametco,mquisnos -%MSDHCP-6034-11014: 11014,3/17/19,5:35:40,ici,10.6.180.90,iameaque5093.api.corp,aquio,rspicia,deom,oluptat -%MSDHCP-3545-11004: 11004,4/1/19,12:38:14,onproide,10.111.93.224,tatisetq3237.www5.corp,emag,oquisq,abori,sit -%MSDHCP-7051-11002: 11002,4/15/19,7:40:49,lumdolor,10.196.157.28,rvelill32.internal.corp,tatevel,midestl,nci,orroquis -%MSDHCP-4040-11017: 11017,4/29/19,2:43:23,meiusm,10.143.0.78,ectetura2657.www.localdomain,seq,moll,quaeabil,emip -%MSDHCP-3376-1103: 1103,5/13/19,9:45:57,mipsumqu,10.184.187.32,ico3220.api.test,evi,tionula,accus,uatu -%MSDHCP-111-11019: 11019,5/28/19,4:48:31,sumquiad,10.30.87.51,Duisa7769.test,iaecon,aevitaed,byCic,leumiur -%MSDHCP-5483-11000: 11000,6/11/19,11:51:06,tno,10.180.62.222,ptatev6552.www.test,ctetura,msequ,nvol,enimadmi -%MSDHCP-7708-1098: 1098,6/25/19,6:53:40,adeser,10.198.9.209,olore6487.www5.local,inea,animid,upta,ioff -%MSDHCP-4197-1098: 1098,7/10/19,1:56:14,iuntN,10.41.217.115,nvol548.corp,sin,idexeac,nimadmin,midest -%MSDHCP-2952-11030: 11030,7/24/19,8:58:48,quatu,10.212.196.228,pteursi466.www.localdomain,essecill,totamre,rpo,velites -%MSDHCP-7651-11002: 11002,8/7/19,4:01:23,uisaute,10.166.180.119,olupt1936.host,imide,ncul,taliq,tautfugi -%MSDHCP-163-11030: 11030,8/21/19,11:03:57,volup,10.7.142.212,uisaut2157.corp,tuser,ctasu,irat,sitame -%MSDHCP-3403-11023: 11023,9/5/19,6:06:31,uptateve,10.209.237.97,ecte882.www5.host,Malor,boriosa,cillumdo,ditau -%MSDHCP-801-11025: 11025,9/19/19,1:09:05,sci,10.61.26.207,doloreeu4417.example,ametcons,tconse,eumf,roquisq -%MSDHCP-3103-1098: 1098,10/3/19,8:11:40,tDuisau,10.139.88.194,tper4341.lan,nulamc,sint,etcon,ctobeat -%MSDHCP-598-11008: 11008,10/18/19,3:14:14,lorumw,10.86.134.125,nimve4965.mail.corp,ola,ptat,quasi,tium -%MSDHCP-5046-11008: 11008,11/1/19,10:16:48,nul,10.41.78.169,mquisno5146.home,mipsamv,exeacomm,sequines,cto -%MSDHCP-5270-11014: 11014,11/15/19,5:19:22,lumquid,10.69.181.95,imaveni4500.api.localdomain,ssequamn,ave,taliqui,idi -%MSDHCP-5895-1098: 1098,11/30/19,12:21:57,mqu,10.222.6.52,veleu2874.www5.localhost,tasnu,loru,iadeser,litess -%MSDHCP-7704-ID: ID,12/14/19,7:24:31,quovolu,10.218.41.80,nemul5083.api.localdomain,01:00:5e:52:c7:67 +%MSDHCP-905-50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac +%MSDHCP-4257-11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer +%MSDHCP-5634-62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost,01:00:5e:3a:fe:e3,mest +%MSDHCP-363-11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu +%MSDHCP-4880-57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp,01:00:5e:ad:16:77, +%MSDHCP-6962-57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home,01:00:5e:33:84:66 +%MSDHCP-5355-60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home,01:00:5e:69:9a:1a,eumiu +%MSDHCP-7417-15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu +%MSDHCP-5162-59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno +%MSDHCP-4141-10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain,01:00:5e:f5:8e:0d +%MSDHCP-5408-15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet +%MSDHCP-5738-11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit +%MSDHCP-4243-25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor +%MSDHCP-1579-11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep +%MSDHCP-3971-56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos +%MSDHCP-2933-17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example,01:00:5e:c9:5b:b2, +%MSDHCP-5393-11003: 11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB +%MSDHCP-4171-16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain,01:00:5e:e7:c7:cb +%MSDHCP-7290-32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido +%MSDHCP-4125-53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain,01:00:5e:10:76:60,ender +%MSDHCP-5368-50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home,01:00:5e:b9:7e:b1 +%MSDHCP-4173-33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost,01:00:5e:fa:2b:37 +%MSDHCP-5883-52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host,01:00:5e:37:14:9d,tessec +%MSDHCP-6446-36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain,01:00:5e:59:a3:48, +%MSDHCP-686-12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example,01:00:5e:44:c4:69 +%MSDHCP-2230-25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol +%MSDHCP-6103-11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun +%MSDHCP-927-58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home,01:00:5e:24:f1:b2 +%MSDHCP-4632-51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost,01:00:5e:31:b9:65,dtem +%MSDHCP-5377-50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host,01:00:5e:60:77:c7,tinvol +%MSDHCP-5524-11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi +%MSDHCP-5841-11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion +%MSDHCP-5705-52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi +%MSDHCP-1559-11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac +%MSDHCP-2228-20: 20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home,01:00:5e:cc:0b:8f +%MSDHCP-7427-11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme +%MSDHCP-2991-16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example,01:00:5e:e1:73:47,maccusa +%MSDHCP-3458-11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta +%MSDHCP-2807-53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home,01:00:5e:a0:cd:2f,iamquis +%MSDHCP-6972-11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame +%MSDHCP-5040-24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid,01:00:5e:c7:b7:18 +%MSDHCP-2026-02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example,01:00:5e:81:99:6f,dol +%MSDHCP-4977-11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq +%MSDHCP-1180-11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp +%MSDHCP-2628-11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre +%MSDHCP-2949-11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test,01:00:5e:35:a8:83,fugitse +%MSDHCP-3331-54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local,01:00:5e:3b:7a:f1,sperna +%MSDHCP-7576-30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain,01:00:5e:1e:d6:07,texp +%MSDHCP-5037-11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam +%MSDHCP-6385-1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno +%MSDHCP-1747-11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium +%MSDHCP-6686-57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain,01:00:5e:5b:99:6c,magnid +%MSDHCP-7582-17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local,01:00:5e:78:a7:55,gnido +%MSDHCP-6036-50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host,01:00:5e:ed:c2:f7 +%MSDHCP-4949-11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr +%MSDHCP-6418-59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta +%MSDHCP-4824-11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu +%MSDHCP-5368-60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu +%MSDHCP-5740-24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest +%MSDHCP-1842-11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno +%MSDHCP-5263-11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons +%MSDHCP-510-20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local,01:00:5e:7e:22:1b +%MSDHCP-4410-11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov +%MSDHCP-4554-01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin +%MSDHCP-3253-ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65 +%MSDHCP-1394-11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag +%MSDHCP-5983-56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite +%MSDHCP-7829-32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home,01:00:5e:c1:3c:48,exercita +%MSDHCP-2516-11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli +%MSDHCP-543-11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui +%MSDHCP-6846-11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun +%MSDHCP-7741-1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo +%MSDHCP-18-11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia +%MSDHCP-6789-11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender +%MSDHCP-1540-11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni +%MSDHCP-2244-32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid,01:00:5e:fd:3d:c2,nts +%MSDHCP-5663-11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab +%MSDHCP-6672-12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain,01:00:5e:ba:09:4a,tpersp +%MSDHCP-6797-01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat +%MSDHCP-4494-51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo +%MSDHCP-7205-50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain,01:00:5e:27:0a:9d, +%MSDHCP-5224-11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured +%MSDHCP-5608-11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat +%MSDHCP-3051-1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor +%MSDHCP-2315-01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac +%MSDHCP-2690-14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local,01:00:5e:7a:4c:6e,miu +%MSDHCP-6444-11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide +%MSDHCP-7037-11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example,01:00:5e:0b:fb:4a +%MSDHCP-6392-64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home,01:00:5e:80:9d:2c, +%MSDHCP-5524-1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem +%MSDHCP-1978-11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation +%MSDHCP-5469-11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori +%MSDHCP-2-11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse +%MSDHCP-2859-59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home,01:00:5e:1b:92:a6 +%MSDHCP-4924-11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa +%MSDHCP-1738-25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi +%MSDHCP-5282-60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil +%MSDHCP-3023-11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt +%MSDHCP-4890-23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example,01:00:5e:11:45:1e,itaedict +%MSDHCP-4271-55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example,01:00:5e:01:2f:7d diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json index 48ad613503de..8bc24bf8ae5a 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json @@ -1,62 +1,67 @@ [ { "@timestamp": "2016-01-29T08:09:59.000Z", - "event.code": "11030", + "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4257-11030: 11030,1/29/16,6:09:59,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer", + "event.original": "%MSDHCP-905-50: 50,1/29/16,6:09:59,nnumqua,10.133.8.128,sse3269.invalid,01:00:5e:ce:bf:42,ventore,ivelitse,ritin,uredolor,tatemac", "fileset.name": "dhcp", - "host.hostname": "ciade5699.domain", + "host.hostname": "sse3269.invalid", "input.type": "log", "log.offset": 0, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ciade5699.domain" + "sse3269.invalid" ], "related.ip": [ - "10.124.22.221" + "10.133.8.128" ], - "rsa.internal.event_desc": "oremi", - "rsa.internal.messageid": "11030", + "related.user": [ + "ventore" + ], + "rsa.internal.event_desc": "nnumqua", + "rsa.internal.messageid": "50", "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "microsoft", - "source.address": "ciade5699.domain", + "source.address": "sse3269.invalid", "source.ip": [ - "10.124.22.221" + "10.133.8.128" ], + "source.mac": "01:00:5e:ce:bf:42", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "ventore" }, { "@timestamp": "2016-02-12T03:12:33.000Z", - "event.code": "11015", + "event.code": "11030", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-363-11015: 11015,2/12/16,1:12:33,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu", + "event.original": "%MSDHCP-4257-11030: 11030,2/12/16,1:12:33,oremi,10.124.22.221,ciade5699.domain,umq,ntium,psaq,cer", "fileset.name": "dhcp", - "host.hostname": "orev6153.internal.domain", + "host.hostname": "ciade5699.domain", "input.type": "log", - "log.offset": 98, + "log.offset": 130, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "orev6153.internal.domain" + "ciade5699.domain" ], "related.ip": [ - "10.103.162.55" + "10.124.22.221" ], - "rsa.internal.event_desc": "nci", - "rsa.internal.messageid": "11015", + "rsa.internal.event_desc": "oremi", + "rsa.internal.messageid": "11030", "rsa.time.event_time": "2016-02-12T03:12:33.000Z", "service.type": "microsoft", - "source.address": "orev6153.internal.domain", + "source.address": "ciade5699.domain", "source.ip": [ - "10.103.162.55" + "10.124.22.221" ], "tags": [ "microsoft.dhcp", @@ -65,31 +70,32 @@ }, { "@timestamp": "2016-02-26T10:15:08.000Z", - "event.code": "11008", + "event.code": "62", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5738-11008: 11008,2/26/16,8:15:08,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit", + "event.original": "%MSDHCP-5634-62: 62,2/26/16,8:15:08,equepor,10.196.153.12,sequa6540.www5.localhost,01:00:5e:3a:fe:e3,mest", "fileset.name": "dhcp", - "host.hostname": "uatDuis2964.test", + "host.hostname": "sequa6540.www5.localhost", "input.type": "log", - "log.offset": 204, + "log.offset": 228, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "uatDuis2964.test" + "sequa6540.www5.localhost" ], "related.ip": [ - "10.58.0.245" + "10.196.153.12" ], - "rsa.internal.event_desc": "ccaecat", - "rsa.internal.messageid": "11008", + "rsa.internal.event_desc": "equepor", + "rsa.internal.messageid": "62", "rsa.time.event_time": "2016-02-26T10:15:08.000Z", "service.type": "microsoft", - "source.address": "uatDuis2964.test", + "source.address": "sequa6540.www5.localhost", "source.ip": [ - "10.58.0.245" + "10.196.153.12" ], + "source.mac": "01:00:5e:3a:fe:e3", "tags": [ "microsoft.dhcp", "forwarded" @@ -97,32 +103,30 @@ }, { "@timestamp": "2016-03-12T05:17:42.000Z", - "event.code": "11011", + "event.code": "11015", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1579-11011: 11011,3/12/16,3:17:42,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep", + "event.original": "%MSDHCP-363-11015: 11015,3/12/16,3:17:42,nci,10.103.162.55,orev6153.internal.domain,deF,sist,nnumqu,iatnu", "fileset.name": "dhcp", - "host.hostname": "untNequ5075.www5.domain", + "host.hostname": "orev6153.internal.domain", "input.type": "log", - "log.offset": 311, + "log.offset": 334, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "untNequ5075.www5.domain" + "orev6153.internal.domain" ], "related.ip": [ - "10.163.217.10" + "10.103.162.55" ], - "rsa.internal.event_desc": "natura", - "rsa.internal.messageid": "11011", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "nci", + "rsa.internal.messageid": "11015", "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "microsoft", - "source.address": "untNequ5075.www5.domain", + "source.address": "orev6153.internal.domain", "source.ip": [ - "10.163.217.10" + "10.103.162.55" ], "tags": [ "microsoft.dhcp", @@ -131,31 +135,32 @@ }, { "@timestamp": "2016-03-26T12:20:16.000Z", - "event.code": "11003", + "event.code": "57", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5393-11003: 11003,3/26/16,10:20:16,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB", + "event.original": "%MSDHCP-4880-57: 57,3/26/16,10:20:16,quipexe,10.162.33.193,agn2581.www5.corp,01:00:5e:ad:16:77,", "fileset.name": "dhcp", - "host.hostname": "idexea3181.www.local", + "host.hostname": "agn2581.www5.corp", "input.type": "log", - "log.offset": 421, + "log.offset": 440, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "idexea3181.www.local" + "agn2581.www5.corp" ], "related.ip": [ - "10.111.27.193" + "10.162.33.193" ], - "rsa.internal.event_desc": "temsequ", - "rsa.internal.messageid": "11003", + "rsa.internal.event_desc": "quipexe", + "rsa.internal.messageid": "57", "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "microsoft", - "source.address": "idexea3181.www.local", + "source.address": "agn2581.www5.corp", "source.ip": [ - "10.111.27.193" + "10.162.33.193" ], + "source.mac": "01:00:5e:ad:16:77", "tags": [ "microsoft.dhcp", "forwarded" @@ -163,31 +168,32 @@ }, { "@timestamp": "2016-04-09T07:22:51.000Z", - "event.code": "11018", + "event.code": "57", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6103-11018: 11018,4/9/16,5:22:51,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun", + "event.original": "%MSDHCP-6962-57: 57,4/9/16,5:22:51,moenimi,10.156.15.206,enatus2114.mail.home,01:00:5e:33:84:66", "fileset.name": "dhcp", - "host.hostname": "etM953.api.domain", + "host.hostname": "enatus2114.mail.home", "input.type": "log", - "log.offset": 529, + "log.offset": 536, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "etM953.api.domain" + "enatus2114.mail.home" ], "related.ip": [ - "10.97.38.141" + "10.156.15.206" ], - "rsa.internal.event_desc": "lapariat", - "rsa.internal.messageid": "11018", + "rsa.internal.event_desc": "moenimi", + "rsa.internal.messageid": "57", "rsa.time.event_time": "2016-04-09T07:22:51.000Z", "service.type": "microsoft", - "source.address": "etM953.api.domain", + "source.address": "enatus2114.mail.home", "source.ip": [ - "10.97.38.141" + "10.156.15.206" ], + "source.mac": "01:00:5e:33:84:66", "tags": [ "microsoft.dhcp", "forwarded" @@ -195,31 +201,32 @@ }, { "@timestamp": "2016-04-24T14:25:25.000Z", - "event.code": "11019", + "event.code": "60", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5524-11019: 11019,4/24/16,12:25:25,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi", + "event.original": "%MSDHCP-5355-60: 60,4/24/16,12:25:25,ntex,10.1.118.72,proident2802.home,01:00:5e:69:9a:1a,eumiu", "fileset.name": "dhcp", - "host.hostname": "inv5716.mail.invalid", + "host.hostname": "proident2802.home", "input.type": "log", - "log.offset": 633, + "log.offset": 632, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "inv5716.mail.invalid" + "proident2802.home" ], "related.ip": [ - "10.17.21.125" + "10.1.118.72" ], - "rsa.internal.event_desc": "moenimi", - "rsa.internal.messageid": "11019", + "rsa.internal.event_desc": "ntex", + "rsa.internal.messageid": "60", "rsa.time.event_time": "2016-04-24T14:25:25.000Z", "service.type": "microsoft", - "source.address": "inv5716.mail.invalid", + "source.address": "proident2802.home", "source.ip": [ - "10.17.21.125" + "10.1.118.72" ], + "source.mac": "01:00:5e:69:9a:1a", "tags": [ "microsoft.dhcp", "forwarded" @@ -227,95 +234,111 @@ }, { "@timestamp": "2016-05-08T09:27:59.000Z", - "event.code": "11021", + "event.code": "15", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5841-11021: 11021,5/8/16,7:27:59,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion", + "event.original": "%MSDHCP-7417-15: 15,5/8/16,7:27:59,orisn,10.70.235.184,ofdeF7240.www.home,01:00:5e:a2:09:ea,tionulam,uameius,ratio,ptas,nevolu", "fileset.name": "dhcp", - "host.hostname": "uines6355.internal.localdomain", + "host.hostname": "ofdeF7240.www.home", "input.type": "log", - "log.offset": 748, + "log.offset": 728, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "uines6355.internal.localdomain" + "ofdeF7240.www.home" ], "related.ip": [ - "10.73.69.75" + "10.70.235.184" ], - "rsa.internal.event_desc": "nofdeF", - "rsa.internal.messageid": "11021", + "related.user": [ + "tionulam" + ], + "rsa.internal.event_desc": "orisn", + "rsa.internal.messageid": "15", "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "microsoft", - "source.address": "uines6355.internal.localdomain", + "source.address": "ofdeF7240.www.home", "source.ip": [ - "10.73.69.75" + "10.70.235.184" ], + "source.mac": "01:00:5e:a2:09:ea", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "tionulam" }, { "@timestamp": "2016-05-22T04:30:33.000Z", - "event.code": "11020", + "event.code": "59", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1559-11020: 11020,5/22/16,2:30:33,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac", + "event.original": "%MSDHCP-5162-59: 59,5/22/16,2:30:33,nci,10.86.118.154,amco5712.www5.localdomain,01:00:5e:35:c0:09,con,uia,quiavo,issusci,mol,taspe,mvolu,radip,tNequ,gelit,tatno", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "rehender4535.www5.test", + "host.hostname": "amco5712.www5.localdomain", "input.type": "log", - "log.offset": 863, + "log.offset": 855, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "rehender4535.www5.test" + "amco5712.www5.localdomain" ], "related.ip": [ - "10.45.25.68" + "10.86.118.154" ], - "rsa.internal.event_desc": "deFinibu", - "rsa.internal.messageid": "11020", + "related.user": [ + "con" + ], + "rsa.internal.event_desc": "nci", + "rsa.internal.messageid": "59", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "radip", + "rsa.misc.log_session_id": "uia", "rsa.time.event_time": "2016-05-22T04:30:33.000Z", "service.type": "microsoft", - "source.address": "rehender4535.www5.test", + "source.address": "amco5712.www5.localdomain", "source.ip": [ - "10.45.25.68" + "10.86.118.154" ], + "source.mac": "01:00:5e:35:c0:09", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "con" }, { "@timestamp": "2016-06-05T11:33:08.000Z", - "event.code": "11006", + "event.code": "10", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7427-11006: 11006,6/5/16,9:33:08,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme", + "event.original": "%MSDHCP-4141-10: 10,6/5/16,9:33:08,uam,10.5.62.63,llu4762.mail.localdomain,01:00:5e:f5:8e:0d", "fileset.name": "dhcp", - "host.hostname": "mporain2624.www.localhost", + "host.hostname": "llu4762.mail.localdomain", "input.type": "log", - "log.offset": 974, + "log.offset": 1016, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "mporain2624.www.localhost" + "llu4762.mail.localdomain" ], "related.ip": [ - "10.68.93.6" + "10.5.62.63" ], - "rsa.internal.event_desc": "psaquae", - "rsa.internal.messageid": "11006", + "rsa.internal.event_desc": "uam", + "rsa.internal.messageid": "10", "rsa.time.event_time": "2016-06-05T11:33:08.000Z", "service.type": "microsoft", - "source.address": "mporain2624.www.localhost", + "source.address": "llu4762.mail.localdomain", "source.ip": [ - "10.68.93.6" + "10.5.62.63" ], + "source.mac": "01:00:5e:f5:8e:0d", "tags": [ "microsoft.dhcp", "forwarded" @@ -323,62 +346,67 @@ }, { "@timestamp": "2016-06-20T06:35:42.000Z", - "event.code": "11003", + "event.code": "15", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3458-11003: 11003,6/20/16,4:35:42,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta", + "event.original": "%MSDHCP-5408-15: 15,6/20/16,4:35:42,llumd,10.66.3.197,emaper2638.lan,01:00:5e:0b:42:ab,uaerat,boreet,onev,tenima,laboreet", "fileset.name": "dhcp", - "host.hostname": "tutla2716.www.domain", + "host.hostname": "emaper2638.lan", "input.type": "log", - "log.offset": 1085, + "log.offset": 1109, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "tutla2716.www.domain" + "emaper2638.lan" ], "related.ip": [ - "10.192.110.182" + "10.66.3.197" ], - "rsa.internal.event_desc": "idex", - "rsa.internal.messageid": "11003", + "related.user": [ + "uaerat" + ], + "rsa.internal.event_desc": "llumd", + "rsa.internal.messageid": "15", "rsa.time.event_time": "2016-06-20T06:35:42.000Z", "service.type": "microsoft", - "source.address": "tutla2716.www.domain", + "source.address": "emaper2638.lan", "source.ip": [ - "10.192.110.182" + "10.66.3.197" ], + "source.mac": "01:00:5e:0b:42:ab", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "uaerat" }, { "@timestamp": "2016-07-04T13:38:16.000Z", - "event.code": "11012", + "event.code": "11008", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6972-11012: 11012,7/4/16,11:38:16,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame", + "event.original": "%MSDHCP-5738-11008: 11008,7/4/16,11:38:16,ccaecat,10.58.0.245,uatDuis2964.test,veri,rsita,siutaliq,exercit", "fileset.name": "dhcp", - "host.hostname": "conseq557.mail.lan", + "host.hostname": "uatDuis2964.test", "input.type": "log", - "log.offset": 1195, + "log.offset": 1231, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "conseq557.mail.lan" + "uatDuis2964.test" ], "related.ip": [ - "10.148.153.201" + "10.58.0.245" ], - "rsa.internal.event_desc": "ittenbyC", - "rsa.internal.messageid": "11012", + "rsa.internal.event_desc": "ccaecat", + "rsa.internal.messageid": "11008", "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "microsoft", - "source.address": "conseq557.mail.lan", + "source.address": "uatDuis2964.test", "source.ip": [ - "10.148.153.201" + "10.58.0.245" ], "tags": [ "microsoft.dhcp", @@ -387,64 +415,69 @@ }, { "@timestamp": "2016-07-18T08:40:50.000Z", - "event.code": "11019", + "event.code": "25", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4977-11019: 11019,7/18/16,6:40:50,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq", + "event.original": "%MSDHCP-4243-25: 25,7/18/16,6:40:50,antium,10.103.246.190,iusmodt2597.api.domain,01:00:5e:8b:ba:06,ect,reetdolo,nrepreh,obeataev,lor", "fileset.name": "dhcp", - "host.hostname": "etconse7424.internal.lan", + "host.hostname": "iusmodt2597.api.domain", "input.type": "log", - "log.offset": 1308, + "log.offset": 1338, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "etconse7424.internal.lan" + "iusmodt2597.api.domain" ], "related.ip": [ - "10.213.147.241" + "10.103.246.190" ], - "rsa.internal.event_desc": "que", - "rsa.internal.messageid": "11019", + "related.user": [ + "ect" + ], + "rsa.internal.event_desc": "antium", + "rsa.internal.messageid": "25", "rsa.time.event_time": "2016-07-18T08:40:50.000Z", "service.type": "microsoft", - "source.address": "etconse7424.internal.lan", + "source.address": "iusmodt2597.api.domain", "source.ip": [ - "10.213.147.241" + "10.103.246.190" ], + "source.mac": "01:00:5e:8b:ba:06", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "ect" }, { "@timestamp": "2016-08-02T03:43:25.000Z", - "event.code": "11010", + "event.code": "11011", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1180-11010: 11010,8/2/16,1:43:25,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp", + "event.original": "%MSDHCP-1579-11011: 11011,8/2/16,1:43:25,natura,10.163.217.10,untNequ5075.www5.domain,erep,iutal,dexe,urerep", "fileset.name": "dhcp", - "host.hostname": "tMalor7410.www.localhost", + "host.hostname": "untNequ5075.www5.domain", "input.type": "log", - "log.offset": 1413, + "log.offset": 1471, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "tMalor7410.www.localhost" + "untNequ5075.www5.domain" ], "related.ip": [ - "10.183.233.5" + "10.163.217.10" ], - "rsa.internal.event_desc": "serunt", - "rsa.internal.messageid": "11010", - "rsa.investigations.ec_activity": "Start", + "rsa.internal.event_desc": "natura", + "rsa.internal.messageid": "11011", + "rsa.investigations.ec_activity": "Stop", "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "microsoft", - "source.address": "tMalor7410.www.localhost", + "source.address": "untNequ5075.www5.domain", "source.ip": [ - "10.183.233.5" + "10.163.217.10" ], "tags": [ "microsoft.dhcp", @@ -453,63 +486,74 @@ }, { "@timestamp": "2016-08-16T10:45:59.000Z", - "event.code": "11013", + "event.code": "56", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2628-11013: 11013,8/16/16,8:45:59,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre", + "event.original": "%MSDHCP-3971-56: 56,8/16/16,8:45:59,lorem,10.150.193.226,uidolore6237.internal.local,01:00:5e:42:6c:b4,suntinc,elits,llam,llamcorp,ari,eataevit,uptatev,uovol,dmi,olab,mquisnos", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "equat2243.www5.localdomain", + "host.hostname": "uidolore6237.internal.local", "input.type": "log", - "log.offset": 1522, + "log.offset": 1580, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "equat2243.www5.localdomain" + "uidolore6237.internal.local" ], "related.ip": [ - "10.52.186.29" + "10.150.193.226" ], - "rsa.internal.event_desc": "tNequepo", - "rsa.internal.messageid": "11013", + "related.user": [ + "suntinc" + ], + "rsa.internal.event_desc": "lorem", + "rsa.internal.messageid": "56", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.investigations.event_vcat": "uovol", + "rsa.misc.log_session_id": "elits", "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "microsoft", - "source.address": "equat2243.www5.localdomain", + "source.address": "uidolore6237.internal.local", "source.ip": [ - "10.52.186.29" + "10.150.193.226" ], + "source.mac": "01:00:5e:42:6c:b4", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "suntinc" }, { "@timestamp": "2016-08-30T05:48:33.000Z", - "event.code": "11004", + "event.code": "17", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5037-11004: 11004,8/30/16,3:48:33,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam", + "event.original": "%MSDHCP-2933-17: 17,8/30/16,3:48:33,tsed,10.111.61.181,incididu1896.example,01:00:5e:c9:5b:b2,", "fileset.name": "dhcp", - "host.hostname": "ectio2175.www.localhost", + "host.hostname": "incididu1896.example", "input.type": "log", - "log.offset": 1640, + "log.offset": 1756, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ectio2175.www.localhost" + "incididu1896.example" ], "related.ip": [ - "10.194.114.58" + "10.111.61.181" ], - "rsa.internal.event_desc": "uela", - "rsa.internal.messageid": "11004", + "rsa.internal.event_desc": "tsed", + "rsa.internal.messageid": "17", "rsa.time.event_time": "2016-08-30T05:48:33.000Z", "service.type": "microsoft", - "source.address": "ectio2175.www.localhost", + "source.address": "incididu1896.example", "source.ip": [ - "10.194.114.58" + "10.111.61.181" ], + "source.mac": "01:00:5e:c9:5b:b2", "tags": [ "microsoft.dhcp", "forwarded" @@ -517,30 +561,30 @@ }, { "@timestamp": "2016-09-13T12:51:07.000Z", - "event.code": "1103", + "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6385-1103: 1103,9/13/16,10:51:07,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno", + "event.original": "%MSDHCP-5393-11003: 11003,9/13/16,10:51:07,temsequ,10.111.27.193,idexea3181.www.local,tvol,moll,tatione,inB", "fileset.name": "dhcp", - "host.hostname": "liqui6106.internal.home", + "host.hostname": "idexea3181.www.local", "input.type": "log", - "log.offset": 1750, + "log.offset": 1851, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "liqui6106.internal.home" + "idexea3181.www.local" ], "related.ip": [ - "10.212.42.224" + "10.111.27.193" ], - "rsa.internal.event_desc": "ris", - "rsa.internal.messageid": "1103", + "rsa.internal.event_desc": "temsequ", + "rsa.internal.messageid": "11003", "rsa.time.event_time": "2016-09-13T12:51:07.000Z", "service.type": "microsoft", - "source.address": "liqui6106.internal.home", + "source.address": "idexea3181.www.local", "source.ip": [ - "10.212.42.224" + "10.111.27.193" ], "tags": [ "microsoft.dhcp", @@ -549,33 +593,34 @@ }, { "@timestamp": "2016-09-28T07:53:42.000Z", - "event.code": "11011", + "event.code": "16", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1747-11011: 11011,9/28/16,5:53:42,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium", + "event.original": "%MSDHCP-4171-16: 16,9/28/16,5:53:42,ntsuntin,10.153.112.62,imav3236.mail.domain,01:00:5e:e7:c7:cb", "fileset.name": "dhcp", - "host.hostname": "eratv6205.internal.lan", + "host.hostname": "imav3236.mail.domain", "input.type": "log", - "log.offset": 1861, + "log.offset": 1959, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "eratv6205.internal.lan" + "imav3236.mail.domain" ], "related.ip": [ - "10.244.144.198" + "10.153.112.62" ], - "rsa.internal.event_desc": "aliquam", - "rsa.internal.messageid": "11011", - "rsa.investigations.ec_activity": "Stop", + "rsa.internal.event_desc": "ntsuntin", + "rsa.internal.messageid": "16", + "rsa.investigations.ec_activity": "Delete", "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2016-09-28T07:53:42.000Z", "service.type": "microsoft", - "source.address": "eratv6205.internal.lan", + "source.address": "imav3236.mail.domain", "source.ip": [ - "10.244.144.198" + "10.153.112.62" ], + "source.mac": "01:00:5e:e7:c7:cb", "tags": [ "microsoft.dhcp", "forwarded" @@ -583,65 +628,72 @@ }, { "@timestamp": "2016-10-12T14:56:16.000Z", - "event.code": "11020", + "event.code": "32", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4949-11020: 11020,10/12/16,12:56:16,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr", + "event.original": "%MSDHCP-7290-32: 32,10/12/16,12:56:16,iam,10.98.34.185,ercit3947.api.local,01:00:5e:a4:f5:60,olupta,turveli,toccae,tatno,nido", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "piscin6866.internal.host", + "host.hostname": "ercit3947.api.local", "input.type": "log", - "log.offset": 1979, + "log.offset": 2057, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "piscin6866.internal.host" + "ercit3947.api.local" ], "related.ip": [ - "10.90.86.89" + "10.98.34.185" ], - "rsa.internal.event_desc": "derit", - "rsa.internal.messageid": "11020", + "related.user": [ + "olupta" + ], + "rsa.internal.event_desc": "iam", + "rsa.internal.messageid": "32", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "Configuration", "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "microsoft", - "source.address": "piscin6866.internal.host", + "source.address": "ercit3947.api.local", "source.ip": [ - "10.90.86.89" + "10.98.34.185" ], + "source.mac": "01:00:5e:a4:f5:60", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "olupta" }, { "@timestamp": "2016-10-26T09:58:50.000Z", - "event.code": "11010", + "event.code": "53", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4824-11010: 11010,10/26/16,7:58:50,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu", + "event.original": "%MSDHCP-4125-53: 53,10/26/16,7:58:50,itlabori,10.252.112.103,usan6343.www5.domain,01:00:5e:10:76:60,ender", "fileset.name": "dhcp", - "host.hostname": "riosamn7650.api.test", + "host.hostname": "usan6343.www5.domain", "input.type": "log", - "log.offset": 2093, + "log.offset": 2183, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "riosamn7650.api.test" + "usan6343.www5.domain" ], "related.ip": [ - "10.158.237.92" + "10.252.112.103" ], - "rsa.internal.event_desc": "volupt", - "rsa.internal.messageid": "11010", - "rsa.investigations.ec_activity": "Start", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "itlabori", + "rsa.internal.messageid": "53", "rsa.time.event_time": "2016-10-26T09:58:50.000Z", "service.type": "microsoft", - "source.address": "riosamn7650.api.test", + "source.address": "usan6343.www5.domain", "source.ip": [ - "10.158.237.92" + "10.252.112.103" ], + "source.mac": "01:00:5e:10:76:60", "tags": [ "microsoft.dhcp", "forwarded" @@ -649,35 +701,32 @@ }, { "@timestamp": "2016-11-10T05:01:24.000Z", - "event.code": "11023", + "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1842-11023: 11023,11/10/16,3:01:24,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno", - "event.outcome": "failure", + "event.original": "%MSDHCP-5368-50: 50,11/10/16,3:01:24,atquovo,10.246.117.190,mquaera3924.www5.home,01:00:5e:b9:7e:b1", "fileset.name": "dhcp", - "host.hostname": "aper5651.test", + "host.hostname": "mquaera3924.www5.home", "input.type": "log", - "log.offset": 2205, + "log.offset": 2289, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "aper5651.test" + "mquaera3924.www5.home" ], "related.ip": [ - "10.20.147.134" + "10.246.117.190" ], - "rsa.internal.event_desc": "epte", - "rsa.internal.messageid": "11023", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "atquovo", + "rsa.internal.messageid": "50", "rsa.time.event_time": "2016-11-10T05:01:24.000Z", "service.type": "microsoft", - "source.address": "aper5651.test", + "source.address": "mquaera3924.www5.home", "source.ip": [ - "10.20.147.134" + "10.246.117.190" ], + "source.mac": "01:00:5e:b9:7e:b1", "tags": [ "microsoft.dhcp", "forwarded" @@ -685,31 +734,35 @@ }, { "@timestamp": "2016-11-24T12:03:59.000Z", - "event.code": "11007", + "event.code": "33", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5263-11007: 11007,11/24/16,10:03:59,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons", + "event.original": "%MSDHCP-4173-33: 33,11/24/16,10:03:59,undeo,10.82.52.233,atuse2703.localhost,01:00:5e:fa:2b:37", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "inventor6088.www.invalid", + "host.hostname": "atuse2703.localhost", "input.type": "log", - "log.offset": 2302, + "log.offset": 2389, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "inventor6088.www.invalid" + "atuse2703.localhost" ], "related.ip": [ - "10.213.145.202" + "10.82.52.233" ], - "rsa.internal.event_desc": "saute", - "rsa.internal.messageid": "11007", + "rsa.internal.event_desc": "undeo", + "rsa.internal.messageid": "33", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "Configuration", "rsa.time.event_time": "2016-11-24T12:03:59.000Z", "service.type": "microsoft", - "source.address": "inventor6088.www.invalid", + "source.address": "atuse2703.localhost", "source.ip": [ - "10.213.145.202" + "10.82.52.233" ], + "source.mac": "01:00:5e:fa:2b:37", "tags": [ "microsoft.dhcp", "forwarded" @@ -717,31 +770,32 @@ }, { "@timestamp": "2016-12-08T07:06:33.000Z", - "event.code": "11003", + "event.code": "52", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4410-11003: 11003,12/8/16,5:06:33,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov", + "event.original": "%MSDHCP-5883-52: 52,12/8/16,5:06:33,ips,10.149.59.28,emporinc5075.internal.host,01:00:5e:37:14:9d,tessec", "fileset.name": "dhcp", - "host.hostname": "cipitlab6201.www5.example", + "host.hostname": "emporinc5075.internal.host", "input.type": "log", - "log.offset": 2415, + "log.offset": 2484, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "cipitlab6201.www5.example" + "emporinc5075.internal.host" ], "related.ip": [ - "10.76.10.73" + "10.149.59.28" ], - "rsa.internal.event_desc": "itinvol", - "rsa.internal.messageid": "11003", + "rsa.internal.event_desc": "ips", + "rsa.internal.messageid": "52", "rsa.time.event_time": "2016-12-08T07:06:33.000Z", "service.type": "microsoft", - "source.address": "cipitlab6201.www5.example", + "source.address": "emporinc5075.internal.host", "source.ip": [ - "10.76.10.73" + "10.149.59.28" ], + "source.mac": "01:00:5e:37:14:9d", "tags": [ "microsoft.dhcp", "forwarded" @@ -749,32 +803,32 @@ }, { "@timestamp": "2016-12-23T14:09:07.000Z", - "event.code": "ID", + "event.code": "36", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3253-ID: ID,12/23/16,12:09:07,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65", + "event.original": "%MSDHCP-6446-36: 36,12/23/16,12:09:07,ist,10.169.144.147,onsequat2984.www5.domain,01:00:5e:59:a3:48,", "fileset.name": "dhcp", - "host.hostname": "Nemoenim2039.api.localhost", + "host.hostname": "onsequat2984.www5.domain", "input.type": "log", - "log.offset": 2524, + "log.offset": 2589, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "Nemoenim2039.api.localhost" + "onsequat2984.www5.domain" ], "related.ip": [ - "10.226.199.190" + "10.169.144.147" ], - "rsa.internal.event_desc": "roid", - "rsa.internal.messageid": "ID", + "rsa.internal.event_desc": "ist", + "rsa.internal.messageid": "36", "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "microsoft", - "source.address": "Nemoenim2039.api.localhost", + "source.address": "onsequat2984.www5.domain", "source.ip": [ - "10.226.199.190" + "10.169.144.147" ], - "source.mac": "01:00:5e:f6:ba:65", + "source.mac": "01:00:5e:59:a3:48", "tags": [ "microsoft.dhcp", "forwarded" @@ -782,31 +836,32 @@ }, { "@timestamp": "2017-01-06T09:11:41.000Z", - "event.code": "11000", + "event.code": "12", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1394-11000: 11000,1/6/17,7:11:41,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag", + "event.original": "%MSDHCP-686-12: 12,1/6/17,7:11:41,nsequu,10.66.168.154,omm4276.www.example,01:00:5e:44:c4:69", "fileset.name": "dhcp", - "host.hostname": "iquipe2458.api.host", + "host.hostname": "omm4276.www.example", "input.type": "log", - "log.offset": 2627, + "log.offset": 2690, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "iquipe2458.api.host" + "omm4276.www.example" ], "related.ip": [ - "10.20.129.206" + "10.66.168.154" ], - "rsa.internal.event_desc": "itessequ", - "rsa.internal.messageid": "11000", + "rsa.internal.event_desc": "nsequu", + "rsa.internal.messageid": "12", "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "microsoft", - "source.address": "iquipe2458.api.host", + "source.address": "omm4276.www.example", "source.ip": [ - "10.20.129.206" + "10.66.168.154" ], + "source.mac": "01:00:5e:44:c4:69", "tags": [ "microsoft.dhcp", "forwarded" @@ -814,62 +869,69 @@ }, { "@timestamp": "2017-01-20T04:14:16.000Z", - "event.code": "11007", + "event.code": "25", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2516-11007: 11007,1/20/17,2:14:16,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli", + "event.original": "%MSDHCP-2230-25: 25,1/20/17,2:14:16,torev,10.214.241.84,ctetura4886.www5.lan,01:00:5e:3a:d0:86,ita,ipi,rsitamet,lupt,xea,qua,luptatev,admi,modocons,elaudant,tinvol", "fileset.name": "dhcp", - "host.hostname": "intoc1426.mail.lan", + "host.hostname": "ctetura4886.www5.lan", "input.type": "log", - "log.offset": 2736, + "log.offset": 2783, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "intoc1426.mail.lan" + "ctetura4886.www5.lan" ], "related.ip": [ - "10.22.110.210" + "10.214.241.84" ], - "rsa.internal.event_desc": "oremeu", - "rsa.internal.messageid": "11007", + "related.user": [ + "ita" + ], + "rsa.internal.event_desc": "torev", + "rsa.internal.messageid": "25", + "rsa.investigations.event_vcat": "admi", + "rsa.misc.log_session_id": "ipi", "rsa.time.event_time": "2017-01-20T04:14:16.000Z", "service.type": "microsoft", - "source.address": "intoc1426.mail.lan", + "source.address": "ctetura4886.www5.lan", "source.ip": [ - "10.22.110.210" + "10.214.241.84" ], + "source.mac": "01:00:5e:3a:d0:86", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "ita" }, { "@timestamp": "2017-02-03T11:16:50.000Z", - "event.code": "11006", + "event.code": "11018", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-543-11006: 11006,2/3/17,9:16:50,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui", + "event.original": "%MSDHCP-6103-11018: 11018,2/3/17,9:16:50,lapariat,10.97.38.141,etM953.api.domain,xercitat,lpa,entsu,dun", "fileset.name": "dhcp", - "host.hostname": "rsitvolu3751.mail.lan", + "host.hostname": "etM953.api.domain", "input.type": "log", - "log.offset": 2844, + "log.offset": 2947, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "rsitvolu3751.mail.lan" + "etM953.api.domain" ], "related.ip": [ - "10.218.87.174" + "10.97.38.141" ], - "rsa.internal.event_desc": "eturadi", - "rsa.internal.messageid": "11006", + "rsa.internal.event_desc": "lapariat", + "rsa.internal.messageid": "11018", "rsa.time.event_time": "2017-02-03T11:16:50.000Z", "service.type": "microsoft", - "source.address": "rsitvolu3751.mail.lan", + "source.address": "etM953.api.domain", "source.ip": [ - "10.218.87.174" + "10.97.38.141" ], "tags": [ "microsoft.dhcp", @@ -878,31 +940,35 @@ }, { "@timestamp": "2017-02-18T06:19:24.000Z", - "event.code": "11014", + "event.code": "58", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6846-11014: 11014,2/18/17,4:19:24,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun", + "event.original": "%MSDHCP-927-58: 58,2/18/17,4:19:24,itaut,10.33.140.180,umdolo7781.api.home,01:00:5e:24:f1:b2", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "tqu4367.www5.localhost", + "host.hostname": "umdolo7781.api.home", "input.type": "log", - "log.offset": 2953, + "log.offset": 3051, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "tqu4367.www5.localhost" + "umdolo7781.api.home" ], "related.ip": [ - "10.140.113.244" + "10.33.140.180" ], - "rsa.internal.event_desc": "adeser", - "rsa.internal.messageid": "11014", + "rsa.internal.event_desc": "itaut", + "rsa.internal.messageid": "58", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "microsoft", - "source.address": "tqu4367.www5.localhost", + "source.address": "umdolo7781.api.home", "source.ip": [ - "10.140.113.244" + "10.33.140.180" ], + "source.mac": "01:00:5e:24:f1:b2", "tags": [ "microsoft.dhcp", "forwarded" @@ -910,31 +976,35 @@ }, { "@timestamp": "2017-03-04T13:21:59.000Z", - "event.code": "1103", + "event.code": "51", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7741-1103: 1103,3/4/17,11:21:59,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo", + "event.original": "%MSDHCP-4632-51: 51,3/4/17,11:21:59,fugi,10.119.185.63,imadmini2625.www5.localhost,01:00:5e:31:b9:65,dtem", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "inci5738.www5.invalid", + "host.hostname": "imadmini2625.www5.localhost", "input.type": "log", - "log.offset": 3064, + "log.offset": 3144, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "inci5738.www5.invalid" + "imadmini2625.www5.localhost" ], "related.ip": [ - "10.159.181.29" + "10.119.185.63" ], - "rsa.internal.event_desc": "dmin", - "rsa.internal.messageid": "1103", + "rsa.internal.event_desc": "fugi", + "rsa.internal.messageid": "51", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "microsoft", - "source.address": "inci5738.www5.invalid", + "source.address": "imadmini2625.www5.localhost", "source.ip": [ - "10.159.181.29" + "10.119.185.63" ], + "source.mac": "01:00:5e:31:b9:65", "tags": [ "microsoft.dhcp", "forwarded" @@ -942,31 +1012,32 @@ }, { "@timestamp": "2017-03-18T08:24:33.000Z", - "event.code": "11005", + "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-18-11005: 11005,3/18/17,6:24:33,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia", + "event.original": "%MSDHCP-5377-50: 50,3/18/17,6:24:33,stl,10.95.193.186,picia6119.mail.host,01:00:5e:60:77:c7,tinvol", "fileset.name": "dhcp", - "host.hostname": "itecto1300.internal.corp", + "host.hostname": "picia6119.mail.host", "input.type": "log", - "log.offset": 3176, + "log.offset": 3250, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "itecto1300.internal.corp" + "picia6119.mail.host" ], "related.ip": [ - "10.178.173.128" + "10.95.193.186" ], - "rsa.internal.event_desc": "cusant", - "rsa.internal.messageid": "11005", + "rsa.internal.event_desc": "stl", + "rsa.internal.messageid": "50", "rsa.time.event_time": "2017-03-18T08:24:33.000Z", "service.type": "microsoft", - "source.address": "itecto1300.internal.corp", + "source.address": "picia6119.mail.host", "source.ip": [ - "10.178.173.128" + "10.95.193.186" ], + "source.mac": "01:00:5e:60:77:c7", "tags": [ "microsoft.dhcp", "forwarded" @@ -974,30 +1045,30 @@ }, { "@timestamp": "2017-04-02T03:27:07.000Z", - "event.code": "11015", + "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6789-11015: 11015,4/2/17,1:27:07,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender", + "event.original": "%MSDHCP-5524-11019: 11019,4/2/17,1:27:07,moenimi,10.17.21.125,inv5716.mail.invalid,sequatur,uidolo,lumquido,nihi", "fileset.name": "dhcp", - "host.hostname": "siut1579.www.domain", + "host.hostname": "inv5716.mail.invalid", "input.type": "log", - "log.offset": 3290, + "log.offset": 3349, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "siut1579.www.domain" + "inv5716.mail.invalid" ], "related.ip": [ - "10.217.38.30" + "10.17.21.125" ], - "rsa.internal.event_desc": "uia", - "rsa.internal.messageid": "11015", + "rsa.internal.event_desc": "moenimi", + "rsa.internal.messageid": "11019", "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "microsoft", - "source.address": "siut1579.www.domain", + "source.address": "inv5716.mail.invalid", "source.ip": [ - "10.217.38.30" + "10.17.21.125" ], "tags": [ "microsoft.dhcp", @@ -1006,30 +1077,30 @@ }, { "@timestamp": "2017-04-16T10:29:41.000Z", - "event.code": "11014", + "event.code": "11021", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1540-11014: 11014,4/16/17,8:29:41,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni", + "event.original": "%MSDHCP-5841-11021: 11021,4/16/17,8:29:41,nofdeF,10.73.69.75,uines6355.internal.localdomain,estqu,inibusBo,tat,tion", "fileset.name": "dhcp", - "host.hostname": "ame6223.www5.localhost", + "host.hostname": "uines6355.internal.localdomain", "input.type": "log", - "log.offset": 3387, + "log.offset": 3462, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ame6223.www5.localhost" + "uines6355.internal.localdomain" ], "related.ip": [ - "10.178.49.161" + "10.73.69.75" ], - "rsa.internal.event_desc": "edic", - "rsa.internal.messageid": "11014", + "rsa.internal.event_desc": "nofdeF", + "rsa.internal.messageid": "11021", "rsa.time.event_time": "2017-04-16T10:29:41.000Z", "service.type": "microsoft", - "source.address": "ame6223.www5.localhost", + "source.address": "uines6355.internal.localdomain", "source.ip": [ - "10.178.49.161" + "10.73.69.75" ], "tags": [ "microsoft.dhcp", @@ -1038,64 +1109,67 @@ }, { "@timestamp": "2017-04-30T05:32:16.000Z", - "event.code": "11025", + "event.code": "52", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5663-11025: 11025,4/30/17,3:32:16,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab", + "event.original": "%MSDHCP-5705-52: 52,4/30/17,3:32:16,uasia,10.64.70.5,ici3995.lan,01:00:5e:4e:97:83,iscinge,atvol,umiur,imad,msequi", "fileset.name": "dhcp", - "host.hostname": "aturve1647.mail.localhost", + "host.hostname": "ici3995.lan", "input.type": "log", - "log.offset": 3497, + "log.offset": 3578, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "aturve1647.mail.localhost" + "ici3995.lan" ], "related.ip": [ - "10.175.103.215" + "10.64.70.5" ], - "rsa.internal.event_desc": "ano", - "rsa.internal.messageid": "11025", + "related.user": [ + "iscinge" + ], + "rsa.internal.event_desc": "uasia", + "rsa.internal.messageid": "52", "rsa.time.event_time": "2017-04-30T05:32:16.000Z", "service.type": "microsoft", - "source.address": "aturve1647.mail.localhost", + "source.address": "ici3995.lan", "source.ip": [ - "10.175.103.215" + "10.64.70.5" ], + "source.mac": "01:00:5e:4e:97:83", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "iscinge" }, { "@timestamp": "2017-05-14T12:34:50.000Z", - "event.code": "11011", + "event.code": "11020", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5224-11011: 11011,5/14/17,10:34:50,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured", + "event.original": "%MSDHCP-1559-11020: 11020,5/14/17,10:34:50,deFinibu,10.45.25.68,rehender4535.www5.test,hil,atquovo,suntinc,xeac", "fileset.name": "dhcp", - "host.hostname": "aco6894.mail.home", + "host.hostname": "rehender4535.www5.test", "input.type": "log", - "log.offset": 3608, + "log.offset": 3693, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "aco6894.mail.home" + "rehender4535.www5.test" ], "related.ip": [ - "10.192.21.74" + "10.45.25.68" ], - "rsa.internal.event_desc": "liqua", - "rsa.internal.messageid": "11011", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "deFinibu", + "rsa.internal.messageid": "11020", "rsa.time.event_time": "2017-05-14T12:34:50.000Z", "service.type": "microsoft", - "source.address": "aco6894.mail.home", + "source.address": "rehender4535.www5.test", "source.ip": [ - "10.192.21.74" + "10.45.25.68" ], "tags": [ "microsoft.dhcp", @@ -1104,31 +1178,32 @@ }, { "@timestamp": "2017-05-29T07:37:24.000Z", - "event.code": "11019", + "event.code": "20", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5608-11019: 11019,5/29/17,5:37:24,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat", + "event.original": "%MSDHCP-2228-20: 20,5/29/17,5:37:24,eli,10.28.127.218,pida2286.internal.home,01:00:5e:cc:0b:8f", "fileset.name": "dhcp", - "host.hostname": "tetu2485.internal.invalid", + "host.hostname": "pida2286.internal.home", "input.type": "log", - "log.offset": 3718, + "log.offset": 3805, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "tetu2485.internal.invalid" + "pida2286.internal.home" ], "related.ip": [ - "10.142.25.100" + "10.28.127.218" ], - "rsa.internal.event_desc": "bor", - "rsa.internal.messageid": "11019", + "rsa.internal.event_desc": "eli", + "rsa.internal.messageid": "20", "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "microsoft", - "source.address": "tetu2485.internal.invalid", + "source.address": "pida2286.internal.home", "source.ip": [ - "10.142.25.100" + "10.28.127.218" ], + "source.mac": "01:00:5e:cc:0b:8f", "tags": [ "microsoft.dhcp", "forwarded" @@ -1136,33 +1211,30 @@ }, { "@timestamp": "2017-06-12T14:39:58.000Z", - "event.code": "1098", + "event.code": "11006", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3051-1098: 1098,6/12/17,12:39:58,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor", - "event.outcome": "failure", + "event.original": "%MSDHCP-7427-11006: 11006,6/12/17,12:39:58,psaquae,10.68.93.6,mporain2624.www.localhost,iunt,temveleu,colabo,eme", "fileset.name": "dhcp", - "host.hostname": "doloreme60.www5.localhost", + "host.hostname": "mporain2624.www.localhost", "input.type": "log", - "log.offset": 3825, + "log.offset": 3900, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "doloreme60.www5.localhost" + "mporain2624.www.localhost" ], "related.ip": [ - "10.162.114.217" + "10.68.93.6" ], - "rsa.internal.event_desc": "ven", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "psaquae", + "rsa.internal.messageid": "11006", "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "microsoft", - "source.address": "doloreme60.www5.localhost", + "source.address": "mporain2624.www.localhost", "source.ip": [ - "10.162.114.217" + "10.68.93.6" ], "tags": [ "microsoft.dhcp", @@ -1171,31 +1243,34 @@ }, { "@timestamp": "2017-06-26T09:42:33.000Z", - "event.code": "11001", + "event.code": "16", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6444-11001: 11001,6/26/17,7:42:33,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide", + "event.original": "%MSDHCP-2991-16: 16,6/26/17,7:42:33,civeli,10.116.104.101,gnam2508.mail.example,01:00:5e:e1:73:47,maccusa", "fileset.name": "dhcp", - "host.hostname": "luptat7214.domain", + "host.hostname": "gnam2508.mail.example", "input.type": "log", - "log.offset": 3936, + "log.offset": 4013, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "luptat7214.domain" + "gnam2508.mail.example" ], "related.ip": [ - "10.0.132.176" + "10.116.104.101" ], - "rsa.internal.event_desc": "mex", - "rsa.internal.messageid": "11001", + "rsa.internal.event_desc": "civeli", + "rsa.internal.messageid": "16", + "rsa.investigations.ec_activity": "Delete", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2017-06-26T09:42:33.000Z", "service.type": "microsoft", - "source.address": "luptat7214.domain", + "source.address": "gnam2508.mail.example", "source.ip": [ - "10.0.132.176" + "10.116.104.101" ], + "source.mac": "01:00:5e:e1:73:47", "tags": [ "microsoft.dhcp", "forwarded" @@ -1203,33 +1278,30 @@ }, { "@timestamp": "2017-07-11T04:45:07.000Z", - "event.code": "1098", + "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5524-1098: 1098,7/11/17,2:45:07,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem", - "event.outcome": "failure", + "event.original": "%MSDHCP-3458-11003: 11003,7/11/17,2:45:07,idex,10.192.110.182,tutla2716.www.domain,inesci,serror,aliqu,olupta", "fileset.name": "dhcp", - "host.hostname": "amcor5091.internal.corp", + "host.hostname": "tutla2716.www.domain", "input.type": "log", - "log.offset": 4041, + "log.offset": 4119, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "amcor5091.internal.corp" + "tutla2716.www.domain" ], "related.ip": [ - "10.22.187.69" + "10.192.110.182" ], - "rsa.internal.event_desc": "lupta", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "idex", + "rsa.internal.messageid": "11003", "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "microsoft", - "source.address": "amcor5091.internal.corp", + "source.address": "tutla2716.www.domain", "source.ip": [ - "10.22.187.69" + "10.192.110.182" ], "tags": [ "microsoft.dhcp", @@ -1238,31 +1310,32 @@ }, { "@timestamp": "2017-07-25T11:47:41.000Z", - "event.code": "11019", + "event.code": "53", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1978-11019: 11019,7/25/17,9:47:41,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation", + "event.original": "%MSDHCP-2807-53: 53,7/25/17,9:47:41,ihilm,10.219.84.37,ercit2385.internal.home,01:00:5e:a0:cd:2f,iamquis", "fileset.name": "dhcp", - "host.hostname": "ncidid5410.internal.domain", + "host.hostname": "ercit2385.internal.home", "input.type": "log", - "log.offset": 4144, + "log.offset": 4229, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ncidid5410.internal.domain" + "ercit2385.internal.home" ], "related.ip": [ - "10.2.128.234" + "10.219.84.37" ], - "rsa.internal.event_desc": "atisund", - "rsa.internal.messageid": "11019", + "rsa.internal.event_desc": "ihilm", + "rsa.internal.messageid": "53", "rsa.time.event_time": "2017-07-25T11:47:41.000Z", "service.type": "microsoft", - "source.address": "ncidid5410.internal.domain", + "source.address": "ercit2385.internal.home", "source.ip": [ - "10.2.128.234" + "10.219.84.37" ], + "source.mac": "01:00:5e:a0:cd:2f", "tags": [ "microsoft.dhcp", "forwarded" @@ -1270,34 +1343,30 @@ }, { "@timestamp": "2017-08-08T06:50:15.000Z", - "event.code": "11024", + "event.code": "11012", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5469-11024: 11024,8/8/17,4:50:15,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori", - "event.outcome": "success", + "event.original": "%MSDHCP-6972-11012: 11012,8/8/17,4:50:15,ittenbyC,10.148.153.201,conseq557.mail.lan,aaliquaU,ntor,lpaqui,sitame", "fileset.name": "dhcp", - "host.hostname": "nofd988.api.example", + "host.hostname": "conseq557.mail.lan", "input.type": "log", - "log.offset": 4266, + "log.offset": 4334, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "nofd988.api.example" + "conseq557.mail.lan" ], "related.ip": [ - "10.223.160.140" - ], - "rsa.internal.event_desc": "porincid", - "rsa.internal.messageid": "11024", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "10.148.153.201" + ], + "rsa.internal.event_desc": "ittenbyC", + "rsa.internal.messageid": "11012", "rsa.time.event_time": "2017-08-08T06:50:15.000Z", "service.type": "microsoft", - "source.address": "nofd988.api.example", + "source.address": "conseq557.mail.lan", "source.ip": [ - "10.223.160.140" + "10.148.153.201" ], "tags": [ "microsoft.dhcp", @@ -1306,31 +1375,32 @@ }, { "@timestamp": "2017-08-22T13:52:50.000Z", - "event.code": "11004", + "event.code": "24", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2-11004: 11004,8/22/17,11:52:50,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse", + "event.original": "%MSDHCP-5040-24: 24,8/22/17,11:52:50,utla,10.103.118.137,oei5200.www5.invalid,01:00:5e:c7:b7:18", "fileset.name": "dhcp", - "host.hostname": "borisnis6159.www5.localdomain", + "host.hostname": "oei5200.www5.invalid", "input.type": "log", - "log.offset": 4373, + "log.offset": 4446, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "borisnis6159.www5.localdomain" + "oei5200.www5.invalid" ], "related.ip": [ - "10.137.14.180" + "10.103.118.137" ], - "rsa.internal.event_desc": "elit", - "rsa.internal.messageid": "11004", + "rsa.internal.event_desc": "utla", + "rsa.internal.messageid": "24", "rsa.time.event_time": "2017-08-22T13:52:50.000Z", "service.type": "microsoft", - "source.address": "borisnis6159.www5.localdomain", + "source.address": "oei5200.www5.invalid", "source.ip": [ - "10.137.14.180" + "10.103.118.137" ], + "source.mac": "01:00:5e:c7:b7:18", "tags": [ "microsoft.dhcp", "forwarded" @@ -1338,31 +1408,32 @@ }, { "@timestamp": "2017-09-06T08:55:24.000Z", - "event.code": "11025", + "event.code": "02", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4924-11025: 11025,9/6/17,6:55:24,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa", + "event.original": "%MSDHCP-2026-02: 02,9/6/17,6:55:24,nnum,10.137.223.15,adol485.example,01:00:5e:81:99:6f,dol", "fileset.name": "dhcp", - "host.hostname": "dminima4348.mail.home", + "host.hostname": "adol485.example", "input.type": "log", - "log.offset": 4489, + "log.offset": 4542, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "dminima4348.mail.home" + "adol485.example" ], "related.ip": [ - "10.192.182.230" + "10.137.223.15" ], - "rsa.internal.event_desc": "periam", - "rsa.internal.messageid": "11025", + "rsa.internal.event_desc": "nnum", + "rsa.internal.messageid": "02", "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "microsoft", - "source.address": "dminima4348.mail.home", + "source.address": "adol485.example", "source.ip": [ - "10.192.182.230" + "10.137.223.15" ], + "source.mac": "01:00:5e:81:99:6f", "tags": [ "microsoft.dhcp", "forwarded" @@ -1370,34 +1441,30 @@ }, { "@timestamp": "2017-09-20T03:57:58.000Z", - "event.code": "11023", + "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3023-11023: 11023,9/20/17,1:57:58,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt", - "event.outcome": "failure", + "event.original": "%MSDHCP-4977-11019: 11019,9/20/17,1:57:58,que,10.213.147.241,etconse7424.internal.lan,lit,asun,estia,eaq", "fileset.name": "dhcp", - "host.hostname": "oluptas6981.www5.localhost", + "host.hostname": "etconse7424.internal.lan", "input.type": "log", - "log.offset": 4595, + "log.offset": 4634, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "oluptas6981.www5.localhost" + "etconse7424.internal.lan" ], "related.ip": [ - "10.95.241.28" + "10.213.147.241" ], - "rsa.internal.event_desc": "atise", - "rsa.internal.messageid": "11023", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "que", + "rsa.internal.messageid": "11019", "rsa.time.event_time": "2017-09-20T03:57:58.000Z", "service.type": "microsoft", - "source.address": "oluptas6981.www5.localhost", + "source.address": "etconse7424.internal.lan", "source.ip": [ - "10.95.241.28" + "10.213.147.241" ], "tags": [ "microsoft.dhcp", @@ -1406,32 +1473,32 @@ }, { "@timestamp": "2017-10-04T11:00:32.000Z", - "event.code": "11011", + "event.code": "11010", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3896-11011: 11011,10/4/17,9:00:32,isn,10.74.240.121,equ4808.www.localhost,siuta,urmagn,dquia,temporin", + "event.original": "%MSDHCP-1180-11010: 11010,10/4/17,9:00:32,serunt,10.183.233.5,tMalor7410.www.localhost,eaq,amest,corp,modtemp", "fileset.name": "dhcp", - "host.hostname": "equ4808.www.localhost", + "host.hostname": "tMalor7410.www.localhost", "input.type": "log", - "log.offset": 4708, + "log.offset": 4739, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "equ4808.www.localhost" + "tMalor7410.www.localhost" ], "related.ip": [ - "10.74.240.121" + "10.183.233.5" ], - "rsa.internal.event_desc": "isn", - "rsa.internal.messageid": "11011", - "rsa.investigations.ec_activity": "Stop", + "rsa.internal.event_desc": "serunt", + "rsa.internal.messageid": "11010", + "rsa.investigations.ec_activity": "Start", "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2017-10-04T11:00:32.000Z", "service.type": "microsoft", - "source.address": "equ4808.www.localhost", + "source.address": "tMalor7410.www.localhost", "source.ip": [ - "10.74.240.121" + "10.183.233.5" ], "tags": [ "microsoft.dhcp", @@ -1440,33 +1507,30 @@ }, { "@timestamp": "2017-10-19T06:03:07.000Z", - "event.code": "1098", + "event.code": "11013", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6160-1098: 1098,10/19/17,4:03:07,obeataev,10.139.127.232,nsec923.internal.local,agnaaliq,tlaboree,norumet,dtempo", - "event.outcome": "failure", + "event.original": "%MSDHCP-2628-11013: 11013,10/19/17,4:03:07,tNequepo,10.52.186.29,equat2243.www5.localdomain,ione,ihilmole,eriamea,amre", "fileset.name": "dhcp", - "host.hostname": "nsec923.internal.local", + "host.hostname": "equat2243.www5.localdomain", "input.type": "log", - "log.offset": 4818, + "log.offset": 4849, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "nsec923.internal.local" + "equat2243.www5.localdomain" ], "related.ip": [ - "10.139.127.232" + "10.52.186.29" ], - "rsa.internal.event_desc": "obeataev", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "tNequepo", + "rsa.internal.messageid": "11013", "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "microsoft", - "source.address": "nsec923.internal.local", + "source.address": "equat2243.www5.localdomain", "source.ip": [ - "10.139.127.232" + "10.52.186.29" ], "tags": [ "microsoft.dhcp", @@ -1475,31 +1539,34 @@ }, { "@timestamp": "2017-11-02T13:05:41.000Z", - "event.code": "11009", + "event.code": "11", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4862-11009: 11009,11/2/17,11:05:41,iumtot,10.170.6.54,emoe4059.api.localdomain,ehende,eaqueip,eum,lamc", + "event.original": "%MSDHCP-2949-11: 11,11/2/17,11:05:41,uptat,10.64.199.102,tmo1835.test,01:00:5e:35:a8:83,fugitse", "fileset.name": "dhcp", - "host.hostname": "emoe4059.api.localdomain", + "host.hostname": "tmo1835.test", "input.type": "log", - "log.offset": 4939, + "log.offset": 4968, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "emoe4059.api.localdomain" + "tmo1835.test" ], "related.ip": [ - "10.170.6.54" + "10.64.199.102" ], - "rsa.internal.event_desc": "iumtot", - "rsa.internal.messageid": "11009", + "rsa.internal.event_desc": "uptat", + "rsa.internal.messageid": "11", + "rsa.investigations.ec_activity": "Restore", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "microsoft", - "source.address": "emoe4059.api.localdomain", + "source.address": "tmo1835.test", "source.ip": [ - "10.170.6.54" + "10.64.199.102" ], + "source.mac": "01:00:5e:35:a8:83", "tags": [ "microsoft.dhcp", "forwarded" @@ -1507,31 +1574,35 @@ }, { "@timestamp": "2017-11-16T08:08:15.000Z", - "event.code": "11007", + "event.code": "54", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1664-11007: 11007,11/16/17,6:08:15,sciun,10.46.115.216,equun6662.home,uia,iciad,lorem,nsequunt", + "event.original": "%MSDHCP-3331-54: 54,11/16/17,6:08:15,etMalor,10.196.143.87,quatD4191.local,01:00:5e:3b:7a:f1,sperna", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "equun6662.home", + "host.hostname": "quatD4191.local", "input.type": "log", - "log.offset": 5050, + "log.offset": 5064, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "equun6662.home" + "quatD4191.local" ], "related.ip": [ - "10.46.115.216" + "10.196.143.87" ], - "rsa.internal.event_desc": "sciun", - "rsa.internal.messageid": "11007", + "rsa.internal.event_desc": "etMalor", + "rsa.internal.messageid": "54", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2017-11-16T08:08:15.000Z", "service.type": "microsoft", - "source.address": "equun6662.home", + "source.address": "quatD4191.local", "source.ip": [ - "10.46.115.216" + "10.196.143.87" ], + "source.mac": "01:00:5e:3b:7a:f1", "tags": [ "microsoft.dhcp", "forwarded" @@ -1539,31 +1610,33 @@ }, { "@timestamp": "2017-12-01T03:10:49.000Z", - "event.code": "11017", + "event.code": "30", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6603-11017: 11017,12/1/17,1:10:49,gnaa,10.226.5.189,dtempori5735.www5.local,dexerc,strumex,eprehend,asnu", + "event.original": "%MSDHCP-7576-30: 30,12/1/17,1:10:49,tper,10.163.5.243,osqui3661.mail.domain,01:00:5e:1e:d6:07,texp", "fileset.name": "dhcp", - "host.hostname": "dtempori5735.www5.local", + "host.hostname": "osqui3661.mail.domain", "input.type": "log", - "log.offset": 5153, + "log.offset": 5164, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "dtempori5735.www5.local" + "osqui3661.mail.domain" ], "related.ip": [ - "10.226.5.189" + "10.163.5.243" ], - "rsa.internal.event_desc": "gnaa", - "rsa.internal.messageid": "11017", + "rsa.internal.event_desc": "tper", + "rsa.internal.messageid": "30", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "microsoft", - "source.address": "dtempori5735.www5.local", + "source.address": "osqui3661.mail.domain", "source.ip": [ - "10.226.5.189" + "10.163.5.243" ], + "source.mac": "01:00:5e:1e:d6:07", "tags": [ "microsoft.dhcp", "forwarded" @@ -1571,30 +1644,30 @@ }, { "@timestamp": "2017-12-15T10:13:24.000Z", - "event.code": "11030", + "event.code": "11004", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1313-11030: 11030,12/15/17,8:13:24,derit,10.0.20.5,cupi7581.internal.local,dunt,litsedq,nderiti,ntNe", + "event.original": "%MSDHCP-5037-11004: 11004,12/15/17,8:13:24,uela,10.194.114.58,ectio2175.www.localhost,ihilmo,radi,gel,lorsitam", "fileset.name": "dhcp", - "host.hostname": "cupi7581.internal.local", + "host.hostname": "ectio2175.www.localhost", "input.type": "log", - "log.offset": 5266, + "log.offset": 5263, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "cupi7581.internal.local" + "ectio2175.www.localhost" ], "related.ip": [ - "10.0.20.5" + "10.194.114.58" ], - "rsa.internal.event_desc": "derit", - "rsa.internal.messageid": "11030", + "rsa.internal.event_desc": "uela", + "rsa.internal.messageid": "11004", "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "microsoft", - "source.address": "cupi7581.internal.local", + "source.address": "ectio2175.www.localhost", "source.ip": [ - "10.0.20.5" + "10.194.114.58" ], "tags": [ "microsoft.dhcp", @@ -1603,34 +1676,30 @@ }, { "@timestamp": "2017-12-29T05:15:58.000Z", - "event.code": "11023", + "event.code": "1103", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4024-11023: 11023,12/29/17,3:15:58,olorema,10.180.101.232,quasiar5281.mail.invalid,emip,inBC,mol,tur", - "event.outcome": "failure", + "event.original": "%MSDHCP-6385-1103: 1103,12/29/17,3:15:58,ris,10.212.42.224,liqui6106.internal.home,amvolu,eturadi,uamei,quisno", "fileset.name": "dhcp", - "host.hostname": "quasiar5281.mail.invalid", + "host.hostname": "liqui6106.internal.home", "input.type": "log", - "log.offset": 5375, + "log.offset": 5374, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "quasiar5281.mail.invalid" + "liqui6106.internal.home" ], "related.ip": [ - "10.180.101.232" + "10.212.42.224" ], - "rsa.internal.event_desc": "olorema", - "rsa.internal.messageid": "11023", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "ris", + "rsa.internal.messageid": "1103", "rsa.time.event_time": "2017-12-29T05:15:58.000Z", "service.type": "microsoft", - "source.address": "quasiar5281.mail.invalid", + "source.address": "liqui6106.internal.home", "source.ip": [ - "10.180.101.232" + "10.212.42.224" ], "tags": [ "microsoft.dhcp", @@ -1639,30 +1708,32 @@ }, { "@timestamp": "2018-01-12T12:18:32.000Z", - "event.code": "11018", + "event.code": "11011", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-754-11018: 11018,1/12/18,10:18:32,irured,10.141.158.225,tionula1586.host,idolor,ratvolu,nreprehe,onse", + "event.original": "%MSDHCP-1747-11011: 11011,1/12/18,10:18:32,aliquam,10.244.144.198,eratv6205.internal.lan,reme,acommod,uaUteni,udantium", "fileset.name": "dhcp", - "host.hostname": "tionula1586.host", + "host.hostname": "eratv6205.internal.lan", "input.type": "log", - "log.offset": 5484, + "log.offset": 5485, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "tionula1586.host" + "eratv6205.internal.lan" ], "related.ip": [ - "10.141.158.225" + "10.244.144.198" ], - "rsa.internal.event_desc": "irured", - "rsa.internal.messageid": "11018", + "rsa.internal.event_desc": "aliquam", + "rsa.internal.messageid": "11011", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2018-01-12T12:18:32.000Z", "service.type": "microsoft", - "source.address": "tionula1586.host", + "source.address": "eratv6205.internal.lan", "source.ip": [ - "10.141.158.225" + "10.244.144.198" ], "tags": [ "microsoft.dhcp", @@ -1671,31 +1742,32 @@ }, { "@timestamp": "2018-01-27T07:21:06.000Z", - "event.code": "11013", + "event.code": "57", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3617-11013: 11013,1/27/18,5:21:06,tatnon,10.94.88.5,ore5643.api.lan,metco,acom,ceroinB,nim", + "event.original": "%MSDHCP-6686-57: 57,1/27/18,5:21:06,stlabo,10.134.192.241,catc6134.localdomain,01:00:5e:5b:99:6c,magnid", "fileset.name": "dhcp", - "host.hostname": "ore5643.api.lan", + "host.hostname": "catc6134.localdomain", "input.type": "log", - "log.offset": 5594, + "log.offset": 5604, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ore5643.api.lan" + "catc6134.localdomain" ], "related.ip": [ - "10.94.88.5" + "10.134.192.241" ], - "rsa.internal.event_desc": "tatnon", - "rsa.internal.messageid": "11013", + "rsa.internal.event_desc": "stlabo", + "rsa.internal.messageid": "57", "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "microsoft", - "source.address": "ore5643.api.lan", + "source.address": "catc6134.localdomain", "source.ip": [ - "10.94.88.5" + "10.134.192.241" ], + "source.mac": "01:00:5e:5b:99:6c", "tags": [ "microsoft.dhcp", "forwarded" @@ -1703,35 +1775,32 @@ }, { "@timestamp": "2018-02-10T14:23:41.000Z", - "event.code": "11024", + "event.code": "17", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4248-11024: 11024,2/10/18,12:23:41,aspe,10.155.18.139,ciun39.localdomain,iatqu,inBCSedu,erspi,rorsit", - "event.outcome": "success", + "event.original": "%MSDHCP-7582-17: 17,2/10/18,12:23:41,quiratio,10.62.191.18,tevelite245.mail.local,01:00:5e:78:a7:55,gnido", "fileset.name": "dhcp", - "host.hostname": "ciun39.localdomain", + "host.hostname": "tevelite245.mail.local", "input.type": "log", - "log.offset": 5693, + "log.offset": 5708, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ciun39.localdomain" + "tevelite245.mail.local" ], "related.ip": [ - "10.155.18.139" + "10.62.191.18" ], - "rsa.internal.event_desc": "aspe", - "rsa.internal.messageid": "11024", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "quiratio", + "rsa.internal.messageid": "17", "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "microsoft", - "source.address": "ciun39.localdomain", + "source.address": "tevelite245.mail.local", "source.ip": [ - "10.155.18.139" + "10.62.191.18" ], + "source.mac": "01:00:5e:78:a7:55", "tags": [ "microsoft.dhcp", "forwarded" @@ -1739,31 +1808,32 @@ }, { "@timestamp": "2018-02-24T09:26:15.000Z", - "event.code": "11013", + "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5976-11013: 11013,2/24/18,7:26:15,undeomni,10.85.48.117,iutali7297.www.domain,Finibus,radi,xeacom,des", + "event.original": "%MSDHCP-6036-50: 50,2/24/18,7:26:15,numqua,10.89.22.113,abo1637.mail.host,01:00:5e:ed:c2:f7", "fileset.name": "dhcp", - "host.hostname": "iutali7297.www.domain", + "host.hostname": "abo1637.mail.host", "input.type": "log", - "log.offset": 5802, + "log.offset": 5814, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "iutali7297.www.domain" + "abo1637.mail.host" ], "related.ip": [ - "10.85.48.117" + "10.89.22.113" ], - "rsa.internal.event_desc": "undeomni", - "rsa.internal.messageid": "11013", + "rsa.internal.event_desc": "numqua", + "rsa.internal.messageid": "50", "rsa.time.event_time": "2018-02-24T09:26:15.000Z", "service.type": "microsoft", - "source.address": "iutali7297.www.domain", + "source.address": "abo1637.mail.host", "source.ip": [ - "10.85.48.117" + "10.89.22.113" ], + "source.mac": "01:00:5e:ed:c2:f7", "tags": [ "microsoft.dhcp", "forwarded" @@ -1771,30 +1841,30 @@ }, { "@timestamp": "2018-03-11T04:28:49.000Z", - "event.code": "11003", + "event.code": "11020", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-77-11003: 11003,3/11/18,2:28:49,eprehend,10.224.146.6,docon5398.mail.host,uptate,lloinven,econs,lmolesti", + "event.original": "%MSDHCP-4949-11020: 11020,3/11/18,2:28:49,derit,10.90.86.89,piscin6866.internal.host,uptatema,intocc,liqu,eporr", "fileset.name": "dhcp", - "host.hostname": "docon5398.mail.host", + "host.hostname": "piscin6866.internal.host", "input.type": "log", - "log.offset": 5912, + "log.offset": 5906, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "docon5398.mail.host" + "piscin6866.internal.host" ], "related.ip": [ - "10.224.146.6" + "10.90.86.89" ], - "rsa.internal.event_desc": "eprehend", - "rsa.internal.messageid": "11003", + "rsa.internal.event_desc": "derit", + "rsa.internal.messageid": "11020", "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "microsoft", - "source.address": "docon5398.mail.host", + "source.address": "piscin6866.internal.host", "source.ip": [ - "10.224.146.6" + "10.90.86.89" ], "tags": [ "microsoft.dhcp", @@ -1803,62 +1873,74 @@ }, { "@timestamp": "2018-03-25T11:31:24.000Z", - "event.code": "11007", + "event.code": "59", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2519-11007: 11007,3/25/18,9:31:24,doeiu,10.182.152.242,destlabo7803.mail.localhost,ecillum,isci,dolor,tiumto", + "event.original": "%MSDHCP-6418-59: 59,3/25/18,9:31:24,nofdeFin,10.67.38.204,idex6952.www.localhost,01:00:5e:69:58:0e,ecte,tinvolu,iurer,iciadese,quidolor,tessec,olupta,litse,icabo,itatio,uta", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "destlabo7803.mail.localhost", + "host.hostname": "idex6952.www.localhost", "input.type": "log", - "log.offset": 6025, + "log.offset": 6018, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "destlabo7803.mail.localhost" + "idex6952.www.localhost" ], "related.ip": [ - "10.182.152.242" + "10.67.38.204" ], - "rsa.internal.event_desc": "doeiu", - "rsa.internal.messageid": "11007", + "related.user": [ + "ecte" + ], + "rsa.internal.event_desc": "nofdeFin", + "rsa.internal.messageid": "59", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "litse", + "rsa.misc.log_session_id": "tinvolu", "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "microsoft", - "source.address": "destlabo7803.mail.localhost", + "source.address": "idex6952.www.localhost", "source.ip": [ - "10.182.152.242" + "10.67.38.204" ], + "source.mac": "01:00:5e:69:58:0e", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "ecte" }, { "@timestamp": "2018-04-08T06:33:58.000Z", - "event.code": "11000", + "event.code": "11010", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6515-11000: 11000,4/8/18,4:33:58,quin,10.225.157.110,fugits1163.host,vol,admi,onnu,olorema", + "event.original": "%MSDHCP-4824-11010: 11010,4/8/18,4:33:58,volupt,10.158.237.92,riosamn7650.api.test,rcitati,eni,ionevo,ugiatnu", "fileset.name": "dhcp", - "host.hostname": "fugits1163.host", + "host.hostname": "riosamn7650.api.test", "input.type": "log", - "log.offset": 6142, + "log.offset": 6191, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "fugits1163.host" + "riosamn7650.api.test" ], "related.ip": [ - "10.225.157.110" + "10.158.237.92" ], - "rsa.internal.event_desc": "quin", - "rsa.internal.messageid": "11000", + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "11010", + "rsa.investigations.ec_activity": "Start", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "microsoft", - "source.address": "fugits1163.host", + "source.address": "riosamn7650.api.test", "source.ip": [ - "10.225.157.110" + "10.158.237.92" ], "tags": [ "microsoft.dhcp", @@ -1867,96 +1949,108 @@ }, { "@timestamp": "2018-04-22T13:36:32.000Z", - "event.code": "11005", + "event.code": "60", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4357-11005: 11005,4/22/18,11:36:32,tcupida,10.236.185.102,adol170.internal.example,niam,pernat,rerepre,nculpaq", + "event.original": "%MSDHCP-5368-60: 60,4/22/18,11:36:32,mnisi,10.107.168.60,ehen7519.www5.lan,01:00:5e:a7:ac:70,stquido,ommodico,ptas,pta,tetu", "fileset.name": "dhcp", - "host.hostname": "adol170.internal.example", + "host.hostname": "ehen7519.www5.lan", "input.type": "log", - "log.offset": 6241, + "log.offset": 6301, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "adol170.internal.example" + "ehen7519.www5.lan" ], "related.ip": [ - "10.236.185.102" + "10.107.168.60" ], - "rsa.internal.event_desc": "tcupida", - "rsa.internal.messageid": "11005", + "related.user": [ + "stquido" + ], + "rsa.internal.event_desc": "mnisi", + "rsa.internal.messageid": "60", "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "microsoft", - "source.address": "adol170.internal.example", + "source.address": "ehen7519.www5.lan", "source.ip": [ - "10.236.185.102" + "10.107.168.60" ], + "source.mac": "01:00:5e:a7:ac:70", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "stquido" }, { "@timestamp": "2018-05-07T08:39:06.000Z", - "event.code": "11010", + "event.code": "24", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2577-11010: 11010,5/7/18,6:39:06,billoinv,10.146.72.62,red5516.localhost,agnaaliq,est,mquisno,aev", + "event.original": "%MSDHCP-5740-24: 24,5/7/18,6:39:06,Nequepo,10.207.201.9,boree513.www.corp,01:00:5e:e2:17:79,reetdolo,smo,etcons,iusmodi,uamest", "fileset.name": "dhcp", - "host.hostname": "red5516.localhost", + "host.hostname": "boree513.www.corp", "input.type": "log", - "log.offset": 6360, + "log.offset": 6425, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "red5516.localhost" + "boree513.www.corp" ], "related.ip": [ - "10.146.72.62" + "10.207.201.9" ], - "rsa.internal.event_desc": "billoinv", - "rsa.internal.messageid": "11010", - "rsa.investigations.ec_activity": "Start", - "rsa.investigations.ec_theme": "Communication", + "related.user": [ + "reetdolo" + ], + "rsa.internal.event_desc": "Nequepo", + "rsa.internal.messageid": "24", "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "microsoft", - "source.address": "red5516.localhost", + "source.address": "boree513.www.corp", "source.ip": [ - "10.146.72.62" + "10.207.201.9" ], + "source.mac": "01:00:5e:e2:17:79", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "reetdolo" }, { "@timestamp": "2018-05-21T03:41:41.000Z", - "event.code": "1103", + "event.code": "11023", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5343-1103: 1103,5/21/18,1:41:41,lapar,10.221.7.206,qui3176.internal.example,mexerc,meaque,uid,equaturv", + "event.original": "%MSDHCP-1842-11023: 11023,5/21/18,1:41:41,epte,10.20.147.134,aper5651.test,roi,niamqui,orem,sno", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "qui3176.internal.example", + "host.hostname": "aper5651.test", "input.type": "log", - "log.offset": 6466, + "log.offset": 6552, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "qui3176.internal.example" + "aper5651.test" ], "related.ip": [ - "10.221.7.206" + "10.20.147.134" ], - "rsa.internal.event_desc": "lapar", - "rsa.internal.messageid": "1103", + "rsa.internal.event_desc": "epte", + "rsa.internal.messageid": "11023", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2018-05-21T03:41:41.000Z", "service.type": "microsoft", - "source.address": "qui3176.internal.example", + "source.address": "aper5651.test", "source.ip": [ - "10.221.7.206" + "10.20.147.134" ], "tags": [ "microsoft.dhcp", @@ -1965,30 +2059,30 @@ }, { "@timestamp": "2018-06-04T10:44:15.000Z", - "event.code": "1103", + "event.code": "11007", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-653-1103: 1103,6/4/18,8:44:15,maccusa,10.196.35.130,luptat2979.internal.local,uradi,velitsed,magnaali,mwrit", + "event.original": "%MSDHCP-5263-11007: 11007,6/4/18,8:44:15,saute,10.213.145.202,inventor6088.www.invalid,quamni,iatisu,sec,cons", "fileset.name": "dhcp", - "host.hostname": "luptat2979.internal.local", + "host.hostname": "inventor6088.www.invalid", "input.type": "log", - "log.offset": 6577, + "log.offset": 6648, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "luptat2979.internal.local" + "inventor6088.www.invalid" ], "related.ip": [ - "10.196.35.130" + "10.213.145.202" ], - "rsa.internal.event_desc": "maccusa", - "rsa.internal.messageid": "1103", + "rsa.internal.event_desc": "saute", + "rsa.internal.messageid": "11007", "rsa.time.event_time": "2018-06-04T10:44:15.000Z", "service.type": "microsoft", - "source.address": "luptat2979.internal.local", + "source.address": "inventor6088.www.invalid", "source.ip": [ - "10.196.35.130" + "10.213.145.202" ], "tags": [ "microsoft.dhcp", @@ -1997,31 +2091,32 @@ }, { "@timestamp": "2018-06-19T05:46:49.000Z", - "event.code": "11014", + "event.code": "20", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6378-11014: 11014,6/19/18,3:46:49,equatDu,10.182.219.241,prehe1037.api.example,eiusmod,itation,veleum,piciatis", + "event.original": "%MSDHCP-510-20: 20,6/19/18,3:46:49,tae,10.14.81.228,aperiame1458.www5.local,01:00:5e:7e:22:1b", "fileset.name": "dhcp", - "host.hostname": "prehe1037.api.example", + "host.hostname": "aperiame1458.www5.local", "input.type": "log", - "log.offset": 6693, + "log.offset": 6758, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "prehe1037.api.example" + "aperiame1458.www5.local" ], "related.ip": [ - "10.182.219.241" + "10.14.81.228" ], - "rsa.internal.event_desc": "equatDu", - "rsa.internal.messageid": "11014", + "rsa.internal.event_desc": "tae", + "rsa.internal.messageid": "20", "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "microsoft", - "source.address": "prehe1037.api.example", + "source.address": "aperiame1458.www5.local", "source.ip": [ - "10.182.219.241" + "10.14.81.228" ], + "source.mac": "01:00:5e:7e:22:1b", "tags": [ "microsoft.dhcp", "forwarded" @@ -2029,30 +2124,30 @@ }, { "@timestamp": "2018-07-03T12:49:23.000Z", - "event.code": "11021", + "event.code": "11003", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7616-11021: 11021,7/3/18,10:49:23,tanimid,10.101.163.40,abor1370.www.domain,remips,illoi,reetdolo,rationev", + "event.original": "%MSDHCP-4410-11003: 11003,7/3/18,10:49:23,itinvol,10.76.10.73,cipitlab6201.www5.example,ios,evolu,ersp,tquov", "fileset.name": "dhcp", - "host.hostname": "abor1370.www.domain", + "host.hostname": "cipitlab6201.www5.example", "input.type": "log", - "log.offset": 6812, + "log.offset": 6852, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "abor1370.www.domain" + "cipitlab6201.www5.example" ], "related.ip": [ - "10.101.163.40" + "10.76.10.73" ], - "rsa.internal.event_desc": "tanimid", - "rsa.internal.messageid": "11021", + "rsa.internal.event_desc": "itinvol", + "rsa.internal.messageid": "11003", "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "microsoft", - "source.address": "abor1370.www.domain", + "source.address": "cipitlab6201.www5.example", "source.ip": [ - "10.101.163.40" + "10.76.10.73" ], "tags": [ "microsoft.dhcp", @@ -2061,63 +2156,71 @@ }, { "@timestamp": "2018-07-17T07:51:58.000Z", - "event.code": "11003", + "event.code": "01", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3147-11003: 11003,7/17/18,5:51:58,oremi,10.141.39.190,atDuis5759.internal.test,rumwri,velill,ore,tation", + "event.original": "%MSDHCP-4554-01: 01,7/17/18,5:51:58,osquira,10.220.5.143,com5308.api.domain,01:00:5e:55:ee:a4,reetdolo,norum,madmi,uidol,mporin", "fileset.name": "dhcp", - "host.hostname": "atDuis5759.internal.test", + "host.hostname": "com5308.api.domain", "input.type": "log", - "log.offset": 6927, + "log.offset": 6961, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "atDuis5759.internal.test" + "com5308.api.domain" ], "related.ip": [ - "10.141.39.190" + "10.220.5.143" ], - "rsa.internal.event_desc": "oremi", - "rsa.internal.messageid": "11003", + "related.user": [ + "reetdolo" + ], + "rsa.internal.event_desc": "osquira", + "rsa.internal.messageid": "01", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2018-07-17T07:51:58.000Z", "service.type": "microsoft", - "source.address": "atDuis5759.internal.test", + "source.address": "com5308.api.domain", "source.ip": [ - "10.141.39.190" + "10.220.5.143" ], + "source.mac": "01:00:5e:55:ee:a4", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "reetdolo" }, { "@timestamp": "2018-08-01T14:54:32.000Z", - "event.code": "11009", + "event.code": "ID", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7360-11009: 11009,8/1/18,12:54:32,tperspic,10.41.89.217,ict2699.internal.localhost,riosamni,icta,luptate,llamc", + "event.original": "%MSDHCP-3253-ID: ID,8/1/18,12:54:32,roid,10.226.199.190,Nemoenim2039.api.localhost,01:00:5e:f6:ba:65", "fileset.name": "dhcp", - "host.hostname": "ict2699.internal.localhost", + "host.hostname": "Nemoenim2039.api.localhost", "input.type": "log", - "log.offset": 7039, + "log.offset": 7089, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ict2699.internal.localhost" + "Nemoenim2039.api.localhost" ], "related.ip": [ - "10.41.89.217" + "10.226.199.190" ], - "rsa.internal.event_desc": "tperspic", - "rsa.internal.messageid": "11009", + "rsa.internal.event_desc": "roid", + "rsa.internal.messageid": "ID", "rsa.time.event_time": "2018-08-01T14:54:32.000Z", "service.type": "microsoft", - "source.address": "ict2699.internal.localhost", + "source.address": "Nemoenim2039.api.localhost", "source.ip": [ - "10.41.89.217" + "10.226.199.190" ], + "source.mac": "01:00:5e:f6:ba:65", "tags": [ "microsoft.dhcp", "forwarded" @@ -2125,30 +2228,30 @@ }, { "@timestamp": "2018-08-15T09:57:06.000Z", - "event.code": "11007", + "event.code": "11000", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2454-11007: 11007,8/15/18,7:57:06,tesseci,10.86.44.130,cive2292.api.local,nisiuta,stiaecon,dol,sumquiad", + "event.original": "%MSDHCP-1394-11000: 11000,8/15/18,7:57:06,itessequ,10.20.129.206,iquipe2458.api.host,modtemp,quovol,nve,remag", "fileset.name": "dhcp", - "host.hostname": "cive2292.api.local", + "host.hostname": "iquipe2458.api.host", "input.type": "log", - "log.offset": 7158, + "log.offset": 7190, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "cive2292.api.local" + "iquipe2458.api.host" ], "related.ip": [ - "10.86.44.130" + "10.20.129.206" ], - "rsa.internal.event_desc": "tesseci", - "rsa.internal.messageid": "11007", + "rsa.internal.event_desc": "itessequ", + "rsa.internal.messageid": "11000", "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "microsoft", - "source.address": "cive2292.api.local", + "source.address": "iquipe2458.api.host", "source.ip": [ - "10.86.44.130" + "10.20.129.206" ], "tags": [ "microsoft.dhcp", @@ -2157,70 +2260,77 @@ }, { "@timestamp": "2018-08-29T04:59:40.000Z", - "event.code": "11024", + "event.code": "56", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7311-11024: 11024,8/29/18,2:59:40,uid,10.209.71.69,aconsequ2331.www5.localhost,sequat,lor,ccaec,atu", - "event.outcome": "success", + "event.original": "%MSDHCP-5983-56: 56,8/29/18,2:59:40,tquiin,10.174.176.36,ovol3674.www5.host,01:00:5e:bb:1d:bf,str,idolore,pid,illoin,tanimid,umdo,natuse,gnamal,metMalo,ntexplic,archite", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "aconsequ2331.www5.localhost", + "host.hostname": "ovol3674.www5.host", "input.type": "log", - "log.offset": 7270, + "log.offset": 7300, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "aconsequ2331.www5.localhost" + "ovol3674.www5.host" ], "related.ip": [ - "10.209.71.69" + "10.174.176.36" ], - "rsa.internal.event_desc": "uid", - "rsa.internal.messageid": "11024", - "rsa.investigations.ec_outcome": "Success", - "rsa.investigations.ec_subject": "Service", + "related.user": [ + "str" + ], + "rsa.internal.event_desc": "tquiin", + "rsa.internal.messageid": "56", + "rsa.investigations.ec_outcome": "Failure", "rsa.investigations.ec_theme": "AccessControl", + "rsa.investigations.event_vcat": "gnamal", + "rsa.misc.log_session_id": "idolore", "rsa.time.event_time": "2018-08-29T04:59:40.000Z", "service.type": "microsoft", - "source.address": "aconsequ2331.www5.localhost", + "source.address": "ovol3674.www5.host", "source.ip": [ - "10.209.71.69" + "10.174.176.36" ], + "source.mac": "01:00:5e:bb:1d:bf", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "str" }, { "@timestamp": "2018-09-12T12:02:15.000Z", - "event.code": "1098", + "event.code": "32", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4968-1098: 1098,9/12/18,10:02:15,laudanti,10.48.104.137,rsitvolu3596.www.test,uameiusm,adm,gelitsed,tiumto", - "event.outcome": "failure", + "event.original": "%MSDHCP-7829-32: 32,9/12/18,10:02:15,asi,10.94.38.110,nisist2752.home,01:00:5e:c1:3c:48,exercita", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "rsitvolu3596.www.test", + "host.hostname": "nisist2752.home", "input.type": "log", - "log.offset": 7378, + "log.offset": 7469, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "rsitvolu3596.www.test" + "nisist2752.home" ], "related.ip": [ - "10.48.104.137" + "10.94.38.110" ], - "rsa.internal.event_desc": "laudanti", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "asi", + "rsa.internal.messageid": "32", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "Configuration", "rsa.time.event_time": "2018-09-12T12:02:15.000Z", "service.type": "microsoft", - "source.address": "rsitvolu3596.www.test", + "source.address": "nisist2752.home", "source.ip": [ - "10.48.104.137" + "10.94.38.110" ], + "source.mac": "01:00:5e:c1:3c:48", "tags": [ "microsoft.dhcp", "forwarded" @@ -2228,34 +2338,30 @@ }, { "@timestamp": "2018-09-27T07:04:49.000Z", - "event.code": "11023", + "event.code": "11007", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2648-11023: 11023,9/27/18,5:04:49,nihil,10.225.255.211,elites6366.mail.lan,eursinto,litesse,fugiatn,uaeabi", - "event.outcome": "failure", + "event.original": "%MSDHCP-2516-11007: 11007,9/27/18,5:04:49,oremeu,10.22.110.210,intoc1426.mail.lan,eeufugia,evit,runtm,molli", "fileset.name": "dhcp", - "host.hostname": "elites6366.mail.lan", + "host.hostname": "intoc1426.mail.lan", "input.type": "log", - "log.offset": 7493, + "log.offset": 7566, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "elites6366.mail.lan" + "intoc1426.mail.lan" ], "related.ip": [ - "10.225.255.211" - ], - "rsa.internal.event_desc": "nihil", - "rsa.internal.messageid": "11023", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "10.22.110.210" + ], + "rsa.internal.event_desc": "oremeu", + "rsa.internal.messageid": "11007", "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "microsoft", - "source.address": "elites6366.mail.lan", + "source.address": "intoc1426.mail.lan", "source.ip": [ - "10.225.255.211" + "10.22.110.210" ], "tags": [ "microsoft.dhcp", @@ -2264,30 +2370,30 @@ }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "event.code": "11013", + "event.code": "11006", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2724-11013: 11013,10/11/18,12:07:23,olu,10.137.103.62,orumSe4514.www.corp,umquam,emagn,emulla,mips", + "event.original": "%MSDHCP-543-11006: 11006,10/11/18,12:07:23,eturadi,10.218.87.174,rsitvolu3751.mail.lan,olor,ineavo,pexe,niamqui", "fileset.name": "dhcp", - "host.hostname": "orumSe4514.www.corp", + "host.hostname": "rsitvolu3751.mail.lan", "input.type": "log", - "log.offset": 7608, + "log.offset": 7674, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "orumSe4514.www.corp" + "rsitvolu3751.mail.lan" ], "related.ip": [ - "10.137.103.62" + "10.218.87.174" ], - "rsa.internal.event_desc": "olu", - "rsa.internal.messageid": "11013", + "rsa.internal.event_desc": "eturadi", + "rsa.internal.messageid": "11006", "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "microsoft", - "source.address": "orumSe4514.www.corp", + "source.address": "rsitvolu3751.mail.lan", "source.ip": [ - "10.137.103.62" + "10.218.87.174" ], "tags": [ "microsoft.dhcp", @@ -2296,30 +2402,30 @@ }, { "@timestamp": "2018-10-25T09:09:57.000Z", - "event.code": "11015", + "event.code": "11014", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3887-11015: 11015,10/25/18,7:09:57,etdol,10.156.88.51,fdeFi6975.www5.local,equat,aliquid,usantiu,idunt", + "event.original": "%MSDHCP-6846-11014: 11014,10/25/18,7:09:57,adeser,10.140.113.244,tqu4367.www5.localhost,quam,quid,fugiat,atisun", "fileset.name": "dhcp", - "host.hostname": "fdeFi6975.www5.local", + "host.hostname": "tqu4367.www5.localhost", "input.type": "log", - "log.offset": 7715, + "log.offset": 7786, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "fdeFi6975.www5.local" + "tqu4367.www5.localhost" ], "related.ip": [ - "10.156.88.51" + "10.140.113.244" ], - "rsa.internal.event_desc": "etdol", - "rsa.internal.messageid": "11015", + "rsa.internal.event_desc": "adeser", + "rsa.internal.messageid": "11014", "rsa.time.event_time": "2018-10-25T09:09:57.000Z", "service.type": "microsoft", - "source.address": "fdeFi6975.www5.local", + "source.address": "tqu4367.www5.localhost", "source.ip": [ - "10.156.88.51" + "10.140.113.244" ], "tags": [ "microsoft.dhcp", @@ -2328,30 +2434,30 @@ }, { "@timestamp": "2018-11-09T04:12:32.000Z", - "event.code": "11025", + "event.code": "1103", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5999-11025: 11025,11/9/18,2:12:32,quiacons,10.7.99.47,dol3000.www5.local,teturadi,ditau,atemaccu,veritat", + "event.original": "%MSDHCP-7741-1103: 1103,11/9/18,2:12:32,dmin,10.159.181.29,inci5738.www5.invalid,rnatur,ofdeFin,essequam,acommo", "fileset.name": "dhcp", - "host.hostname": "dol3000.www5.local", + "host.hostname": "inci5738.www5.invalid", "input.type": "log", - "log.offset": 7826, + "log.offset": 7898, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "dol3000.www5.local" + "inci5738.www5.invalid" ], "related.ip": [ - "10.7.99.47" + "10.159.181.29" ], - "rsa.internal.event_desc": "quiacons", - "rsa.internal.messageid": "11025", + "rsa.internal.event_desc": "dmin", + "rsa.internal.messageid": "1103", "rsa.time.event_time": "2018-11-09T04:12:32.000Z", "service.type": "microsoft", - "source.address": "dol3000.www5.local", + "source.address": "inci5738.www5.invalid", "source.ip": [ - "10.7.99.47" + "10.159.181.29" ], "tags": [ "microsoft.dhcp", @@ -2360,32 +2466,30 @@ }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "event.code": "11010", + "event.code": "11005", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5374-11010: 11010,11/23/18,9:15:06,ueip,10.243.252.157,umd5182.mail.host,tur,acon,Nemoenim,usm", + "event.original": "%MSDHCP-18-11005: 11005,11/23/18,9:15:06,cusant,10.178.173.128,itecto1300.internal.corp,tut,ercita,ciadeser,emquia", "fileset.name": "dhcp", - "host.hostname": "umd5182.mail.host", + "host.hostname": "itecto1300.internal.corp", "input.type": "log", - "log.offset": 7939, + "log.offset": 8010, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "umd5182.mail.host" + "itecto1300.internal.corp" ], "related.ip": [ - "10.243.252.157" + "10.178.173.128" ], - "rsa.internal.event_desc": "ueip", - "rsa.internal.messageid": "11010", - "rsa.investigations.ec_activity": "Start", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "cusant", + "rsa.internal.messageid": "11005", "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "microsoft", - "source.address": "umd5182.mail.host", + "source.address": "itecto1300.internal.corp", "source.ip": [ - "10.243.252.157" + "10.178.173.128" ], "tags": [ "microsoft.dhcp", @@ -2394,30 +2498,30 @@ }, { "@timestamp": "2018-12-07T06:17:40.000Z", - "event.code": "11013", + "event.code": "11015", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5397-11013: 11013,12/7/18,4:17:40,tise,10.95.73.196,expl2616.www.test,itinvol,ten,litanim,rQuisaut", + "event.original": "%MSDHCP-6789-11015: 11015,12/7/18,4:17:40,uia,10.217.38.30,siut1579.www.domain,eFi,mexe,its,ender", "fileset.name": "dhcp", - "host.hostname": "expl2616.www.test", + "host.hostname": "siut1579.www.domain", "input.type": "log", - "log.offset": 8042, + "log.offset": 8125, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "expl2616.www.test" + "siut1579.www.domain" ], "related.ip": [ - "10.95.73.196" + "10.217.38.30" ], - "rsa.internal.event_desc": "tise", - "rsa.internal.messageid": "11013", + "rsa.internal.event_desc": "uia", + "rsa.internal.messageid": "11015", "rsa.time.event_time": "2018-12-07T06:17:40.000Z", "service.type": "microsoft", - "source.address": "expl2616.www.test", + "source.address": "siut1579.www.domain", "source.ip": [ - "10.95.73.196" + "10.217.38.30" ], "tags": [ "microsoft.dhcp", @@ -2426,30 +2530,30 @@ }, { "@timestamp": "2018-12-21T13:20:14.000Z", - "event.code": "11004", + "event.code": "11014", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1636-11004: 11004,12/21/18,11:20:14,teni,10.145.104.170,risni1535.example,onemulla,riaturEx,deri,amqu", + "event.original": "%MSDHCP-1540-11014: 11014,12/21/18,11:20:14,edic,10.178.49.161,ame6223.www5.localhost,meius,billo,labo,oNemoeni", "fileset.name": "dhcp", - "host.hostname": "risni1535.example", + "host.hostname": "ame6223.www5.localhost", "input.type": "log", - "log.offset": 8149, + "log.offset": 8223, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "risni1535.example" + "ame6223.www5.localhost" ], "related.ip": [ - "10.145.104.170" + "10.178.49.161" ], - "rsa.internal.event_desc": "teni", - "rsa.internal.messageid": "11004", + "rsa.internal.event_desc": "edic", + "rsa.internal.messageid": "11014", "rsa.time.event_time": "2018-12-21T13:20:14.000Z", "service.type": "microsoft", - "source.address": "risni1535.example", + "source.address": "ame6223.www5.localhost", "source.ip": [ - "10.145.104.170" + "10.178.49.161" ], "tags": [ "microsoft.dhcp", @@ -2458,31 +2562,35 @@ }, { "@timestamp": "2019-01-05T08:22:49.000Z", - "event.code": "11018", + "event.code": "32", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-1303-11018: 11018,1/5/19,6:22:49,edquian,10.18.152.236,umtotamr7221.mail.host,rnat,rur,itse,ilm", + "event.original": "%MSDHCP-2244-32: 32,1/5/19,6:22:49,stenatu,10.215.205.216,ratv5227.www.invalid,01:00:5e:fd:3d:c2,nts", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "umtotamr7221.mail.host", + "host.hostname": "ratv5227.www.invalid", "input.type": "log", - "log.offset": 8259, + "log.offset": 8335, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "umtotamr7221.mail.host" + "ratv5227.www.invalid" ], "related.ip": [ - "10.18.152.236" + "10.215.205.216" ], - "rsa.internal.event_desc": "edquian", - "rsa.internal.messageid": "11018", + "rsa.internal.event_desc": "stenatu", + "rsa.internal.messageid": "32", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "Configuration", "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "microsoft", - "source.address": "umtotamr7221.mail.host", + "source.address": "ratv5227.www.invalid", "source.ip": [ - "10.18.152.236" + "10.215.205.216" ], + "source.mac": "01:00:5e:fd:3d:c2", "tags": [ "microsoft.dhcp", "forwarded" @@ -2490,30 +2598,30 @@ }, { "@timestamp": "2019-01-19T03:25:23.000Z", - "event.code": "11015", + "event.code": "11025", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2746-11015: 11015,1/19/19,1:25:23,oloree,10.15.240.220,teir7585.www5.localdomain,quu,xeac,llitanim,quamei", + "event.original": "%MSDHCP-5663-11025: 11025,1/19/19,1:25:23,ano,10.175.103.215,aturve1647.mail.localhost,uunturm,temUte,sit,olab", "fileset.name": "dhcp", - "host.hostname": "teir7585.www5.localdomain", + "host.hostname": "aturve1647.mail.localhost", "input.type": "log", - "log.offset": 8363, + "log.offset": 8436, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "teir7585.www5.localdomain" + "aturve1647.mail.localhost" ], "related.ip": [ - "10.15.240.220" + "10.175.103.215" ], - "rsa.internal.event_desc": "oloree", - "rsa.internal.messageid": "11015", + "rsa.internal.event_desc": "ano", + "rsa.internal.messageid": "11025", "rsa.time.event_time": "2019-01-19T03:25:23.000Z", "service.type": "microsoft", - "source.address": "teir7585.www5.localdomain", + "source.address": "aturve1647.mail.localhost", "source.ip": [ - "10.15.240.220" + "10.175.103.215" ], "tags": [ "microsoft.dhcp", @@ -2522,31 +2630,32 @@ }, { "@timestamp": "2019-02-02T10:27:57.000Z", - "event.code": "11000", + "event.code": "12", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5996-11000: 11000,2/2/19,8:27:57,meum,10.147.130.71,tur4536.localdomain,iamqui,tassita,colabori,imidestl", + "event.original": "%MSDHCP-6672-12: 12,2/2/19,8:27:57,enderi,10.236.150.115,umwrit5433.www5.domain,01:00:5e:ba:09:4a,tpersp", "fileset.name": "dhcp", - "host.hostname": "tur4536.localdomain", + "host.hostname": "umwrit5433.www5.domain", "input.type": "log", - "log.offset": 8477, + "log.offset": 8547, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "tur4536.localdomain" + "umwrit5433.www5.domain" ], "related.ip": [ - "10.147.130.71" + "10.236.150.115" ], - "rsa.internal.event_desc": "meum", - "rsa.internal.messageid": "11000", + "rsa.internal.event_desc": "enderi", + "rsa.internal.messageid": "12", "rsa.time.event_time": "2019-02-02T10:27:57.000Z", "service.type": "microsoft", - "source.address": "tur4536.localdomain", + "source.address": "umwrit5433.www5.domain", "source.ip": [ - "10.147.130.71" + "10.236.150.115" ], + "source.mac": "01:00:5e:ba:09:4a", "tags": [ "microsoft.dhcp", "forwarded" @@ -2554,95 +2663,113 @@ }, { "@timestamp": "2019-02-17T05:30:32.000Z", - "event.code": "11002", + "event.code": "01", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-956-11002: 11002,2/17/19,3:30:32,isn,10.203.146.137,ffic6926.home,aparia,CSe,exerci,inesciu", + "event.original": "%MSDHCP-6797-01: 01,2/17/19,3:30:32,oeni,10.223.90.192,llamco7206.www.home,01:00:5e:8f:35:71,orsit,asiar,ise,itau,apariat", "fileset.name": "dhcp", - "host.hostname": "ffic6926.home", + "host.hostname": "llamco7206.www.home", "input.type": "log", - "log.offset": 8590, + "log.offset": 8652, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ffic6926.home" + "llamco7206.www.home" ], "related.ip": [ - "10.203.146.137" + "10.223.90.192" + ], + "related.user": [ + "orsit" ], - "rsa.internal.event_desc": "isn", - "rsa.internal.messageid": "11002", + "rsa.internal.event_desc": "oeni", + "rsa.internal.messageid": "01", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "microsoft", - "source.address": "ffic6926.home", + "source.address": "llamco7206.www.home", "source.ip": [ - "10.203.146.137" + "10.223.90.192" ], + "source.mac": "01:00:5e:8f:35:71", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "orsit" }, { "@timestamp": "2019-03-03T12:33:06.000Z", - "event.code": "11012", + "event.code": "51", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5452-11012: 11012,3/3/19,10:33:06,emu,10.5.98.182,ate4386.api.localhost,minimve,serrorsi,tametco,mquisnos", + "event.original": "%MSDHCP-4494-51: 51,3/3/19,10:33:06,dolore,10.165.192.48,nBCSedut1502.www5.example,01:00:5e:c7:c2:10,odoconse,emp,pisciv,lumdolor,nonp,labo,ulapar,aboreetd,hilm,llitanim,invo", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "ate4386.api.localhost", + "host.hostname": "nBCSedut1502.www5.example", "input.type": "log", - "log.offset": 8690, + "log.offset": 8774, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ate4386.api.localhost" + "nBCSedut1502.www5.example" ], "related.ip": [ - "10.5.98.182" + "10.165.192.48" ], - "rsa.internal.event_desc": "emu", - "rsa.internal.messageid": "11012", + "related.user": [ + "odoconse" + ], + "rsa.internal.event_desc": "dolore", + "rsa.internal.messageid": "51", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_theme": "AccessControl", + "rsa.investigations.event_vcat": "aboreetd", + "rsa.misc.log_session_id": "emp", "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "microsoft", - "source.address": "ate4386.api.localhost", + "source.address": "nBCSedut1502.www5.example", "source.ip": [ - "10.5.98.182" + "10.165.192.48" ], + "source.mac": "01:00:5e:c7:c2:10", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "odoconse" }, { "@timestamp": "2019-03-17T07:35:40.000Z", - "event.code": "11014", + "event.code": "50", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-6034-11014: 11014,3/17/19,5:35:40,ici,10.6.180.90,iameaque5093.api.corp,aquio,rspicia,deom,oluptat", + "event.original": "%MSDHCP-7205-50: 50,3/17/19,5:35:40,ama,10.80.152.108,texpli2782.mail.domain,01:00:5e:27:0a:9d,", "fileset.name": "dhcp", - "host.hostname": "iameaque5093.api.corp", + "host.hostname": "texpli2782.mail.domain", "input.type": "log", - "log.offset": 8804, + "log.offset": 8949, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "iameaque5093.api.corp" + "texpli2782.mail.domain" ], "related.ip": [ - "10.6.180.90" + "10.80.152.108" ], - "rsa.internal.event_desc": "ici", - "rsa.internal.messageid": "11014", + "rsa.internal.event_desc": "ama", + "rsa.internal.messageid": "50", "rsa.time.event_time": "2019-03-17T07:35:40.000Z", "service.type": "microsoft", - "source.address": "iameaque5093.api.corp", + "source.address": "texpli2782.mail.domain", "source.ip": [ - "10.6.180.90" + "10.80.152.108" ], + "source.mac": "01:00:5e:27:0a:9d", "tags": [ "microsoft.dhcp", "forwarded" @@ -2650,30 +2777,32 @@ }, { "@timestamp": "2019-04-01T14:38:14.000Z", - "event.code": "11004", + "event.code": "11011", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3545-11004: 11004,4/1/19,12:38:14,onproide,10.111.93.224,tatisetq3237.www5.corp,emag,oquisq,abori,sit", + "event.original": "%MSDHCP-5224-11011: 11011,4/1/19,12:38:14,liqua,10.192.21.74,aco6894.mail.home,emUteni,rum,gnaaliqu,teirured", "fileset.name": "dhcp", - "host.hostname": "tatisetq3237.www5.corp", + "host.hostname": "aco6894.mail.home", "input.type": "log", - "log.offset": 8911, + "log.offset": 9045, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "tatisetq3237.www5.corp" + "aco6894.mail.home" ], "related.ip": [ - "10.111.93.224" + "10.192.21.74" ], - "rsa.internal.event_desc": "onproide", - "rsa.internal.messageid": "11004", + "rsa.internal.event_desc": "liqua", + "rsa.internal.messageid": "11011", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-04-01T14:38:14.000Z", "service.type": "microsoft", - "source.address": "tatisetq3237.www5.corp", + "source.address": "aco6894.mail.home", "source.ip": [ - "10.111.93.224" + "10.192.21.74" ], "tags": [ "microsoft.dhcp", @@ -2682,30 +2811,30 @@ }, { "@timestamp": "2019-04-15T09:40:49.000Z", - "event.code": "11002", + "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7051-11002: 11002,4/15/19,7:40:49,lumdolor,10.196.157.28,rvelill32.internal.corp,tatevel,midestl,nci,orroquis", + "event.original": "%MSDHCP-5608-11019: 11019,4/15/19,7:40:49,bor,10.142.25.100,tetu2485.internal.invalid,nby,mve,osqui,sequat", "fileset.name": "dhcp", - "host.hostname": "rvelill32.internal.corp", + "host.hostname": "tetu2485.internal.invalid", "input.type": "log", - "log.offset": 9021, + "log.offset": 9154, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "rvelill32.internal.corp" + "tetu2485.internal.invalid" ], "related.ip": [ - "10.196.157.28" + "10.142.25.100" ], - "rsa.internal.event_desc": "lumdolor", - "rsa.internal.messageid": "11002", + "rsa.internal.event_desc": "bor", + "rsa.internal.messageid": "11019", "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "microsoft", - "source.address": "rvelill32.internal.corp", + "source.address": "tetu2485.internal.invalid", "source.ip": [ - "10.196.157.28" + "10.142.25.100" ], "tags": [ "microsoft.dhcp", @@ -2714,30 +2843,33 @@ }, { "@timestamp": "2019-04-29T04:43:23.000Z", - "event.code": "11017", + "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4040-11017: 11017,4/29/19,2:43:23,meiusm,10.143.0.78,ectetura2657.www.localdomain,seq,moll,quaeabil,emip", + "event.original": "%MSDHCP-3051-1098: 1098,4/29/19,2:43:23,ven,10.162.114.217,doloreme60.www5.localhost,evitaed,inimveni,dex,lor", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "ectetura2657.www.localdomain", + "host.hostname": "doloreme60.www5.localhost", "input.type": "log", - "log.offset": 9139, + "log.offset": 9261, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ectetura2657.www.localdomain" + "doloreme60.www5.localhost" ], "related.ip": [ - "10.143.0.78" + "10.162.114.217" ], - "rsa.internal.event_desc": "meiusm", - "rsa.internal.messageid": "11017", + "rsa.internal.event_desc": "ven", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-04-29T04:43:23.000Z", "service.type": "microsoft", - "source.address": "ectetura2657.www.localdomain", + "source.address": "doloreme60.www5.localhost", "source.ip": [ - "10.143.0.78" + "10.162.114.217" ], "tags": [ "microsoft.dhcp", @@ -2746,63 +2878,73 @@ }, { "@timestamp": "2019-05-13T11:45:57.000Z", - "event.code": "1103", + "event.code": "01", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3376-1103: 1103,5/13/19,9:45:57,mipsumqu,10.184.187.32,ico3220.api.test,evi,tionula,accus,uatu", + "event.original": "%MSDHCP-2315-01: 01,5/13/19,9:45:57,amcorp,10.57.57.241,liqua6498.api.invalid,01:00:5e:d8:53:15,iduntu,ccaeca,niamq,lapariat,remagn,mquae,consequa,moenimi,olupt,oconsequ,edquiac", "fileset.name": "dhcp", - "host.hostname": "ico3220.api.test", + "host.hostname": "liqua6498.api.invalid", "input.type": "log", - "log.offset": 9252, + "log.offset": 9371, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ico3220.api.test" + "liqua6498.api.invalid" ], "related.ip": [ - "10.184.187.32" + "10.57.57.241" ], - "rsa.internal.event_desc": "mipsumqu", - "rsa.internal.messageid": "1103", + "related.user": [ + "iduntu" + ], + "rsa.internal.event_desc": "amcorp", + "rsa.internal.messageid": "01", + "rsa.investigations.ec_activity": "Stop", + "rsa.investigations.ec_theme": "Communication", + "rsa.investigations.event_vcat": "moenimi", + "rsa.misc.log_session_id": "ccaeca", "rsa.time.event_time": "2019-05-13T11:45:57.000Z", "service.type": "microsoft", - "source.address": "ico3220.api.test", + "source.address": "liqua6498.api.invalid", "source.ip": [ - "10.184.187.32" + "10.57.57.241" ], + "source.mac": "01:00:5e:d8:53:15", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "iduntu" }, { "@timestamp": "2019-05-28T06:48:31.000Z", - "event.code": "11019", + "event.code": "14", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-111-11019: 11019,5/28/19,4:48:31,sumquiad,10.30.87.51,Duisa7769.test,iaecon,aevitaed,byCic,leumiur", + "event.original": "%MSDHCP-2690-14: 14,5/28/19,4:48:31,quamest,10.152.28.171,rsita2628.www5.local,01:00:5e:7a:4c:6e,miu", "fileset.name": "dhcp", - "host.hostname": "Duisa7769.test", + "host.hostname": "rsita2628.www5.local", "input.type": "log", - "log.offset": 9355, + "log.offset": 9549, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "Duisa7769.test" + "rsita2628.www5.local" ], "related.ip": [ - "10.30.87.51" + "10.152.28.171" ], - "rsa.internal.event_desc": "sumquiad", - "rsa.internal.messageid": "11019", + "rsa.internal.event_desc": "quamest", + "rsa.internal.messageid": "14", "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "microsoft", - "source.address": "Duisa7769.test", + "source.address": "rsita2628.www5.local", "source.ip": [ - "10.30.87.51" + "10.152.28.171" ], + "source.mac": "01:00:5e:7a:4c:6e", "tags": [ "microsoft.dhcp", "forwarded" @@ -2810,30 +2952,30 @@ }, { "@timestamp": "2019-06-11T13:51:06.000Z", - "event.code": "11000", + "event.code": "11001", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5483-11000: 11000,6/11/19,11:51:06,tno,10.180.62.222,ptatev6552.www.test,ctetura,msequ,nvol,enimadmi", + "event.original": "%MSDHCP-6444-11001: 11001,6/11/19,11:51:06,mex,10.0.132.176,luptat7214.domain,lillum,remips,uisaute,imide", "fileset.name": "dhcp", - "host.hostname": "ptatev6552.www.test", + "host.hostname": "luptat7214.domain", "input.type": "log", - "log.offset": 9462, + "log.offset": 9650, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ptatev6552.www.test" + "luptat7214.domain" ], "related.ip": [ - "10.180.62.222" + "10.0.132.176" ], - "rsa.internal.event_desc": "tno", - "rsa.internal.messageid": "11000", + "rsa.internal.event_desc": "mex", + "rsa.internal.messageid": "11001", "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "microsoft", - "source.address": "ptatev6552.www.test", + "source.address": "luptat7214.domain", "source.ip": [ - "10.180.62.222" + "10.0.132.176" ], "tags": [ "microsoft.dhcp", @@ -2842,34 +2984,34 @@ }, { "@timestamp": "2019-06-25T08:53:40.000Z", - "event.code": "1098", + "event.code": "11", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7708-1098: 1098,6/25/19,6:53:40,adeser,10.198.9.209,olore6487.www5.local,inea,animid,upta,ioff", - "event.outcome": "failure", + "event.original": "%MSDHCP-7037-11: 11,6/25/19,6:53:40,itesseq,10.125.134.213,tpersp2624.mail.example,01:00:5e:0b:fb:4a", "fileset.name": "dhcp", - "host.hostname": "olore6487.www5.local", + "host.hostname": "tpersp2624.mail.example", "input.type": "log", - "log.offset": 9571, + "log.offset": 9756, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "olore6487.www5.local" + "tpersp2624.mail.example" ], "related.ip": [ - "10.198.9.209" + "10.125.134.213" ], - "rsa.internal.event_desc": "adeser", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", + "rsa.internal.event_desc": "itesseq", + "rsa.internal.messageid": "11", + "rsa.investigations.ec_activity": "Restore", "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-06-25T08:53:40.000Z", "service.type": "microsoft", - "source.address": "olore6487.www5.local", + "source.address": "tpersp2624.mail.example", "source.ip": [ - "10.198.9.209" + "10.125.134.213" ], + "source.mac": "01:00:5e:0b:fb:4a", "tags": [ "microsoft.dhcp", "forwarded" @@ -2877,34 +3019,32 @@ }, { "@timestamp": "2019-07-10T03:56:14.000Z", - "event.code": "1098", + "event.code": "64", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-4197-1098: 1098,7/10/19,1:56:14,iuntN,10.41.217.115,nvol548.corp,sin,idexeac,nimadmin,midest", - "event.outcome": "failure", + "event.original": "%MSDHCP-6392-64: 64,7/10/19,1:56:14,mvolu,10.206.96.56,aincidu2687.mail.home,01:00:5e:80:9d:2c,", "fileset.name": "dhcp", - "host.hostname": "nvol548.corp", + "host.hostname": "aincidu2687.mail.home", "input.type": "log", - "log.offset": 9674, + "log.offset": 9857, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "nvol548.corp" + "aincidu2687.mail.home" ], "related.ip": [ - "10.41.217.115" + "10.206.96.56" ], - "rsa.internal.event_desc": "iuntN", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "mvolu", + "rsa.internal.messageid": "64", "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "microsoft", - "source.address": "nvol548.corp", + "source.address": "aincidu2687.mail.home", "source.ip": [ - "10.41.217.115" + "10.206.96.56" ], + "source.mac": "01:00:5e:80:9d:2c", "tags": [ "microsoft.dhcp", "forwarded" @@ -2912,30 +3052,33 @@ }, { "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "11030", + "event.code": "1098", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-2952-11030: 11030,7/24/19,8:58:48,quatu,10.212.196.228,pteursi466.www.localdomain,essecill,totamre,rpo,velites", + "event.original": "%MSDHCP-5524-1098: 1098,7/24/19,8:58:48,lupta,10.22.187.69,amcor5091.internal.corp,nbyCi,tevel,usc,rem", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "pteursi466.www.localdomain", + "host.hostname": "amcor5091.internal.corp", "input.type": "log", - "log.offset": 9775, + "log.offset": 9953, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "pteursi466.www.localdomain" + "amcor5091.internal.corp" ], "related.ip": [ - "10.212.196.228" + "10.22.187.69" ], - "rsa.internal.event_desc": "quatu", - "rsa.internal.messageid": "11030", + "rsa.internal.event_desc": "lupta", + "rsa.internal.messageid": "1098", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "microsoft", - "source.address": "pteursi466.www.localdomain", + "source.address": "amcor5091.internal.corp", "source.ip": [ - "10.212.196.228" + "10.22.187.69" ], "tags": [ "microsoft.dhcp", @@ -2944,30 +3087,30 @@ }, { "@timestamp": "2019-08-07T06:01:23.000Z", - "event.code": "11002", + "event.code": "11019", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7651-11002: 11002,8/7/19,4:01:23,uisaute,10.166.180.119,olupt1936.host,imide,ncul,taliq,tautfugi", + "event.original": "%MSDHCP-1978-11019: 11019,8/7/19,4:01:23,atisund,10.2.128.234,ncidid5410.internal.domain,velite,teturad,perspici,itation", "fileset.name": "dhcp", - "host.hostname": "olupt1936.host", + "host.hostname": "ncidid5410.internal.domain", "input.type": "log", - "log.offset": 9894, + "log.offset": 10056, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "olupt1936.host" + "ncidid5410.internal.domain" ], "related.ip": [ - "10.166.180.119" + "10.2.128.234" ], - "rsa.internal.event_desc": "uisaute", - "rsa.internal.messageid": "11002", + "rsa.internal.event_desc": "atisund", + "rsa.internal.messageid": "11019", "rsa.time.event_time": "2019-08-07T06:01:23.000Z", "service.type": "microsoft", - "source.address": "olupt1936.host", + "source.address": "ncidid5410.internal.domain", "source.ip": [ - "10.166.180.119" + "10.2.128.234" ], "tags": [ "microsoft.dhcp", @@ -2976,30 +3119,34 @@ }, { "@timestamp": "2019-08-21T13:03:57.000Z", - "event.code": "11030", + "event.code": "11024", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-163-11030: 11030,8/21/19,11:03:57,volup,10.7.142.212,uisaut2157.corp,tuser,ctasu,irat,sitame", + "event.original": "%MSDHCP-5469-11024: 11024,8/21/19,11:03:57,porincid,10.223.160.140,nofd988.api.example,ilmol,eri,quunt,olori", + "event.outcome": "success", "fileset.name": "dhcp", - "host.hostname": "uisaut2157.corp", + "host.hostname": "nofd988.api.example", "input.type": "log", - "log.offset": 9999, + "log.offset": 10177, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "uisaut2157.corp" + "nofd988.api.example" ], "related.ip": [ - "10.7.142.212" + "10.223.160.140" ], - "rsa.internal.event_desc": "volup", - "rsa.internal.messageid": "11030", + "rsa.internal.event_desc": "porincid", + "rsa.internal.messageid": "11024", + "rsa.investigations.ec_outcome": "Success", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "microsoft", - "source.address": "uisaut2157.corp", + "source.address": "nofd988.api.example", "source.ip": [ - "10.7.142.212" + "10.223.160.140" ], "tags": [ "microsoft.dhcp", @@ -3008,34 +3155,30 @@ }, { "@timestamp": "2019-09-05T08:06:31.000Z", - "event.code": "11023", + "event.code": "11004", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3403-11023: 11023,9/5/19,6:06:31,uptateve,10.209.237.97,ecte882.www5.host,Malor,boriosa,cillumdo,ditau", - "event.outcome": "failure", + "event.original": "%MSDHCP-2-11004: 11004,9/5/19,6:06:31,elit,10.137.14.180,borisnis6159.www5.localdomain,inven,eufugi,accusant,onse", "fileset.name": "dhcp", - "host.hostname": "ecte882.www5.host", + "host.hostname": "borisnis6159.www5.localdomain", "input.type": "log", - "log.offset": 10100, + "log.offset": 10286, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "ecte882.www5.host" + "borisnis6159.www5.localdomain" ], "related.ip": [ - "10.209.237.97" + "10.137.14.180" ], - "rsa.internal.event_desc": "uptateve", - "rsa.internal.messageid": "11023", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Service", - "rsa.investigations.ec_theme": "AccessControl", + "rsa.internal.event_desc": "elit", + "rsa.internal.messageid": "11004", "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "microsoft", - "source.address": "ecte882.www5.host", + "source.address": "borisnis6159.www5.localdomain", "source.ip": [ - "10.209.237.97" + "10.137.14.180" ], "tags": [ "microsoft.dhcp", @@ -3044,31 +3187,35 @@ }, { "@timestamp": "2019-09-19T03:09:05.000Z", - "event.code": "11025", + "event.code": "59", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-801-11025: 11025,9/19/19,1:09:05,sci,10.61.26.207,doloreeu4417.example,ametcons,tconse,eumf,roquisq", + "event.original": "%MSDHCP-2859-59: 59,9/19/19,1:09:05,inibu,10.106.93.26,isetquas3096.home,01:00:5e:1b:92:a6", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "doloreeu4417.example", + "host.hostname": "isetquas3096.home", "input.type": "log", - "log.offset": 10211, + "log.offset": 10400, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "doloreeu4417.example" + "isetquas3096.home" ], "related.ip": [ - "10.61.26.207" + "10.106.93.26" ], - "rsa.internal.event_desc": "sci", - "rsa.internal.messageid": "11025", + "rsa.internal.event_desc": "inibu", + "rsa.internal.messageid": "59", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_theme": "Communication", "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "microsoft", - "source.address": "doloreeu4417.example", + "source.address": "isetquas3096.home", "source.ip": [ - "10.61.26.207" + "10.106.93.26" ], + "source.mac": "01:00:5e:1b:92:a6", "tags": [ "microsoft.dhcp", "forwarded" @@ -3076,33 +3223,30 @@ }, { "@timestamp": "2019-10-03T10:11:40.000Z", - "event.code": "1098", + "event.code": "11025", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-3103-1098: 1098,10/3/19,8:11:40,tDuisau,10.139.88.194,tper4341.lan,nulamc,sint,etcon,ctobeat", - "event.outcome": "failure", + "event.original": "%MSDHCP-4924-11025: 11025,10/3/19,8:11:40,periam,10.192.182.230,dminima4348.mail.home,tame,naaliq,nte,ulpa", "fileset.name": "dhcp", - "host.hostname": "tper4341.lan", + "host.hostname": "dminima4348.mail.home", "input.type": "log", - "log.offset": 10319, + "log.offset": 10491, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "tper4341.lan" + "dminima4348.mail.home" ], "related.ip": [ - "10.139.88.194" + "10.192.182.230" ], - "rsa.internal.event_desc": "tDuisau", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "periam", + "rsa.internal.messageid": "11025", "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "microsoft", - "source.address": "tper4341.lan", + "source.address": "dminima4348.mail.home", "source.ip": [ - "10.139.88.194" + "10.192.182.230" ], "tags": [ "microsoft.dhcp", @@ -3111,94 +3255,110 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "event.code": "11008", + "event.code": "25", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-598-11008: 11008,10/18/19,3:14:14,lorumw,10.86.134.125,nimve4965.mail.corp,ola,ptat,quasi,tium", + "event.original": "%MSDHCP-1738-25: 25,10/18/19,3:14:14,loi,10.24.111.229,volupt2952.api.local,01:00:5e:64:62:d1,sequat,giatquov,tconsec,miurerep,toccaec,fugi,labo,nostrud,gnaal,qui,cupi", "fileset.name": "dhcp", - "host.hostname": "nimve4965.mail.corp", + "host.hostname": "volupt2952.api.local", "input.type": "log", - "log.offset": 10420, + "log.offset": 10598, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "nimve4965.mail.corp" + "volupt2952.api.local" ], "related.ip": [ - "10.86.134.125" + "10.24.111.229" ], - "rsa.internal.event_desc": "lorumw", - "rsa.internal.messageid": "11008", + "related.user": [ + "sequat" + ], + "rsa.internal.event_desc": "loi", + "rsa.internal.messageid": "25", + "rsa.investigations.event_vcat": "nostrud", + "rsa.misc.log_session_id": "giatquov", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "microsoft", - "source.address": "nimve4965.mail.corp", + "source.address": "volupt2952.api.local", "source.ip": [ - "10.86.134.125" + "10.24.111.229" ], + "source.mac": "01:00:5e:64:62:d1", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "sequat" }, { "@timestamp": "2019-11-01T12:16:48.000Z", - "event.code": "11008", + "event.code": "60", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5046-11008: 11008,11/1/19,10:16:48,nul,10.41.78.169,mquisno5146.home,mipsamv,exeacomm,sequines,cto", + "event.original": "%MSDHCP-5282-60: 60,11/1/19,10:16:48,lores,10.45.253.103,uii5923.internal.home,01:00:5e:2f:ff:49,rcit,llamco,atu,untincul,ssecil", "fileset.name": "dhcp", - "host.hostname": "mquisno5146.home", + "host.hostname": "uii5923.internal.home", "input.type": "log", - "log.offset": 10523, + "log.offset": 10766, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "mquisno5146.home" + "uii5923.internal.home" ], "related.ip": [ - "10.41.78.169" + "10.45.253.103" ], - "rsa.internal.event_desc": "nul", - "rsa.internal.messageid": "11008", + "related.user": [ + "rcit" + ], + "rsa.internal.event_desc": "lores", + "rsa.internal.messageid": "60", "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "microsoft", - "source.address": "mquisno5146.home", + "source.address": "uii5923.internal.home", "source.ip": [ - "10.41.78.169" + "10.45.253.103" ], + "source.mac": "01:00:5e:2f:ff:49", "tags": [ "microsoft.dhcp", "forwarded" - ] + ], + "user.name": "rcit" }, { "@timestamp": "2019-11-15T07:19:22.000Z", - "event.code": "11014", + "event.code": "11023", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5270-11014: 11014,11/15/19,5:19:22,lumquid,10.69.181.95,imaveni4500.api.localdomain,ssequamn,ave,taliqui,idi", + "event.original": "%MSDHCP-3023-11023: 11023,11/15/19,5:19:22,atise,10.95.241.28,oluptas6981.www5.localhost,lor,Sedut,yCiceroi,quunt", + "event.outcome": "failure", "fileset.name": "dhcp", - "host.hostname": "imaveni4500.api.localdomain", + "host.hostname": "oluptas6981.www5.localhost", "input.type": "log", - "log.offset": 10630, + "log.offset": 10895, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "imaveni4500.api.localdomain" + "oluptas6981.www5.localhost" ], "related.ip": [ - "10.69.181.95" + "10.95.241.28" ], - "rsa.internal.event_desc": "lumquid", - "rsa.internal.messageid": "11014", + "rsa.internal.event_desc": "atise", + "rsa.internal.messageid": "11023", + "rsa.investigations.ec_outcome": "Failure", + "rsa.investigations.ec_subject": "Service", + "rsa.investigations.ec_theme": "AccessControl", "rsa.time.event_time": "2019-11-15T07:19:22.000Z", "service.type": "microsoft", - "source.address": "imaveni4500.api.localdomain", + "source.address": "oluptas6981.www5.localhost", "source.ip": [ - "10.69.181.95" + "10.95.241.28" ], "tags": [ "microsoft.dhcp", @@ -3207,34 +3367,32 @@ }, { "@timestamp": "2019-11-30T14:21:57.000Z", - "event.code": "1098", + "event.code": "23", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-5895-1098: 1098,11/30/19,12:21:57,mqu,10.222.6.52,veleu2874.www5.localhost,tasnu,loru,iadeser,litess", - "event.outcome": "failure", + "event.original": "%MSDHCP-4890-23: 23,11/30/19,12:21:57,dolore,10.84.32.178,vitaed4959.example,01:00:5e:11:45:1e,itaedict", "fileset.name": "dhcp", - "host.hostname": "veleu2874.www5.localhost", + "host.hostname": "vitaed4959.example", "input.type": "log", - "log.offset": 10747, + "log.offset": 11009, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "veleu2874.www5.localhost" + "vitaed4959.example" ], "related.ip": [ - "10.222.6.52" + "10.84.32.178" ], - "rsa.internal.event_desc": "mqu", - "rsa.internal.messageid": "1098", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_theme": "Communication", + "rsa.internal.event_desc": "dolore", + "rsa.internal.messageid": "23", "rsa.time.event_time": "2019-11-30T14:21:57.000Z", "service.type": "microsoft", - "source.address": "veleu2874.www5.localhost", + "source.address": "vitaed4959.example", "source.ip": [ - "10.222.6.52" + "10.84.32.178" ], + "source.mac": "01:00:5e:11:45:1e", "tags": [ "microsoft.dhcp", "forwarded" @@ -3242,32 +3400,32 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "event.code": "ID", + "event.code": "55", "event.dataset": "microsoft.dhcp", "event.module": "microsoft", - "event.original": "%MSDHCP-7704-ID: ID,12/14/19,7:24:31,quovolu,10.218.41.80,nemul5083.api.localdomain,01:00:5e:52:c7:67", + "event.original": "%MSDHCP-4271-55: 55,12/14/19,7:24:31,ruredo,10.72.196.74,boreetdo1725.example,01:00:5e:01:2f:7d", "fileset.name": "dhcp", - "host.hostname": "nemul5083.api.localdomain", + "host.hostname": "boreetdo1725.example", "input.type": "log", - "log.offset": 10856, + "log.offset": 11113, "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", "related.hosts": [ - "nemul5083.api.localdomain" + "boreetdo1725.example" ], "related.ip": [ - "10.218.41.80" + "10.72.196.74" ], - "rsa.internal.event_desc": "quovolu", - "rsa.internal.messageid": "ID", + "rsa.internal.event_desc": "ruredo", + "rsa.internal.messageid": "55", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "microsoft", - "source.address": "nemul5083.api.localdomain", + "source.address": "boreetdo1725.example", "source.ip": [ - "10.218.41.80" + "10.72.196.74" ], - "source.mac": "01:00:5e:52:c7:67", + "source.mac": "01:00:5e:01:2f:7d", "tags": [ "microsoft.dhcp", "forwarded" diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml index f9a1f17141e9..cc3b20640245 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/input.yml +++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js +++ b/x-pack/filebeat/module/netscout/sightline/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/netscout/sightline/config/pipeline.js b/x-pack/filebeat/module/netscout/sightline/config/pipeline.js index ae844c74f9de..c7ed573458f3 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/pipeline.js +++ b/x-pack/filebeat/module/netscout/sightline/config/pipeline.js @@ -15,7 +15,15 @@ function DeviceProcessor() { } } -var dup1 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}"); +var dup1 = call({ + dest: "nwparser.payload", + fn: STRCAT, + args: [ + field("hdata"), + constant(": "), + field("p0"), + ], +}); var dup2 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); @@ -41,7 +49,7 @@ var dup8 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); var dup9 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); -var dup10 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); +var dup10 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{p0}"); var dup11 = call({ dest: "nwparser.payload", @@ -49,7 +57,7 @@ var dup11 = call({ args: [ field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }); @@ -87,7 +95,7 @@ var dup21 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21 var dup22 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); -var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); +var dup23 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "leader %{parent_node}"); var dup24 = setc("eventcategory","1502020000"); @@ -107,7 +115,7 @@ var dup31 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{f var dup32 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); -var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); +var dup33 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); var dup34 = setc("eventcategory","1002000000"); @@ -121,7 +129,7 @@ var dup36 = date_time({ ], }); -var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); +var dup37 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); var dup38 = date_time({ dest: "starttime", @@ -131,36 +139,40 @@ var dup38 = date_time({ ], }); -var dup39 = linear_select([ +var dup39 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}", processor_chain([ + dup1, +])); + +var dup40 = linear_select([ dup2, dup3, ]); -var dup40 = linear_select([ +var dup41 = linear_select([ dup6, dup7, dup8, dup9, ]); -var dup41 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var dup42 = match("MESSAGE#2:BGP:Down", "nwparser.payload", "%{protocol->} down for router %{node}, leader %{parent_node->} since %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup12, dup13, dup14, ])); -var dup42 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ +var dup43 = match("MESSAGE#3:BGP:Restored", "nwparser.payload", "%{protocol->} restored for router %{node}, leader %{parent_node->} at %{fld15}-%{fld16}-%{fld17->} %{fld18}:%{fld19}:%{fld20->} %{fld21}", processor_chain([ dup15, dup13, dup16, ])); -var dup43 = linear_select([ +var dup44 = linear_select([ dup21, dup22, ]); -var dup44 = linear_select([ +var dup45 = linear_select([ dup31, dup32, ]); @@ -180,11 +192,11 @@ var select1 = linear_select([ part4, ]); -var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{payload}"); +var part5 = match("HEADER#0:0001/2", "nwparser.p0", "%{} %{messageid->} %{p0}"); var all1 = all_match({ processors: [ - dup1, + dup39, select1, part5, ], @@ -193,12 +205,12 @@ var all1 = all_match({ ]), }); -var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{payload}"); +var part6 = match("HEADER#1:0002/2", "nwparser.p0", "%{}interface %{msgIdPart1->} %{msgIdPart2->} %{p0}"); var all2 = all_match({ processors: [ - dup1, dup39, + dup40, part6, ], on_success: processor_chain([ @@ -207,14 +219,14 @@ var all2 = all_match({ ]), }); -var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{payload}"); +var part7 = match("HEADER#2:0008/4", "nwparser.p0", "%{} %{msgIdPart1->} %{hfld1->} for service %{p0}"); var all3 = all_match({ processors: [ - dup1, dup39, - dup5, dup40, + dup5, + dup41, part7, ], on_success: processor_chain([ @@ -232,10 +244,10 @@ var all3 = all_match({ var all4 = all_match({ processors: [ - dup1, dup39, - dup5, dup40, + dup5, + dup41, dup10, ], on_success: processor_chain([ @@ -254,7 +266,7 @@ var select2 = linear_select([ var all5 = all_match({ processors: [ - dup1, + dup39, select2, dup10, ], @@ -264,17 +276,17 @@ var all5 = all_match({ ]), }); -var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#5:0005", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: The %{messageid->} %{p0}", processor_chain([ setc("header_id","0005"), dup11, ])); -var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#6:0006", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: Alert %{messageid->} %{p0}", processor_chain([ setc("header_id","0006"), dup11, ])); -var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{payload}", processor_chain([ +var hdr3 = match("HEADER#7:0007", "message", "%{hmonth->} %{hday->} %{htime->} pfsp: %{messageid->} %{p0}", processor_chain([ setc("header_id","0007"), dup11, ])); @@ -322,9 +334,9 @@ var select4 = linear_select([ msg2, ]); -var msg3 = msg("BGP:Down", dup41); +var msg3 = msg("BGP:Down", dup42); -var msg4 = msg("BGP:Restored", dup42); +var msg4 = msg("BGP:Restored", dup43); var part11 = match("MESSAGE#4:BGP:Instability", "nwparser.payload", "%{protocol->} instability router %{node->} threshold %{fld25->} (%{fld1}) observed %{trigger_val->} (%{fld2})", processor_chain([ dup17, @@ -413,9 +425,9 @@ var select7 = linear_select([ msg13, ]); -var msg14 = msg("SNMP:Down", dup41); +var msg14 = msg("SNMP:Down", dup42); -var msg15 = msg("SNMP:Restored", dup42); +var msg15 = msg("SNMP:Restored", dup43); var select8 = linear_select([ msg14, @@ -465,7 +477,7 @@ var part24 = match("MESSAGE#19:mitigation:TMS_Start/0", "nwparser.payload", "pfs var all6 = all_match({ processors: [ part24, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -484,7 +496,7 @@ var part25 = match("MESSAGE#20:mitigation:TMS_Stop/0", "nwparser.payload", "pfsp var all7 = all_match({ processors: [ part25, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -503,7 +515,7 @@ var part26 = match("MESSAGE#21:mitigation:Thirdparty_Start/0", "nwparser.payload var all8 = all_match({ processors: [ part26, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -522,7 +534,7 @@ var part27 = match("MESSAGE#22:mitigation:Thirdparty_Stop/0", "nwparser.payload" var all9 = all_match({ processors: [ part27, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -540,7 +552,7 @@ var part28 = match("MESSAGE#23:mitigation:Blackhole_Start/0", "nwparser.payload" var all10 = all_match({ processors: [ part28, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -559,7 +571,7 @@ var part29 = match("MESSAGE#24:mitigation:Blackhole_Stop/0", "nwparser.payload", var all11 = all_match({ processors: [ part29, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -577,7 +589,7 @@ var part30 = match("MESSAGE#25:mitigation:Flowspec_Start/0", "nwparser.payload", var all12 = all_match({ processors: [ part30, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -596,7 +608,7 @@ var part31 = match("MESSAGE#26:mitigation:Flowspec_Stop/0", "nwparser.payload", var all13 = all_match({ processors: [ part31, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -720,7 +732,7 @@ var part43 = match("MESSAGE#38:script/0", "nwparser.payload", "script %{node->} var all14 = all_match({ processors: [ part43, - dup43, + dup44, dup23, ], on_success: processor_chain([ @@ -739,7 +751,7 @@ var part44 = match("MESSAGE#39:anomaly:Resource_Info:01/0", "nwparser.payload", var all15 = all_match({ processors: [ part44, - dup44, + dup45, dup33, ], on_success: processor_chain([ @@ -757,7 +769,7 @@ var part45 = match("MESSAGE#40:anomaly:Resource_Info:02/0", "nwparser.payload", var all16 = all_match({ processors: [ part45, - dup44, + dup45, dup37, ], on_success: processor_chain([ @@ -775,7 +787,7 @@ var part46 = match("MESSAGE#41:anomaly:Resource_Info:03/0", "nwparser.payload", var all17 = all_match({ processors: [ part46, - dup44, + dup45, dup33, ], on_success: processor_chain([ @@ -792,7 +804,7 @@ var part47 = match("MESSAGE#42:anomaly:Resource_Info:04/0", "nwparser.payload", var all18 = all_match({ processors: [ part47, - dup44, + dup45, dup37, ], on_success: processor_chain([ @@ -955,8 +967,6 @@ var chain1 = processor_chain([ }), ]); -var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}"); - var part60 = match("HEADER#1:0002/1_0", "nwparser.p0", "high %{p0}"); var part61 = match("HEADER#1:0002/1_1", "nwparser.p0", "low %{p0}"); @@ -971,21 +981,25 @@ var part65 = match("HEADER#2:0008/3_2", "nwparser.p0", "bps %{p0}"); var part66 = match("HEADER#2:0008/3_3", "nwparser.p0", "pps %{p0}"); -var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{payload}"); +var part67 = match("HEADER#3:0003/4", "nwparser.p0", "%{} %{msgIdPart1->} %{msgIdPart2->} %{p0}"); var part68 = match("MESSAGE#19:mitigation:TMS_Start/1_0", "nwparser.p0", "%{fld21}, %{p0}"); var part69 = match("MESSAGE#19:mitigation:TMS_Start/1_1", "nwparser.p0", ", %{p0}"); -var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "%{}leader %{parent_node}"); +var part70 = match("MESSAGE#19:mitigation:TMS_Start/2", "nwparser.p0", "leader %{parent_node}"); var part71 = match("MESSAGE#39:anomaly:Resource_Info:01/1_0", "nwparser.p0", "%{fld21->} duration %{p0}"); var part72 = match("MESSAGE#39:anomaly:Resource_Info:01/1_1", "nwparser.p0", "duration %{p0}"); -var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); +var part73 = match("MESSAGE#39:anomaly:Resource_Info:01/2", "nwparser.p0", "%{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}, %{info}"); -var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{} %{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); +var part74 = match("MESSAGE#40:anomaly:Resource_Info:02/2", "nwparser.p0", "%{duration->} percent %{fld3->} rate %{fld4->} rateUnit %{fld5->} protocol %{protocol->} flags %{fld6->} url %{url}"); + +var hdr6 = match("HEADER#0:0001/0", "message", "%{hmonth->} %{hday->} %{htime->} %{hdata}: %{p0}", processor_chain([ + dup1, +])); var select17 = linear_select([ dup2, diff --git a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml index 44b0b754e15e..8a25a657a0a9 100644 --- a/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml +++ b/x-pack/filebeat/module/netscout/sightline/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/netscout/sightline/manifest.yml b/x-pack/filebeat/module/netscout/sightline/manifest.yml index 6c3ae4601101..e10cef66bf8b 100644 --- a/x-pack/filebeat/module/netscout/sightline/manifest.yml +++ b/x-pack/filebeat/module/netscout/sightline/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9502 + default: 9524 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log b/x-pack/filebeat/module/netscout/sightline/test/generated.log index 892a1fc0f2b6..bd8d089c540f 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log @@ -7,94 +7,94 @@ April 9 17:22:51 pfsp: Alert Host Detection alert riosam, start 2016-04-9 17:22: April 24 00:25:25 pfsp: Autoclassification was restarted on 2016-04-24 00:25:25 nim by incidi May 8 07:27:59 pfsp: Alert Peakflow device oloremqu unreachable by temvel since 2016-05-08 07:27:59 May 22 14:30:33 pfsp: Autoclassification was restarted on 2016-05-22 14:30:33 serror by anti -June 5 21:33:08 pfsp: Alert Test syslog message -June 20 04:35:42 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci -July 4 11:38:16 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-04 11:38:16 tNequ -July 18 18:40:50 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap -August 2 01:43:25 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis -August 16 08:45:59 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt -August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 atatnonp by uiano -September 13 22:51:07 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc -September 28 05:53:42 pfsp: Hardware failure on tatevel since 2016-09-28 05:53:42 GMT: abilloi -October 12 12:56:16 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc -October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate -November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 iam by qua -November 24 10:03:59 pfsp: Test syslog message -December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli -December 23 00:09:07 pfsp: Alert Autoclassification was restarted on 2016-12-23 00:09:07 ntutl by caecatc -January 6 07:11:41 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-01-06 07:11:41 lup -January 20 14:14:16 pfsp: Alert Hardware failure on aperi since 2017-01-20 14:14:16 GMT: lor -February 3 21:16:50 pfsp: The BGP Instability for router oin ended -February 18 04:19:24 pfsp: Hardware failure on ritatis done at 2017-02-18 04:19:24 oloremi GMT: pitla -March 4 11:21:59 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des -March 18 18:24:33 pfsp: Device tdolorem unreachable by controller ono since 2017-03-18 18:24:33 -April 2 01:27:07 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-02 01:27:07 lumquido -April 16 08:29:41 Lor: Test: Test syslog message -April 30 15:32:16 pfsp: Alert script modoco ran at 2017-04-30 15:32:16 , leader estqu -May 14 22:34:50 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae -May 29 05:37:24 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore -June 12 12:39:58 pfsp: Device mque reachable again by controller uovolup at 2017-06-12 12:39:58 samvolu -June 26 19:42:33 pfsp: The Host Detection alert eirure, start 2017-06-26 19:42:33 conseq, duration 38.117000, stop 2017-06-26 19:42:33 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui) -July 11 02:45:07 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol -July 25 09:47:41 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih) -August 8 16:50:15 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup -August 22 23:52:50 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv -September 6 06:55:24 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu -September 20 13:57:58 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-09-20 13:57:58 olor -October 4 21:00:32 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-04 21:00:32 fdeFi -October 19 04:03:07 pfsp: BGP down for router ati, leader tlabo since 2017-10-19 04:03:07 uames -November 2 11:05:41 pfsp: script offi ran at 2017-11-02 11:05:41 , leader giatnu -November 16 18:08:15 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2017-11-16 6:08:15 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata -December 1 01:10:49 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte -December 15 08:13:24 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-15 08:13:24 dexea -December 29 15:15:58 pfsp: Test syslog message -January 12 22:18:32 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-12 22:18:32 litse -January 27 05:21:06 pfsp: Alert Host Detection alert sperna, start 2018-01-27 05:21:06 sintocc, duration 24.633000, stop 2018-01-27 05:21:06 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius) -February 10 12:23:41 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc -February 24 19:26:15 pfsp: BGP Instability for router iatisu ended -March 11 02:28:49 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven -March 25 09:31:24 pfsp: Test syslog message -April 8 16:33:58 Sedutp: Test: Test syslog message -April 22 23:36:32 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe -May 7 06:39:06 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse -May 21 13:41:41 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro -June 4 20:44:15 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-04 20:44:15 -June 19 03:46:49 pfsp: configuration was changed on leader natuse to version 1.4425 by ati -July 3 10:49:23 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto -July 17 17:51:58 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-07-17 17:51:58 dmin -August 1 00:54:32 pfsp: The Host Detection alert uscipitl, start 2018-08-1 00:54:32 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its) -August 15 07:57:06 pfsp: Alert Test syslog message -August 29 14:59:40 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name "lo4293" labo -September 12 22:02:15 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla) -September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden -October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab -October 25 19:09:57 pfsp: The anomaly ntsunt id c8947b2b status liqua severity low classification utodita src 10.216.83.142/4365 iquidexe dst 10.224.198.212/2003 reseo start 2018-10-25 7:09:57 duration 2.919000 percent mquae rate consequa rateUnit moenimi protocol tcp flags icabo url https://example.net/con/preh.html?quamest=mac#qui -November 9 02:12:32 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips -November 23 09:15:06 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt -December 7 16:17:40 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation -December 21 23:20:14 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt -January 5 06:22:49 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo -January 19 13:25:23 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo -February 2 20:27:57 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor -February 17 03:30:32 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) -March 3 10:33:06 pfsp: Alert Test syslog message -March 17 17:35:40 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex -April 1 00:38:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu -April 15 07:40:49 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done -April 29 14:43:23 pfsp: Host Detection alert col, start 2019-04-29 14:43:23 mve, duration 177.586000, stop 2019-04-29 14:43:23 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq) -May 13 21:45:57 pfsp: script remipsum ran at 2019-05-13 21:45:57 , leader tempor -May 28 04:48:31 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela -June 11 11:51:06 uto: Test: Test syslog message -June 25 18:53:40 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol -July 10 01:56:14 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae -July 24 08:58:48 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom -August 7 16:01:23 pfsp: The Host Detection alert inBCSedu, start 2019-08-7 16:01:23 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab) -August 21 23:03:57 pfsp: Hardware failure on ntiu since 2019-08-21 23:03:57 GMT: radipisc -September 5 06:06:31 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu -September 19 13:09:05 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui -October 3 20:11:40 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis -October 18 03:14:14 fugits: Test: Test syslog message -November 1 10:16:48 pfsp: GRE tunnel restored for destination 10.226.51.191, leader magnid at 2019-11-01 10:16:48 adol -November 15 17:19:22 culpaqui: Change Log: Username:tvolup, Subsystem:tdolore, Setting Type:ventore, Message:red -November 30 00:21:57 pfsp: Alert Autoclassification was restarted on 2019-11-30 00:21:57 tatev by luptas -December 14 07:24:31 pfsp: Alert Device aev reachable again by controller inrepr at 2019-12-14 07:24:31 mol +June 5 21:33:08 pfsp: script ufugiatn ran at 2016-06-05 21:33:08 tionulam, leader uameius +June 20 04:35:42 pfsp: Alert Test syslog message +July 4 11:38:16 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci +July 18 18:40:50 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-18 18:40:50 tNequ +August 2 01:43:25 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap +August 16 08:45:59 pfsp: Alert script estqui ran at 2016-08-16 08:45:59 uasiarch, leader emaper +August 30 15:48:33 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis +September 13 22:51:07 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt +September 28 05:53:42 pfsp: Alert Autoclassification was restarted on 2016-09-28 05:53:42 atatnonp by uiano +October 12 12:56:16 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc +October 26 19:58:50 pfsp: Hardware failure on tatevel since 2016-10-26 19:58:50 GMT: abilloi +November 10 03:01:24 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name "lo5882" porainc +November 24 10:03:59 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name "lo4987" oluptate +December 8 17:06:33 pfsp: Alert Autoclassification was restarted on 2016-12-08 17:06:33 iam by qua +December 23 00:09:07 pfsp: Test syslog message +January 6 07:11:41 pfsp: Autoclassification was restarted on 2017-01-06 07:11:41 olupta by turveli +January 20 14:14:16 pfsp: Alert Autoclassification was restarted on 2017-01-20 14:14:16 ntutl by caecatc +February 3 21:16:50 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-02-03 21:16:50 lup +February 18 04:19:24 pfsp: Alert Hardware failure on aperi since 2017-02-18 04:19:24 GMT: lor +March 4 11:21:59 pfsp: The BGP Instability for router oin ended +March 18 18:24:33 pfsp: Hardware failure on ritatis done at 2017-03-18 18:24:33 oloremi GMT: pitla +April 2 01:27:07 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des +April 16 08:29:41 pfsp: Device tdolorem unreachable by controller ono since 2017-04-16 08:29:41 +April 30 15:32:16 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-30 15:32:16 lumquido +May 14 22:34:50 Lor: Test: Test syslog message +May 29 05:37:24 pfsp: Alert script modoco ran at 2017-05-29 05:37:24 , leader estqu +June 12 12:39:58 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae +June 26 19:42:33 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore +July 11 02:45:07 pfsp: Device mque reachable again by controller uovolup at 2017-07-11 02:45:07 samvolu +July 25 09:47:41 pfsp: The Host Detection alert eirure, start 2017-07-25 09:47:41 conseq, duration 38.117000, stop 2017-07-25 09:47:41 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui) +August 8 16:50:15 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol +August 22 23:52:50 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih) +September 6 06:55:24 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup +September 20 13:57:58 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv +October 4 21:00:32 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu +October 19 04:03:07 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-19 04:03:07 olor +November 2 11:05:41 pfsp: Alert Device xerc reachable again by controller iutali at 2017-11-02 11:05:41 fdeFi +November 16 18:08:15 pfsp: BGP down for router ati, leader tlabo since 2017-11-16 18:08:15 uames +December 1 01:10:49 pfsp: script offi ran at 2017-12-01 01:10:49 , leader giatnu +December 15 08:13:24 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte +December 29 15:15:58 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-29 15:15:58 dexea +January 12 22:18:32 pfsp: Test syslog message +January 27 05:21:06 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-27 05:21:06 litse +February 10 12:23:41 pfsp: Alert Host Detection alert sperna, start 2018-02-10 12:23:41 sintocc, duration 24.633000, stop 2018-02-10 12:23:41 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius) +February 24 19:26:15 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc +March 11 02:28:49 pfsp: BGP Instability for router iatisu ended +March 25 09:31:24 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven +April 8 16:33:58 pfsp: Test syslog message +April 22 23:36:32 Sedutp: Test: Test syslog message +May 7 06:39:06 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe +May 21 13:41:41 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse +June 4 20:44:15 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro +June 19 03:46:49 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-19 03:46:49 +July 3 10:49:23 pfsp: configuration was changed on leader natuse to version 1.4425 by ati +July 17 17:51:58 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name "enp0s4306" aturauto +August 1 00:54:32 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-01 00:54:32 dmin +August 15 07:57:06 pfsp: The Host Detection alert uscipitl, start 2018-08-15 07:57:06 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its) +August 29 14:59:40 pfsp: Alert Test syslog message +September 12 22:02:15 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name "lo4293" labo +September 27 05:04:49 pfsp: Alert script nre ran at 2018-09-27 05:04:49 veli, leader volupta +October 11 12:07:23 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla) +October 25 19:09:57 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden +November 9 02:12:32 pfsp: Device isis reachable again by controller uasiar at 2018-11-09 02:12:32 utlab +November 23 09:15:06 pfsp: Alert script dantium ran at 2018-11-23 09:15:06 lor, leader velillu +December 7 16:17:40 pfsp: The script tvolu ran at 2018-12-07 16:17:40 nreprehe, leader tetu +December 21 23:20:14 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips +January 5 06:22:49 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt +January 19 13:25:23 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation +February 2 20:27:57 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt +February 17 03:30:32 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo +March 3 10:33:06 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo +March 17 17:35:40 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor +April 1 00:38:14 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed) +April 15 07:40:49 pfsp: Alert Test syslog message +April 29 14:43:23 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex +May 13 21:45:57 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu +May 28 04:48:31 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done +June 11 11:51:06 pfsp: Host Detection alert col, start 2019-06-11 11:51:06 mve, duration 177.586000, stop 2019-06-11 11:51:06 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq) +June 25 18:53:40 pfsp: script remipsum ran at 2019-06-25 18:53:40 , leader tempor +July 10 01:56:14 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela +July 24 08:58:48 uto: Test: Test syslog message +August 7 16:01:23 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol +August 21 23:03:57 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae +September 5 06:06:31 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom +September 19 13:09:05 pfsp: The Host Detection alert inBCSedu, start 2019-09-19 13:09:05 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab) +October 3 20:11:40 pfsp: Hardware failure on ntiu since 2019-10-03 20:11:40 GMT: radipisc +October 18 03:14:14 pfsp: script vitaed ran at 2019-10-18 03:14:14 ser, leader etconsec +November 1 10:16:48 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu +November 15 17:19:22 pfsp: Alert script msequ ran at 2019-11-15 17:19:22 uat, leader lupta +November 30 00:21:57 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui +December 14 07:24:31 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 2ac0d3443e7a..9225c96180a5 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -212,16 +212,40 @@ "user.name": "anti" }, { - "event.code": "Test", + "event.action": "Script mitigation", + "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 5 21:33:08 pfsp: Alert Test syslog message", + "event.original": "June 5 21:33:08 pfsp: script ufugiatn ran at 2016-06-05 21:33:08 tionulam, leader uameius", "fileset.name": "sightline", "input.type": "log", "log.offset": 1002, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "ufugiatn", + "rsa.misc.parent_node": "uameius", + "rsa.time.starttime": "2016-06-05T23:33:08.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, + { + "event.code": "Test", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "June 20 04:35:42 pfsp: Alert Test syslog message", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1092, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", "rsa.internal.messageid": "Test", "service.type": "netscout", "tags": [ @@ -233,10 +257,10 @@ "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 20 04:35:42 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", + "event.original": "July 4 11:38:16 pfsp: configuration was changed on leader uipexea to version 1.5162 by nci", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1050, + "log.offset": 1141, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -259,10 +283,10 @@ "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 4 11:38:16 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-04 11:38:16 tNequ", + "event.original": "July 18 18:40:50 pfsp: The SNMP restored for router mvolu, leader radip at 2016-07-18 18:40:50 tNequ", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1142, + "log.offset": 1232, "network.protocol": "SNMP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -270,7 +294,7 @@ "rsa.internal.messageid": "SNMP", "rsa.misc.node": "mvolu", "rsa.misc.parent_node": "radip", - "rsa.time.endtime": "2016-07-04T13:38:16.000Z", + "rsa.time.endtime": "2016-07-18T20:40:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -281,11 +305,11 @@ "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 18 18:40:50 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", + "event.original": "August 2 01:43:25 tatno: Protection Mode: Changed protection mode to active for protection groupdquiac,URL:https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap", "fileset.name": "sightline", "group.name": "dquiac", "input.type": "log", - "log.offset": 1243, + "log.offset": 1333, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -301,6 +325,30 @@ ], "url.original": "https://mail.example.net/uam/untutl.jpg?llu=uptassi#tamremap" }, + { + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "August 16 08:45:59 pfsp: Alert script estqui ran at 2016-08-16 08:45:59 uasiarch, leader emaper", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 1501, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "estqui", + "rsa.misc.parent_node": "emaper", + "rsa.time.starttime": "2016-08-16T10:45:59.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, { "destination.ip": [ "10.155.162.162" @@ -308,17 +356,17 @@ "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 2 01:43:25 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", + "event.original": "August 30 15:48:33 eum: Blocked Host: Blocked host10.66.171.247atsitby Blocked Countries usingudpdestination10.155.162.162,URL:https://www5.example.org/seq/olorema.jpg?quid=fug#uatDuis", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1410, + "log.offset": 1597, "network.protocol": "udp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.155.162.162", - "10.66.171.247" + "10.66.171.247", + "10.155.162.162" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -338,10 +386,10 @@ "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 16 08:45:59 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", + "event.original": "September 13 22:51:07 pfsp: Alert TMS 'eip' fault for resource 'lupta' on TMS iusmodt", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1594, + "log.offset": 1782, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -360,10 +408,10 @@ "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 30 15:48:33 pfsp: Alert Autoclassification was restarted on 2016-08-30 15:48:33 atatnonp by uiano", + "event.original": "September 28 05:53:42 pfsp: Alert Autoclassification was restarted on 2016-09-28 05:53:42 atatnonp by uiano", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1677, + "log.offset": 1868, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -372,7 +420,7 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-08-30T17:48:33.000Z", + "rsa.time.starttime": "2016-09-28T07:53:42.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -387,17 +435,17 @@ "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 13 22:51:07 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", + "event.original": "October 12 12:56:16 temq: Blocked Host: Blocked host10.38.77.13ataquaeabby Blocked Countries usingipv6-icmpdestination10.179.26.34,URL:https://example.org/isiu/nimadmi.gif?ari=equun#suntinc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1782, + "log.offset": 1976, "network.protocol": "ipv6-icmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.38.77.13", - "10.179.26.34" + "10.179.26.34", + "10.38.77.13" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -416,17 +464,17 @@ "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 28 05:53:42 pfsp: Hardware failure on tatevel since 2016-09-28 05:53:42 GMT: abilloi", + "event.original": "October 26 19:58:50 pfsp: Hardware failure on tatevel since 2016-10-26 19:58:50 GMT: abilloi", "fileset.name": "sightline", "input.type": "log", - "log.offset": 1974, + "log.offset": 2166, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "abilloi", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "tatevel", - "rsa.time.starttime": "2016-09-28T07:53:42.000Z", + "rsa.time.starttime": "2016-10-26T21:58:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -437,11 +485,11 @@ "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 12 12:56:16 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", + "event.original": "November 10 03:01:24 pfsp: The anomaly ore id 2933 status tsed severity very-high classification enimad router incididu router_name eci interface aali interface_name \"lo5882\" porainc", "fileset.name": "sightline", "input.type": "log", "log.level": "very-high", - "log.offset": 2069, + "log.offset": 2259, "network.interface.name": "lo5882", "observer.product": "Arbor", "observer.type": "DDOS", @@ -464,11 +512,11 @@ "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 26 19:58:50 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", + "event.original": "November 24 10:03:59 moll: anomaly: anomaly Bandwidth id 2902 status inim severity high classification deomni router tquovol router_name ntsuntin interface aecatcup interface_name \"lo4987\" oluptate", "fileset.name": "sightline", "input.type": "log", "log.level": "high", - "log.offset": 2251, + "log.offset": 2442, "network.interface.name": "lo4987", "observer.product": "Arbor", "observer.type": "DDOS", @@ -491,10 +539,10 @@ "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 10 03:01:24 pfsp: Alert Autoclassification was restarted on 2016-11-10 03:01:24 iam by qua", + "event.original": "December 8 17:06:33 pfsp: Alert Autoclassification was restarted on 2016-12-08 17:06:33 iam by qua", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2448, + "log.offset": 2640, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -503,7 +551,7 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-11-10T05:01:24.000Z", + "rsa.time.starttime": "2016-12-08T19:06:33.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -515,10 +563,10 @@ "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 24 10:03:59 pfsp: Test syslog message", + "event.original": "December 23 00:09:07 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2548, + "log.offset": 2739, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -533,10 +581,10 @@ "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 8 17:06:33 pfsp: Autoclassification was restarted on 2016-12-08 17:06:33 olupta by turveli", + "event.original": "January 6 07:11:41 pfsp: Autoclassification was restarted on 2017-01-06 07:11:41 olupta by turveli", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2595, + "log.offset": 2786, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -545,7 +593,7 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-12-08T19:06:33.000Z", + "rsa.time.starttime": "2017-01-06T09:11:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -557,10 +605,10 @@ "event.code": "Autoclassification", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 23 00:09:07 pfsp: Alert Autoclassification was restarted on 2016-12-23 00:09:07 ntutl by caecatc", + "event.original": "January 20 14:14:16 pfsp: Alert Autoclassification was restarted on 2017-01-20 14:14:16 ntutl by caecatc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2695, + "log.offset": 2885, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -569,7 +617,7 @@ ], "rsa.internal.event_desc": "Autoclassification restarted", "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2016-12-23T02:09:07.000Z", + "rsa.time.starttime": "2017-01-20T16:14:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -584,10 +632,10 @@ "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 6 07:11:41 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-01-06 07:11:41 lup", + "event.original": "February 3 21:16:50 pfsp: Alert GRE tunnel restored for destination 10.224.68.213, leader taed at 2017-02-03 21:16:50 lup", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2801, + "log.offset": 2990, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -596,7 +644,7 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "taed", - "rsa.time.endtime": "2017-01-06T09:11:41.000Z", + "rsa.time.endtime": "2017-02-03T23:16:50.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -607,17 +655,17 @@ "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 20 14:14:16 pfsp: Alert Hardware failure on aperi since 2017-01-20 14:14:16 GMT: lor", + "event.original": "February 18 04:19:24 pfsp: Alert Hardware failure on aperi since 2017-02-18 04:19:24 GMT: lor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 2922, + "log.offset": 3112, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "lor", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "aperi", - "rsa.time.starttime": "2017-01-20T16:14:16.000Z", + "rsa.time.starttime": "2017-02-18T06:19:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -628,10 +676,10 @@ "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 3 21:16:50 pfsp: The BGP Instability for router oin ended", + "event.original": "March 4 11:21:59 pfsp: The BGP Instability for router oin ended", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3015, + "log.offset": 3206, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -648,17 +696,17 @@ "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 18 04:19:24 pfsp: Hardware failure on ritatis done at 2017-02-18 04:19:24 oloremi GMT: pitla", + "event.original": "March 18 18:24:33 pfsp: Hardware failure on ritatis done at 2017-03-18 18:24:33 oloremi GMT: pitla", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3083, + "log.offset": 3270, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "pitla", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "ritatis", - "rsa.time.endtime": "2017-02-18T06:19:24.000Z", + "rsa.time.endtime": "2017-03-18T20:24:33.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -669,10 +717,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 4 11:21:59 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", + "event.original": "April 2 01:27:07 eomnisis: Change Log: Username:mqui, Subsystem:civeli, Setting Type:errorsi, Message:des", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3185, + "log.offset": 3369, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -693,17 +741,17 @@ "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 18 18:24:33 pfsp: Device tdolorem unreachable by controller ono since 2017-03-18 18:24:33", + "event.original": "April 16 08:29:41 pfsp: Device tdolorem unreachable by controller ono since 2017-04-16 08:29:41", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3291, + "log.offset": 3475, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "tdolorem", "rsa.misc.parent_node": "ono", - "rsa.time.starttime": "2017-03-18T20:24:33.000Z", + "rsa.time.starttime": "2017-04-16T10:29:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -717,10 +765,10 @@ "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 2 01:27:07 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-02 01:27:07 lumquido", + "event.original": "April 30 15:32:16 pfsp: The GRE tunnel down for destination 10.60.185.151, leader uidolo since 2017-04-30 15:32:16 lumquido", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3387, + "log.offset": 3571, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -729,7 +777,7 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "uidolo", - "rsa.time.starttime": "2017-04-02T03:27:07.000Z", + "rsa.time.starttime": "2017-04-30T17:32:16.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -740,10 +788,10 @@ "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 16 08:29:41 Lor: Test: Test syslog message", + "event.original": "May 14 22:34:50 Lor: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3510, + "log.offset": 3695, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -759,10 +807,10 @@ "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 30 15:32:16 pfsp: Alert script modoco ran at 2017-04-30 15:32:16 , leader estqu", + "event.original": "May 29 05:37:24 pfsp: Alert script modoco ran at 2017-05-29 05:37:24 , leader estqu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3559, + "log.offset": 3742, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -771,7 +819,7 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "modoco", "rsa.misc.parent_node": "estqu", - "rsa.time.starttime": "2017-04-30T17:32:16.000Z", + "rsa.time.starttime": "2017-05-29T07:37:24.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -782,11 +830,11 @@ "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 14 22:34:50 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", + "event.original": "June 12 12:39:58 intoccae: Protection Mode: Changed protection mode to active for protection groupents,URL:https://www.example.net/nse/sinto.gif?CSed=lupt#psaquae", "fileset.name": "sightline", "group.name": "ents", "input.type": "log", - "log.offset": 3647, + "log.offset": 3826, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -806,10 +854,10 @@ "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 29 05:37:24 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", + "event.original": "June 26 19:42:33 pfsp: The BGP Trap reetd: Prefix lumqui itinvo mdolore", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3809, + "log.offset": 3989, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -827,17 +875,17 @@ "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 12 12:39:58 pfsp: Device mque reachable again by controller uovolup at 2017-06-12 12:39:58 samvolu", + "event.original": "July 11 02:45:07 pfsp: Device mque reachable again by controller uovolup at 2017-07-11 02:45:07 samvolu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 3881, + "log.offset": 4061, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "mque", "rsa.misc.parent_node": "uovolup", - "rsa.time.endtime": "2017-06-12T14:39:58.000Z", + "rsa.time.endtime": "2017-07-11T04:45:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -848,11 +896,11 @@ "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 26 19:42:33 pfsp: The Host Detection alert eirure, start 2017-06-26 19:42:33 conseq, duration 38.117000, stop 2017-06-26 19:42:33 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", + "event.original": "July 25 09:47:41 pfsp: The Host Detection alert eirure, start 2017-07-25 09:47:41 conseq, duration 38.117000, stop 2017-07-25 09:47:41 mpori, , importance very-high, managed_objects (atu), is now unknown, (parent managed object lpaqui)", "fileset.name": "sightline", "input.type": "log", "log.level": "very-high", - "log.offset": 3985, + "log.offset": 4165, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -860,8 +908,8 @@ "rsa.misc.result": "unknown", "rsa.misc.severity": "very-high", "rsa.time.duration_time": 38.117, - "rsa.time.endtime": "2017-06-26T21:42:33.000Z", - "rsa.time.starttime": "2017-06-26T21:42:33.000Z", + "rsa.time.endtime": "2017-07-25T11:47:41.000Z", + "rsa.time.starttime": "2017-07-25T11:47:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -872,10 +920,10 @@ "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 11 02:45:07 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", + "event.original": "August 8 16:50:15 pfsp: BGP Trap doloremi: Prefix luptasn hitect dol", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4221, + "log.offset": 4401, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -893,10 +941,10 @@ "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 25 09:47:41 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", + "event.original": "August 22 23:52:50 nsecte: BGP: ipv6 instability router tincu threshold ari (exercit) observed sci (quamnih)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4290, + "log.offset": 4470, "network.protocol": "ipv6", "observer.product": "Arbor", "observer.type": "DDOS", @@ -914,11 +962,11 @@ "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 8 16:50:15 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", + "event.original": "September 6 06:55:24 emoe: Protection Mode: Changed protection mode to active for protection groupeaq,URL:https://mail.example.net/corp/modtemp.jpg?oluptas=tNequepo#lup", "fileset.name": "sightline", "group.name": "eaq", "input.type": "log", - "log.offset": 4397, + "log.offset": 4579, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -938,10 +986,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 22 23:52:50 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", + "event.original": "September 20 13:57:58 evita: Change Log: Username:suntexp, Subsystem:duntut, Setting Type:magni, Message:pisciv", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4563, + "log.offset": 4748, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -965,17 +1013,17 @@ "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 6 06:55:24 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", + "event.original": "October 4 21:00:32 radipisc: Blocked Host: Blocked host10.136.232.108atabiby Blocked Countries usingrdpdestination10.168.131.247,URL:https://example.net/temqu/edol.jpg?ipi=reseos#pariatu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4672, + "log.offset": 4860, "network.protocol": "rdp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.136.232.108", - "10.168.131.247" + "10.168.131.247", + "10.136.232.108" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -997,10 +1045,10 @@ "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 20 13:57:58 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-09-20 13:57:58 olor", + "event.original": "October 19 04:03:07 pfsp: GRE tunnel restored for destination 10.209.182.237, leader tper at 2017-10-19 04:03:07 olor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4861, + "log.offset": 5047, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1009,7 +1057,7 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "tper", - "rsa.time.endtime": "2017-09-20T15:57:58.000Z", + "rsa.time.endtime": "2017-10-19T06:03:07.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1020,17 +1068,17 @@ "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 4 21:00:32 pfsp: Alert Device xerc reachable again by controller iutali at 2017-10-04 21:00:32 fdeFi", + "event.original": "November 2 11:05:41 pfsp: Alert Device xerc reachable again by controller iutali at 2017-11-02 11:05:41 fdeFi", "fileset.name": "sightline", "input.type": "log", - "log.offset": 4981, + "log.offset": 5165, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "xerc", "rsa.misc.parent_node": "iutali", - "rsa.time.endtime": "2017-10-04T23:00:32.000Z", + "rsa.time.endtime": "2017-11-02T13:05:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1041,10 +1089,10 @@ "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 19 04:03:07 pfsp: BGP down for router ati, leader tlabo since 2017-10-19 04:03:07 uames", + "event.original": "November 16 18:08:15 pfsp: BGP down for router ati, leader tlabo since 2017-11-16 18:08:15 uames", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5090, + "log.offset": 5275, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1052,7 +1100,7 @@ "rsa.internal.messageid": "BGP", "rsa.misc.node": "ati", "rsa.misc.parent_node": "tlabo", - "rsa.time.starttime": "2017-10-19T06:03:07.000Z", + "rsa.time.starttime": "2017-11-16T20:08:15.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1064,10 +1112,10 @@ "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 2 11:05:41 pfsp: script offi ran at 2017-11-02 11:05:41 , leader giatnu", + "event.original": "December 1 01:10:49 pfsp: script offi ran at 2017-12-01 01:10:49 , leader giatnu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5187, + "log.offset": 5372, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1076,53 +1124,13 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "offi", "rsa.misc.parent_node": "giatnu", - "rsa.time.starttime": "2017-11-02T13:05:41.000Z", + "rsa.time.starttime": "2017-12-01T03:10:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" ] }, - { - "destination.ip": [ - "10.128.31.83" - ], - "destination.port": 2346, - "event.code": "anomaly", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 16 18:08:15 pfsp: Alert anomaly ncidid id 6f3fd2c5 status uamei severity very-high classification aera src 10.128.31.83/2346 nimid dst 10.97.164.220/6205 uptasn start 2017-11-16 6:08:15 duration 50.929000 percent issus rate osamn rateUnit isnisiu protocol udp flags pre url https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata", - "fileset.name": "sightline", - "input.type": "log", - "log.level": "very-high", - "log.offset": 5270, - "network.protocol": "udp", - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.ip": [ - "10.128.31.83", - "10.97.164.220" - ], - "rsa.internal.messageid": "anomaly", - "rsa.misc.category": "aera", - "rsa.misc.disposition": "uamei", - "rsa.misc.event_id": "6f3fd2c5", - "rsa.misc.policy_name": "ncidid", - "rsa.misc.severity": "very-high", - "rsa.time.duration_time": 50.929, - "rsa.time.starttime": "2017-11-16T08:08:15.000Z", - "service.type": "netscout", - "source.ip": [ - "10.97.164.220" - ], - "source.port": 6205, - "tags": [ - "netscout.sightline", - "forwarded" - ], - "url.original": "https://internal.example.org/stlabo/dictasu.gif?catc=nsect#idata" - }, { "destination.ip": [ "10.163.161.165" @@ -1130,10 +1138,10 @@ "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 1 01:10:49 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte", + "event.original": "December 15 08:13:24 untex: Blocked Host: Blocked host10.83.23.104attisetqby Blocked Countries usingrdpdestination10.163.161.165,URL:https://www5.example.org/atem/gnido.txt?tmollita=fde#nsecte", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5621, + "log.offset": 5453, "network.protocol": "rdp", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1162,10 +1170,10 @@ "event.code": "GRE", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 15 08:13:24 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-15 08:13:24 dexea", + "event.original": "December 29 15:15:58 pfsp: GRE tunnel restored for destination 10.53.248.4, leader derit at 2017-12-29 15:15:58 dexea", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5813, + "log.offset": 5646, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1174,7 +1182,7 @@ ], "rsa.internal.messageid": "GRE", "rsa.misc.parent_node": "derit", - "rsa.time.endtime": "2017-12-15T10:13:24.000Z", + "rsa.time.endtime": "2017-12-29T17:15:58.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1185,10 +1193,10 @@ "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 29 15:15:58 pfsp: Test syslog message", + "event.original": "January 12 22:18:32 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5931, + "log.offset": 5764, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1203,17 +1211,17 @@ "event.code": "Flow", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 12 22:18:32 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-12 22:18:32 litse", + "event.original": "January 27 05:21:06 pfsp: Alert Flow down for router tessec, leader olupta since 2018-01-27 05:21:06 litse", "fileset.name": "sightline", "input.type": "log", - "log.offset": 5978, + "log.offset": 5810, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Flow", "rsa.misc.node": "tessec", "rsa.misc.parent_node": "olupta", - "rsa.time.starttime": "2018-01-13T00:18:32.000Z", + "rsa.time.starttime": "2018-01-27T07:21:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1224,11 +1232,11 @@ "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 27 05:21:06 pfsp: Alert Host Detection alert sperna, start 2018-01-27 05:21:06 sintocc, duration 24.633000, stop 2018-01-27 05:21:06 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", + "event.original": "February 10 12:23:41 pfsp: Alert Host Detection alert sperna, start 2018-02-10 12:23:41 sintocc, duration 24.633000, stop 2018-02-10 12:23:41 scivelit, , importance medium, managed_objects (ehen), is now success, (parent managed object quameius)", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 6085, + "log.offset": 5917, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1236,8 +1244,8 @@ "rsa.misc.result": "success", "rsa.misc.severity": "medium", "rsa.time.duration_time": 24.633, - "rsa.time.endtime": "2018-01-27T07:21:06.000Z", - "rsa.time.starttime": "2018-01-27T07:21:06.000Z", + "rsa.time.endtime": "2018-02-10T14:23:41.000Z", + "rsa.time.starttime": "2018-02-10T14:23:41.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1248,10 +1256,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 10 12:23:41 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", + "event.original": "February 24 19:26:15 ate: Change Log: Username:uiac, Subsystem:epte, Setting Type:idolo, Message:quinesc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6330, + "log.offset": 6163, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1272,10 +1280,10 @@ "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 24 19:26:15 pfsp: BGP Instability for router iatisu ended", + "event.original": "March 11 02:28:49 pfsp: BGP Instability for router iatisu ended", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6435, + "log.offset": 6268, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1292,10 +1300,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 11 02:28:49 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", + "event.original": "March 25 09:31:24 evolu: Change Log: Username:ersp, Subsystem:tquov, Setting Type:diconseq, Message:inven", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6503, + "log.offset": 6332, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1316,10 +1324,10 @@ "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 25 09:31:24 pfsp: Test syslog message", + "event.original": "April 8 16:33:58 pfsp: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6609, + "log.offset": 6438, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1334,10 +1342,10 @@ "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 8 16:33:58 Sedutp: Test: Test syslog message", + "event.original": "April 22 23:36:32 Sedutp: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6653, + "log.offset": 6481, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1352,10 +1360,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 22 23:36:32 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", + "event.original": "May 7 06:39:06 ema: Change Log: Username:rsitv, Subsystem:iciade, Setting Type:ntiumt, Message:iquipe", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6704, + "log.offset": 6533, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1376,11 +1384,11 @@ "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 7 06:39:06 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", + "event.original": "May 21 13:41:41 quin: Protection Mode: Changed protection mode to active for protection groupupida,URL:https://api.example.com/eufugi/pici.html?ccaecat=tquiin#tse", "fileset.name": "sightline", "group.name": "upida", "input.type": "log", - "log.offset": 6809, + "log.offset": 6635, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1400,10 +1408,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 21 13:41:41 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", + "event.original": "June 4 20:44:15 minimav: Change Log: Username:udexerci, Subsystem:naal, Setting Type:lore, Message:tnonpro", "fileset.name": "sightline", "input.type": "log", - "log.offset": 6971, + "log.offset": 6798, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1424,17 +1432,17 @@ "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 4 20:44:15 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-04 20:44:15", + "event.original": "June 19 03:46:49 pfsp: The Device illoin unreachable by controller tanimid since 2018-06-19 03:46:49", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7078, + "log.offset": 6905, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "illoin", "rsa.misc.parent_node": "tanimid", - "rsa.time.starttime": "2018-06-04T22:44:15.000Z", + "rsa.time.starttime": "2018-06-19T05:46:49.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1445,10 +1453,10 @@ "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 19 03:46:49 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", + "event.original": "July 3 10:49:23 pfsp: configuration was changed on leader natuse to version 1.4425 by ati", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7178, + "log.offset": 7006, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1471,11 +1479,11 @@ "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 3 10:49:23 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", + "event.original": "July 17 17:51:58 boree: anomaly: anomaly Bandwidth id 2366 status queips severity low classification itess router iscinge router_name ofdeFini interface irat interface_name \"enp0s4306\" aturauto", "fileset.name": "sightline", "input.type": "log", "log.level": "low", - "log.offset": 7269, + "log.offset": 7096, "network.interface.name": "enp0s4306", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1498,10 +1506,10 @@ "event.code": "SNMP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 17 17:51:58 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-07-17 17:51:58 dmin", + "event.original": "August 1 00:54:32 pfsp: SNMP restored for router entsunt, leader ihilm at 2018-08-01 00:54:32 dmin", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7462, + "log.offset": 7290, "network.protocol": "SNMP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1509,7 +1517,7 @@ "rsa.internal.messageid": "SNMP", "rsa.misc.node": "entsunt", "rsa.misc.parent_node": "ihilm", - "rsa.time.endtime": "2018-07-17T19:51:58.000Z", + "rsa.time.endtime": "2018-08-01T02:54:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1520,11 +1528,11 @@ "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 1 00:54:32 pfsp: The Host Detection alert uscipitl, start 2018-08-1 00:54:32 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", + "event.original": "August 15 07:57:06 pfsp: The Host Detection alert uscipitl, start 2018-08-15 07:57:06 uia, duration 29.657000, direction internal, host 10.54.49.84, signatures (ciad), impact tali, importance medium, managed_objects (mexe), (parent managed object its)", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 7561, + "log.offset": 7389, "network.direction": "internal", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1536,7 +1544,7 @@ "rsa.misc.policy_name": "ciad", "rsa.misc.severity": "medium", "rsa.time.duration_time": 29.657, - "rsa.time.starttime": "2018-08-01T02:54:32.000Z", + "rsa.time.starttime": "2018-08-15T09:57:06.000Z", "service.type": "netscout", "source.ip": [ "10.54.49.84" @@ -1550,10 +1558,10 @@ "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 15 07:57:06 pfsp: Alert Test syslog message", + "event.original": "August 29 14:59:40 pfsp: Alert Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 7811, + "log.offset": 7641, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1568,11 +1576,11 @@ "event.code": "anomaly", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 29 14:59:40 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", + "event.original": "September 12 22:02:15 pfsp: anomaly Bandwidth id 5089 status commodo severity medium classification tutlab router sau router_name atevelit interface meius interface_name \"lo4293\" labo", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 7862, + "log.offset": 7692, "network.interface.name": "lo4293", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1591,14 +1599,38 @@ "forwarded" ] }, + { + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "September 27 05:04:49 pfsp: Alert script nre ran at 2018-09-27 05:04:49 veli, leader volupta", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 7876, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "nre", + "rsa.misc.parent_node": "volupta", + "rsa.time.starttime": "2018-09-27T07:04:49.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] + }, { "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 12 22:02:15 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla)", + "event.original": "October 11 12:07:23 pfsp: The BGP instability router uptate threshold mac (iumdol) observed tpersp (stla)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8043, + "log.offset": 7969, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1617,10 +1649,10 @@ "event.code": "TMS", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 27 05:04:49 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", + "event.original": "October 25 19:09:57 pfsp: Alert TMS 'tem' fault for resource 'dol' on TMS proiden", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8152, + "log.offset": 8075, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1639,17 +1671,17 @@ "event.code": "Device", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 11 12:07:23 pfsp: Device isis reachable again by controller uasiar at 2018-10-11 12:07:23 utlab", + "event.original": "November 9 02:12:32 pfsp: Device isis reachable again by controller uasiar at 2018-11-09 02:12:32 utlab", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8236, + "log.offset": 8157, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.messageid": "Device", "rsa.misc.node": "isis", "rsa.misc.parent_node": "uasiar", - "rsa.time.endtime": "2018-10-11T14:07:23.000Z", + "rsa.time.endtime": "2018-11-09T04:12:32.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -1657,44 +1689,52 @@ ] }, { - "destination.ip": [ - "10.216.83.142" - ], - "destination.port": 4365, - "event.code": "anomaly", + "event.action": "Script mitigation", + "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 25 19:09:57 pfsp: The anomaly ntsunt id c8947b2b status liqua severity low classification utodita src 10.216.83.142/4365 iquidexe dst 10.224.198.212/2003 reseo start 2018-10-25 7:09:57 duration 2.919000 percent mquae rate consequa rateUnit moenimi protocol tcp flags icabo url https://example.net/con/preh.html?quamest=mac#qui", + "event.original": "November 23 09:15:06 pfsp: Alert script dantium ran at 2018-11-23 09:15:06 lor, leader velillu", "fileset.name": "sightline", "input.type": "log", - "log.level": "low", - "log.offset": 8340, - "network.protocol": "tcp", + "log.offset": 8261, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.ip": [ - "10.224.198.212", - "10.216.83.142" - ], - "rsa.internal.messageid": "anomaly", - "rsa.misc.category": "utodita", - "rsa.misc.disposition": "liqua", - "rsa.misc.event_id": "c8947b2b", - "rsa.misc.policy_name": "ntsunt", - "rsa.misc.severity": "low", - "rsa.time.duration_time": 2.919, - "rsa.time.starttime": "2018-10-25T09:09:57.000Z", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "dantium", + "rsa.misc.parent_node": "velillu", + "rsa.time.starttime": "2018-11-23T11:15:06.000Z", "service.type": "netscout", - "source.ip": [ - "10.224.198.212" - ], - "source.port": 2003, "tags": [ "netscout.sightline", "forwarded" - ], - "url.original": "https://example.net/con/preh.html?quamest=mac#qui" + ] + }, + { + "event.action": "Script mitigation", + "event.code": "script", + "event.dataset": "netscout.sightline", + "event.module": "netscout", + "event.original": "December 7 16:17:40 pfsp: The script tvolu ran at 2018-12-07 16:17:40 nreprehe, leader tetu", + "fileset.name": "sightline", + "input.type": "log", + "log.offset": 8356, + "observer.product": "Arbor", + "observer.type": "DDOS", + "observer.vendor": "Netscout", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "tvolu", + "rsa.misc.parent_node": "tetu", + "rsa.time.starttime": "2018-12-07T18:17:40.000Z", + "service.type": "netscout", + "tags": [ + "netscout.sightline", + "forwarded" + ] }, { "destination.ip": [ @@ -1703,10 +1743,10 @@ "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 9 02:12:32 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips", + "event.original": "December 21 23:20:14 temporin: Blocked Host: Blocked host10.122.76.148atmiuby Blocked Countries usingipv6-icmpdestination10.28.226.128,URL:https://mail.example.org/idunt/luptat.txt?ica=lillum#remips", "fileset.name": "sightline", "input.type": "log", - "log.offset": 8678, + "log.offset": 8448, "network.protocol": "ipv6-icmp", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1732,11 +1772,11 @@ "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 23 09:15:06 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", + "event.original": "January 5 06:22:49 cola: Protection Mode: Changed protection mode to active for protection groupamcor,URL:https://internal.example.com/ineavol/iosa.html?usc=rem#amvolupt", "fileset.name": "sightline", "group.name": "amcor", "input.type": "log", - "log.offset": 8876, + "log.offset": 8647, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1756,11 +1796,11 @@ "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 7 16:17:40 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", + "event.original": "January 19 13:25:23 mnis: Protection Mode: Changed protection mode to active for protection groupequepor,URL:https://internal.example.org/quaUten/nisiut.txt?teturad=perspici#itation", "fileset.name": "sightline", "group.name": "equepor", "input.type": "log", - "log.offset": 9048, + "log.offset": 8817, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1780,11 +1820,11 @@ "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "December 21 23:20:14 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", + "event.original": "February 2 20:27:57 nimave: Protection Mode: Changed protection mode to active for protection groupisciv,URL:https://mail.example.org/nofd/dipisci.txt?ilmol=eri#quunt", "fileset.name": "sightline", "group.name": "isciv", "input.type": "log", - "log.offset": 9230, + "log.offset": 8999, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1807,10 +1847,10 @@ "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 5 06:22:49 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", + "event.original": "February 17 03:30:32 iosamnis: Blocked Host: Blocked host10.31.177.226atdeserunby Blocked Countries usingggpdestination10.98.209.10,URL:https://www.example.org/ptateve/enderi.html?toccaec=fugi#labo", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9398, + "log.offset": 9166, "network.protocol": "ggp", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1839,17 +1879,17 @@ "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "January 19 13:25:23 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "event.original": "March 3 10:33:06 estl: Blocked Host: Blocked host10.44.47.27atmmodocby Blocked Countries usingigmpdestination10.179.210.218,URL:https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9594, + "log.offset": 9364, "network.protocol": "igmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.179.210.218", - "10.44.47.27" + "10.44.47.27", + "10.179.210.218" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1868,10 +1908,10 @@ "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 2 20:27:57 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", + "event.original": "March 17 17:35:40 pfsp: Alert configuration was changed on leader emvele to version 1.2883 by lor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9795, + "log.offset": 9562, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1894,10 +1934,10 @@ "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "February 17 03:30:32 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", + "event.original": "April 1 00:38:14 pfsp: Alert BGP instability router iquamqua threshold sit (rumSect) observed ita (vitaed)", "fileset.name": "sightline", "input.type": "log", - "log.offset": 9895, + "log.offset": 9660, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -1915,10 +1955,10 @@ "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 3 10:33:06 pfsp: Alert Test syslog message", + "event.original": "April 15 07:40:49 pfsp: Alert Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10007, + "log.offset": 9767, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1933,10 +1973,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "March 17 17:35:40 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", + "event.original": "April 29 14:43:23 numquam: Change Log: Username:tMal, Subsystem:ommodo, Setting Type:uptat, Message:idex", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10056, + "log.offset": 9817, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1957,10 +1997,10 @@ "event.code": "configuration", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 1 00:38:14 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", + "event.original": "May 13 21:45:57 pfsp: Alert configuration was changed on leader maveni to version 1.2552 by onu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10161, + "log.offset": 9922, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -1983,10 +2023,10 @@ "event.code": "BGP", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 15 07:40:49 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", + "event.original": "May 28 04:48:31 pfsp: Alert BGP Hijack for prefix tlaboree router norumet done", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10258, + "log.offset": 10018, "network.protocol": "BGP", "observer.product": "Arbor", "observer.type": "DDOS", @@ -2003,11 +2043,11 @@ "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "April 29 14:43:23 pfsp: Host Detection alert col, start 2019-04-29 14:43:23 mve, duration 177.586000, stop 2019-04-29 14:43:23 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", + "event.original": "June 11 11:51:06 pfsp: Host Detection alert col, start 2019-06-11 11:51:06 mve, duration 177.586000, stop 2019-06-11 11:51:06 tinvolup, , importance very-high, managed_objects (Sedutpe), is now failure, (parent managed object rroq)", "fileset.name": "sightline", "input.type": "log", "log.level": "very-high", - "log.offset": 10340, + "log.offset": 10097, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2015,8 +2055,8 @@ "rsa.misc.result": "failure", "rsa.misc.severity": "very-high", "rsa.time.duration_time": 177.586, - "rsa.time.endtime": "2019-04-29T16:43:23.000Z", - "rsa.time.starttime": "2019-04-29T16:43:23.000Z", + "rsa.time.endtime": "2019-06-11T13:51:06.000Z", + "rsa.time.starttime": "2019-06-11T13:51:06.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2028,10 +2068,10 @@ "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 13 21:45:57 pfsp: script remipsum ran at 2019-05-13 21:45:57 , leader tempor", + "event.original": "June 25 18:53:40 pfsp: script remipsum ran at 2019-06-25 18:53:40 , leader tempor", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10573, + "log.offset": 10329, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2040,7 +2080,7 @@ "rsa.misc.event_type": "Script mitigation", "rsa.misc.node": "remipsum", "rsa.misc.parent_node": "tempor", - "rsa.time.starttime": "2019-05-13T23:45:57.000Z", + "rsa.time.starttime": "2019-06-25T20:53:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2051,10 +2091,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "May 28 04:48:31 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela", + "event.original": "July 10 01:56:14 ccae: Change Log: Username:orroqu, Subsystem:elitsed, Setting Type:labore, Message:uela", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10656, + "log.offset": 10411, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2075,10 +2115,10 @@ "event.code": "Test", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 11 11:51:06 uto: Test: Test syslog message", + "event.original": "July 24 08:58:48 uto: Test: Test syslog message", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10760, + "log.offset": 10516, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2093,10 +2133,10 @@ "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "June 25 18:53:40 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol", + "event.original": "August 7 16:01:23 remq: Change Log: Username:veniamq, Subsystem:occ, Setting Type:oloreseo, Message:iruredol", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10808, + "log.offset": 10564, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2120,17 +2160,17 @@ "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 10 01:56:14 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae", + "event.original": "August 21 23:03:57 cupi: Blocked Host: Blocked host10.151.129.181atduntby Blocked Countries usingggpdestination10.55.156.64,URL:https://www.example.net/itanim/nesciun.txt?mollita=tatem#iae", "fileset.name": "sightline", "input.type": "log", - "log.offset": 10916, + "log.offset": 10673, "network.protocol": "ggp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.55.156.64", - "10.151.129.181" + "10.151.129.181", + "10.55.156.64" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -2149,11 +2189,11 @@ "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "July 24 08:58:48 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom", + "event.original": "September 5 06:06:31 eumi: Protection Mode: Changed protection mode to active for protection groupquasiarc,URL:https://www.example.net/rever/ore.jpg?oluptat=metco#acom", "fileset.name": "sightline", "group.name": "quasiarc", "input.type": "log", - "log.offset": 11103, + "log.offset": 10862, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", @@ -2173,11 +2213,11 @@ "event.code": "Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 7 16:01:23 pfsp: The Host Detection alert inBCSedu, start 2019-08-7 16:01:23 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab)", + "event.original": "September 19 13:09:05 pfsp: The Host Detection alert inBCSedu, start 2019-09-19 13:09:05 erspi, duration 77.637000, direction internal, host 10.46.77.76, signatures (iacons), impact occaec, importance medium, managed_objects (uov), (parent managed object quaeab)", "fileset.name": "sightline", "input.type": "log", "log.level": "medium", - "log.offset": 11267, + "log.offset": 11030, "network.direction": "internal", "observer.product": "Arbor", "observer.type": "DDOS", @@ -2189,7 +2229,7 @@ "rsa.misc.policy_name": "iacons", "rsa.misc.severity": "medium", "rsa.time.duration_time": 77.637, - "rsa.time.starttime": "2019-08-07T18:01:23.000Z", + "rsa.time.starttime": "2019-09-19T15:09:05.000Z", "service.type": "netscout", "source.ip": [ "10.46.77.76" @@ -2203,17 +2243,17 @@ "event.code": "Hardware", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "August 21 23:03:57 pfsp: Hardware failure on ntiu since 2019-08-21 23:03:57 GMT: radipisc", + "event.original": "October 3 20:11:40 pfsp: Hardware failure on ntiu since 2019-10-03 20:11:40 GMT: radipisc", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11525, + "log.offset": 11293, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "rsa.internal.event_desc": "radipisc", "rsa.internal.messageid": "Hardware", "rsa.misc.node": "ntiu", - "rsa.time.starttime": "2019-08-22T01:03:57.000Z", + "rsa.time.starttime": "2019-10-03T22:11:40.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2221,97 +2261,79 @@ ] }, { - "destination.ip": [ - "10.166.90.130" - ], - "event.code": "Blocked_Host", + "event.action": "Script mitigation", + "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "September 5 06:06:31 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu", + "event.original": "October 18 03:14:14 pfsp: script vitaed ran at 2019-10-18 03:14:14 ser, leader etconsec", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11615, - "network.protocol": "icmp", + "log.offset": 11383, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.ip": [ - "10.73.89.189", - "10.166.90.130" - ], - "rsa.internal.messageid": "Blocked_Host", - "rsa.misc.msgIdPart1": "Blocked", - "rsa.misc.msgIdPart2": "Host", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "vitaed", + "rsa.misc.parent_node": "etconsec", + "rsa.time.starttime": "2019-10-18T05:14:14.000Z", "service.type": "netscout", - "source.ip": [ - "10.73.89.189" - ], "tags": [ "netscout.sightline", "forwarded" - ], - "url.original": "https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu" + ] }, { - "event.code": "Protection_Mode", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "September 19 13:09:05 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui", - "fileset.name": "sightline", - "group.name": "laudan", - "input.type": "log", - "log.offset": 11810, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.event_desc": "Changed protection mode to active for protection group", - "rsa.internal.messageid": "Protection_Mode", - "rsa.misc.group": "laudan", - "rsa.misc.msgIdPart1": "Protection", - "rsa.misc.msgIdPart2": "Mode", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" + "destination.ip": [ + "10.166.90.130" ], - "url.original": "https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui" - }, - { - "event.code": "Change_Log", + "event.code": "Blocked_Host", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 3 20:11:40 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis", + "event.original": "November 1 10:16:48 upt: Blocked Host: Blocked host10.73.89.189atidoloby Blocked Countries usingicmpdestination10.166.90.130,URL:https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu", "fileset.name": "sightline", "input.type": "log", - "log.offset": 11995, + "log.offset": 11471, + "network.protocol": "icmp", "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.user": [ - "rcitat" + "related.ip": [ + "10.166.90.130", + "10.73.89.189" ], - "rsa.internal.messageid": "Change_Log", - "rsa.misc.msgIdPart1": "Change", - "rsa.misc.msgIdPart2": "Log", + "rsa.internal.messageid": "Blocked_Host", + "rsa.misc.msgIdPart1": "Blocked", + "rsa.misc.msgIdPart2": "Host", "service.type": "netscout", + "source.ip": [ + "10.73.89.189" + ], "tags": [ "netscout.sightline", "forwarded" ], - "user.name": "rcitat" + "url.original": "https://api.example.org/eosquira/pta.htm?econs=lmolesti#apariatu" }, { - "event.code": "Test", + "event.action": "Script mitigation", + "event.code": "script", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "October 18 03:14:14 fugits: Test: Test syslog message", + "event.original": "November 15 17:19:22 pfsp: Alert script msequ ran at 2019-11-15 17:19:22 uat, leader lupta", "fileset.name": "sightline", "input.type": "log", - "log.offset": 12109, + "log.offset": 11665, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "rsa.internal.messageid": "Test", + "rsa.internal.messageid": "script", + "rsa.misc.disposition": "ongoing", + "rsa.misc.event_type": "Script mitigation", + "rsa.misc.node": "msequ", + "rsa.misc.parent_node": "lupta", + "rsa.time.starttime": "2019-11-15T19:19:22.000Z", "service.type": "netscout", "tags": [ "netscout.sightline", @@ -2319,44 +2341,42 @@ ] }, { - "destination.ip": [ - "10.226.51.191" - ], - "event.code": "GRE", + "event.code": "Protection_Mode", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 1 10:16:48 pfsp: GRE tunnel restored for destination 10.226.51.191, leader magnid at 2019-11-01 10:16:48 adol", + "event.original": "November 30 00:21:57 tlabori: Protection Mode: Changed protection mode to active for protection grouplaudan,URL:https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui", "fileset.name": "sightline", + "group.name": "laudan", "input.type": "log", - "log.offset": 12163, + "log.offset": 11756, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", - "related.ip": [ - "10.226.51.191" - ], - "rsa.internal.messageid": "GRE", - "rsa.misc.parent_node": "magnid", - "rsa.time.endtime": "2019-11-01T12:16:48.000Z", + "rsa.internal.event_desc": "Changed protection mode to active for protection group", + "rsa.internal.messageid": "Protection_Mode", + "rsa.misc.group": "laudan", + "rsa.misc.msgIdPart1": "Protection", + "rsa.misc.msgIdPart2": "Mode", "service.type": "netscout", "tags": [ "netscout.sightline", "forwarded" - ] + ], + "url.original": "https://www5.example.com/atcupida/tessequa.htm?dolores=equamnih#taliqui" }, { "event.code": "Change_Log", "event.dataset": "netscout.sightline", "event.module": "netscout", - "event.original": "November 15 17:19:22 culpaqui: Change Log: Username:tvolup, Subsystem:tdolore, Setting Type:ventore, Message:red", + "event.original": "December 14 07:24:31 destlabo: Change Log: Username:rcitat, Subsystem:dolorema, Setting Type:emagn, Message:radipis", "fileset.name": "sightline", "input.type": "log", - "log.offset": 12282, + "log.offset": 11940, "observer.product": "Arbor", "observer.type": "DDOS", "observer.vendor": "Netscout", "related.user": [ - "tvolup" + "rcitat" ], "rsa.internal.messageid": "Change_Log", "rsa.misc.msgIdPart1": "Change", @@ -2366,51 +2386,6 @@ "netscout.sightline", "forwarded" ], - "user.name": "tvolup" - }, - { - "event.code": "Autoclassification", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "November 30 00:21:57 pfsp: Alert Autoclassification was restarted on 2019-11-30 00:21:57 tatev by luptas", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 12395, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "related.user": [ - "luptas" - ], - "rsa.internal.event_desc": "Autoclassification restarted", - "rsa.internal.messageid": "Autoclassification", - "rsa.time.starttime": "2019-11-30T02:21:57.000Z", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" - ], - "user.name": "luptas" - }, - { - "event.code": "Device", - "event.dataset": "netscout.sightline", - "event.module": "netscout", - "event.original": "December 14 07:24:31 pfsp: Alert Device aev reachable again by controller inrepr at 2019-12-14 07:24:31 mol", - "fileset.name": "sightline", - "input.type": "log", - "log.offset": 12500, - "observer.product": "Arbor", - "observer.type": "DDOS", - "observer.vendor": "Netscout", - "rsa.internal.messageid": "Device", - "rsa.misc.node": "aev", - "rsa.misc.parent_node": "inrepr", - "rsa.time.endtime": "2019-12-14T09:24:31.000Z", - "service.type": "netscout", - "tags": [ - "netscout.sightline", - "forwarded" - ] + "user.name": "rcitat" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml index b85b88f7c992..0b23c8ce377b 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js b/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml index a5eafc083d99..6d2b0346ac2d 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml @@ -57,12 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' - - append: - field: related.hosts - value: '{{destination.address}}' - allow_duplicates: false - if: ctx?.destination?.address != null && ctx.destination?.address != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml index de5ef117be3a..508b0323eb3e 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9531 + default: 9547 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json index f9043afa34aa..d29937f64d94 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json @@ -36,6 +36,9 @@ "observer.product": "Email", "observer.type": "Firewall", "observer.vendor": "Proofpoint", + "related.hosts": [ + "enatus" + ], "rsa.internal.messageid": "session_store", "rsa.misc.client": "mipsumq", "rsa.misc.event_source": "enatus", @@ -943,6 +946,9 @@ "observer.product": "Email", "observer.type": "Firewall", "observer.vendor": "Proofpoint", + "related.hosts": [ + "lamc" + ], "rsa.internal.messageid": "session_store", "rsa.misc.client": "eaqueip", "rsa.misc.event_source": "lamc", @@ -1667,6 +1673,9 @@ "observer.product": "Email", "observer.type": "Firewall", "observer.vendor": "Proofpoint", + "related.hosts": [ + "turQuis" + ], "rsa.internal.messageid": "session_judge", "rsa.misc.client": "session_judge", "rsa.misc.event_source": "turQuis", @@ -1982,6 +1991,9 @@ "observer.product": "Email", "observer.type": "Firewall", "observer.vendor": "Proofpoint", + "related.hosts": [ + "inimve" + ], "rsa.counters.dclass_c1": 5821, "rsa.counters.dclass_c1_str": "No of attachments:", "rsa.counters.dclass_c2": 296, diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml index 2c6d20db4661..76a4ff731651 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/input.yml +++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js +++ b/x-pack/filebeat/module/radware/defensepro/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/radware/defensepro/config/pipeline.js b/x-pack/filebeat/module/radware/defensepro/config/pipeline.js index e8ec2256338e..c0b0cbfcf5bd 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/pipeline.js +++ b/x-pack/filebeat/module/radware/defensepro/config/pipeline.js @@ -17,27 +17,29 @@ function DeviceProcessor() { var dup1 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); -var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); +var dup2 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{p0}"); -var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); +var dup3 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{p0}"); -var dup4 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); +var dup4 = match("MESSAGE#0:Intrusions:01/2", "nwparser.p0", "%{sport->} %{p0}"); -var dup5 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); +var dup5 = match("MESSAGE#0:Intrusions:01/3_0", "nwparser.p0", "%{daddr}:%{p0}"); -var dup6 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); +var dup6 = match("MESSAGE#0:Intrusions:01/3_1", "nwparser.p0", "%{daddr->} %{p0}"); -var dup7 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); +var dup7 = match("MESSAGE#0:Intrusions:01/4", "nwparser.p0", "%{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); -var dup8 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); +var dup8 = match("MESSAGE#0:Intrusions:01/5_0", "nwparser.p0", "%{action->} %{sigid_string}"); -var dup9 = setc("eventcategory","1001000000"); +var dup9 = match_copy("MESSAGE#0:Intrusions:01/5_1", "nwparser.p0", "action"); -var dup10 = setc("ec_theme","TEV"); +var dup10 = setc("eventcategory","1001000000"); -var dup11 = setf("msg","$MSG"); +var dup11 = setc("ec_theme","TEV"); -var dup12 = date_time({ +var dup12 = setf("msg","$MSG"); + +var dup13 = date_time({ dest: "event_time", args: ["fld1","fld2"], fmts: [ @@ -45,152 +47,156 @@ var dup12 = date_time({ ], }); -var dup13 = setc("dclass_counter1_string","Bandwidth in Kbps"); +var dup14 = setc("dclass_counter1_string","Bandwidth in Kbps"); -var dup14 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); +var dup15 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); -var dup15 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); +var dup16 = match("MESSAGE#1:Intrusions:02/4", "nwparser.p0", "%{dport->} %{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); -var dup16 = setc("eventcategory","1002000000"); +var dup17 = setc("eventcategory","1002000000"); -var dup17 = setc("ec_subject","NetworkComm"); +var dup18 = setc("ec_subject","NetworkComm"); -var dup18 = setc("ec_activity","Scan"); +var dup19 = setc("ec_activity","Scan"); -var dup19 = setc("eventcategory","1401000000"); +var dup20 = setc("eventcategory","1401000000"); -var dup20 = setc("ec_subject","User"); +var dup21 = setc("ec_subject","User"); -var dup21 = setc("ec_theme","ALM"); +var dup22 = setc("ec_theme","ALM"); -var dup22 = setc("ec_activity","Modify"); +var dup23 = setc("ec_activity","Modify"); -var dup23 = setc("ec_theme","Configuration"); +var dup24 = setc("ec_theme","Configuration"); -var dup24 = setc("eventcategory","1612000000"); +var dup25 = setc("eventcategory","1612000000"); -var dup25 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); +var dup26 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); -var dup26 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); +var dup27 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); -var dup27 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); +var dup28 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); -var dup28 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); +var dup29 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); -var dup29 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); +var dup30 = match_copy("MESSAGE#22:Login:04/3_1", "nwparser.p0", "result"); -var dup30 = setc("eventcategory","1401030000"); +var dup31 = setc("eventcategory","1401030000"); -var dup31 = setc("ec_activity","Logon"); +var dup32 = setc("ec_activity","Logon"); -var dup32 = setc("ec_theme","Authentication"); +var dup33 = setc("ec_theme","Authentication"); -var dup33 = setc("ec_outcome","Failure"); +var dup34 = setc("ec_outcome","Failure"); -var dup34 = setc("event_description","Login Failed"); +var dup35 = setc("event_description","Login Failed"); -var dup35 = setc("ec_outcome","Error"); +var dup36 = setc("ec_outcome","Error"); -var dup36 = setc("eventcategory","1603000000"); +var dup37 = setc("eventcategory","1603000000"); -var dup37 = setc("ec_theme","AccessControl"); +var dup38 = setc("ec_theme","AccessControl"); -var dup38 = setc("eventcategory","1401060000"); +var dup39 = setc("eventcategory","1401060000"); -var dup39 = setc("ec_outcome","Success"); +var dup40 = setc("ec_outcome","Success"); -var dup40 = setc("event_description","User logged in"); +var dup41 = setc("event_description","User logged in"); -var dup41 = linear_select([ +var dup42 = linear_select([ dup2, dup3, ]); -var dup42 = linear_select([ - dup4, +var dup43 = linear_select([ dup5, + dup6, ]); -var dup43 = linear_select([ - dup7, +var dup44 = linear_select([ dup8, + dup9, ]); -var dup44 = linear_select([ - dup25, +var dup45 = linear_select([ dup26, + dup27, ]); -var dup45 = linear_select([ - dup28, +var dup46 = linear_select([ dup29, + dup30, ]); -var dup46 = all_match({ +var dup47 = all_match({ processors: [ dup1, - dup41, dup42, - dup6, + dup4, dup43, + dup7, + dup44, ], on_success: processor_chain([ - dup9, dup10, dup11, dup12, dup13, + dup14, ]), }); -var dup47 = all_match({ +var dup48 = all_match({ processors: [ - dup14, - dup41, - dup42, dup15, + dup42, + dup4, + dup43, + dup16, ], on_success: processor_chain([ - dup9, dup10, dup11, - dup13, + dup12, + dup14, ]), }); -var dup48 = all_match({ +var dup49 = all_match({ processors: [ dup1, - dup41, dup42, - dup6, + dup4, dup43, + dup7, + dup44, ], on_success: processor_chain([ - dup16, - dup10, + dup17, dup11, dup12, dup13, + dup14, ]), }); -var dup49 = all_match({ +var dup50 = all_match({ processors: [ - dup14, - dup41, - dup42, dup15, + dup42, + dup4, + dup43, + dup16, ], on_success: processor_chain([ - dup16, - dup10, + dup17, dup11, - dup13, + dup12, + dup14, ]), }); -var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} %{hfld3->} %{messageid->} \\\"%{hfld4}\\\" %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -202,12 +208,12 @@ var hdr1 = match("HEADER#0:0001", "message", "%DefensePro %{hfld1->} %{hfld2->} constant(" \\\""), field("hfld4"), constant("\\\" "), - field("payload"), + field("p0"), ], }), ])); -var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{p0}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -215,12 +221,12 @@ var hdr2 = match("HEADER#1:0002", "message", "%DefensePro %{messageid->} %{paylo args: [ field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{payload}", processor_chain([ +var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{hfld2->} %{messageid->} \"%{hfld3}\" %{p0}", processor_chain([ setc("header_id","0003"), call({ dest: "nwparser.payload", @@ -238,12 +244,12 @@ var hdr3 = match("HEADER#2:0003", "message", "DefensePro: %{hdate->} %{htime->} constant(" \""), field("hfld3"), constant("\" "), - field("payload"), + field("p0"), ], }), ])); -var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{payload}", processor_chain([ +var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} %{hfld1->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0004"), call({ dest: "nwparser.payload", @@ -257,7 +263,7 @@ var hdr4 = match("HEADER#3:0004", "message", "DefensePro: %{hdate->} %{htime->} constant(" "), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); @@ -269,20 +275,20 @@ var select1 = linear_select([ hdr4, ]); -var msg1 = msg("Intrusions:01", dup46); +var msg1 = msg("Intrusions:01", dup47); -var msg2 = msg("Intrusions:02", dup47); +var msg2 = msg("Intrusions:02", dup48); var select2 = linear_select([ msg1, msg2, ]); -var msg3 = msg("SynFlood:01", dup48); +var msg3 = msg("SynFlood:01", dup49); -var msg4 = msg("Behavioral-DoS:01", dup48); +var msg4 = msg("Behavioral-DoS:01", dup49); -var msg5 = msg("Behavioral-DoS:02", dup49); +var msg5 = msg("Behavioral-DoS:02", dup50); var select3 = linear_select([ msg4, @@ -292,19 +298,20 @@ var select3 = linear_select([ var all1 = all_match({ processors: [ dup1, - dup41, dup42, - dup6, + dup4, dup43, + dup7, + dup44, ], on_success: processor_chain([ - dup9, - dup17, - dup18, dup10, + dup18, + dup19, dup11, dup12, dup13, + dup14, ]), }); @@ -312,18 +319,19 @@ var msg6 = msg("Anti-Scanning:01", all1); var all2 = all_match({ processors: [ - dup14, - dup41, - dup42, dup15, + dup42, + dup4, + dup43, + dup16, ], on_success: processor_chain([ - dup9, - dup17, - dup18, dup10, + dup18, + dup19, dup11, - dup13, + dup12, + dup14, ]), }); @@ -334,22 +342,23 @@ var select4 = linear_select([ msg7, ]); -var msg8 = msg("DoS:01", dup48); +var msg8 = msg("DoS:01", dup49); var all3 = all_match({ processors: [ - dup14, - dup41, - dup42, dup15, + dup42, + dup4, + dup43, + dup16, ], on_success: processor_chain([ - dup16, dup17, dup18, - dup10, + dup19, dup11, - dup13, + dup12, + dup14, ]), }); @@ -360,27 +369,27 @@ var select5 = linear_select([ msg9, ]); -var msg10 = msg("Cracking-Protection:01", dup46); +var msg10 = msg("Cracking-Protection:01", dup47); -var msg11 = msg("Cracking-Protection:02", dup47); +var msg11 = msg("Cracking-Protection:02", dup48); var select6 = linear_select([ msg10, msg11, ]); -var msg12 = msg("Anomalies:01", dup48); +var msg12 = msg("Anomalies:01", dup49); -var msg13 = msg("Anomalies:02", dup49); +var msg13 = msg("Anomalies:02", dup50); var select7 = linear_select([ msg12, msg13, ]); -var msg14 = msg("HttpFlood:01", dup48); +var msg14 = msg("HttpFlood:01", dup49); -var msg15 = msg("HttpFlood:02", dup49); +var msg15 = msg("HttpFlood:02", dup50); var select8 = linear_select([ msg14, @@ -388,75 +397,75 @@ var select8 = linear_select([ ]); var part1 = match("MESSAGE#15:COMMAND:", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} COMMAND: \"%{action}\" by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ - dup19, dup20, - setc("ec_activity","Execute"), dup21, - dup11, + setc("ec_activity","Execute"), + dup22, dup12, + dup13, ])); var msg16 = msg("COMMAND:", part1); var part2 = match("MESSAGE#16:Configuration:01", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description->} set %{change_new}, Old Values: %{change_old}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ - dup19, dup20, - dup22, + dup21, dup23, - dup11, + dup24, dup12, + dup13, ])); var msg17 = msg("Configuration:01", part2); var part3 = match("MESSAGE#17:Configuration:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{event_description}, ACTION: %{action->} by user %{username->} via %{network_service->} source IP %{saddr}", processor_chain([ - dup19, dup20, - dup23, - dup11, + dup21, + dup24, dup12, + dup13, ])); var msg18 = msg("Configuration:02", part3); var part4 = match("MESSAGE#18:Configuration:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration File downloaded from device by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ - dup19, dup20, - dup23, - dup11, - setc("event_description","Configuration File downloaded"), + dup21, + dup24, dup12, + setc("event_description","Configuration File downloaded"), + dup13, ])); var msg19 = msg("Configuration:03", part4); var part5 = match("MESSAGE#19:Configuration:04", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Upload has been completed", processor_chain([ + dup25, dup24, - dup23, - dup11, - setc("event_description","Configuration Upload has been completed"), dup12, + setc("event_description","Configuration Upload has been completed"), + dup13, ])); var msg20 = msg("Configuration:04", part5); var part6 = match("MESSAGE#20:Configuration:05", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration Download has been completed", processor_chain([ + dup25, dup24, - dup23, - dup11, - setc("event_description","Configuration Download has been completed"), dup12, + setc("event_description","Configuration Download has been completed"), + dup13, ])); var msg21 = msg("Configuration:05", part6); var part7 = match("MESSAGE#21:Configuration:06", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Configuration file has been modified. Device may fail to load configuration file!", processor_chain([ - dup24, - dup22, + dup25, dup23, - dup11, - setc("event_description","Configuration file has been modified. Device may fail to load configuration file!"), + dup24, dup12, + setc("event_description","Configuration file has been modified. Device may fail to load configuration file!"), + dup13, ])); var msg22 = msg("Configuration:06", part7); @@ -475,30 +484,30 @@ var part8 = match("MESSAGE#22:Login:04/0", "nwparser.payload", "Login failed %{p var all4 = all_match({ processors: [ part8, - dup44, - dup27, dup45, + dup28, + dup46, ], on_success: processor_chain([ - dup30, - dup20, dup31, + dup21, dup32, dup33, - dup11, dup34, + dup12, + dup35, ]), }); var msg23 = msg("Login:04", all4); var part9 = match("MESSAGE#23:Login:05", "nwparser.payload", "Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ - dup30, - dup20, dup31, + dup21, dup32, - dup35, - dup11, + dup33, + dup36, + dup12, setc("event_description","Login Locked"), ])); @@ -509,46 +518,46 @@ var part10 = match("MESSAGE#24:Login:01/0", "nwparser.payload", "%{fld1->} %{fld var all5 = all_match({ processors: [ part10, - dup44, - dup27, dup45, + dup28, + dup46, ], on_success: processor_chain([ - dup30, - dup20, dup31, + dup21, dup32, dup33, - dup11, dup34, dup12, + dup35, + dup13, ]), }); var msg25 = msg("Login:01", all5); var part11 = match("MESSAGE#25:Login:02", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login failed via %{network_service->} (IP: %{saddr}): %{result}", processor_chain([ - dup30, - dup20, dup31, + dup21, dup32, dup33, - dup11, dup34, dup12, + dup35, + dup13, ])); var msg26 = msg("Login:02", part11); var part12 = match("MESSAGE#26:Login:03", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Login locked user %{username->} (IP: %{saddr}): %{result}", processor_chain([ - dup30, - dup20, dup31, + dup21, dup32, - dup35, - dup11, - dup34, + dup33, + dup36, dup12, + dup35, + dup13, ])); var msg27 = msg("Login:03", part12); @@ -562,43 +571,43 @@ var select10 = linear_select([ ]); var part13 = match("MESSAGE#27:Connection", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Connection to NTP server timed out", processor_chain([ - dup36, - dup21, - dup11, - setc("event_description","Connection to NTP server timed out"), + dup37, + dup22, dup12, + setc("event_description","Connection to NTP server timed out"), + dup13, ])); var msg28 = msg("Connection", part13); var part14 = match("MESSAGE#28:Device", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Device was rebooted by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ - dup19, dup20, dup21, - dup11, - setc("event_description","Device was rebooted"), + dup22, dup12, + setc("event_description","Device was rebooted"), + dup13, ])); var msg29 = msg("Device", part14); var part15 = match("MESSAGE#29:Power", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Power supply fully operational", processor_chain([ - dup24, - dup21, - dup11, - setc("event_description","Power supply fully operational"), + dup25, + dup22, dup12, + setc("event_description","Power supply fully operational"), + dup13, ])); var msg30 = msg("Power", part15); var part16 = match("MESSAGE#30:Cold", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Cold Start", processor_chain([ - dup24, + dup25, setc("ec_activity","Start"), - dup21, - dup11, - setc("event_description","Cold Start"), + dup22, dup12, + setc("event_description","Cold Start"), + dup13, ])); var msg31 = msg("Cold", part16); @@ -607,7 +616,7 @@ var part17 = match("MESSAGE#31:Port/0", "nwparser.payload", "%{fld1->} %{fld2->} var part18 = match("MESSAGE#31:Port/1_0", "nwparser.p0", "Down%{}"); -var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up %{}"); +var part19 = match("MESSAGE#31:Port/1_1", "nwparser.p0", "Up%{}"); var select11 = linear_select([ part18, @@ -620,22 +629,22 @@ var all6 = all_match({ select11, ], on_success: processor_chain([ - dup24, - dup21, - dup11, - setc("event_description","Port Status Change"), + dup25, + dup22, dup12, + setc("event_description","Port Status Change"), + dup13, ]), }); var msg32 = msg("Port", all6); var part20 = match("MESSAGE#32:DefensePro", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} DefensePro was powered off", processor_chain([ - dup24, - dup21, - dup11, - setc("event_description","DefensePro Powered off"), + dup25, + dup22, dup12, + setc("event_description","DefensePro Powered off"), + dup13, ])); var msg33 = msg("DefensePro", part20); @@ -645,24 +654,24 @@ var part21 = match("MESSAGE#33:Access:01/0", "nwparser.payload", "%{fld1->} %{fl var all7 = all_match({ processors: [ part21, - dup43, + dup44, ], on_success: processor_chain([ - dup36, dup37, - dup11, + dup38, dup12, + dup13, ]), }); var msg34 = msg("Access:01", all7); var part22 = match("MESSAGE#34:Access", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Access attempted by unauthorized NMS, Community: %{fld3}, IP: \"%{saddr}\"", processor_chain([ - dup36, dup37, - dup11, - setc("event_description","Access attempted by unauthorized NMS"), + dup38, dup12, + setc("event_description","Access attempted by unauthorized NMS"), + dup13, ])); var msg35 = msg("Access", part22); @@ -673,36 +682,36 @@ var select12 = linear_select([ ]); var part23 = match("MESSAGE#35:Please", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Please reboot the device for the latest changes to take effect", processor_chain([ - dup19, - dup21, - dup11, - setc("event_description","Reboot required for latest changes"), + dup20, + dup22, dup12, + setc("event_description","Reboot required for latest changes"), + dup13, ])); var msg36 = msg("Please", part23); var part24 = match("MESSAGE#36:User:01", "nwparser.payload", "User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ - dup38, - dup20, - dup31, - dup32, dup39, - dup11, + dup21, + dup32, + dup33, dup40, + dup12, + dup41, ])); var msg37 = msg("User:01", part24); var part25 = match("MESSAGE#37:User", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} User %{username->} logged in via %{network_service->} (IP: %{saddr})", processor_chain([ - dup38, - dup20, - dup31, - dup32, dup39, - dup11, + dup21, + dup32, + dup33, dup40, dup12, + dup41, + dup13, ])); var msg38 = msg("User", part25); @@ -713,10 +722,10 @@ var select13 = linear_select([ ]); var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Certificate named %{fld3->} expired on %{fld4->} %{fld5}", processor_chain([ - dup19, - dup11, - setc("event_description","Certificate expired"), + dup20, dup12, + setc("event_description","Certificate expired"), + dup13, date_time({ dest: "endtime", args: ["fld5"], @@ -729,27 +738,27 @@ var part26 = match("MESSAGE#38:Certificate", "nwparser.payload", "%{fld1->} %{fl var msg39 = msg("Certificate", part26); var part27 = match("MESSAGE#39:Vision", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} Vision %{event_description->} by user %{username->} via %{network_service}, source IP %{saddr}", processor_chain([ - dup19, - dup11, + dup20, dup12, + dup13, ])); var msg40 = msg("Vision", part27); var part28 = match("MESSAGE#40:Updating", "nwparser.payload", "Updating policy database%{fld1}", processor_chain([ - dup24, - dup21, - dup11, + dup25, + dup22, + dup12, setc("event_description","Updating policy database"), ])); var msg41 = msg("Updating", part28); var part29 = match("MESSAGE#41:Policy", "nwparser.payload", "Policy database updated successfully.%{}", processor_chain([ + dup25, dup24, - dup23, - dup39, - dup11, + dup40, + dup12, setc("event_description","Policy database updated successfully"), ])); @@ -787,33 +796,35 @@ var chain1 = processor_chain([ var part30 = match("MESSAGE#0:Intrusions:01/0", "nwparser.payload", "%{fld1->} %{fld2->} %{severity->} %{id->} %{category->} \"%{event_type}\" %{protocol->} %{p0}"); -var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); +var part31 = match("MESSAGE#0:Intrusions:01/1_0", "nwparser.p0", "%{saddr}:%{p0}"); + +var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{p0}"); -var part32 = match("MESSAGE#0:Intrusions:01/1_1", "nwparser.p0", "%{saddr->} %{sport->} %{p0}"); +var part33 = match("MESSAGE#0:Intrusions:01/2", "nwparser.p0", "%{sport->} %{p0}"); -var part33 = match("MESSAGE#0:Intrusions:01/2_0", "nwparser.p0", "%{daddr}:%{dport->} %{p0}"); +var part34 = match("MESSAGE#0:Intrusions:01/3_0", "nwparser.p0", "%{daddr}:%{p0}"); -var part34 = match("MESSAGE#0:Intrusions:01/2_1", "nwparser.p0", "%{daddr->} %{dport->} %{p0}"); +var part35 = match("MESSAGE#0:Intrusions:01/3_1", "nwparser.p0", "%{daddr->} %{p0}"); -var part35 = match("MESSAGE#0:Intrusions:01/3", "nwparser.p0", "%{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); +var part36 = match("MESSAGE#0:Intrusions:01/4", "nwparser.p0", "%{dport->} %{interface->} %{context->} \"%{policyname}\" %{event_state->} %{packets->} %{dclass_counter1->} %{vlan->} %{fld15->} %{fld16->} %{risk->} %{p0}"); -var part36 = match("MESSAGE#0:Intrusions:01/4_0", "nwparser.p0", "%{action->} %{sigid_string}"); +var part37 = match("MESSAGE#0:Intrusions:01/5_0", "nwparser.p0", "%{action->} %{sigid_string}"); -var part37 = match("MESSAGE#0:Intrusions:01/4_1", "nwparser.p0", "%{action}"); +var part38 = match_copy("MESSAGE#0:Intrusions:01/5_1", "nwparser.p0", "action"); -var part38 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); +var part39 = match("MESSAGE#1:Intrusions:02/0", "nwparser.payload", "%{id->} %{category->} \\\"%{event_type}\\\" %{protocol->} %{p0}"); -var part39 = match("MESSAGE#1:Intrusions:02/3", "nwparser.p0", "%{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); +var part40 = match("MESSAGE#1:Intrusions:02/4", "nwparser.p0", "%{dport->} %{interface->} %{context->} \\\"%{policyname}\\\" %{event_state->} %{packets->} %{dclass_counter1->} %{fld1->} %{risk->} %{action->} %{vlan->} %{fld15->} %{fld16->} %{direction}"); -var part40 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); +var part41 = match("MESSAGE#22:Login:04/1_0", "nwparser.p0", "for user%{p0}"); -var part41 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); +var part42 = match("MESSAGE#22:Login:04/1_1", "nwparser.p0", "user%{p0}"); -var part42 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); +var part43 = match("MESSAGE#22:Login:04/2", "nwparser.p0", "%{} %{username->} via %{network_service->} (IP: %{saddr})%{p0}"); -var part43 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); +var part44 = match("MESSAGE#22:Login:04/3_0", "nwparser.p0", ": %{result}"); -var part44 = match("MESSAGE#22:Login:04/3_1", "nwparser.p0", "%{result}"); +var part45 = match_copy("MESSAGE#22:Login:04/3_1", "nwparser.p0", "result"); var select14 = linear_select([ dup2, @@ -821,85 +832,89 @@ var select14 = linear_select([ ]); var select15 = linear_select([ - dup4, dup5, + dup6, ]); var select16 = linear_select([ - dup7, dup8, + dup9, ]); var select17 = linear_select([ - dup25, dup26, + dup27, ]); var select18 = linear_select([ - dup28, dup29, + dup30, ]); var all8 = all_match({ processors: [ dup1, - dup41, dup42, - dup6, + dup4, dup43, + dup7, + dup44, ], on_success: processor_chain([ - dup9, dup10, dup11, dup12, dup13, + dup14, ]), }); var all9 = all_match({ processors: [ - dup14, - dup41, - dup42, dup15, + dup42, + dup4, + dup43, + dup16, ], on_success: processor_chain([ - dup9, dup10, dup11, - dup13, + dup12, + dup14, ]), }); var all10 = all_match({ processors: [ dup1, - dup41, dup42, - dup6, + dup4, dup43, + dup7, + dup44, ], on_success: processor_chain([ - dup16, - dup10, + dup17, dup11, dup12, dup13, + dup14, ]), }); var all11 = all_match({ processors: [ - dup14, - dup41, - dup42, dup15, + dup42, + dup4, + dup43, + dup16, ], on_success: processor_chain([ - dup16, - dup10, + dup17, dup11, - dup13, + dup12, + dup14, ]), }); diff --git a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml index f1ddbd56ba7d..4812096fb70d 100644 --- a/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml +++ b/x-pack/filebeat/module/radware/defensepro/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/radware/defensepro/manifest.yml b/x-pack/filebeat/module/radware/defensepro/manifest.yml index e2037dea3c3d..b516c39cec5c 100644 --- a/x-pack/filebeat/module/radware/defensepro/manifest.yml +++ b/x-pack/filebeat/module/radware/defensepro/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9518 + default: 9535 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml index 0e788196439e..b7fe0e504afa 100644 --- a/x-pack/filebeat/module/snort/log/config/input.yml +++ b/x-pack/filebeat/module/snort/log/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/snort/log/config/liblogparser.js b/x-pack/filebeat/module/snort/log/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/snort/log/config/liblogparser.js +++ b/x-pack/filebeat/module/snort/log/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml index 640c5b2556a9..262bbcff330f 100644 --- a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/snort/log/manifest.yml b/x-pack/filebeat/module/snort/log/manifest.yml index a02cbe98ed66..ae467072b222 100644 --- a/x-pack/filebeat/module/snort/log/manifest.yml +++ b/x-pack/filebeat/module/snort/log/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9532 + default: 9548 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index d1a9aa8535fd..1c42e298457d 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -13,6 +13,7 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.hosts": [ + "veri", "quid2184.invalid" ], "related.ip": [ @@ -212,8 +213,8 @@ "itame189.domain" ], "related.ip": [ - "10.24.67.250", - "10.182.199.231" + "10.182.199.231", + "10.24.67.250" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "oei", @@ -334,8 +335,8 @@ "its7829.localhost" ], "related.ip": [ - "10.157.18.252", - "10.110.31.190" + "10.110.31.190", + "10.157.18.252" ], "rsa.crypto.sig_type": "rQu", "rsa.internal.messageid": "5979", @@ -673,6 +674,7 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.hosts": [ + "nula", "exercita2068.api.invalid" ], "related.ip": [ @@ -709,6 +711,7 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.hosts": [ + "gna", "orumS757.www5.corp" ], "related.ip": [ @@ -963,8 +966,8 @@ "cidu921.internal.lan" ], "related.ip": [ - "10.222.183.123", - "10.165.33.19" + "10.165.33.19", + "10.222.183.123" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "usan", @@ -1006,8 +1009,8 @@ "unturmag6190.api.lan" ], "related.ip": [ - "10.238.223.171", - "10.52.190.18" + "10.52.190.18", + "10.238.223.171" ], "rsa.crypto.sig_type": "Finibus", "rsa.internal.messageid": "16539", @@ -1103,6 +1106,7 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.hosts": [ + "ionula", "tvol3402.www.local" ], "related.ip": [ @@ -1209,8 +1213,8 @@ "iqu4858.mail.invalid" ], "related.ip": [ - "10.116.175.84", - "10.213.100.153" + "10.213.100.153", + "10.116.175.84" ], "rsa.crypto.sig_type": "exercit", "rsa.internal.messageid": "11634", @@ -1731,8 +1735,8 @@ "nofde7732.internal.test" ], "related.ip": [ - "10.36.122.169", - "10.198.44.231" + "10.198.44.231", + "10.36.122.169" ], "rsa.crypto.sig_type": "umquam", "rsa.internal.messageid": "13228", @@ -2033,6 +2037,7 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.hosts": [ + "cto", "pitlab5165.localdomain" ], "related.ip": [ @@ -2113,8 +2118,8 @@ "uovol2459.www5.invalid" ], "related.ip": [ - "10.28.105.106", - "10.60.137.215" + "10.60.137.215", + "10.28.105.106" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -2229,10 +2234,10 @@ "Loremips5368.www5.corp" ], "related.ip": [ + "10.166.40.137", "10.20.167.114", - "10.49.190.163", "10.65.144.119", - "10.166.40.137" + "10.49.190.163" ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", "rsa.internal.messageid": "FTD_events", @@ -2276,8 +2281,8 @@ "mexer1548.www5.example" ], "related.ip": [ - "10.104.78.147", - "10.162.128.87" + "10.162.128.87", + "10.104.78.147" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "emu", @@ -2316,8 +2321,8 @@ "emulla6625.www5.corp" ], "related.ip": [ - "10.237.43.87", - "10.82.180.46" + "10.82.180.46", + "10.237.43.87" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "oloremqu", @@ -2449,8 +2454,8 @@ "upta788.invalid" ], "related.ip": [ - "10.166.10.187", - "10.40.250.209" + "10.40.250.209", + "10.166.10.187" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-temUte", @@ -2578,8 +2583,8 @@ "laparia5374.api.domain" ], "related.ip": [ - "10.232.67.182", - "10.147.155.100" + "10.147.155.100", + "10.232.67.182" ], "rsa.crypto.sig_type": "eufugi", "rsa.internal.messageid": "26152", @@ -2828,8 +2833,8 @@ "borios1685.www.localhost" ], "related.ip": [ - "10.38.22.60", - "10.231.10.63" + "10.231.10.63", + "10.38.22.60" ], "rsa.crypto.sig_type": "taliquip", "rsa.internal.messageid": "10329", @@ -3415,8 +3420,8 @@ "onofdeFi1149.www5.domain" ], "related.ip": [ - "10.186.68.87", - "10.154.87.98" + "10.154.87.98", + "10.186.68.87" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uptate", @@ -3836,10 +3841,10 @@ "erunt3957.internal.lan" ], "related.ip": [ - "10.32.195.34", - "10.240.77.10", "10.118.103.185", - "10.125.130.61" + "10.125.130.61", + "10.240.77.10", + "10.32.195.34" ], "rsa.internal.event_desc": "TCP Flow is no longer offloaded for connection", "rsa.internal.messageid": "FTD_events", @@ -3883,8 +3888,8 @@ "ntNe7144.api.lan" ], "related.ip": [ - "10.111.130.177", - "10.188.88.133" + "10.188.88.133", + "10.111.130.177" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "numqu", diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml index 6abe28c0fef3..26340d167fc1 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js b/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js index 6be7d09fb3d0..23702c227747 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js +++ b/x-pack/filebeat/module/sonicwall/firewall/config/pipeline.js @@ -33,7 +33,7 @@ var dup8 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sin var dup9 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); +var dup10 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); var dup11 = date_time({ dest: "event_time", @@ -53,19 +53,21 @@ var dup15 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{di var dup16 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); -var dup17 = setf("hostip","hhostip"); +var dup17 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); -var dup18 = setf("id","hid"); +var dup18 = setf("hostip","hhostip"); -var dup19 = setf("serial_number","hserial_number"); +var dup19 = setf("id","hid"); -var dup20 = setf("category","hcategory"); +var dup20 = setf("serial_number","hserial_number"); -var dup21 = setf("severity","hseverity"); +var dup21 = setf("category","hcategory"); -var dup22 = setc("eventcategory","1805010000"); +var dup22 = setf("severity","hseverity"); -var dup23 = call({ +var dup23 = setc("eventcategory","1805010000"); + +var dup24 = call({ dest: "nwparser.msg", fn: RMQ, args: [ @@ -73,33 +75,45 @@ var dup23 = call({ ], }); -var dup24 = setc("eventcategory","1302000000"); +var dup25 = setc("eventcategory","1302000000"); + +var dup26 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); + +var dup27 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); + +var dup28 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); -var dup25 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var dup29 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); -var dup26 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); +var dup30 = setc("eventcategory","1401050100"); -var dup27 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); +var dup31 = setc("eventcategory","1401030000"); -var dup28 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); +var dup32 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); -var dup29 = setc("eventcategory","1401050100"); +var dup33 = setc("eventcategory","1301020000"); -var dup30 = setc("eventcategory","1401030000"); +var dup34 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); -var dup31 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); +var dup35 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); -var dup32 = setc("eventcategory","1301020000"); +var dup36 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); -var dup33 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); +var dup37 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); -var dup34 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); +var dup38 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); -var dup35 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); +var dup39 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); -var dup36 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); +var dup40 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); -var dup37 = date_time({ +var dup41 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); + +var dup42 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); + +var dup43 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); + +var dup44 = date_time({ dest: "event_time", args: ["date","time"], fmts: [ @@ -107,723 +121,747 @@ var dup37 = date_time({ ], }); -var dup38 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var dup45 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); + +var dup46 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); -var dup39 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); +var dup47 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); -var dup40 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); +var dup48 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); -var dup41 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); +var dup49 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); -var dup42 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); +var dup50 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); -var dup43 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); +var dup51 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); -var dup44 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); +var dup52 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); -var dup45 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); +var dup53 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); -var dup46 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); +var dup54 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); -var dup47 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); +var dup55 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); -var dup48 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); +var dup56 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); -var dup49 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var dup57 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var dup50 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); +var dup58 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); -var dup51 = setc("ec_subject","NetworkComm"); +var dup59 = setc("ec_subject","NetworkComm"); -var dup52 = setc("ec_activity","Deny"); +var dup60 = setc("ec_activity","Deny"); -var dup53 = setc("ec_theme","Communication"); +var dup61 = setc("ec_theme","Communication"); -var dup54 = setf("msg","$MSG"); +var dup62 = setf("msg","$MSG"); -var dup55 = setc("action","dropped"); +var dup63 = setc("action","dropped"); -var dup56 = setc("eventcategory","1608010000"); +var dup64 = setc("eventcategory","1608010000"); -var dup57 = setc("eventcategory","1302010000"); +var dup65 = setc("eventcategory","1302010000"); -var dup58 = setc("eventcategory","1301000000"); +var dup66 = setc("eventcategory","1301000000"); -var dup59 = setc("eventcategory","1001000000"); +var dup67 = setc("eventcategory","1001000000"); -var dup60 = setc("eventcategory","1003030000"); +var dup68 = setc("eventcategory","1003030000"); -var dup61 = setc("eventcategory","1003050000"); +var dup69 = setc("eventcategory","1003050000"); -var dup62 = setc("eventcategory","1103000000"); +var dup70 = setc("eventcategory","1103000000"); -var dup63 = setc("eventcategory","1603110000"); +var dup71 = setc("eventcategory","1603110000"); -var dup64 = setc("eventcategory","1605020000"); +var dup72 = setc("eventcategory","1605020000"); -var dup65 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); +var dup73 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); -var dup66 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); +var dup74 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); -var dup67 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var dup75 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); -var dup68 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); +var dup76 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); -var dup69 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var dup77 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var dup70 = setc("eventcategory","1801000000"); +var dup78 = setc("eventcategory","1801000000"); -var dup71 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); +var dup79 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); -var dup72 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); +var dup80 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); -var dup73 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); +var dup81 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); -var dup74 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); +var dup82 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); -var dup75 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); +var dup83 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); -var dup76 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); +var dup84 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); -var dup77 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); +var dup85 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); -var dup78 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var dup86 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); -var dup79 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); +var dup87 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var dup80 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); +var dup88 = setf("id","hfld1"); -var dup81 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var dup89 = setc("eventcategory","1001020309"); -var dup82 = setf("id","hfld1"); +var dup90 = setc("eventcategory","1303000000"); -var dup83 = setc("eventcategory","1001020309"); +var dup91 = setc("eventcategory","1801010100"); -var dup84 = setc("eventcategory","1303000000"); +var dup92 = setc("eventcategory","1604010000"); -var dup85 = setc("eventcategory","1801010100"); +var dup93 = setc("eventcategory","1002020000"); -var dup86 = setc("eventcategory","1604010000"); +var dup94 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); -var dup87 = setc("eventcategory","1002020000"); +var dup95 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); -var dup88 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); +var dup96 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); -var dup89 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); +var dup97 = setc("eventcategory","1001010000"); -var dup90 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); +var dup98 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); -var dup91 = setc("eventcategory","1001010000"); +var dup99 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); -var dup92 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); +var dup100 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); -var dup93 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); +var dup101 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); -var dup94 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); +var dup102 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); -var dup95 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); +var dup103 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); -var dup96 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); +var dup104 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); -var dup97 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); +var dup105 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); -var dup98 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); +var dup106 = setc("eventcategory","1401060000"); -var dup99 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); +var dup107 = setc("eventcategory","1804000000"); -var dup100 = setc("eventcategory","1401060000"); +var dup108 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); -var dup101 = setc("eventcategory","1804000000"); +var dup109 = setc("eventcategory","1401070000"); -var dup102 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); +var dup110 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); -var dup103 = setc("eventcategory","1401070000"); +var dup111 = setc("eventcategory","1801030000"); -var dup104 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); +var dup112 = setc("eventcategory","1402020300"); -var dup105 = setc("eventcategory","1801030000"); +var dup113 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); -var dup106 = setc("eventcategory","1402020300"); +var dup114 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); -var dup107 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); +var dup115 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); -var dup108 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); +var dup116 = setc("eventcategory","1402000000"); -var dup109 = setc("eventcategory","1402000000"); +var dup117 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); -var dup110 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); +var dup118 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); -var dup111 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); +var dup119 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); -var dup112 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); +var dup120 = setc("eventcategory","1803020000"); -var dup113 = setc("eventcategory","1803020000"); +var dup121 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); -var dup114 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); +var dup122 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); -var dup115 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); +var dup123 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); -var dup116 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); +var dup124 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); -var dup117 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); +var dup125 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); -var dup118 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var dup126 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); -var dup119 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); +var dup127 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); -var dup120 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); +var dup128 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); -var dup121 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); +var dup129 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); -var dup122 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); +var dup130 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); -var dup123 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); +var dup131 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); -var dup124 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var dup132 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); -var dup125 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); +var dup133 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); -var dup126 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); +var dup134 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var dup127 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); +var dup135 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); -var dup128 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); +var dup136 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); -var dup129 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); +var dup137 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); -var dup130 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); +var dup138 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); -var dup131 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); +var dup139 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); -var dup132 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); +var dup140 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var dup133 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var dup141 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); -var dup134 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); +var dup142 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); -var dup135 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); +var dup143 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); -var dup136 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); +var dup144 = setc("event_description","Connection Closed"); -var dup137 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); +var dup145 = setc("eventcategory","1801020000"); -var dup138 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var dup146 = setc("ec_activity","Permit"); -var dup139 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); +var dup147 = setc("action","allowed"); -var dup140 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); +var dup148 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); -var dup141 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); +var dup149 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); -var dup142 = setc("event_description","Connection Closed"); +var dup150 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); -var dup143 = setc("eventcategory","1801020000"); +var dup151 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); -var dup144 = setc("ec_activity","Permit"); +var dup152 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); -var dup145 = setc("action","allowed"); +var dup153 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); -var dup146 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var dup154 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); -var dup147 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var dup155 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); -var dup148 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); +var dup156 = setc("eventcategory","1001030500"); -var dup149 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); +var dup157 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); -var dup150 = setc("eventcategory","1001030500"); +var dup158 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); -var dup151 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); +var dup159 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var dup152 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); +var dup160 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var dup153 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var dup161 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); -var dup154 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var dup162 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); -var dup155 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); +var dup163 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); -var dup156 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); +var dup164 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); -var dup157 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); +var dup165 = setc("eventcategory","1801010000"); -var dup158 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); +var dup166 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); -var dup159 = setc("eventcategory","1801010000"); +var dup167 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); -var dup160 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); +var dup168 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); -var dup161 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var dup169 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var dup162 = setc("eventcategory","1003010000"); +var dup170 = setc("eventcategory","1003010000"); -var dup163 = setc("eventcategory","1609000000"); +var dup171 = setc("eventcategory","1609000000"); -var dup164 = setc("eventcategory","1204000000"); +var dup172 = setc("eventcategory","1204000000"); -var dup165 = setc("eventcategory","1602000000"); +var dup173 = setc("eventcategory","1602000000"); -var dup166 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); +var dup174 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); -var dup167 = setc("eventcategory","1803000000"); +var dup175 = setc("eventcategory","1803000000"); -var dup168 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var dup176 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var dup169 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); +var dup177 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); -var dup170 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); +var dup178 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); -var dup171 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); +var dup179 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); -var dup172 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); +var dup180 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); -var dup173 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); +var dup181 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); -var dup174 = linear_select([ +var dup182 = linear_select([ dup8, dup9, ]); -var dup175 = linear_select([ +var dup183 = linear_select([ dup15, dup16, ]); -var dup176 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var dup184 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, - dup23, + dup24, ])); -var dup177 = linear_select([ - dup25, +var dup185 = linear_select([ dup26, + dup27, ]); -var dup178 = linear_select([ - dup27, +var dup186 = linear_select([ dup28, + dup29, ]); -var dup179 = linear_select([ - dup34, +var dup187 = linear_select([ dup35, + dup36, ]); -var dup180 = linear_select([ - dup25, - dup39, +var dup188 = linear_select([ + dup37, + dup38, ]); -var dup181 = linear_select([ - dup41, - dup42, +var dup189 = linear_select([ + dup39, + dup40, ]); -var dup182 = linear_select([ +var dup190 = linear_select([ + dup26, dup46, - dup47, ]); -var dup183 = linear_select([ +var dup191 = linear_select([ + dup48, dup49, - dup50, ]); -var dup184 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup62, +var dup192 = linear_select([ + dup52, + dup53, +]); + +var dup193 = linear_select([ + dup55, + dup56, +]); + +var dup194 = linear_select([ + dup57, + dup58, +]); + +var dup195 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, ])); -var dup185 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var dup196 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup5, ])); -var dup186 = linear_select([ - dup71, +var dup197 = linear_select([ dup75, dup76, ]); -var dup187 = linear_select([ - dup8, - dup25, +var dup198 = linear_select([ + dup83, + dup84, ]); -var dup188 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ +var dup199 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ dup1, ])); -var dup189 = linear_select([ - dup88, - dup89, +var dup200 = linear_select([ + dup94, + dup95, ]); -var dup190 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var dup201 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup5, ])); -var dup191 = linear_select([ - dup92, - dup93, +var dup202 = linear_select([ + dup98, + dup99, ]); -var dup192 = linear_select([ - dup96, - dup97, +var dup203 = linear_select([ + dup86, + dup102, ]); -var dup193 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup87, +var dup204 = linear_select([ + dup103, + dup104, +]); + +var dup205 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, ])); -var dup194 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup87, +var dup206 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, ])); -var dup195 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ +var dup207 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup1, ])); -var dup196 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var dup208 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup1, ])); -var dup197 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ +var dup209 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ dup1, - dup23, + dup24, ])); -var dup198 = linear_select([ - dup66, - dup108, +var dup210 = linear_select([ + dup114, + dup115, ]); -var dup199 = linear_select([ - dup110, - dup111, +var dup211 = linear_select([ + dup117, + dup118, ]); -var dup200 = linear_select([ - dup115, - dup45, +var dup212 = linear_select([ + dup43, + dup42, ]); -var dup201 = linear_select([ +var dup213 = linear_select([ dup8, - dup26, + dup27, ]); -var dup202 = linear_select([ +var dup214 = linear_select([ dup8, - dup25, - dup39, + dup26, + dup46, ]); -var dup203 = linear_select([ - dup71, +var dup215 = linear_select([ + dup80, dup15, dup16, ]); -var dup204 = linear_select([ - dup121, - dup122, -]); - -var dup205 = linear_select([ - dup68, - dup69, - dup74, +var dup216 = linear_select([ + dup124, + dup125, + dup126, + dup38, ]); -var dup206 = linear_select([ +var dup217 = linear_select([ dup127, dup128, ]); -var dup207 = linear_select([ - dup41, - dup42, - dup134, +var dup218 = linear_select([ + dup129, + dup130, ]); -var dup208 = linear_select([ +var dup219 = linear_select([ dup135, dup136, + dup137, ]); -var dup209 = linear_select([ +var dup220 = linear_select([ dup138, - dup139, + dup56, ]); -var dup210 = linear_select([ +var dup221 = linear_select([ dup140, dup141, ]); -var dup211 = linear_select([ - dup49, - dup148, +var dup222 = linear_select([ + dup142, + dup143, ]); -var dup212 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ +var dup223 = linear_select([ dup150, + dup151, +]); + +var dup224 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, ])); -var dup213 = linear_select([ - dup152, - dup40, +var dup225 = linear_select([ + dup158, + dup38, ]); -var dup214 = linear_select([ - dup154, - dup155, +var dup226 = linear_select([ + dup160, + dup161, ]); -var dup215 = linear_select([ - dup156, - dup157, +var dup227 = linear_select([ + dup162, + dup163, ]); -var dup216 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ +var dup228 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ dup5, ])); -var dup217 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ +var dup229 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ dup5, ])); -var dup218 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ +var dup230 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ dup5, - dup23, + dup24, ])); -var dup219 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var dup231 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, - dup23, + dup24, ])); -var dup220 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ +var dup232 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ dup1, - dup23, + dup24, ])); -var dup221 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup163, - dup37, +var dup233 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, ])); -var dup222 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ +var dup234 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ dup1, ])); -var dup223 = linear_select([ - dup169, - dup170, +var dup235 = linear_select([ + dup177, + dup178, ]); -var dup224 = linear_select([ - dup172, - dup173, +var dup236 = linear_select([ + dup180, + dup181, ]); -var dup225 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var dup237 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup1, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var dup226 = all_match({ +var dup238 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup186, ], on_success: processor_chain([ - dup30, + dup31, ]), }); -var dup227 = all_match({ +var dup239 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup85, + dup91, ]), }); -var dup228 = all_match({ +var dup240 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup59, + dup67, ]), }); -var dup229 = all_match({ +var dup241 = all_match({ processors: [ - dup95, - dup192, + dup101, + dup203, ], on_success: processor_chain([ - dup59, + dup67, ]), }); -var dup230 = all_match({ +var dup242 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup100, + dup106, ]), }); -var dup231 = all_match({ +var dup243 = all_match({ processors: [ + dup32, + dup185, + dup187, + ], + on_success: processor_chain([ dup31, - dup177, - dup10, - dup178, + ]), +}); + +var dup244 = all_match({ + processors: [ + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup29, + dup30, ]), }); -var dup232 = all_match({ +var dup245 = all_match({ processors: [ - dup102, - dup177, - dup10, - dup178, + dup108, + dup185, + dup187, ], on_success: processor_chain([ - dup103, + dup109, ]), }); -var dup233 = all_match({ +var dup246 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ - dup106, + dup112, ]), }); -var dup234 = all_match({ +var dup247 = all_match({ processors: [ - dup107, - dup198, + dup113, + dup210, ], on_success: processor_chain([ - dup87, + dup93, ]), }); -var dup235 = all_match({ +var dup248 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ - dup109, + dup116, ]), }); -var dup236 = all_match({ +var dup249 = all_match({ processors: [ - dup44, - dup179, - dup36, - dup178, + dup51, + dup189, + dup41, + dup187, ], on_success: processor_chain([ dup5, ]), }); -var dup237 = all_match({ +var dup250 = all_match({ processors: [ - dup80, - dup177, - dup10, - dup175, - dup79, + dup73, + dup185, + dup183, + dup43, ], on_success: processor_chain([ dup1, ]), }); -var dup238 = all_match({ +var dup251 = all_match({ processors: [ - dup151, - dup213, - dup153, - dup214, - dup215, - dup158, + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, ], on_success: processor_chain([ - dup150, - dup51, - dup52, - dup53, - dup54, - dup37, - dup55, - dup17, + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, dup18, dup19, dup20, dup21, + dup22, ]), }); -var dup239 = all_match({ +var dup252 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup191, - dup94, + dup202, + dup100, ], on_success: processor_chain([ dup1, ]), }); -var dup240 = all_match({ +var dup253 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ dup1, @@ -834,7 +872,7 @@ var hdr1 = match("HEADER#0:0001", "message", "id=%{hfld1->} sn=%{hserial_number- setc("header_id","0001"), ])); -var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number->} time=\"%{date->} %{time}\" fw=%{hhostip->} pri=%{hseverity->} %{messageid}= %{p0}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -842,7 +880,7 @@ var hdr2 = match("HEADER#1:0002", "message", "id=%{hfld1->} sn=%{hserial_number- args: [ field("messageid"), constant("= "), - field("payload"), + field("p0"), ], }), ])); @@ -955,20 +993,17 @@ var part13 = match("MESSAGE#12:13", "nwparser.payload", "Restarting SonicWALL; d var msg13 = msg("13", part13); -var part14 = match("MESSAGE#13:14/0", "nwparser.payload", "%{} %{p0}"); +var part14 = match("MESSAGE#13:14/0_0", "nwparser.payload", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode}"); -var part15 = match("MESSAGE#13:14/1_0", "nwparser.p0", "msg=\"Web site access denied\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstname=%{dhost->} arg=%{fld2->} code=%{icmpcode->} "); - -var part16 = match("MESSAGE#13:14/1_1", "nwparser.p0", "Web site blocked %{}"); +var part15 = match("MESSAGE#13:14/0_1", "nwparser.payload", "Web site blocked%{}"); var select5 = linear_select([ + part14, part15, - part16, ]); var all1 = all_match({ processors: [ - part14, select5, ], on_success: processor_chain([ @@ -979,24 +1014,24 @@ var all1 = all_match({ var msg14 = msg("14", all1); -var part17 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} code= %{p0}"); +var part16 = match("MESSAGE#14:14:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} code= %{p0}"); -var part18 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} code= %{p0}"); +var part17 = match("MESSAGE#14:14:01/3_1", "nwparser.p0", "%{dinterface->} code= %{p0}"); var select6 = linear_select([ + part16, part17, - part18, ]); -var part19 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{} %{fld3->} Category=%{fld4->} npcs=%{info}"); +var part18 = match("MESSAGE#14:14:01/4", "nwparser.p0", "%{fld3->} Category=%{fld4->} npcs=%{info}"); var all2 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, select6, - part19, + part18, ], on_success: processor_chain([ dup6, @@ -1005,33 +1040,33 @@ var all2 = all_match({ var msg15 = msg("14:01", all2); -var part20 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part19 = match("MESSAGE#15:14:02", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup6, dup11, ])); -var msg16 = msg("14:02", part20); +var msg16 = msg("14:02", part19); -var part21 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part20 = match("MESSAGE#16:14:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup6, dup11, ])); -var msg17 = msg("14:03", part21); +var msg17 = msg("14:03", part20); -var part22 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part21 = match("MESSAGE#17:14:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{name->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup6, dup11, ])); -var msg18 = msg("14:04", part22); +var msg18 = msg("14:04", part21); -var part23 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part22 = match("MESSAGE#18:14:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} sess=\"%{fld2}\" n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr}dstMac=%{dmacaddr->} proto=%{protocol->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup6, dup11, ])); -var msg19 = msg("14:05", part23); +var msg19 = msg("14:05", part22); var select7 = linear_select([ msg14, @@ -1042,80 +1077,80 @@ var select7 = linear_select([ msg19, ]); -var part24 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ +var part23 = match("MESSAGE#19:15", "nwparser.payload", "Newsgroup blocked%{}", processor_chain([ dup12, ])); -var msg20 = msg("15", part24); +var msg20 = msg("15", part23); -var part25 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ +var part24 = match("MESSAGE#20:16", "nwparser.payload", "Web site accessed%{}", processor_chain([ dup13, ])); -var msg21 = msg("16", part25); +var msg21 = msg("16", part24); -var part26 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ +var part25 = match("MESSAGE#21:17", "nwparser.payload", "Newsgroup accessed%{}", processor_chain([ dup13, ])); -var msg22 = msg("17", part26); +var msg22 = msg("17", part25); -var part27 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ +var part26 = match("MESSAGE#22:18", "nwparser.payload", "ActiveX blocked%{}", processor_chain([ dup12, ])); -var msg23 = msg("18", part27); +var msg23 = msg("18", part26); -var part28 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ +var part27 = match("MESSAGE#23:19", "nwparser.payload", "Java blocked%{}", processor_chain([ dup12, ])); -var msg24 = msg("19", part28); +var msg24 = msg("19", part27); -var part29 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ +var part28 = match("MESSAGE#24:20", "nwparser.payload", "ActiveX or Java archive blocked%{}", processor_chain([ dup12, ])); -var msg25 = msg("20", part29); +var msg25 = msg("20", part28); -var part30 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ +var part29 = match("MESSAGE#25:21", "nwparser.payload", "Cookie removed%{}", processor_chain([ dup1, ])); -var msg26 = msg("21", part30); +var msg26 = msg("21", part29); -var part31 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ +var part30 = match("MESSAGE#26:22", "nwparser.payload", "Ping of death blocked%{}", processor_chain([ dup14, ])); -var msg27 = msg("22", part31); +var msg27 = msg("22", part30); -var part32 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ +var part31 = match("MESSAGE#27:23", "nwparser.payload", "IP spoof detected%{}", processor_chain([ dup14, ])); -var msg28 = msg("23", part32); +var msg28 = msg("23", part31); -var part33 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part32 = match("MESSAGE#28:23:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part34 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); +var part33 = match("MESSAGE#28:23:01/3_0", "nwparser.p0", "- MAC address: %{p0}"); -var part35 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); +var part34 = match("MESSAGE#28:23:01/3_1", "nwparser.p0", "mac= %{p0}"); var select8 = linear_select([ + part33, part34, - part35, ]); -var part36 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{} %{smacaddr}"); +var part35 = match("MESSAGE#28:23:01/4", "nwparser.p0", "%{smacaddr}"); var all3 = all_match({ processors: [ - part33, - dup175, - dup10, + part32, + dup183, + dup17, select8, - part36, + part35, ], on_success: processor_chain([ dup14, @@ -1124,39 +1159,39 @@ var all3 = all_match({ var msg29 = msg("23:01", all3); -var part37 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ +var part36 = match("MESSAGE#29:23:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} - MAC address: %{smacaddr}", processor_chain([ dup14, ])); -var msg30 = msg("23:02", part37); +var msg30 = msg("23:02", part36); -var part38 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part37 = match("MESSAGE#30:23:03/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); -var part39 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac= %{p0}"); +var part38 = match("MESSAGE#30:23:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac= %{p0}"); -var part40 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac= %{p0}"); +var part39 = match("MESSAGE#30:23:03/1_1", "nwparser.p0", "%{dinterface->} srcMac= %{p0}"); var select9 = linear_select([ + part38, part39, - part40, ]); -var part41 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); +var part40 = match("MESSAGE#30:23:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}"); var all4 = all_match({ processors: [ - part38, + part37, select9, - part41, + part40, ], on_success: processor_chain([ dup14, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); @@ -1169,71 +1204,70 @@ var select10 = linear_select([ msg31, ]); -var part42 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ - dup22, +var part41 = match("MESSAGE#31:24", "nwparser.payload", "Illegal LAN address in use%{}", processor_chain([ + dup23, ])); -var msg32 = msg("24", part42); +var msg32 = msg("24", part41); -var msg33 = msg("24:01", dup176); +var msg33 = msg("24:01", dup184); var select11 = linear_select([ msg32, msg33, ]); -var part43 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ +var part42 = match("MESSAGE#32:25", "nwparser.payload", "Possible SYN flood attack%{}", processor_chain([ dup14, ])); -var msg34 = msg("25", part43); +var msg34 = msg("25", part42); -var part44 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ +var part43 = match("MESSAGE#33:26", "nwparser.payload", "Probable SYN flood attack%{}", processor_chain([ dup14, ])); -var msg35 = msg("26", part44); +var msg35 = msg("26", part43); -var part45 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ +var part44 = match("MESSAGE#34:27", "nwparser.payload", "Land Attack Dropped%{}", processor_chain([ dup14, ])); -var msg36 = msg("27", part45); +var msg36 = msg("27", part44); -var part46 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ +var part45 = match("MESSAGE#35:28", "nwparser.payload", "Fragmented Packet Dropped%{}", processor_chain([ dup14, ])); -var msg37 = msg("28", part46); +var msg37 = msg("28", part45); -var part47 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ +var part46 = match("MESSAGE#36:28:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup14, ])); -var msg38 = msg("28:01", part47); +var msg38 = msg("28:01", part46); var select12 = linear_select([ msg37, msg38, ]); -var part48 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ - dup24, +var part47 = match("MESSAGE#37:29", "nwparser.payload", "Successful administrator login%{}", processor_chain([ + dup25, ])); -var msg39 = msg("29", part48); +var msg39 = msg("29", part47); -var part49 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); +var part48 = match("MESSAGE#38:29:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} usr=%{username->} src=%{p0}"); var all5 = all_match({ processors: [ - part49, - dup177, - dup10, - dup178, + part48, + dup185, + dup186, ], on_success: processor_chain([ - dup29, + dup30, ]), }); @@ -1244,59 +1278,58 @@ var select13 = linear_select([ msg40, ]); -var part50 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ - dup30, +var part49 = match("MESSAGE#39:30", "nwparser.payload", "Administrator login failed - incorrect password%{}", processor_chain([ + dup31, ])); -var msg41 = msg("30", part50); +var msg41 = msg("30", part49); -var msg42 = msg("30:01", dup226); +var msg42 = msg("30:01", dup238); var select14 = linear_select([ msg41, msg42, ]); -var part51 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ - dup24, +var part50 = match("MESSAGE#41:31", "nwparser.payload", "Successful user login%{}", processor_chain([ + dup25, ])); -var msg43 = msg("31", part51); +var msg43 = msg("31", part50); var all6 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup186, ], on_success: processor_chain([ - dup24, + dup25, ]), }); var msg44 = msg("31:01", all6); -var part52 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup24, +var part51 = match("MESSAGE#43:31:02", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, dup11, ])); -var msg45 = msg("31:02", part52); +var msg45 = msg("31:02", part51); -var part53 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup24, +var part52 = match("MESSAGE#44:31:03", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration}n=%{fld1}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}proto=%{protocol}note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, dup11, ])); -var msg46 = msg("31:03", part53); +var msg46 = msg("31:03", part52); -var part54 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup24, +var part53 = match("MESSAGE#45:31:04", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup25, dup11, ])); -var msg47 = msg("31:04", part54); +var msg47 = msg("31:04", part53); var select15 = linear_select([ msg43, @@ -1306,34 +1339,33 @@ var select15 = linear_select([ msg47, ]); -var part55 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ - dup30, +var part54 = match("MESSAGE#46:32", "nwparser.payload", "User login failed - incorrect password%{}", processor_chain([ + dup31, ])); -var msg48 = msg("32", part55); +var msg48 = msg("32", part54); -var msg49 = msg("32:01", dup226); +var msg49 = msg("32:01", dup238); var select16 = linear_select([ msg48, msg49, ]); -var part56 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ - dup32, +var part55 = match("MESSAGE#48:33", "nwparser.payload", "Unknown user attempted to log in%{}", processor_chain([ + dup33, ])); -var msg50 = msg("33", part56); +var msg50 = msg("33", part55); var all7 = all_match({ processors: [ - dup33, - dup177, - dup10, - dup178, + dup34, + dup185, + dup186, ], on_success: processor_chain([ - dup30, + dup31, ]), }); @@ -1344,31 +1376,23 @@ var select17 = linear_select([ msg51, ]); -var part57 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ +var part56 = match("MESSAGE#50:34", "nwparser.payload", "Login screen timed out%{}", processor_chain([ dup5, ])); -var msg52 = msg("34", part57); +var msg52 = msg("34", part56); -var part58 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ +var part57 = match("MESSAGE#51:35", "nwparser.payload", "Attempted administrator login from WAN%{}", processor_chain([ setc("eventcategory","1401040000"), ])); -var msg53 = msg("35", part58); - -var part59 = match("MESSAGE#52:35:01/3_1", "nwparser.p0", "%{daddr}"); - -var select18 = linear_select([ - dup27, - part59, -]); +var msg53 = msg("35", part57); var all8 = all_match({ processors: [ - dup31, - dup177, - dup10, - select18, + dup32, + dup185, + dup187, ], on_success: processor_chain([ setc("eventcategory","1401050200"), @@ -1377,78 +1401,66 @@ var all8 = all_match({ var msg54 = msg("35:01", all8); -var select19 = linear_select([ +var select18 = linear_select([ msg53, msg54, ]); -var part60 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ +var part58 = match("MESSAGE#53:36", "nwparser.payload", "TCP connection dropped%{}", processor_chain([ dup5, ])); -var msg55 = msg("36", part60); - -var part61 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); - -var part62 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src= %{p0}"); - -var part63 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{fld1->} src= %{p0}"); - -var select20 = linear_select([ - part62, - part63, -]); +var msg55 = msg("36", part58); -var part64 = match("MESSAGE#54:36:01/6_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); +var part59 = match("MESSAGE#54:36:01/0", "nwparser.payload", "msg=\"%{msg}\" %{p0}"); -var part65 = match("MESSAGE#54:36:01/6_1", "nwparser.p0", " rule=%{rule->} "); +var part60 = match("MESSAGE#54:36:01/2", "nwparser.p0", "%{fld1->} src= %{p0}"); -var part66 = match("MESSAGE#54:36:01/6_2", "nwparser.p0", " proto=%{protocol->} "); +var part61 = match("MESSAGE#54:36:01/7_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); -var select21 = linear_select([ - part64, - part65, - part66, +var select19 = linear_select([ + part61, + dup42, + dup43, ]); var all9 = all_match({ processors: [ - part61, - select20, - dup179, - dup36, - dup175, - dup10, - select21, + part59, + dup188, + part60, + dup189, + dup41, + dup183, + dup17, + select19, ], on_success: processor_chain([ dup5, - dup37, + dup44, ]), }); var msg56 = msg("36:01", all9); -var part67 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} %{p0}"); +var part62 = match("MESSAGE#55:36:02/5_0", "nwparser.p0", "rule=%{rule->} npcs=%{p0}"); -var part68 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} %{p0}"); +var part63 = match("MESSAGE#55:36:02/5_1", "nwparser.p0", "proto=%{protocol->} npcs=%{p0}"); -var select22 = linear_select([ - part67, - part68, +var select20 = linear_select([ + part62, + part63, ]); -var part69 = match("MESSAGE#55:36:02/6", "nwparser.p0", "%{}npcs=%{info}"); - var all10 = all_match({ processors: [ - dup38, - dup180, - dup10, - dup175, - dup10, - select22, - part69, + dup45, + dup190, + dup17, + dup183, + dup17, + select20, + dup47, ], on_success: processor_chain([ dup5, @@ -1457,79 +1469,59 @@ var all10 = all_match({ var msg57 = msg("36:02", all10); -var select23 = linear_select([ +var select21 = linear_select([ msg55, msg56, msg57, ]); -var part70 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ +var part64 = match("MESSAGE#56:37", "nwparser.payload", "UDP packet dropped%{}", processor_chain([ dup5, ])); -var msg58 = msg("37", part70); - -var part71 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); - -var part72 = match("MESSAGE#57:37:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); - -var select24 = linear_select([ - part72, - dup40, -]); - -var part73 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); - -var part74 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); +var msg58 = msg("37", part64); -var part75 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} %{p0}"); +var part65 = match("MESSAGE#57:37:01/0", "nwparser.payload", "msg=\"UDP packet dropped\" %{p0}"); -var part76 = match("MESSAGE#57:37:01/3_2", "nwparser.p0", "%{dport}:%{dinterface->} %{p0}"); +var part66 = match("MESSAGE#57:37:01/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); -var select25 = linear_select([ - part74, - part75, - part76, -]); +var part67 = match("MESSAGE#57:37:01/3_0", "nwparser.p0", "%{dport}proto=%{protocol->} fw_action=\"%{fld3}\""); -var part77 = match("MESSAGE#57:37:01/4_0", "nwparser.p0", "proto=%{protocol->} fw_action=\"%{fld3}\" "); +var part68 = match("MESSAGE#57:37:01/3_1", "nwparser.p0", "%{dport}rule=%{rule}"); -var part78 = match("MESSAGE#57:37:01/4_1", "nwparser.p0", " rule=%{rule}"); - -var select26 = linear_select([ - part77, - part78, +var select22 = linear_select([ + part67, + part68, ]); var all11 = all_match({ processors: [ - part71, - select24, - part73, - select25, - select26, + part65, + dup188, + part66, + select22, ], on_success: processor_chain([ dup5, - dup37, + dup44, ]), }); var msg59 = msg("37:01", all11); -var part79 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ +var part69 = match("MESSAGE#58:37:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} rule=%{rule}", processor_chain([ dup5, ])); -var msg60 = msg("37:02", part79); +var msg60 = msg("37:02", part69); var all12 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup181, - dup43, + dup191, + dup50, ], on_success: processor_chain([ dup5, @@ -1538,14 +1530,14 @@ var all12 = all_match({ var msg61 = msg("37:03", all12); -var part80 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ +var part70 = match("MESSAGE#60:37:04", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ dup5, dup11, ])); -var msg62 = msg("37:04", part80); +var msg62 = msg("37:04", part70); -var select27 = linear_select([ +var select23 = linear_select([ msg58, msg59, msg60, @@ -1553,27 +1545,27 @@ var select27 = linear_select([ msg62, ]); -var part81 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ +var part71 = match("MESSAGE#61:38", "nwparser.payload", "ICMP packet dropped%{}", processor_chain([ dup5, ])); -var msg63 = msg("38", part81); +var msg63 = msg("38", part71); -var part82 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code->} "); +var part72 = match("MESSAGE#62:38:01/5_0", "nwparser.p0", "type=%{type->} code=%{code}"); -var select28 = linear_select([ - part82, - dup45, +var select24 = linear_select([ + part72, + dup42, ]); var all13 = all_match({ processors: [ - dup44, - dup179, - dup36, - dup175, - dup10, - select28, + dup51, + dup189, + dup41, + dup183, + dup17, + select24, ], on_success: processor_chain([ dup5, @@ -1582,15 +1574,15 @@ var all13 = all_match({ var msg64 = msg("38:01", all13); -var part83 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{} %{fld3->} icmpCode=%{fld4->} npcs=%{info}"); +var part73 = match("MESSAGE#63:38:02/4", "nwparser.p0", "%{fld3->} icmpCode=%{fld4->} npcs=%{info}"); var all14 = all_match({ processors: [ dup7, - dup174, - dup10, dup182, - part83, + dup10, + dup192, + part73, ], on_success: processor_chain([ dup5, @@ -1599,173 +1591,164 @@ var all14 = all_match({ var msg65 = msg("38:02", all14); -var part84 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", "%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); - -var part85 = match("MESSAGE#64:38:03/1_1", "nwparser.p0", "%{event_description}\"%{p0}"); - -var select29 = linear_select([ - part84, - part85, -]); +var part74 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part86 = match("MESSAGE#64:38:03/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); - -var part87 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); +var part75 = match("MESSAGE#64:38:03/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\""); var all15 = all_match({ processors: [ - dup48, - select29, - part86, - dup183, - part87, + dup54, + dup193, + part74, + dup194, + part75, ], on_success: processor_chain([ dup5, dup11, - dup18, dup19, dup20, dup21, + dup22, ]), }); var msg66 = msg("38:03", all15); -var select30 = linear_select([ +var select25 = linear_select([ msg63, msg64, msg65, msg66, ]); -var part88 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ +var part76 = match("MESSAGE#65:39", "nwparser.payload", "PPTP packet dropped%{}", processor_chain([ dup5, ])); -var msg67 = msg("39", part88); +var msg67 = msg("39", part76); -var part89 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ +var part77 = match("MESSAGE#66:40", "nwparser.payload", "IPSec packet dropped%{}", processor_chain([ dup5, ])); -var msg68 = msg("40", part89); +var msg68 = msg("40", part77); -var part90 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ +var part78 = match("MESSAGE#67:41:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=\"IP Protocol: %{dclass_counter1}\"", processor_chain([ dup5, - dup51, - dup52, - dup53, - dup54, + dup59, + dup60, + dup61, + dup62, dup11, - dup55, - dup17, + dup63, dup18, dup19, dup20, dup21, + dup22, ])); -var msg69 = msg("41:01", part90); +var msg69 = msg("41:01", part78); -var part91 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ +var part79 = match("MESSAGE#68:41:02", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport}:%{sinterface->} dst=%{dtransaddr}:%{dtransport}::%{dinterface}", processor_chain([ dup5, ])); -var msg70 = msg("41:02", part91); +var msg70 = msg("41:02", part79); -var part92 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ +var part80 = match("MESSAGE#69:41:03", "nwparser.payload", "Unknown protocol dropped%{}", processor_chain([ dup5, ])); -var msg71 = msg("41:03", part92); +var msg71 = msg("41:03", part80); -var select31 = linear_select([ +var select26 = linear_select([ msg69, msg70, msg71, ]); -var part93 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ +var part81 = match("MESSAGE#70:42", "nwparser.payload", "IPSec packet dropped; waiting for pending IPSec connection%{}", processor_chain([ dup5, ])); -var msg72 = msg("42", part93); +var msg72 = msg("42", part81); -var part94 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ +var part82 = match("MESSAGE#71:43", "nwparser.payload", "IPSec connection interrupt%{}", processor_chain([ dup5, ])); -var msg73 = msg("43", part94); +var msg73 = msg("43", part82); -var part95 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ +var part83 = match("MESSAGE#72:44", "nwparser.payload", "NAT could not remap incoming packet%{}", processor_chain([ dup5, ])); -var msg74 = msg("44", part95); +var msg74 = msg("44", part83); -var part96 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ +var part84 = match("MESSAGE#73:45", "nwparser.payload", "ARP timeout%{}", processor_chain([ dup5, ])); -var msg75 = msg("45", part96); +var msg75 = msg("45", part84); -var part97 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ +var part85 = match("MESSAGE#74:45:01", "nwparser.payload", "msg=\"ARP timeout\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ dup5, ])); -var msg76 = msg("45:01", part97); +var msg76 = msg("45:01", part85); -var part98 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ +var part86 = match("MESSAGE#75:45:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} npcs=%{info}", processor_chain([ dup5, ])); -var msg77 = msg("45:02", part98); +var msg77 = msg("45:02", part86); -var select32 = linear_select([ +var select27 = linear_select([ msg75, msg76, msg77, ]); -var part99 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ +var part87 = match("MESSAGE#76:46:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ dup5, - dup51, - dup52, - dup53, - dup54, + dup59, + dup60, + dup61, + dup62, dup11, - dup55, - dup17, + dup63, dup18, dup19, dup20, dup21, + dup22, ])); -var msg78 = msg("46:01", part99); +var msg78 = msg("46:01", part87); -var part100 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ +var part88 = match("MESSAGE#77:46:02", "nwparser.payload", "msg=\"Broadcast packet dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup5, ])); -var msg79 = msg("46:02", part100); +var msg79 = msg("46:02", part88); -var part101 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ +var part89 = match("MESSAGE#78:46", "nwparser.payload", "Broadcast packet dropped%{}", processor_chain([ dup5, ])); -var msg80 = msg("46", part101); +var msg80 = msg("46", part89); -var part102 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part90 = match("MESSAGE#79:46:03/0", "nwparser.payload", "msg=\"Broadcast packet dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); var all16 = all_match({ processors: [ - part102, - dup174, + part90, + dup182, dup10, - dup181, - dup43, + dup191, + dup50, ], on_success: processor_chain([ dup5, @@ -1774,468 +1757,460 @@ var all16 = all_match({ var msg81 = msg("46:03", all16); -var select33 = linear_select([ +var select28 = linear_select([ msg78, msg79, msg80, msg81, ]); -var part103 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ +var part91 = match("MESSAGE#80:47", "nwparser.payload", "No ICMP redirect sent%{}", processor_chain([ dup5, ])); -var msg82 = msg("47", part103); +var msg82 = msg("47", part91); -var part104 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ +var part92 = match("MESSAGE#81:48", "nwparser.payload", "Out-of-order command packet dropped%{}", processor_chain([ dup5, ])); -var msg83 = msg("48", part104); +var msg83 = msg("48", part92); -var part105 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ +var part93 = match("MESSAGE#82:49", "nwparser.payload", "Failure to add data channel%{}", processor_chain([ dup5, ])); -var msg84 = msg("49", part105); +var msg84 = msg("49", part93); -var part106 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ +var part94 = match("MESSAGE#83:50", "nwparser.payload", "RealAudio decode failure%{}", processor_chain([ dup5, ])); -var msg85 = msg("50", part106); +var msg85 = msg("50", part94); -var part107 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ +var part95 = match("MESSAGE#84:51", "nwparser.payload", "Duplicate packet dropped%{}", processor_chain([ dup5, ])); -var msg86 = msg("51", part107); +var msg86 = msg("51", part95); -var part108 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ +var part96 = match("MESSAGE#85:52", "nwparser.payload", "No HOST tag found in HTTP request%{}", processor_chain([ dup5, ])); -var msg87 = msg("52", part108); +var msg87 = msg("52", part96); -var part109 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ +var part97 = match("MESSAGE#86:53", "nwparser.payload", "The cache is full; too many open connections; some will be dropped%{}", processor_chain([ dup2, ])); -var msg88 = msg("53", part109); +var msg88 = msg("53", part97); -var part110 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ - dup56, +var part98 = match("MESSAGE#87:58", "nwparser.payload", "License exceeded: Connection dropped because too many IP addresses are in use on your LAN%{}", processor_chain([ + dup64, ])); -var msg89 = msg("58", part110); +var msg89 = msg("58", part98); -var part111 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ +var part99 = match("MESSAGE#88:60", "nwparser.payload", "Access to Proxy Server Blocked%{}", processor_chain([ dup12, ])); -var msg90 = msg("60", part111); +var msg90 = msg("60", part99); -var part112 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ +var part100 = match("MESSAGE#89:61", "nwparser.payload", "Diagnostic Code E%{}", processor_chain([ dup1, ])); -var msg91 = msg("61", part112); +var msg91 = msg("61", part100); -var part113 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ - dup57, +var part101 = match("MESSAGE#90:62", "nwparser.payload", "Dynamic IPSec client connected%{}", processor_chain([ + dup65, ])); -var msg92 = msg("62", part113); +var msg92 = msg("62", part101); -var part114 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ - dup58, +var part102 = match("MESSAGE#91:63", "nwparser.payload", "IPSec packet too big%{}", processor_chain([ + dup66, ])); -var msg93 = msg("63", part114); +var msg93 = msg("63", part102); -var part115 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup58, +var part103 = match("MESSAGE#92:63:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, ])); -var msg94 = msg("63:01", part115); +var msg94 = msg("63:01", part103); -var select34 = linear_select([ +var select29 = linear_select([ msg93, msg94, ]); -var part116 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ +var part104 = match("MESSAGE#93:64", "nwparser.payload", "Diagnostic Code D%{}", processor_chain([ dup1, ])); -var msg95 = msg("64", part116); +var msg95 = msg("64", part104); -var part117 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ - dup58, +var part105 = match("MESSAGE#94:65", "nwparser.payload", "Illegal IPSec SPI%{}", processor_chain([ + dup66, ])); -var msg96 = msg("65", part117); +var msg96 = msg("65", part105); -var part118 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ - dup58, +var part106 = match("MESSAGE#95:66", "nwparser.payload", "Unknown IPSec SPI%{}", processor_chain([ + dup66, ])); -var msg97 = msg("66", part118); +var msg97 = msg("66", part106); -var part119 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ - dup58, +var part107 = match("MESSAGE#96:67", "nwparser.payload", "IPSec Authentication Failed%{}", processor_chain([ + dup66, ])); -var msg98 = msg("67", part119); +var msg98 = msg("67", part107); var all17 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup186, ], on_success: processor_chain([ - dup58, + dup66, ]), }); var msg99 = msg("67:01", all17); -var select35 = linear_select([ +var select30 = linear_select([ msg98, msg99, ]); -var part120 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ - dup58, +var part108 = match("MESSAGE#98:68", "nwparser.payload", "IPSec Decryption Failed%{}", processor_chain([ + dup66, ])); -var msg100 = msg("68", part120); +var msg100 = msg("68", part108); -var part121 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ - dup58, +var part109 = match("MESSAGE#99:69", "nwparser.payload", "Incompatible IPSec Security Association%{}", processor_chain([ + dup66, ])); -var msg101 = msg("69", part121); +var msg101 = msg("69", part109); -var part122 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ - dup58, +var part110 = match("MESSAGE#100:70", "nwparser.payload", "IPSec packet from illegal host%{}", processor_chain([ + dup66, ])); -var msg102 = msg("70", part122); +var msg102 = msg("70", part110); -var part123 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} %{p0}"); +var part111 = match("MESSAGE#101:70:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst%{p0}"); -var part124 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "dst=%{daddr->} "); +var part112 = match("MESSAGE#101:70:01/1_0", "nwparser.p0", "=%{daddr}"); -var part125 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", " dstname=%{name}"); +var part113 = match("MESSAGE#101:70:01/1_1", "nwparser.p0", "name=%{name}"); -var select36 = linear_select([ - part124, - part125, +var select31 = linear_select([ + part112, + part113, ]); var all18 = all_match({ processors: [ - part123, - select36, + part111, + select31, ], on_success: processor_chain([ - dup58, + dup66, ]), }); var msg103 = msg("70:01", all18); -var select37 = linear_select([ +var select32 = linear_select([ msg102, msg103, ]); -var part126 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ - dup59, +var part114 = match("MESSAGE#102:72", "nwparser.payload", "NetBus Attack Dropped%{}", processor_chain([ + dup67, ])); -var msg104 = msg("72", part126); +var msg104 = msg("72", part114); -var part127 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup59, +var part115 = match("MESSAGE#103:72:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup67, ])); -var msg105 = msg("72:01", part127); +var msg105 = msg("72:01", part115); -var select38 = linear_select([ +var select33 = linear_select([ msg104, msg105, ]); -var part128 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ - dup60, +var part116 = match("MESSAGE#104:73", "nwparser.payload", "Back Orifice Attack Dropped%{}", processor_chain([ + dup68, ])); -var msg106 = msg("73", part128); +var msg106 = msg("73", part116); -var part129 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ - dup61, +var part117 = match("MESSAGE#105:74", "nwparser.payload", "Net Spy Attack Dropped%{}", processor_chain([ + dup69, ])); -var msg107 = msg("74", part129); +var msg107 = msg("74", part117); -var part130 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ - dup60, +var part118 = match("MESSAGE#106:75", "nwparser.payload", "Sub Seven Attack Dropped%{}", processor_chain([ + dup68, ])); -var msg108 = msg("75", part130); +var msg108 = msg("75", part118); -var part131 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ - dup59, +var part119 = match("MESSAGE#107:76", "nwparser.payload", "Ripper Attack Dropped%{}", processor_chain([ + dup67, ])); -var msg109 = msg("76", part131); +var msg109 = msg("76", part119); -var part132 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ - dup59, +var part120 = match("MESSAGE#108:77", "nwparser.payload", "Striker Attack Dropped%{}", processor_chain([ + dup67, ])); -var msg110 = msg("77", part132); +var msg110 = msg("77", part120); -var part133 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ - dup61, +var part121 = match("MESSAGE#109:78", "nwparser.payload", "Senna Spy Attack Dropped%{}", processor_chain([ + dup69, ])); -var msg111 = msg("78", part133); +var msg111 = msg("78", part121); -var part134 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ - dup59, +var part122 = match("MESSAGE#110:79", "nwparser.payload", "Priority Attack Dropped%{}", processor_chain([ + dup67, ])); -var msg112 = msg("79", part134); +var msg112 = msg("79", part122); -var part135 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ - dup59, +var part123 = match("MESSAGE#111:80", "nwparser.payload", "Ini Killer Attack Dropped%{}", processor_chain([ + dup67, ])); -var msg113 = msg("80", part135); +var msg113 = msg("80", part123); -var part136 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ +var part124 = match("MESSAGE#112:81", "nwparser.payload", "Smurf Amplification Attack Dropped%{}", processor_chain([ dup14, ])); -var msg114 = msg("81", part136); +var msg114 = msg("81", part124); -var part137 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ - dup62, +var part125 = match("MESSAGE#113:82", "nwparser.payload", "Possible Port Scan%{}", processor_chain([ + dup70, ])); -var msg115 = msg("82", part137); +var msg115 = msg("82", part125); -var part138 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ - dup62, +var part126 = match("MESSAGE#114:82:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{info}\"", processor_chain([ + dup70, ])); -var msg116 = msg("82:02", part138); +var msg116 = msg("82:02", part126); -var part139 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ - dup62, +var part127 = match("MESSAGE#115:82:03", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ + dup70, ])); -var msg117 = msg("82:03", part139); +var msg117 = msg("82:03", part127); -var msg118 = msg("82:01", dup184); +var msg118 = msg("82:01", dup195); -var select39 = linear_select([ +var select34 = linear_select([ msg115, msg116, msg117, msg118, ]); -var part140 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ - dup62, +var part128 = match("MESSAGE#117:83", "nwparser.payload", "Probable Port Scan%{}", processor_chain([ + dup70, ])); -var msg119 = msg("83", part140); +var msg119 = msg("83", part128); -var msg120 = msg("83:01", dup185); +var msg120 = msg("83:01", dup196); -var part141 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ +var part129 = match("MESSAGE#119:83:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{fld3}\" npcs=%{info}", processor_chain([ dup5, ])); -var msg121 = msg("83:02", part141); +var msg121 = msg("83:02", part129); -var select40 = linear_select([ +var select35 = linear_select([ msg119, msg120, msg121, ]); -var part142 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); +var part130 = match("MESSAGE#120:84/0_0", "nwparser.payload", "msg=\"Failed to resolve name\" n=%{fld1->} dstname=%{dhost}"); -var part143 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); +var part131 = match("MESSAGE#120:84/0_1", "nwparser.payload", "Failed to resolve name%{}"); -var select41 = linear_select([ - part142, - part143, +var select36 = linear_select([ + part130, + part131, ]); var all19 = all_match({ processors: [ - select41, + select36, ], on_success: processor_chain([ - dup63, + dup71, setc("action","Failed to resolve name"), ]), }); var msg122 = msg("84", all19); -var part144 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ - dup64, +var part132 = match("MESSAGE#121:87", "nwparser.payload", "IKE Responder: Accepting IPSec proposal%{}", processor_chain([ + dup72, ])); -var msg123 = msg("87", part144); +var msg123 = msg("87", part132); -var part145 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup64, +var part133 = match("MESSAGE#122:87:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup72, ])); -var msg124 = msg("87:01", part145); +var msg124 = msg("87:01", part133); -var select42 = linear_select([ +var select37 = linear_select([ msg123, msg124, ]); -var part146 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ - dup58, +var part134 = match("MESSAGE#123:88", "nwparser.payload", "IKE Responder: IPSec proposal not acceptable%{}", processor_chain([ + dup66, ])); -var msg125 = msg("88", part146); +var msg125 = msg("88", part134); -var part147 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup58, +var part135 = match("MESSAGE#124:88:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup66, ])); -var msg126 = msg("88:01", part147); +var msg126 = msg("88:01", part135); -var select43 = linear_select([ +var select38 = linear_select([ msg125, msg126, ]); -var part148 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ - dup64, +var part136 = match("MESSAGE#125:89", "nwparser.payload", "IKE negotiation complete. Adding IPSec SA%{}", processor_chain([ + dup72, ])); -var msg127 = msg("89", part148); - -var part149 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} %{p0}"); +var msg127 = msg("89", part136); -var part150 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "src=%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface->} "); +var part137 = match("MESSAGE#126:89:01/1_0", "nwparser.p0", "%{saddr}:::%{sinterface->} dst=%{daddr}:::%{dinterface}"); -var part151 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", " src=%{saddr->} dst=%{daddr->} dstname=%{name}"); +var part138 = match("MESSAGE#126:89:01/1_1", "nwparser.p0", "%{saddr->} dst=%{daddr->} dstname=%{name}"); -var select44 = linear_select([ - part150, - part151, +var select39 = linear_select([ + part137, + part138, ]); var all20 = all_match({ processors: [ - part149, - select44, + dup73, + select39, ], on_success: processor_chain([ - dup64, + dup72, ]), }); var msg128 = msg("89:01", all20); -var select45 = linear_select([ +var select40 = linear_select([ msg127, msg128, ]); -var part152 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ - dup64, +var part139 = match("MESSAGE#127:90", "nwparser.payload", "Starting IKE negotiation%{}", processor_chain([ + dup72, ])); -var msg129 = msg("90", part152); +var msg129 = msg("90", part139); -var part153 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ - dup64, +var part140 = match("MESSAGE#128:91", "nwparser.payload", "Deleting IPSec SA for destination%{}", processor_chain([ + dup72, ])); -var msg130 = msg("91", part153); +var msg130 = msg("91", part140); -var part154 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ - dup64, +var part141 = match("MESSAGE#129:92", "nwparser.payload", "Deleting IPSec SA%{}", processor_chain([ + dup72, ])); -var msg131 = msg("92", part154); +var msg131 = msg("92", part141); -var part155 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ +var part142 = match("MESSAGE#130:93", "nwparser.payload", "Diagnostic Code A%{}", processor_chain([ dup1, ])); -var msg132 = msg("93", part155); +var msg132 = msg("93", part142); -var part156 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ +var part143 = match("MESSAGE#131:94", "nwparser.payload", "Diagnostic Code B%{}", processor_chain([ dup1, ])); -var msg133 = msg("94", part156); +var msg133 = msg("94", part143); -var part157 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ +var part144 = match("MESSAGE#132:95", "nwparser.payload", "Diagnostic Code C%{}", processor_chain([ dup1, ])); -var msg134 = msg("95", part157); +var msg134 = msg("95", part144); -var part158 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ +var part145 = match("MESSAGE#133:96", "nwparser.payload", "Status%{}", processor_chain([ dup1, ])); -var msg135 = msg("96", part158); +var msg135 = msg("96", part145); -var part159 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ +var part146 = match("MESSAGE#134:97", "nwparser.payload", "Web site hit%{}", processor_chain([ dup1, ])); -var msg136 = msg("97", part159); +var msg136 = msg("97", part146); -var part160 = match("MESSAGE#135:97:01/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} %{p0}"); +var part147 = match("MESSAGE#135:97:01/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} %{p0}"); -var part161 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); +var part148 = match("MESSAGE#135:97:01/5_0", "nwparser.p0", "rcvd=%{rbytes->} %{p0}"); -var part162 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); +var part149 = match("MESSAGE#135:97:01/5_1", "nwparser.p0", "sent=%{sbytes->} %{p0}"); -var select46 = linear_select([ - part161, - part162, +var select41 = linear_select([ + part148, + part149, ]); -var part163 = match("MESSAGE#135:97:01/7_0", "nwparser.p0", "result=%{result->} dstname=%{name->} "); - -var select47 = linear_select([ - part163, - dup66, -]); +var part150 = match_copy("MESSAGE#135:97:01/7", "nwparser.p0", "name"); var all21 = all_match({ processors: [ - dup65, - dup179, - dup36, - dup175, - part160, - select46, - dup10, - select47, + dup74, + dup189, + dup41, + dup183, + part147, + select41, + dup197, + part150, ], on_success: processor_chain([ dup1, @@ -2244,15 +2219,15 @@ var all21 = all_match({ var msg137 = msg("97:01", all21); -var part164 = match("MESSAGE#136:97:02/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld->} result=%{result}"); +var part151 = match("MESSAGE#136:97:02/4", "nwparser.p0", "proto=%{protocol->} op=%{fld->} result=%{result}"); var all22 = all_match({ processors: [ - dup65, - dup179, - dup36, - dup175, - part164, + dup74, + dup189, + dup41, + dup183, + part151, ], on_success: processor_chain([ dup1, @@ -2261,28 +2236,19 @@ var all22 = all_match({ var msg138 = msg("97:02", all22); -var part165 = match("MESSAGE#137:97:03/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); +var part152 = match("MESSAGE#137:97:03/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} sent=%{sbytes->} rcvd=%{rbytes->} %{p0}"); -var part166 = match("MESSAGE#137:97:03/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} %{p0}"); - -var part167 = match("MESSAGE#137:97:03/5_1", "nwparser.p0", "dstname=%{name->} %{p0}"); - -var select48 = linear_select([ - part166, - part167, -]); - -var part168 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); +var part153 = match("MESSAGE#137:97:03/6", "nwparser.p0", "%{} %{name}arg=%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); var all23 = all_match({ processors: [ - dup67, - dup179, - dup36, - dup175, - part165, - select48, - part168, + dup77, + dup189, + dup41, + dup183, + part152, + dup197, + part153, ], on_success: processor_chain([ dup1, @@ -2291,28 +2257,19 @@ var all23 = all_match({ var msg139 = msg("97:03", all23); -var part169 = match("MESSAGE#138:97:04/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld3->} %{p0}"); - -var part170 = match("MESSAGE#138:97:04/5_0", "nwparser.p0", "result=%{result->} dstname=%{name->} arg= %{p0}"); - -var part171 = match("MESSAGE#138:97:04/5_1", "nwparser.p0", "dstname=%{name->} arg= %{p0}"); - -var select49 = linear_select([ - part170, - part171, -]); +var part154 = match("MESSAGE#138:97:04/4", "nwparser.p0", "proto=%{protocol->} op=%{fld3->} %{p0}"); -var part172 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{} %{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); +var part155 = match("MESSAGE#138:97:04/6", "nwparser.p0", "%{}arg= %{name}%{fld4->} code=%{fld5->} Category=\"%{category}\" npcs=%{info}"); var all24 = all_match({ processors: [ - dup67, - dup179, - dup36, - dup175, - part169, - select49, - part172, + dup77, + dup189, + dup41, + dup183, + part154, + dup197, + part155, ], on_success: processor_chain([ dup1, @@ -2321,15 +2278,15 @@ var all24 = all_match({ var msg140 = msg("97:04", all24); -var part173 = match("MESSAGE#139:97:05/4", "nwparser.p0", "%{}proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); +var part156 = match("MESSAGE#139:97:05/4", "nwparser.p0", "proto=%{protocol->} op=%{fld2->} dstname=%{name->} arg=%{fld3->} code=%{fld4->} Category=%{category}"); var all25 = all_match({ processors: [ - dup65, - dup179, - dup36, - dup175, - part173, + dup74, + dup189, + dup41, + dup183, + part156, ], on_success: processor_chain([ dup1, @@ -2338,76 +2295,80 @@ var all25 = all_match({ var msg141 = msg("97:05", all25); -var part174 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{p0}"); +var part157 = match("MESSAGE#140:97:06/0", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{p0}"); -var select50 = linear_select([ - dup68, - dup69, +var part158 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{sinterface}:%{shost}dst=%{p0}"); + +var part159 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{sinterface}dst=%{p0}"); + +var select42 = linear_select([ + part158, + part159, ]); -var part175 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); +var part160 = match("MESSAGE#140:97:06/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); var all26 = all_match({ processors: [ - part174, - select50, - part175, + part157, + select42, + part160, ], on_success: processor_chain([ - dup70, + dup78, dup11, ]), }); var msg142 = msg("97:06", all26); -var part176 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); +var part161 = match("MESSAGE#141:97:07/0", "nwparser.payload", "app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); -var part177 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{fld3->} srcMac=%{p0}"); +var part162 = match("MESSAGE#141:97:07/1_0", "nwparser.p0", "%{dinterface}:%{fld3->} srcMac=%{p0}"); -var select51 = linear_select([ - part177, - dup49, +var select43 = linear_select([ + part162, + dup79, ]); -var part178 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); +var part163 = match("MESSAGE#141:97:07/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} dstname=%{dhost->} arg=%{param->} code=%{resultcode->} Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\""); var all27 = all_match({ processors: [ - part176, - select51, - part178, + part161, + select43, + part163, ], on_success: processor_chain([ - dup70, + dup78, dup11, ]), }); var msg143 = msg("97:07", all27); -var part179 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup70, +var part164 = match("MESSAGE#142:97:08", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, dup11, ])); -var msg144 = msg("97:08", part179); +var msg144 = msg("97:08", part164); -var part180 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup70, +var part165 = match("MESSAGE#143:97:09", "nwparser.payload", "app=%{fld1}sess=\"%{fld2}\" n=%{fld3}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, dup11, ])); -var msg145 = msg("97:09", part180); +var msg145 = msg("97:09", part165); -var part181 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup70, +var part166 = match("MESSAGE#144:97:10", "nwparser.payload", "app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}dstname=%{dhost}arg=%{param}code=%{resultcode}Category=\"%{category}\" rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup78, dup11, ])); -var msg146 = msg("97:10", part181); +var msg146 = msg("97:10", part166); -var select52 = linear_select([ +var select44 = linear_select([ msg136, msg137, msg138, @@ -2421,126 +2382,128 @@ var select52 = linear_select([ msg146, ]); -var part182 = match("MESSAGE#145:98/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\"%{p0}"); - -var part183 = match("MESSAGE#145:98/0_1", "nwparser.payload", " msg=\"%{event_description}\"%{p0}"); - -var select53 = linear_select([ - part182, - part183, -]); - -var part184 = match("MESSAGE#145:98/1", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); - -var part185 = match("MESSAGE#145:98/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} %{p0}"); +var part167 = match("MESSAGE#145:98/2", "nwparser.p0", "%{}n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{p0}"); -var select54 = linear_select([ - part185, - dup71, -]); +var part168 = match("MESSAGE#145:98/3_0", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); -var part186 = match("MESSAGE#145:98/3_1", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} "); +var part169 = match("MESSAGE#145:98/3_1", "nwparser.p0", "%{dinterface} %{protocol->} sent=%{sbytes}"); -var part187 = match("MESSAGE#145:98/3_2", "nwparser.p0", " proto=%{protocol}"); +var part170 = match("MESSAGE#145:98/3_2", "nwparser.p0", "%{dinterface} %{protocol}"); -var select55 = linear_select([ - dup72, - part186, - part187, +var select45 = linear_select([ + part168, + part169, + part170, ]); var all28 = all_match({ processors: [ - select53, - part184, - select54, - select55, + dup54, + dup193, + part167, + select45, ], on_success: processor_chain([ - dup70, - dup51, + dup78, + dup59, setc("ec_activity","Stop"), - dup53, - dup54, + dup61, + dup62, dup11, setc("action","Opened"), - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg147 = msg("98", all28); -var part188 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part171 = match("MESSAGE#146:98:07", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{protocol}/%{fld4->} sent=%{sbytes->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ])); -var msg148 = msg("98:07", part188); +var msg148 = msg("98:07", part171); -var part189 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", "%{msg}\" app=%{fld2->} sess=\"%{fld3}\"%{p0}"); +var part172 = match("MESSAGE#147:98:01/0", "nwparser.payload", "msg=\"%{msg}\"%{p0}"); -var part190 = match("MESSAGE#147:98:01/1_1", "nwparser.p0", "%{msg}\"%{p0}"); +var part173 = match("MESSAGE#147:98:01/1_0", "nwparser.p0", " app=%{fld2->} sess=\"%{fld3}\"%{p0}"); -var select56 = linear_select([ - part189, - part190, +var select46 = linear_select([ + part173, + dup56, ]); -var part191 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); +var part174 = match("MESSAGE#147:98:01/2", "nwparser.p0", "%{}n=%{p0}"); -var part192 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); +var part175 = match("MESSAGE#147:98:01/3_0", "nwparser.p0", "%{fld1->} usr=%{username->} src=%{p0}"); -var part193 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); +var part176 = match("MESSAGE#147:98:01/3_1", "nwparser.p0", "%{fld1->} src=%{p0}"); -var select57 = linear_select([ - part192, - part193, +var select47 = linear_select([ + part175, + part176, ]); -var select58 = linear_select([ - dup73, - dup69, - dup74, +var part177 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); + +var part178 = match("MESSAGE#147:98:01/4_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); + +var part179 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); + +var select48 = linear_select([ + part177, + part178, + part179, ]); -var part194 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); +var part180 = match("MESSAGE#147:98:01/5", "nwparser.p0", "%{} %{p0}"); + +var part181 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); + +var part182 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", "%{daddr->} %{p0}"); -var part195 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} "); +var select49 = linear_select([ + dup80, + part181, + part182, +]); -var part196 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); +var part183 = match("MESSAGE#147:98:01/7_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); -var part197 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", " proto=%{protocol->} sent=%{sbytes}"); +var part184 = match("MESSAGE#147:98:01/7_1", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes}"); -var part198 = match("MESSAGE#147:98:01/7_5", "nwparser.p0", "proto=%{protocol}"); +var part185 = match("MESSAGE#147:98:01/7_2", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); -var select59 = linear_select([ - part194, - part195, - part196, - dup72, - part197, - part198, +var part186 = match("MESSAGE#147:98:01/7_3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); + +var select50 = linear_select([ + part183, + part184, + part185, + part186, + dup81, + dup43, ]); var all29 = all_match({ processors: [ - dup48, - select56, - part191, - select57, - select58, - dup10, - dup186, - select59, + part172, + select46, + part174, + select47, + select48, + part180, + select49, + select50, ], on_success: processor_chain([ dup1, @@ -2549,93 +2512,94 @@ var all29 = all_match({ var msg149 = msg("98:01", all29); -var part199 = match("MESSAGE#148:98:06/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} appName=\"%{application}\" %{p0}"); +var part187 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "app=%{fld2->} appName=\"%{application}\" n=%{p0}"); -var part200 = match("MESSAGE#148:98:06/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2->} %{p0}"); +var part188 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", "app=%{fld2->} n=%{p0}"); -var part201 = match("MESSAGE#148:98:06/0_2", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} %{p0}"); +var part189 = match("MESSAGE#148:98:06/1_2", "nwparser.p0", "sess=%{fld2->} n=%{p0}"); -var select60 = linear_select([ - part199, - part200, - part201, +var select51 = linear_select([ + part187, + part188, + part189, ]); -var part202 = match("MESSAGE#148:98:06/1_0", "nwparser.p0", "n=%{fld1->} usr=%{username->} %{p0}"); +var part190 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{fld1->} %{p0}"); -var part203 = match("MESSAGE#148:98:06/1_1", "nwparser.p0", " n=%{fld1->} %{p0}"); +var part191 = match("MESSAGE#148:98:06/3_0", "nwparser.p0", "usr=%{username->} %{p0}"); -var select61 = linear_select([ - part202, - part203, +var select52 = linear_select([ + part191, + dup56, ]); -var part204 = match("MESSAGE#148:98:06/2", "nwparser.p0", "%{}src= %{p0}"); +var part192 = match("MESSAGE#148:98:06/4", "nwparser.p0", "src= %{saddr}:%{sport}:%{p0}"); -var part205 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part193 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{dmacaddr->} proto=%{p0}"); -var part206 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part194 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{dmacaddr->} proto=%{p0}"); -var select62 = linear_select([ - part205, - part206, - dup77, - dup78, -]); +var part195 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part207 = match("MESSAGE#148:98:06/6", "nwparser.p0", "%{protocol->} %{p0}"); +var select53 = linear_select([ + part193, + part194, + dup85, + part195, +]); -var part208 = match("MESSAGE#148:98:06/7_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); +var part196 = match("MESSAGE#148:98:06/8", "nwparser.p0", "%{protocol->} %{p0}"); -var part209 = match("MESSAGE#148:98:06/7_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); +var part197 = match("MESSAGE#148:98:06/9_0", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=\"%{action}\""); -var part210 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); +var part198 = match("MESSAGE#148:98:06/9_1", "nwparser.p0", "sent=%{sbytes->} rule=\"%{rulename}\" fw_action=%{action}"); -var part211 = match("MESSAGE#148:98:06/7_3", "nwparser.p0", "sent=%{sbytes}"); +var part199 = match("MESSAGE#148:98:06/9_2", "nwparser.p0", "sent=%{sbytes->} fw_action=\"%{action}\""); -var part212 = match("MESSAGE#148:98:06/7_4", "nwparser.p0", "fw_action=\"%{action}\""); +var part200 = match("MESSAGE#148:98:06/9_4", "nwparser.p0", "fw_action=\"%{action}\""); -var select63 = linear_select([ - part208, - part209, - part210, - part211, - part212, +var select54 = linear_select([ + part197, + part198, + part199, + dup86, + part200, ]); var all30 = all_match({ processors: [ - select60, - select61, - part204, - dup187, - dup10, - select62, - part207, - select63, + dup82, + select51, + part190, + select52, + part192, + dup198, + dup17, + select53, + part196, + select54, ], on_success: processor_chain([ - dup70, + dup78, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg150 = msg("98:06", all30); -var part213 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); +var part201 = match("MESSAGE#149:98:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=%{username->} src=%{p0}"); var all31 = all_match({ processors: [ - part213, - dup177, - dup10, - dup175, - dup79, + part201, + dup185, + dup183, + dup43, ], on_success: processor_chain([ dup1, @@ -2644,36 +2608,35 @@ var all31 = all_match({ var msg151 = msg("98:02", all31); -var part214 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection %{}"); +var part202 = match("MESSAGE#150:98:03/0_0", "nwparser.payload", "Connection%{}"); -var part215 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", " msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} "); +var part203 = match("MESSAGE#150:98:03/0_1", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}"); -var select64 = linear_select([ - part214, - part215, +var select55 = linear_select([ + part202, + part203, ]); var all32 = all_match({ processors: [ - select64, + select55, ], on_success: processor_chain([ dup1, - dup37, + dup44, ]), }); var msg152 = msg("98:03", all32); -var part216 = match("MESSAGE#151:98:04/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); +var part204 = match("MESSAGE#151:98:04/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} vpnpolicy=\"%{policyname}\" npcs=%{info}"); var all33 = all_match({ processors: [ dup7, - dup177, - dup10, - dup175, - part216, + dup185, + dup183, + part204, ], on_success: processor_chain([ dup1, @@ -2682,15 +2645,14 @@ var all33 = all_match({ var msg153 = msg("98:04", all33); -var part217 = match("MESSAGE#152:98:05/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); +var part205 = match("MESSAGE#152:98:05/3", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} npcs=%{info}"); var all34 = all_match({ processors: [ dup7, - dup177, - dup10, - dup175, - part217, + dup185, + dup183, + part205, ], on_success: processor_chain([ dup1, @@ -2699,7 +2661,7 @@ var all34 = all_match({ var msg154 = msg("98:05", all34); -var select65 = linear_select([ +var select56 = linear_select([ msg147, msg148, msg149, @@ -2710,22 +2672,21 @@ var select65 = linear_select([ msg154, ]); -var part218 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup30, +var part206 = match("MESSAGE#153:986", "nwparser.payload", "msg=\"%{msg}\" dur=%{duration->} n=%{fld1->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup31, dup11, ])); -var msg155 = msg("986", part218); +var msg155 = msg("986", part206); -var part219 = match("MESSAGE#154:427/4", "nwparser.p0", "%{}note=\"%{event_description}\""); +var part207 = match("MESSAGE#154:427/3", "nwparser.p0", "note=\"%{event_description}\""); var all35 = all_match({ processors: [ - dup80, - dup177, - dup10, - dup175, - part219, + dup73, + dup185, + dup183, + part207, ], on_success: processor_chain([ dup1, @@ -2734,321 +2695,320 @@ var all35 = all_match({ var msg156 = msg("427", all35); -var part220 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); +var part208 = match("MESSAGE#155:428/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); var all36 = all_match({ processors: [ - dup81, - dup183, - part220, + dup87, + dup194, + part208, ], on_success: processor_chain([ - dup22, - dup54, - dup17, - dup82, - dup19, + dup23, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg157 = msg("428", all36); -var part221 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ - dup64, +var part209 = match("MESSAGE#156:99", "nwparser.payload", "Retransmitting DHCP DISCOVER.%{}", processor_chain([ + dup72, ])); -var msg158 = msg("99", part221); +var msg158 = msg("99", part209); -var part222 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ - dup64, +var part210 = match("MESSAGE#157:100", "nwparser.payload", "Retransmitting DHCP REQUEST (Requesting).%{}", processor_chain([ + dup72, ])); -var msg159 = msg("100", part222); +var msg159 = msg("100", part210); -var part223 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ - dup64, +var part211 = match("MESSAGE#158:101", "nwparser.payload", "Retransmitting DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, ])); -var msg160 = msg("101", part223); +var msg160 = msg("101", part211); -var part224 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup64, +var part212 = match("MESSAGE#159:102", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, ])); -var msg161 = msg("102", part224); +var msg161 = msg("102", part212); -var part225 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ - dup64, +var part213 = match("MESSAGE#160:103", "nwparser.payload", "Retransmitting DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup72, ])); -var msg162 = msg("103", part225); +var msg162 = msg("103", part213); -var part226 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ - dup64, +var part214 = match("MESSAGE#161:104", "nwparser.payload", "Retransmitting DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, ])); -var msg163 = msg("104", part226); +var msg163 = msg("104", part214); -var part227 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ - dup64, +var part215 = match("MESSAGE#162:105", "nwparser.payload", "Sending DHCP DISCOVER.%{}", processor_chain([ + dup72, ])); -var msg164 = msg("105", part227); +var msg164 = msg("105", part215); -var part228 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ - dup63, +var part216 = match("MESSAGE#163:106", "nwparser.payload", "DHCP Server not available. Did not get any DHCP OFFER.%{}", processor_chain([ + dup71, ])); -var msg165 = msg("106", part228); +var msg165 = msg("106", part216); -var part229 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. Selecting.%{}", processor_chain([ - dup64, +var part217 = match("MESSAGE#164:107", "nwparser.payload", "Got DHCP OFFER. Selecting.%{}", processor_chain([ + dup72, ])); -var msg166 = msg("107", part229); +var msg166 = msg("107", part217); -var part230 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ - dup64, +var part218 = match("MESSAGE#165:108", "nwparser.payload", "Sending DHCP REQUEST.%{}", processor_chain([ + dup72, ])); -var msg167 = msg("108", part230); +var msg167 = msg("108", part218); -var part231 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ - dup63, +var part219 = match("MESSAGE#166:109", "nwparser.payload", "DHCP Client did not get DHCP ACK.%{}", processor_chain([ + dup71, ])); -var msg168 = msg("109", part231); +var msg168 = msg("109", part219); -var part232 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ - dup64, +var part220 = match("MESSAGE#167:110", "nwparser.payload", "DHCP Client got NACK.%{}", processor_chain([ + dup72, ])); -var msg169 = msg("110", part232); +var msg169 = msg("110", part220); -var msg170 = msg("111:01", dup188); +var msg170 = msg("111:01", dup199); -var part233 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ - dup64, +var part221 = match("MESSAGE#169:111", "nwparser.payload", "DHCP Client got ACK from server.%{}", processor_chain([ + dup72, ])); -var msg171 = msg("111", part233); +var msg171 = msg("111", part221); -var select66 = linear_select([ +var select57 = linear_select([ msg170, msg171, ]); -var part234 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ - dup64, +var part222 = match("MESSAGE#170:112", "nwparser.payload", "DHCP Client is declining address offered by the server.%{}", processor_chain([ + dup72, ])); -var msg172 = msg("112", part234); +var msg172 = msg("112", part222); -var part235 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ - dup64, +var part223 = match("MESSAGE#171:113", "nwparser.payload", "DHCP Client sending REQUEST and going to REBIND state.%{}", processor_chain([ + dup72, ])); -var msg173 = msg("113", part235); +var msg173 = msg("113", part223); -var part236 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ - dup64, +var part224 = match("MESSAGE#172:114", "nwparser.payload", "DHCP Client sending REQUEST and going to RENEW state.%{}", processor_chain([ + dup72, ])); -var msg174 = msg("114", part236); +var msg174 = msg("114", part224); -var msg175 = msg("115:01", dup188); +var msg175 = msg("115:01", dup199); -var part237 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ - dup64, +var part225 = match("MESSAGE#174:115", "nwparser.payload", "Sending DHCP REQUEST (Renewing).%{}", processor_chain([ + dup72, ])); -var msg176 = msg("115", part237); +var msg176 = msg("115", part225); -var select67 = linear_select([ +var select58 = linear_select([ msg175, msg176, ]); -var part238 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ - dup64, +var part226 = match("MESSAGE#175:116", "nwparser.payload", "Sending DHCP REQUEST (Rebinding).%{}", processor_chain([ + dup72, ])); -var msg177 = msg("116", part238); +var msg177 = msg("116", part226); -var part239 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST (Rebooting).%{}", processor_chain([ - dup64, +var part227 = match("MESSAGE#176:117", "nwparser.payload", "Sending DHCP REQUEST (Rebooting).%{}", processor_chain([ + dup72, ])); -var msg178 = msg("117", part239); +var msg178 = msg("117", part227); -var part240 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ - dup64, +var part228 = match("MESSAGE#177:118", "nwparser.payload", "Sending DHCP REQUEST (Verifying).%{}", processor_chain([ + dup72, ])); -var msg179 = msg("118", part240); +var msg179 = msg("118", part228); -var part241 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ - dup63, +var part229 = match("MESSAGE#178:119", "nwparser.payload", "DHCP Client failed to verify and lease has expired. Go to INIT state.%{}", processor_chain([ + dup71, ])); -var msg180 = msg("119", part241); +var msg180 = msg("119", part229); -var part242 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ - dup63, +var part230 = match("MESSAGE#179:120", "nwparser.payload", "DHCP Client failed to verify and lease is still valid. Go to BOUND state.%{}", processor_chain([ + dup71, ])); -var msg181 = msg("120", part242); +var msg181 = msg("120", part230); -var part243 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ - dup64, +var part231 = match("MESSAGE#180:121", "nwparser.payload", "DHCP Client got a new IP address lease.%{}", processor_chain([ + dup72, ])); -var msg182 = msg("121", part243); +var msg182 = msg("121", part231); -var part244 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ - dup63, +var part232 = match("MESSAGE#181:122", "nwparser.payload", "Access attempt from host without Anti-Virus agent installed%{}", processor_chain([ + dup71, ])); -var msg183 = msg("122", part244); +var msg183 = msg("122", part232); -var part245 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ - dup63, +var part233 = match("MESSAGE#182:123", "nwparser.payload", "Anti-Virus agent out-of-date on host%{}", processor_chain([ + dup71, ])); -var msg184 = msg("123", part245); +var msg184 = msg("123", part233); -var part246 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ - dup64, +var part234 = match("MESSAGE#183:124", "nwparser.payload", "Received AV Alert: %s%{}", processor_chain([ + dup72, ])); -var msg185 = msg("124", part246); +var msg185 = msg("124", part234); -var part247 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ - dup64, +var part235 = match("MESSAGE#184:125", "nwparser.payload", "Unused AV log entry.%{}", processor_chain([ + dup72, ])); -var msg186 = msg("125", part247); +var msg186 = msg("125", part235); -var part248 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup83, +var part236 = match("MESSAGE#185:1254", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup89, dup11, ])); -var msg187 = msg("1254", part248); +var msg187 = msg("1254", part236); -var part249 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup70, - dup54, - dup17, - dup82, - dup19, +var part237 = match("MESSAGE#186:1256", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var msg188 = msg("1256", part249); +var msg188 = msg("1256", part237); -var part250 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup83, +var part238 = match("MESSAGE#187:1257", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup89, dup11, ])); -var msg189 = msg("1257", part250); +var msg189 = msg("1257", part238); -var part251 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ - dup64, +var part239 = match("MESSAGE#188:126", "nwparser.payload", "Starting PPPoE discovery%{}", processor_chain([ + dup72, ])); -var msg190 = msg("126", part251); +var msg190 = msg("126", part239); -var part252 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ - dup64, +var part240 = match("MESSAGE#189:127", "nwparser.payload", "PPPoE LCP Link Up%{}", processor_chain([ + dup72, ])); -var msg191 = msg("127", part252); +var msg191 = msg("127", part240); -var part253 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ +var part241 = match("MESSAGE#190:128", "nwparser.payload", "PPPoE LCP Link Down%{}", processor_chain([ dup5, ])); -var msg192 = msg("128", part253); +var msg192 = msg("128", part241); -var part254 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ +var part242 = match("MESSAGE#191:129", "nwparser.payload", "PPPoE terminated%{}", processor_chain([ dup5, ])); -var msg193 = msg("129", part254); +var msg193 = msg("129", part242); -var part255 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ +var part243 = match("MESSAGE#192:130", "nwparser.payload", "PPPoE Network Connected%{}", processor_chain([ dup1, ])); -var msg194 = msg("130", part255); +var msg194 = msg("130", part243); -var part256 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ +var part244 = match("MESSAGE#193:131", "nwparser.payload", "PPPoE Network Disconnected%{}", processor_chain([ dup1, ])); -var msg195 = msg("131", part256); +var msg195 = msg("131", part244); -var part257 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", processor_chain([ +var part245 = match("MESSAGE#194:132", "nwparser.payload", "PPPoE discovery process complete%{}", processor_chain([ dup1, ])); -var msg196 = msg("132", part257); +var msg196 = msg("132", part245); -var part258 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ +var part246 = match("MESSAGE#195:133", "nwparser.payload", "PPPoE starting CHAP Authentication%{}", processor_chain([ dup1, ])); -var msg197 = msg("133", part258); +var msg197 = msg("133", part246); -var part259 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ +var part247 = match("MESSAGE#196:134", "nwparser.payload", "PPPoE starting PAP Authentication%{}", processor_chain([ dup1, ])); -var msg198 = msg("134", part259); +var msg198 = msg("134", part247); -var part260 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ - dup84, +var part248 = match("MESSAGE#197:135", "nwparser.payload", "PPPoE CHAP Authentication Failed%{}", processor_chain([ + dup90, ])); -var msg199 = msg("135", part260); +var msg199 = msg("135", part248); -var part261 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ - dup84, +var part249 = match("MESSAGE#198:136", "nwparser.payload", "PPPoE PAP Authentication Failed%{}", processor_chain([ + dup90, ])); -var msg200 = msg("136", part261); +var msg200 = msg("136", part249); -var part262 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ +var part250 = match("MESSAGE#199:137", "nwparser.payload", "Wan IP Changed%{}", processor_chain([ dup3, ])); -var msg201 = msg("137", part262); +var msg201 = msg("137", part250); -var part263 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ +var part251 = match("MESSAGE#200:138", "nwparser.payload", "XAUTH Succeeded%{}", processor_chain([ dup3, ])); -var msg202 = msg("138", part263); +var msg202 = msg("138", part251); -var part264 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ +var part252 = match("MESSAGE#201:139", "nwparser.payload", "XAUTH Failed%{}", processor_chain([ dup5, ])); -var msg203 = msg("139", part264); +var msg203 = msg("139", part252); var all37 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ setc("eventcategory","1801020100"), @@ -3057,295 +3017,294 @@ var all37 = all_match({ var msg204 = msg("139:01", all37); -var select68 = linear_select([ +var select59 = linear_select([ msg203, msg204, ]); -var msg205 = msg("140", dup227); +var msg205 = msg("140", dup239); -var msg206 = msg("141", dup227); +var msg206 = msg("141", dup239); -var part265 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ +var part253 = match("MESSAGE#205:142", "nwparser.payload", "Primary firewall has transitioned to Active%{}", processor_chain([ dup1, ])); -var msg207 = msg("142", part265); +var msg207 = msg("142", part253); -var part266 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ +var part254 = match("MESSAGE#206:143", "nwparser.payload", "Backup firewall has transitioned to Active%{}", processor_chain([ dup1, ])); -var msg208 = msg("143", part266); +var msg208 = msg("143", part254); -var part267 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ - dup70, +var part255 = match("MESSAGE#207:1431", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=::%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} type=%{icmptype->} icmpCode=%{icmpcode->} fw_action=\"%{action}\"", processor_chain([ + dup78, dup11, ])); -var msg209 = msg("1431", part267); +var msg209 = msg("1431", part255); -var part268 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ +var part256 = match("MESSAGE#208:144", "nwparser.payload", "Primary firewall has transitioned to Idle%{}", processor_chain([ dup1, ])); -var msg210 = msg("144", part268); +var msg210 = msg("144", part256); -var part269 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ +var part257 = match("MESSAGE#209:145", "nwparser.payload", "Backup firewall has transitioned to Idle%{}", processor_chain([ dup1, ])); -var msg211 = msg("145", part269); +var msg211 = msg("145", part257); -var part270 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ - dup86, +var part258 = match("MESSAGE#210:146", "nwparser.payload", "Primary missed heartbeats from Active Backup: Primary going Active%{}", processor_chain([ + dup92, ])); -var msg212 = msg("146", part270); +var msg212 = msg("146", part258); -var part271 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ - dup86, +var part259 = match("MESSAGE#211:147", "nwparser.payload", "Backup missed heartbeats from Active Primary: Backup going Active%{}", processor_chain([ + dup92, ])); -var msg213 = msg("147", part271); +var msg213 = msg("147", part259); -var part272 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ +var part260 = match("MESSAGE#212:148", "nwparser.payload", "Primary received error signal from Active Backup: Primary going Active%{}", processor_chain([ dup1, ])); -var msg214 = msg("148", part272); +var msg214 = msg("148", part260); -var part273 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ +var part261 = match("MESSAGE#213:1480", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ setc("eventcategory","1204010000"), dup11, ])); -var msg215 = msg("1480", part273); +var msg215 = msg("1480", part261); -var part274 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ +var part262 = match("MESSAGE#214:149", "nwparser.payload", "Backup received error signal from Active Primary: Backup going Active%{}", processor_chain([ dup1, ])); -var msg216 = msg("149", part274); +var msg216 = msg("149", part262); -var part275 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ +var part263 = match("MESSAGE#215:150", "nwparser.payload", "Backup firewall being preempted by Primary%{}", processor_chain([ dup1, ])); -var msg217 = msg("150", part275); +var msg217 = msg("150", part263); -var part276 = match("MESSAGE#216:151", "nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ +var part264 = match("MESSAGE#216:151", "nwparser.payload", "Primary firewall preempting Backup%{}", processor_chain([ dup1, ])); -var msg218 = msg("151", part276); +var msg218 = msg("151", part264); -var part277 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ +var part265 = match("MESSAGE#217:152", "nwparser.payload", "Active Backup detects Active Primary: Backup rebooting%{}", processor_chain([ dup1, ])); -var msg219 = msg("152", part277); +var msg219 = msg("152", part265); -var part278 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ +var part266 = match("MESSAGE#218:153", "nwparser.payload", "Imported HA hardware ID did not match this firewall%{}", processor_chain([ setc("eventcategory","1603010000"), ])); -var msg220 = msg("153", part278); +var msg220 = msg("153", part266); -var part279 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ - dup56, +var part267 = match("MESSAGE#219:154", "nwparser.payload", "Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. %s%{}", processor_chain([ + dup64, ])); -var msg221 = msg("154", part279); +var msg221 = msg("154", part267); -var part280 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ - dup86, +var part268 = match("MESSAGE#220:155", "nwparser.payload", "Primary received heartbeat from wrong source%{}", processor_chain([ + dup92, ])); -var msg222 = msg("155", part280); +var msg222 = msg("155", part268); -var part281 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ - dup86, +var part269 = match("MESSAGE#221:156", "nwparser.payload", "Backup received heartbeat from wrong source%{}", processor_chain([ + dup92, ])); -var msg223 = msg("156", part281); +var msg223 = msg("156", part269); -var part282 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ +var part270 = match("MESSAGE#222:157:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ dup1, ])); -var msg224 = msg("157:01", part282); +var msg224 = msg("157:01", part270); -var part283 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ +var part271 = match("MESSAGE#223:157", "nwparser.payload", "HA packet processing error%{}", processor_chain([ dup5, ])); -var msg225 = msg("157", part283); +var msg225 = msg("157", part271); -var select69 = linear_select([ +var select60 = linear_select([ msg224, msg225, ]); -var part284 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ - dup86, +var part272 = match("MESSAGE#224:158", "nwparser.payload", "Heartbeat received from incompatible source%{}", processor_chain([ + dup92, ])); -var msg226 = msg("158", part284); +var msg226 = msg("158", part272); -var part285 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ +var part273 = match("MESSAGE#225:159", "nwparser.payload", "Diagnostic Code F%{}", processor_chain([ dup5, ])); -var msg227 = msg("159", part285); +var msg227 = msg("159", part273); -var part286 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ +var part274 = match("MESSAGE#226:160", "nwparser.payload", "Forbidden E-mail attachment altered%{}", processor_chain([ setc("eventcategory","1203000000"), ])); -var msg228 = msg("160", part286); +var msg228 = msg("160", part274); -var part287 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ - dup57, +var part275 = match("MESSAGE#227:161", "nwparser.payload", "PPPoE PAP Authentication success.%{}", processor_chain([ + dup65, ])); -var msg229 = msg("161", part287); +var msg229 = msg("161", part275); -var part288 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ - dup32, +var part276 = match("MESSAGE#228:162", "nwparser.payload", "PPPoE PAP Authentication Failed. Please verify PPPoE username and password%{}", processor_chain([ + dup33, ])); -var msg230 = msg("162", part288); +var msg230 = msg("162", part276); -var part289 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ +var part277 = match("MESSAGE#229:163", "nwparser.payload", "Disconnecting PPPoE due to traffic timeout%{}", processor_chain([ dup5, ])); -var msg231 = msg("163", part289); +var msg231 = msg("163", part277); -var part290 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ +var part278 = match("MESSAGE#230:164", "nwparser.payload", "No response from ISP Disconnecting PPPoE.%{}", processor_chain([ dup5, ])); -var msg232 = msg("164", part290); +var msg232 = msg("164", part278); -var part291 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ +var part279 = match("MESSAGE#231:165", "nwparser.payload", "Backup going Active in preempt mode after reboot%{}", processor_chain([ dup1, ])); -var msg233 = msg("165", part291); +var msg233 = msg("165", part279); -var part292 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ +var part280 = match("MESSAGE#232:166", "nwparser.payload", "Denied TCP connection from LAN%{}", processor_chain([ dup12, ])); -var msg234 = msg("166", part292); +var msg234 = msg("166", part280); -var part293 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ +var part281 = match("MESSAGE#233:167", "nwparser.payload", "Denied UDP packet from LAN%{}", processor_chain([ dup12, ])); -var msg235 = msg("167", part293); +var msg235 = msg("167", part281); -var part294 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ +var part282 = match("MESSAGE#234:168", "nwparser.payload", "Denied ICMP packet from LAN%{}", processor_chain([ dup12, ])); -var msg236 = msg("168", part294); +var msg236 = msg("168", part282); -var part295 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ +var part283 = match("MESSAGE#235:169", "nwparser.payload", "Firewall access from LAN%{}", processor_chain([ dup1, ])); -var msg237 = msg("169", part295); +var msg237 = msg("169", part283); -var part296 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ +var part284 = match("MESSAGE#236:170", "nwparser.payload", "Received a path MTU icmp message from router/gateway%{}", processor_chain([ dup1, ])); -var msg238 = msg("170", part296); +var msg238 = msg("170", part284); -var part297 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", processor_chain([ - dup62, +var part285 = match("MESSAGE#237:171", "nwparser.payload", "Probable TCP FIN scan%{}", processor_chain([ + dup70, ])); -var msg239 = msg("171", part297); +var msg239 = msg("171", part285); -var part298 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup87, +var part286 = match("MESSAGE#238:171:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, ])); -var msg240 = msg("171:01", part298); +var msg240 = msg("171:01", part286); -var part299 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ - dup87, +var part287 = match("MESSAGE#239:171:02", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, ])); -var msg241 = msg("171:02", part299); +var msg241 = msg("171:02", part287); -var part300 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); +var part288 = match("MESSAGE#240:171:03/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld1}\" sess=%{fld2->} n=%{fld3->} src=%{p0}"); var all38 = all_match({ processors: [ - part300, - dup174, + part288, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ - dup87, + dup93, ]), }); var msg242 = msg("171:03", all38); -var select70 = linear_select([ +var select61 = linear_select([ msg239, msg240, msg241, msg242, ]); -var part301 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ - dup62, +var part289 = match("MESSAGE#241:172", "nwparser.payload", "Probable TCP XMAS scan%{}", processor_chain([ + dup70, ])); -var msg243 = msg("172", part301); +var msg243 = msg("172", part289); -var part302 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ - dup62, +var part290 = match("MESSAGE#242:172:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ + dup70, ])); -var msg244 = msg("172:01", part302); +var msg244 = msg("172:01", part290); -var select71 = linear_select([ +var select62 = linear_select([ msg243, msg244, ]); -var part303 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ - dup62, +var part291 = match("MESSAGE#243:173", "nwparser.payload", "Probable TCP NULL scan%{}", processor_chain([ + dup70, ])); -var msg245 = msg("173", part303); +var msg245 = msg("173", part291); -var part304 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ - dup59, +var part292 = match("MESSAGE#244:174", "nwparser.payload", "IPSEC Replay Detected%{}", processor_chain([ + dup67, ])); -var msg246 = msg("174", part304); +var msg246 = msg("174", part292); var all39 = all_match({ processors: [ - dup80, - dup177, - dup10, - dup175, - dup79, + dup73, + dup185, + dup183, + dup43, ], on_success: processor_chain([ - dup59, + dup67, ]), }); @@ -3353,10 +3312,10 @@ var msg247 = msg("174:01", all39); var all40 = all_match({ processors: [ - dup44, - dup179, - dup36, - dup178, + dup51, + dup189, + dup41, + dup187, ], on_success: processor_chain([ dup12, @@ -3368,10 +3327,10 @@ var msg248 = msg("174:02", all40); var all41 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup181, - dup43, + dup191, + dup50, ], on_success: processor_chain([ dup12, @@ -3380,58 +3339,57 @@ var all41 = all_match({ var msg249 = msg("174:03", all41); -var select72 = linear_select([ +var select63 = linear_select([ msg246, msg247, msg248, msg249, ]); -var part305 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ - dup59, +var part293 = match("MESSAGE#248:175", "nwparser.payload", "TCP FIN packet dropped%{}", processor_chain([ + dup67, ])); -var msg250 = msg("175", part305); +var msg250 = msg("175", part293); -var part306 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ - dup59, +var part294 = match("MESSAGE#249:175:01", "nwparser.payload", "msg=\"ICMP packet from LAN dropped\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} type=%{type}", processor_chain([ + dup67, ])); -var msg251 = msg("175:01", part306); +var msg251 = msg("175:01", part294); -var part307 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ - dup59, +var part295 = match("MESSAGE#250:175:02", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr->} dst=%{daddr->} type=%{type->} icmpCode=%{fld3->} npcs=%{info}", processor_chain([ + dup67, ])); -var msg252 = msg("175:02", part307); +var msg252 = msg("175:02", part295); -var select73 = linear_select([ +var select64 = linear_select([ msg250, msg251, msg252, ]); -var part308 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ - dup87, +var part296 = match("MESSAGE#251:176", "nwparser.payload", "Fraudulent Microsoft Certificate Blocked%{}", processor_chain([ + dup93, ])); -var msg253 = msg("176", part308); +var msg253 = msg("176", part296); -var msg254 = msg("177", dup185); +var msg254 = msg("177", dup196); -var msg255 = msg("178", dup190); +var msg255 = msg("178", dup201); -var msg256 = msg("179", dup185); +var msg256 = msg("179", dup196); var all42 = all_match({ processors: [ - dup33, - dup177, - dup10, - dup178, + dup34, + dup185, + dup187, ], on_success: processor_chain([ - dup91, + dup97, ]), }); @@ -3440,65 +3398,58 @@ var msg257 = msg("180", all42); var all43 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup191, - dup94, + dup202, + dup100, ], on_success: processor_chain([ - dup91, + dup97, ]), }); var msg258 = msg("180:01", all43); -var select74 = linear_select([ +var select65 = linear_select([ msg257, msg258, ]); -var msg259 = msg("181", dup184); +var msg259 = msg("181", dup195); var all44 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ - dup62, + dup70, ]), }); var msg260 = msg("181:01", all44); -var select75 = linear_select([ +var select66 = linear_select([ msg259, msg260, ]); -var msg261 = msg("193", dup228); - -var msg262 = msg("194", dup229); - -var msg263 = msg("195", dup229); +var msg261 = msg("193", dup240); -var part309 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); +var msg262 = msg("194", dup241); -var part310 = match("MESSAGE#262:196/1_1", "nwparser.p0", " rcvd=%{rbytes->} cmd=%{p0}"); +var msg263 = msg("195", dup241); -var select76 = linear_select([ - dup98, - part310, -]); +var part297 = match("MESSAGE#262:196/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{fld2->} dst=%{daddr}:%{fld3->} sport=%{sport->} dport=%{dport->} %{p0}"); var all45 = all_match({ processors: [ - part309, - select76, - dup99, + part297, + dup204, + dup105, ], on_success: processor_chain([ dup1, @@ -3507,18 +3458,11 @@ var all45 = all_match({ var msg264 = msg("196", all45); -var part311 = match("MESSAGE#263:196:01/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); - -var select77 = linear_select([ - dup98, - part311, -]); - var all46 = all_match({ processors: [ - dup95, - select77, - dup99, + dup101, + dup204, + dup105, ], on_success: processor_chain([ dup1, @@ -3527,247 +3471,244 @@ var all46 = all_match({ var msg265 = msg("196:01", all46); -var select78 = linear_select([ +var select67 = linear_select([ msg264, msg265, ]); -var msg266 = msg("199", dup230); +var msg266 = msg("199", dup242); -var msg267 = msg("200", dup226); +var msg267 = msg("200", dup243); -var part312 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ - dup29, +var part298 = match("MESSAGE#266:235:02", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ + dup30, ])); -var msg268 = msg("235:02", part312); +var msg268 = msg("235:02", part298); -var part313 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); +var part299 = match("MESSAGE#267:235/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} usr=%{username->} src=%{p0}"); var all47 = all_match({ processors: [ - part313, - dup177, - dup10, - dup178, + part299, + dup185, + dup187, ], on_success: processor_chain([ - dup29, + dup30, ]), }); var msg269 = msg("235", all47); -var msg270 = msg("235:01", dup231); +var msg270 = msg("235:01", dup244); -var select79 = linear_select([ +var select68 = linear_select([ msg268, msg269, msg270, ]); -var msg271 = msg("236", dup231); +var msg271 = msg("236", dup244); -var msg272 = msg("237", dup230); +var msg272 = msg("237", dup242); -var msg273 = msg("238", dup230); +var msg273 = msg("238", dup242); -var part314 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup101, +var part300 = match("MESSAGE#272:239", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, ])); -var msg274 = msg("239", part314); +var msg274 = msg("239", part300); -var part315 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ - dup101, +var part301 = match("MESSAGE#273:240", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr}", processor_chain([ + dup107, ])); -var msg275 = msg("240", part315); +var msg275 = msg("240", part301); -var part316 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup70, +var part302 = match("MESSAGE#274:241", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup78, ])); -var msg276 = msg("241", part316); +var msg276 = msg("241", part302); -var part317 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup70, +var part303 = match("MESSAGE#275:241:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup78, ])); -var msg277 = msg("241:01", part317); +var msg277 = msg("241:01", part303); -var select80 = linear_select([ +var select69 = linear_select([ msg276, msg277, ]); -var part318 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); +var part304 = match("MESSAGE#276:242/1_0", "nwparser.p0", "%{saddr}:%{sport}:: %{p0}"); -var part319 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); +var part305 = match("MESSAGE#276:242/1_1", "nwparser.p0", "%{saddr}:%{sport->} %{p0}"); -var select81 = linear_select([ - part318, - part319, - dup35, +var select70 = linear_select([ + part304, + part305, + dup40, ]); -var part320 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}:: "); +var part306 = match("MESSAGE#276:242/3_0", "nwparser.p0", "%{daddr}:%{dport}::"); -var part321 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport->} "); +var part307 = match("MESSAGE#276:242/3_1", "nwparser.p0", "%{daddr}:%{dport}"); -var select82 = linear_select([ - part320, - part321, - dup28, +var select71 = linear_select([ + part306, + part307, + dup36, ]); var all48 = all_match({ processors: [ - dup44, - select81, - dup36, - select82, + dup51, + select70, + dup41, + select71, ], on_success: processor_chain([ - dup70, + dup78, ]), }); var msg278 = msg("242", all48); -var msg279 = msg("252", dup193); +var msg279 = msg("252", dup205); -var msg280 = msg("255", dup193); +var msg280 = msg("255", dup205); -var msg281 = msg("257", dup193); +var msg281 = msg("257", dup205); -var msg282 = msg("261:01", dup232); +var msg282 = msg("261:01", dup245); -var msg283 = msg("261", dup193); +var msg283 = msg("261", dup205); -var select83 = linear_select([ +var select72 = linear_select([ msg282, msg283, ]); -var msg284 = msg("262", dup232); +var msg284 = msg("262", dup245); var all49 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ - dup105, + dup111, ]), }); var msg285 = msg("273", all49); -var msg286 = msg("328", dup233); +var msg286 = msg("328", dup246); -var msg287 = msg("329", dup226); +var msg287 = msg("329", dup243); -var msg288 = msg("346", dup193); +var msg288 = msg("346", dup205); -var msg289 = msg("350", dup193); +var msg289 = msg("350", dup205); -var msg290 = msg("351", dup193); +var msg290 = msg("351", dup205); -var msg291 = msg("352", dup193); +var msg291 = msg("352", dup205); -var msg292 = msg("353:01", dup190); +var msg292 = msg("353:01", dup201); -var part322 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ +var part308 = match("MESSAGE#291:353", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost->} lifeSeconds=%{misc}\"", processor_chain([ dup5, ])); -var msg293 = msg("353", part322); +var msg293 = msg("353", part308); -var select84 = linear_select([ +var select73 = linear_select([ msg292, msg293, ]); -var part323 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ +var part309 = match("MESSAGE#292:354", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=\"%{shost->} lifeSeconds=%{misc}\"", processor_chain([ dup1, ])); -var msg294 = msg("354", part323); +var msg294 = msg("354", part309); -var msg295 = msg("355", dup194); +var msg295 = msg("355", dup206); -var msg296 = msg("355:01", dup193); +var msg296 = msg("355:01", dup205); -var select85 = linear_select([ +var select74 = linear_select([ msg295, msg296, ]); -var msg297 = msg("356", dup195); +var msg297 = msg("356", dup207); -var part324 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ - dup87, +var part310 = match("MESSAGE#296:357", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} dstname=%{name}", processor_chain([ + dup93, ])); -var msg298 = msg("357", part324); +var msg298 = msg("357", part310); -var part325 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup87, +var part311 = match("MESSAGE#297:357:01", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, ])); -var msg299 = msg("357:01", part325); +var msg299 = msg("357:01", part311); -var select86 = linear_select([ +var select75 = linear_select([ msg298, msg299, ]); -var msg300 = msg("358", dup196); +var msg300 = msg("358", dup208); -var part326 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ +var part312 = match("MESSAGE#299:371", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr->} dst=%{dtransaddr->} dstname=%{shost}", processor_chain([ setc("eventcategory","1503000000"), ])); -var msg301 = msg("371", part326); +var msg301 = msg("371", part312); -var msg302 = msg("371:01", dup197); +var msg302 = msg("371:01", dup209); -var select87 = linear_select([ +var select76 = linear_select([ msg301, msg302, ]); -var msg303 = msg("372", dup193); +var msg303 = msg("372", dup205); -var msg304 = msg("373", dup195); +var msg304 = msg("373", dup207); -var msg305 = msg("401", dup234); +var msg305 = msg("401", dup247); -var msg306 = msg("402", dup234); +var msg306 = msg("402", dup247); -var msg307 = msg("406", dup196); +var msg307 = msg("406", dup208); -var part327 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part313 = match("MESSAGE#305:413", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup1, ])); -var msg308 = msg("413", part327); +var msg308 = msg("413", part313); -var msg309 = msg("414", dup193); +var msg309 = msg("414", dup205); -var msg310 = msg("438", dup235); +var msg310 = msg("438", dup248); -var msg311 = msg("439", dup235); +var msg311 = msg("439", dup248); var all50 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ setc("eventcategory","1501020000"), @@ -3778,10 +3719,9 @@ var msg312 = msg("440", all50); var all51 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ setc("eventcategory","1502050000"), @@ -3790,23 +3730,22 @@ var all51 = all_match({ var msg313 = msg("441", all51); -var part328 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ +var part314 = match("MESSAGE#311:441:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1}", processor_chain([ setc("eventcategory","1001020000"), ])); -var msg314 = msg("441:01", part328); +var msg314 = msg("441:01", part314); -var select88 = linear_select([ +var select77 = linear_select([ msg313, msg314, ]); var all52 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ setc("eventcategory","1501030000"), @@ -3815,67 +3754,66 @@ var all52 = all_match({ var msg315 = msg("442", all52); -var part329 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); +var part315 = match("MESSAGE#313:446/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{p0}"); -var part330 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); +var part316 = match("MESSAGE#313:446/1_0", "nwparser.p0", "%{fld1->} appName=\"%{application}\" n=%{p0}"); -var part331 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); +var part317 = match("MESSAGE#313:446/1_1", "nwparser.p0", "%{fld1->} n=%{p0}"); -var select89 = linear_select([ - part330, - part331, +var select78 = linear_select([ + part316, + part317, ]); -var part332 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part318 = match("MESSAGE#313:446/2", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); var all53 = all_match({ processors: [ - part329, - select89, - part332, - dup199, - dup112, + part315, + select78, + part318, + dup211, + dup119, ], on_success: processor_chain([ - dup59, - dup54, - dup17, - dup82, - dup19, + dup67, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg316 = msg("446", all53); -var part333 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ - dup113, - dup51, - dup52, - dup53, - dup54, +var part319 = match("MESSAGE#314:477", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"MAC=%{smacaddr->} HostName:%{hostname}\"", processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, dup11, - dup55, - dup17, + dup63, dup18, dup19, dup20, dup21, + dup22, ])); -var msg317 = msg("477", part333); +var msg317 = msg("477", part319); var all54 = all_match({ processors: [ - dup80, - dup177, - dup10, - dup178, + dup73, + dup185, + dup187, ], on_success: processor_chain([ - dup29, + dup30, ]), }); @@ -3883,31 +3821,30 @@ var msg318 = msg("509", all54); var all55 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ - dup103, + dup109, ]), }); var msg319 = msg("520", all55); -var msg320 = msg("522", dup236); +var msg320 = msg("522", dup249); -var part334 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); +var part320 = match("MESSAGE#318:522:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} srcV6=%{saddr_v6->} src= %{p0}"); -var part335 = match("MESSAGE#318:522:01/2", "nwparser.p0", "%{}dstV6=%{daddr_v6->} dst= %{p0}"); +var part321 = match("MESSAGE#318:522:01/2", "nwparser.p0", "dstV6=%{daddr_v6->} dst= %{p0}"); var all56 = all_match({ processors: [ - part334, - dup179, - part335, - dup175, - dup114, + part320, + dup189, + part321, + dup183, + dup121, ], on_success: processor_chain([ dup5, @@ -3916,20 +3853,20 @@ var all56 = all_match({ var msg321 = msg("522:01", all56); -var part336 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); +var part322 = match("MESSAGE#319:522:02/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{shost->} dst= %{p0}"); -var select90 = linear_select([ - part336, - dup39, +var select79 = linear_select([ + part322, + dup46, ]); var all57 = all_match({ processors: [ - dup38, - select90, - dup10, - dup175, - dup114, + dup45, + select79, + dup17, + dup183, + dup121, ], on_success: processor_chain([ dup5, @@ -3938,22 +3875,21 @@ var all57 = all_match({ var msg322 = msg("522:02", all57); -var select91 = linear_select([ +var select80 = linear_select([ msg320, msg321, msg322, ]); -var msg323 = msg("523", dup236); +var msg323 = msg("523", dup249); var all58 = all_match({ processors: [ - dup80, - dup177, - dup10, - dup175, - dup10, - dup200, + dup73, + dup185, + dup183, + dup17, + dup212, ], on_success: processor_chain([ dup1, @@ -3962,24 +3898,23 @@ var all58 = all_match({ var msg324 = msg("524", all58); -var part337 = match("MESSAGE#322:524:01/5_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); +var part323 = match("MESSAGE#322:524:01/4_0", "nwparser.p0", "proto=%{protocol->} npcs= %{p0}"); -var part338 = match("MESSAGE#322:524:01/5_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); +var part324 = match("MESSAGE#322:524:01/4_1", "nwparser.p0", "rule=%{rule->} npcs= %{p0}"); -var select92 = linear_select([ - part337, - part338, +var select81 = linear_select([ + part323, + part324, ]); var all59 = all_match({ processors: [ dup7, - dup177, - dup10, - dup175, - dup10, - select92, - dup90, + dup185, + dup183, + dup17, + select81, + dup47, ], on_success: processor_chain([ dup1, @@ -3988,24 +3923,22 @@ var all59 = all_match({ var msg325 = msg("524:01", all59); -var part339 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{p0}"); - -var part340 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", "%{rule}\" note=\"%{rulename}\"%{p0}"); +var part325 = match("MESSAGE#323:524:02/0", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol}rule=\"%{rule}\"%{p0}"); -var part341 = match("MESSAGE#323:524:02/1_1", "nwparser.p0", "%{rule}\"%{p0}"); +var part326 = match("MESSAGE#323:524:02/1_0", "nwparser.p0", " note=\"%{rulename}\"%{p0}"); -var select93 = linear_select([ - part340, - part341, +var select82 = linear_select([ + part326, + dup56, ]); -var part342 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); +var part327 = match("MESSAGE#323:524:02/2", "nwparser.p0", "%{}fw_action=\"%{action}\""); var all60 = all_match({ processors: [ - part339, - select93, - part342, + part325, + select82, + part327, ], on_success: processor_chain([ dup6, @@ -4015,35 +3948,35 @@ var all60 = all_match({ var msg326 = msg("524:02", all60); -var select94 = linear_select([ +var select83 = linear_select([ msg324, msg325, msg326, ]); -var msg327 = msg("526", dup237); +var msg327 = msg("526", dup250); -var part343 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); +var part328 = match("MESSAGE#325:526:01/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{fld20->} dst= %{p0}"); -var select95 = linear_select([ - dup25, - part343, - dup39, +var select84 = linear_select([ + dup26, + part328, + dup46, ]); -var part344 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", " %{daddr->} "); +var part329 = match("MESSAGE#325:526:01/3_1", "nwparser.p0", "%{daddr}"); -var select96 = linear_select([ - dup27, - part344, +var select85 = linear_select([ + dup35, + part329, ]); var all61 = all_match({ processors: [ - dup80, - select95, - dup10, - select96, + dup73, + select84, + dup17, + select85, ], on_success: processor_chain([ dup1, @@ -4055,10 +3988,9 @@ var msg328 = msg("526:01", all61); var all62 = all_match({ processors: [ dup7, - dup201, - dup10, - dup175, - dup114, + dup213, + dup183, + dup121, ], on_success: processor_chain([ dup1, @@ -4067,28 +3999,28 @@ var all62 = all_match({ var msg329 = msg("526:02", all62); -var part345 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part330 = match("MESSAGE#327:526:03", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup11, ])); -var msg330 = msg("526:03", part345); +var msg330 = msg("526:03", part330); -var part346 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part331 = match("MESSAGE#328:526:04", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup11, ])); -var msg331 = msg("526:04", part346); +var msg331 = msg("526:04", part331); -var part347 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ +var part332 = match("MESSAGE#329:526:05", "nwparser.payload", "msg=\"%{msg}\" app=%{fld1}n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ dup1, dup11, ])); -var msg332 = msg("526:05", part347); +var msg332 = msg("526:05", part332); -var select97 = linear_select([ +var select86 = linear_select([ msg327, msg328, msg329, @@ -4097,436 +4029,409 @@ var select97 = linear_select([ msg332, ]); -var part348 = match("MESSAGE#330:537:01/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); +var part333 = match("MESSAGE#330:537:01/4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} rcvd=%{p0}"); -var part349 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3->} "); +var part334 = match("MESSAGE#330:537:01/5_0", "nwparser.p0", "%{rbytes->} vpnpolicy=%{fld3}"); -var part350 = match("MESSAGE#330:537:01/5_1", "nwparser.p0", "%{rbytes->} "); - -var select98 = linear_select([ - part349, - part350, +var select87 = linear_select([ + part334, + dup123, ]); var all63 = all_match({ processors: [ - dup116, - dup202, - dup10, - dup203, - part348, - select98, + dup122, + dup214, + dup17, + dup215, + part333, + select87, ], on_success: processor_chain([ - dup105, + dup111, ]), }); var msg333 = msg("537:01", all63); -var part351 = match("MESSAGE#331:537:02/4", "nwparser.p0", "%{}proto=%{protocol->} sent=%{sbytes}"); - var all64 = all_match({ processors: [ - dup116, - dup202, - dup10, - dup203, - part351, + dup122, + dup214, + dup17, + dup215, + dup81, ], on_success: processor_chain([ - dup105, + dup111, ]), }); var msg334 = msg("537:02", all64); -var select99 = linear_select([ - dup117, - dup118, - dup119, - dup120, -]); +var part335 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); -var part352 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part336 = match("MESSAGE#332:537:08/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part353 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", " %{daddr}srcMac=%{p0}"); +var part337 = match("MESSAGE#332:537:08/3_2", "nwparser.p0", "%{saddr->} %{daddr}srcMac=%{p0}"); -var select100 = linear_select([ - dup123, - part352, - part353, +var select88 = linear_select([ + part335, + part336, + part337, ]); -var part354 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); - -var select101 = linear_select([ - dup124, - dup125, -]); +var part338 = match("MESSAGE#332:537:08/4", "nwparser.p0", "%{} %{smacaddr->} %{p0}"); -var part355 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); +var part339 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var part356 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); +var part340 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", "proto=%{protocol->} sent=%{p0}"); -var select102 = linear_select([ - part355, - part356, +var select89 = linear_select([ + part339, + part340, ]); -var part357 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\" "); - -var part358 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); - -var part359 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\" "); - -var part360 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7->} "); +var part341 = match("MESSAGE#332:537:08/7_0", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} fw_action=\"%{action}\""); -var part361 = match("MESSAGE#332:537:08/7_4", "nwparser.p0", "%{fld3}"); +var part342 = match("MESSAGE#332:537:08/7_2", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} fw_action=\"%{action}\""); -var select103 = linear_select([ - part357, - part358, - part359, - part360, - part361, +var select90 = linear_select([ + part341, + dup131, + part342, + dup132, + dup133, ]); var all65 = all_match({ processors: [ - select99, - dup204, - dup205, - select100, - part354, - select101, - select102, - select103, + dup54, + dup216, + dup217, + select88, + part338, + select89, + dup218, + select90, ], on_success: processor_chain([ - dup105, + dup111, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg335 = msg("537:08", all65); -var select104 = linear_select([ - dup118, - dup117, - dup119, - dup120, +var select91 = linear_select([ + dup125, + dup124, + dup126, + dup38, ]); -var part362 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); +var part343 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); -var part363 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", " %{daddr}dstMac=%{p0}"); +var part344 = match("MESSAGE#333:537:09/3_1", "nwparser.p0", "%{saddr->} %{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); -var select105 = linear_select([ - dup126, - part362, - part363, +var part345 = match("MESSAGE#333:537:09/3_2", "nwparser.p0", "%{saddr->} %{daddr}dstMac=%{p0}"); + +var select92 = linear_select([ + part343, + part344, + part345, ]); -var part364 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part346 = match("MESSAGE#333:537:09/4", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{p0}"); -var select106 = linear_select([ - dup129, - dup130, +var part347 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", "%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); + +var select93 = linear_select([ + part347, dup131, dup132, + dup133, ]); var all66 = all_match({ processors: [ - select104, - dup204, - dup205, - select105, - part364, - dup206, - select106, + dup54, + select91, + dup217, + select92, + part346, + dup218, + select93, ], on_success: processor_chain([ - dup105, + dup111, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg336 = msg("537:09", all66); -var part365 = match("MESSAGE#334:537:07/0_1", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var part348 = match("MESSAGE#334:537:07/3_0", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); -var select107 = linear_select([ - dup117, - part365, - dup119, - dup120, -]); - -var part366 = match("MESSAGE#334:537:07/4_0", "nwparser.p0", "srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part349 = match("MESSAGE#334:537:07/3_1", "nwparser.p0", "%{saddr} %{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); -var part367 = match("MESSAGE#334:537:07/4_1", "nwparser.p0", " srcMac=%{smacaddr->} proto=%{protocol->} sent=%{p0}"); +var part350 = match("MESSAGE#334:537:07/3_2", "nwparser.p0", "%{saddr} %{fld3->} cdur=%{fld7}"); -var select108 = linear_select([ - part366, - part367, - dup124, - dup125, -]); +var part351 = match("MESSAGE#334:537:07/3_3", "nwparser.p0", "%{saddr} %{fld3->} fw_action=\"%{action}\""); -var part368 = match("MESSAGE#334:537:07/6_3", "nwparser.p0", " spkt=%{fld3->} fw_action=\"%{action}\""); +var part352 = match("MESSAGE#334:537:07/3_4", "nwparser.p0", "%{saddr} %{fld3}"); -var select109 = linear_select([ - dup129, - dup130, - dup131, - part368, - dup132, +var select94 = linear_select([ + part348, + part349, + part350, + part351, + part352, ]); var all67 = all_match({ processors: [ - select107, - dup204, - dup205, - dup186, - select108, - dup206, - select109, + dup54, + dup216, + dup217, + select94, ], on_success: processor_chain([ - dup105, + dup111, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg337 = msg("537:07", all67); -var part369 = match("MESSAGE#335:537/1_0", "nwparser.p0", "%{action}\" app=%{fld51->} appName=\"%{application}\"%{p0}"); +var part353 = match("MESSAGE#335:537/0", "nwparser.payload", "msg=\"%{action}\"%{p0}"); -var part370 = match("MESSAGE#335:537/1_1", "nwparser.p0", "%{action}\"%{p0}"); +var part354 = match("MESSAGE#335:537/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"%{p0}"); -var select110 = linear_select([ - part369, - part370, +var select95 = linear_select([ + part354, + dup56, ]); -var part371 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); +var part355 = match("MESSAGE#335:537/2", "nwparser.p0", "%{}n=%{fld1->} src= %{p0}"); -var part372 = match("MESSAGE#335:537/4_0", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} sent=%{p0}"); +var part356 = match("MESSAGE#335:537/3_0", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); -var part373 = match("MESSAGE#335:537/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}: proto=%{protocol->} sent=%{p0}"); +var part357 = match("MESSAGE#335:537/3_1", "nwparser.p0", "%{saddr} %{daddr}:%{dport}:%{dinterface}: proto=%{p0}"); -var part374 = match("MESSAGE#335:537/4_2", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} sent=%{p0}"); +var part358 = match("MESSAGE#335:537/3_2", "nwparser.p0", "%{saddr}%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part375 = match("MESSAGE#335:537/4_3", "nwparser.p0", " %{daddr->} proto=%{protocol->} sent=%{p0}"); +var part359 = match("MESSAGE#335:537/3_3", "nwparser.p0", "%{saddr}%{daddr->} proto=%{p0}"); -var select111 = linear_select([ - part372, - part373, - part374, - part375, +var select96 = linear_select([ + part356, + part357, + part358, + part359, ]); -var part376 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); +var part360 = match("MESSAGE#335:537/4", "nwparser.p0", "%{protocol->} sent=%{p0}"); -var part377 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); +var part361 = match("MESSAGE#335:537/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} fw_action=\"%{fld6}\""); -var part378 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); +var part362 = match("MESSAGE#335:537/5_1", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} fw_action=\"%{fld5}\""); -var part379 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); +var part363 = match("MESSAGE#335:537/5_2", "nwparser.p0", "%{sbytes->} spkt=%{fld3}fw_action=\"%{fld4}\""); -var part380 = match("MESSAGE#335:537/5_4", "nwparser.p0", "%{sbytes}"); +var part364 = match("MESSAGE#335:537/5_3", "nwparser.p0", "%{sbytes}rcvd=%{rbytes}"); -var select112 = linear_select([ - part376, - part377, - part378, - part379, - part380, +var part365 = match_copy("MESSAGE#335:537/5_4", "nwparser.p0", "sbytes"); + +var select97 = linear_select([ + part361, + part362, + part363, + part364, + part365, ]); var all68 = all_match({ processors: [ - dup48, - select110, - part371, - dup202, - select111, - select112, + part353, + select95, + part355, + select96, + part360, + select97, ], on_success: processor_chain([ - dup105, + dup111, ]), }); var msg338 = msg("537", all68); -var part381 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); +var part366 = match("MESSAGE#336:537:04/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} cdur=%{fld5->} npcs=%{info}"); var all69 = all_match({ processors: [ - dup133, - dup180, - dup10, - dup207, - part381, + dup134, + dup190, + dup17, + dup219, + part366, ], on_success: processor_chain([ - dup105, + dup111, ]), }); var msg339 = msg("537:04", all69); -var part382 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{p0}"); +var part367 = match("MESSAGE#337:537:05/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} cdur=%{fld4->} %{p0}"); -var part383 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "%{fld4->} appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); +var part368 = match("MESSAGE#337:537:05/5_0", "nwparser.p0", "appcat=%{fld5->} appid=%{fld6->} npcs= %{p0}"); -var part384 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "%{fld4->} npcs= %{p0}"); +var part369 = match("MESSAGE#337:537:05/5_1", "nwparser.p0", "npcs= %{p0}"); -var select113 = linear_select([ - part383, - part384, +var select98 = linear_select([ + part368, + part369, ]); var all70 = all_match({ processors: [ - dup133, - dup180, - dup10, - dup207, - part382, - select113, - dup90, + dup134, + dup190, + dup17, + dup219, + part367, + select98, + dup96, ], on_success: processor_chain([ - dup105, + dup111, ]), }); var msg340 = msg("537:05", all70); -var part385 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{p0}"); +var part370 = match("MESSAGE#338:537:10/0", "nwparser.payload", "msg=\"%{event_description}\" sess=%{fld1->} n=%{fld2->} %{p0}"); -var part386 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); +var part371 = match("MESSAGE#338:537:10/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); -var part387 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); +var part372 = match("MESSAGE#338:537:10/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} dstMac=%{p0}"); -var select114 = linear_select([ - dup126, - part386, - part387, +var part373 = match("MESSAGE#338:537:10/4_2", "nwparser.p0", "%{daddr->} dstMac=%{p0}"); + +var select99 = linear_select([ + part371, + part372, + part373, ]); -var part388 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); +var part374 = match("MESSAGE#338:537:10/5", "nwparser.p0", "%{} %{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); var all71 = all_match({ processors: [ - part385, - dup208, - dup137, - dup209, - select114, - part388, - dup210, + part370, + dup220, + dup139, + dup221, + select99, + part374, + dup222, ], on_success: processor_chain([ - dup105, + dup111, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg341 = msg("537:10", all71); -var part389 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{p0}"); +var part375 = match("MESSAGE#339:537:03/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} %{p0}"); -var part390 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part376 = match("MESSAGE#339:537:03/4_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part391 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); +var part377 = match("MESSAGE#339:537:03/4_2", "nwparser.p0", "%{daddr->} proto=%{p0}"); -var select115 = linear_select([ - dup77, - part390, - part391, +var select100 = linear_select([ + dup85, + part376, + part377, ]); -var part392 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); +var part378 = match("MESSAGE#339:537:03/5", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld10->} rpkt=%{fld11->} %{p0}"); var all72 = all_match({ processors: [ - part389, - dup208, - dup137, - dup209, - select115, - part392, - dup210, + part375, + dup220, + dup139, + dup221, + select100, + part378, + dup222, ], on_success: processor_chain([ - dup105, + dup111, ]), }); var msg342 = msg("537:03", all72); -var part393 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{} %{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); +var part379 = match("MESSAGE#340:537:06/4", "nwparser.p0", "%{protocol->} sent=%{sbytes->} spkt=%{fld3->} npcs=%{info}"); var all73 = all_match({ processors: [ - dup133, - dup180, - dup10, - dup207, - part393, + dup134, + dup190, + dup17, + dup219, + part379, ], on_success: processor_chain([ - dup105, + dup111, ]), }); var msg343 = msg("537:06", all73); -var part394 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup105, - dup54, +var part380 = match("MESSAGE#341:537:11", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2}usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}sent=%{sbytes}rcvd=%{rbytes}spkt=%{fld3}rpkt=%{fld4}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, dup11, - dup142, + dup144, ])); -var msg344 = msg("537:11", part394); +var msg344 = msg("537:11", part380); -var part395 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup105, - dup54, +var part381 = match("MESSAGE#342:537:12", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes->} spkt=%{fld3->} rpkt=%{fld4->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup111, + dup62, dup11, - dup142, + dup144, ])); -var msg345 = msg("537:12", part395); +var msg345 = msg("537:12", part381); -var select116 = linear_select([ +var select101 = linear_select([ msg333, msg334, msg335, @@ -4542,18 +4447,17 @@ var select116 = linear_select([ msg345, ]); -var msg346 = msg("538", dup228); +var msg346 = msg("538", dup240); -var msg347 = msg("549", dup226); +var msg347 = msg("549", dup243); -var msg348 = msg("557", dup226); +var msg348 = msg("557", dup243); var all74 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ setc("eventcategory","1402020200"), @@ -4562,18 +4466,17 @@ var all74 = all_match({ var msg349 = msg("558", all74); -var msg350 = msg("561", dup233); +var msg350 = msg("561", dup246); -var msg351 = msg("562", dup233); +var msg351 = msg("562", dup246); -var msg352 = msg("563", dup233); +var msg352 = msg("563", dup246); var all75 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ setc("eventcategory","1402020400"), @@ -4582,38 +4485,40 @@ var all75 = all_match({ var msg353 = msg("583", all75); -var part396 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ - dup143, - dup51, - dup144, - dup53, - dup54, - dup11, +var part382 = match("MESSAGE#351:597:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ dup145, - dup17, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, dup18, dup19, dup20, dup21, + dup22, ])); -var msg354 = msg("597:01", part396); +var msg354 = msg("597:01", part382); -var part397 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ +var part383 = match("MESSAGE#352:597:02", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{icmptype->} code=%{icmpcode}", processor_chain([ dup1, ])); -var msg355 = msg("597:02", part397); +var msg355 = msg("597:02", part383); + +var part384 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{saddr}:%{sport}:%{p0}"); -var part398 = match("MESSAGE#353:597:03/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part385 = match("MESSAGE#353:597:03/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); var all76 = all_match({ processors: [ - part398, - dup187, - dup10, - dup189, - dup90, + part384, + dup198, + part385, + dup200, + dup96, ], on_success: processor_chain([ dup1, @@ -4622,25 +4527,25 @@ var all76 = all_match({ var msg356 = msg("597:03", all76); -var select117 = linear_select([ +var select102 = linear_select([ msg354, msg355, msg356, ]); -var part399 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ +var part386 = match("MESSAGE#354:598", "nwparser.payload", "msg=%{msg->} n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} type=%{type->} code=%{code}", processor_chain([ dup1, ])); -var msg357 = msg("598", part399); +var msg357 = msg("598", part386); -var part400 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{} %{type->} npcs=%{info}"); +var part387 = match("MESSAGE#355:598:01/2", "nwparser.p0", "%{type->} npcs=%{info}"); var all77 = all_match({ processors: [ - dup146, - dup182, - part400, + dup148, + dup192, + part387, ], on_success: processor_chain([ dup1, @@ -4651,9 +4556,9 @@ var msg358 = msg("598:01", all77); var all78 = all_match({ processors: [ - dup146, - dup189, - dup90, + dup148, + dup200, + dup96, ], on_success: processor_chain([ dup1, @@ -4662,38 +4567,37 @@ var all78 = all_match({ var msg359 = msg("598:02", all78); -var select118 = linear_select([ +var select103 = linear_select([ msg357, msg358, msg359, ]); -var part401 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ - dup143, - dup51, - dup144, - dup53, - dup54, - dup11, +var part388 = match("MESSAGE#357:602:01", "nwparser.payload", "msg=\"%{event_description}allowed\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} proto=%{protocol}/%{fld4}", processor_chain([ dup145, - dup17, + dup59, + dup146, + dup61, + dup62, + dup11, + dup147, dup18, dup19, dup20, dup21, + dup22, ])); -var msg360 = msg("602:01", part401); +var msg360 = msg("602:01", part388); -var msg361 = msg("602:02", dup237); +var msg361 = msg("602:02", dup250); var all79 = all_match({ processors: [ dup7, - dup177, - dup10, - dup175, - dup79, + dup185, + dup183, + dup43, ], on_success: processor_chain([ dup1, @@ -4702,298 +4606,292 @@ var all79 = all_match({ var msg362 = msg("602:03", all79); -var select119 = linear_select([ +var select104 = linear_select([ msg360, msg361, msg362, ]); -var msg363 = msg("605", dup196); +var msg363 = msg("605", dup208); var all80 = all_match({ processors: [ - dup147, - dup211, dup149, - dup199, - dup112, + dup223, + dup152, + dup211, + dup119, ], on_success: processor_chain([ - dup87, - dup54, - dup17, - dup82, - dup19, + dup93, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg364 = msg("606", all80); -var part402 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); +var part389 = match("MESSAGE#362:608/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} ipscat=%{ipscat->} ipspri=%{p0}"); -var part403 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); +var part390 = match("MESSAGE#362:608/1_0", "nwparser.p0", "%{fld66->} pktdatId=%{fld11->} n=%{p0}"); -var part404 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); +var part391 = match("MESSAGE#362:608/1_1", "nwparser.p0", "%{ipspri->} n=%{p0}"); -var select120 = linear_select([ - part403, - part404, +var select105 = linear_select([ + part390, + part391, ]); -var part405 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); +var part392 = match("MESSAGE#362:608/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{p0}"); -var part406 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); +var part393 = match("MESSAGE#362:608/3_0", "nwparser.p0", "%{sport}:%{sinterface->} dst=%{p0}"); -var part407 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); +var part394 = match("MESSAGE#362:608/3_1", "nwparser.p0", "%{sport->} dst=%{p0}"); -var select121 = linear_select([ - part406, - part407, +var select106 = linear_select([ + part393, + part394, ]); -var part408 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); - -var part409 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); +var part395 = match("MESSAGE#362:608/5_0", "nwparser.p0", "%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{fld2}\""); -var part410 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); - -var part411 = match("MESSAGE#362:608/5_2", "nwparser.p0", "%{dport}"); - -var select122 = linear_select([ - part409, - part410, - part411, +var select107 = linear_select([ + part395, + dup154, + dup155, ]); var all81 = all_match({ processors: [ - part402, - select120, - part405, - select121, - part408, - select122, + part389, + select105, + part392, + select106, + dup153, + select107, ], on_success: processor_chain([ dup1, - dup37, + dup44, ]), }); var msg365 = msg("608", all81); -var msg366 = msg("616", dup194); +var msg366 = msg("616", dup206); -var msg367 = msg("658", dup190); +var msg367 = msg("658", dup201); -var msg368 = msg("710", dup212); +var msg368 = msg("710", dup224); -var msg369 = msg("712:02", dup238); +var msg369 = msg("712:02", dup251); -var msg370 = msg("712", dup212); +var msg370 = msg("712", dup224); var all82 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup191, - dup94, + dup202, + dup100, ], on_success: processor_chain([ - dup150, + dup156, ]), }); var msg371 = msg("712:01", all82); -var select123 = linear_select([ +var select108 = linear_select([ msg369, msg370, msg371, ]); -var part412 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ +var part396 = match("MESSAGE#369:713:01", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{fld2->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld3->} note=%{info}", processor_chain([ dup5, - dup51, - dup52, - dup53, - dup54, + dup59, + dup60, + dup61, + dup62, dup11, - dup55, - dup17, + dup63, dup18, dup19, dup20, dup21, + dup22, ])); -var msg372 = msg("713:01", part412); +var msg372 = msg("713:01", part396); -var msg373 = msg("713:04", dup238); +var msg373 = msg("713:04", dup251); -var msg374 = msg("713:02", dup212); +var msg374 = msg("713:02", dup224); -var part413 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ +var part397 = match("MESSAGE#372:713:03", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=\"%{action}\" npcs=%{info}", processor_chain([ dup5, - dup51, - dup52, - dup53, - dup54, + dup59, + dup60, + dup61, + dup62, dup11, - dup55, - dup17, + dup63, dup18, dup19, dup20, dup21, + dup22, ])); -var msg375 = msg("713:03", part413); +var msg375 = msg("713:03", part397); -var select124 = linear_select([ +var select109 = linear_select([ msg372, msg373, msg374, msg375, ]); -var part414 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ - dup113, - dup51, - dup52, - dup53, - dup54, +var part398 = match("MESSAGE#373:760", "nwparser.payload", "msg=\"%{event_description}dropped\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=%{info}", processor_chain([ + dup120, + dup59, + dup60, + dup61, + dup62, dup11, - dup55, - dup17, + dup63, dup18, dup19, dup20, dup21, + dup22, ])); -var msg376 = msg("760", part414); +var msg376 = msg("760", part398); -var part415 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part399 = match("MESSAGE#374:760:01/0", "nwparser.payload", "msg=\"%{event_description}dropped\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part416 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{} %{action->} npcs=%{info}"); +var part400 = match("MESSAGE#374:760:01/4", "nwparser.p0", "%{action->} npcs=%{info}"); var all83 = all_match({ processors: [ - part415, - dup174, + part399, + dup182, dup10, - dup191, - part416, + dup202, + part400, ], on_success: processor_chain([ - dup113, - dup51, - dup52, - dup53, - dup54, + dup120, + dup59, + dup60, + dup61, + dup62, dup11, - dup55, - dup17, + dup63, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg377 = msg("760:01", all83); -var select125 = linear_select([ +var select110 = linear_select([ msg376, msg377, ]); -var msg378 = msg("766", dup216); +var msg378 = msg("766", dup228); -var msg379 = msg("860", dup216); +var msg379 = msg("860", dup228); -var msg380 = msg("860:01", dup217); +var msg380 = msg("860:01", dup229); -var select126 = linear_select([ +var select111 = linear_select([ msg379, msg380, ]); -var part417 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); +var part401 = match("MESSAGE#378:866/0", "nwparser.payload", "msg=\"%{msg}\" n=%{p0}"); -var part418 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\" "); +var part402 = match("MESSAGE#378:866/1_0", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\""); -var part419 = match("MESSAGE#378:866/1_1", "nwparser.p0", "%{ntype->} "); +var part403 = match_copy("MESSAGE#378:866/1_1", "nwparser.p0", "ntype"); -var select127 = linear_select([ - part418, - part419, +var select112 = linear_select([ + part402, + part403, ]); var all84 = all_match({ processors: [ - part417, - select127, + part401, + select112, ], on_success: processor_chain([ dup5, - dup37, + dup44, ]), }); var msg381 = msg("866", all84); -var msg382 = msg("866:01", dup217); +var msg382 = msg("866:01", dup229); -var select128 = linear_select([ +var select113 = linear_select([ msg381, msg382, ]); -var msg383 = msg("867", dup216); +var msg383 = msg("867", dup228); -var msg384 = msg("867:01", dup217); +var msg384 = msg("867:01", dup229); -var select129 = linear_select([ +var select114 = linear_select([ msg383, msg384, ]); -var part420 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ +var part404 = match("MESSAGE#382:882", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol}", processor_chain([ dup1, ])); -var msg385 = msg("882", part420); +var msg385 = msg("882", part404); -var part421 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ +var part405 = match("MESSAGE#383:882:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} npcs=%{info}", processor_chain([ dup1, ])); -var msg386 = msg("882:01", part421); +var msg386 = msg("882:01", part405); -var select130 = linear_select([ +var select115 = linear_select([ msg385, msg386, ]); -var part422 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup159, +var part406 = match("MESSAGE#384:888", "nwparser.payload", "msg=\"%{reason};%{action}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup165, ])); -var msg387 = msg("888", part422); +var msg387 = msg("888", part406); -var part423 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ - dup159, +var part407 = match("MESSAGE#385:888:01", "nwparser.payload", "msg=\"%{reason};%{action}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} note=%{fld3->} npcs=%{info}", processor_chain([ + dup165, ])); -var msg388 = msg("888:01", part423); +var msg388 = msg("888:01", part407); -var select131 = linear_select([ +var select116 = linear_select([ msg387, msg388, ]); @@ -5001,74 +4899,76 @@ var select131 = linear_select([ var all85 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ - dup159, + dup165, ]), }); var msg389 = msg("892", all85); -var msg390 = msg("904", dup216); +var msg390 = msg("904", dup228); -var msg391 = msg("905", dup216); +var msg391 = msg("905", dup228); -var msg392 = msg("906", dup216); +var msg392 = msg("906", dup228); -var msg393 = msg("907", dup216); +var msg393 = msg("907", dup228); -var select132 = linear_select([ - dup73, - dup138, +var part408 = match("MESSAGE#391:908/1_0", "nwparser.p0", "%{sinterface}:%{shost->} dst=%{p0}"); + +var select117 = linear_select([ + part408, + dup167, ]); var all86 = all_match({ processors: [ - dup160, - select132, - dup10, + dup166, + select117, + dup168, + dup223, + dup169, dup211, - dup161, - dup199, - dup112, + dup119, ], on_success: processor_chain([ - dup70, - dup54, - dup17, - dup82, - dup19, + dup78, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg394 = msg("908", all86); -var msg395 = msg("909", dup216); +var msg395 = msg("909", dup228); -var msg396 = msg("914", dup218); +var msg396 = msg("914", dup230); -var part424 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ - dup64, +var part409 = match("MESSAGE#394:931", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ + dup72, ])); -var msg397 = msg("931", part424); +var msg397 = msg("931", part409); -var msg398 = msg("657", dup218); +var msg398 = msg("657", dup230); var all87 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ dup5, @@ -5077,325 +4977,328 @@ var all87 = all_match({ var msg399 = msg("657:01", all87); -var select133 = linear_select([ +var select118 = linear_select([ msg398, msg399, ]); -var msg400 = msg("403", dup197); +var msg400 = msg("403", dup209); -var msg401 = msg("534", dup176); +var msg401 = msg("534", dup184); -var msg402 = msg("994", dup219); +var msg402 = msg("994", dup231); -var part425 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ +var part410 = match("MESSAGE#400:243", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} proto=%{protocol}", processor_chain([ dup1, - dup23, + dup24, ])); -var msg403 = msg("243", part425); +var msg403 = msg("243", part410); -var msg404 = msg("995", dup176); +var msg404 = msg("995", dup184); -var part426 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ +var part411 = match("MESSAGE#402:997", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface}:%{fld3->} dst=%{daddr}:%{dport}:%{dinterface}:%{fld4->} note=\"%{info}\"", processor_chain([ dup1, - dup51, - dup53, - dup54, + dup59, + dup61, + dup62, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ])); -var msg405 = msg("997", part426); +var msg405 = msg("997", part411); -var msg406 = msg("998", dup219); +var msg406 = msg("998", dup231); -var part427 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup105, +var part412 = match("MESSAGE#405:998:01", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld3->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup111, dup11, ])); -var msg407 = msg("998:01", part427); +var msg407 = msg("998:01", part412); -var select134 = linear_select([ +var select119 = linear_select([ msg406, msg407, ]); -var msg408 = msg("1110", dup220); +var msg408 = msg("1110", dup232); -var msg409 = msg("565", dup220); +var msg409 = msg("565", dup232); -var part428 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ +var part413 = match("MESSAGE#408:404", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} note=\"%{event_description}\"", processor_chain([ dup1, - dup54, + dup62, ])); -var msg410 = msg("404", part428); +var msg410 = msg("404", part413); -var select135 = linear_select([ - dup148, - dup50, +var part414 = match("MESSAGE#409:267:01/1_0", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); + +var select120 = linear_select([ + part414, + dup58, ]); -var part429 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); +var part415 = match("MESSAGE#409:267:01/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{fld3}\" fw_action=\"%{action}\""); var all88 = all_match({ processors: [ - dup81, - select135, - part429, + dup87, + select120, + part415, ], on_success: processor_chain([ - dup105, - dup54, - dup17, - dup82, - dup19, + dup111, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg411 = msg("267:01", all88); -var part430 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ +var part416 = match("MESSAGE#410:267", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}", processor_chain([ dup1, - dup54, + dup62, ])); -var msg412 = msg("267", part430); +var msg412 = msg("267", part416); -var select136 = linear_select([ +var select121 = linear_select([ msg411, msg412, ]); -var part431 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ +var part417 = match("MESSAGE#411:263", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} proto=%{protocol}", processor_chain([ dup1, - dup23, + dup24, ])); -var msg413 = msg("263", part431); +var msg413 = msg("263", part417); -var part432 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup103, +var part418 = match("MESSAGE#412:264", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup109, dup11, ])); -var msg414 = msg("264", part432); +var msg414 = msg("264", part418); -var msg415 = msg("412", dup197); +var msg415 = msg("412", dup209); -var part433 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ +var part419 = match("MESSAGE#415:793", "nwparser.payload", "msg=\"%{msg}\" af_polid=%{fld1->} af_policy=\"%{fld2}\" af_type=\"%{fld3}\" af_service=\"%{fld4}\" af_action=\"%{fld5}\" n=%{fld6->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ dup1, - dup23, + dup24, ])); -var msg416 = msg("793", part433); +var msg416 = msg("793", part419); -var part434 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ +var part420 = match("MESSAGE#416:805", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} if=%{fld2->} ucastRx=%{fld3->} bcastRx=%{fld4->} bytesRx=%{rbytes->} ucastTx=%{fld5->} bcastTx=%{fld6->} bytesTx=%{sbytes}", processor_chain([ dup1, - dup23, + dup24, ])); -var msg417 = msg("805", part434); +var msg417 = msg("805", part420); -var part435 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup162, +var part421 = match("MESSAGE#417:809", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, dup11, ])); -var msg418 = msg("809", part435); +var msg418 = msg("809", part421); -var part436 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ - dup162, +var part422 = match("MESSAGE#418:809:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} fw_action=\"%{action}\"", processor_chain([ + dup170, dup11, ])); -var msg419 = msg("809:01", part436); +var msg419 = msg("809:01", part422); -var select137 = linear_select([ +var select122 = linear_select([ msg418, msg419, ]); -var msg420 = msg("935", dup218); +var msg420 = msg("935", dup230); -var msg421 = msg("614", dup221); +var msg421 = msg("614", dup233); -var part437 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part423 = match("MESSAGE#421:748/0", "nwparser.payload", "msg=\"%{event_description}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); var all89 = all_match({ processors: [ - part437, - dup199, - dup112, + part423, + dup211, + dup119, ], on_success: processor_chain([ - dup58, - dup37, + dup66, + dup44, ]), }); var msg422 = msg("748", all89); -var part438 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part424 = match("MESSAGE#422:794/0", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} spycat=%{fld1->} spypri=%{fld2->} pktdatId=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); -var part439 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); +var part425 = match("MESSAGE#422:794/1_0", "nwparser.p0", "%{protocol}/%{fld5->} fw_action=\"%{p0}"); -var select138 = linear_select([ - part439, - dup111, +var select123 = linear_select([ + part425, + dup118, ]); var all90 = all_match({ processors: [ - part438, - select138, - dup112, + part424, + select123, + dup119, ], on_success: processor_chain([ - dup163, - dup37, + dup171, + dup44, ]), }); var msg423 = msg("794", all90); -var msg424 = msg("1086", dup221); +var msg424 = msg("1086", dup233); -var part440 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup163, - dup37, +var part426 = match("MESSAGE#424:1430", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, ])); -var msg425 = msg("1430", part440); +var msg425 = msg("1430", part426); -var msg426 = msg("1149", dup221); +var msg426 = msg("1149", dup233); -var msg427 = msg("1159", dup221); +var msg427 = msg("1159", dup233); -var part441 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup163, - dup37, +var part427 = match("MESSAGE#427:1195", "nwparser.payload", "n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, ])); -var msg428 = msg("1195", part441); +var msg428 = msg("1195", part427); -var part442 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ - dup163, - dup37, +var part428 = match("MESSAGE#428:1195:01", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}", processor_chain([ + dup171, + dup44, ])); -var msg429 = msg("1195:01", part442); +var msg429 = msg("1195:01", part428); -var select139 = linear_select([ +var select124 = linear_select([ msg428, msg429, ]); -var part443 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var part429 = match("MESSAGE#429:1226", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup5, - dup37, + dup44, ])); -var msg430 = msg("1226", part443); +var msg430 = msg("1226", part429); -var part444 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ +var part430 = match("MESSAGE#430:1222", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport->} note=\"%{fld3}\" fw_action=\"%{action}\"", processor_chain([ dup5, - dup37, + dup44, ])); -var msg431 = msg("1222", part444); +var msg431 = msg("1222", part430); -var part445 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ +var part431 = match("MESSAGE#431:1154", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{shost->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{dhost}", processor_chain([ dup1, - dup23, + dup24, ])); -var msg432 = msg("1154", part445); +var msg432 = msg("1154", part431); -var part446 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); +var part432 = match("MESSAGE#432:1154:01/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{p0}"); var all91 = all_match({ processors: [ - part446, - dup174, + part432, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ dup1, - dup23, + dup24, ]), }); var msg433 = msg("1154:01", all91); -var part447 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup164, +var part433 = match("MESSAGE#433:1154:02", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid%{fld2->} catid=%{fld3->} sess=\"%{fld4}\" n=%{fld5->} usr=\"%{username}\" src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup172, dup11, ])); -var msg434 = msg("1154:02", part447); +var msg434 = msg("1154:02", part433); -var part448 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part434 = match("MESSAGE#434:1154:03/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=\"%{fld1}\" appid=%{fld2->} catid=%{fld3->} n=%{fld4->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); -var select140 = linear_select([ - dup123, - dup49, +var part435 = match("MESSAGE#434:1154:03/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} srcMac=%{p0}"); + +var select125 = linear_select([ + part435, + dup79, ]); -var part449 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); +var part436 = match("MESSAGE#434:1154:03/2", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} rule=\"%{rule}\" fw_action=\"%{action}\""); var all92 = all_match({ processors: [ - part448, - select140, - part449, + part434, + select125, + part436, ], on_success: processor_chain([ - dup164, + dup172, dup11, ]), }); var msg435 = msg("1154:03", all92); -var select141 = linear_select([ +var select126 = linear_select([ msg432, msg433, msg434, msg435, ]); -var part450 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ - dup165, +var part437 = match("MESSAGE#435:msg", "nwparser.payload", "msg=\"%{msg}\" src=%{stransaddr->} dst=%{dtransaddr->} %{result}", processor_chain([ + dup173, ])); -var msg436 = msg("msg", part450); +var msg436 = msg("msg", part437); -var part451 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ - dup165, +var part438 = match("MESSAGE#436:src", "nwparser.payload", "src=%{stransaddr->} dst=%{dtransaddr->} %{msg}", processor_chain([ + dup173, ])); -var msg437 = msg("src", part451); +var msg437 = msg("src", part438); var all93 = all_match({ processors: [ dup7, - dup177, - dup10, - dup175, - dup10, - dup200, + dup185, + dup183, + dup17, + dup212, ], on_success: processor_chain([ dup1, @@ -5404,15 +5307,15 @@ var all93 = all_match({ var msg438 = msg("1235", all93); -var part452 = match("MESSAGE#438:1197/4", "nwparser.p0", "%{}\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); +var part439 = match("MESSAGE#438:1197/4", "nwparser.p0", "\"%{fld3->} Protocol:%{protocol}\" npcs=%{info}"); var all94 = all_match({ processors: [ dup7, - dup177, + dup185, dup10, - dup191, - part452, + dup202, + part439, ], on_success: processor_chain([ dup1, @@ -5421,13 +5324,13 @@ var all94 = all_match({ var msg439 = msg("1197", all94); -var part453 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part440 = match("MESSAGE#439:1199/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3->} sess=%{fld1->} n=%{fld2->} src=%{p0}"); var all95 = all_match({ processors: [ - part453, - dup177, - dup166, + part440, + dup185, + dup174, ], on_success: processor_chain([ dup1, @@ -5436,35 +5339,35 @@ var all95 = all_match({ var msg440 = msg("1199", all95); -var part454 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup167, +var part441 = match("MESSAGE#440:1199:01", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, dup11, ])); -var msg441 = msg("1199:01", part454); +var msg441 = msg("1199:01", part441); -var part455 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ - dup167, +var part442 = match("MESSAGE#441:1199:02", "nwparser.payload", "msg=\"Responder from country blocked: Responder IP:%{fld1}Country Name:%{location_country}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}rule=\"%{rule}\" fw_action=\"%{action}\"", processor_chain([ + dup175, dup11, ])); -var msg442 = msg("1199:02", part455); +var msg442 = msg("1199:02", part442); -var select142 = linear_select([ +var select127 = linear_select([ msg440, msg441, msg442, ]); -var part456 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); +var part443 = match("MESSAGE#442:1155/0", "nwparser.payload", "msg=\"%{msg}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} catid=%{fld3->} sess=%{fld4->} n=%{fld5->} src=%{p0}"); var all96 = all_match({ processors: [ - part456, - dup174, + part443, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ dup1, @@ -5473,22 +5376,22 @@ var all96 = all_match({ var msg443 = msg("1155", all96); -var part457 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ - dup105, +var part444 = match("MESSAGE#443:1155:01", "nwparser.payload", "msg=\"%{action}\" sid=%{sid->} appcat=%{fld1->} appid=%{fld2->} n=%{fld3->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost}", processor_chain([ + dup111, ])); -var msg444 = msg("1155:01", part457); +var msg444 = msg("1155:01", part444); -var select143 = linear_select([ +var select128 = linear_select([ msg443, msg444, ]); var all97 = all_match({ processors: [ - dup168, - dup201, - dup166, + dup176, + dup213, + dup174, ], on_success: processor_chain([ dup1, @@ -5500,8 +5403,8 @@ var msg445 = msg("1198", all97); var all98 = all_match({ processors: [ dup7, - dup177, - dup166, + dup185, + dup174, ], on_success: processor_chain([ dup1, @@ -5510,30 +5413,30 @@ var all98 = all_match({ var msg446 = msg("714", all98); -var msg447 = msg("709", dup239); +var msg447 = msg("709", dup252); -var msg448 = msg("1005", dup239); +var msg448 = msg("1005", dup252); -var msg449 = msg("1003", dup239); +var msg449 = msg("1003", dup252); -var msg450 = msg("1007", dup240); +var msg450 = msg("1007", dup253); -var part458 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ - dup103, +var part445 = match("MESSAGE#450:1008", "nwparser.payload", "msg=\"%{msg}\" sess=\"%{fld1}\" dur=%{duration->} n=%{fld2->} usr=\"%{username}\" src=%{saddr}::%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} note=\"%{rulename}\" fw_action=\"%{action}\"", processor_chain([ + dup109, dup11, ])); -var msg451 = msg("1008", part458); +var msg451 = msg("1008", part445); -var msg452 = msg("708", dup240); +var msg452 = msg("708", dup253); var all99 = all_match({ processors: [ - dup168, - dup174, + dup176, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ dup1, @@ -5542,167 +5445,166 @@ var all99 = all_match({ var msg453 = msg("1201", all99); -var msg454 = msg("1201:01", dup240); +var msg454 = msg("1201:01", dup253); -var select144 = linear_select([ +var select129 = linear_select([ msg453, msg454, ]); -var msg455 = msg("654", dup222); +var msg455 = msg("654", dup234); -var msg456 = msg("670", dup222); +var msg456 = msg("670", dup234); -var msg457 = msg("884", dup240); +var msg457 = msg("884", dup253); -var part459 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ +var part446 = match("MESSAGE#457:1153", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{protocol->} rcvd=%{rbytes->} note=\"%{info}\"", processor_chain([ dup1, ])); -var msg458 = msg("1153", part459); +var msg458 = msg("1153", part446); -var part460 = match("MESSAGE#458:1153:01/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} sess=%{fld2->} n=%{p0}"); +var part447 = match("MESSAGE#458:1153:01/1_0", "nwparser.p0", " app=%{fld1->} sess=%{fld2->} n=%{p0}"); -var part461 = match("MESSAGE#458:1153:01/0_1", "nwparser.payload", " msg=\"%{event_description}\" sess=%{fld2->} n=%{p0}"); +var part448 = match("MESSAGE#458:1153:01/1_1", "nwparser.p0", " sess=%{fld2->} n=%{p0}"); -var part462 = match("MESSAGE#458:1153:01/0_2", "nwparser.payload", " msg=\"%{event_description}\" n=%{p0}"); +var part449 = match("MESSAGE#458:1153:01/1_2", "nwparser.p0", " n=%{p0}"); -var select145 = linear_select([ - part460, - part461, - part462, +var select130 = linear_select([ + part447, + part448, + part449, ]); -var part463 = match("MESSAGE#458:1153:01/1", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); +var part450 = match("MESSAGE#458:1153:01/2", "nwparser.p0", "%{fld3->} usr=\"%{username}\" src=%{p0}"); -var part464 = match("MESSAGE#458:1153:01/2_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); +var part451 = match("MESSAGE#458:1153:01/3_0", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); -var select146 = linear_select([ - part464, - dup25, +var select131 = linear_select([ + part451, + dup26, ]); -var part465 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); +var part452 = match("MESSAGE#458:1153:01/4_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac= %{p0}"); -var part466 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); +var part453 = match("MESSAGE#458:1153:01/4_1", "nwparser.p0", "%{daddr}:%{dport}srcMac= %{p0}"); -var part467 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); +var part454 = match("MESSAGE#458:1153:01/4_2", "nwparser.p0", "%{daddr}srcMac= %{p0}"); -var select147 = linear_select([ - part465, - part466, - part467, +var select132 = linear_select([ + part452, + part453, + part454, ]); -var part468 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); +var part455 = match("MESSAGE#458:1153:01/5", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} %{p0}"); -var part469 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{rbytes->} "); +var part456 = match("MESSAGE#458:1153:01/6_0", "nwparser.p0", "sent=%{sbytes}rcvd=%{p0}"); -var part470 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{rbytes->} "); +var part457 = match("MESSAGE#458:1153:01/6_1", "nwparser.p0", "type=%{fld4->} icmpCode=%{fld5->} rcvd=%{p0}"); -var part471 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{rbytes->} "); +var part458 = match("MESSAGE#458:1153:01/6_2", "nwparser.p0", "rcvd=%{p0}"); -var select148 = linear_select([ - part469, - part470, - part471, +var select133 = linear_select([ + part456, + part457, + part458, ]); var all100 = all_match({ processors: [ - select145, - part463, - select146, - dup10, - select147, - part468, - select148, + dup54, + select130, + part450, + select131, + select132, + part455, + select133, + dup123, ], on_success: processor_chain([ dup1, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg459 = msg("1153:01", all100); -var part472 = match("MESSAGE#459:1153:02/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); +var part459 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); -var part473 = match("MESSAGE#459:1153:02/1_0", "nwparser.p0", "app=%{fld1->} n=%{fld2->} src=%{p0}"); +var part460 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", "n=%{fld2->} src=%{p0}"); -var part474 = match("MESSAGE#459:1153:02/1_1", "nwparser.p0", " n=%{fld2->} src=%{p0}"); - -var select149 = linear_select([ - part473, - part474, +var select134 = linear_select([ + part459, + part460, ]); -var part475 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); +var part461 = match("MESSAGE#459:1153:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{sbytes->} rcvd=%{rbytes}"); var all101 = all_match({ processors: [ - part472, - select149, - part475, + dup82, + select134, + part461, ], on_success: processor_chain([ dup1, dup11, - dup17, dup18, dup19, dup20, dup21, + dup22, ]), }); var msg460 = msg("1153:02", all101); -var select150 = linear_select([ +var select135 = linear_select([ msg458, msg459, msg460, ]); -var part476 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ +var part462 = match("MESSAGE#460:1107", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1}", processor_chain([ dup1, ])); -var msg461 = msg("1107", part476); +var msg461 = msg("1107", part462); -var part477 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); +var part463 = match("MESSAGE#461:1220/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{p0}"); -var part478 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part464 = match("MESSAGE#461:1220/1_0", "nwparser.p0", "%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part479 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst=%{p0}"); +var part465 = match("MESSAGE#461:1220/1_1", "nwparser.p0", "%{fld2}src=%{saddr}:%{sport->} dst= %{p0}"); -var select151 = linear_select([ - part478, - part479, +var select136 = linear_select([ + part464, + part465, ]); var all102 = all_match({ processors: [ - part477, - select151, - dup10, - dup223, - dup171, + part463, + select136, + dup153, + dup235, + dup179, ], on_success: processor_chain([ - dup159, - dup54, - dup17, - dup82, - dup19, + dup165, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); @@ -5710,68 +5612,69 @@ var msg462 = msg("1220", all102); var all103 = all_match({ processors: [ - dup147, - dup223, - dup171, + dup149, + dup235, + dup179, ], on_success: processor_chain([ - dup159, - dup54, - dup17, - dup82, - dup19, + dup165, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg463 = msg("1230", all103); -var part480 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ +var part466 = match("MESSAGE#463:1231", "nwparser.payload", "msg=\"%{msg}\"%{space}n=%{fld1->} note=\"%{info}\"", processor_chain([ dup1, ])); -var msg464 = msg("1231", part480); +var msg464 = msg("1231", part466); -var part481 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup167, +var part467 = match("MESSAGE#464:1233", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup175, dup11, ])); -var msg465 = msg("1233", part481); +var msg465 = msg("1233", part467); -var part482 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); +var part468 = match("MESSAGE#465:1079/0", "nwparser.payload", "msg=\"User%{username}log%{p0}"); -var part483 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); +var part469 = match("MESSAGE#465:1079/1_0", "nwparser.p0", "in%{p0}"); -var part484 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); +var part470 = match("MESSAGE#465:1079/1_1", "nwparser.p0", "out%{p0}"); -var select152 = linear_select([ - part483, - part484, +var select137 = linear_select([ + part469, + part470, ]); -var part485 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); +var part471 = match("MESSAGE#465:1079/2", "nwparser.p0", "\"%{p0}"); -var part486 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{fld1}"); +var part472 = match("MESSAGE#465:1079/3_0", "nwparser.p0", "dur=%{duration->} %{space}n=%{p0}"); -var part487 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{fld1->} "); +var part473 = match("MESSAGE#465:1079/3_1", "nwparser.p0", "sess=\"%{fld2}\" n=%{p0}"); -var part488 = match("MESSAGE#465:1079/3_2", "nwparser.p0", "n=%{fld1}"); - -var select153 = linear_select([ - part486, - part487, - part488, +var select138 = linear_select([ + part472, + part473, + dup38, ]); +var part474 = match_copy("MESSAGE#465:1079/4", "nwparser.p0", "fld1"); + var all104 = all_match({ processors: [ - part482, - select152, - part485, - select153, + part468, + select137, + part471, + select138, + part474, ], on_success: processor_chain([ dup1, @@ -5780,68 +5683,69 @@ var all104 = all_match({ var msg466 = msg("1079", all104); -var part489 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ +var part475 = match("MESSAGE#466:1079:01", "nwparser.payload", "msg=\"Client%{username}is assigned IP:%{hostip}\" %{space->} n=%{fld1}", processor_chain([ dup1, ])); -var msg467 = msg("1079:01", part489); +var msg467 = msg("1079:01", part475); -var part490 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ +var part476 = match("MESSAGE#467:1079:02", "nwparser.payload", "msg=\"destination for %{daddr->} is not allowed by access control\" n=%{fld2}", processor_chain([ dup1, dup11, setc("event_description","destination is not allowed by access control"), - dup17, dup18, dup19, dup20, dup21, + dup22, ])); -var msg468 = msg("1079:02", part490); +var msg468 = msg("1079:02", part476); -var part491 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ +var part477 = match("MESSAGE#468:1079:03", "nwparser.payload", "msg=\"SSLVPN Client %{username->} matched device profile Default Device Profile for Windows\" n=%{fld2}", processor_chain([ dup1, dup11, setc("event_description","SSLVPN Client matched device profile Default Device Profile for Windows"), - dup17, dup18, dup19, dup20, dup21, + dup22, ])); -var msg469 = msg("1079:03", part491); +var msg469 = msg("1079:03", part477); -var select154 = linear_select([ +var select139 = linear_select([ msg466, msg467, msg468, msg469, ]); -var part492 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); +var part478 = match("MESSAGE#469:1080/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} usr=\"%{username}\" src= %{p0}"); -var part493 = match("MESSAGE#469:1080/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part479 = match("MESSAGE#469:1080/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var select155 = linear_select([ - dup73, - part493, +var select140 = linear_select([ + dup8, + part479, ]); -var select156 = linear_select([ - dup77, - dup78, +var part480 = match("MESSAGE#469:1080/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); + +var select141 = linear_select([ + dup135, + part480, ]); -var part494 = match("MESSAGE#469:1080/4", "nwparser.p0", "%{} %{protocol}"); +var part481 = match_copy("MESSAGE#469:1080/3", "nwparser.p0", "protocol"); var all105 = all_match({ processors: [ - part492, - select155, - dup10, - select156, - part494, + part478, + select140, + select141, + part481, ], on_success: processor_chain([ dup1, @@ -5850,36 +5754,36 @@ var all105 = all_match({ var msg470 = msg("1080", all105); -var part495 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part482 = match("MESSAGE#470:580", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{protocol->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup5, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var msg471 = msg("580", part495); +var msg471 = msg("580", part482); -var part496 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); +var part483 = match("MESSAGE#471:1369/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{p0}"); var all106 = all_match({ processors: [ - part496, - dup224, - dup112, + part483, + dup236, + dup119, ], on_success: processor_chain([ - dup70, - dup54, - dup17, - dup82, - dup19, + dup78, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); @@ -5887,21 +5791,21 @@ var msg472 = msg("1369", all106); var all107 = all_match({ processors: [ - dup147, - dup211, dup149, - dup224, - dup112, + dup223, + dup152, + dup236, + dup119, ], on_success: processor_chain([ - dup70, - dup54, - dup17, - dup82, - dup19, + dup78, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); @@ -5909,273 +5813,274 @@ var msg473 = msg("1370", all107); var all108 = all_match({ processors: [ - dup147, + dup149, + dup223, + dup169, dup211, - dup161, - dup199, - dup112, + dup119, ], on_success: processor_chain([ - dup70, - dup54, - dup17, - dup82, - dup19, + dup78, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg474 = msg("1371", all108); -var part497 = match("MESSAGE#474:1387/1_1", "nwparser.p0", "%{saddr}:%{sport}: dst=%{p0}"); +var part484 = match("MESSAGE#474:1387/1_1", "nwparser.p0", " dst=%{p0}"); -var select157 = linear_select([ - dup138, - part497, +var select142 = linear_select([ + dup167, + part484, ]); var all109 = all_match({ processors: [ - dup160, - select157, - dup10, + dup166, + select142, + dup168, + dup223, + dup169, dup211, - dup161, - dup199, - dup112, + dup119, ], on_success: processor_chain([ - dup159, - dup54, - dup17, - dup82, - dup19, + dup165, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg475 = msg("1387", all109); -var part498 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{p0}"); - -var part499 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{saddr}:%{sport}dst=%{p0}"); +var part485 = match("MESSAGE#475:1391/0", "nwparser.payload", "pktdatId=%{fld1}pktdatNum=\"%{fld2}\" pktdatEnc=\"%{fld3}\" n=%{fld4}src=%{saddr}:%{p0}"); -var select158 = linear_select([ - dup69, - part499, -]); +var part486 = match("MESSAGE#475:1391/1_0", "nwparser.p0", "%{sport}:%{sinterface}dst=%{p0}"); -var part500 = match("MESSAGE#475:1391/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}"); +var part487 = match("MESSAGE#475:1391/1_1", "nwparser.p0", "%{sport}dst=%{p0}"); -var part501 = match("MESSAGE#475:1391/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); +var select143 = linear_select([ + part486, + part487, +]); -var part502 = match("MESSAGE#475:1391/2_2", "nwparser.p0", "%{daddr}:%{dport}"); +var part488 = match("MESSAGE#475:1391/3_0", "nwparser.p0", "%{dport}:%{dinterface}:%{dhost}"); -var select159 = linear_select([ - part500, - part501, - part502, +var select144 = linear_select([ + part488, + dup154, + dup155, ]); var all110 = all_match({ processors: [ - part498, - select158, - select159, + part485, + select143, + dup153, + select144, ], on_success: processor_chain([ dup1, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg476 = msg("1391", all110); -var part503 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ +var part489 = match("MESSAGE#476:1253", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1}appName=\"%{application}\" n=%{fld2}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{dinterface}srcMac=%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\"", processor_chain([ dup5, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var msg477 = msg("1253", part503); +var msg477 = msg("1253", part489); -var part504 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part490 = match("MESSAGE#477:1009", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup5, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var msg478 = msg("1009", part504); +var msg478 = msg("1009", part490); -var part505 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part491 = match("MESSAGE#478:910/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld2}appName=\"%{application}\" n=%{fld3}src=%{saddr}:%{sport}:%{sinterface}dst=%{daddr}:%{dport}:%{p0}"); -var part506 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost}srcMac=%{p0}"); +var part492 = match("MESSAGE#478:910/1_0", "nwparser.p0", "%{dinterface}:%{dhost}srcMac=%{p0}"); -var part507 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}srcMac=%{p0}"); +var part493 = match("MESSAGE#478:910/1_1", "nwparser.p0", "%{dinterface}srcMac=%{p0}"); -var select160 = linear_select([ - part506, - part507, +var select145 = linear_select([ + part492, + part493, ]); -var part508 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); +var part494 = match("MESSAGE#478:910/2", "nwparser.p0", "%{smacaddr}dstMac=%{dmacaddr}proto=%{protocol}fw_action=\"%{action}\""); var all111 = all_match({ processors: [ - part505, - select160, - part508, + part491, + select145, + part494, ], on_success: processor_chain([ dup5, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg479 = msg("910", all111); -var part509 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ +var part495 = match("MESSAGE#479:m:01", "nwparser.payload", "m=%{id1}msg=\"%{event_description}\" n=%{fld2}if=%{interface}ucastRx=%{fld3}bcastRx=%{fld4}bytesRx=%{rbytes}ucastTx=%{fld5}bcastTx=%{fld6}bytesTx=%{sbytes}", processor_chain([ dup1, - dup54, - dup17, - dup82, - dup19, - dup21, - dup37, + dup62, + dup18, + dup88, + dup20, + dup22, + dup44, ])); -var msg480 = msg("m:01", part509); +var msg480 = msg("m:01", part495); -var part510 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ +var part496 = match("MESSAGE#480:1011", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1}note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ dup1, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var msg481 = msg("1011", part510); +var msg481 = msg("1011", part496); -var part511 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ - dup164, - dup54, - dup17, - dup82, - dup19, +var part497 = match("MESSAGE#481:609", "nwparser.payload", "msg=\"%{event_description}\" sid=%{sid->} ipscat=\"%{fld3}\" ipspri=%{fld4->} pktdatId=%{fld5->} n=%{fld6->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} proto=%{protocol->} fw_action=\"%{action}\"", processor_chain([ + dup172, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var msg482 = msg("609", part511); +var msg482 = msg("609", part497); -var msg483 = msg("796", dup225); +var msg483 = msg("796", dup237); -var part512 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ - dup70, - dup54, - dup17, - dup82, - dup19, +var part498 = match("MESSAGE#483:880", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} note=\"%{info}\" fw_action=\"%{action}\"", processor_chain([ + dup78, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var msg484 = msg("880", part512); +var msg484 = msg("880", part498); -var part513 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup159, - dup54, - dup17, - dup82, - dup19, +var part499 = match("MESSAGE#484:1309", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup165, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); -var msg485 = msg("1309", part513); +var msg485 = msg("1309", part499); -var msg486 = msg("1310", dup225); +var msg486 = msg("1310", dup237); -var part514 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note=\"%{p0}"); +var part500 = match("MESSAGE#486:1232/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{p0}"); -var part515 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=\"%{p0}"); +var part501 = match("MESSAGE#486:1232/1_0", "nwparser.p0", "%{dinterface}:%{dhost->} note=\"%{p0}"); -var select161 = linear_select([ - part514, - part515, +var part502 = match("MESSAGE#486:1232/1_1", "nwparser.p0", "%{dinterface->} note=\"%{p0}"); + +var select146 = linear_select([ + part501, + part502, ]); -var part516 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); +var part503 = match("MESSAGE#486:1232/2", "nwparser.p0", "%{info}\" fw_action=\"%{action}\""); var all112 = all_match({ processors: [ - dup81, - select161, - part516, + part500, + select146, + part503, ], on_success: processor_chain([ dup1, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); var msg487 = msg("1232", all112); -var part517 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part504 = match("MESSAGE#487:1447/0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld1->} appName=\"%{application}\" n=%{fld2->} srcV6=%{saddr_v6->} src=%{saddr}:%{sport}:%{sinterface->} dstV6=%{daddr_v6->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); var all113 = all_match({ processors: [ - part517, - dup199, - dup112, + part504, + dup211, + dup119, ], on_success: processor_chain([ - dup159, - dup54, - dup17, - dup82, - dup19, + dup165, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ]), }); @@ -6199,7 +6104,7 @@ var chain1 = processor_chain([ "105": msg164, "106": msg165, "107": msg166, - "1079": select154, + "1079": select139, "108": msg167, "1080": msg470, "1086": msg424, @@ -6207,28 +6112,28 @@ var chain1 = processor_chain([ "11": msg10, "110": msg169, "1107": msg461, - "111": select66, + "111": select57, "1110": msg408, "112": msg172, "113": msg173, "114": msg174, "1149": msg426, - "115": select67, - "1153": select150, - "1154": select141, - "1155": select143, + "115": select58, + "1153": select135, + "1154": select126, + "1155": select128, "1159": msg427, "116": msg177, "117": msg178, "118": msg179, "119": msg180, - "1195": select139, + "1195": select124, "1197": msg439, "1198": msg445, - "1199": select142, + "1199": select127, "12": select4, "120": msg181, - "1201": select144, + "1201": select129, "121": msg182, "122": msg183, "1220": msg462, @@ -6266,7 +6171,7 @@ var chain1 = processor_chain([ "1371": msg474, "138": msg202, "1387": msg475, - "139": select68, + "139": select59, "1391": msg476, "14": select7, "140": msg205, @@ -6291,7 +6196,7 @@ var chain1 = processor_chain([ "154": msg221, "155": msg222, "156": msg223, - "157": select69, + "157": select60, "158": msg226, "159": msg227, "16": msg21, @@ -6307,37 +6212,37 @@ var chain1 = processor_chain([ "169": msg237, "17": msg22, "170": msg238, - "171": select70, - "172": select71, + "171": select61, + "172": select62, "173": msg245, - "174": select72, - "175": select73, + "174": select63, + "175": select64, "176": msg253, "177": msg254, "178": msg255, "179": msg256, "18": msg23, - "180": select74, - "181": select75, + "180": select65, + "181": select66, "19": msg24, "193": msg261, "194": msg262, "195": msg263, - "196": select78, + "196": select67, "199": msg266, "20": msg25, "200": msg267, "21": msg26, "22": msg27, "23": select10, - "235": select79, + "235": select68, "236": msg271, "237": msg272, "238": msg273, "239": msg274, "24": select11, "240": msg275, - "241": select80, + "241": select69, "242": msg278, "243": msg403, "25": msg34, @@ -6345,11 +6250,11 @@ var chain1 = processor_chain([ "255": msg280, "257": msg281, "26": msg35, - "261": select83, + "261": select72, "262": msg284, "263": msg413, "264": msg414, - "267": select136, + "267": select121, "27": msg36, "273": msg285, "28": select12, @@ -6362,22 +6267,22 @@ var chain1 = processor_chain([ "33": select17, "34": msg52, "346": msg288, - "35": select19, + "35": select18, "350": msg289, "351": msg290, "352": msg291, - "353": select84, + "353": select73, "354": msg294, - "355": select85, + "355": select74, "356": msg297, - "357": select86, + "357": select75, "358": msg300, - "36": select23, - "37": select27, - "371": select87, + "36": select21, + "37": select23, + "371": select76, "372": msg303, "373": msg304, - "38": select30, + "38": select25, "39": msg67, "4": msg1, "40": msg68, @@ -6386,7 +6291,7 @@ var chain1 = processor_chain([ "403": msg400, "404": msg410, "406": msg307, - "41": select31, + "41": select26, "412": msg415, "413": msg308, "414": msg309, @@ -6398,11 +6303,11 @@ var chain1 = processor_chain([ "439": msg311, "44": msg74, "440": msg312, - "441": select88, + "441": select77, "442": msg315, "446": msg316, - "45": select32, - "46": select33, + "45": select27, + "46": select28, "47": msg82, "477": msg317, "48": msg83, @@ -6413,13 +6318,13 @@ var chain1 = processor_chain([ "51": msg86, "52": msg87, "520": msg319, - "522": select91, + "522": select80, "523": msg323, - "524": select94, - "526": select97, + "524": select83, + "526": select86, "53": msg88, "534": msg401, - "537": select116, + "537": select101, "538": msg346, "549": msg347, "557": msg348, @@ -6431,11 +6336,11 @@ var chain1 = processor_chain([ "58": msg89, "580": msg471, "583": msg353, - "597": select117, - "598": select118, + "597": select102, + "598": select103, "6": select3, "60": msg90, - "602": select119, + "602": select104, "605": msg363, "606": msg364, "608": msg365, @@ -6444,32 +6349,32 @@ var chain1 = processor_chain([ "614": msg421, "616": msg366, "62": msg92, - "63": select34, + "63": select29, "64": msg95, "65": msg96, "654": msg455, - "657": select133, + "657": select118, "658": msg367, "66": msg97, - "67": select35, + "67": select30, "670": msg456, "68": msg100, "69": msg101, "7": msg6, - "70": select37, + "70": select32, "708": msg452, "709": msg447, "710": msg368, - "712": select123, - "713": select124, + "712": select108, + "713": select109, "714": msg446, - "72": select38, + "72": select33, "73": msg106, "74": msg107, "748": msg422, "75": msg108, "76": msg109, - "760": select125, + "760": select110, "766": msg378, "77": msg110, "78": msg111, @@ -6480,21 +6385,21 @@ var chain1 = processor_chain([ "8": msg7, "80": msg113, "805": msg417, - "809": select137, + "809": select122, "81": msg114, - "82": select39, - "83": select40, + "82": select34, + "83": select35, "84": msg122, - "860": select126, - "866": select128, - "867": select129, - "87": select42, - "88": select43, + "860": select111, + "866": select113, + "867": select114, + "87": select37, + "88": select38, "880": msg484, - "882": select130, + "882": select115, "884": msg457, - "888": select131, - "89": select45, + "888": select116, + "89": select40, "892": msg389, "9": msg8, "90": msg129, @@ -6514,687 +6419,725 @@ var chain1 = processor_chain([ "94": msg133, "95": msg134, "96": msg135, - "97": select52, - "98": select65, + "97": select44, + "98": select56, "986": msg155, "99": msg158, "994": msg402, "995": msg404, "997": msg405, - "998": select134, + "998": select119, "m": msg480, "msg": msg436, "src": msg437, }), ]); -var part518 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part505 = match("MESSAGE#14:14:01/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); -var part519 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); +var part506 = match("MESSAGE#14:14:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst= %{p0}"); -var part520 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part507 = match("MESSAGE#14:14:01/1_1", "nwparser.p0", " %{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part521 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{} %{p0}"); +var part508 = match("MESSAGE#14:14:01/2", "nwparser.p0", "%{daddr}:%{dport}:%{p0}"); -var part522 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); +var part509 = match("MESSAGE#28:23:01/1_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} %{p0}"); -var part523 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); +var part510 = match("MESSAGE#28:23:01/1_1", "nwparser.p0", "%{daddr->} %{p0}"); -var part524 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part511 = match("MESSAGE#28:23:01/2", "nwparser.p0", "%{p0}"); -var part525 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); +var part512 = match("MESSAGE#38:29:01/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); -var part526 = match("MESSAGE#38:29:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); +var part513 = match("MESSAGE#38:29:01/1_1", "nwparser.p0", " %{saddr->} dst= %{p0}"); -var part527 = match("MESSAGE#38:29:01/3_1", "nwparser.p0", "%{daddr->} "); +var part514 = match("MESSAGE#38:29:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} "); -var part528 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); +var part515 = match("MESSAGE#38:29:01/2_1", "nwparser.p0", "%{daddr->} "); -var part529 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); +var part516 = match("MESSAGE#40:30:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld->} src=%{p0}"); -var part530 = match("MESSAGE#54:36:01/2_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); +var part517 = match("MESSAGE#49:33:01/0", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{p0}"); -var part531 = match("MESSAGE#54:36:01/2_1", "nwparser.p0", "%{saddr->} %{p0}"); +var part518 = match("MESSAGE#52:35:01/2_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}"); -var part532 = match("MESSAGE#54:36:01/3", "nwparser.p0", "%{}dst= %{p0}"); +var part519 = match_copy("MESSAGE#52:35:01/2_1", "nwparser.p0", "daddr"); -var part533 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part520 = match("MESSAGE#54:36:01/1_0", "nwparser.p0", "app=%{fld51->} appName=\"%{application}\" n=%{p0}"); -var part534 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); +var part521 = match("MESSAGE#54:36:01/1_1", "nwparser.p0", "n=%{p0}"); -var part535 = match("MESSAGE#57:37:01/1_1", "nwparser.p0", "n=%{fld1->} src=%{p0}"); +var part522 = match("MESSAGE#54:36:01/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} %{p0}"); -var part536 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); +var part523 = match("MESSAGE#54:36:01/3_1", "nwparser.p0", "%{saddr->} %{p0}"); -var part537 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); +var part524 = match("MESSAGE#54:36:01/4", "nwparser.p0", "dst= %{p0}"); -var part538 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{} %{protocol->} npcs=%{info}"); +var part525 = match("MESSAGE#54:36:01/7_1", "nwparser.p0", "rule=%{rule}"); -var part539 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); +var part526 = match("MESSAGE#54:36:01/7_2", "nwparser.p0", "proto=%{protocol}"); -var part540 = match("MESSAGE#62:38:01/5_1", "nwparser.p0", "rule=%{rule->} "); +var part527 = match("MESSAGE#55:36:02/0", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part541 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} type= %{p0}"); +var part528 = match("MESSAGE#55:36:02/1_1", "nwparser.p0", "%{saddr->} dst= %{p0}"); -var part542 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} type= %{p0}"); +var part529 = match_copy("MESSAGE#55:36:02/6", "nwparser.p0", "info"); -var part543 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{p0}"); +var part530 = match("MESSAGE#59:37:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} proto= %{p0}"); -var part544 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part531 = match("MESSAGE#59:37:03/3_1", "nwparser.p0", "%{dinterface->} proto= %{p0}"); -var part545 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); +var part532 = match("MESSAGE#59:37:03/4", "nwparser.p0", "%{protocol->} npcs=%{info}"); -var part546 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); +var part533 = match("MESSAGE#62:38:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src= %{p0}"); -var part547 = match("MESSAGE#135:97:01/7_1", "nwparser.p0", "dstname=%{name->} "); +var part534 = match("MESSAGE#63:38:02/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} type= %{p0}"); -var part548 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part535 = match("MESSAGE#63:38:02/3_1", "nwparser.p0", "%{dinterface->} type= %{p0}"); -var part549 = match("MESSAGE#140:97:06/1_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost}dst=%{p0}"); +var part536 = match("MESSAGE#64:38:03/0", "nwparser.payload", "msg=\"%{event_description}\"%{p0}"); -var part550 = match("MESSAGE#140:97:06/1_1", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}dst=%{p0}"); +var part537 = match("MESSAGE#64:38:03/1_0", "nwparser.p0", " app=%{fld2->} appName=\"%{application}\"%{p0}"); -var part551 = match("MESSAGE#145:98/2_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); +var part538 = match_copy("MESSAGE#64:38:03/1_1", "nwparser.p0", "p0"); -var part552 = match("MESSAGE#145:98/3_0", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes->} fw_action=\"%{action}\""); +var part539 = match("MESSAGE#64:38:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part553 = match("MESSAGE#147:98:01/4_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface}:%{shost->} dst=%{p0}"); +var part540 = match("MESSAGE#64:38:03/3_1", "nwparser.p0", "%{daddr->} srcMac=%{p0}"); -var part554 = match("MESSAGE#147:98:01/4_2", "nwparser.p0", "%{saddr}dst=%{p0}"); +var part541 = match("MESSAGE#126:89:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); -var part555 = match("MESSAGE#147:98:01/6_1", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} %{p0}"); +var part542 = match("MESSAGE#135:97:01/0", "nwparser.payload", "n=%{fld1->} src= %{p0}"); -var part556 = match("MESSAGE#147:98:01/6_2", "nwparser.p0", " %{daddr->} %{p0}"); +var part543 = match("MESSAGE#135:97:01/6_0", "nwparser.p0", "result=%{result->} dstname=%{p0}"); -var part557 = match("MESSAGE#148:98:06/5_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); +var part544 = match("MESSAGE#135:97:01/6_1", "nwparser.p0", "dstname=%{p0}"); -var part558 = match("MESSAGE#148:98:06/5_3", "nwparser.p0", " %{daddr}:%{dport}:%{dinterface->} proto=%{p0}"); +var part545 = match("MESSAGE#137:97:03/0", "nwparser.payload", "sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part559 = match("MESSAGE#149:98:02/4", "nwparser.p0", "%{}proto=%{protocol}"); +var part546 = match("MESSAGE#141:97:07/1_1", "nwparser.p0", "%{dinterface->} srcMac=%{p0}"); -var part560 = match("MESSAGE#154:427/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{p0}"); +var part547 = match("MESSAGE#147:98:01/6_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} %{p0}"); -var part561 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part548 = match("MESSAGE#147:98:01/7_4", "nwparser.p0", "proto=%{protocol->} sent=%{sbytes}"); -var part562 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} npcs= %{p0}"); +var part549 = match("MESSAGE#148:98:06/0", "nwparser.payload", "msg=\"%{event_description}\" %{p0}"); -var part563 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs= %{p0}"); +var part550 = match("MESSAGE#148:98:06/5_0", "nwparser.p0", "%{sinterface}:%{shost->} dst= %{p0}"); -var part564 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{} %{info}"); +var part551 = match("MESSAGE#148:98:06/5_1", "nwparser.p0", "%{sinterface->} dst= %{p0}"); -var part565 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} note= %{p0}"); +var part552 = match("MESSAGE#148:98:06/7_2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto=%{p0}"); -var part566 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note= %{p0}"); +var part553 = match("MESSAGE#148:98:06/9_3", "nwparser.p0", "sent=%{sbytes}"); -var part567 = match("MESSAGE#256:180:01/4", "nwparser.p0", "%{}\"%{fld3}\" npcs=%{info}"); +var part554 = match("MESSAGE#155:428/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part568 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); +var part555 = match("MESSAGE#240:171:03/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} npcs= %{p0}"); -var part569 = match("MESSAGE#260:194/1_0", "nwparser.p0", "sent=%{sbytes->} "); +var part556 = match("MESSAGE#240:171:03/3_1", "nwparser.p0", "%{dinterface->} npcs= %{p0}"); -var part570 = match("MESSAGE#260:194/1_1", "nwparser.p0", " rcvd=%{rbytes}"); +var part557 = match("MESSAGE#240:171:03/4", "nwparser.p0", "%{info}"); -var part571 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); +var part558 = match("MESSAGE#256:180:01/3_0", "nwparser.p0", "%{dinterface}:%{dhost->} note= %{p0}"); -var part572 = match("MESSAGE#262:196/2", "nwparser.p0", "%{method}"); +var part559 = match("MESSAGE#256:180:01/3_1", "nwparser.p0", "%{dinterface->} note= %{p0}"); -var part573 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); +var part560 = match("MESSAGE#256:180:01/4", "nwparser.p0", "\"%{fld3}\" npcs=%{info}"); -var part574 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); +var part561 = match("MESSAGE#260:194/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} sport=%{sport->} dport=%{dport->} %{p0}"); -var part575 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); +var part562 = match("MESSAGE#260:194/1_1", "nwparser.p0", "rcvd=%{rbytes}"); -var part576 = match("MESSAGE#302:401/1_1", "nwparser.p0", " %{space}"); +var part563 = match("MESSAGE#262:196/1_0", "nwparser.p0", "sent=%{sbytes->} cmd=%{p0}"); -var part577 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); +var part564 = match("MESSAGE#262:196/1_1", "nwparser.p0", "rcvd=%{rbytes->} cmd=%{p0}"); -var part578 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); +var part565 = match_copy("MESSAGE#262:196/2", "nwparser.p0", "method"); -var part579 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); +var part566 = match("MESSAGE#280:261:01/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{p0}"); -var part580 = match("MESSAGE#318:522:01/4", "nwparser.p0", "%{}proto=%{protocol->} npcs=%{info}"); +var part567 = match("MESSAGE#283:273/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld->} src=%{p0}"); -var part581 = match("MESSAGE#321:524/5_0", "nwparser.p0", "proto=%{protocol->} "); +var part568 = match("MESSAGE#302:401/0", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr->} %{p0}"); -var part582 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); +var part569 = match("MESSAGE#302:401/1_0", "nwparser.p0", "dstname=%{name}"); -var part583 = match("MESSAGE#332:537:08/0_0", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} appName=\"%{application}\"n=%{p0}"); +var part570 = match_copy("MESSAGE#302:401/1_1", "nwparser.p0", "space"); -var part584 = match("MESSAGE#332:537:08/0_1", "nwparser.payload", "msg=\"%{event_description}\" app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); +var part571 = match("MESSAGE#313:446/3_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=\"%{p0}"); -var part585 = match("MESSAGE#332:537:08/0_2", "nwparser.payload", " msg=\"%{event_description}\" app=%{fld51}n=%{p0}"); +var part572 = match("MESSAGE#313:446/3_1", "nwparser.p0", "%{protocol->} fw_action=\"%{p0}"); -var part586 = match("MESSAGE#332:537:08/0_3", "nwparser.payload", "msg=\"%{event_description}\"n=%{p0}"); +var part573 = match("MESSAGE#313:446/4", "nwparser.p0", "%{action}\""); -var part587 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); +var part574 = match("MESSAGE#318:522:01/4", "nwparser.p0", "proto=%{protocol->} npcs=%{info}"); -var part588 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", "%{fld1}src=%{p0}"); +var part575 = match("MESSAGE#330:537:01/0", "nwparser.payload", "msg=\"%{action}\" f=%{fld1->} n=%{fld2->} src= %{p0}"); -var part589 = match("MESSAGE#332:537:08/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} srcMac=%{p0}"); +var part576 = match_copy("MESSAGE#330:537:01/5_1", "nwparser.p0", "rbytes"); -var part590 = match("MESSAGE#332:537:08/5_0", "nwparser.p0", "dstMac=%{dmacaddr->} proto=%{protocol->} sent=%{p0}"); +var part577 = match("MESSAGE#332:537:08/1_0", "nwparser.p0", " app=%{fld51->} appName=\"%{application}\"n=%{p0}"); -var part591 = match("MESSAGE#332:537:08/5_1", "nwparser.p0", " proto=%{protocol->} sent=%{p0}"); +var part578 = match("MESSAGE#332:537:08/1_1", "nwparser.p0", " app=%{fld51->} sess=\"%{fld4}\" n=%{p0}"); -var part592 = match("MESSAGE#333:537:09/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} dstMac=%{p0}"); +var part579 = match("MESSAGE#332:537:08/1_2", "nwparser.p0", " app=%{fld51}n=%{p0}"); -var part593 = match("MESSAGE#333:537:09/5_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} %{p0}"); +var part580 = match("MESSAGE#332:537:08/2_0", "nwparser.p0", "%{fld1->} usr=\"%{username}\"src=%{p0}"); -var part594 = match("MESSAGE#333:537:09/5_1", "nwparser.p0", "%{sbytes->} %{p0}"); +var part581 = match("MESSAGE#332:537:08/2_1", "nwparser.p0", "%{fld1}src=%{p0}"); -var part595 = match("MESSAGE#333:537:09/6_0", "nwparser.p0", " spkt=%{fld3->} cdur=%{fld7->} fw_action=\"%{action}\""); +var part582 = match("MESSAGE#332:537:08/6_0", "nwparser.p0", "%{sbytes->} rcvd=%{rbytes->} spkt=%{p0}"); -var part596 = match("MESSAGE#333:537:09/6_1", "nwparser.p0", "spkt=%{fld3->} rpkt=%{fld6->} cdur=%{fld7->} "); +var part583 = match("MESSAGE#332:537:08/6_1", "nwparser.p0", "%{sbytes->} spkt=%{p0}"); -var part597 = match("MESSAGE#333:537:09/6_2", "nwparser.p0", "spkt=%{fld3->} cdur=%{fld7->} "); +var part584 = match("MESSAGE#332:537:08/7_1", "nwparser.p0", "%{fld3->} rpkt=%{fld6->} cdur=%{fld7}"); -var part598 = match("MESSAGE#333:537:09/6_3", "nwparser.p0", " spkt=%{fld3}"); +var part585 = match("MESSAGE#332:537:08/7_3", "nwparser.p0", "%{fld3->} cdur=%{fld7}"); -var part599 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); +var part586 = match_copy("MESSAGE#332:537:08/7_4", "nwparser.p0", "fld3"); -var part600 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); +var part587 = match("MESSAGE#336:537:04/0", "nwparser.payload", "msg=\"%{action}\" sess=%{fld1->} n=%{fld2->} src= %{p0}"); -var part601 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "%{fld2->} usr=\"%{username}\" %{p0}"); +var part588 = match("MESSAGE#336:537:04/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface}:%{dhost->} proto= %{p0}"); -var part602 = match("MESSAGE#338:537:10/1_1", "nwparser.p0", "%{fld2->} %{p0}"); +var part589 = match("MESSAGE#336:537:04/3_1", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} proto= %{p0}"); -var part603 = match("MESSAGE#338:537:10/2", "nwparser.p0", "%{}src=%{p0}"); +var part590 = match("MESSAGE#336:537:04/3_2", "nwparser.p0", "%{daddr->} proto= %{p0}"); -var part604 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part591 = match("MESSAGE#338:537:10/1_0", "nwparser.p0", "usr=\"%{username}\" %{p0}"); -var part605 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); +var part592 = match("MESSAGE#338:537:10/2", "nwparser.p0", "src=%{p0}"); -var part606 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info->} "); +var part593 = match("MESSAGE#338:537:10/3_0", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); -var part607 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12->} "); +var part594 = match("MESSAGE#338:537:10/3_1", "nwparser.p0", "%{saddr->} dst=%{p0}"); -var part608 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{p0}"); +var part595 = match("MESSAGE#338:537:10/6_0", "nwparser.p0", "npcs=%{info}"); -var part609 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{p0}"); +var part596 = match("MESSAGE#338:537:10/6_1", "nwparser.p0", "cdur=%{fld12}"); -var part610 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{daddr}:%{dport->} srcMac=%{p0}"); +var part597 = match("MESSAGE#355:598:01/0", "nwparser.payload", "msg=%{msg->} sess=%{fld1->} n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst= %{daddr}:%{dport}:%{p0}"); -var part611 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); +var part598 = match("MESSAGE#361:606/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{p0}"); -var part612 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); +var part599 = match("MESSAGE#361:606/1_0", "nwparser.p0", "%{dport}:%{dinterface->} srcMac=%{p0}"); -var part613 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{fld1->} src=%{p0}"); +var part600 = match("MESSAGE#361:606/1_1", "nwparser.p0", "%{dport->} srcMac=%{p0}"); -var part614 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); +var part601 = match("MESSAGE#361:606/2", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr}proto=%{p0}"); -var part615 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part602 = match("MESSAGE#362:608/4", "nwparser.p0", "%{daddr}:%{p0}"); -var part616 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); +var part603 = match("MESSAGE#362:608/5_1", "nwparser.p0", "%{dport}:%{dinterface}"); -var part617 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); +var part604 = match_copy("MESSAGE#362:608/5_2", "nwparser.p0", "dport"); -var part618 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); +var part605 = match("MESSAGE#366:712:02/0", "nwparser.payload", "msg=\"%{action}\" %{p0}"); -var part619 = match("MESSAGE#366:712:02/5", "nwparser.p0", "%{fld51}"); +var part606 = match("MESSAGE#366:712:02/1_0", "nwparser.p0", "app=%{fld21->} appName=\"%{application}\" n=%{p0}"); -var part620 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{p0}"); +var part607 = match("MESSAGE#366:712:02/2", "nwparser.p0", "%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface->} srcMac=%{p0}"); -var part621 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); +var part608 = match("MESSAGE#366:712:02/3_0", "nwparser.p0", "%{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); -var part622 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{} %{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); +var part609 = match("MESSAGE#366:712:02/3_1", "nwparser.p0", "%{smacaddr->} proto=%{p0}"); -var part623 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); +var part610 = match("MESSAGE#366:712:02/4_0", "nwparser.p0", "%{protocol}/%{fld3->} fw_action=%{p0}"); -var part624 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} note=%{p0}"); +var part611 = match("MESSAGE#366:712:02/4_1", "nwparser.p0", "%{protocol->} fw_action=%{p0}"); -var part625 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{daddr}:%{dport->} note=%{p0}"); +var part612 = match_copy("MESSAGE#366:712:02/5", "nwparser.p0", "fld51"); -var part626 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); +var part613 = match("MESSAGE#391:908/0", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld2->} src=%{saddr}:%{sport}:%{p0}"); -var part627 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); +var part614 = match("MESSAGE#391:908/1_1", "nwparser.p0", "%{sinterface->} dst=%{p0}"); -var part628 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); +var part615 = match("MESSAGE#391:908/2", "nwparser.p0", "%{} %{daddr}:%{p0}"); -var select162 = linear_select([ +var part616 = match("MESSAGE#391:908/4", "nwparser.p0", "%{} %{smacaddr->} dstMac=%{dmacaddr->} proto=%{p0}"); + +var part617 = match("MESSAGE#439:1199/2", "nwparser.p0", "%{daddr}:%{dport}:%{dinterface->} npcs=%{info}"); + +var part618 = match("MESSAGE#444:1198/0", "nwparser.payload", "msg=\"%{msg}\" note=\"%{fld3}\" sess=%{fld1->} n=%{fld2->} src=%{p0}"); + +var part619 = match("MESSAGE#461:1220/3_0", "nwparser.p0", "%{dport}:%{dinterface->} note=%{p0}"); + +var part620 = match("MESSAGE#461:1220/3_1", "nwparser.p0", "%{dport->} note=%{p0}"); + +var part621 = match("MESSAGE#461:1220/4", "nwparser.p0", "%{}\"%{info}\" fw_action=\"%{action}\""); + +var part622 = match("MESSAGE#471:1369/1_0", "nwparser.p0", "%{protocol}/%{fld3}fw_action=\"%{p0}"); + +var part623 = match("MESSAGE#471:1369/1_1", "nwparser.p0", "%{protocol}fw_action=\"%{p0}"); + +var select147 = linear_select([ dup8, dup9, ]); -var select163 = linear_select([ +var select148 = linear_select([ dup15, dup16, ]); -var part629 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var part624 = match("MESSAGE#403:24:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, - dup23, + dup24, ])); -var select164 = linear_select([ - dup25, +var select149 = linear_select([ dup26, + dup27, ]); -var select165 = linear_select([ - dup27, +var select150 = linear_select([ dup28, + dup29, ]); -var select166 = linear_select([ - dup34, +var select151 = linear_select([ dup35, + dup36, ]); -var select167 = linear_select([ - dup25, - dup39, +var select152 = linear_select([ + dup37, + dup38, ]); -var select168 = linear_select([ - dup41, - dup42, +var select153 = linear_select([ + dup39, + dup40, ]); -var select169 = linear_select([ +var select154 = linear_select([ + dup26, dup46, - dup47, ]); -var select170 = linear_select([ +var select155 = linear_select([ + dup48, dup49, - dup50, ]); -var part630 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ - dup62, +var select156 = linear_select([ + dup52, + dup53, +]); + +var select157 = linear_select([ + dup55, + dup56, +]); + +var select158 = linear_select([ + dup57, + dup58, +]); + +var part625 = match("MESSAGE#116:82:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ + dup70, ])); -var part631 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ +var part626 = match("MESSAGE#118:83:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr}:%{sport}:%{sinterface->} dst=%{daddr}:%{dport}:%{dinterface}", processor_chain([ dup5, ])); -var select171 = linear_select([ - dup71, +var select159 = linear_select([ dup75, dup76, ]); -var select172 = linear_select([ - dup8, - dup25, +var select160 = linear_select([ + dup83, + dup84, ]); -var part632 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ +var part627 = match("MESSAGE#168:111:01", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} dstname=%{shost}", processor_chain([ dup1, ])); -var select173 = linear_select([ - dup88, - dup89, +var select161 = linear_select([ + dup94, + dup95, ]); -var part633 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part628 = match("MESSAGE#253:178", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup5, ])); -var select174 = linear_select([ - dup92, - dup93, +var select162 = linear_select([ + dup98, + dup99, ]); -var select175 = linear_select([ - dup96, - dup97, +var select163 = linear_select([ + dup86, + dup102, +]); + +var select164 = linear_select([ + dup103, + dup104, ]); -var part634 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ - dup87, +var part629 = match("MESSAGE#277:252", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{saddr->} dst=%{daddr}", processor_chain([ + dup93, ])); -var part635 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ - dup87, +var part630 = match("MESSAGE#293:355", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup93, ])); -var part636 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ +var part631 = match("MESSAGE#295:356", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ dup1, ])); -var part637 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ +var part632 = match("MESSAGE#298:358", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport}", processor_chain([ dup1, ])); -var part638 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ +var part633 = match("MESSAGE#414:371:01", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr->} note=\"%{event_description}\"", processor_chain([ dup1, - dup23, + dup24, ])); -var select176 = linear_select([ - dup66, - dup108, +var select165 = linear_select([ + dup114, + dup115, ]); -var select177 = linear_select([ - dup110, - dup111, +var select166 = linear_select([ + dup117, + dup118, ]); -var select178 = linear_select([ - dup115, - dup45, +var select167 = linear_select([ + dup43, + dup42, ]); -var select179 = linear_select([ +var select168 = linear_select([ dup8, - dup26, + dup27, ]); -var select180 = linear_select([ +var select169 = linear_select([ dup8, - dup25, - dup39, + dup26, + dup46, ]); -var select181 = linear_select([ - dup71, +var select170 = linear_select([ + dup80, dup15, dup16, ]); -var select182 = linear_select([ - dup121, - dup122, -]); - -var select183 = linear_select([ - dup68, - dup69, - dup74, +var select171 = linear_select([ + dup124, + dup125, + dup126, + dup38, ]); -var select184 = linear_select([ +var select172 = linear_select([ dup127, dup128, ]); -var select185 = linear_select([ - dup41, - dup42, - dup134, +var select173 = linear_select([ + dup129, + dup130, ]); -var select186 = linear_select([ +var select174 = linear_select([ dup135, dup136, + dup137, ]); -var select187 = linear_select([ +var select175 = linear_select([ dup138, - dup139, + dup56, ]); -var select188 = linear_select([ +var select176 = linear_select([ dup140, dup141, ]); -var select189 = linear_select([ - dup49, - dup148, +var select177 = linear_select([ + dup142, + dup143, ]); -var part639 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ +var select178 = linear_select([ dup150, + dup151, +]); + +var part634 = match("MESSAGE#365:710", "nwparser.payload", "msg=\"%{action}\" n=%{fld1->} src=%{saddr}:%{sport->} dst=%{daddr}:%{dport}", processor_chain([ + dup156, ])); -var select190 = linear_select([ - dup152, - dup40, +var select179 = linear_select([ + dup158, + dup38, ]); -var select191 = linear_select([ - dup154, - dup155, +var select180 = linear_select([ + dup160, + dup161, ]); -var select192 = linear_select([ - dup156, - dup157, +var select181 = linear_select([ + dup162, + dup163, ]); -var part640 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ +var part635 = match("MESSAGE#375:766", "nwparser.payload", "msg=\"%{msg}\" n=%{ntype}", processor_chain([ dup5, ])); -var part641 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ +var part636 = match("MESSAGE#377:860:01", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{ntype}", processor_chain([ dup5, ])); -var part642 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ +var part637 = match("MESSAGE#393:914", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} src=%{stransaddr}:%{stransport}:%{sinterface}:%{host->} dst=%{dtransaddr}:%{dtransport}:%{dinterface}:%{shost}", processor_chain([ dup5, - dup23, + dup24, ])); -var part643 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ +var part638 = match("MESSAGE#399:994", "nwparser.payload", "msg=\"%{msg}\" n=%{fld1->} usr=%{username->} src=%{stransaddr}:%{stransport->} dst=%{dtransaddr}:%{dtransport->} note=\"%{event_description}\"", processor_chain([ dup1, - dup23, + dup24, ])); -var part644 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ +var part639 = match("MESSAGE#406:1110", "nwparser.payload", "msg=\"%{msg}\" %{space->} n=%{fld1}", processor_chain([ dup1, - dup23, + dup24, ])); -var part645 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ - dup163, - dup37, +var part640 = match("MESSAGE#420:614", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ + dup171, + dup44, ])); -var part646 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ +var part641 = match("MESSAGE#454:654", "nwparser.payload", "msg=\"%{msg}\" sess=%{fld1->} n=%{fld2}", processor_chain([ dup1, ])); -var select193 = linear_select([ - dup169, - dup170, +var select182 = linear_select([ + dup177, + dup178, ]); -var select194 = linear_select([ - dup172, - dup173, +var select183 = linear_select([ + dup180, + dup181, ]); -var part647 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ +var part642 = match("MESSAGE#482:796", "nwparser.payload", "msg=\"%{event_description}\" n=%{fld1->} fw_action=\"%{action}\"", processor_chain([ dup1, - dup54, - dup17, - dup82, - dup19, + dup62, + dup18, + dup88, dup20, dup21, - dup37, + dup22, + dup44, ])); var all114 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup186, ], on_success: processor_chain([ - dup30, + dup31, ]), }); var all115 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup85, + dup91, ]), }); var all116 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup59, + dup67, ]), }); var all117 = all_match({ processors: [ - dup95, - dup192, + dup101, + dup203, ], on_success: processor_chain([ - dup59, + dup67, ]), }); var all118 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup100, + dup106, ]), }); var all119 = all_match({ processors: [ - dup31, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup29, + dup31, ]), }); var all120 = all_match({ processors: [ - dup102, - dup177, - dup10, - dup178, + dup32, + dup185, + dup187, ], on_success: processor_chain([ - dup103, + dup30, ]), }); var all121 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup108, + dup185, + dup187, ], on_success: processor_chain([ - dup106, + dup109, ]), }); var all122 = all_match({ processors: [ - dup107, - dup198, + dup110, + dup185, + dup187, ], on_success: processor_chain([ - dup87, + dup112, ]), }); var all123 = all_match({ processors: [ - dup104, - dup177, - dup10, - dup178, + dup113, + dup210, ], on_success: processor_chain([ - dup109, + dup93, ]), }); var all124 = all_match({ processors: [ - dup44, - dup179, - dup36, - dup178, + dup110, + dup185, + dup187, ], on_success: processor_chain([ - dup5, + dup116, ]), }); var all125 = all_match({ processors: [ - dup80, - dup177, - dup10, - dup175, - dup79, + dup51, + dup189, + dup41, + dup187, ], on_success: processor_chain([ - dup1, + dup5, ]), }); var all126 = all_match({ processors: [ - dup151, - dup213, - dup153, - dup214, - dup215, - dup158, + dup73, + dup185, + dup183, + dup43, ], on_success: processor_chain([ - dup150, - dup51, - dup52, - dup53, - dup54, - dup37, - dup55, - dup17, + dup1, + ]), +}); + +var all127 = all_match({ + processors: [ + dup157, + dup225, + dup159, + dup226, + dup227, + dup164, + ], + on_success: processor_chain([ + dup156, + dup59, + dup60, + dup61, + dup62, + dup44, + dup63, dup18, dup19, dup20, dup21, + dup22, ]), }); -var all127 = all_match({ +var all128 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup191, - dup94, + dup202, + dup100, ], on_success: processor_chain([ dup1, ]), }); -var all128 = all_match({ +var all129 = all_match({ processors: [ dup7, - dup174, + dup182, dup10, - dup189, - dup90, + dup200, + dup96, ], on_success: processor_chain([ dup1, diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml index 01202648b26b..0d5140dee4c5 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml @@ -57,22 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' - - append: - field: related.hosts - value: '{{host.hostname}}' - allow_duplicates: false - if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - - append: - field: related.hosts - value: '{{source.address}}' - allow_duplicates: false - if: ctx?.source?.address != null && ctx.source?.address != '' - - append: - field: related.hosts - value: '{{destination.address}}' - allow_duplicates: false - if: ctx?.destination?.address != null && ctx.destination?.address != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml index 18e06e5fd2e1..f9949f03fd52 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/manifest.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9519 + default: 9536 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json index 37d6d4325b79..dc2a22faf280 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/general.log-expected.json @@ -7,21 +7,19 @@ "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:06\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 0, "log.original": "Connection Opened", - "observer.ingress.interface.name": "WAN", + "observer.ingress.interface.name": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "2.2.2.2" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN", + "rsa.network.sinterface": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "rsa.time.event_time": "2007-01-03T16:48:06.000Z", "service.type": "sonicwall", "source.as.number": 3215, @@ -75,21 +73,19 @@ "event.original": "Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:07\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23420 src=2.2.2.2:36702:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 414, "log.original": "Connection Opened", - "observer.ingress.interface.name": "WAN", + "observer.ingress.interface.name": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "2.2.2.2" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN", + "rsa.network.sinterface": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "rsa.time.event_time": "2007-01-03T16:48:07.000Z", "service.type": "sonicwall", "source.as.number": 3215, @@ -124,6 +120,7 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "Connection Closed", "rsa.internal.messageid": "537", "rsa.misc.action": [ "Connection Closed" @@ -151,6 +148,7 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "Connection Closed", "rsa.internal.messageid": "537", "rsa.misc.action": [ "Connection Closed" @@ -178,6 +176,7 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "Connection Closed", "rsa.internal.messageid": "537", "rsa.misc.action": [ "Connection Closed" @@ -205,6 +204,7 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "Connection Closed", "rsa.internal.messageid": "537", "rsa.misc.action": [ "Connection Closed" @@ -224,21 +224,19 @@ "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:10\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23421 src=2.2.2.2:36703:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 1560, "log.original": "Connection Opened", - "observer.ingress.interface.name": "WAN", + "observer.ingress.interface.name": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "2.2.2.2" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN", + "rsa.network.sinterface": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "rsa.time.event_time": "2007-01-03T16:48:10.000Z", "service.type": "sonicwall", "source.as.number": 3215, @@ -292,21 +290,19 @@ "event.original": "Jan 3 13:45:40 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:11\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23422 src=2.2.2.2:36704:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 1974, "log.original": "Connection Opened", - "observer.ingress.interface.name": "WAN", + "observer.ingress.interface.name": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "2.2.2.2" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN", + "rsa.network.sinterface": "WAN dst=1.1.1.1:50000:WAN proto=tcp/50000", "rsa.time.event_time": "2007-01-03T16:48:11.000Z", "service.type": "sonicwall", "source.as.number": 3215, @@ -379,6 +375,7 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "Connection Closed", "rsa.internal.messageid": "537", "rsa.misc.action": [ "Connection Closed" @@ -420,21 +417,19 @@ "event.original": "Jan 3 13:45:44 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23423 src=1.1.1.1:500:WAN dst=2.2.2.2:500:WAN proto=udp/500", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 2780, "log.original": "Connection Opened", - "observer.ingress.interface.name": "WAN", + "observer.ingress.interface.name": "WAN dst=2.2.2.2:500:WAN proto=udp/500", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "1.1.1.1" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN", + "rsa.network.sinterface": "WAN dst=2.2.2.2:500:WAN proto=udp/500", "rsa.time.event_time": "2007-01-03T16:48:15.000Z", "service.type": "sonicwall", "source.as.number": 13335, @@ -481,21 +476,19 @@ "event.original": "Jan 3 13:45:45 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:15\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23424 src=192.168.115.10:11549:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 3165, "log.original": "Connection Opened", - "observer.ingress.interface.name": "WAN", + "observer.ingress.interface.name": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "192.168.115.10" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN", + "rsa.network.sinterface": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "rsa.time.event_time": "2007-01-03T16:48:15.000Z", "service.type": "sonicwall", "source.ip": [ @@ -515,21 +508,19 @@ "event.original": "Jan 3 13:45:46 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:17\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23425 src=192.168.5.64:3182:LAN dst=192.168.1.100:445:WAN proto=tcp/445", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 3375, "log.original": "Connection Opened", - "observer.ingress.interface.name": "LAN", + "observer.ingress.interface.name": "LAN dst=192.168.1.100:445:WAN proto=tcp/445", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "192.168.5.64" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "LAN", + "rsa.network.sinterface": "LAN dst=192.168.1.100:445:WAN proto=tcp/445", "rsa.time.event_time": "2007-01-03T16:48:17.000Z", "service.type": "sonicwall", "source.ip": [ @@ -557,6 +548,7 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "Connection Closed", "rsa.internal.messageid": "537", "rsa.misc.action": [ "Connection Closed" @@ -584,6 +576,7 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "rsa.internal.event_desc": "Connection Closed", "rsa.internal.messageid": "537", "rsa.misc.action": [ "Connection Closed" @@ -603,21 +596,19 @@ "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:20\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23426 src=192.168.125.75:524:WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 4049, "log.original": "Connection Opened", - "observer.ingress.interface.name": "WAN", + "observer.ingress.interface.name": "WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "192.168.125.75" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN", + "rsa.network.sinterface": "WAN dst=192.168.5.10:3582:LAN proto=udp/3582", "rsa.time.event_time": "2007-01-03T16:48:20.000Z", "service.type": "sonicwall", "source.ip": [ @@ -637,21 +628,19 @@ "event.original": "Jan 3 13:45:50 192.168.5.1 id=firewall sn=000SERIAL time=\"2007-01-03 14:48:21\" fw=1.1.1.1 pri=6 c=262144 m=98 msg=\"Connection Opened\" n=23427 src=192.168.6.10:28503:WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], "log.offset": 4260, "log.original": "Connection Opened", - "observer.ingress.interface.name": "WAN", + "observer.ingress.interface.name": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ "192.168.6.10" ], + "rsa.internal.event_desc": "Connection Opened", "rsa.internal.messageid": "98", "rsa.internal.msg": "Connection Opened", - "rsa.network.sinterface": "WAN", + "rsa.network.sinterface": "WAN dst=192.168.5.10:53:LAN proto=tcp/dns", "rsa.time.event_time": "2007-01-03T16:48:21.000Z", "service.type": "sonicwall", "source.ip": [ diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log index eb7e231070a9..303aa073e77f 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log @@ -1,100 +1,100 @@ -idi id=pexe sn=nes time="2016/01/29 06:09:59" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp -id=umexe sn=estlabo time="2016/02/12 13:12:33" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed -id=alo sn=eosquir time="2016-2-26 8:15:08" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow" -emape id=aer sn=lupt time="2016/03/12 03:17:42" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up -id=consec sn=taliquip time="2016/03/26 10:20:16" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway -id=tconsec sn=nsequat time="2016/04/09 17:22:51" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 -llamcorp id=ari sn=eataevit time="2016/04/24 00:25:25" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked -mquisnos id=loremagn sn=iciade time="2016/05/08 07:27:59" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure -id=aali sn=ametcons time="2016/05/22 14:30:33" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal -orsitame id=quiratio sn=ite time="2016/06/05 21:33:08" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked -id=usan sn=aper time="2016/06/20 04:35:42" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host -id=atquovo sn=iumto time="2016/07/04 11:38:16" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated -id=undeo sn=loremip time="2016-7-18 6:40:50" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" -id=rveli sn=rsint time="2016/08/02 01:43:25" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped -id=qua sn=luptatev time="2016/08/16 08:45:59" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores -id=tatiset sn=eprehen time="2016/08/30 15:48:33" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings -id=aliq sn=rsitam time="2016/09/13 22:51:07" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" -id=itecto sn=erc time="2016/09/28 05:53:42" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed -id=tat sn=tion time="2016/10/12 12:56:16" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut" -id=nidolo sn=tatn time="2016/10/26 19:58:50" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234 -id=quip sn=mporain time="2016-11-10 3:01:24" fw=10.34.161.166 pri=very-high c=sequi m=428 msg="rehend" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action="accept" -id=idex sn=xerci time="2016/11/24 10:03:59" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib -id=ari sn=exercit time="2016/12/08 17:06:33" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active -id=serunt sn=aquaeabi time="2016/12/23 00:09:07" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying). -id=veniamq sn=one time="2017/01/06 07:11:41" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source -id=tin sn=tenima time="2017/01/20 14:14:16" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete -id=equat sn=derit time="2017/02/03 21:16:50" fw=10.90.86.89 pri=medium c=labor m=867 msg="didunt" sess=uptatema n=intocc -eporr id=xeacomm sn=mveleu time="2017/02/18 04:19:24" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated -id=nisi sn=dant time="2017/03/04 11:21:59" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state. -id=quidolor sn=tessec time="2017/03/18 18:24:33" fw=10.135.160.125 pri=low c=icabo m=882 msg="itatio" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp -id=Nequepor sn=ali time="2017/04/02 01:27:07" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed -id=ehen sn=tate time="2017/04/16 08:29:41" fw=10.140.167.6 pri=low c=stquido m=372 msg="ommodico" n=ptas src=10.60.129.15 dst=10.248.101.25 -id=Nequepo sn=ipsumd time="2017/04/30 15:32:16" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed -id=reetdolo sn=smo time="2017/05/14 22:34:50" fw=10.107.31.179 pri=high c=uamest m=1079 msg="Clienttcois assigned IP:10.14.111.221" n=itam -santiumd id=turadip sn=uatD time="2017/05/29 05:37:24" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped -id=volu sn=nonn time="2017/06/12 12:39:58" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login -id=sBon sn=orro time="2017/06/26 19:42:33" fw=10.34.194.149 pri=medium c=ten m=196 msg="vita" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD -amvo id=qui sn=tasn time="2017/07/11 02:45:07" fw=10.243.138.88 pri=high c=Sedutp m=998 msg="utp" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note="quin" -id=tvolupt sn=eufugi time="2017/07/25 09:47:41" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available -temqu id=ovol sn=ptasn time="2017/08/08 16:50:15" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped -id=pid sn=illoin time="2017/08/22 23:52:50" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout -id=mestq sn=temUt time="2017/09/06 06:55:24" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active -id=adeser sn=oin time="2017/09/20 13:57:58" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg="quam" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 -reetdol id=totamre sn=isnostr time="2017/10/04 21:00:32" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out -psaquaea id=taevita sn=ameiusm time="2017/10/19 04:03:07" fw=10.227.15.253 pri=high c=piscinge m=402 msg="tvol" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit -elitse id=ima sn=quasia time="2017/11/02 11:05:41" fw=10.150.107.25 pri=low c=uptate m=1154 msg="mac" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local -id=asiarc sn=ian time="2017/11/16 18:08:15" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed -id=intocc sn=amcorp time="2017/12/01 01:10:49" fw=10.57.57.241 pri=low c=litani m=83 msg="utodita" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note="tiaec" npcs=rumwrit -id=gna sn=con time="2017/12/15 08:13:24" fw=10.11.44.250 pri=high c=etMal m=931 msg="qua" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497 -rem id=asper sn=idunt time="2017/12/29 15:15:58" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server -id=uisaute sn=imide time="2018/01/12 22:18:32" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable -id=ilmol sn=eri time="2018/01/27 05:21:06" fw=10.154.53.249 pri=low c=mquae m=243 msg="eriti" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp -id=ntutlabo sn=iusmodte time="2018-2-10 12:23:41" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action="deny" -id=emvele sn=isnost time="2018/02/24 19:26:15" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped -sit id=rumSect sn=ita time="2018/03/11 02:28:49" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E -oremag id=illu sn=ruredo time="2018/03/25 09:31:24" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore -id=onu sn=liquaUte time="2018/04/08 16:33:58" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication -id=mveniamq sn=taedict time="2018-4-22 11:36:32" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu note="aaliq" fw_action="allow" -id=uiinea sn=mnisiut time="2018/05/07 06:39:06" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80 -id=mve sn=uia time="2018/05/21 13:41:41" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout -id=doei sn=cipitl time="2018/06/04 20:44:15" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142 -ipsa id=asuntexp sn=adminim time="2018/06/19 03:46:49" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable -id=iumt sn=tsed time="2018/07/03 10:49:23" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out -id=loremag sn=tcu time="2018/07/17 17:51:58" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629 -elillum id=upt sn=rnat time="2018/08/01 00:54:32" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped -doeiu id=deF sn=itempo time="2018/08/15 07:57:06" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep" -BCS id=qui sn=ugiatquo time="2018/08/29 14:59:40" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN -id=vol sn=admi time="2018/09/12 22:02:15" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 -id=olorem sn=gitse time="2018/09/27 05:04:49" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno" -id=gna sn=isiutali time="2018/10/11 12:07:23" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed -id=uaturve sn=amquisno time="2018/10/25 19:09:57" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82 -id=atu sn=iusm time="2018/11/09 02:12:32" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 -id=oin sn=itseddoe time="2018/11/23 09:15:06" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry. -id=giatquov sn=olu time="2018/12/07 16:17:40" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER. -emagn id=emulla sn=mips time="2018/12/21 23:20:14" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out -id=itametc sn=ori time="2019/01/05 06:22:49" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle -id=doconse sn=etdol time="2019/01/19 13:25:23" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 -id=min sn=oluptat time="2019/02/02 20:27:57" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416 -id=eacommo sn=ueip time="2019/02/17 03:30:32" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon -usm id=labori sn=porai time="2019/03/03 10:33:06" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked -id=lup sn=upta time="2019-3-17 5:35:40" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow" -id=mmod sn=iti time="2019/04/01 00:38:14" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked -id=mag sn=gelitse time="2019/04/15 07:40:49" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 -id=nostrud sn=cteturad time="2019/04/29 14:43:23" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F -oluptate id=lit sn=santi time="2019/05/13 21:45:57" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar -id=vol sn=psumd time="2019/05/28 04:48:31" fw=10.103.29.178 pri=low c=rios m=355 msg="labo" n=lpaquiof src=10.78.29.246 dst=10.125.85.128 -enbyCi id=reetdo sn=tat time="2019/06/11 11:51:06" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing). -id=iamqui sn=tassita time="2019/06/25 18:53:40" fw=10.7.47.118 pri=medium c=piscing m=712 msg="allow" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129 -inesciu id=quid sn=atcupid time="2019/07/10 01:56:14" fw=10.29.5.115 pri=very-high c=ate m=670 msg="con" sess=tqu n=eirur -hite id=ianonnum sn=nofdeFi time="2019/07/24 08:58:48" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup -id=arch sn=lite time="2019/08/07 16:01:23" fw=10.25.118.123 pri=high c=borumSec m=931 msg="aecatcup" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374 -id=rumSecti sn=Utenima time="2019-8-21 11:03:57" fw=10.74.166.70 pri=very-high c=olor m=1086 msg="radip" n=rchitect fw_action="deny" -id=amquisno sn=modoc time="2019/09/05 06:06:31" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded -id=Bonorum sn=lesti time="2019/09/19 13:09:05" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked -uuntur id=tsedquia sn=its time="2019/10/03 20:11:40" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent -id=tatevel sn=midestl time="2019/10/18 03:14:14" fw=10.222.197.130 pri=medium c=ulapa m=713 msg="block" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342 -id=hilmole sn=sequ time="2019/11/01 10:16:48" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination -umtota id=etdolore sn=magnaa time="2019/11/15 17:19:22" fw=10.209.34.197 pri=very-high c=tes m=766 msg="equam" n=isi -id=rep sn=remap time="2019/11/30 00:21:57" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN -id=nesciun sn=amcolab time="2019/12/14 07:24:31" fw=10.142.7.145 pri=low c=iuta m=373 msg="deny" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745 +id=nnumqua sn=eacommod time="2016/01/29 06:09:59" fw=10.208.232.8 pri=very-high c=tur m=1197 msg="itv" sess=odoco n=ria src=10.20.234.169:1001:eth5722 dst= 10.208.15.216:4257:lo6125 note= "ntsunti Protocol:udp" npcs=ciade +idi id=pexe sn=nes time="2016/02/12 13:12:33" fw=10.254.41.82 pri=low c=Ute m=914 msg="lupt" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp +id=umexe sn=estlabo time="2016/02/26 20:15:08" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed +id=alo sn=eosquir time="2016-3-12 3:17:42" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg="ctetur" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action="allow" +emape id=aer sn=lupt time="2016/03/26 10:20:16" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up +id=consec sn=taliquip time="2016/04/09 17:22:51" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway +id=tconsec sn=nsequat time="2016/04/24 00:25:25" fw=10.137.246.137 pri=medium c=oluptas m=372 msg="llu" n=uptassi src=10.95.245.65 dst=10.13.70.213 +llamcorp id=ari sn=eataevit time="2016/05/08 07:27:59" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked +mquisnos id=loremagn sn=iciade time="2016/05/22 14:30:33" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure +id=aali sn=ametcons time="2016/06/05 21:33:08" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal +emip id=tvol sn=moll time="2016/06/20 04:35:42" fw=10.228.149.225 pri=high c=deomni m=139 msg="accept" n=onse src=10.136.153.149:3788:enp0s2489 dst= 10.16.52.205 +orsitame id=quiratio sn=ite time="2016/07/04 11:38:16" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked +id=usan sn=aper time="2016/07/18 18:40:50" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host +id=atquovo sn=iumto time="2016/08/02 01:43:25" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated +id=undeo sn=loremip time="2016-8-16 8:45:59" fw=10.134.0.141 pri=very-high c=uis m=1149 msg="idolore" n=onse fw_action="cancel" +id=rveli sn=rsint time="2016/08/30 15:48:33" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped +id=qua sn=luptatev time="2016/09/13 22:51:07" fw=10.123.104.59 pri=low c=elaudant m=1110 msg="tinvol" n=lores +id=tatiset sn=eprehen time="2016/09/28 05:53:42" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings +id=aliq sn=rsitam time="2016/10/12 12:56:16" fw=10.79.33.129 pri=high c=umdolo m=353 msg="onproide" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini" +id=itecto sn=erc time="2016/10/26 19:58:50" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed +id=tat sn=tion time="2016/11/10 03:01:24" fw=10.53.150.119 pri=medium c=uasia m=24 msg="emp" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note="taut" +id=tati sn=utaliqu time="2016/11/24 10:03:59" fw=10.53.187.44 pri=high c=iadese m=242 msg="imidest" n=emagnama src= 10.153.136.222 dst= 10.206.136.206:4108 +id=nidolo sn=tatn time="2016/12/08 17:06:33" fw=10.18.109.121 pri=very-high c=dolo m=87 msg="Loremip" n=idolor src=10.204.11.20 dst=10.239.201.234 +id=quip sn=mporain time="2016-12-23 12:09:07" fw=10.34.161.166 pri=very-high c=sequi m=428 msg="rehend" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action="accept" +id=idex sn=xerci time="2017/01/06 07:11:41" fw=10.84.206.79 pri=high c=uipe m=401 msg="inesci" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib +id=ari sn=exercit time="2017/01/20 14:14:16" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active +id=serunt sn=aquaeabi time="2017/02/03 21:16:50" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying). +id=veniamq sn=one time="2017/02/18 04:19:24" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source +id=tin sn=tenima time="2017/03/04 11:21:59" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete +id=tmollita sn=fde time="2017-3-18 6:24:33" fw=10.149.89.126 pri=high c=abo m=794 msg="veniamqu" sid=nse spycat=non spypri=paquioff pktdatId=mquisnos n=maven src=10.86.101.235:3266:lo6501 dst=10.30.153.159:6843:enp0s6487 proto=icmp/eporr fw_action="cancel" +id=aturQui sn=utlabor time="2017/04/02 01:27:07" fw=10.38.249.71 pri=low c=mfugiat m=133 PPPoE starting CHAP Authentication +id=tvolu sn=ecte time="2017/04/16 08:29:41" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available +olupta id=litse sn=icabo time="2017/04/30 15:32:16" fw=10.89.208.95 pri=low c=llumdolo m=255 msg="nre" n=ercitat src=10.237.163.139 dst=10.162.172.28 +ionevo id=ugiatnu sn=ciati time="2017/05/14 22:34:50" fw=10.184.122.157 pri=medium c=scivelit m=31 msg="allow" n=ehen src=10.191.23.41:1493:eth4488 dst= 10.250.47.252 +id=pta sn=tetu time="2017/05/29 05:37:24" fw=10.101.57.134 pri=low c=Nequepo m=12 Problem sending log email; check log settings +ntocc id=uteirure sn=nevo time="2017/06/12 12:39:58" fw=10.226.23.214 pri=very-high c=adip m=994 msg="tium" n=nnum usr=tenbyCi src=10.16.72.220:1842 dst=10.111.187.12:3577 note="quinesc" +id=tur sn=roi time="2017/06/26 19:42:33" fw=10.106.31.86 pri=low c=sno m=7 Log full; deactivating SonicWALL +ntocca id=ostru sn=ntoccae time="2017/07/11 02:45:07" fw=10.35.99.92 pri=medium c=iatisu m=866 msg="sec" sess=cons n=sBon +id=ten sn=vita time="2017/07/25 09:47:41" fw=10.35.5.16 pri=high c=emaccusa m=538 msg="accept" n=qui src=10.143.76.137:1414:lo3470 dst= 10.131.61.13 +id=evolu sn=ersp time="2017/08/08 16:50:15" fw=10.64.221.30 pri=medium c=inven m=793 msg="osquira" af_polid=tes af_policy="mquame" af_type="nihilmol" af_service="xercita" af_action="trud" n=eriti src=10.99.0.226:2984:eth1766:sequatu341.mail.invalid dst=10.77.129.130:6604:enp0s4138:Nemoenim2039.api.localhost +id=nbyCic sn=utlabor time="2017/08/22 23:52:50" fw=10.27.251.77 pri=medium c=ine m=905 msg="lup" n=tatemUt +id=quovol sn=nve time="2017/09/06 06:55:24" fw=10.104.201.10 pri=very-high c=ccaecat m=94 Diagnostic Code B +tau id=exercita sn=ris time="2017/09/20 13:57:58" fw=10.84.25.23 pri=high c=boree m=565 msg="intoc" n=ncidi +irat id=onev sn=aturauto time="2017/10/04 21:00:32" fw=10.218.243.47 pri=very-high c=oremi m=37 UDP packet dropped +id=temUt sn=olor time="2017/10/19 04:03:07" fw=10.19.10.148 pri=low c=niamqui m=4 SonicWALL activated +id=ess sn=ipisci time="2017/11/02 11:05:41" fw=10.113.95.59 pri=very-high c=reprehen m=156 Backup received heartbeat from wrong source +luptate id=persp sn=entsunt time="2017/11/16 18:08:15" fw=10.206.107.211 pri=low c=fugi m=140 msg="accept" n=inci src=10.230.173.4:2631:enp0s5632 dst= 10.192.27.157 +id=cusant sn=atemq time="2017/12/01 01:10:49" fw=10.136.31.188 pri=high c=borios m=118 Sending DHCP REQUEST (Verifying). +id=ercita sn=ciadeser time="2017/12/15 08:13:24" fw=10.175.236.135 pri=medium c=isnisi m=18 ActiveX blocked +id=isiuta sn=orsitam time="2017/12/29 15:15:58" fw=10.159.119.34 pri=high c=psaquaea m=195 msg="taevita" n=ameiusm src=10.227.15.253 dst=10.190.175.158 sport=271 dport=7005 rcvd=6587 +id=nre sn=veli time="2018/01/12 22:18:32" fw=10.62.147.186 pri=low c=elitse m=22 Ping of death blocked +id=quasia sn=adi time="2018/01/27 05:21:06" fw=10.9.12.248 pri=medium c=mac m=616 msg="block" n=aveni src=10.29.155.171:1871 dst=10.15.97.155:5935 +id=llamco sn=nea time="2018/02/10 12:23:41" fw=10.123.143.188 pri=medium c=orsit m=9 No new Filter list available +id=ise sn=itau time="2018/02/24 19:26:15" fw=10.44.22.97 pri=very-high c=lorsita m=907 msg="dolore" n=uptate +id=odi sn=ptass time="2018/03/11 02:28:49" fw=10.39.10.155 pri=low c=tametcon m=157 HA packet processing error +id=aco sn=tio time="2018/03/25 09:31:24" fw=10.112.38.219 pri=high c=dantium m=261 msg="lor" n=velillu usr=cteturad src= 10.18.204.87 dst= 10.25.32.107 +id=utodita sn=aec time="2018-4-8 4:33:58" fw=10.21.89.175 pri=medium c=diconse m=428 msg="elitse" n=reseo src=10.71.238.250:41:lo3856 dst=10.246.0.167:2189:eth2632 srcMac= 01:00:5e:7c:42:0b dstMac=01:00:5e:2c:22:06 proto=icmp fw_action="block" +id=ritin sn=temporin time="2018-4-22 11:36:32" fw=10.122.76.148 pri=high c=tdol m=794 msg="upt" sid=mex spycat=tatem spypri=untutlab pktdatId=amcor n=ica src=10.13.66.97:2000:enp0s5411 dst=10.176.209.227:6362:eth7037 proto=ipv6/siu fw_action="allow" +id=quaea sn=ametcons time="2018/05/07 06:39:06" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL +id=ariatur sn=rer time="2018/05/21 13:41:41" fw=10.210.243.175 pri=low c=atisetqu m=240 msg="issuscip" n=uisa src=10.240.49.224 dst=10.77.174.205 +id=luptatem sn=uaeratv time="2018/06/04 20:44:15" fw=10.240.190.136 pri=medium c=atcupid m=255 msg="quamnih" n=dminima src=10.44.150.31 dst=10.187.210.173 +id=ntutlabo sn=iusmodte time="2018-6-19 3:46:49" fw=10.108.84.24 pri=low c=iosamnis m=606 msg="volupt" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action="deny" +id=emvele sn=isnost time="2018/07/03 10:49:23" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped +sit id=rumSect sn=ita time="2018/07/17 17:51:58" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E +oremag id=illu sn=ruredo time="2018/08/01 00:54:32" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg="its" n=lore +sBono id=loremqu sn=tetur time="2018/08/15 07:57:06" fw=10.213.94.135 pri=very-high c=urmagn m=237 msg="block" n=uptat src=10.105.46.101:3346:enp0s382 dst= 10.50.44.5:7668:lo1441 +id=ddoeius sn=ugiatn time="2018/08/29 14:59:40" fw=10.50.102.128 pri=high c=abore m=328 msg="squ" n=uiadol src=10.60.142.127:1081:eth6291 dst= 10.52.248.251:5776:lo2241 +id=onu sn=liquaUte time="2018/09/12 22:02:15" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication +id=mveniamq sn=taedict time="2018-9-27 5:04:49" fw=10.206.69.135 pri=high c=aturve m=880 msg="utfug" n=aturQu note="aaliq" fw_action="allow" +id=uiinea sn=mnisiut time="2018/10/11 12:07:23" fw=10.208.228.129 pri=low c=olup m=441 msg="labor" n=dol src= 10.240.54.28 dst= 10.115.38.80 +id=mve sn=uia time="2018/10/25 19:09:57" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout +id=doei sn=cipitl time="2018/11/09 02:12:32" fw=10.53.127.17 pri=very-high c=strumex m=252 msg="eprehend" n=asnu src=10.102.166.19 dst=10.104.49.142 +id=repreh sn=plic time="2018/11/23 09:15:06" fw=10.17.87.79 pri=high c=saq m=199 msg="block" n=ritqu src=10.203.77.154:3916:lo4991 dst= 10.120.25.169:1965:lo4527 +ipsa id=asuntexp sn=adminim time="2018/12/07 16:17:40" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable +id=iumt sn=tsed time="2018/12/21 23:20:14" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out +id=loremag sn=tcu time="2019/01/05 06:22:49" fw=10.84.251.253 pri=high c=erspi m=195 msg="rorsit" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629 +elillum id=upt sn=rnat time="2019/01/19 13:25:23" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped +doeiu id=deF sn=itempo time="2019/02/02 20:27:57" fw=10.200.237.196 pri=medium c=ecillum m=995 msg="isci" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note="equep" +BCS id=qui sn=ugiatquo time="2019/02/17 03:30:32" fw=10.204.133.116 pri=medium c=autemv m=909 msg="emq" n=plicaboN +id=vol sn=admi time="2019/03/03 10:33:06" fw=10.77.229.168 pri=high c=aquiof m=178 msg="ende" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693 +id=olorem sn=gitse time="2019/03/17 17:35:40" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg="sci" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note="mquisno" +id=nisiu sn=imad time="2019/04/01 00:38:14" fw=10.30.101.79 pri=high c=tenimad m=97 n=sitametc src= 10.152.35.175:2737:enp0s3423 dst= 10.88.244.209:6953:enp0s2460 proto=ipv6-icmp op=caecat sent=5835 dstname=tquidol +undeom id=emullamc sn=tec time="2019/04/15 07:40:49" fw=10.29.118.7 pri=medium c=mveleum m=537 msg="accept" f=exercita n=sBonorum src= 10.132.171.15 dst= 10.107.216.138:3147:lo5057:ugitsedq5067.internal.test proto=rdp sent=5943 rcvd=1635 +id=gna sn=isiutali time="2019/04/29 14:43:23" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed +id=uaturve sn=amquisno time="2019/05/13 21:45:57" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg="CSe" n=lors src=10.135.70.159 dst=10.195.223.82 +id=atu sn=iusm time="2019/05/28 04:48:31" fw=10.20.81.176 pri=low c=stquido m=261 msg="rsitvolu" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 +id=oin sn=itseddoe time="2019/06/11 11:51:06" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry. +id=giatquov sn=olu time="2019/06/25 18:53:40" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER. +emagn id=emulla sn=mips time="2019/07/10 01:56:14" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out +id=itametc sn=ori time="2019/07/24 08:58:48" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle +id=doconse sn=etdol time="2019/08/07 16:01:23" fw=10.156.88.51 pri=high c=tura m=658 msg="osquirat" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543 +id=min sn=oluptat time="2019/08/21 23:03:57" fw=10.162.129.196 pri=medium c=snisi m=195 msg="magnaal" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416 +id=eacommo sn=ueip time="2019/09/05 06:06:31" fw=10.243.252.157 pri=low c=minim m=867 msg="scipi" sess=tur n=acon +usm id=labori sn=porai time="2019/09/19 13:09:05" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked +id=lup sn=upta time="2019-10-3 8:11:40" fw=10.247.88.138 pri=very-high c=orissu m=794 msg="fic" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action="allow" +id=mmod sn=iti time="2019/10/18 03:14:14" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked +id=mag sn=gelitse time="2019/11/01 10:16:48" fw=10.195.58.44 pri=high c=radip m=413 msg="upta" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606 +id=nostrud sn=cteturad time="2019/11/15 17:19:22" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F +id=imavenia sn=expli time="2019/11/30 00:21:57" fw=10.144.57.239 pri=medium c=rur m=520 msg="itse" n=ilm src=10.167.9.200:4003:lo5561 dst= 10.119.4.120:3822:enp0s234 +oluptate id=lit sn=santi time="2019/12/14 07:24:31" fw=10.211.112.194 pri=low c=uis m=1079 msg="Clientamcis assigned IP:10.221.220.148" n=apar diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index bd92a3aa08a9..627bee6d9545 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -1,17 +1,58 @@ [ { "@timestamp": "2016-01-29T08:09:59.000Z", + "destination.ip": [ + "10.208.15.216" + ], + "destination.port": 4257, + "event.code": "1197", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=nnumqua sn=eacommod time=\"2016/01/29 06:09:59\" fw=10.208.232.8 pri=very-high c=tur m=1197 msg=\"itv\" sess=odoco n=ria src=10.20.234.169:1001:eth5722 dst= 10.208.15.216:4257:lo6125 note= \"ntsunti Protocol:udp\" npcs=ciade", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 0, + "log.original": "itv", + "network.protocol": "udp", + "observer.egress.interface.name": "lo6125", + "observer.ingress.interface.name": "eth5722", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.20.234.169", + "10.208.15.216" + ], + "rsa.db.index": "ciade", + "rsa.internal.messageid": "1197", + "rsa.internal.msg": "itv", + "rsa.network.dinterface": "lo6125", + "rsa.network.sinterface": "eth5722", + "rsa.time.date": "2016/01/29", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.20.234.169" + ], + "source.port": 1001, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-02-12T15:12:33.000Z", "destination.nat.ip": "10.49.111.67", "destination.nat.port": 884, "event.code": "914", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "idi id=pexe sn=nes time=\"2016/01/29 06:09:59\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", + "event.original": "idi id=pexe sn=nes time=\"2016/02/12 13:12:33\" fw=10.254.41.82 pri=low c=Ute m=914 msg=\"lupt\" n=dolore src=10.92.136.230:6437:eth7178:nostrud4819.mail.test dst=10.49.111.67:884:eth3598:oreetdol1714.internal.corp", "fileset.name": "firewall", "host.hostname": "oreetdol1714.internal.corp", "host.name": "nostrud4819.mail.test", "input.type": "log", - "log.offset": 0, + "log.offset": 222, "log.original": "lupt", "observer.egress.interface.name": "eth3598", "observer.ingress.interface.name": "eth7178", @@ -23,14 +64,14 @@ "oreetdol1714.internal.corp" ], "related.ip": [ - "10.92.136.230", - "10.49.111.67" + "10.49.111.67", + "10.92.136.230" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", "rsa.network.dinterface": "eth3598", "rsa.network.sinterface": "eth7178", - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.time.event_time": "2016-02-12T15:12:33.000Z", "service.type": "sonicwall", "source.address": "oreetdol1714.internal.corp", "source.nat.ip": "10.92.136.230", @@ -41,20 +82,20 @@ ] }, { - "@timestamp": "2016-02-12T15:12:33.000Z", + "@timestamp": "2016-02-26T22:15:08.000Z", "event.code": "16", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=umexe sn=estlabo time=\"2016/02/12 13:12:33\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", + "event.original": "id=umexe sn=estlabo time=\"2016/02/26 20:15:08\" fw=10.186.114.123 pri=high c=olupt m=16 Web site accessed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 211, + "log.offset": 433, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "16", - "rsa.time.date": "2016/02/12", - "rsa.time.event_time": "2016-02-12T15:12:33.000Z", + "rsa.time.date": "2016/02/26", + "rsa.time.event_time": "2016-02-26T22:15:08.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -62,7 +103,7 @@ ] }, { - "@timestamp": "2016-02-26T10:15:08.000Z", + "@timestamp": "2016-03-12T05:17:42.000Z", "destination.ip": [ "10.227.15.1" ], @@ -72,12 +113,12 @@ "event.code": "alo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=alo sn=eosquir time=\"2016-2-26 8:15:08\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", + "event.original": "id=alo sn=eosquir time=\"2016-3-12 3:17:42\" fw=10.149.203.46 pri=medium c=mwritten m=1369 msg=\"ctetur\" n=uidolorsrc=10.150.156.22:6378:eth6183dst=10.227.15.1:410:eth1977srcMac=01:00:5e:84:66:6cdstMac=01:00:5e:f7:a9:ffproto=rdp/ommfw_action=\"allow\"", "fileset.name": "firewall", "host.ip": "10.149.203.46", "input.type": "log", "log.level": "medium", - "log.offset": 316, + "log.offset": 538, "network.protocol": "rdp", "observer.egress.interface.name": "eth1977", "observer.ingress.interface.name": "eth6183", @@ -85,9 +126,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ + "10.149.203.46", "10.227.15.1", - "10.150.156.22", - "10.149.203.46" + "10.150.156.22" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -100,8 +141,8 @@ "rsa.misc.severity": "medium", "rsa.network.dinterface": "eth1977", "rsa.network.sinterface": "eth6183", - "rsa.time.date": "2016-2-26", - "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.time.date": "2016-3-12", + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "sonicwall", "source.ip": [ "10.150.156.22" @@ -114,19 +155,19 @@ ] }, { - "@timestamp": "2016-03-12T05:17:42.000Z", + "@timestamp": "2016-03-26T12:20:16.000Z", "event.code": "127", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "emape id=aer sn=lupt time=\"2016/03/12 03:17:42\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", + "event.original": "emape id=aer sn=lupt time=\"2016/03/26 10:20:16\" fw=10.26.46.95 pri=medium c=temvel m=127 PPPoE LCP Link Up", "fileset.name": "firewall", "input.type": "log", - "log.offset": 563, + "log.offset": 785, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "127", - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -134,20 +175,20 @@ ] }, { - "@timestamp": "2016-03-26T12:20:16.000Z", + "@timestamp": "2016-04-09T19:22:51.000Z", "event.code": "170", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=consec sn=taliquip time=\"2016/03/26 10:20:16\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", + "event.original": "id=consec sn=taliquip time=\"2016/04/09 17:22:51\" fw=10.134.172.34 pri=high c=snos m=170 Received a path MTU icmp message from router/gateway", "fileset.name": "firewall", "input.type": "log", - "log.offset": 670, + "log.offset": 892, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "170", - "rsa.time.date": "2016/03/26", - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.time.date": "2016/04/09", + "rsa.time.event_time": "2016-04-09T19:22:51.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -155,17 +196,17 @@ ] }, { - "@timestamp": "2016-04-09T19:22:51.000Z", + "@timestamp": "2016-04-24T02:25:25.000Z", "destination.ip": [ "10.13.70.213" ], "event.code": "372", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tconsec sn=nsequat time=\"2016/04/09 17:22:51\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", + "event.original": "id=tconsec sn=nsequat time=\"2016/04/24 00:25:25\" fw=10.137.246.137 pri=medium c=oluptas m=372 msg=\"llu\" n=uptassi src=10.95.245.65 dst=10.13.70.213", "fileset.name": "firewall", "input.type": "log", - "log.offset": 811, + "log.offset": 1033, "log.original": "llu", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -176,8 +217,8 @@ ], "rsa.internal.messageid": "372", "rsa.internal.msg": "llu", - "rsa.time.date": "2016/04/09", - "rsa.time.event_time": "2016-04-09T19:22:51.000Z", + "rsa.time.date": "2016/04/24", + "rsa.time.event_time": "2016-04-24T02:25:25.000Z", "service.type": "sonicwall", "source.ip": [ "10.95.245.65" @@ -188,19 +229,19 @@ ] }, { - "@timestamp": "2016-04-24T02:25:25.000Z", + "@timestamp": "2016-05-08T09:27:59.000Z", "event.code": "176", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "llamcorp id=ari sn=eataevit time=\"2016/04/24 00:25:25\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", + "event.original": "llamcorp id=ari sn=eataevit time=\"2016/05/08 07:27:59\" fw=10.50.112.141 pri=very-high c=dmi m=176 Fraudulent Microsoft Certificate Blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 959, + "log.offset": 1181, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "176", - "rsa.time.event_time": "2016-04-24T02:25:25.000Z", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -208,19 +249,19 @@ ] }, { - "@timestamp": "2016-05-08T09:27:59.000Z", + "@timestamp": "2016-05-22T16:30:33.000Z", "event.code": "50", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "mquisnos id=loremagn sn=iciade time=\"2016/05/08 07:27:59\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure", + "event.original": "mquisnos id=loremagn sn=iciade time=\"2016/05/22 14:30:33\" fw=10.137.104.79 pri=medium c=mUt m=50 RealAudio decode failure", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1098, + "log.offset": 1320, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "50", - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "rsa.time.event_time": "2016-05-22T16:30:33.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -228,20 +269,20 @@ ] }, { - "@timestamp": "2016-05-22T16:30:33.000Z", + "@timestamp": "2016-06-05T23:33:08.000Z", "event.code": "87", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=aali sn=ametcons time=\"2016/05/22 14:30:33\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", + "event.original": "id=aali sn=ametcons time=\"2016/06/05 21:33:08\" fw=10.244.98.230 pri=low c=iinea m=87 IKE Responder: Accepting IPSec proposal", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1220, + "log.offset": 1442, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "87", - "rsa.time.date": "2016/05/22", - "rsa.time.event_time": "2016-05-22T16:30:33.000Z", + "rsa.time.date": "2016/06/05", + "rsa.time.event_time": "2016-06-05T23:33:08.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -249,19 +290,56 @@ ] }, { - "@timestamp": "2016-06-05T23:33:08.000Z", + "@timestamp": "2016-06-20T06:35:42.000Z", + "destination.ip": [ + "10.16.52.205" + ], + "event.action": "accept", + "event.code": "139", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "emip id=tvol sn=moll time=\"2016/06/20 04:35:42\" fw=10.228.149.225 pri=high c=deomni m=139 msg=\"accept\" n=onse src=10.136.153.149:3788:enp0s2489 dst= 10.16.52.205", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 1567, + "observer.ingress.interface.name": "enp0s2489", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.16.52.205", + "10.136.153.149" + ], + "rsa.internal.messageid": "139", + "rsa.misc.action": [ + "accept" + ], + "rsa.network.sinterface": "enp0s2489", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.136.153.149" + ], + "source.port": 3788, + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", "event.code": "15", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "orsitame id=quiratio sn=ite time=\"2016/06/05 21:33:08\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", + "event.original": "orsitame id=quiratio sn=ite time=\"2016/07/04 11:38:16\" fw=10.72.98.186 pri=very-high c=ercit m=15 Newsgroup blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1345, + "log.offset": 1729, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "15", - "rsa.time.event_time": "2016-06-05T23:33:08.000Z", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -269,20 +347,20 @@ ] }, { - "@timestamp": "2016-06-20T06:35:42.000Z", + "@timestamp": "2016-07-18T20:40:50.000Z", "event.code": "70", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=usan sn=aper time=\"2016/06/20 04:35:42\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", + "event.original": "id=usan sn=aper time=\"2016/07/18 18:40:50\" fw=10.183.16.166 pri=low c=ender m=70 IPSec packet from illegal host", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1461, + "log.offset": 1845, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "70", - "rsa.time.date": "2016/06/20", - "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.time.date": "2016/07/18", + "rsa.time.event_time": "2016-07-18T20:40:50.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -290,23 +368,20 @@ ] }, { - "@timestamp": "2016-07-04T13:38:16.000Z", + "@timestamp": "2016-08-02T03:43:25.000Z", "event.code": "129", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=atquovo sn=iumto time=\"2016/07/04 11:38:16\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", + "event.original": "id=atquovo sn=iumto time=\"2016/08/02 01:43:25\" fw=10.117.18.47 pri=low c=essecill m=129 PPPoE terminated", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 1573, + "log.offset": 1957, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "129", - "rsa.time.date": "2016/07/04", - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.time.date": "2016/08/02", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -314,15 +389,15 @@ ] }, { - "@timestamp": "2016-07-18T08:40:50.000Z", + "@timestamp": "2016-08-16T10:45:59.000Z", "event.action": "cancel", "event.code": "1149", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=undeo sn=loremip time=\"2016-7-18 6:40:50\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", + "event.original": "id=undeo sn=loremip time=\"2016-8-16 8:45:59\" fw=10.134.0.141 pri=very-high c=uis m=1149 msg=\"idolore\" n=onse fw_action=\"cancel\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1679, + "log.offset": 2062, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", @@ -331,8 +406,8 @@ "rsa.misc.action": [ "cancel" ], - "rsa.time.date": "2016-7-18", - "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.time.date": "2016-8-16", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -340,20 +415,20 @@ ] }, { - "@timestamp": "2016-08-02T03:43:25.000Z", + "@timestamp": "2016-08-30T17:48:33.000Z", "event.code": "81", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=rveli sn=rsint time=\"2016/08/02 01:43:25\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", + "event.original": "id=rveli sn=rsint time=\"2016/08/30 15:48:33\" fw=10.172.146.234 pri=very-high c=Nemoeni m=81 Smurf Amplification Attack Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1807, + "log.offset": 2190, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "81", - "rsa.time.date": "2016/08/02", - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.time.date": "2016/08/30", + "rsa.time.event_time": "2016-08-30T17:48:33.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -361,23 +436,23 @@ ] }, { - "@timestamp": "2016-08-16T10:45:59.000Z", + "@timestamp": "2016-09-14T00:51:07.000Z", "event.code": "1110", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=qua sn=luptatev time=\"2016/08/16 08:45:59\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", + "event.original": "id=qua sn=luptatev time=\"2016/09/13 22:51:07\" fw=10.123.104.59 pri=low c=elaudant m=1110 msg=\"tinvol\" n=lores", "fileset.name": "firewall", "input.type": "log", - "log.offset": 1934, - "log.original": "tinvol", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 2317, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "1110", - "rsa.internal.msg": "tinvol", - "rsa.misc.space": "", - "rsa.time.date": "2016/08/16", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.time.date": "2016/09/13", + "rsa.time.event_time": "2016-09-14T00:51:07.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -385,20 +460,20 @@ ] }, { - "@timestamp": "2016-08-30T17:48:33.000Z", + "@timestamp": "2016-09-28T07:53:42.000Z", "event.code": "10", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatiset sn=eprehen time=\"2016/08/30 15:48:33\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", + "event.original": "id=tatiset sn=eprehen time=\"2016/09/28 05:53:42\" fw=10.117.146.33 pri=high c=entsu m=10 Problem loading the Filter list; check Filter settings", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2046, + "log.offset": 2427, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "10", - "rsa.time.date": "2016/08/30", - "rsa.time.event_time": "2016-08-30T17:48:33.000Z", + "rsa.time.date": "2016/09/28", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -406,16 +481,16 @@ ] }, { - "@timestamp": "2016-09-14T00:51:07.000Z", + "@timestamp": "2016-10-12T14:56:16.000Z", "destination.nat.ip": "10.30.196.102", "event.code": "353", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=aliq sn=rsitam time=\"2016/09/13 22:51:07\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", + "event.original": "id=aliq sn=rsitam time=\"2016/10/12 12:56:16\" fw=10.79.33.129 pri=high c=umdolo m=353 msg=\"onproide\" n=Nemoen src=10.241.178.107 dst=10.30.196.102 dstname=fugi4637.www.lan lifeSeconds=imadmini\"", "fileset.name": "firewall", "host.hostname": "fugi4637.www.lan", "input.type": "log", - "log.offset": 2189, + "log.offset": 2570, "log.original": "onproide", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -424,15 +499,15 @@ "fugi4637.www.lan" ], "related.ip": [ - "10.241.178.107", - "10.30.196.102" + "10.30.196.102", + "10.241.178.107" ], "rsa.internal.messageid": "353", "rsa.internal.msg": "onproide", "rsa.misc.misc": "imadmini", "rsa.misc.ntype": "Nemoen", - "rsa.time.date": "2016/09/13", - "rsa.time.event_time": "2016-09-14T00:51:07.000Z", + "rsa.time.date": "2016/10/12", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "sonicwall", "source.address": "fugi4637.www.lan", "source.nat.ip": "10.241.178.107", @@ -442,20 +517,20 @@ ] }, { - "@timestamp": "2016-09-28T07:53:42.000Z", + "@timestamp": "2016-10-26T21:58:50.000Z", "event.code": "68", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=itecto sn=erc time=\"2016/09/28 05:53:42\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", + "event.original": "id=itecto sn=erc time=\"2016/10/26 19:58:50\" fw=10.69.57.206 pri=high c=nsec m=68 IPSec Decryption Failed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2382, + "log.offset": 2763, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "68", - "rsa.time.date": "2016/09/28", - "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.time.date": "2016/10/26", + "rsa.time.event_time": "2016-10-26T21:58:50.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -463,16 +538,16 @@ ] }, { - "@timestamp": "2016-10-12T14:56:16.000Z", + "@timestamp": "2016-11-10T05:01:24.000Z", "destination.nat.ip": "10.78.151.178", "destination.nat.port": 3088, "event.code": "24", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tat sn=tion time=\"2016/10/12 12:56:16\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"", + "event.original": "id=tat sn=tion time=\"2016/11/10 03:01:24\" fw=10.53.150.119 pri=medium c=uasia m=24 msg=\"emp\" n=aperia src=10.157.161.103:383 dst=10.78.151.178:3088 note=\"taut\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2487, + "log.offset": 2868, "log.original": "emp", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -484,8 +559,8 @@ "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", "rsa.internal.msg": "emp", - "rsa.time.date": "2016/10/12", - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.time.date": "2016/11/10", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", "service.type": "sonicwall", "source.nat.ip": "10.157.161.103", "source.nat.port": 383, @@ -495,17 +570,51 @@ ] }, { - "@timestamp": "2016-10-26T21:58:50.000Z", + "@timestamp": "2016-11-24T12:03:59.000Z", + "destination.ip": [ + "10.206.136.206" + ], + "destination.port": 4108, + "event.code": "242", + "event.dataset": "sonicwall.firewall", + "event.module": "sonicwall", + "event.original": "id=tati sn=utaliqu time=\"2016/11/24 10:03:59\" fw=10.53.187.44 pri=high c=iadese m=242 msg=\"imidest\" n=emagnama src= 10.153.136.222 dst= 10.206.136.206:4108", + "fileset.name": "firewall", + "input.type": "log", + "log.offset": 3028, + "log.original": "imidest", + "observer.product": "Firewalls", + "observer.type": "Firewall", + "observer.vendor": "Sonicwall", + "related.ip": [ + "10.153.136.222", + "10.206.136.206" + ], + "rsa.internal.messageid": "242", + "rsa.internal.msg": "imidest", + "rsa.time.date": "2016/11/24", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "service.type": "sonicwall", + "source.ip": [ + "10.153.136.222" + ], + "tags": [ + "sonicwall.firewall", + "forwarded" + ] + }, + { + "@timestamp": "2016-12-08T19:06:33.000Z", "destination.ip": [ "10.239.201.234" ], "event.code": "87", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nidolo sn=tatn time=\"2016/10/26 19:58:50\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", + "event.original": "id=nidolo sn=tatn time=\"2016/12/08 17:06:33\" fw=10.18.109.121 pri=very-high c=dolo m=87 msg=\"Loremip\" n=idolor src=10.204.11.20 dst=10.239.201.234", "fileset.name": "firewall", "input.type": "log", - "log.offset": 2647, + "log.offset": 3184, "log.original": "Loremip", "observer.product": "Firewalls", "observer.type": "Firewall", @@ -516,8 +625,8 @@ ], "rsa.internal.messageid": "87", "rsa.internal.msg": "Loremip", - "rsa.time.date": "2016/10/26", - "rsa.time.event_time": "2016-10-26T21:58:50.000Z", + "rsa.time.date": "2016/12/08", + "rsa.time.event_time": "2016-12-08T19:06:33.000Z", "service.type": "sonicwall", "source.ip": [ "10.204.11.20" @@ -528,7 +637,7 @@ ] }, { - "@timestamp": "2016-11-10T05:01:24.000Z", + "@timestamp": "2016-12-23T14:09:07.000Z", "destination.ip": [ "10.219.116.137" ], @@ -538,12 +647,12 @@ "event.code": "quip", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quip sn=mporain time=\"2016-11-10 3:01:24\" fw=10.34.161.166 pri=very-high c=sequi m=428 msg=\"rehend\" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action=\"accept\"", + "event.original": "id=quip sn=mporain time=\"2016-12-23 12:09:07\" fw=10.34.161.166 pri=very-high c=sequi m=428 msg=\"rehend\" n=tio src=10.245.200.97:3768:eth4059 dst=10.219.116.137:3452:enp0s3611 srcMac= 01:00:5e:1a:ec:91 dstMac=01:00:5e:e1:73:47 proto=icmp fw_action=\"accept\"", "fileset.name": "firewall", "host.ip": "10.34.161.166", "input.type": "log", "log.level": "very-high", - "log.offset": 2794, + "log.offset": 3331, "network.protocol": "icmp", "observer.egress.interface.name": "enp0s3611", "observer.ingress.interface.name": "eth4059", @@ -566,13 +675,13 @@ "rsa.misc.severity": "very-high", "rsa.network.dinterface": "enp0s3611", "rsa.network.sinterface": "eth4059", - "rsa.time.date": "2016-11-10", - "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.time.date": "2016-12-23", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", "service.type": "sonicwall", "source.ip": [ "10.245.200.97" ], - "source.mac": " 01:00:5e:1a:ec:91", + "source.mac": "01:00:5e:1a:ec:91", "source.port": 3768, "tags": [ "sonicwall.firewall", @@ -580,32 +689,30 @@ ] }, { - "@timestamp": "2016-11-24T12:03:59.000Z", + "@timestamp": "2017-01-06T09:11:41.000Z", "destination.ip": [ "10.252.122.195" ], "event.code": "401", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=idex sn=xerci time=\"2016/11/24 10:03:59\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib ", + "event.original": "id=idex sn=xerci time=\"2017/01/06 07:11:41\" fw=10.84.206.79 pri=high c=uipe m=401 msg=\"inesci\" n=serror src=10.118.80.140 dst=10.252.122.195 dstname=eFinib", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3050, + "log.offset": 3587, "log.original": "inesci", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.252.122.195", - "10.118.80.140" + "10.118.80.140", + "10.252.122.195" ], "rsa.internal.messageid": "401", "rsa.internal.msg": "inesci", - "rsa.time.date": "2016/11/24", - "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.misc.name": "eFinib", + "rsa.time.date": "2017/01/06", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "sonicwall", "source.ip": [ "10.118.80.140" @@ -616,20 +723,20 @@ ] }, { - "@timestamp": "2016-12-08T19:06:33.000Z", + "@timestamp": "2017-01-20T16:14:16.000Z", "event.code": "143", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ari sn=exercit time=\"2016/12/08 17:06:33\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", + "event.original": "id=ari sn=exercit time=\"2017/01/20 14:14:16\" fw=10.220.244.59 pri=high c=oluptate m=143 Backup firewall has transitioned to Active", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3207, + "log.offset": 3743, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "143", - "rsa.time.date": "2016/12/08", - "rsa.time.event_time": "2016-12-08T19:06:33.000Z", + "rsa.time.date": "2017/01/20", + "rsa.time.event_time": "2017-01-20T16:14:16.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -637,20 +744,20 @@ ] }, { - "@timestamp": "2016-12-23T02:09:07.000Z", + "@timestamp": "2017-02-03T23:16:50.000Z", "event.code": "104", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=serunt sn=aquaeabi time=\"2016/12/23 00:09:07\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", + "event.original": "id=serunt sn=aquaeabi time=\"2017/02/03 21:16:50\" fw=10.171.157.74 pri=high c=emoe m=104 Retransmitting DHCP REQUEST (Verifying).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3338, + "log.offset": 3874, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "104", - "rsa.time.date": "2016/12/23", - "rsa.time.event_time": "2016-12-23T02:09:07.000Z", + "rsa.time.date": "2017/02/03", + "rsa.time.event_time": "2017-02-03T23:16:50.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -658,20 +765,20 @@ ] }, { - "@timestamp": "2017-01-06T09:11:41.000Z", + "@timestamp": "2017-02-18T06:19:24.000Z", "event.code": "156", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=veniamq sn=one time=\"2017/01/06 07:11:41\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", + "event.original": "id=veniamq sn=one time=\"2017/02/18 04:19:24\" fw=10.4.26.208 pri=very-high c=reseos m=156 Backup received heartbeat from wrong source", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3467, + "log.offset": 4003, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "156", - "rsa.time.date": "2017/01/06", - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.time.date": "2017/02/18", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -679,20 +786,20 @@ ] }, { - "@timestamp": "2017-01-20T16:14:16.000Z", + "@timestamp": "2017-03-04T13:21:59.000Z", "event.code": "132", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tin sn=tenima time=\"2017/01/20 14:14:16\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", + "event.original": "id=tin sn=tenima time=\"2017/03/04 11:21:59\" fw=10.241.177.156 pri=medium c=proide m=132 PPPoE discovery process complete", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3600, + "log.offset": 4136, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "132", - "rsa.time.date": "2017/01/20", - "rsa.time.event_time": "2017-01-20T16:14:16.000Z", + "rsa.time.date": "2017/03/04", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -700,46 +807,64 @@ ] }, { - "@timestamp": "2017-02-03T23:16:50.000Z", - "event.code": "867", + "@timestamp": "2017-03-18T08:24:33.000Z", + "destination.ip": [ + "10.30.153.159" + ], + "destination.port": 6843, + "event.action": "cancel", + "event.code": "794", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=equat sn=derit time=\"2017/02/03 21:16:50\" fw=10.90.86.89 pri=medium c=labor m=867 msg=\"didunt\" sess=uptatema n=intocc", + "event.original": "id=tmollita sn=fde time=\"2017-3-18 6:24:33\" fw=10.149.89.126 pri=high c=abo m=794 msg=\"veniamqu\" sid=nse spycat=non spypri=paquioff pktdatId=mquisnos n=maven src=10.86.101.235:3266:lo6501 dst=10.30.153.159:6843:enp0s6487 proto=icmp/eporr fw_action=\"cancel\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3721, - "log.original": "didunt", + "log.offset": 4257, + "network.protocol": "icmp", + "observer.egress.interface.name": "enp0s6487", + "observer.ingress.interface.name": "lo6501", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "867", - "rsa.internal.msg": "didunt", - "rsa.misc.ntype": "intocc", - "rsa.time.date": "2017/02/03", - "rsa.time.event_time": "2017-02-03T23:16:50.000Z", + "related.ip": [ + "10.30.153.159", + "10.86.101.235" + ], + "rsa.identity.user_sid_dst": "nse", + "rsa.internal.event_desc": "veniamqu", + "rsa.internal.messageid": "794", + "rsa.misc.action": [ + "cancel" + ], + "rsa.network.dinterface": "enp0s6487", + "rsa.network.sinterface": "lo6501", + "rsa.time.date": "2017-3-18", + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.86.101.235" + ], + "source.port": 3266, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2017-02-18T06:19:24.000Z", - "event.code": "129", + "@timestamp": "2017-04-02T03:27:07.000Z", + "event.code": "133", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "eporr id=xeacomm sn=mveleu time=\"2017/02/18 04:19:24\" fw=10.149.128.155 pri=high c=temvel m=129 PPPoE terminated", + "event.original": "id=aturQui sn=utlabor time=\"2017/04/02 01:27:07\" fw=10.38.249.71 pri=low c=mfugiat m=133 PPPoE starting CHAP Authentication", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 3842, + "log.offset": 4514, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "129", - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.internal.messageid": "133", + "rsa.time.date": "2017/04/02", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -747,20 +872,20 @@ ] }, { - "@timestamp": "2017-03-04T13:21:59.000Z", - "event.code": "113", + "@timestamp": "2017-04-16T10:29:41.000Z", + "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nisi sn=dant time=\"2017/03/04 11:21:59\" fw=10.14.211.43 pri=high c=eiu m=113 DHCP Client sending REQUEST and going to REBIND state.", + "event.original": "id=tvolu sn=ecte time=\"2017/04/16 08:29:41\" fw=10.130.14.60 pri=low c=iciadese m=9 No new Filter list available", "fileset.name": "firewall", "input.type": "log", - "log.offset": 3956, + "log.offset": 4638, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "113", - "rsa.time.date": "2017/03/04", - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.internal.messageid": "9", + "rsa.time.date": "2017/04/16", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -768,114 +893,88 @@ ] }, { - "@timestamp": "2017-03-18T20:24:33.000Z", + "@timestamp": "2017-04-30T17:32:16.000Z", "destination.ip": [ - "10.237.163.139" + "10.162.172.28" ], - "destination.port": 4402, - "event.code": "882", + "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=quidolor sn=tessec time=\"2017/03/18 18:24:33\" fw=10.135.160.125 pri=low c=icabo m=882 msg=\"itatio\" n=uta src=10.135.187.104:7557:enp0s6614 dst=10.237.163.139:4402:eth1612 proto=igmp", + "event.original": "olupta id=litse sn=icabo time=\"2017/04/30 15:32:16\" fw=10.89.208.95 pri=low c=llumdolo m=255 msg=\"nre\" n=ercitat src=10.237.163.139 dst=10.162.172.28", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4091, - "log.original": "itatio", - "network.protocol": "igmp", - "observer.egress.interface.name": "eth1612", - "observer.ingress.interface.name": "enp0s6614", + "log.offset": 4750, + "log.original": "nre", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.135.187.104", - "10.237.163.139" + "10.237.163.139", + "10.162.172.28" ], - "rsa.internal.messageid": "882", - "rsa.internal.msg": "itatio", - "rsa.network.dinterface": "eth1612", - "rsa.network.sinterface": "enp0s6614", - "rsa.time.date": "2017/03/18", - "rsa.time.event_time": "2017-03-18T20:24:33.000Z", + "rsa.internal.messageid": "255", + "rsa.internal.msg": "nre", + "rsa.time.event_time": "2017-04-30T17:32:16.000Z", "service.type": "sonicwall", "source.ip": [ - "10.135.187.104" + "10.237.163.139" ], - "source.port": 7557, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2017-04-02T03:27:07.000Z", - "event.code": "139", + "@timestamp": "2017-05-15T00:34:50.000Z", + "event.action": "allow", + "event.code": "31", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=Nequepor sn=ali time=\"2017/04/02 01:27:07\" fw=10.252.74.209 pri=low c=sintocc m=139 XAUTH Failed", + "event.original": "ionevo id=ugiatnu sn=ciati time=\"2017/05/14 22:34:50\" fw=10.184.122.157 pri=medium c=scivelit m=31 msg=\"allow\" n=ehen src=10.191.23.41:1493:eth4488 dst= 10.250.47.252 ", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4276, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "139", - "rsa.time.date": "2017/04/02", - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", - "service.type": "sonicwall", - "tags": [ - "sonicwall.firewall", - "forwarded" - ] - }, - { - "@timestamp": "2017-04-16T10:29:41.000Z", - "destination.ip": [ - "10.248.101.25" - ], - "event.code": "372", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=ehen sn=tate time=\"2017/04/16 08:29:41\" fw=10.140.167.6 pri=low c=stquido m=372 msg=\"ommodico\" n=ptas src=10.60.129.15 dst=10.248.101.25", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4376, - "log.original": "ommodico", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 4900, + "observer.ingress.interface.name": "eth4488", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.191.23.41" ], - "rsa.internal.messageid": "372", - "rsa.internal.msg": "ommodico", - "rsa.time.date": "2017/04/16", - "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.internal.messageid": "31", + "rsa.misc.action": [ + "allow" + ], + "rsa.network.sinterface": "eth4488", + "rsa.time.event_time": "2017-05-15T00:34:50.000Z", "service.type": "sonicwall", "source.ip": [ - "10.60.129.15" + "10.191.23.41" ], + "source.port": 1493, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2017-04-30T17:32:16.000Z", - "event.code": "136", + "@timestamp": "2017-05-29T07:37:24.000Z", + "event.code": "12", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=Nequepo sn=ipsumd time=\"2017/04/30 15:32:16\" fw=10.48.126.147 pri=medium c=nevo m=136 PPPoE PAP Authentication Failed", + "event.original": "id=pta sn=tetu time=\"2017/05/29 05:37:24\" fw=10.101.57.134 pri=low c=Nequepo m=12 Problem sending log email; check log settings", "fileset.name": "firewall", "input.type": "log", - "log.offset": 4516, + "log.offset": 5068, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "136", - "rsa.time.date": "2017/04/30", - "rsa.time.event_time": "2017-04-30T17:32:16.000Z", + "rsa.internal.messageid": "12", + "rsa.time.date": "2017/05/29", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "service.type": "sonicwall", "tags": [ "sonicwall.firewall", @@ -883,108 +982,56 @@ ] }, { - "@timestamp": "2017-05-15T00:34:50.000Z", - "event.code": "1079", + "@timestamp": "2017-06-12T14:39:58.000Z", + "destination.nat.ip": "10.111.187.12", + "destination.nat.port": 3577, + "event.code": "994", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=reetdolo sn=smo time=\"2017/05/14 22:34:50\" fw=10.107.31.179 pri=high c=uamest m=1079 msg=\"Clienttcois assigned IP:10.14.111.221\" n=itam", + "event.original": "ntocc id=uteirure sn=nevo time=\"2017/06/12 12:39:58\" fw=10.226.23.214 pri=very-high c=adip m=994 msg=\"tium\" n=nnum usr=tenbyCi src=10.16.72.220:1842 dst=10.111.187.12:3577 note=\"quinesc\"", "fileset.name": "firewall", - "host.ip": "10.14.111.221", "input.type": "log", - "log.offset": 4637, + "log.offset": 5196, + "log.original": "tium", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.14.111.221" + "10.16.72.220", + "10.111.187.12" ], "related.user": [ - "tco" - ], - "rsa.internal.messageid": "1079", - "rsa.misc.space": "", - "rsa.time.date": "2017/05/14", - "rsa.time.event_time": "2017-05-15T00:34:50.000Z", - "service.type": "sonicwall", - "tags": [ - "sonicwall.firewall", - "forwarded" + "tenbyCi" ], - "user.name": "tco" - }, - { - "@timestamp": "2017-05-29T07:37:24.000Z", - "event.code": "76", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "santiumd id=turadip sn=uatD time=\"2017/05/29 05:37:24\" fw=10.31.77.157 pri=low c=nci m=76 Ripper Attack Dropped", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4780, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "76", - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", - "service.type": "sonicwall", - "tags": [ - "sonicwall.firewall", - "forwarded" - ] - }, - { - "@timestamp": "2017-06-12T14:39:58.000Z", - "event.code": "29", - "event.dataset": "sonicwall.firewall", - "event.module": "sonicwall", - "event.original": "id=volu sn=nonn time=\"2017/06/12 12:39:58\" fw=10.55.88.154 pri=very-high c=rrorsi m=29 Successful administrator login", - "fileset.name": "firewall", - "input.type": "log", - "log.offset": 4892, - "observer.product": "Firewalls", - "observer.type": "Firewall", - "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "29", - "rsa.time.date": "2017/06/12", + "rsa.internal.event_desc": "quinesc", + "rsa.internal.messageid": "994", + "rsa.internal.msg": "tium", "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.16.72.220", + "source.nat.port": 1842, "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "tenbyCi" }, { "@timestamp": "2017-06-26T21:42:33.000Z", - "destination.ip": [ - "10.14.1.45" - ], - "destination.port": 4499, - "event.code": "196", + "event.code": "7", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=sBon sn=orro time=\"2017/06/26 19:42:33\" fw=10.34.194.149 pri=medium c=ten m=196 msg=\"vita\" n=fugiatnu src=10.126.34.82 dst=10.14.1.45 sport=3142 dport=4499 sent=2224 cmd=HEAD", + "event.original": "id=tur sn=roi time=\"2017/06/26 19:42:33\" fw=10.106.31.86 pri=low c=sno m=7 Log full; deactivating SonicWALL", "fileset.name": "firewall", - "http.request.method": "HEAD", "input.type": "log", - "log.offset": 5010, - "log.original": "vita", + "log.offset": 5383, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.14.1.45", - "10.126.34.82" - ], - "rsa.internal.messageid": "196", - "rsa.internal.msg": "vita", + "rsa.internal.messageid": "7", "rsa.time.date": "2017/06/26", "rsa.time.event_time": "2017-06-26T21:42:33.000Z", "service.type": "sonicwall", - "source.bytes": 2224, - "source.ip": [ - "10.126.34.82" - ], - "source.port": 3142, "tags": [ "sonicwall.firewall", "forwarded" @@ -992,55 +1039,60 @@ }, { "@timestamp": "2017-07-11T04:45:07.000Z", - "destination.nat.ip": "10.101.74.44", - "destination.nat.port": 2134, - "event.code": "998", + "event.code": "866", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "amvo id=qui sn=tasn time=\"2017/07/11 02:45:07\" fw=10.243.138.88 pri=high c=Sedutp m=998 msg=\"utp\" n=ema usr=rsitv src=10.251.20.13:264 dst=10.101.74.44:2134 note=\"quin\"", + "event.original": "ntocca id=ostru sn=ntoccae time=\"2017/07/11 02:45:07\" fw=10.35.99.92 pri=medium c=iatisu m=866 msg=\"sec\" sess=cons n=sBon", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5189, - "log.original": "utp", + "log.offset": 5491, + "log.original": "sec", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.251.20.13", - "10.101.74.44" - ], - "related.user": [ - "rsitv" - ], - "rsa.internal.event_desc": "quin", - "rsa.internal.messageid": "998", - "rsa.internal.msg": "utp", + "rsa.internal.messageid": "866", + "rsa.internal.msg": "sec", + "rsa.misc.ntype": "sBon", "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.251.20.13", - "source.nat.port": 264, "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "rsitv" + ] }, { "@timestamp": "2017-07-25T11:47:41.000Z", - "event.code": "9", + "destination.ip": [ + "10.131.61.13" + ], + "event.action": "accept", + "event.code": "538", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tvolupt sn=eufugi time=\"2017/07/25 09:47:41\" fw=10.201.171.120 pri=low c=utpe m=9 No new Filter list available", + "event.original": "id=ten sn=vita time=\"2017/07/25 09:47:41\" fw=10.35.5.16 pri=high c=emaccusa m=538 msg=\"accept\" n=qui src=10.143.76.137:1414:lo3470 dst= 10.131.61.13", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5358, + "log.offset": 5613, + "observer.ingress.interface.name": "lo3470", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "9", + "related.ip": [ + "10.143.76.137", + "10.131.61.13" + ], + "rsa.internal.messageid": "538", + "rsa.misc.action": [ + "accept" + ], + "rsa.network.sinterface": "lo3470", "rsa.time.date": "2017/07/25", "rsa.time.event_time": "2017-07-25T11:47:41.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.143.76.137" + ], + "source.port": 1414, "tags": [ "sonicwall.firewall", "forwarded" @@ -1048,19 +1100,42 @@ }, { "@timestamp": "2017-08-08T18:50:15.000Z", - "event.code": "40", + "destination.address": "Nemoenim2039.api.localhost", + "destination.nat.ip": "10.77.129.130", + "destination.nat.port": 6604, + "event.code": "793", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "temqu id=ovol sn=ptasn time=\"2017/08/08 16:50:15\" fw=10.101.187.122 pri=very-high c=str m=40 IPSec packet dropped", + "event.original": "id=evolu sn=ersp time=\"2017/08/08 16:50:15\" fw=10.64.221.30 pri=medium c=inven m=793 msg=\"osquira\" af_polid=tes af_policy=\"mquame\" af_type=\"nihilmol\" af_service=\"xercita\" af_action=\"trud\" n=eriti src=10.99.0.226:2984:eth1766:sequatu341.mail.invalid dst=10.77.129.130:6604:enp0s4138:Nemoenim2039.api.localhost", "fileset.name": "firewall", + "host.hostname": "sequatu341.mail.invalid", "input.type": "log", - "log.offset": 5472, + "log.offset": 5762, + "log.original": "osquira", + "observer.egress.interface.name": "enp0s4138", + "observer.ingress.interface.name": "eth1766", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "40", + "related.hosts": [ + "Nemoenim2039.api.localhost", + "sequatu341.mail.invalid" + ], + "related.ip": [ + "10.77.129.130", + "10.99.0.226" + ], + "rsa.internal.messageid": "793", + "rsa.internal.msg": "osquira", + "rsa.network.dinterface": "enp0s4138", + "rsa.network.host_dst": "Nemoenim2039.api.localhost", + "rsa.network.sinterface": "eth1766", + "rsa.time.date": "2017/08/08", "rsa.time.event_time": "2017-08-08T18:50:15.000Z", "service.type": "sonicwall", + "source.address": "sequatu341.mail.invalid", + "source.nat.ip": "10.99.0.226", + "source.nat.port": 2984, "tags": [ "sonicwall.firewall", "forwarded" @@ -1068,17 +1143,20 @@ }, { "@timestamp": "2017-08-23T01:52:50.000Z", - "event.code": "163", + "event.code": "905", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=pid sn=illoin time=\"2017/08/22 23:52:50\" fw=10.130.38.118 pri=low c=natuse m=163 Disconnecting PPPoE due to traffic timeout", + "event.original": "id=nbyCic sn=utlabor time=\"2017/08/22 23:52:50\" fw=10.27.251.77 pri=medium c=ine m=905 msg=\"lup\" n=tatemUt", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5586, + "log.offset": 6071, + "log.original": "lup", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "163", + "rsa.internal.messageid": "905", + "rsa.internal.msg": "lup", + "rsa.misc.ntype": "tatemUt", "rsa.time.date": "2017/08/22", "rsa.time.event_time": "2017-08-23T01:52:50.000Z", "service.type": "sonicwall", @@ -1089,17 +1167,17 @@ }, { "@timestamp": "2017-09-06T08:55:24.000Z", - "event.code": "147", + "event.code": "94", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mestq sn=temUt time=\"2017/09/06 06:55:24\" fw=10.233.239.112 pri=high c=pexe m=147 Backup missed heartbeats from Active Primary: Backup going Active", + "event.original": "id=quovol sn=nve time=\"2017/09/06 06:55:24\" fw=10.104.201.10 pri=very-high c=ccaecat m=94 Diagnostic Code B", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5713, + "log.offset": 6178, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "147", + "rsa.internal.messageid": "94", "rsa.time.date": "2017/09/06", "rsa.time.event_time": "2017-09-06T08:55:24.000Z", "service.type": "sonicwall", @@ -1110,31 +1188,22 @@ }, { "@timestamp": "2017-09-20T15:57:58.000Z", - "event.code": "441", + "event.code": "565", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=adeser sn=oin time=\"2017/09/20 13:57:58\" fw=10.95.66.217 pri=very-high c=fugitsed m=441 msg=\"quam\" n=quid src=10.1.36.97:3628:enp0s3962 dst= 10.107.251.87:6337:lo3319 ", + "event.original": "tau id=exercita sn=ris time=\"2017/09/20 13:57:58\" fw=10.84.25.23 pri=high c=boree m=565 msg=\"intoc\" n=ncidi", "fileset.name": "firewall", "input.type": "log", - "log.offset": 5864, - "log.original": "quam", - "observer.ingress.interface.name": "enp0s3962", + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 6286, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.1.36.97" - ], - "rsa.internal.messageid": "441", - "rsa.internal.msg": "quam", - "rsa.network.sinterface": "enp0s3962", - "rsa.time.date": "2017/09/20", + "rsa.internal.messageid": "565", "rsa.time.event_time": "2017-09-20T15:57:58.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.1.36.97" - ], - "source.port": 3628, "tags": [ "sonicwall.firewall", "forwarded" @@ -1142,17 +1211,17 @@ }, { "@timestamp": "2017-10-04T23:00:32.000Z", - "event.code": "34", + "event.code": "37", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "reetdol id=totamre sn=isnostr time=\"2017/10/04 21:00:32\" fw=10.203.153.38 pri=very-high c=adipisc m=34 Login screen timed out", + "event.original": "irat id=onev sn=aturauto time=\"2017/10/04 21:00:32\" fw=10.218.243.47 pri=very-high c=oremi m=37 UDP packet dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6038, + "log.offset": 6394, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "34", + "rsa.internal.messageid": "37", "rsa.time.event_time": "2017-10-04T23:00:32.000Z", "service.type": "sonicwall", "tags": [ @@ -1162,34 +1231,20 @@ }, { "@timestamp": "2017-10-19T06:03:07.000Z", - "destination.ip": [ - "10.216.125.252" - ], - "event.code": "402", + "event.code": "4", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "psaquaea id=taevita sn=ameiusm time=\"2017/10/19 04:03:07\" fw=10.227.15.253 pri=high c=piscinge m=402 msg=\"tvol\" n=velitess src=10.54.14.189 dst=10.216.125.252 dstname=sit ", + "event.original": "id=temUt sn=olor time=\"2017/10/19 04:03:07\" fw=10.19.10.148 pri=low c=niamqui m=4 SonicWALL activated", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 6164, - "log.original": "tvol", + "log.offset": 6509, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.216.125.252", - "10.54.14.189" - ], - "rsa.internal.messageid": "402", - "rsa.internal.msg": "tvol", + "rsa.internal.messageid": "4", + "rsa.time.date": "2017/10/19", "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.54.14.189" - ], "tags": [ "sonicwall.firewall", "forwarded" @@ -1197,42 +1252,20 @@ }, { "@timestamp": "2017-11-02T13:05:41.000Z", - "destination.address": "ise5905.www.local", - "destination.nat.ip": "10.53.113.23", - "destination.nat.port": 4027, - "event.code": "1154", + "event.code": "156", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "elitse id=ima sn=quasia time=\"2017/11/02 11:05:41\" fw=10.150.107.25 pri=low c=uptate m=1154 msg=\"mac\" sid=iumdol appcat=tpersp appid=stla n=uptatema src=10.97.124.211:6198:eth5313:tiaec5551.www.local dst=10.53.113.23:4027:lo1918:ise5905.www.local", + "event.original": "id=ess sn=ipisci time=\"2017/11/02 11:05:41\" fw=10.113.95.59 pri=very-high c=reprehen m=156 Backup received heartbeat from wrong source", "fileset.name": "firewall", - "host.hostname": "tiaec5551.www.local", "input.type": "log", - "log.offset": 6336, - "log.original": "mac", - "observer.egress.interface.name": "lo1918", - "observer.ingress.interface.name": "eth5313", + "log.offset": 6611, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.hosts": [ - "tiaec5551.www.local", - "ise5905.www.local" - ], - "related.ip": [ - "10.53.113.23", - "10.97.124.211" - ], - "rsa.identity.user_sid_dst": "iumdol", - "rsa.internal.messageid": "1154", - "rsa.internal.msg": "mac", - "rsa.network.dinterface": "lo1918", - "rsa.network.host_dst": "ise5905.www.local", - "rsa.network.sinterface": "eth5313", + "rsa.internal.messageid": "156", + "rsa.time.date": "2017/11/02", "rsa.time.event_time": "2017-11-02T13:05:41.000Z", "service.type": "sonicwall", - "source.address": "tiaec5551.www.local", - "source.nat.ip": "10.97.124.211", - "source.nat.port": 6198, "tags": [ "sonicwall.firewall", "forwarded" @@ -1240,20 +1273,36 @@ }, { "@timestamp": "2017-11-16T20:08:15.000Z", - "event.code": "135", + "destination.ip": [ + "10.192.27.157" + ], + "event.action": "accept", + "event.code": "140", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=asiarc sn=ian time=\"2017/11/16 18:08:15\" fw=10.53.165.209 pri=medium c=nBCSedut m=135 PPPoE CHAP Authentication Failed", + "event.original": "luptate id=persp sn=entsunt time=\"2017/11/16 18:08:15\" fw=10.206.107.211 pri=low c=fugi m=140 msg=\"accept\" n=inci src=10.230.173.4:2631:enp0s5632 dst= 10.192.27.157", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6583, + "log.offset": 6746, + "observer.ingress.interface.name": "enp0s5632", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "135", - "rsa.time.date": "2017/11/16", + "related.ip": [ + "10.192.27.157", + "10.230.173.4" + ], + "rsa.internal.messageid": "140", + "rsa.misc.action": [ + "accept" + ], + "rsa.network.sinterface": "enp0s5632", "rsa.time.event_time": "2017-11-16T20:08:15.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.230.173.4" + ], + "source.port": 2631, "tags": [ "sonicwall.firewall", "forwarded" @@ -1261,39 +1310,20 @@ }, { "@timestamp": "2017-12-01T03:10:49.000Z", - "destination.ip": [ - "10.64.229.79" - ], - "destination.port": 3620, - "event.code": "83", + "event.code": "118", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=intocc sn=amcorp time=\"2017/12/01 01:10:49\" fw=10.57.57.241 pri=low c=litani m=83 msg=\"utodita\" sess=aec n=fdeF src=10.187.201.250:5504:eth2003 dst=10.64.229.79:3620:eth41 note=\"tiaec\" npcs=rumwrit", + "event.original": "id=cusant sn=atemq time=\"2017/12/01 01:10:49\" fw=10.136.31.188 pri=high c=borios m=118 Sending DHCP REQUEST (Verifying).", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6705, - "log.original": "utodita", - "observer.egress.interface.name": "eth41", - "observer.ingress.interface.name": "eth2003", + "log.offset": 6911, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.64.229.79", - "10.187.201.250" - ], - "rsa.db.index": "rumwrit", - "rsa.internal.messageid": "83", - "rsa.internal.msg": "utodita", - "rsa.network.dinterface": "eth41", - "rsa.network.sinterface": "eth2003", + "rsa.internal.messageid": "118", "rsa.time.date": "2017/12/01", "rsa.time.event_time": "2017-12-01T03:10:49.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.187.201.250" - ], - "source.port": 5504, "tags": [ "sonicwall.firewall", "forwarded" @@ -1301,31 +1331,20 @@ }, { "@timestamp": "2017-12-15T10:13:24.000Z", - "destination.nat.ip": "10.76.110.144", - "destination.nat.port": 2497, - "event.code": "931", + "event.code": "18", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=gna sn=con time=\"2017/12/15 08:13:24\" fw=10.11.44.250 pri=high c=etMal m=931 msg=\"qua\" n=rsita src=10.108.249.60:7150 dst=10.76.110.144:2497", + "event.original": "id=ercita sn=ciadeser time=\"2017/12/15 08:13:24\" fw=10.175.236.135 pri=medium c=isnisi m=18 ActiveX blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 6906, - "log.original": "qua", + "log.offset": 7032, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.76.110.144", - "10.108.249.60" - ], - "rsa.internal.messageid": "931", - "rsa.internal.msg": "qua", - "rsa.misc.ntype": "rsita", + "rsa.internal.messageid": "18", "rsa.time.date": "2017/12/15", "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.108.249.60", - "source.nat.port": 7150, "tags": [ "sonicwall.firewall", "forwarded" @@ -1333,19 +1352,35 @@ }, { "@timestamp": "2017-12-29T17:15:58.000Z", - "event.code": "11", + "destination.bytes": 6587, + "destination.ip": [ + "10.190.175.158" + ], + "destination.port": 7005, + "event.code": "195", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "rem id=asper sn=idunt time=\"2017/12/29 15:15:58\" fw=10.65.232.27 pri=low c=plicab m=11 Problem loading the Filter list; check your DNS server", + "event.original": "id=isiuta sn=orsitam time=\"2017/12/29 15:15:58\" fw=10.159.119.34 pri=high c=psaquaea m=195 msg=\"taevita\" n=ameiusm src=10.227.15.253 dst=10.190.175.158 sport=271 dport=7005 rcvd=6587", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7050, + "log.offset": 7140, + "log.original": "taevita", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "11", + "related.ip": [ + "10.227.15.253", + "10.190.175.158" + ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "taevita", + "rsa.time.date": "2017/12/29", "rsa.time.event_time": "2017-12-29T17:15:58.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.227.15.253" + ], + "source.port": 271, "tags": [ "sonicwall.firewall", "forwarded" @@ -1353,17 +1388,17 @@ }, { "@timestamp": "2018-01-13T00:18:32.000Z", - "event.code": "88", + "event.code": "22", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uisaute sn=imide time=\"2018/01/12 22:18:32\" fw=10.77.226.215 pri=medium c=itesseq m=88 IKE Responder: IPSec proposal not acceptable", + "event.original": "id=nre sn=veli time=\"2018/01/12 22:18:32\" fw=10.62.147.186 pri=low c=elitse m=22 Ping of death blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7192, + "log.offset": 7323, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "88", + "rsa.internal.messageid": "22", "rsa.time.date": "2018/01/12", "rsa.time.event_time": "2018-01-13T00:18:32.000Z", "service.type": "sonicwall", @@ -1374,85 +1409,57 @@ }, { "@timestamp": "2018-01-27T07:21:06.000Z", - "destination.nat.ip": "10.31.190.145", - "destination.nat.port": 3333, - "event.code": "243", + "destination.ip": [ + "10.15.97.155" + ], + "destination.port": 5935, + "event.action": "block", + "event.code": "616", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ilmol sn=eri time=\"2018/01/27 05:21:06\" fw=10.154.53.249 pri=low c=mquae m=243 msg=\"eriti\" n=atcupi usr=corpori src=10.147.88.219:7595 dst=10.31.190.145:3333 proto=icmp", + "event.original": "id=quasia sn=adi time=\"2018/01/27 05:21:06\" fw=10.9.12.248 pri=medium c=mac m=616 msg=\"block\" n=aveni src=10.29.155.171:1871 dst=10.15.97.155:5935", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7327, - "log.original": "eriti", - "network.protocol": "icmp", + "log.offset": 7426, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.147.88.219", - "10.31.190.145" + "10.29.155.171", + "10.15.97.155" ], - "related.user": [ - "corpori" + "rsa.internal.messageid": "616", + "rsa.misc.action": [ + "block" ], - "rsa.internal.messageid": "243", - "rsa.internal.msg": "eriti", "rsa.time.date": "2018/01/27", "rsa.time.event_time": "2018-01-27T07:21:06.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.147.88.219", - "source.nat.port": 7595, + "source.ip": [ + "10.29.155.171" + ], + "source.port": 1871, "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "corpori" + ] }, { "@timestamp": "2018-02-10T14:23:41.000Z", - "destination.ip": [ - "10.251.248.228" - ], - "destination.mac": "01:00:5e:c3:ed:55", - "destination.port": 6909, - "event.action": "deny", - "event.code": "ntutlabo", + "event.code": "9", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=ntutlabo sn=iusmodte time=\"2018-2-10 12:23:41\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action=\"deny\"", + "event.original": "id=llamco sn=nea time=\"2018/02/10 12:23:41\" fw=10.123.143.188 pri=medium c=orsit m=9 No new Filter list available", "fileset.name": "firewall", - "host.ip": "10.108.84.24", "input.type": "log", - "log.level": "low", - "log.offset": 7499, - "network.protocol": "udp", - "observer.ingress.interface.name": "eth163", + "log.offset": 7573, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.251.248.228", - "10.113.100.237", - "10.108.84.24" - ], - "rsa.internal.event_desc": "volupt", - "rsa.internal.messageid": "606", - "rsa.misc.action": [ - "deny" - ], - "rsa.misc.category": "iosamnis", - "rsa.misc.reference_id": "ntutlabo", - "rsa.misc.serial_number": "iusmodte", - "rsa.misc.severity": "low", - "rsa.network.sinterface": "eth163", - "rsa.time.date": "2018-2-10", + "rsa.internal.messageid": "9", + "rsa.time.date": "2018/02/10", "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.113.100.237" - ], - "source.mac": " 01:00:5e:8b:c1:b4", - "source.port": 3887, "tags": [ "sonicwall.firewall", "forwarded" @@ -1460,17 +1467,20 @@ }, { "@timestamp": "2018-02-24T21:26:15.000Z", - "event.code": "28", + "event.code": "907", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=emvele sn=isnost time=\"2018/02/24 19:26:15\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", + "event.original": "id=ise sn=itau time=\"2018/02/24 19:26:15\" fw=10.44.22.97 pri=very-high c=lorsita m=907 msg=\"dolore\" n=uptate", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7742, + "log.offset": 7687, + "log.original": "dolore", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "28", + "rsa.internal.messageid": "907", + "rsa.internal.msg": "dolore", + "rsa.misc.ntype": "uptate", "rsa.time.date": "2018/02/24", "rsa.time.event_time": "2018-02-24T21:26:15.000Z", "service.type": "sonicwall", @@ -1481,17 +1491,18 @@ }, { "@timestamp": "2018-03-11T04:28:49.000Z", - "event.code": "61", + "event.code": "157", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "sit id=rumSect sn=ita time=\"2018/03/11 02:28:49\" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E", + "event.original": "id=odi sn=ptass time=\"2018/03/11 02:28:49\" fw=10.39.10.155 pri=low c=tametcon m=157 HA packet processing error", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7855, + "log.offset": 7796, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "61", + "rsa.internal.messageid": "157", + "rsa.time.date": "2018/03/11", "rsa.time.event_time": "2018-03-11T04:28:49.000Z", "service.type": "sonicwall", "tags": [ @@ -1501,43 +1512,88 @@ }, { "@timestamp": "2018-03-25T11:31:24.000Z", - "event.code": "906", + "destination.ip": [ + "10.25.32.107" + ], + "event.code": "261", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "oremag id=illu sn=ruredo time=\"2018/03/25 09:31:24\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore", + "event.original": "id=aco sn=tio time=\"2018/03/25 09:31:24\" fw=10.112.38.219 pri=high c=dantium m=261 msg=\"lor\" n=velillu usr=cteturad src= 10.18.204.87 dst= 10.25.32.107", "fileset.name": "firewall", "input.type": "log", - "log.offset": 7959, - "log.original": "its", + "log.offset": 7907, + "log.original": "lor", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "906", - "rsa.internal.msg": "its", - "rsa.misc.ntype": "lore", + "related.ip": [ + "10.25.32.107", + "10.18.204.87" + ], + "related.user": [ + "cteturad" + ], + "rsa.internal.messageid": "261", + "rsa.internal.msg": "lor", + "rsa.time.date": "2018/03/25", "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.18.204.87" + ], "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "cteturad" }, { - "@timestamp": "2018-04-08T18:33:58.000Z", - "event.code": "134", + "@timestamp": "2018-04-08T06:33:58.000Z", + "destination.ip": [ + "10.246.0.167" + ], + "destination.mac": "01:00:5e:2c:22:06", + "destination.port": 2189, + "event.action": "block", + "event.code": "utodita", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=onu sn=liquaUte time=\"2018/04/08 16:33:58\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", + "event.original": "id=utodita sn=aec time=\"2018-4-8 4:33:58\" fw=10.21.89.175 pri=medium c=diconse m=428 msg=\"elitse\" n=reseo src=10.71.238.250:41:lo3856 dst=10.246.0.167:2189:eth2632 srcMac= 01:00:5e:7c:42:0b dstMac=01:00:5e:2c:22:06 proto=icmp fw_action=\"block\"", "fileset.name": "firewall", + "host.ip": "10.21.89.175", "input.type": "log", - "log.offset": 8075, + "log.level": "medium", + "log.offset": 8059, + "network.protocol": "icmp", + "observer.egress.interface.name": "eth2632", + "observer.ingress.interface.name": "lo3856", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "134", - "rsa.time.date": "2018/04/08", - "rsa.time.event_time": "2018-04-08T18:33:58.000Z", + "related.ip": [ + "10.71.238.250", + "10.21.89.175", + "10.246.0.167" + ], + "rsa.internal.event_desc": "elitse", + "rsa.internal.messageid": "428", + "rsa.misc.action": [ + "block" + ], + "rsa.misc.category": "diconse", + "rsa.misc.reference_id": "utodita", + "rsa.misc.serial_number": "aec", + "rsa.misc.severity": "medium", + "rsa.network.dinterface": "eth2632", + "rsa.network.sinterface": "lo3856", + "rsa.time.date": "2018-4-8", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.71.238.250" + ], + "source.mac": "01:00:5e:7c:42:0b", + "source.port": 41, "tags": [ "sonicwall.firewall", "forwarded" @@ -1545,35 +1601,43 @@ }, { "@timestamp": "2018-04-22T13:36:32.000Z", + "destination.ip": [ + "10.176.209.227" + ], + "destination.port": 6362, "event.action": "allow", - "event.code": "mveniamq", + "event.code": "794", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mveniamq sn=taedict time=\"2018-4-22 11:36:32\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", + "event.original": "id=ritin sn=temporin time=\"2018-4-22 11:36:32\" fw=10.122.76.148 pri=high c=tdol m=794 msg=\"upt\" sid=mex spycat=tatem spypri=untutlab pktdatId=amcor n=ica src=10.13.66.97:2000:enp0s5411 dst=10.176.209.227:6362:eth7037 proto=ipv6/siu fw_action=\"allow\"", "fileset.name": "firewall", - "host.ip": "10.206.69.135", "input.type": "log", - "log.level": "high", - "log.offset": 8197, + "log.offset": 8303, + "network.protocol": "ipv6", + "observer.egress.interface.name": "eth7037", + "observer.ingress.interface.name": "enp0s5411", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.206.69.135" + "10.13.66.97", + "10.176.209.227" ], - "rsa.db.index": "aaliq", - "rsa.internal.event_desc": "utfug", - "rsa.internal.messageid": "880", + "rsa.identity.user_sid_dst": "mex", + "rsa.internal.event_desc": "upt", + "rsa.internal.messageid": "794", "rsa.misc.action": [ "allow" ], - "rsa.misc.category": "aturve", - "rsa.misc.reference_id": "mveniamq", - "rsa.misc.serial_number": "taedict", - "rsa.misc.severity": "high", + "rsa.network.dinterface": "eth7037", + "rsa.network.sinterface": "enp0s5411", "rsa.time.date": "2018-4-22", "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.13.66.97" + ], + "source.port": 2000, "tags": [ "sonicwall.firewall", "forwarded" @@ -1581,28 +1645,20 @@ }, { "@timestamp": "2018-05-07T08:39:06.000Z", - "event.code": "441", + "event.code": "7", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uiinea sn=mnisiut time=\"2018/05/07 06:39:06\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80 ", + "event.original": "id=quaea sn=ametcons time=\"2018/05/07 06:39:06\" fw=10.74.46.22 pri=very-high c=tetur m=7 Log full; deactivating SonicWALL", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8339, - "log.original": "labor", + "log.offset": 8553, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.240.54.28" - ], - "rsa.internal.messageid": "441", - "rsa.internal.msg": "labor", + "rsa.internal.messageid": "7", "rsa.time.date": "2018/05/07", "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.240.54.28" - ], "tags": [ "sonicwall.firewall", "forwarded" @@ -1610,20 +1666,29 @@ }, { "@timestamp": "2018-05-21T15:41:41.000Z", - "event.code": "163", + "destination.nat.ip": "10.77.174.205", + "event.code": "240", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mve sn=uia time=\"2018/05/21 13:41:41\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", + "event.original": "id=ariatur sn=rer time=\"2018/05/21 13:41:41\" fw=10.210.243.175 pri=low c=atisetqu m=240 msg=\"issuscip\" n=uisa src=10.240.49.224 dst=10.77.174.205", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8484, + "log.offset": 8675, + "log.original": "issuscip", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "163", + "related.ip": [ + "10.77.174.205", + "10.240.49.224" + ], + "rsa.internal.messageid": "240", + "rsa.internal.msg": "issuscip", + "rsa.misc.ntype": "uisa", "rsa.time.date": "2018/05/21", "rsa.time.event_time": "2018-05-21T15:41:41.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.240.49.224", "tags": [ "sonicwall.firewall", "forwarded" @@ -1632,30 +1697,30 @@ { "@timestamp": "2018-06-04T22:44:15.000Z", "destination.ip": [ - "10.104.49.142" + "10.187.210.173" ], - "event.code": "252", + "event.code": "255", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=doei sn=cipitl time=\"2018/06/04 20:44:15\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", + "event.original": "id=luptatem sn=uaeratv time=\"2018/06/04 20:44:15\" fw=10.240.190.136 pri=medium c=atcupid m=255 msg=\"quamnih\" n=dminima src=10.44.150.31 dst=10.187.210.173", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8610, - "log.original": "eprehend", + "log.offset": 8821, + "log.original": "quamnih", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.102.166.19", - "10.104.49.142" + "10.44.150.31", + "10.187.210.173" ], - "rsa.internal.messageid": "252", - "rsa.internal.msg": "eprehend", + "rsa.internal.messageid": "255", + "rsa.internal.msg": "quamnih", "rsa.time.date": "2018/06/04", "rsa.time.event_time": "2018-06-04T22:44:15.000Z", "service.type": "sonicwall", "source.ip": [ - "10.102.166.19" + "10.44.150.31" ], "tags": [ "sonicwall.firewall", @@ -1664,19 +1729,49 @@ }, { "@timestamp": "2018-06-19T05:46:49.000Z", - "event.code": "88", + "destination.ip": [ + "10.251.248.228" + ], + "destination.mac": "01:00:5e:c3:ed:55", + "destination.port": 6909, + "event.action": "deny", + "event.code": "ntutlabo", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "ipsa id=asuntexp sn=adminim time=\"2018/06/19 03:46:49\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", + "event.original": "id=ntutlabo sn=iusmodte time=\"2018-6-19 3:46:49\" fw=10.108.84.24 pri=low c=iosamnis m=606 msg=\"volupt\" n=rem src=10.113.100.237:3887:eth163 dst=10.251.248.228:6909 srcMac= 01:00:5e:8b:c1:b4 dstMac=01:00:5e:c3:ed:55proto=udp fw_action=\"deny\"", "fileset.name": "firewall", + "host.ip": "10.108.84.24", "input.type": "log", - "log.offset": 8759, + "log.level": "low", + "log.offset": 8976, + "network.protocol": "udp", + "observer.ingress.interface.name": "eth163", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "88", + "related.ip": [ + "10.108.84.24", + "10.251.248.228", + "10.113.100.237" + ], + "rsa.internal.event_desc": "volupt", + "rsa.internal.messageid": "606", + "rsa.misc.action": [ + "deny" + ], + "rsa.misc.category": "iosamnis", + "rsa.misc.reference_id": "ntutlabo", + "rsa.misc.serial_number": "iusmodte", + "rsa.misc.severity": "low", + "rsa.network.sinterface": "eth163", + "rsa.time.date": "2018-6-19", "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.113.100.237" + ], + "source.mac": "01:00:5e:8b:c1:b4", + "source.port": 3887, "tags": [ "sonicwall.firewall", "forwarded" @@ -1684,17 +1779,17 @@ }, { "@timestamp": "2018-07-03T12:49:23.000Z", - "event.code": "34", + "event.code": "28", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=iumt sn=tsed time=\"2018/07/03 10:49:23\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", + "event.original": "id=emvele sn=isnost time=\"2018/07/03 10:49:23\" fw=10.71.112.159 pri=medium c=emqu m=28 Fragmented Packet Dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 8898, + "log.offset": 9217, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "34", + "rsa.internal.messageid": "28", "rsa.time.date": "2018/07/03", "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "service.type": "sonicwall", @@ -1705,37 +1800,19 @@ }, { "@timestamp": "2018-07-17T19:51:58.000Z", - "destination.ip": [ - "10.137.217.159" - ], - "destination.port": 563, - "event.code": "195", + "event.code": "61", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=loremag sn=tcu time=\"2018/07/17 17:51:58\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", + "event.original": "sit id=rumSect sn=ita time=\"2018/07/17 17:51:58\" fw=10.139.65.241 pri=low c=teni m=61 Diagnostic Code E", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 9005, - "log.original": "rorsit", + "log.offset": 9330, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.77.95.12", - "10.137.217.159" - ], - "rsa.internal.messageid": "195", - "rsa.internal.msg": "rorsit", - "rsa.time.date": "2018/07/17", + "rsa.internal.messageid": "61", "rsa.time.event_time": "2018-07-17T19:51:58.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.77.95.12" - ], - "source.port": 2310, "tags": [ "sonicwall.firewall", "forwarded" @@ -1743,17 +1820,20 @@ }, { "@timestamp": "2018-08-01T02:54:32.000Z", - "event.code": "48", + "event.code": "906", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "elillum id=upt sn=rnat time=\"2018/08/01 00:54:32\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", + "event.original": "oremag id=illu sn=ruredo time=\"2018/08/01 00:54:32\" fw=10.72.196.74 pri=very-high c=ptassita m=906 msg=\"its\" n=lore", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9180, + "log.offset": 9434, + "log.original": "its", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "48", + "rsa.internal.messageid": "906", + "rsa.internal.msg": "its", + "rsa.misc.ntype": "lore", "rsa.time.event_time": "2018-08-01T02:54:32.000Z", "service.type": "sonicwall", "tags": [ @@ -1763,30 +1843,39 @@ }, { "@timestamp": "2018-08-15T09:57:06.000Z", - "destination.nat.ip": "10.191.242.168", - "destination.nat.port": 5251, - "event.code": "995", + "destination.ip": [ + "10.50.44.5" + ], + "destination.port": 7668, + "event.action": "block", + "event.code": "237", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "doeiu id=deF sn=itempo time=\"2018/08/15 07:57:06\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", + "event.original": "sBono id=loremqu sn=tetur time=\"2018/08/15 07:57:06\" fw=10.213.94.135 pri=very-high c=urmagn m=237 msg=\"block\" n=uptat src=10.105.46.101:3346:enp0s382 dst= 10.50.44.5:7668:lo1441", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9302, - "log.original": "isci", + "log.offset": 9550, + "observer.egress.interface.name": "lo1441", + "observer.ingress.interface.name": "enp0s382", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.191.242.168", - "10.165.48.224" + "10.105.46.101", + "10.50.44.5" ], - "rsa.internal.event_desc": "equep", - "rsa.internal.messageid": "995", - "rsa.internal.msg": "isci", + "rsa.internal.messageid": "237", + "rsa.misc.action": [ + "block" + ], + "rsa.network.dinterface": "lo1441", + "rsa.network.sinterface": "enp0s382", "rsa.time.event_time": "2018-08-15T09:57:06.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.165.48.224", - "source.nat.port": 5386, + "source.ip": [ + "10.105.46.101" + ], + "source.port": 3346, "tags": [ "sonicwall.firewall", "forwarded" @@ -1794,22 +1883,38 @@ }, { "@timestamp": "2018-08-29T16:59:40.000Z", - "event.code": "909", + "destination.ip": [ + "10.52.248.251" + ], + "destination.port": 5776, + "event.code": "328", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "BCS id=qui sn=ugiatquo time=\"2018/08/29 14:59:40\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN", + "event.original": "id=ddoeius sn=ugiatn time=\"2018/08/29 14:59:40\" fw=10.50.102.128 pri=high c=abore m=328 msg=\"squ\" n=uiadol src=10.60.142.127:1081:eth6291 dst= 10.52.248.251:5776:lo2241", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9476, - "log.original": "emq", + "log.offset": 9729, + "log.original": "squ", + "observer.egress.interface.name": "lo2241", + "observer.ingress.interface.name": "eth6291", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "909", - "rsa.internal.msg": "emq", - "rsa.misc.ntype": "plicaboN", + "related.ip": [ + "10.60.142.127", + "10.52.248.251" + ], + "rsa.internal.messageid": "328", + "rsa.internal.msg": "squ", + "rsa.network.dinterface": "lo2241", + "rsa.network.sinterface": "eth6291", + "rsa.time.date": "2018/08/29", "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.60.142.127" + ], + "source.port": 1081, "tags": [ "sonicwall.firewall", "forwarded" @@ -1817,31 +1922,20 @@ }, { "@timestamp": "2018-09-13T00:02:15.000Z", - "destination.nat.ip": "10.116.173.79", - "destination.nat.port": 7693, - "event.code": "178", + "event.code": "134", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=vol sn=admi time=\"2018/09/12 22:02:15\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693", + "event.original": "id=onu sn=liquaUte time=\"2018/09/12 22:02:15\" fw=10.137.202.243 pri=high c=tempor m=134 PPPoE starting PAP Authentication", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9591, - "log.original": "ende", + "log.offset": 9898, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.116.173.79", - "10.185.37.32" - ], - "rsa.internal.messageid": "178", - "rsa.internal.msg": "ende", - "rsa.misc.ntype": "abor", + "rsa.internal.messageid": "134", "rsa.time.date": "2018/09/12", "rsa.time.event_time": "2018-09-13T00:02:15.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.185.37.32", - "source.nat.port": 708, "tags": [ "sonicwall.firewall", "forwarded" @@ -1849,31 +1943,35 @@ }, { "@timestamp": "2018-09-27T07:04:49.000Z", - "destination.nat.ip": "10.57.85.98", - "destination.nat.port": 3286, - "event.code": "995", + "event.action": "allow", + "event.code": "mveniamq", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=olorem sn=gitse time=\"2018/09/27 05:04:49\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", + "event.original": "id=mveniamq sn=taedict time=\"2018-9-27 5:04:49\" fw=10.206.69.135 pri=high c=aturve m=880 msg=\"utfug\" n=aturQu note=\"aaliq\" fw_action=\"allow\"", "fileset.name": "firewall", + "host.ip": "10.206.69.135", "input.type": "log", - "log.offset": 9736, - "log.original": "sci", + "log.level": "high", + "log.offset": 10020, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.219.42.212", - "10.57.85.98" + "10.206.69.135" ], - "rsa.internal.event_desc": "mquisno", - "rsa.internal.messageid": "995", - "rsa.internal.msg": "sci", - "rsa.time.date": "2018/09/27", + "rsa.db.index": "aaliq", + "rsa.internal.event_desc": "utfug", + "rsa.internal.messageid": "880", + "rsa.misc.action": [ + "allow" + ], + "rsa.misc.category": "aturve", + "rsa.misc.reference_id": "mveniamq", + "rsa.misc.serial_number": "taedict", + "rsa.misc.severity": "high", + "rsa.time.date": "2018-9-27", "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.219.42.212", - "source.nat.port": 5708, "tags": [ "sonicwall.firewall", "forwarded" @@ -1881,20 +1979,32 @@ }, { "@timestamp": "2018-10-11T14:07:23.000Z", - "event.code": "137", + "destination.ip": [ + "10.115.38.80" + ], + "event.code": "441", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=gna sn=isiutali time=\"2018/10/11 12:07:23\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", + "event.original": "id=uiinea sn=mnisiut time=\"2018/10/11 12:07:23\" fw=10.208.228.129 pri=low c=olup m=441 msg=\"labor\" n=dol src= 10.240.54.28 dst= 10.115.38.80", "fileset.name": "firewall", "input.type": "log", - "log.offset": 9906, + "log.offset": 10161, + "log.original": "labor", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "137", + "related.ip": [ + "10.240.54.28", + "10.115.38.80" + ], + "rsa.internal.messageid": "441", + "rsa.internal.msg": "labor", "rsa.time.date": "2018/10/11", "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.240.54.28" + ], "tags": [ "sonicwall.firewall", "forwarded" @@ -1902,32 +2012,20 @@ }, { "@timestamp": "2018-10-25T21:09:57.000Z", - "destination.ip": [ - "10.195.223.82" - ], - "event.code": "351", + "event.code": "163", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=uaturve sn=amquisno time=\"2018/10/25 19:09:57\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", + "event.original": "id=mve sn=uia time=\"2018/10/25 19:09:57\" fw=10.92.237.93 pri=high c=nsequunt m=163 Disconnecting PPPoE due to traffic timeout", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10011, - "log.original": "CSe", + "log.offset": 10302, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.195.223.82", - "10.135.70.159" - ], - "rsa.internal.messageid": "351", - "rsa.internal.msg": "CSe", + "rsa.internal.messageid": "163", "rsa.time.date": "2018/10/25", "rsa.time.event_time": "2018-10-25T21:09:57.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.135.70.159" - ], "tags": [ "sonicwall.firewall", "forwarded" @@ -1935,56 +2033,73 @@ }, { "@timestamp": "2018-11-09T04:12:32.000Z", - "event.code": "261", + "destination.ip": [ + "10.104.49.142" + ], + "event.code": "252", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=atu sn=iusm time=\"2018/11/09 02:12:32\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198 ", + "event.original": "id=doei sn=cipitl time=\"2018/11/09 02:12:32\" fw=10.53.127.17 pri=very-high c=strumex m=252 msg=\"eprehend\" n=asnu src=10.102.166.19 dst=10.104.49.142", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10159, - "log.original": "rsitvolu", - "observer.ingress.interface.name": "eth3249", + "log.offset": 10428, + "log.original": "eprehend", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.22.244.71" - ], - "related.user": [ - "usmo" + "10.104.49.142", + "10.102.166.19" ], - "rsa.internal.messageid": "261", - "rsa.internal.msg": "rsitvolu", - "rsa.network.sinterface": "eth3249", + "rsa.internal.messageid": "252", + "rsa.internal.msg": "eprehend", "rsa.time.date": "2018/11/09", "rsa.time.event_time": "2018-11-09T04:12:32.000Z", "service.type": "sonicwall", "source.ip": [ - "10.22.244.71" + "10.102.166.19" ], - "source.port": 1865, "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "usmo" + ] }, { "@timestamp": "2018-11-23T11:15:06.000Z", - "event.code": "125", + "destination.ip": [ + "10.120.25.169" + ], + "destination.port": 1965, + "event.action": "block", + "event.code": "199", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=oin sn=itseddoe time=\"2018/11/23 09:15:06\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", + "event.original": "id=repreh sn=plic time=\"2018/11/23 09:15:06\" fw=10.17.87.79 pri=high c=saq m=199 msg=\"block\" n=ritqu src=10.203.77.154:3916:lo4991 dst= 10.120.25.169:1965:lo4527", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10327, + "log.offset": 10577, + "observer.egress.interface.name": "lo4527", + "observer.ingress.interface.name": "lo4991", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "125", + "related.ip": [ + "10.203.77.154", + "10.120.25.169" + ], + "rsa.internal.messageid": "199", + "rsa.misc.action": [ + "block" + ], + "rsa.network.dinterface": "lo4527", + "rsa.network.sinterface": "lo4991", "rsa.time.date": "2018/11/23", "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.203.77.154" + ], + "source.port": 3916, "tags": [ "sonicwall.firewall", "forwarded" @@ -1992,18 +2107,17 @@ }, { "@timestamp": "2018-12-07T18:17:40.000Z", - "event.code": "105", + "event.code": "88", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=giatquov sn=olu time=\"2018/12/07 16:17:40\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", + "event.original": "ipsa id=asuntexp sn=adminim time=\"2018/12/07 16:17:40\" fw=10.115.115.26 pri=high c=modoc m=88 IKE Responder: IPSec proposal not acceptable", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10431, + "log.offset": 10739, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "105", - "rsa.time.date": "2018/12/07", + "rsa.internal.messageid": "88", "rsa.time.event_time": "2018-12-07T18:17:40.000Z", "service.type": "sonicwall", "tags": [ @@ -2016,14 +2130,15 @@ "event.code": "34", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "emagn id=emulla sn=mips time=\"2018/12/21 23:20:14\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", + "event.original": "id=iumt sn=tsed time=\"2018/12/21 23:20:14\" fw=10.249.120.78 pri=medium c=atuse m=34 Login screen timed out", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10543, + "log.offset": 10878, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "34", + "rsa.time.date": "2018/12/21", "rsa.time.event_time": "2018-12-22T01:20:14.000Z", "service.type": "sonicwall", "tags": [ @@ -2033,20 +2148,35 @@ }, { "@timestamp": "2019-01-05T08:22:49.000Z", - "event.code": "144", + "destination.bytes": 1629, + "destination.ip": [ + "10.137.217.159" + ], + "destination.port": 563, + "event.code": "195", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=itametc sn=ori time=\"2019/01/05 06:22:49\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", + "event.original": "id=loremag sn=tcu time=\"2019/01/05 06:22:49\" fw=10.84.251.253 pri=high c=erspi m=195 msg=\"rorsit\" n=tionemu src=10.77.95.12 dst=10.137.217.159 sport=2310 dport=563 rcvd=1629", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10662, + "log.offset": 10985, + "log.original": "rorsit", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "144", + "related.ip": [ + "10.77.95.12", + "10.137.217.159" + ], + "rsa.internal.messageid": "195", + "rsa.internal.msg": "rorsit", "rsa.time.date": "2019/01/05", "rsa.time.event_time": "2019-01-05T08:22:49.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.77.95.12" + ], + "source.port": 2310, "tags": [ "sonicwall.firewall", "forwarded" @@ -2054,31 +2184,19 @@ }, { "@timestamp": "2019-01-19T15:25:23.000Z", - "destination.nat.ip": "10.12.54.142", - "destination.nat.port": 6543, - "event.code": "658", + "event.code": "48", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=doconse sn=etdol time=\"2019/01/19 13:25:23\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543", + "event.original": "elillum id=upt sn=rnat time=\"2019/01/19 13:25:23\" fw=10.1.96.93 pri=high c=edolo m=48 Out-of-order command packet dropped", "fileset.name": "firewall", "input.type": "log", - "log.offset": 10785, - "log.original": "osquirat", + "log.offset": 11159, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.12.54.142", - "10.56.10.84" - ], - "rsa.internal.messageid": "658", - "rsa.internal.msg": "osquirat", - "rsa.misc.ntype": "equat", - "rsa.time.date": "2019/01/19", + "rsa.internal.messageid": "48", "rsa.time.event_time": "2019-01-19T15:25:23.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.56.10.84", - "source.nat.port": 5366, "tags": [ "sonicwall.firewall", "forwarded" @@ -2086,37 +2204,30 @@ }, { "@timestamp": "2019-02-02T22:27:57.000Z", - "destination.ip": [ - "10.117.63.181" - ], - "destination.port": 6863, - "event.code": "195", + "destination.nat.ip": "10.191.242.168", + "destination.nat.port": 5251, + "event.code": "995", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=min sn=oluptat time=\"2019/02/02 20:27:57\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", + "event.original": "doeiu id=deF sn=itempo time=\"2019/02/02 20:27:57\" fw=10.200.237.196 pri=medium c=ecillum m=995 msg=\"isci\" n=dolor src=10.165.48.224:5386 dst=10.191.242.168:5251 note=\"equep\"", "fileset.name": "firewall", "input.type": "log", - "log.flags": [ - "dissect_parsing_error" - ], - "log.offset": 10936, - "log.original": "magnaal", + "log.offset": 11281, + "log.original": "isci", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.222.169.140", - "10.117.63.181" + "10.191.242.168", + "10.165.48.224" ], - "rsa.internal.messageid": "195", - "rsa.internal.msg": "magnaal", - "rsa.time.date": "2019/02/02", + "rsa.internal.event_desc": "equep", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "isci", "rsa.time.event_time": "2019-02-02T22:27:57.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.222.169.140" - ], - "source.port": 5299, + "source.nat.ip": "10.165.48.224", + "source.nat.port": 5386, "tags": [ "sonicwall.firewall", "forwarded" @@ -2124,21 +2235,20 @@ }, { "@timestamp": "2019-02-17T05:30:32.000Z", - "event.code": "867", + "event.code": "909", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=eacommo sn=ueip time=\"2019/02/17 03:30:32\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon", + "event.original": "BCS id=qui sn=ugiatquo time=\"2019/02/17 03:30:32\" fw=10.204.133.116 pri=medium c=autemv m=909 msg=\"emq\" n=plicaboN", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11116, - "log.original": "scipi", + "log.offset": 11455, + "log.original": "emq", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "867", - "rsa.internal.msg": "scipi", - "rsa.misc.ntype": "acon", - "rsa.time.date": "2019/02/17", + "rsa.internal.messageid": "909", + "rsa.internal.msg": "emq", + "rsa.misc.ntype": "plicaboN", "rsa.time.event_time": "2019-02-17T05:30:32.000Z", "service.type": "sonicwall", "tags": [ @@ -2148,63 +2258,63 @@ }, { "@timestamp": "2019-03-03T12:33:06.000Z", - "event.code": "60", + "destination.nat.ip": "10.116.173.79", + "destination.nat.port": 7693, + "event.code": "178", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "usm id=labori sn=porai time=\"2019/03/03 10:33:06\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", + "event.original": "id=vol sn=admi time=\"2019/03/03 10:33:06\" fw=10.77.229.168 pri=high c=aquiof m=178 msg=\"ende\" n=abor src=10.185.37.32:708 dst=10.116.173.79:7693", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11230, + "log.offset": 11570, + "log.original": "ende", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "60", + "related.ip": [ + "10.185.37.32", + "10.116.173.79" + ], + "rsa.internal.messageid": "178", + "rsa.internal.msg": "ende", + "rsa.misc.ntype": "abor", + "rsa.time.date": "2019/03/03", "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.185.37.32", + "source.nat.port": 708, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2019-03-17T07:35:40.000Z", - "destination.ip": [ - "10.200.122.184" - ], - "destination.port": 1176, - "event.action": "allow", - "event.code": "794", + "@timestamp": "2019-03-17T19:35:40.000Z", + "destination.nat.ip": "10.57.85.98", + "destination.nat.port": 3286, + "event.code": "995", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=lup sn=upta time=\"2019-3-17 5:35:40\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", + "event.original": "id=olorem sn=gitse time=\"2019/03/17 17:35:40\" fw=10.245.127.213 pri=very-high c=billoinv m=995 msg=\"sci\" n=col src=10.219.42.212:5708 dst=10.57.85.98:3286 note=\"mquisno\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11348, - "network.protocol": "rdp", - "observer.egress.interface.name": "eth5397", - "observer.ingress.interface.name": "lo1325", + "log.offset": 11715, + "log.original": "sci", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.200.122.184", - "10.57.255.4" - ], - "rsa.identity.user_sid_dst": "sBon", - "rsa.internal.event_desc": "fic", - "rsa.internal.messageid": "794", - "rsa.misc.action": [ - "allow" + "10.219.42.212", + "10.57.85.98" ], - "rsa.network.dinterface": "eth5397", - "rsa.network.sinterface": "lo1325", - "rsa.time.date": "2019-3-17", - "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.internal.event_desc": "mquisno", + "rsa.internal.messageid": "995", + "rsa.internal.msg": "sci", + "rsa.time.date": "2019/03/17", + "rsa.time.event_time": "2019-03-17T19:35:40.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.57.255.4" - ], - "source.port": 239, + "source.nat.ip": "10.219.42.212", + "source.nat.port": 5708, "tags": [ "sonicwall.firewall", "forwarded" @@ -2212,20 +2322,39 @@ }, { "@timestamp": "2019-04-01T02:38:14.000Z", - "event.code": "19", + "destination.ip": [ + "10.88.244.209" + ], + "destination.port": 6953, + "event.code": "97", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mmod sn=iti time=\"2019/04/01 00:38:14\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", + "event.original": "id=nisiu sn=imad time=\"2019/04/01 00:38:14\" fw=10.30.101.79 pri=high c=tenimad m=97 n=sitametc src= 10.152.35.175:2737:enp0s3423 dst= 10.88.244.209:6953:enp0s2460 proto=ipv6-icmp op=caecat sent=5835 dstname=tquidol", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11600, + "log.offset": 11885, + "network.protocol": "ipv6-icmp", + "observer.egress.interface.name": "enp0s2460", + "observer.ingress.interface.name": "enp0s3423", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "19", + "related.ip": [ + "10.88.244.209", + "10.152.35.175" + ], + "rsa.internal.messageid": "97", + "rsa.misc.name": "tquidol", + "rsa.network.dinterface": "enp0s2460", + "rsa.network.sinterface": "enp0s3423", "rsa.time.date": "2019/04/01", "rsa.time.event_time": "2019-04-01T02:38:14.000Z", "service.type": "sonicwall", + "source.bytes": 5835, + "source.ip": [ + "10.152.35.175" + ], + "source.port": 2737, "tags": [ "sonicwall.firewall", "forwarded" @@ -2233,30 +2362,44 @@ }, { "@timestamp": "2019-04-15T09:40:49.000Z", - "destination.nat.ip": "10.129.101.147", - "destination.nat.port": 3606, - "event.code": "413", + "destination.address": "ugitsedq5067.internal.test", + "destination.bytes": 1635, + "destination.ip": [ + "10.107.216.138" + ], + "destination.port": 3147, + "event.action": "accept", + "event.code": "537", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=mag sn=gelitse time=\"2019/04/15 07:40:49\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", + "event.original": "undeom id=emullamc sn=tec time=\"2019/04/15 07:40:49\" fw=10.29.118.7 pri=medium c=mveleum m=537 msg=\"accept\" f=exercita n=sBonorum src= 10.132.171.15 dst= 10.107.216.138:3147:lo5057:ugitsedq5067.internal.test proto=rdp sent=5943 rcvd=1635", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11692, - "log.original": "upta", + "log.offset": 12100, + "network.protocol": "rdp", + "observer.egress.interface.name": "lo5057", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "ugitsedq5067.internal.test" + ], "related.ip": [ - "10.206.229.61", - "10.129.101.147" + "10.107.216.138", + "10.132.171.15" ], - "rsa.internal.messageid": "413", - "rsa.internal.msg": "upta", - "rsa.time.date": "2019/04/15", + "rsa.internal.messageid": "537", + "rsa.misc.action": [ + "accept" + ], + "rsa.network.dinterface": "lo5057", + "rsa.network.host_dst": "ugitsedq5067.internal.test", "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.206.229.61", - "source.nat.port": 3467, + "source.bytes": 5943, + "source.ip": [ + "10.132.171.15" + ], "tags": [ "sonicwall.firewall", "forwarded" @@ -2264,17 +2407,17 @@ }, { "@timestamp": "2019-04-29T16:43:23.000Z", - "event.code": "159", + "event.code": "137", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nostrud sn=cteturad time=\"2019/04/29 14:43:23\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", + "event.original": "id=gna sn=isiutali time=\"2019/04/29 14:43:23\" fw=10.156.152.182 pri=very-high c=ons m=137 Wan IP Changed", "fileset.name": "firewall", "input.type": "log", - "log.offset": 11843, + "log.offset": 12338, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "159", + "rsa.internal.messageid": "137", "rsa.time.date": "2019/04/29", "rsa.time.event_time": "2019-04-29T16:43:23.000Z", "service.type": "sonicwall", @@ -2285,79 +2428,91 @@ }, { "@timestamp": "2019-05-13T23:45:57.000Z", - "event.code": "1079", + "destination.ip": [ + "10.195.223.82" + ], + "event.code": "351", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "oluptate id=lit sn=santi time=\"2019/05/13 21:45:57\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", + "event.original": "id=uaturve sn=amquisno time=\"2019/05/13 21:45:57\" fw=10.123.74.66 pri=very-high c=mquiad m=351 msg=\"CSe\" n=lors src=10.135.70.159 dst=10.195.223.82", "fileset.name": "firewall", - "host.ip": "10.221.220.148", "input.type": "log", - "log.offset": 11953, + "log.offset": 12443, + "log.original": "CSe", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.221.220.148" - ], - "related.user": [ - "amc" + "10.135.70.159", + "10.195.223.82" ], - "rsa.internal.messageid": "1079", - "rsa.misc.space": "", + "rsa.internal.messageid": "351", + "rsa.internal.msg": "CSe", + "rsa.time.date": "2019/05/13", "rsa.time.event_time": "2019-05-13T23:45:57.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.135.70.159" + ], "tags": [ "sonicwall.firewall", "forwarded" - ], - "user.name": "amc" + ] }, { "@timestamp": "2019-05-28T06:48:31.000Z", "destination.ip": [ - "10.125.85.128" + "10.142.120.198" ], - "event.code": "355", + "event.code": "261", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=vol sn=psumd time=\"2019/05/28 04:48:31\" fw=10.103.29.178 pri=low c=rios m=355 msg=\"labo\" n=lpaquiof src=10.78.29.246 dst=10.125.85.128", + "event.original": "id=atu sn=iusm time=\"2019/05/28 04:48:31\" fw=10.20.81.176 pri=low c=stquido m=261 msg=\"rsitvolu\" n=mnisi usr=usmo src=10.22.244.71:1865:eth3249 dst= 10.142.120.198", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12100, - "log.original": "labo", + "log.offset": 12591, + "log.original": "rsitvolu", + "observer.ingress.interface.name": "eth3249", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.125.85.128", - "10.78.29.246" + "10.142.120.198", + "10.22.244.71" ], - "rsa.internal.messageid": "355", - "rsa.internal.msg": "labo", + "related.user": [ + "usmo" + ], + "rsa.internal.messageid": "261", + "rsa.internal.msg": "rsitvolu", + "rsa.network.sinterface": "eth3249", "rsa.time.date": "2019/05/28", "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "sonicwall", "source.ip": [ - "10.78.29.246" + "10.22.244.71" ], + "source.port": 1865, "tags": [ "sonicwall.firewall", "forwarded" - ] + ], + "user.name": "usmo" }, { "@timestamp": "2019-06-11T13:51:06.000Z", - "event.code": "101", + "event.code": "125", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "enbyCi id=reetdo sn=tat time=\"2019/06/11 11:51:06\" fw=10.164.207.42 pri=low c=hen m=101 Retransmitting DHCP REQUEST (Renewing).", + "event.original": "id=oin sn=itseddoe time=\"2019/06/11 11:51:06\" fw=10.141.143.56 pri=low c=erc m=125 Unused AV log entry.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12238, + "log.offset": 12755, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "101", + "rsa.internal.messageid": "125", + "rsa.time.date": "2019/06/11", "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "sonicwall", "tags": [ @@ -2367,36 +2522,20 @@ }, { "@timestamp": "2019-06-25T20:53:40.000Z", - "destination.ip": [ - "10.29.120.226" - ], - "destination.port": 1129, - "event.action": "allow", - "event.code": "712", + "event.code": "105", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=iamqui sn=tassita time=\"2019/06/25 18:53:40\" fw=10.7.47.118 pri=medium c=piscing m=712 msg=\"allow\" n=isn src=10.203.146.137:4213 dst=10.29.120.226:1129", + "event.original": "id=giatquov sn=olu time=\"2019/06/25 18:53:40\" fw=10.137.103.62 pri=medium c=serror m=105 Sending DHCP DISCOVER.", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12366, + "log.offset": 12859, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.203.146.137", - "10.29.120.226" - ], - "rsa.internal.messageid": "712", - "rsa.misc.action": [ - "allow" - ], + "rsa.internal.messageid": "105", "rsa.time.date": "2019/06/25", "rsa.time.event_time": "2019-06-25T20:53:40.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.203.146.137" - ], - "source.port": 4213, "tags": [ "sonicwall.firewall", "forwarded" @@ -2404,19 +2543,17 @@ }, { "@timestamp": "2019-07-10T03:56:14.000Z", - "event.code": "670", + "event.code": "34", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "inesciu id=quid sn=atcupid time=\"2019/07/10 01:56:14\" fw=10.29.5.115 pri=very-high c=ate m=670 msg=\"con\" sess=tqu n=eirur", + "event.original": "emagn id=emulla sn=mips time=\"2019/07/10 01:56:14\" fw=10.201.146.83 pri=very-high c=atnula m=34 Login screen timed out", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12521, - "log.original": "con", + "log.offset": 12971, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "670", - "rsa.internal.msg": "con", + "rsa.internal.messageid": "34", "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "sonicwall", "tags": [ @@ -2426,17 +2563,18 @@ }, { "@timestamp": "2019-07-24T10:58:48.000Z", - "event.code": "151", + "event.code": "144", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "hite id=ianonnum sn=nofdeFi time=\"2019/07/24 08:58:48\" fw=10.217.253.76 pri=very-high c=unt m=151 Primary firewall preempting Backup", + "event.original": "id=itametc sn=ori time=\"2019/07/24 08:58:48\" fw=10.202.74.93 pri=low c=ido m=144 Primary firewall has transitioned to Idle", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12643, + "log.offset": 13090, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "151", + "rsa.internal.messageid": "144", + "rsa.time.date": "2019/07/24", "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "sonicwall", "tags": [ @@ -2446,57 +2584,67 @@ }, { "@timestamp": "2019-08-07T18:01:23.000Z", - "destination.nat.ip": "10.110.208.170", - "destination.nat.port": 6374, - "event.code": "931", + "destination.nat.ip": "10.12.54.142", + "destination.nat.port": 6543, + "event.code": "658", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=arch sn=lite time=\"2019/08/07 16:01:23\" fw=10.25.118.123 pri=high c=borumSec m=931 msg=\"aecatcup\" n=snisiut src=10.245.216.15:7800 dst=10.110.208.170:6374", + "event.original": "id=doconse sn=etdol time=\"2019/08/07 16:01:23\" fw=10.156.88.51 pri=high c=tura m=658 msg=\"osquirat\" n=equat src=10.56.10.84:5366 dst=10.12.54.142:6543", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12776, - "log.original": "aecatcup", + "log.offset": 13213, + "log.original": "osquirat", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.110.208.170", - "10.245.216.15" + "10.56.10.84", + "10.12.54.142" ], - "rsa.internal.messageid": "931", - "rsa.internal.msg": "aecatcup", - "rsa.misc.ntype": "snisiut", + "rsa.internal.messageid": "658", + "rsa.internal.msg": "osquirat", + "rsa.misc.ntype": "equat", "rsa.time.date": "2019/08/07", "rsa.time.event_time": "2019-08-07T18:01:23.000Z", "service.type": "sonicwall", - "source.nat.ip": "10.245.216.15", - "source.nat.port": 7800, + "source.nat.ip": "10.56.10.84", + "source.nat.port": 5366, "tags": [ "sonicwall.firewall", "forwarded" ] }, { - "@timestamp": "2019-08-21T13:03:57.000Z", - "event.action": "deny", - "event.code": "1086", + "@timestamp": "2019-08-22T01:03:57.000Z", + "destination.bytes": 7416, + "destination.ip": [ + "10.117.63.181" + ], + "destination.port": 6863, + "event.code": "195", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=rumSecti sn=Utenima time=\"2019-8-21 11:03:57\" fw=10.74.166.70 pri=very-high c=olor m=1086 msg=\"radip\" n=rchitect fw_action=\"deny\"", + "event.original": "id=min sn=oluptat time=\"2019/08/21 23:03:57\" fw=10.162.129.196 pri=medium c=snisi m=195 msg=\"magnaal\" n=uscip src=10.222.169.140 dst=10.117.63.181 sport=5299 dport=6863 rcvd=7416", "fileset.name": "firewall", "input.type": "log", - "log.offset": 12934, + "log.offset": 13364, + "log.original": "magnaal", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.event_desc": "radip", - "rsa.internal.messageid": "1086", - "rsa.misc.action": [ - "deny" + "related.ip": [ + "10.222.169.140", + "10.117.63.181" ], - "rsa.time.date": "2019-8-21", - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.internal.messageid": "195", + "rsa.internal.msg": "magnaal", + "rsa.time.date": "2019/08/21", + "rsa.time.event_time": "2019-08-22T01:03:57.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.222.169.140" + ], + "source.port": 5299, "tags": [ "sonicwall.firewall", "forwarded" @@ -2504,17 +2652,20 @@ }, { "@timestamp": "2019-09-05T08:06:31.000Z", - "event.code": "8", + "event.code": "867", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=amquisno sn=modoc time=\"2019/09/05 06:06:31\" fw=10.125.120.97 pri=high c=cid m=8 New Filter list loaded", + "event.original": "id=eacommo sn=ueip time=\"2019/09/05 06:06:31\" fw=10.243.252.157 pri=low c=minim m=867 msg=\"scipi\" sess=tur n=acon", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13067, + "log.offset": 13543, + "log.original": "scipi", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "8", + "rsa.internal.messageid": "867", + "rsa.internal.msg": "scipi", + "rsa.misc.ntype": "acon", "rsa.time.date": "2019/09/05", "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "sonicwall", @@ -2528,15 +2679,14 @@ "event.code": "60", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=Bonorum sn=lesti time=\"2019/09/19 13:09:05\" fw=10.121.58.27 pri=low c=itamet m=60 Access to Proxy Server Blocked", + "event.original": "usm id=labori sn=porai time=\"2019/09/19 13:09:05\" fw=10.73.176.98 pri=high c=ostr m=60 Access to Proxy Server Blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13174, + "log.offset": 13657, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", "rsa.internal.messageid": "60", - "rsa.time.date": "2019/09/19", "rsa.time.event_time": "2019-09-19T15:09:05.000Z", "service.type": "sonicwall", "tags": [ @@ -2545,20 +2695,44 @@ ] }, { - "@timestamp": "2019-10-03T22:11:40.000Z", - "event.code": "47", + "@timestamp": "2019-10-03T10:11:40.000Z", + "destination.ip": [ + "10.200.122.184" + ], + "destination.port": 1176, + "event.action": "allow", + "event.code": "794", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "uuntur id=tsedquia sn=its time=\"2019/10/03 20:11:40\" fw=10.158.54.131 pri=medium c=assi m=47 No ICMP redirect sent", + "event.original": "id=lup sn=upta time=\"2019-10-3 8:11:40\" fw=10.247.88.138 pri=very-high c=orissu m=794 msg=\"fic\" sid=sBon spycat=usmod spypri=umdol pktdatId=rumexerc n=isiutali src=10.57.255.4:239:lo1325 dst=10.200.122.184:1176:eth5397 proto=rdp/amvo fw_action=\"allow\"", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13290, + "log.offset": 13775, + "network.protocol": "rdp", + "observer.egress.interface.name": "eth5397", + "observer.ingress.interface.name": "lo1325", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "47", - "rsa.time.event_time": "2019-10-03T22:11:40.000Z", + "related.ip": [ + "10.200.122.184", + "10.57.255.4" + ], + "rsa.identity.user_sid_dst": "sBon", + "rsa.internal.event_desc": "fic", + "rsa.internal.messageid": "794", + "rsa.misc.action": [ + "allow" + ], + "rsa.network.dinterface": "eth5397", + "rsa.network.sinterface": "lo1325", + "rsa.time.date": "2019-10-3", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.57.255.4" + ], + "source.port": 239, "tags": [ "sonicwall.firewall", "forwarded" @@ -2566,36 +2740,20 @@ }, { "@timestamp": "2019-10-18T05:14:14.000Z", - "destination.ip": [ - "10.250.149.166" - ], - "destination.port": 6342, - "event.action": "block", - "event.code": "713", + "event.code": "19", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=tatevel sn=midestl time=\"2019/10/18 03:14:14\" fw=10.222.197.130 pri=medium c=ulapa m=713 msg=\"block\" n=meiusm src=10.143.0.78:3113 dst=10.250.149.166:6342", + "event.original": "id=mmod sn=iti time=\"2019/10/18 03:14:14\" fw=10.55.81.14 pri=medium c=asp m=19 Java blocked", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13405, + "log.offset": 14027, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.250.149.166", - "10.143.0.78" - ], - "rsa.internal.messageid": "713", - "rsa.misc.action": [ - "block" - ], + "rsa.internal.messageid": "19", "rsa.time.date": "2019/10/18", "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.143.0.78" - ], - "source.port": 3113, "tags": [ "sonicwall.firewall", "forwarded" @@ -2603,20 +2761,30 @@ }, { "@timestamp": "2019-11-01T12:16:48.000Z", - "event.code": "91", + "destination.nat.ip": "10.129.101.147", + "destination.nat.port": 3606, + "event.code": "413", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=hilmole sn=sequ time=\"2019/11/01 10:16:48\" fw=10.74.29.48 pri=high c=tionula m=91 Deleting IPSec SA for destination", + "event.original": "id=mag sn=gelitse time=\"2019/11/01 10:16:48\" fw=10.195.58.44 pri=high c=radip m=413 msg=\"upta\" n=tetura src=10.206.229.61:3467 dst=10.129.101.147:3606", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13563, + "log.offset": 14119, + "log.original": "upta", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "91", + "related.ip": [ + "10.206.229.61", + "10.129.101.147" + ], + "rsa.internal.messageid": "413", + "rsa.internal.msg": "upta", "rsa.time.date": "2019/11/01", "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "sonicwall", + "source.nat.ip": "10.206.229.61", + "source.nat.port": 3467, "tags": [ "sonicwall.firewall", "forwarded" @@ -2624,20 +2792,18 @@ }, { "@timestamp": "2019-11-15T19:19:22.000Z", - "event.code": "766", + "event.code": "159", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "umtota id=etdolore sn=magnaa time=\"2019/11/15 17:19:22\" fw=10.209.34.197 pri=very-high c=tes m=766 msg=\"equam\" n=isi", + "event.original": "id=nostrud sn=cteturad time=\"2019/11/15 17:19:22\" fw=10.150.163.151 pri=high c=veniam m=159 Diagnostic Code F", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13682, - "log.original": "equam", + "log.offset": 14270, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "766", - "rsa.internal.msg": "equam", - "rsa.misc.ntype": "isi", + "rsa.internal.messageid": "159", + "rsa.time.date": "2019/11/15", "rsa.time.event_time": "2019-11-15T19:19:22.000Z", "service.type": "sonicwall", "tags": [ @@ -2647,20 +2813,38 @@ }, { "@timestamp": "2019-11-30T02:21:57.000Z", - "event.code": "58", + "destination.ip": [ + "10.119.4.120" + ], + "destination.port": 3822, + "event.code": "520", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=rep sn=remap time=\"2019/11/30 00:21:57\" fw=10.7.120.36 pri=very-high c=involu m=58 License exceeded: Connection dropped because too many IP addresses are in use on your LAN", + "event.original": "id=imavenia sn=expli time=\"2019/11/30 00:21:57\" fw=10.144.57.239 pri=medium c=rur m=520 msg=\"itse\" n=ilm src=10.167.9.200:4003:lo5561 dst= 10.119.4.120:3822:enp0s234", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13799, + "log.offset": 14380, + "log.original": "itse", + "observer.egress.interface.name": "enp0s234", + "observer.ingress.interface.name": "lo5561", "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "rsa.internal.messageid": "58", + "related.ip": [ + "10.167.9.200", + "10.119.4.120" + ], + "rsa.internal.messageid": "520", + "rsa.internal.msg": "itse", + "rsa.network.dinterface": "enp0s234", + "rsa.network.sinterface": "lo5561", "rsa.time.date": "2019/11/30", "rsa.time.event_time": "2019-11-30T02:21:57.000Z", "service.type": "sonicwall", + "source.ip": [ + "10.167.9.200" + ], + "source.port": 4003, "tags": [ "sonicwall.firewall", "forwarded" @@ -2668,36 +2852,22 @@ }, { "@timestamp": "2019-12-14T09:24:31.000Z", - "destination.ip": [ - "10.219.228.115" - ], - "destination.port": 745, - "event.action": "deny", - "event.code": "373", + "event.code": "1079", "event.dataset": "sonicwall.firewall", "event.module": "sonicwall", - "event.original": "id=nesciun sn=amcolab time=\"2019/12/14 07:24:31\" fw=10.142.7.145 pri=low c=iuta m=373 msg=\"deny\" n=secil src=10.179.3.247:3445 dst=10.219.228.115:745", + "event.original": "oluptate id=lit sn=santi time=\"2019/12/14 07:24:31\" fw=10.211.112.194 pri=low c=uis m=1079 msg=\"Clientamcis assigned IP:10.221.220.148\" n=apar", "fileset.name": "firewall", "input.type": "log", - "log.offset": 13975, + "log.flags": [ + "dissect_parsing_error" + ], + "log.offset": 14546, "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", - "related.ip": [ - "10.179.3.247", - "10.219.228.115" - ], - "rsa.internal.messageid": "373", - "rsa.misc.action": [ - "deny" - ], - "rsa.time.date": "2019/12/14", + "rsa.internal.messageid": "1079", "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "sonicwall", - "source.ip": [ - "10.179.3.247" - ], - "source.port": 3445, "tags": [ "sonicwall.firewall", "forwarded" diff --git a/x-pack/filebeat/module/sophos/utm/config/input.yml b/x-pack/filebeat/module/sophos/utm/config/input.yml index d98fb40b45af..07c7fdcbb183 100644 --- a/x-pack/filebeat/module/sophos/utm/config/input.yml +++ b/x-pack/filebeat/module/sophos/utm/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/sophos/utm/config/liblogparser.js b/x-pack/filebeat/module/sophos/utm/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/sophos/utm/config/liblogparser.js +++ b/x-pack/filebeat/module/sophos/utm/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml index 62aaa2a3c305..3c41092be69f 100644 --- a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml @@ -57,12 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' - - append: - field: related.hosts - value: '{{destination.address}}' - allow_duplicates: false - if: ctx?.destination?.address != null && ctx.destination?.address != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/sophos/utm/manifest.yml b/x-pack/filebeat/module/sophos/utm/manifest.yml index bdf9d5034585..46bc83cd2ddb 100644 --- a/x-pack/filebeat/module/sophos/utm/manifest.yml +++ b/x-pack/filebeat/module/sophos/utm/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9533 + default: 9549 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json index 392ac679e441..582625399fb0 100644 --- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json @@ -55,13 +55,13 @@ "ercit2385.internal.home" ], "related.ip": [ - "10.47.202.102", - "10.57.170.140" + "10.57.170.140", + "10.47.202.102" ], "related.user": [ + "sunt", "dexeac", - "icistatuscode=giatquov", - "sunt" + "icistatuscode=giatquov" ], "rsa.db.index": "run", "rsa.identity.logon_type": "nofdeF", @@ -70,8 +70,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "ugiatnu", - "block" + "block", + "ugiatnu" ], "rsa.misc.comments": "colabo", "rsa.misc.content_type": "sedd", @@ -163,8 +163,8 @@ "10.106.239.55" ], "related.user": [ - "eaq", - "itquiin" + "itquiin", + "eaq" ], "rsa.identity.logon_type": "stquidol", "rsa.internal.event_desc": "bor", @@ -638,8 +638,8 @@ "10.54.169.175" ], "related.user": [ - "scipit", - "taspe" + "taspe", + "scipit" ], "rsa.identity.logon_type": "olores", "rsa.internal.event_desc": "secil", @@ -974,8 +974,8 @@ "10.232.108.32" ], "related.user": [ - "llum", - "rsp" + "rsp", + "llum" ], "rsa.identity.logon_type": "ntut", "rsa.internal.event_desc": "ittenb", @@ -1029,12 +1029,12 @@ "observer.vendor": "Sophos", "observer.version": "1.5146", "related.hosts": [ - "nostrum6305.internal.localhost", - "Duis583.api.local" + "Duis583.api.local", + "nostrum6305.internal.localhost" ], "related.ip": [ - "10.89.41.97", - "10.17.51.153" + "10.17.51.153", + "10.89.41.97" ], "related.user": [ "tio", @@ -1048,8 +1048,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "iuntN", - "deny" + "deny", + "iuntN" ], "rsa.misc.comments": "onorume", "rsa.misc.content_type": "lapa", @@ -1351,8 +1351,8 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "related.hosts": [ - "reprehe5661.www.lan", - "ntore4333.api.invalid" + "ntore4333.api.invalid", + "reprehe5661.www.lan" ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "iumd", @@ -1851,12 +1851,12 @@ "tenbyCi4371.www5.localdomain" ], "related.ip": [ - "10.214.167.164", - "10.98.126.206" + "10.98.126.206", + "10.214.167.164" ], "related.user": [ - "amremapstatuscode=dolorsit", "isnostru", + "amremapstatuscode=dolorsit", "hen" ], "rsa.db.index": "spernatu", @@ -1866,8 +1866,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "block", - "nsectetu" + "nsectetu", + "block" ], "rsa.misc.comments": "uaer", "rsa.misc.content_type": "eaqu", @@ -2025,16 +2025,16 @@ "observer.vendor": "Sophos", "observer.version": "1.2707", "related.hosts": [ - "iusmo901.www.home", - "tenima5715.api.example" + "tenima5715.api.example", + "iusmo901.www.home" ], "related.ip": [ "10.2.24.156", "10.92.93.236" ], "related.user": [ - "ntoccae", "Sedutper", + "ntoccae", "dolorsistatuscode=acc", "ulpaq" ], @@ -2045,8 +2045,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "block", - "icons" + "icons", + "block" ], "rsa.misc.comments": "porincid", "rsa.misc.content_type": "temvele", @@ -2124,8 +2124,8 @@ "10.202.65.2" ], "related.user": [ - "iscivelistatuscode=urve", "tasu", + "iscivelistatuscode=urve", "atatno" ], "rsa.db.index": "amrem", @@ -2135,8 +2135,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "mquisn", - "cancel" + "cancel", + "mquisn" ], "rsa.misc.comments": "architec", "rsa.misc.content_type": "atisetqu", @@ -2314,12 +2314,12 @@ "obea2960.mail.corp" ], "related.ip": [ - "10.45.12.53", - "10.33.138.154" + "10.33.138.154", + "10.45.12.53" ], "related.user": [ - "porincid", "umqustatuscode=ntexpli", + "porincid", "eturadip" ], "rsa.db.index": "dolor", @@ -2329,8 +2329,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "doc", - "cancel" + "cancel", + "doc" ], "rsa.misc.comments": "riosam", "rsa.misc.content_type": "iusmo", @@ -2481,8 +2481,8 @@ "10.32.85.21" ], "related.user": [ - "etconsec", - "antium" + "antium", + "etconsec" ], "rsa.identity.logon_type": "umiurere", "rsa.internal.event_desc": "serro", @@ -2632,10 +2632,10 @@ "10.85.200.58" ], "related.user": [ - "reetd", + "rExce", "inimastatuscode=emipsum", "Loremi", - "rExce" + "reetd" ], "rsa.db.index": "apa", "rsa.identity.logon_type": "sedquia", @@ -2644,8 +2644,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "odte", - "cancel" + "cancel", + "odte" ], "rsa.misc.comments": "emquia", "rsa.misc.content_type": "sauteir", @@ -3161,8 +3161,8 @@ "observer.vendor": "Sophos", "process.pid": 2389, "related.hosts": [ - "utemvele1838.mail.test", - "seosquir715.local" + "seosquir715.local", + "utemvele1838.mail.test" ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "rci", @@ -3619,8 +3619,8 @@ "10.96.200.83" ], "related.user": [ - "acommod", - "lapariat" + "lapariat", + "acommod" ], "rsa.identity.logon_type": "remeumf", "rsa.internal.event_desc": "dol", diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml index b6799880e406..c7baa2772dca 100644 --- a/x-pack/filebeat/module/squid/log/config/input.yml +++ b/x-pack/filebeat/module/squid/log/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/squid/log/config/liblogparser.js b/x-pack/filebeat/module/squid/log/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/squid/log/config/liblogparser.js +++ b/x-pack/filebeat/module/squid/log/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/squid/log/config/pipeline.js b/x-pack/filebeat/module/squid/log/config/pipeline.js index 52efb91440b5..a22887a226cc 100644 --- a/x-pack/filebeat/module/squid/log/config/pipeline.js +++ b/x-pack/filebeat/module/squid/log/config/pipeline.js @@ -131,7 +131,7 @@ var dup20 = match("MESSAGE#22:PUT:01", "nwparser.payload", "%{event_time_string} dup12, ])); -var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{payload}", processor_chain([ +var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20->} %{fld21}] \"%{messageid->} %{p0}", processor_chain([ setc("header_id","0001"), call({ dest: "nwparser.payload", @@ -147,12 +147,12 @@ var hdr1 = match("HEADER#0:0001", "message", "%{hsaddr->} %{hsport->} [%{fld20-> constant("] \""), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); -var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{payload}", processor_chain([ +var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduration->} %{hsaddr->} %{haction}/%{hresultcode->} %{hsbytes->} %{messageid->} %{p0}", processor_chain([ setc("header_id","0002"), call({ dest: "nwparser.payload", @@ -172,7 +172,7 @@ var hdr2 = match("HEADER#1:0002", "message", "%{hevent_time_string->} %{hduratio constant(" "), field("messageid"), constant(" "), - field("payload"), + field("p0"), ], }), ])); diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml index 9a8f547c6d1c..d2bf90581b81 100644 --- a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml @@ -55,14 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{server.domain}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.server?.domain != null && ctx.server?.domain != '' - - append: - field: related.hosts - value: '{{url.domain}}' - allow_duplicates: false - if: ctx?.url?.domain != null && ctx.url?.domain != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/squid/log/manifest.yml b/x-pack/filebeat/module/squid/log/manifest.yml index 8ae24b8f1470..6e909b014f51 100644 --- a/x-pack/filebeat/module/squid/log/manifest.yml +++ b/x-pack/filebeat/module/squid/log/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9520 + default: 9537 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index e9284eed5548..a96c175cdc49 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -37,8 +37,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -48,6 +48,9 @@ "rsa.time.event_time_str": "1157689312", "rsa.web.alias_host": "login.yahoo.com", "server.domain": "login.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "login", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 19763, "source.ip": [ @@ -59,6 +62,9 @@ ], "url.domain": "login.yahoo.com", "url.original": "login.yahoo.com:443", + "url.registered_domain": "yahoo.com", + "url.subdomain": "login", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -103,8 +109,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -114,6 +120,9 @@ "rsa.time.event_time_str": "1157689320", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 10182, "source.ip": [ @@ -125,6 +134,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -170,8 +182,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -181,6 +193,9 @@ "rsa.time.event_time_str": "1157689320", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 214, "source.ip": [ @@ -192,6 +207,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/styles.css", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -234,6 +252,9 @@ "rsa.time.event_time_str": "1157689321", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1464, "source.ip": [ @@ -245,6 +266,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/styles.css", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -287,6 +311,9 @@ "rsa.time.event_time_str": "1157689322", "rsa.web.alias_host": "www.google-analytics.com", "server.domain": "www.google-analytics.com", + "server.registered_domain": "google-analytics.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 5626, "source.ip": [ @@ -298,6 +325,9 @@ ], "url.domain": "www.google-analytics.com", "url.original": "http://www.google-analytics.com/urchin.js", + "url.registered_domain": "google-analytics.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -342,8 +372,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -353,6 +383,9 @@ "rsa.time.event_time_str": "1157689323", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 30169, "source.ip": [ @@ -364,6 +397,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -406,8 +442,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -417,6 +453,9 @@ "rsa.time.event_time_str": "1157689324", "rsa.web.alias_host": "www.google-analytics.com", "server.domain": "www.google-analytics.com", + "server.registered_domain": "google-analytics.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 399, "source.ip": [ @@ -428,6 +467,9 @@ ], "url.domain": "www.google-analytics.com", "url.original": "http://www.google-analytics.com/__utm.gif?", + "url.registered_domain": "google-analytics.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -461,8 +503,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -484,6 +526,9 @@ "rsa.time.event_time_str": "1157689324", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 215, "source.ip": [ @@ -495,6 +540,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/graphics/newslogo.gif", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -540,8 +588,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -551,6 +599,9 @@ "rsa.time.event_time_str": "1157689324", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 215, "source.ip": [ @@ -562,6 +613,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/shop/arsenal_shop_ad.jpg", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -618,6 +672,9 @@ "rsa.time.event_time_str": "1157689325", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 214, "source.ip": [ @@ -629,6 +686,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/flags/FUS.gif", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -671,6 +731,9 @@ "rsa.time.event_time_str": "1157689325", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1353, "source.ip": [ @@ -682,6 +745,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/flags/FGB.gif", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -727,8 +793,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -738,6 +804,9 @@ "rsa.time.event_time_str": "1157689325", "rsa.web.alias_host": "as.casalemedia.com", "server.domain": "as.casalemedia.com", + "server.registered_domain": "casalemedia.com", + "server.subdomain": "as", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1013, "source.ip": [ @@ -749,6 +818,9 @@ ], "url.domain": "as.casalemedia.com", "url.original": "http://as.casalemedia.com/s?", + "url.registered_domain": "casalemedia.com", + "url.subdomain": "as", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -787,8 +859,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -798,6 +870,9 @@ "rsa.time.event_time_str": "1157689326", "rsa.web.alias_host": "us.bc.yahoo.com", "server.domain": "us.bc.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "us.bc", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1845, "source.ip": [ @@ -809,6 +884,9 @@ ], "url.domain": "us.bc.yahoo.com", "url.original": "us.bc.yahoo.com:443", + "url.registered_domain": "yahoo.com", + "url.subdomain": "us.bc", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -862,6 +940,9 @@ "rsa.time.event_time_str": "1157689327", "rsa.web.alias_host": "impgb.tradedoubler.com", "server.domain": "impgb.tradedoubler.com", + "server.registered_domain": "tradedoubler.com", + "server.subdomain": "impgb", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 729, "source.ip": [ @@ -873,6 +954,9 @@ ], "url.domain": "impgb.tradedoubler.com", "url.original": "http://impgb.tradedoubler.com/imp/img/16349696/992098", + "url.registered_domain": "tradedoubler.com", + "url.subdomain": "impgb", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -906,8 +990,8 @@ "4.adbrite.com" ], "related.ip": [ - "206.169.136.22", - "10.105.21.199" + "10.105.21.199", + "206.169.136.22" ], "related.user": [ "badeyek" @@ -929,6 +1013,9 @@ "rsa.time.event_time_str": "1157689327", "rsa.web.alias_host": "4.adbrite.com", "server.domain": "4.adbrite.com", + "server.registered_domain": "adbrite.com", + "server.subdomain": "4", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1577, "source.ip": [ @@ -940,6 +1027,9 @@ ], "url.domain": "4.adbrite.com", "url.original": "http://4.adbrite.com/mb/text_group.php?", + "url.registered_domain": "adbrite.com", + "url.subdomain": "4", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -971,8 +1061,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -982,6 +1072,9 @@ "rsa.time.event_time_str": "1157689327", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1353, "source.ip": [ @@ -993,6 +1086,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/flags/FFR.gif", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -1026,8 +1122,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1049,6 +1145,9 @@ "rsa.time.event_time_str": "1157689329", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 214, "source.ip": [ @@ -1060,6 +1159,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/flags/FAU.gif", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -1093,8 +1195,8 @@ "www.goonernews.com" ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1105,8 +1207,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1116,6 +1218,9 @@ "rsa.time.event_time_str": "1157689329", "rsa.web.alias_host": "www.goonernews.com", "server.domain": "www.goonernews.com", + "server.registered_domain": "goonernews.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 213, "source.ip": [ @@ -1127,6 +1232,9 @@ ], "url.domain": "www.goonernews.com", "url.original": "http://www.goonernews.com/graphics/spacer.gif", + "url.registered_domain": "goonernews.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -1155,8 +1263,8 @@ "4.adbrite.com" ], "related.ip": [ - "64.127.126.178", - "10.105.21.199" + "10.105.21.199", + "64.127.126.178" ], "related.user": [ "badeyek" @@ -1178,6 +1286,9 @@ "rsa.time.event_time_str": "1157689330", "rsa.web.alias_host": "4.adbrite.com", "server.domain": "4.adbrite.com", + "server.registered_domain": "adbrite.com", + "server.subdomain": "4", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1784, "source.ip": [ @@ -1189,6 +1300,9 @@ ], "url.domain": "4.adbrite.com", "url.original": "http://4.adbrite.com/mb/text_group.php?", + "url.registered_domain": "adbrite.com", + "url.subdomain": "4", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -1245,6 +1359,9 @@ "rsa.time.event_time_str": "1157689331", "rsa.web.alias_host": "ff.connextra.com", "server.domain": "ff.connextra.com", + "server.registered_domain": "connextra.com", + "server.subdomain": "ff", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 851, "source.ip": [ @@ -1256,6 +1373,9 @@ ], "url.domain": "ff.connextra.com", "url.original": "http://ff.connextra.com/Ladbrokes/selector/image?", + "url.registered_domain": "connextra.com", + "url.subdomain": "ff", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -1289,8 +1409,8 @@ "dd.connextra.com" ], "related.ip": [ - "213.160.98.160", - "10.105.21.199" + "10.105.21.199", + "213.160.98.160" ], "related.user": [ "badeyek" @@ -1312,6 +1432,9 @@ "rsa.time.event_time_str": "1157689335", "rsa.web.alias_host": "dd.connextra.com", "server.domain": "dd.connextra.com", + "server.registered_domain": "connextra.com", + "server.subdomain": "dd", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 30904, "source.ip": [ @@ -1323,6 +1446,9 @@ ], "url.domain": "dd.connextra.com", "url.original": "http://dd.connextra.com/servlet/controller?", + "url.registered_domain": "connextra.com", + "url.subdomain": "dd", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -1353,8 +1479,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1364,6 +1490,8 @@ "rsa.time.event_time_str": "1157689337", "rsa.web.alias_host": "hi5.com", "server.domain": "hi5.com", + "server.registered_domain": "hi5.com", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1661, "source.ip": [ @@ -1375,6 +1503,8 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", + "url.registered_domain": "hi5.com", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -1415,8 +1545,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1426,6 +1556,9 @@ "rsa.time.event_time_str": "1157689342", "rsa.web.alias_host": "login.yahoo.com", "server.domain": "login.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "login", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 12569, "source.ip": [ @@ -1437,6 +1570,9 @@ ], "url.domain": "login.yahoo.com", "url.original": "login.yahoo.com:443", + "url.registered_domain": "yahoo.com", + "url.subdomain": "login", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -1479,6 +1615,9 @@ "rsa.time.event_time_str": "1157689343", "rsa.web.alias_host": "update.messenger.yahoo.com", "server.domain": "update.messenger.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "update.messenger", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1752, "source.ip": [ @@ -1490,6 +1629,9 @@ ], "url.domain": "update.messenger.yahoo.com", "url.original": "http://update.messenger.yahoo.com/msgrcli7.html", + "url.registered_domain": "yahoo.com", + "url.subdomain": "update.messenger", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -1519,8 +1661,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -1530,8 +1672,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1541,6 +1683,9 @@ "rsa.time.event_time_str": "1157689343", "rsa.web.alias_host": "shttp.msg.yahoo.com", "server.domain": "shttp.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "shttp.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 484, "source.ip": [ @@ -1552,6 +1697,9 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", + "url.registered_domain": "yahoo.com", + "url.subdomain": "shttp.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -1584,8 +1732,8 @@ "hi5.com" ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1596,8 +1744,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1607,6 +1755,8 @@ "rsa.time.event_time_str": "1157689344", "rsa.web.alias_host": "hi5.com", "server.domain": "hi5.com", + "server.registered_domain": "hi5.com", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 29359, "source.ip": [ @@ -1618,6 +1768,8 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", + "url.registered_domain": "hi5.com", + "url.top_level_domain": "com", "user.name": "nazsoau" }, { @@ -1663,8 +1815,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1674,6 +1826,8 @@ "rsa.time.event_time_str": "1157689344", "rsa.web.alias_host": "hi5.com", "server.domain": "hi5.com", + "server.registered_domain": "hi5.com", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 5930, "source.ip": [ @@ -1685,6 +1839,8 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/friend/styles/homepage.css", + "url.registered_domain": "hi5.com", + "url.top_level_domain": "com", "user.name": "nazsoau" }, { @@ -1714,8 +1870,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -1725,8 +1881,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1736,6 +1892,9 @@ "rsa.time.event_time_str": "1157689345", "rsa.web.alias_host": "shttp.msg.yahoo.com", "server.domain": "shttp.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "shttp.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1645, "source.ip": [ @@ -1747,6 +1906,9 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", + "url.registered_domain": "yahoo.com", + "url.subdomain": "shttp.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -1778,8 +1940,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1789,6 +1951,9 @@ "rsa.time.event_time_str": "1157689346", "rsa.web.alias_host": "rms.adobe.com", "server.domain": "rms.adobe.com", + "server.registered_domain": "adobe.com", + "server.subdomain": "rms", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1812, "source.ip": [ @@ -1800,6 +1965,9 @@ ], "url.domain": "rms.adobe.com", "url.original": "http://rms.adobe.com/read/0600/win_/ENU/read0600win_ENUadbe0000.xml", + "url.registered_domain": "adobe.com", + "url.subdomain": "rms", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -1831,8 +1999,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1842,6 +2010,9 @@ "rsa.time.event_time_str": "1157689347", "rsa.web.alias_host": "images.hi5.com", "server.domain": "images.hi5.com", + "server.registered_domain": "hi5.com", + "server.subdomain": "images", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 217, "source.ip": [ @@ -1853,6 +2024,9 @@ ], "url.domain": "images.hi5.com", "url.original": "http://images.hi5.com/styles/style.css", + "url.registered_domain": "hi5.com", + "url.subdomain": "images", + "url.top_level_domain": "com", "user.name": "nazsoau" }, { @@ -1895,6 +2069,9 @@ "rsa.time.event_time_str": "1157689347", "rsa.web.alias_host": "images.hi5.com", "server.domain": "images.hi5.com", + "server.registered_domain": "hi5.com", + "server.subdomain": "images", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 217, "source.ip": [ @@ -1906,6 +2083,9 @@ ], "url.domain": "images.hi5.com", "url.original": "http://images.hi5.com/friend/styles/buttons_en_us.css", + "url.registered_domain": "hi5.com", + "url.subdomain": "images", + "url.top_level_domain": "com", "user.name": "nazsoau" }, { @@ -1938,8 +2118,8 @@ "hi5.com" ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1961,6 +2141,8 @@ "rsa.time.event_time_str": "1157689347", "rsa.web.alias_host": "hi5.com", "server.domain": "hi5.com", + "server.registered_domain": "hi5.com", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 27799, "source.ip": [ @@ -1972,6 +2154,8 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/", + "url.registered_domain": "hi5.com", + "url.top_level_domain": "com", "user.name": "nazsoau" }, { @@ -2005,8 +2189,8 @@ "hi5.com" ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -2017,8 +2201,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -2028,6 +2212,8 @@ "rsa.time.event_time_str": "1157689349", "rsa.web.alias_host": "hi5.com", "server.domain": "hi5.com", + "server.registered_domain": "hi5.com", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 4470, "source.ip": [ @@ -2039,6 +2225,8 @@ ], "url.domain": "hi5.com", "url.original": "http://hi5.com/friend/styles/headernav.css", + "url.registered_domain": "hi5.com", + "url.top_level_domain": "com", "user.name": "nazsoau" }, { @@ -2079,8 +2267,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2090,6 +2278,9 @@ "rsa.time.event_time_str": "1157689350", "rsa.web.alias_host": "shttp.msg.yahoo.com", "server.domain": "shttp.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "shttp.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 382, "source.ip": [ @@ -2101,6 +2292,9 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", + "url.registered_domain": "yahoo.com", + "url.subdomain": "shttp.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2128,8 +2322,8 @@ "insider.msg.yahoo.com" ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2151,6 +2345,9 @@ "rsa.time.event_time_str": "1157689353", "rsa.web.alias_host": "insider.msg.yahoo.com", "server.domain": "insider.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "insider.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 24095, "source.ip": [ @@ -2162,6 +2359,9 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "insider.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2192,8 +2392,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2204,8 +2404,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2215,6 +2415,9 @@ "rsa.time.event_time_str": "1157689353", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 22964, "source.ip": [ @@ -2226,6 +2429,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/play/playmessenger.asp", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2255,8 +2461,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2277,6 +2483,9 @@ "rsa.time.event_time_str": "1157689354", "rsa.web.alias_host": "shttp.msg.yahoo.com", "server.domain": "shttp.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "shttp.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 646, "source.ip": [ @@ -2288,6 +2497,9 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", + "url.registered_domain": "yahoo.com", + "url.subdomain": "shttp.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2316,8 +2528,8 @@ "address.yahoo.com" ], "related.ip": [ - "209.191.93.51", - "10.105.33.214" + "10.105.33.214", + "209.191.93.51" ], "related.user": [ "adeolaegbedokun" @@ -2339,6 +2551,9 @@ "rsa.time.event_time_str": "1157689355", "rsa.web.alias_host": "address.yahoo.com", "server.domain": "address.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "address", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 699, "source.ip": [ @@ -2350,6 +2565,9 @@ ], "url.domain": "address.yahoo.com", "url.original": "http://address.yahoo.com/yab/us?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "address", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2395,8 +2613,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2406,6 +2624,9 @@ "rsa.time.event_time_str": "1157689356", "rsa.web.alias_host": "fxfeeds.mozilla.org", "server.domain": "fxfeeds.mozilla.org", + "server.registered_domain": "mozilla.org", + "server.subdomain": "fxfeeds", + "server.top_level_domain": "org", "service.type": "squid", "source.bytes": 734, "source.ip": [ @@ -2417,6 +2638,9 @@ ], "url.domain": "fxfeeds.mozilla.org", "url.original": "http://fxfeeds.mozilla.org/rss20.xml", + "url.registered_domain": "mozilla.org", + "url.subdomain": "fxfeeds", + "url.top_level_domain": "org", "user.name": "badeyek" }, { @@ -2469,6 +2693,9 @@ "rsa.time.event_time_str": "1157689357", "rsa.web.alias_host": "insider.msg.yahoo.com", "server.domain": "insider.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "insider.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 31400, "source.ip": [ @@ -2480,6 +2707,9 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "insider.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2507,8 +2737,8 @@ "insider.msg.yahoo.com" ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2530,6 +2760,9 @@ "rsa.time.event_time_str": "1157689357", "rsa.web.alias_host": "insider.msg.yahoo.com", "server.domain": "insider.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "insider.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 21152, "source.ip": [ @@ -2541,6 +2774,9 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "insider.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2581,6 +2817,9 @@ "rsa.time.event_time_str": "1157689358", "rsa.web.alias_host": "us.mcafee.com", "server.domain": "us.mcafee.com", + "server.registered_domain": "mcafee.com", + "server.subdomain": "us", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1667, "source.ip": [ @@ -2592,6 +2831,9 @@ ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", + "url.registered_domain": "mcafee.com", + "url.subdomain": "us", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -2622,8 +2864,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2633,6 +2875,9 @@ "rsa.time.event_time_str": "1157689358", "rsa.web.alias_host": "us.mcafee.com", "server.domain": "us.mcafee.com", + "server.registered_domain": "mcafee.com", + "server.subdomain": "us", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1767, "source.ip": [ @@ -2644,6 +2889,9 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "url.registered_domain": "mcafee.com", + "url.subdomain": "us", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -2674,8 +2922,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2685,6 +2933,9 @@ "rsa.time.event_time_str": "1157689358", "rsa.web.alias_host": "us.mcafee.com", "server.domain": "us.mcafee.com", + "server.registered_domain": "mcafee.com", + "server.subdomain": "us", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1761, "source.ip": [ @@ -2696,6 +2947,9 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "url.registered_domain": "mcafee.com", + "url.subdomain": "us", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -2725,8 +2979,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2736,6 +2990,9 @@ "rsa.time.event_time_str": "1157689358", "rsa.web.alias_host": "us.mcafee.com", "server.domain": "us.mcafee.com", + "server.registered_domain": "mcafee.com", + "server.subdomain": "us", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1667, "source.ip": [ @@ -2747,6 +3004,9 @@ ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", + "url.registered_domain": "mcafee.com", + "url.subdomain": "us", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -2789,8 +3049,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2800,6 +3060,9 @@ "rsa.time.event_time_str": "1157689358", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 512, "source.ip": [ @@ -2811,6 +3074,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2851,6 +3117,9 @@ "rsa.time.event_time_str": "1157689358", "rsa.web.alias_host": "us.mcafee.com", "server.domain": "us.mcafee.com", + "server.registered_domain": "mcafee.com", + "server.subdomain": "us", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1667, "source.ip": [ @@ -2862,6 +3131,9 @@ ], "url.domain": "us.mcafee.com", "url.original": "us.mcafee.com:443", + "url.registered_domain": "mcafee.com", + "url.subdomain": "us", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -2892,8 +3164,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2915,6 +3187,9 @@ "rsa.time.event_time_str": "1157689359", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 512, "source.ip": [ @@ -2926,6 +3201,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_stations_over.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -2955,8 +3233,8 @@ "shttp.msg.yahoo.com" ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2966,8 +3244,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2977,6 +3255,9 @@ "rsa.time.event_time_str": "1157689359", "rsa.web.alias_host": "shttp.msg.yahoo.com", "server.domain": "shttp.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "shttp.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 362, "source.ip": [ @@ -2988,6 +3269,9 @@ ], "url.domain": "shttp.msg.yahoo.com", "url.original": "http://shttp.msg.yahoo.com/notify/", + "url.registered_domain": "yahoo.com", + "url.subdomain": "shttp.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3018,8 +3302,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3041,6 +3325,9 @@ "rsa.time.event_time_str": "1157689359", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 511, "source.ip": [ @@ -3052,6 +3339,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_left.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3105,6 +3395,9 @@ "rsa.time.event_time_str": "1157689360", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 512, "source.ip": [ @@ -3116,6 +3409,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/launchcast_radio.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3157,6 +3453,9 @@ "rsa.time.event_time_str": "1157689360", "rsa.web.alias_host": "us.mcafee.com", "server.domain": "us.mcafee.com", + "server.registered_domain": "mcafee.com", + "server.subdomain": "us", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1767, "source.ip": [ @@ -3168,6 +3467,9 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/submgr/appinstru.asp", + "url.registered_domain": "mcafee.com", + "url.subdomain": "us", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -3198,8 +3500,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "POST" + "POST", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -3209,6 +3511,9 @@ "rsa.time.event_time_str": "1157689361", "rsa.web.alias_host": "us.mcafee.com", "server.domain": "us.mcafee.com", + "server.registered_domain": "mcafee.com", + "server.subdomain": "us", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1761, "source.ip": [ @@ -3220,6 +3525,9 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/submgr/appsync.asp", + "url.registered_domain": "mcafee.com", + "url.subdomain": "us", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -3273,6 +3581,9 @@ "rsa.time.event_time_str": "1157689361", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 512, "source.ip": [ @@ -3284,6 +3595,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_right.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3314,8 +3628,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3337,6 +3651,9 @@ "rsa.time.event_time_str": "1157689361", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 512, "source.ip": [ @@ -3348,6 +3665,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_center.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3390,8 +3710,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3401,6 +3721,9 @@ "rsa.time.event_time_str": "1157689362", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 512, "source.ip": [ @@ -3412,6 +3735,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_off.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3454,8 +3780,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3465,6 +3791,9 @@ "rsa.time.event_time_str": "1157689362", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 512, "source.ip": [ @@ -3476,6 +3805,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3518,6 +3850,9 @@ "rsa.time.event_time_str": "1157689362", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 218, "source.ip": [ @@ -3529,6 +3864,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/images/btn_off_state_station.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3571,6 +3909,9 @@ "rsa.time.event_time_str": "1157689362", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 218, "source.ip": [ @@ -3582,6 +3923,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/538/skins/1/images/bg_controls_fill.gif", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3624,6 +3968,9 @@ "rsa.time.event_time_str": "1157689362", "rsa.web.alias_host": "us.i1.yimg.com", "server.domain": "us.i1.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.i1", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 2263, "source.ip": [ @@ -3635,6 +3982,9 @@ ], "url.domain": "us.i1.yimg.com", "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/toolbar50x50.gif", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.i1", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3688,6 +4038,9 @@ "rsa.time.event_time_str": "1157689363", "rsa.web.alias_host": "newsrss.bbc.co.uk", "server.domain": "newsrss.bbc.co.uk", + "server.registered_domain": "bbc.co.uk", + "server.subdomain": "newsrss", + "server.top_level_domain": "co.uk", "service.type": "squid", "source.bytes": 17396, "source.ip": [ @@ -3699,6 +4052,9 @@ ], "url.domain": "newsrss.bbc.co.uk", "url.original": "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml", + "url.registered_domain": "bbc.co.uk", + "url.subdomain": "newsrss", + "url.top_level_domain": "co.uk", "user.name": "badeyek" }, { @@ -3752,6 +4108,9 @@ "rsa.time.event_time_str": "1157689364", "rsa.web.alias_host": "insider.msg.yahoo.com", "server.domain": "insider.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "insider.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 407, "source.ip": [ @@ -3763,6 +4122,9 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php", + "url.registered_domain": "yahoo.com", + "url.subdomain": "insider.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3794,8 +4156,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "304", @@ -3805,6 +4167,9 @@ "rsa.time.event_time_str": "1157689364", "rsa.web.alias_host": "us.ent1.yimg.com", "server.domain": "us.ent1.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.ent1", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 219, "source.ip": [ @@ -3816,6 +4181,9 @@ ], "url.domain": "us.ent1.yimg.com", "url.original": "http://us.ent1.yimg.com/images.launch.yahoo.com/000/032/457/32457654.jpg", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.ent1", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3858,6 +4226,9 @@ "rsa.time.event_time_str": "1157689364", "rsa.web.alias_host": "us.news1.yimg.com", "server.domain": "us.news1.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.news1", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 10593, "source.ip": [ @@ -3869,6 +4240,9 @@ ], "url.domain": "us.news1.yimg.com", "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060906/thumb.71d29ded334347c48ac88433d033c9a9.pakistan_bin_laden_nyol440.jpg", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.news1", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3921,6 +4295,9 @@ "rsa.time.event_time_str": "1157689365", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1270, "source.ip": [ @@ -3932,6 +4309,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -3988,6 +4368,9 @@ "rsa.time.event_time_str": "1157689366", "rsa.web.alias_host": "us.news1.yimg.com", "server.domain": "us.news1.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.news1", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 10519, "source.ip": [ @@ -3999,6 +4382,9 @@ ], "url.domain": "us.news1.yimg.com", "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060908/thumb.443f57762d7349669f609fbf0c97a5f1.academy_awards_host_cacp101.jpg", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.news1", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4041,8 +4427,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -4052,6 +4438,9 @@ "rsa.time.event_time_str": "1157689368", "rsa.web.alias_host": "radio.music.yahoo.com", "server.domain": "radio.music.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.music", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 515, "source.ip": [ @@ -4063,6 +4452,9 @@ ], "url.domain": "radio.music.yahoo.com", "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.music", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4093,8 +4485,8 @@ "radio.music.yahoo.com" ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4116,6 +4508,9 @@ "rsa.time.event_time_str": "1157689368", "rsa.web.alias_host": "radio.music.yahoo.com", "server.domain": "radio.music.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.music", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 14411, "source.ip": [ @@ -4127,6 +4522,9 @@ ], "url.domain": "radio.music.yahoo.com", "url.original": "http://radio.music.yahoo.com/radio/player/ymsgr/initstationfeed.asp?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.music", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4157,8 +4555,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4180,6 +4578,9 @@ "rsa.time.event_time_str": "1157689368", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1627, "source.ip": [ @@ -4191,6 +4592,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/play/authplay.asp?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4222,8 +4626,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4233,6 +4637,9 @@ "rsa.time.event_time_str": "1157689369", "rsa.web.alias_host": "natrocket.kmip.net", "server.domain": "natrocket.kmip.net", + "server.registered_domain": "kmip.net", + "server.subdomain": "natrocket", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 1728, "source.ip": [ @@ -4244,6 +4651,9 @@ ], "url.domain": "natrocket.kmip.net", "url.original": "http://natrocket.kmip.net:5288/iesocks?", + "url.registered_domain": "kmip.net", + "url.subdomain": "natrocket", + "url.top_level_domain": "net", "user.name": "-" }, { @@ -4275,8 +4685,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4286,6 +4696,9 @@ "rsa.time.event_time_str": "1157689369", "rsa.web.alias_host": "natrocket.kmip.net", "server.domain": "natrocket.kmip.net", + "server.registered_domain": "kmip.net", + "server.subdomain": "natrocket", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 1725, "source.ip": [ @@ -4297,6 +4710,9 @@ ], "url.domain": "natrocket.kmip.net", "url.original": "http://natrocket.kmip.net:5288/return?", + "url.registered_domain": "kmip.net", + "url.subdomain": "natrocket", + "url.top_level_domain": "net", "user.name": "-" }, { @@ -4330,8 +4746,8 @@ "us.news1.yimg.com" ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4342,8 +4758,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -4353,6 +4769,9 @@ "rsa.time.event_time_str": "1157689370", "rsa.web.alias_host": "us.news1.yimg.com", "server.domain": "us.news1.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.news1", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 13124, "source.ip": [ @@ -4364,6 +4783,9 @@ ], "url.domain": "us.news1.yimg.com", "url.original": "http://us.news1.yimg.com/us.yimg.com/p/ap/20060907/thumb.1caf18e56db54eafb16da58356eb3382.amazon_com_online_video_watw101.jpg", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.news1", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4394,8 +4816,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4417,6 +4839,9 @@ "rsa.time.event_time_str": "1157689370", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 912, "source.ip": [ @@ -4428,6 +4853,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/clientdata/515/starter.asp?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4458,8 +4886,8 @@ "radio.launch.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4481,6 +4909,9 @@ "rsa.time.event_time_str": "1157689371", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1450, "source.ip": [ @@ -4492,6 +4923,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/player/default.asp?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4525,8 +4959,8 @@ "us.a2.yimg.com" ], "related.ip": [ - "213.160.98.152", - "10.105.33.214" + "10.105.33.214", + "213.160.98.152" ], "related.user": [ "adeolaegbedokun" @@ -4548,6 +4982,9 @@ "rsa.time.event_time_str": "1157689371", "rsa.web.alias_host": "us.a2.yimg.com", "server.domain": "us.a2.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.a2", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 30432, "source.ip": [ @@ -4559,6 +4996,9 @@ ], "url.domain": "us.a2.yimg.com", "url.original": "http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/081106_lrec_msgr_interophitchhiker.swf?", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.a2", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4601,8 +5041,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4612,6 +5052,9 @@ "rsa.time.event_time_str": "1157689373", "rsa.web.alias_host": "radio.launch.yahoo.com", "server.domain": "radio.launch.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "radio.launch", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 14643, "source.ip": [ @@ -4623,6 +5066,9 @@ ], "url.domain": "radio.launch.yahoo.com", "url.original": "http://radio.launch.yahoo.com/radio/player/stickwall.asp?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "radio.launch", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4651,8 +5097,8 @@ "us.bc.yahoo.com" ], "related.ip": [ - "68.142.213.132", - "10.105.33.214" + "10.105.33.214", + "68.142.213.132" ], "related.user": [ "adeolaegbedokun" @@ -4674,6 +5120,9 @@ "rsa.time.event_time_str": "1157689374", "rsa.web.alias_host": "us.bc.yahoo.com", "server.domain": "us.bc.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "us.bc", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 425, "source.ip": [ @@ -4685,6 +5134,9 @@ ], "url.domain": "us.bc.yahoo.com", "url.original": "http://us.bc.yahoo.com/b?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "us.bc", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4725,8 +5177,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4736,6 +5188,9 @@ "rsa.time.event_time_str": "1157689376", "rsa.web.alias_host": "insider.msg.yahoo.com", "server.domain": "insider.msg.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "insider.msg", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 407, "source.ip": [ @@ -4747,6 +5202,9 @@ ], "url.domain": "insider.msg.yahoo.com", "url.original": "http://insider.msg.yahoo.com/ycontent/beacon.php;_ylc=X1MDNTcwMzAyODMEX3IDMgRldnQDdDAEaW50bAN1cwR2ZXIDNywwLDIsMTIw?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "insider.msg", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4774,8 +5232,8 @@ "pclick.internal.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "216.109.124.55" + "216.109.124.55", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4785,8 +5243,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4796,6 +5254,9 @@ "rsa.time.event_time_str": "1157689377", "rsa.web.alias_host": "pclick.internal.yahoo.com", "server.domain": "pclick.internal.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "pclick.internal", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1476, "source.ip": [ @@ -4807,6 +5268,9 @@ ], "url.domain": "pclick.internal.yahoo.com", "url.original": "pclick.internal.yahoo.com:443", + "url.registered_domain": "yahoo.com", + "url.subdomain": "pclick.internal", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -4849,6 +5313,9 @@ "rsa.time.event_time_str": "1157689377", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 233, "source.ip": [ @@ -4860,6 +5327,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20051025184124/radio.launch.yahoo.com/radioapi/includes/js/compVersionedJS/rapiBridge_1_4.js", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -4916,6 +5386,9 @@ "rsa.time.event_time_str": "1157689377", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 236, "source.ip": [ @@ -4927,6 +5400,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222754/radio.launch.yahoo.com/radio/clientdata/515/other.css", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -4972,8 +5448,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4983,6 +5459,9 @@ "rsa.time.event_time_str": "1157689378", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 238, "source.ip": [ @@ -4994,6 +5473,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_left.gif", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -5045,6 +5527,9 @@ "rsa.time.event_time_str": "1157689378", "rsa.web.alias_host": "login.yahoo.com", "server.domain": "login.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "login", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 2681, "source.ip": [ @@ -5056,6 +5541,9 @@ ], "url.domain": "login.yahoo.com", "url.original": "login.yahoo.com:443", + "url.registered_domain": "yahoo.com", + "url.subdomain": "login", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -5089,8 +5577,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5101,8 +5589,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -5112,6 +5600,9 @@ "rsa.time.event_time_str": "1157689378", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 136, "source.ip": [ @@ -5123,6 +5614,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20050829181418/radio.launch.yahoo.com/radio/common_radio/resources/images/noaccess_msgr_uk.gif", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -5156,8 +5650,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5168,8 +5662,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5179,6 +5673,9 @@ "rsa.time.event_time_str": "1157689378", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 237, "source.ip": [ @@ -5190,6 +5687,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_right.gif", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -5221,8 +5721,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5232,6 +5732,9 @@ "rsa.time.event_time_str": "1157689378", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 218, "source.ip": [ @@ -5243,6 +5746,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222807/radio.launch.yahoo.com/radio/common_radio/resources/images/t.gif", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -5276,8 +5782,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5299,6 +5805,9 @@ "rsa.time.event_time_str": "1157689379", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 238, "source.ip": [ @@ -5310,6 +5819,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_off.gif", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -5343,8 +5855,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -5366,6 +5878,9 @@ "rsa.time.event_time_str": "1157689379", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 238, "source.ip": [ @@ -5377,6 +5892,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222756/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_center.gif", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -5410,8 +5928,8 @@ "a1568.g.akamai.net" ], "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" @@ -5433,6 +5951,9 @@ "rsa.time.event_time_str": "1157689380", "rsa.web.alias_host": "a1568.g.akamai.net", "server.domain": "a1568.g.akamai.net", + "server.registered_domain": "akamai.net", + "server.subdomain": "a1568.g", + "server.top_level_domain": "net", "service.type": "squid", "source.bytes": 238, "source.ip": [ @@ -5444,6 +5965,9 @@ ], "url.domain": "a1568.g.akamai.net", "url.original": "http://a1568.g.akamai.net/7/1568/1600/20040405222757/radio.launch.yahoo.com/radio/clientdata/515/skins/1/images/bg_controls_fill.gif", + "url.registered_domain": "akamai.net", + "url.subdomain": "a1568.g", + "url.top_level_domain": "net", "user.name": "adeolaegbedokun" }, { @@ -5486,6 +6010,9 @@ "rsa.time.event_time_str": "1157689381", "rsa.web.alias_host": "www.google.com", "server.domain": "www.google.com", + "server.registered_domain": "google.com", + "server.subdomain": "www", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1728, "source.ip": [ @@ -5497,6 +6024,9 @@ ], "url.domain": "www.google.com", "url.original": "http://www.google.com/supported_domains", + "url.registered_domain": "google.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -5539,6 +6069,9 @@ "rsa.time.event_time_str": "1157689381", "rsa.web.alias_host": "us.mcafee.com", "server.domain": "us.mcafee.com", + "server.registered_domain": "mcafee.com", + "server.subdomain": "us", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1782, "source.ip": [ @@ -5550,6 +6083,9 @@ ], "url.domain": "us.mcafee.com", "url.original": "http://us.mcafee.com/apps/agent/en-us/agent5/chknews.asp?", + "url.registered_domain": "mcafee.com", + "url.subdomain": "us", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -5578,8 +6114,8 @@ "launch.adserver.yahoo.com" ], "related.ip": [ - "10.105.33.214", - "216.109.125.112" + "216.109.125.112", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5601,6 +6137,9 @@ "rsa.time.event_time_str": "1157689381", "rsa.web.alias_host": "launch.adserver.yahoo.com", "server.domain": "launch.adserver.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "launch.adserver", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 449, "source.ip": [ @@ -5612,6 +6151,9 @@ ], "url.domain": "launch.adserver.yahoo.com", "url.original": "http://launch.adserver.yahoo.com/l?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "launch.adserver", + "url.top_level_domain": "com", "user.name": "adeolaegbedokun" }, { @@ -5665,6 +6207,9 @@ "rsa.time.event_time_str": "1157689382", "rsa.web.alias_host": "uk.f250.mail.yahoo.com", "server.domain": "uk.f250.mail.yahoo.com", + "server.registered_domain": "yahoo.com", + "server.subdomain": "uk.f250.mail", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 11746, "source.ip": [ @@ -5676,6 +6221,9 @@ ], "url.domain": "uk.f250.mail.yahoo.com", "url.original": "http://uk.f250.mail.yahoo.com/dc/launch?", + "url.registered_domain": "yahoo.com", + "url.subdomain": "uk.f250.mail", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -5705,8 +6253,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5716,6 +6264,9 @@ "rsa.time.event_time_str": "1157689382", "rsa.web.alias_host": "login.live.com", "server.domain": "login.live.com", + "server.registered_domain": "live.com", + "server.subdomain": "login", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1670, "source.ip": [ @@ -5727,6 +6278,9 @@ ], "url.domain": "login.live.com", "url.original": "login.live.com:443", + "url.registered_domain": "live.com", + "url.subdomain": "login", + "url.top_level_domain": "com", "user.name": "-" }, { @@ -5783,6 +6337,9 @@ "rsa.time.event_time_str": "1157689384", "rsa.web.alias_host": "us.js2.yimg.com", "server.domain": "us.js2.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.js2", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 633, "source.ip": [ @@ -5794,6 +6351,9 @@ ], "url.domain": "us.js2.yimg.com", "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/77cf3e56414f974dfd8616f56f0f632c_1.js", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.js2", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -5836,6 +6396,9 @@ "rsa.time.event_time_str": "1157689385", "rsa.web.alias_host": "us.js1.yimg.com", "server.domain": "us.js1.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.js1", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 1742, "source.ip": [ @@ -5847,6 +6410,9 @@ ], "url.domain": "us.js1.yimg.com", "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/hdr/ygma5.css", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.js1", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -5903,6 +6469,9 @@ "rsa.time.event_time_str": "1157689387", "rsa.web.alias_host": "us.js2.yimg.com", "server.domain": "us.js2.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.js2", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 14561, "source.ip": [ @@ -5914,6 +6483,9 @@ ], "url.domain": "us.js2.yimg.com", "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/pim/r/dclient/d/js/uk/f7fc76100697c9c2d25dd0ec35e563b0_1.js", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.js2", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -5956,6 +6528,9 @@ "rsa.time.event_time_str": "1157689387", "rsa.web.alias_host": "us.js1.yimg.com", "server.domain": "us.js1.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.js1", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 68733, "source.ip": [ @@ -5967,6 +6542,9 @@ ], "url.domain": "us.js1.yimg.com", "url.original": "http://us.js1.yimg.com/us.yimg.com/lib/pim/r/medici/13_15/mail/ac.js", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.js1", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -6009,6 +6587,9 @@ "rsa.time.event_time_str": "1157689387", "rsa.web.alias_host": "us.js2.yimg.com", "server.domain": "us.js2.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.js2", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 898, "source.ip": [ @@ -6020,6 +6601,9 @@ ], "url.domain": "us.js2.yimg.com", "url.original": "http://us.js2.yimg.com/us.js.yimg.com/lib/common/utils/2/yahoo_2.0.0-b4.js", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.js2", + "url.top_level_domain": "com", "user.name": "badeyek" }, { @@ -6051,8 +6635,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -6062,6 +6646,9 @@ "rsa.time.event_time_str": "1157689387", "rsa.web.alias_host": "us.i1.yimg.com", "server.domain": "us.i1.yimg.com", + "server.registered_domain": "yimg.com", + "server.subdomain": "us.i1", + "server.top_level_domain": "com", "service.type": "squid", "source.bytes": 26803, "source.ip": [ @@ -6073,6 +6660,9 @@ ], "url.domain": "us.i1.yimg.com", "url.original": "http://us.i1.yimg.com/us.yimg.com/i/us/pim/dclient/d/img/liam_ball_1.gif", + "url.registered_domain": "yimg.com", + "url.subdomain": "us.i1", + "url.top_level_domain": "com", "user.name": "badeyek" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/squid/log/test/generated.log b/x-pack/filebeat/module/squid/log/test/generated.log new file mode 100644 index 000000000000..14078eea6324 --- /dev/null +++ b/x-pack/filebeat/module/squid/log/test/generated.log @@ -0,0 +1,100 @@ +10.251.224.219 7337 [29/Jan/2016:6:09:59 nto] "PROPFIND https://example.org/exercita/der.htm?odoco=ria#min ite" 10.234.224.44 etdo tation "quasiarc" liqua ciade 5699 "https://example.net/umq/ntium.gif?nes=eab#aliqu" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" deny +10.102.123.34 7178 [12/Feb/2016:1:12:33 nostrud] "PURGE https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor tatemU" 10.70.36.222 estlabo doeiu "nia" olupt volup 208 "https://example.com/eosquir/orsi.txt?itessequ=vol#luptat" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" deny +10.15.135.248 7269 [26/Feb/2016:8:15:08 mquia] "OPTIONS https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin proident" 10.142.172.64 lupt tia "oloremqu" temvel iatu 5493 "https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept +10.44.134.153 5162 [12/Mar/2016:3:17:42 nci] "GET https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con uia" quiavo 1156 "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" allow 10.81.122.126 taev 160.145000 +10.160.95.56 1980 [26/Mar/2016:10:20:16 aqui] "PUT https://api.example.org/isetq/estqui.gif?magn=equuntu#eos enimad" 10.171.175.51 boreet onev "tenima" laboreet aquaeabi 5738 "https://api.example.net/veleumi/tia.gif?ude=maveniam#uian" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel +10.175.107.139 4243 [09/Apr/2016:5:22:51 antium] "HEAD https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect reetdolo" 10.12.195.60 uiano mrema "autfu" natura aboris 2946 "https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep" "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" accept +10.198.136.50 6875 [24/Apr/2016:12:25:25 llam] "DELETE https://www5.example.com/ari/eataevit.txt?iam=mqua#atat quunt" 10.207.249.121 iciade tsed "orai" mUt usmodte 1296 "https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" allow +10.34.9.93 124 [08/May/2016:7:27:59 onse] "PROPFIND https://example.org/tatno/imav.htm?ofdeF=tion#orsitame quiratio" 10.116.120.216 qua umdo "sed" apariat mol 1510 "https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" accept +10.90.131.186 6343 [22/May/2016:2:30:33 nimadmin] "HEAD https://example.org/uaera/sitas.txt?aedic=atquovo#iumto aboreetd" 10.30.216.41 enim saute "vel" quu undeo 5794 "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" accept +10.8.88.110 7618 [05/Jun/2016:9:33:08 ionul] "CONNECT https://mail.example.org/edquiano/loru.htm?end=enia#nsequu cup" 10.203.172.203 idestla Nemoeni "uradi" aborumSe luptat 6884 "https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept +10.71.34.9 267 [20/Jun/2016:4:35:42 dolore] "UNLOCK https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat lpa" 10.158.185.163 rudexerc aliq "rsitam" quam adm 987 "https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi" "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g" allow +10.210.74.24 6423 [04/Jul/2016:11:38:16 untut] "OPTIONS https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu stiae" 10.201.76.240 amqu uines "nsec" onse emips 2655 "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" accept +10.114.138.121 1939 [18/Jul/2016:6:40:50 tati] "COPY https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu uat" 10.206.136.206 suntinc xeac "nidolo" tatn eli 6462 "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt" "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny +10.200.199.166 3727 [02/Aug/2016:1:43:25 amvolup] "COPY https://mail.example.org/rehend/tio.html?numqu=qui#civeli lum" 10.134.161.118 tat ipitla "quae" maccusa uptat 3458 "https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" block +10.122.46.71 2807 [16/Aug/2016:8:45:59 ihilm] "NONE https://www.example.org/eav/ionevo.txt?siar=orev#iamquis quirat" 10.76.3.41 isc aturve "emulla" mpori aaliquaU 2989 "https://www5.example.com/ern/psaquae.html?nsectet=utla#utei" "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow +10.164.250.63 2530 [30/Aug/2016:3:48:33 eritqu] "PROPFIND https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu namali" 10.249.213.83 nsecte itame "eumfug" lit asun 1250 "https://api.example.com/oluptate/onseq.html?labore=texp#tMalor" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" accept +10.61.242.75 2591 [13/Sep/2016:10:51:07 dantiumt] "HEAD https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea amre" 10.236.248.65 pisciv iquidex "radipisc" tmo fficiade 3280 "https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel +10.13.59.31 5685 [28/Sep/2016:5:53:42 sperna] "PUT https://www5.example.com/estia/tper.gif?volupt=osqui#xerc iutali" 10.214.7.83 liquide etdol "uela" boN eprehend 2462 "https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block +10.89.201.140 2447 [12/Oct/2016:12:56:16 uamei] "GET https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis uptasn" 10.49.92.179 osamn isnisiu "bore" tsu tcons 3128 "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept +10.235.7.92 5787 [26/Oct/2016:7:58:50 nsecte] "PURGE https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat derit" 10.90.86.89 piscin lapar "laboree" tfu udan 5516 "https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny +10.14.211.43 4762 [10/Nov/2016:3:01:24 eiu] "PROPFIND https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo itatio" 10.14.48.16 sintoc volupt "siste" uiinea Utenima 1612 "https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel +10.47.25.230 5491 [24/Nov/2016:10:03:59 ese] "CONNECT https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc uteirure" 10.93.123.174 evelit reetdolo "smo" etcons iusmodi 1563 "https://example.com/uiac/epte.gif?itam=aper#santiumd" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block +10.7.46.36 837 [08/Dec/2016:5:06:33 nonn] "MKOL https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons sBon" 10.233.48.103 leumiur tlab "aperiame" isc ullamcor 584 "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel +10.93.220.10 2805 [23/Dec/2016:12:09:07 com] "PROPATCH https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia sequatu" 10.27.58.92 amvo qui "tasn" Nemoenim squirati 63 "https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept +10.213.144.249 4427 [06/Jan/2017:7:11:41 taedicta] "PURGE https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut uamni" 10.135.217.12 metMalo ntexplic "archite" loreme untu 5676 "https://example.net/con/nisist.gif?ium=esciuntN#idunt" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block +10.13.226.57 3275 [20/Jan/2017:2:14:16 runtm] "PURGE https://mail.example.net/velitse/oditem.html?torever=oremi#mestq temUt" 10.233.239.112 npr mquelau "iadolor" amcol adeser 3780 "https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" cancel +10.161.203.252 301 [03/Feb/2017:9:16:50 emquia] "CONNECT https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa eFi" 10.21.169.127 rpori ice "oles" edic seq 2835 "https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept +10.17.215.111 148 [18/Feb/2017:4:19:24 ratv] "LOCK https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano piscinge" 10.69.139.26 ditemp edqui "nre" veli volupta 7124 "https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block +10.10.213.83 7206 [04/Mar/2017:11:21:59 nisi] "COPY https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat vitaedi" 10.104.80.189 dolore onsecte "nBCSedut" ugiat onulam 1542 "https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept +10.125.131.91 3480 [18/Mar/2017:6:24:33 urv] "UNLOCK https://example.org/uatur/adminimv.gif?exeacom=roidents#tem dol" 10.116.230.217 mvele isis "uasiar" utlab emUteni 7122 "https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" block +10.26.96.202 2751 [02/Apr/2017:1:27:07 rautodi] "ICP_QUERY https://api.example.com/ven/rQu.html?doloreme=dun#reprehe tincu" 10.119.90.128 lor oraincid "intocc" amcorp ntsunt 4826 "https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" cancel +10.0.98.205 126 [16/Apr/2017:8:29:41 edquiac] "HEAD https://api.example.net/eseru/quamest.html?qua=rsita#ate ipsamvo" 10.76.110.144 tdol upt "mex" tatem untutlab 3386 "https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" deny +10.224.11.165 1646 [30/Apr/2017:3:32:16 nof] "MOVE https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu licabo" 10.135.46.242 lupta xeaco "nvolupt" oremi elites 1940 "https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny +10.27.44.4 4686 [14/May/2017:10:34:50 sequatD] "TRACE https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol eri" 10.154.53.249 tae autodit "elit" cidunt plica 7398 "https://internal.example.org/emqu/nderi.html?accusant=onse#admin" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" accept +10.93.39.140 4275 [29/May/2017:5:37:24 ute] "COPY https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid rExc" 10.150.245.88 orisn reetd "prehen" ntutlabo iusmodte 1738 "https://example.org/isc/Nequepor.txt?rem=idid#tesse" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" cancel +10.61.92.2 6595 [12/Jun/2017:12:39:58 maliquam] "UNLOCK https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn ecillu" 10.73.207.70 llamco atu "untincul" ssecil commodi 3023 "https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block +10.84.32.178 5271 [26/Jun/2017:7:42:33 aliq] "GET https://example.net/mven/olorsit.gif?oremag=illu#ruredo mac" temUt 2741 "https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" allow 10.50.124.116 numquam 104.719000 +10.173.222.131 918 [11/Jul/2017:2:45:07 ori] "TRACE https://www5.example.net/rum/eataevi.html?ulla=iqu#oin hil" 10.211.234.224 uiadol Duisa "lupta" aUt boNem 5564 "https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept +10.11.83.126 6581 [25/Jul/2017:9:47:41 naaliq] "PROPFIND https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup tsed" 10.0.157.225 itam atu "lloin" remipsum tempor 1282 "https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny +10.228.77.21 6889 [08/Aug/2017:4:50:15 lamc] "PUT https://api.example.com/asper/umq.txt?itasper=uae#mve uia" 10.92.237.93 mad onse "redol" gnaa mod 5107 "https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel +10.102.215.23 3665 [22/Aug/2017:11:52:50 esseq] "POST https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu licaboN" 10.20.28.92 econs ntexpl "dunt" litsedq nderiti 409 "https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" allow +10.45.28.159 5627 [06/Sep/2017:6:55:24 ree] "NONE https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh plic" 10.17.87.79 tetur tionula "ritqu" ecatcupi uamei 4595 "https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block +10.177.238.45 5137 [20/Sep/2017:1:57:58 ssusci] "DELETE https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi quasiarc" 10.189.94.51 tetura rsp "oluptat" metco acom 5704 "https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" allow +10.46.77.76 5169 [04/Oct/2017:9:00:32 anim] "GET https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup aco" 10.101.85.169 natu liquid "enim" Finibus radi 5697 "https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36" accept +10.24.54.129 77 [19/Oct/2017:4:03:07 eprehend] "HEAD https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos orsi" 10.231.7.209 lorsita eavol "osamnis" temaccu scipitl 1247 "https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa" "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36" block +10.121.163.5 7803 [02/Nov/2017:11:05:41 redol] "CONNECT https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh ratv" 10.77.129.175 tali BCS "qui" ugiatquo incidid 2617 "https://www.example.com/sBonor/fugits.jpg?amc=vol#admi" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow +10.51.236.148 329 [16/Nov/2017:6:08:15 adol] "PROPFIND https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui tvolup" 10.116.146.114 col obea "emp" agnaaliq est 1444 "https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" deny +10.244.108.135 6997 [01/Dec/2017:1:10:49 ume] "NONE https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia itesse" 10.217.222.99 ame amvolu "mip" tion tobeatae 2512 "https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" block +10.4.69.152 3833 [15/Dec/2017:8:13:24 scivel] "PUT https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame orroquis" 10.150.198.112 ntmoll mexer "estla" uipexe abor 1370 "https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block +10.45.114.111 357 [29/Dec/2017:3:15:58 olup] "POST https://example.org/abillo/undeom.html?oraincid=quaer#eetdo tlab" 10.45.54.107 seddoeiu nse "aali" edictasu mdolors 7490 "https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" accept +10.49.242.174 4078 [12/Jan/2018:10:18:32 tat] "TRACE https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse venia" 10.205.28.24 oeni untutlab "tvolup" consecte pteurs 742 "https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" allow +10.17.202.219 487 [27/Jan/2018:5:21:06 iame] "HEAD https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea imaveni" 10.183.223.149 cor odoco "oin" itseddoe elites 6366 "https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" deny +10.81.140.173 7623 [10/Feb/2018:12:23:41 itae] "MOVE https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu tan" 10.88.172.222 doconse etdol "dolorsi" nturmag tura 6695 "https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau" "mobmail android 2.1.3.3150" cancel +10.162.129.196 4247 [24/Feb/2018:7:26:15 snisi] "OPTIONS https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo Cicero" 10.247.53.179 issu identsu "piscivel" hend eacommo 6835 "https://example.com/osquira/umd.gif?scipi=tur#acon" "mobmail android 2.1.3.3150" accept +10.110.86.230 536 [11/Mar/2018:2:28:49 eFini] "UNLOCK https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai uido" 10.172.148.223 snulap enimadm "stenatu" upta atc 3066 "https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon" "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80" accept +10.93.159.170 3481 [25/Mar/2018:9:31:24 emullam] "GET https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam modico" 10.232.19.43 porinc riame "riat" sseq eriam 729 "https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" deny +10.207.97.192 973 [08/Apr/2018:4:33:58 emp] "ICP_QUERY https://api.example.net/veli/venia.htm?etdolor=uat#onemulla riaturEx" 10.55.55.72 nculp asp "eacom" mag gelitse 2007 "https://example.net/lab/llumq.htm?tetura=rumet#uptasnul" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel +10.41.156.88 203 [22/Apr/2018:11:36:32 oco] "MOVE https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli ugiat" 10.89.73.240 orem ntorever "pisciv" fugiatqu seos 5561 "https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" deny +10.54.44.231 5292 [07/May/2018:6:39:06 aco] "CONNECT https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos rios" 10.101.183.86 mvenia mcorpo "ntexpl" abor oreverit 6451 "https://internal.example.net/tat/eufugia.htm?tau=fficia#est" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" allow +10.181.177.74 3378 [21/May/2018:1:41:41 itsedd] "LOCK https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri odoc" 10.130.150.189 oreeu nvo "iamqui" tassita colabori 1223 "https://www.example.net/lpa/isn.htm?iat=ffic#siuta" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept +10.76.220.3 2492 [04/Jun/2018:8:44:15 serrorsi] "GET https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq lup" 10.83.130.95 ipitlabo userror "eacommo" nderi liqua 7030 "https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic" "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36" deny +10.219.245.58 7073 [19/Jun/2018:3:46:49 snisiut] "COPY https://www.example.com/quas/occaeca.htm?ender=dico#uptatem upt" 10.166.160.217 olor radip "rchitect" Dui iameaqu 2429 "https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" deny +10.121.121.153 723 [03/Jul/2018:10:49:23 smoditem] "UNLOCK https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit catcu" 10.183.243.246 amni tatio "amquisno" modoc magnam 3267 "https://example.com/idatat/onev.html?lesti=oreseo#reprehen" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" cancel +10.54.5.47 1585 [17/Jul/2018:5:51:58 mmodi] "OPTIONS https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu remagnam" 10.202.224.209 iusmodit aturv "ectetura" obeataev umf 3141 "https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu" "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36" cancel +10.72.99.69 3172 [01/Aug/2018:12:54:32 oremeumf] "PROPFIND https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo lors" 10.170.234.233 accus uatu "mquis" lab uido 2046 "https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup" "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow +10.245.240.47 4017 [15/Aug/2018:7:57:06 itaedict] "DELETE https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi edic" 10.142.130.227 olabori odic "iuta" liquaUte scivelit 7795 "https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali" "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" allow +10.62.188.193 4104 [29/Aug/2018:2:59:40 atu] "DELETE https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa mini" 10.61.110.7 oremque quaU "ufugi" cin tmo 508 "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex" "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" deny +10.172.139.78 6533 [12/Sep/2018:10:02:15 lamco] "COPY https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi tlabore" 10.68.198.188 doeiu onsectet "dentsunt" inea animid 2119 "https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol" "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61" block +10.172.47.7 2805 [27/Sep/2018:5:04:49 midest] "CONNECT https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid rchit" 10.169.63.169 ariat midestl "quatu" avolu teturad 3465 "https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" block +10.32.98.109 5012 [11/Oct/2018:12:07:23 dexercit] "PURGE https://example.org/itessequ/porissu.html?uip=ectobea#dat aUtenima" 10.62.10.137 eeufugi deomnisi "olupta" oll laboree 3880 "https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb" "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" cancel +10.176.62.146 5945 [25/Oct/2018:7:09:57 lors] "COPY https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide quelaud" 10.255.40.12 rro oeiusmo "nimv" emeu tatemac 5192 "https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui" "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90" deny +10.194.198.46 3387 [09/Nov/2018:2:12:32 cta] "GET https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse mveniam" tuser 2694 "https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" deny 10.88.98.31 rured 105.243000 +10.5.49.20 7503 [23/Nov/2018:9:15:06 macc] "OPTIONS https://example.com/beat/rro.jpg?uisau=qua#iarchite emsequi" 10.1.27.133 edqu tationu "gnaaliq" olore ntutlab 6881 "https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt" "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" block +10.11.73.145 6972 [07/Dec/2018:4:17:40 uisautem] "POST https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea aco" 10.70.244.155 olorsi caboNemo "uptas" temaccus ons 2160 "https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" accept +10.204.214.98 985 [21/Dec/2018:11:20:14 equ] "PURGE https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte abo" 10.121.80.158 boriosa cillumdo "ditau" moenimip uames 7663 "https://internal.example.com/lor/oreeu.html?eturadip=nost#atus" "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" accept +10.74.115.33 4006 [05/Jan/2019:6:22:49 nsequat] "PURGE https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors eumfu" 10.139.151.19 eumf roquisq "uasi" maveniam uis 5533 "https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" block +10.191.220.1 6454 [19/Jan/2019:1:25:23 ctetura] "DELETE https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect pariat" 10.242.48.203 ctobeat isi "idexeac" ntu tdolo 3872 "https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" deny +10.109.88.27 5568 [02/Feb/2019:8:27:57 cidu] "PROPATCH https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip eacommod" 10.254.10.98 adipisc aparia "maliq" ccusant epteurs 6661 "https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca" "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36" accept +10.5.148.114 4749 [17/Feb/2019:3:30:32 ntin] "LOCK https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore tamr" 10.175.138.42 olore onemul "trudexe" remeum etur 890 "https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" deny +10.0.0.240 1795 [03/Mar/2019:10:33:06 psa] "PROPFIND https://internal.example.org/olupta/tio.jpg?idestl=litani#emp arch" 10.18.199.203 ugits ittenb "tobeatae" ntut llum 366 "https://example.com/equat/estiaec.htm?mquido=ende#ntmollit" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow +10.1.220.47 6685 [17/Mar/2019:5:35:40 mipsamv] "NONE https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq runt" 10.73.80.251 pteurs ercitati "atem" serro lumquid 5939 "https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" allow +10.153.109.61 7499 [01/Apr/2019:12:38:14 numq] "PURGE https://www.example.net/periam/ain.gif?iquipex=mqu#onorume abill" 10.22.34.206 mini mve "tionev" uasiarch velites 1745 "https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" block +10.62.168.226 5334 [15/Apr/2019:7:40:49 bori] "CONNECT https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis lupt" 10.199.103.185 uipe ipsa "con" eirured sequamn 5243 "https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" allow +10.97.33.56 3541 [29/Apr/2019:2:43:23 rad] "COPY https://example.com/tqui/ssequ.gif?emse=emqui#cipitla tlab" 10.128.84.27 nula ptate "volupta" umfu utla 2478 "https://www5.example.com/dolo/velites.gif?equa=apari#tsunt" "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36" block +10.49.169.175 2103 [13/May/2019:9:45:57 sistena] "HEAD https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost sequines" 10.115.154.104 illum ore "spici" Sedut tatis 7767 "https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" allow +10.213.100.153 2571 [28/May/2019:4:48:31 iatquo] "PROPFIND https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu ptatemse" 10.33.112.100 catcup enimad "magnaali" velillum ionev 1594 "https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" block +10.216.143.226 2632 [11/Jun/2019:11:51:06 deomn] "CONNECT https://api.example.net/quido/llo.htm?tpersp=assi#rch psa" 10.25.53.93 tvolup oremeu "lab" lla urau 6127 "https://example.net/equamni/atcupi.htm?onemull=mdo#labore" "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30" cancel +10.139.195.188 893 [25/Jun/2019:6:53:40 aliquaU] "HEAD https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti edictasu" 10.246.115.57 edquiano mSecti "henderi" taevitae tevel 5926 "https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi" "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" allow +10.60.56.205 4345 [10/Jul/2019:1:56:14 writtenb] "NONE https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii tesse" 10.82.148.126 inBCSedu ita "ade" nihilmol nder 2214 "https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq" "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]" block +10.245.251.98 261 [24/Jul/2019:8:58:48 mremaper] "DELETE https://api.example.com/ntium/ide.htm?tamrema=isautem#usan gnamali" 10.6.11.124 edqui tvolu "psu" strud onsequ 5930 "https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que" "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36" accept +10.99.55.115 1537 [07/Aug/2019:4:01:23 exerci] "CONNECT https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui uov" 10.145.25.55 litsed lumd "tiaec" lorem iamquisn 2079 "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block +10.187.86.64 3325 [21/Aug/2019:11:03:57 atatn] "TRACE https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe ddoeiusm" 10.6.88.105 uptatemU rem "onorumet" iscivel rinci 249 "https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion" "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36" allow +10.252.146.132 503 [05/Sep/2019:6:06:31 tat] "CONNECT https://mail.example.org/turv/use.jpg?mtot=macc#illoin eursi" 10.163.9.35 uatDu umq "ipsu" oremip ota 4562 "https://example.com/epteurs/itse.jpg?modi=cip#tla" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" accept +10.249.101.177 4465 [19/Sep/2019:1:09:05 quam] "DELETE https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol umdo" 10.235.160.245 squamest upta "umquiad" porinc uameiu 4857 "https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce" "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36" deny +10.140.170.171 773 [03/Oct/2019:8:11:40 deom] "TRACE https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup erspici" 10.73.218.58 quidol tinv "Utenima" nse umq 1831 "https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed" "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36" block +10.248.156.138 2125 [18/Oct/2019:3:14:14 smodit] "OPTIONS https://example.net/dun/xce.jpg?nsequat=mvol#asiar eiu" 10.67.148.40 tcons squamest "ction" emveleum siuta 2155 "https://example.com/epteur/onproi.txt?imveniam=sunte#exerc" "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16" deny +10.83.154.75 4260 [01/Nov/2019:10:16:48 explicab] "UNLOCK https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu orumetMa" 10.37.33.179 taed eatae "siutali" oloremq sum 6106 "https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat" "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30" accept +10.14.29.202 7842 [15/Nov/2019:5:19:22 modoco] "MKOL https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo nimv" 10.84.107.38 tutla usmod "ine" qui itse 2097 "https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe" "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10" deny +10.221.86.133 6682 [30/Nov/2019:12:21:57 edi] "POST https://api.example.com/ore/adeser.htm?pre=aute#rchite rcit" 10.204.223.184 oinve ptasnul "utaliqui" mcorpor rerepr 6861 "https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni" "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]" deny +10.195.4.70 3844 [14/Dec/2019:7:24:31 mfugiat] "PUT https://api.example.com/liqu/dolor.htm?ess=umdo#aer quela" 10.229.39.190 Nequepo edictas "emac" rmagnido exeaco 2574 "https://api.example.org/loremi/nven.htm?usan=ugiatn#squa" "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91" deny diff --git a/x-pack/filebeat/module/squid/log/test/generated.log-expected.json b/x-pack/filebeat/module/squid/log/test/generated.log-expected.json new file mode 100644 index 000000000000..cbf64fd989db --- /dev/null +++ b/x-pack/filebeat/module/squid/log/test/generated.log-expected.json @@ -0,0 +1,7103 @@ +[ + { + "@timestamp": "2016-01-29T08:09:59.000Z", + "destination.ip": [ + "10.234.224.44" + ], + "event.action": "deny", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.251.224.219 7337 [29/Jan/2016:6:09:59 nto] \"PROPFIND https://example.org/exercita/der.htm?odoco=ria#min ite\" 10.234.224.44 etdo tation \"quasiarc\" liqua ciade 5699 \"https://example.net/umq/ntium.gif?nes=eab#aliqu\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" deny", + "file.name": "quasiarc", + "fileset.name": "log", + "http.request.referrer": "https://example.net/umq/ntium.gif?nes=eab#aliqu", + "input.type": "log", + "log.offset": 0, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.net", + "example.org" + ], + "related.ip": [ + "10.234.224.44", + "10.251.224.219" + ], + "related.user": [ + "tation" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "PROPFIND", + "deny" + ], + "rsa.misc.content_type": "ciade", + "rsa.misc.result_code": "liqua", + "rsa.network.domain": "example.org", + "rsa.network.network_service": "ite", + "rsa.time.event_time": "2016-01-29T08:09:59.000Z", + "rsa.web.alias_host": "example.org", + "rsa.web.web_ref_domain": "example.net", + "rsa.web.web_ref_query": "nes=eab", + "server.domain": "example.org", + "server.registered_domain": "example.org", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 5699, + "source.ip": [ + "10.251.224.219" + ], + "source.port": 7337, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.org", + "url.original": "https://example.org/exercita/der.htm?odoco=ria#min", + "url.path": "https://example.net", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", + "user.name": "tation", + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2016-02-12T03:12:33.000Z", + "destination.ip": [ + "10.70.36.222" + ], + "event.action": "deny", + "event.code": "PURGE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.102.123.34 7178 [12/Feb/2016:1:12:33 nostrud] \"PURGE https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor tatemU\" 10.70.36.222 estlabo doeiu \"nia\" olupt volup 208 \"https://example.com/eosquir/orsi.txt?itessequ=vol#luptat\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" deny", + "file.name": "nia", + "fileset.name": "log", + "http.request.referrer": "https://example.com/eosquir/orsi.txt?itessequ=vol#luptat", + "input.type": "log", + "log.offset": 426, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.org", + "example.com" + ], + "related.ip": [ + "10.102.123.34", + "10.70.36.222" + ], + "related.user": [ + "doeiu" + ], + "rsa.internal.messageid": "PURGE", + "rsa.misc.action": [ + "deny", + "PURGE" + ], + "rsa.misc.content_type": "volup", + "rsa.misc.result_code": "olupt", + "rsa.network.domain": "www.example.org", + "rsa.network.network_service": "tatemU", + "rsa.time.event_time": "2016-02-12T03:12:33.000Z", + "rsa.web.alias_host": "www.example.org", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "itessequ=vol", + "server.domain": "www.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 208, + "source.ip": [ + "10.102.123.34" + ], + "source.port": 7178, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.original": "https://www.example.org/enderitq/sperna.txt?billoi=oreetdol#nidolor", + "url.path": "https://example.com", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", + "user.name": "doeiu", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2016-02-26T10:15:08.000Z", + "destination.ip": [ + "10.142.172.64" + ], + "event.action": "accept", + "event.code": "OPTIONS", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.15.135.248 7269 [26/Feb/2016:8:15:08 mquia] \"OPTIONS https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin proident\" 10.142.172.64 lupt tia \"oloremqu\" temvel iatu 5493 \"https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", + "file.name": "oloremqu", + "fileset.name": "log", + "http.request.referrer": "https://example.net/dolo/meumfug.gif?roinBCS=ufugiatn#tionulam", + "input.type": "log", + "log.offset": 877, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.com", + "example.net" + ], + "related.ip": [ + "10.15.135.248", + "10.142.172.64" + ], + "related.user": [ + "tia" + ], + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "OPTIONS", + "accept" + ], + "rsa.misc.content_type": "iatu", + "rsa.misc.result_code": "temvel", + "rsa.network.domain": "internal.example.com", + "rsa.network.network_service": "proident", + "rsa.time.event_time": "2016-02-26T10:15:08.000Z", + "rsa.web.alias_host": "internal.example.com", + "rsa.web.web_ref_domain": "example.net", + "rsa.web.web_ref_query": "roinBCS=ufugiatn", + "server.domain": "internal.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "internal", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 5493, + "source.ip": [ + "10.15.135.248" + ], + "source.port": 7269, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.original": "https://internal.example.com/aqu/utper.jpg?eFinib=omm#iin", + "url.path": "https://example.net", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", + "user.name": "tia", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-03-12T05:17:42.000Z", + "destination.ip": [ + "10.81.122.126" + ], + "event.action": "allow", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.44.134.153 5162 [12/Mar/2016:3:17:42 nci] \"GET https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con uia\" quiavo 1156 \"https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" allow 10.81.122.126 taev 160.145000", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/consec/taliquip.html?radip=tNequ#gelit", + "input.type": "log", + "log.offset": 1300, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.com", + "api.example.org" + ], + "related.ip": [ + "10.81.122.126", + "10.44.134.153" + ], + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "allow" + ], + "rsa.misc.content_type": "taev", + "rsa.misc.result_code": "quiavo", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "uia", + "rsa.time.duration_time": 160.145, + "rsa.time.event_time": "2016-03-12T05:17:42.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "mail.example.com", + "rsa.web.web_ref_query": "radip=tNequ", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 1156, + "source.ip": [ + "10.44.134.153" + ], + "source.port": 5162, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/ceroinBC/ratvolup.gif?iatu=ionofde#con", + "url.path": "https://mail.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-03-26T12:20:16.000Z", + "destination.ip": [ + "10.171.175.51" + ], + "event.action": "cancel", + "event.code": "PUT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.160.95.56 1980 [26/Mar/2016:10:20:16 aqui] \"PUT https://api.example.org/isetq/estqui.gif?magn=equuntu#eos enimad\" 10.171.175.51 boreet onev \"tenima\" laboreet aquaeabi 5738 \"https://api.example.net/veleumi/tia.gif?ude=maveniam#uian\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", + "file.name": "tenima", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/veleumi/tia.gif?ude=maveniam#uian", + "input.type": "log", + "log.offset": 1719, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "api.example.org" + ], + "related.ip": [ + "10.160.95.56", + "10.171.175.51" + ], + "related.user": [ + "onev" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "PUT", + "cancel" + ], + "rsa.misc.content_type": "aquaeabi", + "rsa.misc.result_code": "laboreet", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "enimad", + "rsa.time.event_time": "2016-03-26T12:20:16.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "api.example.net", + "rsa.web.web_ref_query": "ude=maveniam", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 5738, + "source.ip": [ + "10.160.95.56" + ], + "source.port": 1980, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/isetq/estqui.gif?magn=equuntu#eos", + "url.path": "https://api.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user.name": "onev", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-04-09T07:22:51.000Z", + "destination.ip": [ + "10.12.195.60" + ], + "event.action": "accept", + "event.code": "HEAD", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.175.107.139 4243 [09/Apr/2016:5:22:51 antium] \"HEAD https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect reetdolo\" 10.12.195.60 uiano mrema \"autfu\" natura aboris 2946 \"https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep\" \"Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" accept", + "file.name": "autfu", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/ssitaspe/gitsedqu.jpg?iutal=dexe#urerep", + "input.type": "log", + "log.offset": 2088, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.org", + "api.example.com" + ], + "related.ip": [ + "10.175.107.139", + "10.12.195.60" + ], + "related.user": [ + "mrema" + ], + "rsa.internal.messageid": "HEAD", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "HEAD", + "accept" + ], + "rsa.misc.content_type": "aboris", + "rsa.misc.result_code": "natura", + "rsa.network.domain": "www.example.org", + "rsa.network.network_service": "reetdolo", + "rsa.time.event_time": "2016-04-09T07:22:51.000Z", + "rsa.web.alias_host": "www.example.org", + "rsa.web.web_ref_domain": "api.example.com", + "rsa.web.web_ref_query": "iutal=dexe", + "server.domain": "www.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 2946, + "source.ip": [ + "10.175.107.139" + ], + "source.port": 4243, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.original": "https://www.example.org/inesci/rsitvolu.txt?pori=occ#ect", + "url.path": "https://api.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", + "user.name": "mrema", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-04-24T14:25:25.000Z", + "destination.ip": [ + "10.207.249.121" + ], + "event.action": "allow", + "event.code": "DELETE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.198.136.50 6875 [24/Apr/2016:12:25:25 llam] \"DELETE https://www5.example.com/ari/eataevit.txt?iam=mqua#atat quunt\" 10.207.249.121 iciade tsed \"orai\" mUt usmodte 1296 \"https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" allow", + "file.name": "orai", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/ametcons/porainc.jpg?temsequ=emquiavo#nonnu", + "input.type": "log", + "log.offset": 2532, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.com", + "www.example.org" + ], + "related.ip": [ + "10.198.136.50", + "10.207.249.121" + ], + "related.user": [ + "tsed" + ], + "rsa.internal.messageid": "DELETE", + "rsa.misc.action": [ + "allow", + "DELETE" + ], + "rsa.misc.content_type": "usmodte", + "rsa.misc.result_code": "mUt", + "rsa.network.domain": "www5.example.com", + "rsa.network.network_service": "quunt", + "rsa.time.event_time": "2016-04-24T14:25:25.000Z", + "rsa.web.alias_host": "www5.example.com", + "rsa.web.web_ref_domain": "www.example.org", + "rsa.web.web_ref_query": "temsequ=emquiavo", + "server.domain": "www5.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "www5", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 1296, + "source.ip": [ + "10.198.136.50" + ], + "source.port": 6875, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.original": "https://www5.example.com/ari/eataevit.txt?iam=mqua#atat", + "url.path": "https://www.example.org", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", + "user.name": "tsed", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2016-05-08T09:27:59.000Z", + "destination.ip": [ + "10.116.120.216" + ], + "event.action": "accept", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.34.9.93 124 [08/May/2016:7:27:59 onse] \"PROPFIND https://example.org/tatno/imav.htm?ofdeF=tion#orsitame quiratio\" 10.116.120.216 qua umdo \"sed\" apariat mol 1510 \"https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" accept", + "file.name": "sed", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/turveli/toccae.htm?erc=taliqu#temUten", + "input.type": "log", + "log.offset": 2912, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.org", + "internal.example.net" + ], + "related.ip": [ + "10.116.120.216", + "10.34.9.93" + ], + "related.user": [ + "umdo" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "PROPFIND", + "accept" + ], + "rsa.misc.content_type": "mol", + "rsa.misc.result_code": "apariat", + "rsa.network.domain": "example.org", + "rsa.network.network_service": "quiratio", + "rsa.time.event_time": "2016-05-08T09:27:59.000Z", + "rsa.web.alias_host": "example.org", + "rsa.web.web_ref_domain": "internal.example.net", + "rsa.web.web_ref_query": "erc=taliqu", + "server.domain": "example.org", + "server.registered_domain": "example.org", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 1510, + "source.ip": [ + "10.34.9.93" + ], + "source.port": 124, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.org", + "url.original": "https://example.org/tatno/imav.htm?ofdeF=tion#orsitame", + "url.path": "https://internal.example.net", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", + "user.name": "umdo", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-05-22T04:30:33.000Z", + "destination.ip": [ + "10.30.216.41" + ], + "event.action": "accept", + "event.code": "HEAD", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.90.131.186 6343 [22/May/2016:2:30:33 nimadmin] \"HEAD https://example.org/uaera/sitas.txt?aedic=atquovo#iumto aboreetd\" 10.30.216.41 enim saute \"vel\" quu undeo 5794 \"https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" accept", + "file.name": "vel", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "input.type": "log", + "log.offset": 3271, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.org", + "mail.example.net" + ], + "related.ip": [ + "10.30.216.41", + "10.90.131.186" + ], + "related.user": [ + "saute" + ], + "rsa.internal.messageid": "HEAD", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "accept", + "HEAD" + ], + "rsa.misc.content_type": "undeo", + "rsa.misc.result_code": "quu", + "rsa.network.domain": "example.org", + "rsa.network.network_service": "aboreetd", + "rsa.time.event_time": "2016-05-22T04:30:33.000Z", + "rsa.web.alias_host": "example.org", + "rsa.web.web_ref_domain": "mail.example.net", + "rsa.web.web_ref_query": "idolore=onse", + "server.domain": "example.org", + "server.registered_domain": "example.org", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 5794, + "source.ip": [ + "10.90.131.186" + ], + "source.port": 6343, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.org", + "url.original": "https://example.org/uaera/sitas.txt?aedic=atquovo#iumto", + "url.path": "https://mail.example.net", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", + "user.name": "saute", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-06-05T11:33:08.000Z", + "destination.ip": [ + "10.203.172.203" + ], + "event.action": "accept", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.8.88.110 7618 [05/Jun/2016:9:33:08 ionul] \"CONNECT https://mail.example.org/edquiano/loru.htm?end=enia#nsequu cup\" 10.203.172.203 idestla Nemoeni \"uradi\" aborumSe luptat 6884 \"https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", + "file.name": "uradi", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/strude/ctetura.htm?ittenbyC=aperi#lor", + "input.type": "log", + "log.offset": 3691, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.org", + "www5.example.org" + ], + "related.ip": [ + "10.203.172.203", + "10.8.88.110" + ], + "related.user": [ + "Nemoeni" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "accept" + ], + "rsa.misc.content_type": "luptat", + "rsa.misc.result_code": "aborumSe", + "rsa.network.domain": "mail.example.org", + "rsa.network.network_service": "cup", + "rsa.time.event_time": "2016-06-05T11:33:08.000Z", + "rsa.web.alias_host": "mail.example.org", + "rsa.web.web_ref_domain": "www5.example.org", + "rsa.web.web_ref_query": "ittenbyC=aperi", + "server.domain": "mail.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "mail", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 6884, + "source.ip": [ + "10.8.88.110" + ], + "source.port": 7618, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.original": "https://mail.example.org/edquiano/loru.htm?end=enia#nsequu", + "url.path": "https://www5.example.org", + "url.registered_domain": "example.org", + "url.subdomain": "mail", + "url.top_level_domain": "org", + "user.name": "Nemoeni", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-06-20T06:35:42.000Z", + "destination.ip": [ + "10.158.185.163" + ], + "event.action": "allow", + "event.code": "UNLOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.71.34.9 267 [20/Jun/2016:4:35:42 dolore] \"UNLOCK https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat lpa\" 10.158.185.163 rudexerc aliq \"rsitam\" quam adm 987 \"https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi\" \"Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g\" allow", + "file.name": "rsitam", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/ritatis/oloremi.txt?icab=mwr#fugi", + "input.type": "log", + "log.offset": 4068, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.org" + ], + "related.ip": [ + "10.158.185.163", + "10.71.34.9" + ], + "related.user": [ + "aliq" + ], + "rsa.internal.messageid": "UNLOCK", + "rsa.misc.action": [ + "allow", + "UNLOCK" + ], + "rsa.misc.content_type": "adm", + "rsa.misc.result_code": "quam", + "rsa.network.domain": "www.example.org", + "rsa.network.network_service": "lpa", + "rsa.time.event_time": "2016-06-20T06:35:42.000Z", + "rsa.web.alias_host": "www.example.org", + "rsa.web.web_ref_domain": "www.example.org", + "rsa.web.web_ref_query": "icab=mwr", + "server.domain": "www.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 987, + "source.ip": [ + "10.71.34.9" + ], + "source.port": 267, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.original": "https://www.example.org/iqui/etc.txt?tatiset=eprehen#xercitat", + "url.path": "https://www.example.org", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", + "user.name": "aliq", + "user_agent.device.name": "XiaoMi Redmi 4X", + "user_agent.name": "MiuiBrowser", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 7.1.2; uz-uz; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.141 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.2.3-g", + "user_agent.os.full": "Android 7.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.1.2", + "user_agent.version": "12.2.3" + }, + { + "@timestamp": "2016-07-04T13:38:16.000Z", + "destination.ip": [ + "10.201.76.240" + ], + "event.action": "accept", + "event.code": "OPTIONS", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.210.74.24 6423 [04/Jul/2016:11:38:16 untut] \"OPTIONS https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu stiae\" 10.201.76.240 amqu uines \"nsec\" onse emips 2655 \"https://example.net/tion/eataev.htm?uiineavo=tisetq#irati\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" accept", + "file.name": "nsec", + "fileset.name": "log", + "http.request.referrer": "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "input.type": "log", + "log.offset": 4495, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.net", + "example.net" + ], + "related.ip": [ + "10.201.76.240", + "10.210.74.24" + ], + "related.user": [ + "uines" + ], + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "accept", + "OPTIONS" + ], + "rsa.misc.content_type": "emips", + "rsa.misc.result_code": "onse", + "rsa.network.domain": "internal.example.net", + "rsa.network.network_service": "stiae", + "rsa.time.event_time": "2016-07-04T13:38:16.000Z", + "rsa.web.alias_host": "internal.example.net", + "rsa.web.web_ref_domain": "example.net", + "rsa.web.web_ref_query": "uiineavo=tisetq", + "server.domain": "internal.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "internal", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 2655, + "source.ip": [ + "10.210.74.24" + ], + "source.port": 6423, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.original": "https://internal.example.net/ommod/sequatur.txt?tlabo=suntexp#ugiatnu", + "url.path": "https://example.net", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", + "user.name": "uines", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2016-07-18T08:40:50.000Z", + "destination.ip": [ + "10.206.136.206" + ], + "event.action": "deny", + "event.code": "COPY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.114.138.121 1939 [18/Jul/2016:6:40:50 tati] \"COPY https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu uat\" 10.206.136.206 suntinc xeac \"nidolo\" tatn eli 6462 \"https://www.example.net/pida/nse.html?emeumfu=CSed#lupt\" \"Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", + "file.name": "nidolo", + "fileset.name": "log", + "http.request.referrer": "https://www.example.net/pida/nse.html?emeumfu=CSed#lupt", + "input.type": "log", + "log.offset": 4894, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.net", + "api.example.org" + ], + "related.ip": [ + "10.206.136.206", + "10.114.138.121" + ], + "related.user": [ + "xeac" + ], + "rsa.internal.messageid": "COPY", + "rsa.misc.action": [ + "COPY", + "deny" + ], + "rsa.misc.content_type": "eli", + "rsa.misc.result_code": "tatn", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "uat", + "rsa.time.event_time": "2016-07-18T08:40:50.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "www.example.net", + "rsa.web.web_ref_query": "emeumfu=CSed", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 6462, + "source.ip": [ + "10.114.138.121" + ], + "source.port": 1939, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/oriosamn/deFinibu.gif?iciatisu=rehender#eporroqu", + "url.path": "https://www.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user.name": "xeac", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-08-02T03:43:25.000Z", + "destination.ip": [ + "10.134.161.118" + ], + "event.action": "block", + "event.code": "COPY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.200.199.166 3727 [02/Aug/2016:1:43:25 amvolup] \"COPY https://mail.example.org/rehend/tio.html?numqu=qui#civeli lum\" 10.134.161.118 tat ipitla \"quae\" maccusa uptat 3458 \"https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" block", + "file.name": "quae", + "fileset.name": "log", + "http.request.referrer": "https://www.example.com/xerci/aqu.htm?olorema=iades#siarchi", + "input.type": "log", + "log.offset": 5263, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.com", + "mail.example.org" + ], + "related.ip": [ + "10.200.199.166", + "10.134.161.118" + ], + "related.user": [ + "ipitla" + ], + "rsa.internal.messageid": "COPY", + "rsa.misc.action": [ + "COPY", + "block" + ], + "rsa.misc.content_type": "uptat", + "rsa.misc.result_code": "maccusa", + "rsa.network.domain": "mail.example.org", + "rsa.network.network_service": "lum", + "rsa.time.event_time": "2016-08-02T03:43:25.000Z", + "rsa.web.alias_host": "mail.example.org", + "rsa.web.web_ref_domain": "www.example.com", + "rsa.web.web_ref_query": "olorema=iades", + "server.domain": "mail.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "mail", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 3458, + "source.ip": [ + "10.200.199.166" + ], + "source.port": 3727, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.original": "https://mail.example.org/rehend/tio.html?numqu=qui#civeli", + "url.path": "https://www.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "mail", + "url.top_level_domain": "org", + "user.name": "ipitla", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2016-08-16T10:45:59.000Z", + "destination.ip": [ + "10.76.3.41" + ], + "event.action": "allow", + "event.code": "NONE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.122.46.71 2807 [16/Aug/2016:8:45:59 ihilm] \"NONE https://www.example.org/eav/ionevo.txt?siar=orev#iamquis quirat\" 10.76.3.41 isc aturve \"emulla\" mpori aaliquaU 2989 \"https://www5.example.com/ern/psaquae.html?nsectet=utla#utei\" \"Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", + "file.name": "emulla", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.com/ern/psaquae.html?nsectet=utla#utei", + "input.type": "log", + "log.offset": 5659, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.org", + "www5.example.com" + ], + "related.ip": [ + "10.76.3.41", + "10.122.46.71" + ], + "related.user": [ + "aturve" + ], + "rsa.internal.messageid": "NONE", + "rsa.misc.action": [ + "NONE", + "allow" + ], + "rsa.misc.content_type": "aaliquaU", + "rsa.misc.result_code": "mpori", + "rsa.network.domain": "www.example.org", + "rsa.network.network_service": "quirat", + "rsa.time.event_time": "2016-08-16T10:45:59.000Z", + "rsa.web.alias_host": "www.example.org", + "rsa.web.web_ref_domain": "www5.example.com", + "rsa.web.web_ref_query": "nsectet=utla", + "server.domain": "www.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 2989, + "source.ip": [ + "10.122.46.71" + ], + "source.port": 2807, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.original": "https://www.example.org/eav/ionevo.txt?siar=orev#iamquis", + "url.path": "https://www5.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", + "user.name": "aturve", + "user_agent.device.name": "VS996", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.0.0; VS996) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.0.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.0.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-08-30T05:48:33.000Z", + "destination.ip": [ + "10.249.213.83" + ], + "event.action": "accept", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.164.250.63 2530 [30/Aug/2016:3:48:33 eritqu] \"PROPFIND https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu namali\" 10.249.213.83 nsecte itame \"eumfug\" lit asun 1250 \"https://api.example.com/oluptate/onseq.html?labore=texp#tMalor\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" accept", + "file.name": "eumfug", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/oluptate/onseq.html?labore=texp#tMalor", + "input.type": "log", + "log.offset": 6019, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.net", + "api.example.com" + ], + "related.ip": [ + "10.249.213.83", + "10.164.250.63" + ], + "related.user": [ + "itame" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "accept", + "PROPFIND" + ], + "rsa.misc.content_type": "asun", + "rsa.misc.result_code": "lit", + "rsa.network.domain": "internal.example.net", + "rsa.network.network_service": "namali", + "rsa.time.event_time": "2016-08-30T05:48:33.000Z", + "rsa.web.alias_host": "internal.example.net", + "rsa.web.web_ref_domain": "api.example.com", + "rsa.web.web_ref_query": "labore=texp", + "server.domain": "internal.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "internal", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 1250, + "source.ip": [ + "10.164.250.63" + ], + "source.port": 2530, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.original": "https://internal.example.net/wri/bor.jpg?hitect=dol#leumiu", + "url.path": "https://api.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", + "user.name": "itame", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2016-09-13T12:51:07.000Z", + "destination.ip": [ + "10.236.248.65" + ], + "event.action": "cancel", + "event.code": "HEAD", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.61.242.75 2591 [13/Sep/2016:10:51:07 dantiumt] \"HEAD https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea amre\" 10.236.248.65 pisciv iquidex \"radipisc\" tmo fficiade 3280 \"https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", + "file.name": "radipisc", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/uioffi/oru.jpg?one=etMalor#ipi", + "input.type": "log", + "log.offset": 6454, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "www5.example.net" + ], + "related.ip": [ + "10.236.248.65", + "10.61.242.75" + ], + "related.user": [ + "iquidex" + ], + "rsa.internal.messageid": "HEAD", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "HEAD", + "cancel" + ], + "rsa.misc.content_type": "fficiade", + "rsa.misc.result_code": "tmo", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "amre", + "rsa.time.event_time": "2016-09-13T12:51:07.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "www5.example.net", + "rsa.web.web_ref_query": "one=etMalor", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 3280, + "source.ip": [ + "10.61.242.75" + ], + "source.port": 2591, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/equat/doloreme.htm?ione=ihilmole#eriamea", + "url.path": "https://www5.example.net", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "iquidex", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-09-28T07:53:42.000Z", + "destination.ip": [ + "10.214.7.83" + ], + "event.action": "block", + "event.code": "PUT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.13.59.31 5685 [28/Sep/2016:5:53:42 sperna] \"PUT https://www5.example.com/estia/tper.gif?volupt=osqui#xerc iutali\" 10.214.7.83 liquide etdol \"uela\" boN eprehend 2462 \"https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", + "file.name": "uela", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/lamcolab/ati.jpg?gel=lorsitam#mpo", + "input.type": "log", + "log.offset": 6824, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.net", + "www5.example.com" + ], + "related.ip": [ + "10.13.59.31", + "10.214.7.83" + ], + "related.user": [ + "etdol" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "PUT", + "block" + ], + "rsa.misc.content_type": "eprehend", + "rsa.misc.result_code": "boN", + "rsa.network.domain": "www5.example.com", + "rsa.network.network_service": "iutali", + "rsa.time.event_time": "2016-09-28T07:53:42.000Z", + "rsa.web.alias_host": "www5.example.com", + "rsa.web.web_ref_domain": "internal.example.net", + "rsa.web.web_ref_query": "gel=lorsitam", + "server.domain": "www5.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "www5", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 2462, + "source.ip": [ + "10.13.59.31" + ], + "source.port": 5685, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.original": "https://www5.example.com/estia/tper.gif?volupt=osqui#xerc", + "url.path": "https://internal.example.net", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", + "user.name": "etdol", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2016-10-12T14:56:16.000Z", + "destination.ip": [ + "10.49.92.179" + ], + "event.action": "accept", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.89.201.140 2447 [12/Oct/2016:12:56:16 uamei] \"GET https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis uptasn\" 10.49.92.179 osamn isnisiu \"bore\" tsu tcons 3128 \"https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", + "file.name": "bore", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/lorinre/olorsita.gif?idata=rumwritt#magnid", + "input.type": "log", + "log.offset": 7186, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.net", + "api.example.org" + ], + "related.ip": [ + "10.89.201.140", + "10.49.92.179" + ], + "related.user": [ + "isnisiu" + ], + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "accept", + "GET" + ], + "rsa.misc.content_type": "tcons", + "rsa.misc.result_code": "tsu", + "rsa.network.domain": "internal.example.net", + "rsa.network.network_service": "uptasn", + "rsa.time.event_time": "2016-10-12T14:56:16.000Z", + "rsa.web.alias_host": "internal.example.net", + "rsa.web.web_ref_domain": "api.example.org", + "rsa.web.web_ref_query": "idata=rumwritt", + "server.domain": "internal.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "internal", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 3128, + "source.ip": [ + "10.89.201.140" + ], + "source.port": 2447, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.original": "https://internal.example.net/sin/rvel.htm?nimid=itatione#isnis", + "url.path": "https://api.example.org", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", + "user.name": "isnisiu", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2016-10-26T09:58:50.000Z", + "destination.ip": [ + "10.90.86.89" + ], + "event.action": "deny", + "event.code": "PURGE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.235.7.92 5787 [26/Oct/2016:7:58:50 nsecte] \"PURGE https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat derit\" 10.90.86.89 piscin lapar \"laboree\" tfu udan 5516 \"https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", + "file.name": "laboree", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/xeacomm/mveleu.htm?utlabor=rau#idex", + "input.type": "log", + "log.offset": 7611, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "mail.example.net" + ], + "related.ip": [ + "10.235.7.92", + "10.90.86.89" + ], + "related.user": [ + "lapar" + ], + "rsa.internal.messageid": "PURGE", + "rsa.misc.action": [ + "PURGE", + "deny" + ], + "rsa.misc.content_type": "udan", + "rsa.misc.result_code": "tfu", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "derit", + "rsa.time.event_time": "2016-10-26T09:58:50.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "mail.example.net", + "rsa.web.web_ref_query": "utlabor=rau", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 5516, + "source.ip": [ + "10.235.7.92" + ], + "source.port": 5787, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/abo/veniamqu.gif?aliquide=ofde#equat", + "url.path": "https://mail.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user.name": "lapar", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2016-11-10T05:01:24.000Z", + "destination.ip": [ + "10.14.48.16" + ], + "event.action": "cancel", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.14.211.43 4762 [10/Nov/2016:3:01:24 eiu] \"PROPFIND https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo itatio\" 10.14.48.16 sintoc volupt \"siste\" uiinea Utenima 1612 \"https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", + "file.name": "siste", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/ptatem/Nequepor.html?ugiatnu=ciati#nto", + "input.type": "log", + "log.offset": 7985, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "www5.example.net" + ], + "related.ip": [ + "10.14.48.16", + "10.14.211.43" + ], + "related.user": [ + "volupt" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "cancel", + "PROPFIND" + ], + "rsa.misc.content_type": "Utenima", + "rsa.misc.result_code": "uiinea", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "itatio", + "rsa.time.event_time": "2016-11-10T05:01:24.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "www5.example.net", + "rsa.web.web_ref_query": "ugiatnu=ciati", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 1612, + "source.ip": [ + "10.14.211.43" + ], + "source.port": 4762, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/autfu/gnaaliq.jpg?olupta=litse#icabo", + "url.path": "https://www5.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user.name": "volupt", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2016-11-24T12:03:59.000Z", + "destination.ip": [ + "10.93.123.174" + ], + "event.action": "block", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.47.25.230 5491 [24/Nov/2016:10:03:59 ese] \"CONNECT https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc uteirure\" 10.93.123.174 evelit reetdolo \"smo\" etcons iusmodi 1563 \"https://example.com/uiac/epte.gif?itam=aper#santiumd\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", + "file.name": "smo", + "fileset.name": "log", + "http.request.referrer": "https://example.com/uiac/epte.gif?itam=aper#santiumd", + "input.type": "log", + "log.offset": 8370, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.net", + "example.com" + ], + "related.ip": [ + "10.47.25.230", + "10.93.123.174" + ], + "related.user": [ + "reetdolo" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "block" + ], + "rsa.misc.content_type": "iusmodi", + "rsa.misc.result_code": "etcons", + "rsa.network.domain": "internal.example.net", + "rsa.network.network_service": "uteirure", + "rsa.time.event_time": "2016-11-24T12:03:59.000Z", + "rsa.web.alias_host": "internal.example.net", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "itam=aper", + "server.domain": "internal.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "internal", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 1563, + "source.ip": [ + "10.47.25.230" + ], + "source.port": 5491, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.original": "https://internal.example.net/ptatemq/luptatev.html?Nequepo=ipsumd#ntocc", + "url.path": "https://example.com", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", + "user.name": "reetdolo", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2016-12-08T07:06:33.000Z", + "destination.ip": [ + "10.233.48.103" + ], + "event.action": "cancel", + "event.code": "MKOL", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.7.46.36 837 [08/Dec/2016:5:06:33 nonn] \"MKOL https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons sBon\" 10.233.48.103 leumiur tlab \"aperiame\" isc ullamcor 584 \"https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", + "file.name": "aperiame", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.com/tateve/itinvol.txt?tenatus=cipitlab#ipsumd", + "input.type": "log", + "log.offset": 8829, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.com", + "www5.example.net" + ], + "related.ip": [ + "10.233.48.103", + "10.7.46.36" + ], + "related.user": [ + "tlab" + ], + "rsa.internal.messageid": "MKOL", + "rsa.misc.action": [ + "cancel", + "MKOL" + ], + "rsa.misc.content_type": "ullamcor", + "rsa.misc.result_code": "isc", + "rsa.network.domain": "www5.example.net", + "rsa.network.network_service": "sBon", + "rsa.time.event_time": "2016-12-08T07:06:33.000Z", + "rsa.web.alias_host": "www5.example.net", + "rsa.web.web_ref_domain": "www5.example.com", + "rsa.web.web_ref_query": "tenatus=cipitlab", + "server.domain": "www5.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www5", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 584, + "source.ip": [ + "10.7.46.36" + ], + "source.port": 837, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.original": "https://www5.example.net/quiavol/rrorsi.gif?iatisu=sec#cons", + "url.path": "https://www5.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", + "user.name": "tlab", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2016-12-23T14:09:07.000Z", + "destination.ip": [ + "10.27.58.92" + ], + "event.action": "accept", + "event.code": "PROPATCH", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.93.220.10 2805 [23/Dec/2016:12:09:07 com] \"PROPATCH https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia sequatu\" 10.27.58.92 amvo qui \"tasn\" Nemoenim squirati 63 \"https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", + "file.name": "tasn", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/nbyCic/utlabor.html?iciade=ntiumt#iquipe", + "input.type": "log", + "log.offset": 9210, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "mail.example.com" + ], + "related.ip": [ + "10.93.220.10", + "10.27.58.92" + ], + "related.user": [ + "qui" + ], + "rsa.internal.messageid": "PROPATCH", + "rsa.misc.action": [ + "accept", + "PROPATCH" + ], + "rsa.misc.content_type": "squirati", + "rsa.misc.result_code": "Nemoenim", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "sequatu", + "rsa.time.event_time": "2016-12-23T14:09:07.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "mail.example.com", + "rsa.web.web_ref_query": "iciade=ntiumt", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 63, + "source.ip": [ + "10.93.220.10" + ], + "source.port": 2805, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/orain/tiumt.jpg?litessec=itas#edquia", + "url.path": "https://mail.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "qui", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-01-06T09:11:41.000Z", + "destination.ip": [ + "10.135.217.12" + ], + "event.action": "block", + "event.code": "PURGE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.213.144.249 4427 [06/Jan/2017:7:11:41 taedicta] \"PURGE https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut uamni\" 10.135.217.12 metMalo ntexplic \"archite\" loreme untu 5676 \"https://example.net/con/nisist.gif?ium=esciuntN#idunt\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", + "file.name": "archite", + "fileset.name": "log", + "http.request.referrer": "https://example.net/con/nisist.gif?ium=esciuntN#idunt", + "input.type": "log", + "log.offset": 9635, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.net", + "example.net" + ], + "related.ip": [ + "10.213.144.249", + "10.135.217.12" + ], + "related.user": [ + "ntexplic" + ], + "rsa.internal.messageid": "PURGE", + "rsa.misc.action": [ + "PURGE", + "block" + ], + "rsa.misc.content_type": "untu", + "rsa.misc.result_code": "loreme", + "rsa.network.domain": "www.example.net", + "rsa.network.network_service": "uamni", + "rsa.time.event_time": "2017-01-06T09:11:41.000Z", + "rsa.web.alias_host": "www.example.net", + "rsa.web.web_ref_domain": "example.net", + "rsa.web.web_ref_query": "ium=esciuntN", + "server.domain": "www.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 5676, + "source.ip": [ + "10.213.144.249" + ], + "source.port": 4427, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.original": "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "url.path": "https://example.net", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", + "user.name": "ntexplic", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-01-20T04:14:16.000Z", + "destination.ip": [ + "10.233.239.112" + ], + "event.action": "cancel", + "event.code": "PURGE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.13.226.57 3275 [20/Jan/2017:2:14:16 runtm] \"PURGE https://mail.example.net/velitse/oditem.html?torever=oremi#mestq temUt\" 10.233.239.112 npr mquelau \"iadolor\" amcol adeser 3780 \"https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" cancel", + "file.name": "iadolor", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/tqu/reprehen.gif?quam=quid#fugiat", + "input.type": "log", + "log.offset": 10003, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.com", + "mail.example.net" + ], + "related.ip": [ + "10.13.226.57", + "10.233.239.112" + ], + "related.user": [ + "mquelau" + ], + "rsa.internal.messageid": "PURGE", + "rsa.misc.action": [ + "cancel", + "PURGE" + ], + "rsa.misc.content_type": "adeser", + "rsa.misc.result_code": "amcol", + "rsa.network.domain": "mail.example.net", + "rsa.network.network_service": "temUt", + "rsa.time.event_time": "2017-01-20T04:14:16.000Z", + "rsa.web.alias_host": "mail.example.net", + "rsa.web.web_ref_domain": "internal.example.com", + "rsa.web.web_ref_query": "quam=quid", + "server.domain": "mail.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "mail", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 3780, + "source.ip": [ + "10.13.226.57" + ], + "source.port": 3275, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.original": "https://mail.example.net/velitse/oditem.html?torever=oremi#mestq", + "url.path": "https://internal.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", + "user.name": "mquelau", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-02-03T11:16:50.000Z", + "destination.ip": [ + "10.21.169.127" + ], + "event.action": "accept", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.161.203.252 301 [03/Feb/2017:9:16:50 emquia] \"CONNECT https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa eFi\" 10.21.169.127 rpori ice \"oles\" edic seq 2835 \"https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", + "file.name": "oles", + "fileset.name": "log", + "http.request.referrer": "https://example.com/tatn/dolorsit.jpg?billo=labo#oNemoeni", + "input.type": "log", + "log.offset": 10374, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.org", + "example.com" + ], + "related.ip": [ + "10.21.169.127", + "10.161.203.252" + ], + "related.user": [ + "ice" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "accept", + "CONNECT" + ], + "rsa.misc.content_type": "seq", + "rsa.misc.result_code": "edic", + "rsa.network.domain": "internal.example.org", + "rsa.network.network_service": "eFi", + "rsa.time.event_time": "2017-02-03T11:16:50.000Z", + "rsa.web.alias_host": "internal.example.org", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "billo=labo", + "server.domain": "internal.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "internal", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 2835, + "source.ip": [ + "10.161.203.252" + ], + "source.port": 301, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.org", + "url.original": "https://internal.example.org/isnisi/ritatise.gif?tamet=quatur#uisa", + "url.path": "https://example.com", + "url.registered_domain": "example.org", + "url.subdomain": "internal", + "url.top_level_domain": "org", + "user.name": "ice", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-02-18T06:19:24.000Z", + "destination.ip": [ + "10.69.139.26" + ], + "event.action": "block", + "event.code": "LOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.17.215.111 148 [18/Feb/2017:4:19:24 ratv] \"LOCK https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano piscinge\" 10.69.139.26 ditemp edqui \"nre\" veli volupta 7124 \"https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", + "file.name": "nre", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/ersp/enderi.jpg?adi=umwrit#uptate", + "input.type": "log", + "log.offset": 10735, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.net", + "api.example.com" + ], + "related.ip": [ + "10.69.139.26", + "10.17.215.111" + ], + "related.user": [ + "edqui" + ], + "rsa.internal.messageid": "LOCK", + "rsa.misc.action": [ + "LOCK", + "block" + ], + "rsa.misc.content_type": "volupta", + "rsa.misc.result_code": "veli", + "rsa.network.domain": "www.example.net", + "rsa.network.network_service": "piscinge", + "rsa.time.event_time": "2017-02-18T06:19:24.000Z", + "rsa.web.alias_host": "www.example.net", + "rsa.web.web_ref_domain": "api.example.com", + "rsa.web.web_ref_query": "adi=umwrit", + "server.domain": "www.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 7124, + "source.ip": [ + "10.17.215.111" + ], + "source.port": 148, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.original": "https://www.example.net/ianon/tsed.htm?ameiusm=proide#ano", + "url.path": "https://api.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", + "user.name": "edqui", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-03-04T13:21:59.000Z", + "destination.ip": [ + "10.104.80.189" + ], + "event.action": "accept", + "event.code": "COPY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.10.213.83 7206 [04/Mar/2017:11:21:59 nisi] \"COPY https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat vitaedi\" 10.104.80.189 dolore onsecte \"nBCSedut\" ugiat onulam 1542 \"https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", + "file.name": "nBCSedut", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/oditautf/quatu.jpg?lumdolor=nonp#labo", + "input.type": "log", + "log.offset": 11158, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.org", + "mail.example.org" + ], + "related.ip": [ + "10.10.213.83", + "10.104.80.189" + ], + "related.user": [ + "onsecte" + ], + "rsa.internal.messageid": "COPY", + "rsa.misc.action": [ + "accept", + "COPY" + ], + "rsa.misc.content_type": "onulam", + "rsa.misc.result_code": "ugiat", + "rsa.network.domain": "www5.example.org", + "rsa.network.network_service": "vitaedi", + "rsa.time.event_time": "2017-03-04T13:21:59.000Z", + "rsa.web.alias_host": "www5.example.org", + "rsa.web.web_ref_domain": "mail.example.org", + "rsa.web.web_ref_query": "lumdolor=nonp", + "server.domain": "www5.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www5", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 1542, + "source.ip": [ + "10.10.213.83" + ], + "source.port": 7206, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.original": "https://www5.example.org/ncididun/umSe.jpg?ise=itau#apariat", + "url.path": "https://mail.example.org", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", + "user.name": "onsecte", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-03-18T08:24:33.000Z", + "destination.ip": [ + "10.116.230.217" + ], + "event.action": "block", + "event.code": "UNLOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.125.131.91 3480 [18/Mar/2017:6:24:33 urv] \"UNLOCK https://example.org/uatur/adminimv.gif?exeacom=roidents#tem dol\" 10.116.230.217 mvele isis \"uasiar\" utlab emUteni 7122 \"https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" block", + "file.name": "uasiar", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/lor/velillu.html?dolorem=tvolu#nreprehe", + "input.type": "log", + "log.offset": 11529, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "example.org" + ], + "related.ip": [ + "10.116.230.217", + "10.125.131.91" + ], + "related.user": [ + "isis" + ], + "rsa.internal.messageid": "UNLOCK", + "rsa.misc.action": [ + "UNLOCK", + "block" + ], + "rsa.misc.content_type": "emUteni", + "rsa.misc.result_code": "utlab", + "rsa.network.domain": "example.org", + "rsa.network.network_service": "dol", + "rsa.time.event_time": "2017-03-18T08:24:33.000Z", + "rsa.web.alias_host": "example.org", + "rsa.web.web_ref_domain": "api.example.org", + "rsa.web.web_ref_query": "dolorem=tvolu", + "server.domain": "example.org", + "server.registered_domain": "example.org", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 7122, + "source.ip": [ + "10.125.131.91" + ], + "source.port": 3480, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.org", + "url.original": "https://example.org/uatur/adminimv.gif?exeacom=roidents#tem", + "url.path": "https://api.example.org", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", + "user.name": "isis", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2017-04-02T03:27:07.000Z", + "destination.ip": [ + "10.119.90.128" + ], + "event.action": "cancel", + "event.code": "ICP_QUERY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.26.96.202 2751 [02/Apr/2017:1:27:07 rautodi] \"ICP_QUERY https://api.example.com/ven/rQu.html?doloreme=dun#reprehe tincu\" 10.119.90.128 lor oraincid \"intocc\" amcorp ntsunt 4826 \"https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" cancel", + "file.name": "intocc", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/olo/psumqu.txt?fdeF=iquidexe#diconse", + "input.type": "log", + "log.offset": 11865, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.com", + "api.example.com" + ], + "related.ip": [ + "10.26.96.202", + "10.119.90.128" + ], + "related.user": [ + "oraincid" + ], + "rsa.internal.messageid": "ICP_QUERY", + "rsa.misc.action": [ + "ICP_QUERY", + "cancel" + ], + "rsa.misc.content_type": "ntsunt", + "rsa.misc.result_code": "amcorp", + "rsa.network.domain": "api.example.com", + "rsa.network.network_service": "tincu", + "rsa.time.event_time": "2017-04-02T03:27:07.000Z", + "rsa.web.alias_host": "api.example.com", + "rsa.web.web_ref_domain": "mail.example.com", + "rsa.web.web_ref_query": "fdeF=iquidexe", + "server.domain": "api.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "api", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 4826, + "source.ip": [ + "10.26.96.202" + ], + "source.port": 2751, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.original": "https://api.example.com/ven/rQu.html?doloreme=dun#reprehe", + "url.path": "https://mail.example.com", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", + "user.name": "oraincid", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-04-16T10:29:41.000Z", + "destination.ip": [ + "10.76.110.144" + ], + "event.action": "deny", + "event.code": "HEAD", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.0.98.205 126 [16/Apr/2017:8:29:41 edquiac] \"HEAD https://api.example.net/eseru/quamest.html?qua=rsita#ate ipsamvo\" 10.76.110.144 tdol upt \"mex\" tatem untutlab 3386 \"https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" deny", + "file.name": "mex", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/plicab/oremq.html?uisaute=imide#poriss", + "input.type": "log", + "log.offset": 12300, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "mail.example.com" + ], + "related.ip": [ + "10.0.98.205", + "10.76.110.144" + ], + "related.user": [ + "upt" + ], + "rsa.internal.messageid": "HEAD", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny", + "HEAD" + ], + "rsa.misc.content_type": "untutlab", + "rsa.misc.result_code": "tatem", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "ipsamvo", + "rsa.time.event_time": "2017-04-16T10:29:41.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "mail.example.com", + "rsa.web.web_ref_query": "uisaute=imide", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 3386, + "source.ip": [ + "10.0.98.205" + ], + "source.port": 126, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/eseru/quamest.html?qua=rsita#ate", + "url.path": "https://mail.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "upt", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-04-30T05:32:16.000Z", + "destination.ip": [ + "10.135.46.242" + ], + "event.action": "deny", + "event.code": "MOVE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.224.11.165 1646 [30/Apr/2017:3:32:16 nof] \"MOVE https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu licabo\" 10.135.46.242 lupta xeaco \"nvolupt\" oremi elites 1940 \"https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", + "file.name": "nvolupt", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/boNemoe/onsequ.html?amvolupt=onevolu#mnis", + "input.type": "log", + "log.offset": 12695, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.org", + "www.example.org" + ], + "related.ip": [ + "10.135.46.242", + "10.224.11.165" + ], + "related.user": [ + "xeaco" + ], + "rsa.internal.messageid": "MOVE", + "rsa.misc.action": [ + "deny", + "MOVE" + ], + "rsa.misc.content_type": "elites", + "rsa.misc.result_code": "oremi", + "rsa.network.domain": "internal.example.org", + "rsa.network.network_service": "licabo", + "rsa.time.event_time": "2017-04-30T05:32:16.000Z", + "rsa.web.alias_host": "internal.example.org", + "rsa.web.web_ref_domain": "www.example.org", + "rsa.web.web_ref_query": "amvolupt=onevolu", + "server.domain": "internal.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "internal", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 1940, + "source.ip": [ + "10.224.11.165" + ], + "source.port": 1646, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.org", + "url.original": "https://internal.example.org/mvolu/conse.txt?aincidu=nimadmin#isiu", + "url.path": "https://www.example.org", + "url.registered_domain": "example.org", + "url.subdomain": "internal", + "url.top_level_domain": "org", + "user.name": "xeaco", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2017-05-14T12:34:50.000Z", + "destination.ip": [ + "10.154.53.249" + ], + "event.action": "accept", + "event.code": "TRACE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.27.44.4 4686 [14/May/2017:10:34:50 sequatD] \"TRACE https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol eri\" 10.154.53.249 tae autodit \"elit\" cidunt plica 7398 \"https://internal.example.org/emqu/nderi.html?accusant=onse#admin\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" accept", + "file.name": "elit", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/emqu/nderi.html?accusant=onse#admin", + "input.type": "log", + "log.offset": 13084, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.org" + ], + "related.ip": [ + "10.27.44.4", + "10.154.53.249" + ], + "related.user": [ + "autodit" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "TRACE", + "accept" + ], + "rsa.misc.content_type": "plica", + "rsa.misc.result_code": "cidunt", + "rsa.network.domain": "internal.example.org", + "rsa.network.network_service": "eri", + "rsa.time.event_time": "2017-05-14T12:34:50.000Z", + "rsa.web.alias_host": "internal.example.org", + "rsa.web.web_ref_domain": "internal.example.org", + "rsa.web.web_ref_query": "accusant=onse", + "server.domain": "internal.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "internal", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 7398, + "source.ip": [ + "10.27.44.4" + ], + "source.port": 4686, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.org", + "url.original": "https://internal.example.org/isciv/rroqu.html?uisa=tametco#ilmol", + "url.path": "https://internal.example.org", + "url.registered_domain": "example.org", + "url.subdomain": "internal", + "url.top_level_domain": "org", + "user.name": "autodit", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2017-05-29T07:37:24.000Z", + "destination.ip": [ + "10.150.245.88" + ], + "event.action": "cancel", + "event.code": "COPY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.93.39.140 4275 [29/May/2017:5:37:24 ute] \"COPY https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid rExc\" 10.150.245.88 orisn reetd \"prehen\" ntutlabo iusmodte 1738 \"https://example.org/isc/Nequepor.txt?rem=idid#tesse\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" cancel", + "file.name": "prehen", + "fileset.name": "log", + "http.request.referrer": "https://example.org/isc/Nequepor.txt?rem=idid#tesse", + "input.type": "log", + "log.offset": 13539, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.net", + "example.org" + ], + "related.ip": [ + "10.93.39.140", + "10.150.245.88" + ], + "related.user": [ + "reetd" + ], + "rsa.internal.messageid": "COPY", + "rsa.misc.action": [ + "cancel", + "COPY" + ], + "rsa.misc.content_type": "iusmodte", + "rsa.misc.result_code": "ntutlabo", + "rsa.network.domain": "www5.example.net", + "rsa.network.network_service": "rExc", + "rsa.time.event_time": "2017-05-29T07:37:24.000Z", + "rsa.web.alias_host": "www5.example.net", + "rsa.web.web_ref_domain": "example.org", + "rsa.web.web_ref_query": "rem=idid", + "server.domain": "www5.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www5", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 1738, + "source.ip": [ + "10.93.39.140" + ], + "source.port": 4275, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.original": "https://www5.example.net/uaeratv/isa.txt?periam=dqu#pid", + "url.path": "https://example.org", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", + "user.name": "reetd", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-06-12T14:39:58.000Z", + "destination.ip": [ + "10.73.207.70" + ], + "event.action": "block", + "event.code": "UNLOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.61.92.2 6595 [12/Jun/2017:12:39:58 maliquam] \"UNLOCK https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn ecillu\" 10.73.207.70 llamco atu \"untincul\" ssecil commodi 3023 \"https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", + "file.name": "untincul", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/tate/onevo.htm?emvele=isnost#olorem", + "input.type": "log", + "log.offset": 13927, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.com", + "mail.example.net" + ], + "related.ip": [ + "10.61.92.2", + "10.73.207.70" + ], + "related.user": [ + "atu" + ], + "rsa.internal.messageid": "UNLOCK", + "rsa.misc.action": [ + "block", + "UNLOCK" + ], + "rsa.misc.content_type": "commodi", + "rsa.misc.result_code": "ssecil", + "rsa.network.domain": "www5.example.com", + "rsa.network.network_service": "ecillu", + "rsa.time.event_time": "2017-06-12T14:39:58.000Z", + "rsa.web.alias_host": "www5.example.com", + "rsa.web.web_ref_domain": "mail.example.net", + "rsa.web.web_ref_query": "emvele=isnost", + "server.domain": "www5.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "www5", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 3023, + "source.ip": [ + "10.61.92.2" + ], + "source.port": 6595, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.original": "https://www5.example.com/orroq/vitaedic.txt?orisni=ons#remagn", + "url.path": "https://mail.example.net", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", + "user.name": "atu", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2017-06-26T09:42:33.000Z", + "destination.ip": [ + "10.50.124.116" + ], + "event.action": "allow", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.84.32.178 5271 [26/Jun/2017:7:42:33 aliq] \"GET https://example.net/mven/olorsit.gif?oremag=illu#ruredo mac\" temUt 2741 \"https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" allow 10.50.124.116 numquam 104.719000", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/uamnihi/risnis.html?scingeli=isn#sBono", + "input.type": "log", + "log.offset": 14365, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.com", + "example.net" + ], + "related.ip": [ + "10.84.32.178", + "10.50.124.116" + ], + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "allow", + "GET" + ], + "rsa.misc.content_type": "numquam", + "rsa.misc.result_code": "temUt", + "rsa.network.domain": "example.net", + "rsa.network.network_service": "mac", + "rsa.time.duration_time": 104.719, + "rsa.time.event_time": "2017-06-26T09:42:33.000Z", + "rsa.web.alias_host": "example.net", + "rsa.web.web_ref_domain": "internal.example.com", + "rsa.web.web_ref_query": "scingeli=isn", + "server.domain": "example.net", + "server.registered_domain": "example.net", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 2741, + "source.ip": [ + "10.84.32.178" + ], + "source.port": 5271, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.net", + "url.original": "https://example.net/mven/olorsit.gif?oremag=illu#ruredo", + "url.path": "https://internal.example.com", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2017-07-11T04:45:07.000Z", + "destination.ip": [ + "10.211.234.224" + ], + "event.action": "accept", + "event.code": "TRACE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.173.222.131 918 [11/Jul/2017:2:45:07 ori] \"TRACE https://www5.example.net/rum/eataevi.html?ulla=iqu#oin hil\" 10.211.234.224 uiadol Duisa \"lupta\" aUt boNem 5564 \"https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", + "file.name": "lupta", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/maveni/onevo.htm?liquaUte=alorum#obeataev", + "input.type": "log", + "log.offset": 14772, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.net", + "api.example.org" + ], + "related.ip": [ + "10.173.222.131", + "10.211.234.224" + ], + "related.user": [ + "Duisa" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "TRACE", + "accept" + ], + "rsa.misc.content_type": "boNem", + "rsa.misc.result_code": "aUt", + "rsa.network.domain": "www5.example.net", + "rsa.network.network_service": "hil", + "rsa.time.event_time": "2017-07-11T04:45:07.000Z", + "rsa.web.alias_host": "www5.example.net", + "rsa.web.web_ref_domain": "api.example.org", + "rsa.web.web_ref_query": "liquaUte=alorum", + "server.domain": "www5.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www5", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 5564, + "source.ip": [ + "10.173.222.131" + ], + "source.port": 918, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.original": "https://www5.example.net/rum/eataevi.html?ulla=iqu#oin", + "url.path": "https://api.example.org", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", + "user.name": "Duisa", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-07-25T11:47:41.000Z", + "destination.ip": [ + "10.0.157.225" + ], + "event.action": "deny", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.11.83.126 6581 [25/Jul/2017:9:47:41 naaliq] \"PROPFIND https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup tsed\" 10.0.157.225 itam atu \"lloin\" remipsum tempor 1282 \"https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", + "file.name": "lloin", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/incidid/rure.htm?edquian=loremeu#aturve", + "input.type": "log", + "log.offset": 15130, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.net", + "mail.example.net" + ], + "related.ip": [ + "10.0.157.225", + "10.11.83.126" + ], + "related.user": [ + "atu" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "PROPFIND", + "deny" + ], + "rsa.misc.content_type": "tempor", + "rsa.misc.result_code": "remipsum", + "rsa.network.domain": "mail.example.net", + "rsa.network.network_service": "tsed", + "rsa.time.event_time": "2017-07-25T11:47:41.000Z", + "rsa.web.alias_host": "mail.example.net", + "rsa.web.web_ref_domain": "www5.example.net", + "rsa.web.web_ref_query": "edquian=loremeu", + "server.domain": "mail.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "mail", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 1282, + "source.ip": [ + "10.11.83.126" + ], + "source.port": 6581, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.original": "https://mail.example.net/osquir/mod.txt?fugitse=imad#tinvolup", + "url.path": "https://www5.example.net", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", + "user.name": "atu", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-08-08T06:50:15.000Z", + "destination.ip": [ + "10.92.237.93" + ], + "event.action": "cancel", + "event.code": "PUT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.228.77.21 6889 [08/Aug/2017:4:50:15 lamc] \"PUT https://api.example.com/asper/umq.txt?itasper=uae#mve uia\" 10.92.237.93 mad onse \"redol\" gnaa mod 5107 \"https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", + "file.name": "redol", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.com/toditaut/voluptat.htm?strumex=eprehend#asnu", + "input.type": "log", + "log.offset": 15505, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.com", + "api.example.com" + ], + "related.ip": [ + "10.92.237.93", + "10.228.77.21" + ], + "related.user": [ + "onse" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "cancel", + "PUT" + ], + "rsa.misc.content_type": "mod", + "rsa.misc.result_code": "gnaa", + "rsa.network.domain": "api.example.com", + "rsa.network.network_service": "uia", + "rsa.time.event_time": "2017-08-08T06:50:15.000Z", + "rsa.web.alias_host": "api.example.com", + "rsa.web.web_ref_domain": "www5.example.com", + "rsa.web.web_ref_query": "strumex=eprehend", + "server.domain": "api.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "api", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 5107, + "source.ip": [ + "10.228.77.21" + ], + "source.port": 6889, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.original": "https://api.example.com/asper/umq.txt?itasper=uae#mve", + "url.path": "https://www5.example.com", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", + "user.name": "onse", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2017-08-22T13:52:50.000Z", + "destination.ip": [ + "10.20.28.92" + ], + "event.action": "allow", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.102.215.23 3665 [22/Aug/2017:11:52:50 esseq] \"POST https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu licaboN\" 10.20.28.92 econs ntexpl \"dunt\" litsedq nderiti 409 \"https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" allow", + "file.name": "dunt", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/Cic/olorema.txt?iscive=quasiar#aeab", + "input.type": "log", + "log.offset": 15871, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.net", + "api.example.com" + ], + "related.ip": [ + "10.20.28.92", + "10.102.215.23" + ], + "related.user": [ + "ntexpl" + ], + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "allow", + "POST" + ], + "rsa.misc.content_type": "nderiti", + "rsa.misc.result_code": "litsedq", + "rsa.network.domain": "www5.example.net", + "rsa.network.network_service": "licaboN", + "rsa.time.event_time": "2017-08-22T13:52:50.000Z", + "rsa.web.alias_host": "www5.example.net", + "rsa.web.web_ref_domain": "api.example.com", + "rsa.web.web_ref_query": "iscive=quasiar", + "server.domain": "www5.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www5", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 409, + "source.ip": [ + "10.102.215.23" + ], + "source.port": 3665, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.original": "https://www5.example.net/quatD/isqua.jpg?oloreseo=iruredol#veniamqu", + "url.path": "https://api.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", + "user.name": "ntexpl", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2017-09-06T08:55:24.000Z", + "destination.ip": [ + "10.17.87.79" + ], + "event.action": "block", + "event.code": "NONE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.45.28.159 5627 [06/Sep/2017:6:55:24 ree] \"NONE https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh plic\" 10.17.87.79 tetur tionula \"ritqu\" ecatcupi uamei 4595 \"https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", + "file.name": "ritqu", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.com/onse/olorem.gif?duntutla=ntium#iration", + "input.type": "log", + "log.offset": 16214, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "www5.example.com" + ], + "related.ip": [ + "10.45.28.159", + "10.17.87.79" + ], + "related.user": [ + "tionula" + ], + "rsa.internal.messageid": "NONE", + "rsa.misc.action": [ + "block", + "NONE" + ], + "rsa.misc.content_type": "uamei", + "rsa.misc.result_code": "ecatcupi", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "plic", + "rsa.time.event_time": "2017-09-06T08:55:24.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "www5.example.com", + "rsa.web.web_ref_query": "duntutla=ntium", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 4595, + "source.ip": [ + "10.45.28.159" + ], + "source.port": 5627, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/ation/luptas.html?iatqu=lorsi#repreh", + "url.path": "https://www5.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "tionula", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-09-20T03:57:58.000Z", + "destination.ip": [ + "10.189.94.51" + ], + "event.action": "allow", + "event.code": "DELETE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.177.238.45 5137 [20/Sep/2017:1:57:58 ssusci] \"DELETE https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi quasiarc\" 10.189.94.51 tetura rsp \"oluptat\" metco acom 5704 \"https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" allow", + "file.name": "oluptat", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/tem/exeacomm.txt?taliqui=mides#ciun", + "input.type": "log", + "log.offset": 16583, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.com", + "api.example.com" + ], + "related.ip": [ + "10.189.94.51", + "10.177.238.45" + ], + "related.user": [ + "rsp" + ], + "rsa.internal.messageid": "DELETE", + "rsa.misc.action": [ + "allow", + "DELETE" + ], + "rsa.misc.content_type": "acom", + "rsa.misc.result_code": "metco", + "rsa.network.domain": "internal.example.com", + "rsa.network.network_service": "quasiarc", + "rsa.time.event_time": "2017-09-20T03:57:58.000Z", + "rsa.web.alias_host": "internal.example.com", + "rsa.web.web_ref_domain": "api.example.com", + "rsa.web.web_ref_query": "taliqui=mides", + "server.domain": "internal.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "internal", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 5704, + "source.ip": [ + "10.177.238.45" + ], + "source.port": 5137, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.original": "https://internal.example.com/mpo/unte.jpg?ueipsa=scipitl#eumi", + "url.path": "https://api.example.com", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", + "user.name": "rsp", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-10-04T11:00:32.000Z", + "destination.ip": [ + "10.101.85.169" + ], + "event.action": "accept", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.46.77.76 5169 [04/Oct/2017:9:00:32 anim] \"GET https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup aco\" 10.101.85.169 natu liquid \"enim\" Finibus radi 5697 \"https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36\" accept", + "file.name": "enim", + "fileset.name": "log", + "http.request.referrer": "https://example.com/taed/umdolo.html?rroqu=dquiaco#nibus", + "input.type": "log", + "log.offset": 16986, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.org", + "example.com" + ], + "related.ip": [ + "10.101.85.169", + "10.46.77.76" + ], + "related.user": [ + "liquid" + ], + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "accept" + ], + "rsa.misc.content_type": "radi", + "rsa.misc.result_code": "Finibus", + "rsa.network.domain": "www.example.org", + "rsa.network.network_service": "aco", + "rsa.time.event_time": "2017-10-04T11:00:32.000Z", + "rsa.web.alias_host": "www.example.org", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "rroqu=dquiaco", + "server.domain": "www.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 5697, + "source.ip": [ + "10.46.77.76" + ], + "source.port": 5169, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.original": "https://www.example.org/uov/quaeab.jpg?moles=dipiscin#olup", + "url.path": "https://example.com", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", + "user.name": "liquid", + "user_agent.device.name": "Mac", + "user_agent.name": "Yandex Browser", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", + "user_agent.os.full": "Mac OS X 10.15.6", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15.6", + "user_agent.version": "20.3.0" + }, + { + "@timestamp": "2017-10-19T06:03:07.000Z", + "destination.ip": [ + "10.231.7.209" + ], + "event.action": "block", + "event.code": "HEAD", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.24.54.129 77 [19/Oct/2017:4:03:07 eprehend] \"HEAD https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos orsi\" 10.231.7.209 lorsita eavol \"osamnis\" temaccu scipitl 1247 \"https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa\" \"Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36\" block", + "file.name": "osamnis", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/caboNem/urExcept.txt?litesseq=atcupida#tessequa", + "input.type": "log", + "log.offset": 17373, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.net", + "www5.example.org" + ], + "related.ip": [ + "10.24.54.129", + "10.231.7.209" + ], + "related.user": [ + "eavol" + ], + "rsa.internal.messageid": "HEAD", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "HEAD", + "block" + ], + "rsa.misc.content_type": "scipitl", + "rsa.misc.result_code": "temaccu", + "rsa.network.domain": "example.net", + "rsa.network.network_service": "orsi", + "rsa.time.event_time": "2017-10-19T06:03:07.000Z", + "rsa.web.alias_host": "example.net", + "rsa.web.web_ref_domain": "www5.example.org", + "rsa.web.web_ref_query": "litesseq=atcupida", + "server.domain": "example.net", + "server.registered_domain": "example.net", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 1247, + "source.ip": [ + "10.24.54.129" + ], + "source.port": 77, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.net", + "url.original": "https://example.net/edolo/ugiatquo.jpg?eosquira=pta#snos", + "url.path": "https://www5.example.org", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", + "user.name": "eavol", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2017-11-02T13:05:41.000Z", + "destination.ip": [ + "10.77.129.175" + ], + "event.action": "allow", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.121.163.5 7803 [02/Nov/2017:11:05:41 redol] \"CONNECT https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh ratv\" 10.77.129.175 tali BCS \"qui\" ugiatquo incidid 2617 \"https://www.example.com/sBonor/fugits.jpg?amc=vol#admi\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", + "file.name": "qui", + "fileset.name": "log", + "http.request.referrer": "https://www.example.com/sBonor/fugits.jpg?amc=vol#admi", + "input.type": "log", + "log.offset": 17756, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "www.example.com" + ], + "related.ip": [ + "10.77.129.175", + "10.121.163.5" + ], + "related.user": [ + "BCS" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "allow", + "CONNECT" + ], + "rsa.misc.content_type": "incidid", + "rsa.misc.result_code": "ugiatquo", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "ratv", + "rsa.time.event_time": "2017-11-02T13:05:41.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "www.example.com", + "rsa.web.web_ref_query": "amc=vol", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 2617, + "source.ip": [ + "10.121.163.5" + ], + "source.port": 7803, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/isci/dolor.htm?orinrep=quiavol#nrepreh", + "url.path": "https://www.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user.name": "BCS", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-11-16T08:08:15.000Z", + "destination.ip": [ + "10.116.146.114" + ], + "event.action": "deny", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.51.236.148 329 [16/Nov/2017:6:08:15 adol] \"PROPFIND https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui tvolup\" 10.116.146.114 col obea \"emp\" agnaaliq est 1444 \"https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" deny", + "file.name": "emp", + "fileset.name": "log", + "http.request.referrer": "https://www.example.com/inculp/onofd.gif?umdolors=dolori#asperna", + "input.type": "log", + "log.offset": 18118, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.com", + "mail.example.com" + ], + "related.ip": [ + "10.116.146.114", + "10.51.236.148" + ], + "related.user": [ + "obea" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "deny", + "PROPFIND" + ], + "rsa.misc.content_type": "est", + "rsa.misc.result_code": "agnaaliq", + "rsa.network.domain": "mail.example.com", + "rsa.network.network_service": "tvolup", + "rsa.time.event_time": "2017-11-16T08:08:15.000Z", + "rsa.web.alias_host": "mail.example.com", + "rsa.web.web_ref_domain": "www.example.com", + "rsa.web.web_ref_query": "umdolors=dolori", + "server.domain": "mail.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "mail", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 1444, + "source.ip": [ + "10.51.236.148" + ], + "source.port": 329, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.original": "https://mail.example.com/roide/tem.gif?rerepre=nculpaq#culpaqui", + "url.path": "https://www.example.com", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", + "user.name": "obea", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2017-12-01T03:10:49.000Z", + "destination.ip": [ + "10.217.222.99" + ], + "event.action": "block", + "event.code": "NONE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.244.108.135 6997 [01/Dec/2017:1:10:49 ume] \"NONE https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia itesse\" 10.217.222.99 ame amvolu \"mip\" tion tobeatae 2512 \"https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" block", + "file.name": "mip", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/iqua/luptat.txt?oremqu=uradi#velitsed", + "input.type": "log", + "log.offset": 18550, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.net", + "api.example.com" + ], + "related.ip": [ + "10.244.108.135", + "10.217.222.99" + ], + "related.user": [ + "amvolu" + ], + "rsa.internal.messageid": "NONE", + "rsa.misc.action": [ + "block", + "NONE" + ], + "rsa.misc.content_type": "tobeatae", + "rsa.misc.result_code": "tion", + "rsa.network.domain": "internal.example.net", + "rsa.network.network_service": "itesse", + "rsa.time.event_time": "2017-12-01T03:10:49.000Z", + "rsa.web.alias_host": "internal.example.net", + "rsa.web.web_ref_domain": "api.example.com", + "rsa.web.web_ref_query": "oremqu=uradi", + "server.domain": "internal.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "internal", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 2512, + "source.ip": [ + "10.244.108.135" + ], + "source.port": 6997, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.original": "https://internal.example.net/rautod/olest.jpg?lapar=ritati#edquia", + "url.path": "https://api.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", + "user.name": "amvolu", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2017-12-15T10:13:24.000Z", + "destination.ip": [ + "10.150.198.112" + ], + "event.action": "block", + "event.code": "PUT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.4.69.152 3833 [15/Dec/2017:8:13:24 scivel] \"PUT https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame orroquis\" 10.150.198.112 ntmoll mexer \"estla\" uipexe abor 1370 \"https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", + "file.name": "estla", + "fileset.name": "log", + "http.request.referrer": "https://www.example.net/remips/illoi.jpg?abori=uisnostr#reetdol", + "input.type": "log", + "log.offset": 18972, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "www.example.net" + ], + "related.ip": [ + "10.150.198.112", + "10.4.69.152" + ], + "related.user": [ + "mexer" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "PUT", + "block" + ], + "rsa.misc.content_type": "abor", + "rsa.misc.result_code": "uipexe", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "orroquis", + "rsa.time.event_time": "2017-12-15T10:13:24.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "www.example.net", + "rsa.web.web_ref_query": "abori=uisnostr", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 1370, + "source.ip": [ + "10.4.69.152" + ], + "source.port": 3833, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/iusmodt/enim.txt?aquio=ersp#iame", + "url.path": "https://www.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user.name": "mexer", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2017-12-29T05:15:58.000Z", + "destination.ip": [ + "10.45.54.107" + ], + "event.action": "accept", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.45.114.111 357 [29/Dec/2017:3:15:58 olup] \"POST https://example.org/abillo/undeom.html?oraincid=quaer#eetdo tlab\" 10.45.54.107 seddoeiu nse \"aali\" edictasu mdolors 7490 \"https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" accept", + "file.name": "aali", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/atis/atDuis.txt?nisiut=rumwri#velill", + "input.type": "log", + "log.offset": 19421, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.org", + "example.org" + ], + "related.ip": [ + "10.45.54.107", + "10.45.114.111" + ], + "related.user": [ + "nse" + ], + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "accept", + "POST" + ], + "rsa.misc.content_type": "mdolors", + "rsa.misc.result_code": "edictasu", + "rsa.network.domain": "example.org", + "rsa.network.network_service": "tlab", + "rsa.time.event_time": "2017-12-29T05:15:58.000Z", + "rsa.web.alias_host": "example.org", + "rsa.web.web_ref_domain": "www5.example.org", + "rsa.web.web_ref_query": "nisiut=rumwri", + "server.domain": "example.org", + "server.registered_domain": "example.org", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 7490, + "source.ip": [ + "10.45.114.111" + ], + "source.port": 357, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.org", + "url.original": "https://example.org/abillo/undeom.html?oraincid=quaer#eetdo", + "url.path": "https://www5.example.org", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", + "user.name": "nse", + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-01-12T12:18:32.000Z", + "destination.ip": [ + "10.205.28.24" + ], + "event.action": "allow", + "event.code": "TRACE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.49.242.174 4078 [12/Jan/2018:10:18:32 tat] \"TRACE https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse venia\" 10.205.28.24 oeni untutlab \"tvolup\" consecte pteurs 742 \"https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" allow", + "file.name": "tvolup", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/ons/tiaecon.html?unt=tass#tiumdol", + "input.type": "log", + "log.offset": 19869, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.net", + "www5.example.net" + ], + "related.ip": [ + "10.205.28.24", + "10.49.242.174" + ], + "related.user": [ + "untutlab" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "allow", + "TRACE" + ], + "rsa.misc.content_type": "pteurs", + "rsa.misc.result_code": "consecte", + "rsa.network.domain": "mail.example.net", + "rsa.network.network_service": "venia", + "rsa.time.event_time": "2018-01-12T12:18:32.000Z", + "rsa.web.alias_host": "mail.example.net", + "rsa.web.web_ref_domain": "www5.example.net", + "rsa.web.web_ref_query": "unt=tass", + "server.domain": "mail.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "mail", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 742, + "source.ip": [ + "10.49.242.174" + ], + "source.port": 4078, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.original": "https://mail.example.net/uam/orumSec.jpg?isnisiu=suntincu#sse", + "url.path": "https://www5.example.net", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", + "user.name": "untutlab", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2018-01-27T07:21:06.000Z", + "destination.ip": [ + "10.183.223.149" + ], + "event.action": "deny", + "event.code": "HEAD", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.17.202.219 487 [27/Jan/2018:5:21:06 iame] \"HEAD https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea imaveni\" 10.183.223.149 cor odoco \"oin\" itseddoe elites 6366 \"https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" deny", + "file.name": "oin", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/eursinto/litesse.html?licaboNe=tautfug#giatquov", + "input.type": "log", + "log.offset": 20290, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.org", + "mail.example.com" + ], + "related.ip": [ + "10.183.223.149", + "10.17.202.219" + ], + "related.user": [ + "odoco" + ], + "rsa.internal.messageid": "HEAD", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny", + "HEAD" + ], + "rsa.misc.content_type": "elites", + "rsa.misc.result_code": "itseddoe", + "rsa.network.domain": "www5.example.org", + "rsa.network.network_service": "imaveni", + "rsa.time.event_time": "2018-01-27T07:21:06.000Z", + "rsa.web.alias_host": "www5.example.org", + "rsa.web.web_ref_domain": "mail.example.com", + "rsa.web.web_ref_query": "licaboNe=tautfug", + "server.domain": "www5.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www5", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 6366, + "source.ip": [ + "10.17.202.219" + ], + "source.port": 487, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.original": "https://www5.example.org/umiurer/rere.txt?mnisi=usmo#iamea", + "url.path": "https://mail.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", + "user.name": "odoco", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-02-10T14:23:41.000Z", + "destination.ip": [ + "10.88.172.222" + ], + "event.action": "cancel", + "event.code": "MOVE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.81.140.173 7623 [10/Feb/2018:12:23:41 itae] \"MOVE https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu tan\" 10.88.172.222 doconse etdol \"dolorsi\" nturmag tura 6695 \"https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau\" \"mobmail android 2.1.3.3150\" cancel", + "file.name": "dolorsi", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.org/totam/ntoccae.htm?idunt=atqu#naturau", + "input.type": "log", + "log.offset": 20692, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.org", + "internal.example.net" + ], + "related.ip": [ + "10.81.140.173", + "10.88.172.222" + ], + "related.user": [ + "etdol" + ], + "rsa.internal.messageid": "MOVE", + "rsa.misc.action": [ + "cancel", + "MOVE" + ], + "rsa.misc.content_type": "tura", + "rsa.misc.result_code": "nturmag", + "rsa.network.domain": "internal.example.net", + "rsa.network.network_service": "tan", + "rsa.time.event_time": "2018-02-10T14:23:41.000Z", + "rsa.web.alias_host": "internal.example.net", + "rsa.web.web_ref_domain": "internal.example.org", + "rsa.web.web_ref_query": "idunt=atqu", + "server.domain": "internal.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "internal", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 6695, + "source.ip": [ + "10.81.140.173" + ], + "source.port": 7623, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.original": "https://internal.example.net/atnula/ditautf.jpg?iquidex=olup#remipsu", + "url.path": "https://internal.example.org", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", + "user.name": "etdol", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2018-02-24T09:26:15.000Z", + "destination.ip": [ + "10.247.53.179" + ], + "event.action": "accept", + "event.code": "OPTIONS", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.162.129.196 4247 [24/Feb/2018:7:26:15 snisi] \"OPTIONS https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo Cicero\" 10.247.53.179 issu identsu \"piscivel\" hend eacommo 6835 \"https://example.com/osquira/umd.gif?scipi=tur#acon\" \"mobmail android 2.1.3.3150\" accept", + "file.name": "piscivel", + "fileset.name": "log", + "http.request.referrer": "https://example.com/osquira/umd.gif?scipi=tur#acon", + "input.type": "log", + "log.offset": 20979, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.com", + "api.example.net" + ], + "related.ip": [ + "10.247.53.179", + "10.162.129.196" + ], + "related.user": [ + "identsu" + ], + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "accept", + "OPTIONS" + ], + "rsa.misc.content_type": "eacommo", + "rsa.misc.result_code": "hend", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "Cicero", + "rsa.time.event_time": "2018-02-24T09:26:15.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "scipi=tur", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 6835, + "source.ip": [ + "10.162.129.196" + ], + "source.port": 4247, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/uscip/umS.txt?quiacons=uisa#xeacommo", + "url.path": "https://example.com", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "identsu", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "mobmail android 2.1.3.3150" + }, + { + "@timestamp": "2018-03-11T04:28:49.000Z", + "destination.ip": [ + "10.172.148.223" + ], + "event.action": "accept", + "event.code": "UNLOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.110.86.230 536 [11/Mar/2018:2:28:49 eFini] \"UNLOCK https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai uido\" 10.172.148.223 snulap enimadm \"stenatu\" upta atc 3066 \"https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon\" \"Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80\" accept", + "file.name": "stenatu", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/asnulap/ipi.htm?orissu=fic#sBon", + "input.type": "log", + "log.offset": 21250, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.com", + "www5.example.net" + ], + "related.ip": [ + "10.110.86.230", + "10.172.148.223" + ], + "related.user": [ + "enimadm" + ], + "rsa.internal.messageid": "UNLOCK", + "rsa.misc.action": [ + "UNLOCK", + "accept" + ], + "rsa.misc.content_type": "atc", + "rsa.misc.result_code": "upta", + "rsa.network.domain": "mail.example.com", + "rsa.network.network_service": "uido", + "rsa.time.event_time": "2018-03-11T04:28:49.000Z", + "rsa.web.alias_host": "mail.example.com", + "rsa.web.web_ref_domain": "www5.example.net", + "rsa.web.web_ref_query": "orissu=fic", + "server.domain": "mail.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "mail", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 3066, + "source.ip": [ + "10.110.86.230" + ], + "source.port": 536, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.original": "https://mail.example.com/mrema/ullamc.txt?eufug=roquisq#temporai", + "url.path": "https://www5.example.net", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", + "user.name": "enimadm", + "user_agent.device.name": "Android", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 5.1.1; Android Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/9.80 YaSearchBrowser/9.80", + "user_agent.os.full": "Android 5.1.1", + "user_agent.os.name": "Android", + "user_agent.os.version": "5.1.1", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-03-25T11:31:24.000Z", + "destination.ip": [ + "10.232.19.43" + ], + "event.action": "deny", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.93.159.170 3481 [25/Mar/2018:9:31:24 emullam] \"GET https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam modico\" 10.232.19.43 porinc riame \"riat\" sseq eriam 729 \"https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" deny", + "file.name": "riat", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/imve/essequam.gif?urQuis=etcon#onsequu", + "input.type": "log", + "log.offset": 21675, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.com", + "internal.example.net" + ], + "related.ip": [ + "10.232.19.43", + "10.93.159.170" + ], + "related.user": [ + "riame" + ], + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny", + "GET" + ], + "rsa.misc.content_type": "eriam", + "rsa.misc.result_code": "sseq", + "rsa.network.domain": "www5.example.com", + "rsa.network.network_service": "modico", + "rsa.time.event_time": "2018-03-25T11:31:24.000Z", + "rsa.web.alias_host": "www5.example.com", + "rsa.web.web_ref_domain": "internal.example.net", + "rsa.web.web_ref_query": "urQuis=etcon", + "server.domain": "www5.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "www5", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 729, + "source.ip": [ + "10.93.159.170" + ], + "source.port": 3481, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.original": "https://www5.example.com/isau/itinvol.txt?saquaea=ons#orsitam", + "url.path": "https://internal.example.net", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", + "user.name": "riame", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-04-08T06:33:58.000Z", + "destination.ip": [ + "10.55.55.72" + ], + "event.action": "cancel", + "event.code": "ICP_QUERY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.207.97.192 973 [08/Apr/2018:4:33:58 emp] \"ICP_QUERY https://api.example.net/veli/venia.htm?etdolor=uat#onemulla riaturEx\" 10.55.55.72 nculp asp \"eacom\" mag gelitse 2007 \"https://example.net/lab/llumq.htm?tetura=rumet#uptasnul\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", + "file.name": "eacom", + "fileset.name": "log", + "http.request.referrer": "https://example.net/lab/llumq.htm?tetura=rumet#uptasnul", + "input.type": "log", + "log.offset": 22058, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "example.net" + ], + "related.ip": [ + "10.55.55.72", + "10.207.97.192" + ], + "related.user": [ + "asp" + ], + "rsa.internal.messageid": "ICP_QUERY", + "rsa.misc.action": [ + "cancel", + "ICP_QUERY" + ], + "rsa.misc.content_type": "gelitse", + "rsa.misc.result_code": "mag", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "riaturEx", + "rsa.time.event_time": "2018-04-08T06:33:58.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "example.net", + "rsa.web.web_ref_query": "tetura=rumet", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 2007, + "source.ip": [ + "10.207.97.192" + ], + "source.port": 973, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/veli/venia.htm?etdolor=uat#onemulla", + "url.path": "https://example.net", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "asp", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-04-22T13:36:32.000Z", + "destination.ip": [ + "10.89.73.240" + ], + "event.action": "deny", + "event.code": "MOVE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.41.156.88 203 [22/Apr/2018:11:36:32 oco] \"MOVE https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli ugiat\" 10.89.73.240 orem ntorever \"pisciv\" fugiatqu seos 5561 \"https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" deny", + "file.name": "pisciv", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/elillum/veleumi.gif?tvol=oluptate#lit", + "input.type": "log", + "log.offset": 22421, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.net", + "www5.example.net" + ], + "related.ip": [ + "10.41.156.88", + "10.89.73.240" + ], + "related.user": [ + "ntorever" + ], + "rsa.internal.messageid": "MOVE", + "rsa.misc.action": [ + "MOVE", + "deny" + ], + "rsa.misc.content_type": "seos", + "rsa.misc.result_code": "fugiatqu", + "rsa.network.domain": "internal.example.net", + "rsa.network.network_service": "ugiat", + "rsa.time.event_time": "2018-04-22T13:36:32.000Z", + "rsa.web.alias_host": "internal.example.net", + "rsa.web.web_ref_domain": "www5.example.net", + "rsa.web.web_ref_query": "tvol=oluptate", + "server.domain": "internal.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "internal", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 5561, + "source.ip": [ + "10.41.156.88" + ], + "source.port": 203, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.original": "https://internal.example.net/ainci/osqu.jpg?sus=imavenia#expli", + "url.path": "https://www5.example.net", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", + "user.name": "ntorever", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-05-07T08:39:06.000Z", + "destination.ip": [ + "10.101.183.86" + ], + "event.action": "allow", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.54.44.231 5292 [07/May/2018:6:39:06 aco] \"CONNECT https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos rios\" 10.101.183.86 mvenia mcorpo \"ntexpl\" abor oreverit 6451 \"https://internal.example.net/tat/eufugia.htm?tau=fficia#est\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" allow", + "file.name": "ntexpl", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/tat/eufugia.htm?tau=fficia#est", + "input.type": "log", + "log.offset": 22853, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.org", + "internal.example.net" + ], + "related.ip": [ + "10.54.44.231", + "10.101.183.86" + ], + "related.user": [ + "mcorpo" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "allow" + ], + "rsa.misc.content_type": "oreverit", + "rsa.misc.result_code": "abor", + "rsa.network.domain": "www.example.org", + "rsa.network.network_service": "rios", + "rsa.time.event_time": "2018-05-07T08:39:06.000Z", + "rsa.web.alias_host": "www.example.org", + "rsa.web.web_ref_domain": "internal.example.net", + "rsa.web.web_ref_query": "tau=fficia", + "server.domain": "www.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 6451, + "source.ip": [ + "10.54.44.231" + ], + "source.port": 5292, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.original": "https://www.example.org/runtm/eturadip.htm?psumd=oloree#seos", + "url.path": "https://internal.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", + "user.name": "mcorpo", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-05-21T03:41:41.000Z", + "destination.ip": [ + "10.130.150.189" + ], + "event.action": "accept", + "event.code": "LOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.181.177.74 3378 [21/May/2018:1:41:41 itsedd] \"LOCK https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri odoc\" 10.130.150.189 oreeu nvo \"iamqui\" tassita colabori 1223 \"https://www.example.net/lpa/isn.htm?iat=ffic#siuta\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", + "file.name": "iamqui", + "fileset.name": "log", + "http.request.referrer": "https://www.example.net/lpa/isn.htm?iat=ffic#siuta", + "input.type": "log", + "log.offset": 23248, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.net", + "internal.example.org" + ], + "related.ip": [ + "10.181.177.74", + "10.130.150.189" + ], + "related.user": [ + "nvo" + ], + "rsa.internal.messageid": "LOCK", + "rsa.misc.action": [ + "LOCK", + "accept" + ], + "rsa.misc.content_type": "colabori", + "rsa.misc.result_code": "tassita", + "rsa.network.domain": "internal.example.org", + "rsa.network.network_service": "odoc", + "rsa.time.event_time": "2018-05-21T03:41:41.000Z", + "rsa.web.alias_host": "internal.example.org", + "rsa.web.web_ref_domain": "www.example.net", + "rsa.web.web_ref_query": "iat=ffic", + "server.domain": "internal.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "internal", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 1223, + "source.ip": [ + "10.181.177.74" + ], + "source.port": 3378, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.org", + "url.original": "https://internal.example.org/liquipex/uisnos.html?ventor=lupt#umwri", + "url.path": "https://www.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "internal", + "url.top_level_domain": "org", + "user.name": "nvo", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-06-04T10:44:15.000Z", + "destination.ip": [ + "10.83.130.95" + ], + "event.action": "deny", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.76.220.3 2492 [04/Jun/2018:8:44:15 serrorsi] \"GET https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq lup\" 10.83.130.95 ipitlabo userror \"eacommo\" nderi liqua 7030 \"https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic\" \"Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36\" deny", + "file.name": "eacommo", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/henderit/remq.jpg?voluptas=velill#rspic", + "input.type": "log", + "log.offset": 23613, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "api.example.org" + ], + "related.ip": [ + "10.83.130.95", + "10.76.220.3" + ], + "related.user": [ + "userror" + ], + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "deny" + ], + "rsa.misc.content_type": "liqua", + "rsa.misc.result_code": "nderi", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "lup", + "rsa.time.event_time": "2018-06-04T10:44:15.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "api.example.net", + "rsa.web.web_ref_query": "voluptas=velill", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 7030, + "source.ip": [ + "10.76.220.3" + ], + "source.port": 2492, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/mquisnos/lore.txt?siar=isn#veniamq", + "url.path": "https://api.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user.name": "userror", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-06-19T05:46:49.000Z", + "destination.ip": [ + "10.166.160.217" + ], + "event.action": "deny", + "event.code": "COPY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.219.245.58 7073 [19/Jun/2018:3:46:49 snisiut] \"COPY https://www.example.com/quas/occaeca.htm?ender=dico#uptatem upt\" 10.166.160.217 olor radip \"rchitect\" Dui iameaqu 2429 \"https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" deny", + "file.name": "rchitect", + "fileset.name": "log", + "http.request.referrer": "https://api.example.com/asnulap/yCiceroi.jpg?ender=inc#tect", + "input.type": "log", + "log.offset": 24005, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.com", + "www.example.com" + ], + "related.ip": [ + "10.219.245.58", + "10.166.160.217" + ], + "related.user": [ + "radip" + ], + "rsa.internal.messageid": "COPY", + "rsa.misc.action": [ + "deny", + "COPY" + ], + "rsa.misc.content_type": "iameaqu", + "rsa.misc.result_code": "Dui", + "rsa.network.domain": "www.example.com", + "rsa.network.network_service": "upt", + "rsa.time.event_time": "2018-06-19T05:46:49.000Z", + "rsa.web.alias_host": "www.example.com", + "rsa.web.web_ref_domain": "api.example.com", + "rsa.web.web_ref_query": "ender=inc", + "server.domain": "www.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "www", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 2429, + "source.ip": [ + "10.219.245.58" + ], + "source.port": 7073, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.com", + "url.original": "https://www.example.com/quas/occaeca.htm?ender=dico#uptatem", + "url.path": "https://api.example.com", + "url.registered_domain": "example.com", + "url.subdomain": "www", + "url.top_level_domain": "com", + "user.name": "radip", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-07-03T12:49:23.000Z", + "destination.ip": [ + "10.183.243.246" + ], + "event.action": "cancel", + "event.code": "UNLOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.121.121.153 723 [03/Jul/2018:10:49:23 smoditem] \"UNLOCK https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit catcu\" 10.183.243.246 amni tatio \"amquisno\" modoc magnam 3267 \"https://example.com/idatat/onev.html?lesti=oreseo#reprehen\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" cancel", + "file.name": "amquisno", + "fileset.name": "log", + "http.request.referrer": "https://example.com/idatat/onev.html?lesti=oreseo#reprehen", + "input.type": "log", + "log.offset": 24338, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.com", + "www5.example.org" + ], + "related.ip": [ + "10.183.243.246", + "10.121.121.153" + ], + "related.user": [ + "tatio" + ], + "rsa.internal.messageid": "UNLOCK", + "rsa.misc.action": [ + "UNLOCK", + "cancel" + ], + "rsa.misc.content_type": "magnam", + "rsa.misc.result_code": "modoc", + "rsa.network.domain": "www5.example.org", + "rsa.network.network_service": "catcu", + "rsa.time.event_time": "2018-07-03T12:49:23.000Z", + "rsa.web.alias_host": "www5.example.org", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "lesti=oreseo", + "server.domain": "www5.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www5", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 3267, + "source.ip": [ + "10.121.121.153" + ], + "source.port": 723, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.original": "https://www5.example.org/uidolo/umdolore.jpg?oquisq=abori#sit", + "url.path": "https://example.com", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", + "user.name": "tatio", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-07-17T07:51:58.000Z", + "destination.ip": [ + "10.202.224.209" + ], + "event.action": "cancel", + "event.code": "OPTIONS", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.54.5.47 1585 [17/Jul/2018:5:51:58 mmodi] \"OPTIONS https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu remagnam\" 10.202.224.209 iusmodit aturv \"ectetura\" obeataev umf 3141 \"https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu\" \"Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36\" cancel", + "file.name": "ectetura", + "fileset.name": "log", + "http.request.referrer": "https://www.example.com/quaeabil/emip.htm?urExc=tDuis#iqu", + "input.type": "log", + "log.offset": 24774, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.net", + "www.example.com" + ], + "related.ip": [ + "10.54.5.47", + "10.202.224.209" + ], + "related.user": [ + "aturv" + ], + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "cancel", + "OPTIONS" + ], + "rsa.misc.content_type": "umf", + "rsa.misc.result_code": "obeataev", + "rsa.network.domain": "internal.example.net", + "rsa.network.network_service": "remagnam", + "rsa.time.event_time": "2018-07-17T07:51:58.000Z", + "rsa.web.alias_host": "internal.example.net", + "rsa.web.web_ref_domain": "www.example.com", + "rsa.web.web_ref_query": "urExc=tDuis", + "server.domain": "internal.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "internal", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 3141, + "source.ip": [ + "10.54.5.47" + ], + "source.port": 1585, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.net", + "url.original": "https://internal.example.net/eniamqu/inimav.htm?imadm=uta#tisu", + "url.path": "https://www.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", + "user.name": "aturv", + "user_agent.device.name": "Micromax P410i", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 4.1.2; Micromax P410i Build/JZO54K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36", + "user_agent.os.full": "Android 4.1.2", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.1.2", + "user_agent.version": "63.0.3239.111" + }, + { + "@timestamp": "2018-08-01T14:54:32.000Z", + "destination.ip": [ + "10.170.234.233" + ], + "event.action": "allow", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.72.99.69 3172 [01/Aug/2018:12:54:32 oremeumf] \"PROPFIND https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo lors\" 10.170.234.233 accus uatu \"mquis\" lab uido 2046 \"https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup\" \"Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", + "file.name": "mquis", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/tena/aal.jpg?CSedu=mcol#lup", + "input.type": "log", + "log.offset": 25173, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.com", + "mail.example.net" + ], + "related.ip": [ + "10.72.99.69", + "10.170.234.233" + ], + "related.user": [ + "uatu" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "allow", + "PROPFIND" + ], + "rsa.misc.content_type": "uido", + "rsa.misc.result_code": "lab", + "rsa.network.domain": "mail.example.net", + "rsa.network.network_service": "lors", + "rsa.time.event_time": "2018-08-01T14:54:32.000Z", + "rsa.web.alias_host": "mail.example.net", + "rsa.web.web_ref_domain": "mail.example.com", + "rsa.web.web_ref_query": "CSedu=mcol", + "server.domain": "mail.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "mail", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 2046, + "source.ip": [ + "10.72.99.69" + ], + "source.port": 3172, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.net", + "url.original": "https://mail.example.net/sintocca/mipsumqu.htm?tnulapar=ico#giatquo", + "url.path": "https://mail.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", + "user.name": "uatu", + "user_agent.device.name": "POCOPHONE F1", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-08-15T09:57:06.000Z", + "destination.ip": [ + "10.142.130.227" + ], + "event.action": "allow", + "event.code": "DELETE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.245.240.47 4017 [15/Aug/2018:7:57:06 itaedict] \"DELETE https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi edic\" 10.142.130.227 olabori odic \"iuta\" liquaUte scivelit 7795 \"https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali\" \"Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" allow", + "file.name": "iuta", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.net/scipit/lloinve.htm?evolup=rvelil#isiutali", + "input.type": "log", + "log.offset": 25542, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "internal.example.net" + ], + "related.ip": [ + "10.245.240.47", + "10.142.130.227" + ], + "related.user": [ + "odic" + ], + "rsa.internal.messageid": "DELETE", + "rsa.misc.action": [ + "allow", + "DELETE" + ], + "rsa.misc.content_type": "scivelit", + "rsa.misc.result_code": "liquaUte", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "edic", + "rsa.time.event_time": "2018-08-15T09:57:06.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "internal.example.net", + "rsa.web.web_ref_query": "evolup=rvelil", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 7795, + "source.ip": [ + "10.245.240.47" + ], + "source.port": 4017, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/rep/remap.html?siarc=fdeFin#eleumi", + "url.path": "https://internal.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user.name": "odic", + "user_agent.device.name": "ZTE Blade V1000RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; ZTE Blade V1000RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2018-08-29T04:59:40.000Z", + "destination.ip": [ + "10.61.110.7" + ], + "event.action": "deny", + "event.code": "DELETE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.62.188.193 4104 [29/Aug/2018:2:59:40 atu] \"DELETE https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa mini\" 10.61.110.7 oremque quaU \"ufugi\" cin tmo 508 \"https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex\" \"Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10\" deny", + "file.name": "ufugi", + "fileset.name": "log", + "http.request.referrer": "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "input.type": "log", + "log.offset": 25999, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "example.com" + ], + "related.ip": [ + "10.62.188.193", + "10.61.110.7" + ], + "related.user": [ + "quaU" + ], + "rsa.internal.messageid": "DELETE", + "rsa.misc.action": [ + "deny", + "DELETE" + ], + "rsa.misc.content_type": "tmo", + "rsa.misc.result_code": "cin", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "mini", + "rsa.time.event_time": "2018-08-29T04:59:40.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "iavol=natuserr", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 508, + "source.ip": [ + "10.62.188.193" + ], + "source.port": 4104, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/eturad/tDuis.htm?enimadmi=tateveli#osa", + "url.path": "https://example.com", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "quaU", + "user_agent.device.name": "Spider", + "user_agent.name": "Other", + "user_agent.original": "Mozilla/5.0 (compatible; Yahoo Ad monitoring; https://help.yahoo.com/kb/yahoo-ad-monitoring-SLN24857.html) yahoo.adquality.lwd.desktop/1591143192-10" + }, + { + "@timestamp": "2018-09-12T12:02:15.000Z", + "destination.ip": [ + "10.68.198.188" + ], + "event.action": "block", + "event.code": "COPY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.172.139.78 6533 [12/Sep/2018:10:02:15 lamco] \"COPY https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi tlabore\" 10.68.198.188 doeiu onsectet \"dentsunt\" inea animid 2119 \"https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol\" \"Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61\" block", + "file.name": "dentsunt", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.net/onnumqua/quioff.html?upt=atatnonp#nvol", + "input.type": "log", + "log.offset": 26383, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.net", + "mail.example.net" + ], + "related.ip": [ + "10.172.139.78", + "10.68.198.188" + ], + "related.user": [ + "onsectet" + ], + "rsa.internal.messageid": "COPY", + "rsa.misc.action": [ + "COPY", + "block" + ], + "rsa.misc.content_type": "animid", + "rsa.misc.result_code": "inea", + "rsa.network.domain": "www.example.net", + "rsa.network.network_service": "tlabore", + "rsa.time.event_time": "2018-09-12T12:02:15.000Z", + "rsa.web.alias_host": "www.example.net", + "rsa.web.web_ref_domain": "mail.example.net", + "rsa.web.web_ref_query": "upt=atatnonp", + "server.domain": "www.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 2119, + "source.ip": [ + "10.172.139.78" + ], + "source.port": 6533, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.original": "https://www.example.net/hender/ptatemU.htm?mquisnos=tnulapa#madmi", + "url.path": "https://mail.example.net", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", + "user.name": "onsectet", + "user_agent.device.name": "5024D_RU", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2018-09-27T07:04:49.000Z", + "destination.ip": [ + "10.169.63.169" + ], + "event.action": "block", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.172.47.7 2805 [27/Sep/2018:5:04:49 midest] \"CONNECT https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid rchit\" 10.169.63.169 ariat midestl \"quatu\" avolu teturad 3465 \"https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" block", + "file.name": "quatu", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/iquaUten/prehende.gif?rpo=velites#nonpro", + "input.type": "log", + "log.offset": 26828, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "www.example.org" + ], + "related.ip": [ + "10.169.63.169", + "10.172.47.7" + ], + "related.user": [ + "midestl" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "block" + ], + "rsa.misc.content_type": "teturad", + "rsa.misc.result_code": "avolu", + "rsa.network.domain": "www.example.org", + "rsa.network.network_service": "rchit", + "rsa.time.event_time": "2018-09-27T07:04:49.000Z", + "rsa.web.alias_host": "www.example.org", + "rsa.web.web_ref_domain": "api.example.net", + "rsa.web.web_ref_query": "rpo=velites", + "server.domain": "www.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 3465, + "source.ip": [ + "10.172.47.7" + ], + "source.port": 2805, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.original": "https://www.example.org/iduntutl/rsitam.htm?ntor=oinBCSed#oid", + "url.path": "https://api.example.net", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", + "user.name": "midestl", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2018-10-11T14:07:23.000Z", + "destination.ip": [ + "10.62.10.137" + ], + "event.action": "cancel", + "event.code": "PURGE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.32.98.109 5012 [11/Oct/2018:12:07:23 dexercit] \"PURGE https://example.org/itessequ/porissu.html?uip=ectobea#dat aUtenima\" 10.62.10.137 eeufugi deomnisi \"olupta\" oll laboree 3880 \"https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb\" \"Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" cancel", + "file.name": "olupta", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/cupidata/stiaecon.htm?rsint=itl#ttenb", + "input.type": "log", + "log.offset": 27172, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "example.org" + ], + "related.ip": [ + "10.32.98.109", + "10.62.10.137" + ], + "related.user": [ + "deomnisi" + ], + "rsa.internal.messageid": "PURGE", + "rsa.misc.action": [ + "PURGE", + "cancel" + ], + "rsa.misc.content_type": "laboree", + "rsa.misc.result_code": "oll", + "rsa.network.domain": "example.org", + "rsa.network.network_service": "aUtenima", + "rsa.time.event_time": "2018-10-11T14:07:23.000Z", + "rsa.web.alias_host": "example.org", + "rsa.web.web_ref_domain": "api.example.org", + "rsa.web.web_ref_query": "rsint=itl", + "server.domain": "example.org", + "server.registered_domain": "example.org", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 3880, + "source.ip": [ + "10.32.98.109" + ], + "source.port": 5012, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.org", + "url.original": "https://example.org/itessequ/porissu.html?uip=ectobea#dat", + "url.path": "https://api.example.org", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", + "user.name": "deomnisi", + "user_agent.device.name": "LG-$2", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; LG-US998) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2018-10-25T09:09:57.000Z", + "destination.ip": [ + "10.255.40.12" + ], + "event.action": "deny", + "event.code": "COPY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.176.62.146 5945 [25/Oct/2018:7:09:57 lors] \"COPY https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide quelaud\" 10.255.40.12 rro oeiusmo \"nimv\" emeu tatemac 5192 \"https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui\" \"Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90\" deny", + "file.name": "nimv", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.com/teursint/etMa.gif?lamcolab=ceroinB#umqui", + "input.type": "log", + "log.offset": 27547, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "www5.example.com" + ], + "related.ip": [ + "10.176.62.146", + "10.255.40.12" + ], + "related.user": [ + "oeiusmo" + ], + "rsa.internal.messageid": "COPY", + "rsa.misc.action": [ + "COPY", + "deny" + ], + "rsa.misc.content_type": "tatemac", + "rsa.misc.result_code": "emeu", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "quelaud", + "rsa.time.event_time": "2018-10-25T09:09:57.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "www5.example.com", + "rsa.web.web_ref_query": "lamcolab=ceroinB", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 5192, + "source.ip": [ + "10.176.62.146" + ], + "source.port": 5945, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/enimad/tis.txt?mipsumq=ident#nimide", + "url.path": "https://www5.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "oeiusmo", + "user_agent.device.name": "U20", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; U20 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.147 Mobile Safari/537.36 YaApp_Android/10.90 YaSearchBrowser/10.90", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "44.0.2403.147" + }, + { + "@timestamp": "2018-11-09T04:12:32.000Z", + "destination.ip": [ + "10.88.98.31" + ], + "event.action": "deny", + "event.code": "GET", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.194.198.46 3387 [09/Nov/2018:2:12:32 cta] \"GET https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse mveniam\" tuser 2694 \"https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" deny 10.88.98.31 rured 105.243000", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/tlaboru/aeabillo.txt?equuntu=quamni#turveli", + "input.type": "log", + "log.offset": 27967, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "internal.example.com" + ], + "related.ip": [ + "10.88.98.31", + "10.194.198.46" + ], + "rsa.internal.messageid": "GET", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "GET", + "deny" + ], + "rsa.misc.content_type": "rured", + "rsa.misc.result_code": "tuser", + "rsa.network.domain": "api.example.org", + "rsa.network.network_service": "mveniam", + "rsa.time.duration_time": 105.243, + "rsa.time.event_time": "2018-11-09T04:12:32.000Z", + "rsa.web.alias_host": "api.example.org", + "rsa.web.web_ref_domain": "internal.example.com", + "rsa.web.web_ref_query": "equuntu=quamni", + "server.domain": "api.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "api", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 2694, + "source.ip": [ + "10.194.198.46" + ], + "source.port": 3387, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.org", + "url.original": "https://api.example.org/taspe/yCiceroi.htm?cti=ommodoc#nse", + "url.path": "https://internal.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-11-23T11:15:06.000Z", + "destination.ip": [ + "10.1.27.133" + ], + "event.action": "block", + "event.code": "OPTIONS", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.5.49.20 7503 [23/Nov/2018:9:15:06 macc] \"OPTIONS https://example.com/beat/rro.jpg?uisau=qua#iarchite emsequi\" 10.1.27.133 edqu tationu \"gnaaliq\" olore ntutlab 6881 \"https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt\" \"Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" block", + "file.name": "gnaaliq", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.com/gnama/esciun.html?ratvo=ntutl#volupt", + "input.type": "log", + "log.offset": 28483, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.com", + "www5.example.com" + ], + "related.ip": [ + "10.1.27.133", + "10.5.49.20" + ], + "related.user": [ + "tationu" + ], + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "block", + "OPTIONS" + ], + "rsa.misc.content_type": "ntutlab", + "rsa.misc.result_code": "olore", + "rsa.network.domain": "example.com", + "rsa.network.network_service": "emsequi", + "rsa.time.event_time": "2018-11-23T11:15:06.000Z", + "rsa.web.alias_host": "example.com", + "rsa.web.web_ref_domain": "www5.example.com", + "rsa.web.web_ref_query": "ratvo=ntutl", + "server.domain": "example.com", + "server.registered_domain": "example.com", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 6881, + "source.ip": [ + "10.5.49.20" + ], + "source.port": 7503, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.com", + "url.original": "https://example.com/beat/rro.jpg?uisau=qua#iarchite", + "url.path": "https://www5.example.com", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", + "user.name": "tationu", + "user_agent.device.name": "Lenovo A2016a40 ", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; Lenovo A2016a40 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.106 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "48.0.2564.106" + }, + { + "@timestamp": "2018-12-07T06:17:40.000Z", + "destination.ip": [ + "10.70.244.155" + ], + "event.action": "accept", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.11.73.145 6972 [07/Dec/2018:4:17:40 uisautem] \"POST https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea aco\" 10.70.244.155 olorsi caboNemo \"uptas\" temaccus ons 2160 \"https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" accept", + "file.name": "uptas", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/ctetur/mvolupta.html?oreeu=mea#ssec", + "input.type": "log", + "log.offset": 28908, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.org", + "internal.example.com" + ], + "related.ip": [ + "10.70.244.155", + "10.11.73.145" + ], + "related.user": [ + "caboNemo" + ], + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "POST", + "accept" + ], + "rsa.misc.content_type": "ons", + "rsa.misc.result_code": "temaccus", + "rsa.network.domain": "www5.example.org", + "rsa.network.network_service": "aco", + "rsa.time.event_time": "2018-12-07T06:17:40.000Z", + "rsa.web.alias_host": "www5.example.org", + "rsa.web.web_ref_domain": "internal.example.com", + "rsa.web.web_ref_query": "oreeu=mea", + "server.domain": "www5.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www5", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 2160, + "source.ip": [ + "10.11.73.145" + ], + "source.port": 6972, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.original": "https://www5.example.org/loremq/turmagni.txt?emUtenim=ende#dexea", + "url.path": "https://internal.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", + "user.name": "caboNemo", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2018-12-21T13:20:14.000Z", + "destination.ip": [ + "10.121.80.158" + ], + "event.action": "accept", + "event.code": "PURGE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.204.214.98 985 [21/Dec/2018:11:20:14 equ] \"PURGE https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte abo\" 10.121.80.158 boriosa cillumdo \"ditau\" moenimip uames 7663 \"https://internal.example.com/lor/oreeu.html?eturadip=nost#atus\" \"Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" accept", + "file.name": "ditau", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/lor/oreeu.html?eturadip=nost#atus", + "input.type": "log", + "log.offset": 29441, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.net", + "internal.example.com" + ], + "related.ip": [ + "10.121.80.158", + "10.204.214.98" + ], + "related.user": [ + "cillumdo" + ], + "rsa.internal.messageid": "PURGE", + "rsa.misc.action": [ + "PURGE", + "accept" + ], + "rsa.misc.content_type": "uames", + "rsa.misc.result_code": "moenimip", + "rsa.network.domain": "www5.example.net", + "rsa.network.network_service": "abo", + "rsa.time.event_time": "2018-12-21T13:20:14.000Z", + "rsa.web.alias_host": "www5.example.net", + "rsa.web.web_ref_domain": "internal.example.com", + "rsa.web.web_ref_query": "eturadip=nost", + "server.domain": "www5.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www5", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 7663, + "source.ip": [ + "10.204.214.98" + ], + "source.port": 985, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.original": "https://www5.example.net/deomnisi/ddoe.txt?oremi=ectobeat#ecte", + "url.path": "https://internal.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", + "user.name": "cillumdo", + "user_agent.device.name": "Samsung SM-S337TL", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; SM-S337TL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-01-05T08:22:49.000Z", + "destination.ip": [ + "10.139.151.19" + ], + "event.action": "block", + "event.code": "PURGE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.74.115.33 4006 [05/Jan/2019:6:22:49 nsequat] \"PURGE https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors eumfu\" 10.139.151.19 eumf roquisq \"uasi\" maveniam uis 5533 \"https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" block", + "file.name": "uasi", + "fileset.name": "log", + "http.request.referrer": "https://www.example.com/imi/animi.htm?ama=tatnonp#ntiumt", + "input.type": "log", + "log.offset": 29818, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "www.example.com" + ], + "related.ip": [ + "10.74.115.33", + "10.139.151.19" + ], + "related.user": [ + "roquisq" + ], + "rsa.internal.messageid": "PURGE", + "rsa.misc.action": [ + "PURGE", + "block" + ], + "rsa.misc.content_type": "uis", + "rsa.misc.result_code": "maveniam", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "eumfu", + "rsa.time.event_time": "2019-01-05T08:22:49.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "www.example.com", + "rsa.web.web_ref_query": "ama=tatnonp", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 5533, + "source.ip": [ + "10.74.115.33" + ], + "source.port": 4006, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/tiset/sci.jpg?rauto=doloreeu#lors", + "url.path": "https://www.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "roquisq", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2019-01-19T03:25:23.000Z", + "destination.ip": [ + "10.242.48.203" + ], + "event.action": "deny", + "event.code": "DELETE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.191.220.1 6454 [19/Jan/2019:1:25:23 ctetura] \"DELETE https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect pariat\" 10.242.48.203 ctobeat isi \"idexeac\" ntu tdolo 3872 \"https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" deny", + "file.name": "idexeac", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/olupt/ola.jpg?etquasia=qua#adm", + "input.type": "log", + "log.offset": 30261, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "mail.example.com" + ], + "related.ip": [ + "10.242.48.203", + "10.191.220.1" + ], + "related.user": [ + "isi" + ], + "rsa.internal.messageid": "DELETE", + "rsa.misc.action": [ + "deny", + "DELETE" + ], + "rsa.misc.content_type": "tdolo", + "rsa.misc.result_code": "ntu", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "pariat", + "rsa.time.event_time": "2019-01-19T03:25:23.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "mail.example.com", + "rsa.web.web_ref_query": "etquasia=qua", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 3872, + "source.ip": [ + "10.191.220.1" + ], + "source.port": 6454, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/tDuisau/aturve.htm?tper=pisciv#tconsect", + "url.path": "https://mail.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "isi", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-02-02T10:27:57.000Z", + "destination.ip": [ + "10.254.10.98" + ], + "event.action": "accept", + "event.code": "PROPATCH", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.109.88.27 5568 [02/Feb/2019:8:27:57 cidu] \"PROPATCH https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip eacommod\" 10.254.10.98 adipisc aparia \"maliq\" ccusant epteurs 6661 \"https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca\" \"Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36\" accept", + "file.name": "maliq", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/oditau/onsec.gif?temqui=lup#aeca", + "input.type": "log", + "log.offset": 30622, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "internal.example.com", + "www5.example.org" + ], + "related.ip": [ + "10.254.10.98", + "10.109.88.27" + ], + "related.user": [ + "aparia" + ], + "rsa.internal.messageid": "PROPATCH", + "rsa.misc.action": [ + "accept", + "PROPATCH" + ], + "rsa.misc.content_type": "epteurs", + "rsa.misc.result_code": "ccusant", + "rsa.network.domain": "internal.example.com", + "rsa.network.network_service": "eacommod", + "rsa.time.event_time": "2019-02-02T10:27:57.000Z", + "rsa.web.alias_host": "internal.example.com", + "rsa.web.web_ref_domain": "www5.example.org", + "rsa.web.web_ref_query": "temqui=lup", + "server.domain": "internal.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "internal", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 6661, + "source.ip": [ + "10.109.88.27" + ], + "source.port": 5568, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.original": "https://internal.example.com/oluptate/todi.jpg?tdolo=ident#scip", + "url.path": "https://www5.example.org", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", + "user.name": "aparia", + "user_agent.device.name": "Pixel 3", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PD1A.180720.030) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "66.0.3359.158" + }, + { + "@timestamp": "2019-02-17T05:30:32.000Z", + "destination.ip": [ + "10.175.138.42" + ], + "event.action": "deny", + "event.code": "LOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.5.148.114 4749 [17/Feb/2019:3:30:32 ntin] \"LOCK https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore tamr\" 10.175.138.42 olore onemul \"trudexe\" remeum etur 890 \"https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu\" \"Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" deny", + "file.name": "trudexe", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/quiav/ctionofd.gif?Finibus=uisautei#nevolu", + "input.type": "log", + "log.offset": 31020, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.com", + "mail.example.org" + ], + "related.ip": [ + "10.5.148.114", + "10.175.138.42" + ], + "related.user": [ + "onemul" + ], + "rsa.internal.messageid": "LOCK", + "rsa.misc.action": [ + "LOCK", + "deny" + ], + "rsa.misc.content_type": "etur", + "rsa.misc.result_code": "remeum", + "rsa.network.domain": "mail.example.com", + "rsa.network.network_service": "tamr", + "rsa.time.event_time": "2019-02-17T05:30:32.000Z", + "rsa.web.alias_host": "mail.example.com", + "rsa.web.web_ref_domain": "mail.example.org", + "rsa.web.web_ref_query": "Finibus=uisautei", + "server.domain": "mail.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "mail", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 890, + "source.ip": [ + "10.5.148.114" + ], + "source.port": 4749, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.original": "https://mail.example.com/radipis/lore.html?civeli=eufugia#utlabore", + "url.path": "https://mail.example.org", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", + "user.name": "onemul", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-03-03T12:33:06.000Z", + "destination.ip": [ + "10.18.199.203" + ], + "event.action": "allow", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.0.0.240 1795 [03/Mar/2019:10:33:06 psa] \"PROPFIND https://internal.example.org/olupta/tio.jpg?idestl=litani#emp arch\" 10.18.199.203 ugits ittenb \"tobeatae\" ntut llum 366 \"https://example.com/equat/estiaec.htm?mquido=ende#ntmollit\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", + "file.name": "tobeatae", + "fileset.name": "log", + "http.request.referrer": "https://example.com/equat/estiaec.htm?mquido=ende#ntmollit", + "input.type": "log", + "log.offset": 31401, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.com", + "internal.example.org" + ], + "related.ip": [ + "10.18.199.203", + "10.0.0.240" + ], + "related.user": [ + "ittenb" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "PROPFIND", + "allow" + ], + "rsa.misc.content_type": "llum", + "rsa.misc.result_code": "ntut", + "rsa.network.domain": "internal.example.org", + "rsa.network.network_service": "arch", + "rsa.time.event_time": "2019-03-03T12:33:06.000Z", + "rsa.web.alias_host": "internal.example.org", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "mquido=ende", + "server.domain": "internal.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "internal", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 366, + "source.ip": [ + "10.0.0.240" + ], + "source.port": 1795, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.org", + "url.original": "https://internal.example.org/olupta/tio.jpg?idestl=litani#emp", + "url.path": "https://example.com", + "url.registered_domain": "example.org", + "url.subdomain": "internal", + "url.top_level_domain": "org", + "user.name": "ittenb", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-03-17T07:35:40.000Z", + "destination.ip": [ + "10.73.80.251" + ], + "event.action": "allow", + "event.code": "NONE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.1.220.47 6685 [17/Mar/2019:5:35:40 mipsamv] \"NONE https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq runt\" 10.73.80.251 pteurs ercitati \"atem\" serro lumquid 5939 \"https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" allow", + "file.name": "atem", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/imaveni/equ.htm?ssequamn=ave#taliqui", + "input.type": "log", + "log.offset": 31762, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.org", + "www5.example.com" + ], + "related.ip": [ + "10.73.80.251", + "10.1.220.47" + ], + "related.user": [ + "ercitati" + ], + "rsa.internal.messageid": "NONE", + "rsa.misc.action": [ + "allow", + "NONE" + ], + "rsa.misc.content_type": "lumquid", + "rsa.misc.result_code": "serro", + "rsa.network.domain": "www5.example.com", + "rsa.network.network_service": "runt", + "rsa.time.event_time": "2019-03-17T07:35:40.000Z", + "rsa.web.alias_host": "www5.example.com", + "rsa.web.web_ref_domain": "www5.example.org", + "rsa.web.web_ref_query": "ssequamn=ave", + "server.domain": "www5.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "www5", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 5939, + "source.ip": [ + "10.1.220.47" + ], + "source.port": 6685, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.original": "https://www5.example.com/sequines/cto.gif?temaccu=uamqua#Neq", + "url.path": "https://www5.example.org", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", + "user.name": "ercitati", + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2019-04-01T14:38:14.000Z", + "destination.ip": [ + "10.22.34.206" + ], + "event.action": "block", + "event.code": "PURGE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.153.109.61 7499 [01/Apr/2019:12:38:14 numq] \"PURGE https://www.example.net/periam/ain.gif?iquipex=mqu#onorume abill\" 10.22.34.206 mini mve \"tionev\" uasiarch velites 1745 \"https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" block", + "file.name": "tionev", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/equa/edquiaco.gif?olorsit=naaliq#plica", + "input.type": "log", + "log.offset": 32212, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.net", + "api.example.org" + ], + "related.ip": [ + "10.22.34.206", + "10.153.109.61" + ], + "related.user": [ + "mve" + ], + "rsa.internal.messageid": "PURGE", + "rsa.misc.action": [ + "PURGE", + "block" + ], + "rsa.misc.content_type": "velites", + "rsa.misc.result_code": "uasiarch", + "rsa.network.domain": "www.example.net", + "rsa.network.network_service": "abill", + "rsa.time.event_time": "2019-04-01T14:38:14.000Z", + "rsa.web.alias_host": "www.example.net", + "rsa.web.web_ref_domain": "api.example.org", + "rsa.web.web_ref_query": "olorsit=naaliq", + "server.domain": "www.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 1745, + "source.ip": [ + "10.153.109.61" + ], + "source.port": 7499, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.original": "https://www.example.net/periam/ain.gif?iquipex=mqu#onorume", + "url.path": "https://api.example.org", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", + "user.name": "mve", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-04-15T09:40:49.000Z", + "destination.ip": [ + "10.199.103.185" + ], + "event.action": "allow", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.62.168.226 5334 [15/Apr/2019:7:40:49 bori] \"CONNECT https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis lupt\" 10.199.103.185 uipe ipsa \"con\" eirured sequamn 5243 \"https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" allow", + "file.name": "con", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.com/ciatisun/duntutl.htm?didun=riaturEx#nde", + "input.type": "log", + "log.offset": 32641, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.net", + "mail.example.com" + ], + "related.ip": [ + "10.62.168.226", + "10.199.103.185" + ], + "related.user": [ + "ipsa" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "allow" + ], + "rsa.misc.content_type": "sequamn", + "rsa.misc.result_code": "eirured", + "rsa.network.domain": "www.example.net", + "rsa.network.network_service": "lupt", + "rsa.time.event_time": "2019-04-15T09:40:49.000Z", + "rsa.web.alias_host": "www.example.net", + "rsa.web.web_ref_domain": "mail.example.com", + "rsa.web.web_ref_query": "didun=riaturEx", + "server.domain": "www.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 5243, + "source.ip": [ + "10.62.168.226" + ], + "source.port": 5334, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.original": "https://www.example.net/ecatc/quovolu.jpg?dexe=nemul#Duis", + "url.path": "https://mail.example.com", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", + "user.name": "ipsa", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2019-04-29T04:43:23.000Z", + "destination.ip": [ + "10.128.84.27" + ], + "event.action": "block", + "event.code": "COPY", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.97.33.56 3541 [29/Apr/2019:2:43:23 rad] \"COPY https://example.com/tqui/ssequ.gif?emse=emqui#cipitla tlab\" 10.128.84.27 nula ptate \"volupta\" umfu utla 2478 \"https://www5.example.com/dolo/velites.gif?equa=apari#tsunt\" \"Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36\" block", + "file.name": "volupta", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.com/dolo/velites.gif?equa=apari#tsunt", + "input.type": "log", + "log.offset": 33163, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.com", + "www5.example.com" + ], + "related.ip": [ + "10.97.33.56", + "10.128.84.27" + ], + "related.user": [ + "ptate" + ], + "rsa.internal.messageid": "COPY", + "rsa.misc.action": [ + "COPY", + "block" + ], + "rsa.misc.content_type": "utla", + "rsa.misc.result_code": "umfu", + "rsa.network.domain": "example.com", + "rsa.network.network_service": "tlab", + "rsa.time.event_time": "2019-04-29T04:43:23.000Z", + "rsa.web.alias_host": "example.com", + "rsa.web.web_ref_domain": "www5.example.com", + "rsa.web.web_ref_query": "equa=apari", + "server.domain": "example.com", + "server.registered_domain": "example.com", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 2478, + "source.ip": [ + "10.97.33.56" + ], + "source.port": 3541, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.com", + "url.original": "https://example.com/tqui/ssequ.gif?emse=emqui#cipitla", + "url.path": "https://www5.example.com", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", + "user.name": "ptate", + "user_agent.device.name": "Asus X01BDA", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; ASUS_X01BDA) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.162 Mobile Safari/537.36", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "80.0.3987.162" + }, + { + "@timestamp": "2019-05-13T11:45:57.000Z", + "destination.ip": [ + "10.115.154.104" + ], + "event.action": "allow", + "event.code": "HEAD", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.49.169.175 2103 [13/May/2019:9:45:57 sistena] \"HEAD https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost sequines\" 10.115.154.104 illum ore \"spici\" Sedut tatis 7767 \"https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" allow", + "file.name": "spici", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.com/sequines/minimve.gif?toditau=uiad#nvolupta", + "input.type": "log", + "log.offset": 33516, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.com", + "example.com" + ], + "related.ip": [ + "10.49.169.175", + "10.115.154.104" + ], + "related.user": [ + "ore" + ], + "rsa.internal.messageid": "HEAD", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "allow", + "HEAD" + ], + "rsa.misc.content_type": "tatis", + "rsa.misc.result_code": "Sedut", + "rsa.network.domain": "example.com", + "rsa.network.network_service": "sequines", + "rsa.time.event_time": "2019-05-13T11:45:57.000Z", + "rsa.web.alias_host": "example.com", + "rsa.web.web_ref_domain": "www5.example.com", + "rsa.web.web_ref_query": "toditau=uiad", + "server.domain": "example.com", + "server.registered_domain": "example.com", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 7767, + "source.ip": [ + "10.49.169.175" + ], + "source.port": 2103, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.com", + "url.original": "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "url.path": "https://www5.example.com", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", + "user.name": "ore", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-05-28T06:48:31.000Z", + "destination.ip": [ + "10.33.112.100" + ], + "event.action": "block", + "event.code": "PROPFIND", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.213.100.153 2571 [28/May/2019:4:48:31 iatquo] \"PROPFIND https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu ptatemse\" 10.33.112.100 catcup enimad \"magnaali\" velillum ionev 1594 \"https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" block", + "file.name": "magnaali", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/ameaq/Quis.html?lestiae=iav#umiure", + "input.type": "log", + "log.offset": 33948, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.org", + "internal.example.com" + ], + "related.ip": [ + "10.213.100.153", + "10.33.112.100" + ], + "related.user": [ + "enimad" + ], + "rsa.internal.messageid": "PROPFIND", + "rsa.misc.action": [ + "block", + "PROPFIND" + ], + "rsa.misc.content_type": "ionev", + "rsa.misc.result_code": "velillum", + "rsa.network.domain": "www.example.org", + "rsa.network.network_service": "ptatemse", + "rsa.time.event_time": "2019-05-28T06:48:31.000Z", + "rsa.web.alias_host": "www.example.org", + "rsa.web.web_ref_domain": "internal.example.com", + "rsa.web.web_ref_query": "lestiae=iav", + "server.domain": "www.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 1594, + "source.ip": [ + "10.213.100.153" + ], + "source.port": 2571, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.org", + "url.original": "https://www.example.org/oinvento/ali.htm?utaliqui=isciv#osqu", + "url.path": "https://internal.example.com", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", + "user.name": "enimad", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2019-06-11T13:51:06.000Z", + "destination.ip": [ + "10.25.53.93" + ], + "event.action": "cancel", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.216.143.226 2632 [11/Jun/2019:11:51:06 deomn] \"CONNECT https://api.example.net/quido/llo.htm?tpersp=assi#rch psa\" 10.25.53.93 tvolup oremeu \"lab\" lla urau 6127 \"https://example.net/equamni/atcupi.htm?onemull=mdo#labore\" \"Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30\" cancel", + "file.name": "lab", + "fileset.name": "log", + "http.request.referrer": "https://example.net/equamni/atcupi.htm?onemull=mdo#labore", + "input.type": "log", + "log.offset": 34344, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.net", + "example.net" + ], + "related.ip": [ + "10.216.143.226", + "10.25.53.93" + ], + "related.user": [ + "oremeu" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "cancel" + ], + "rsa.misc.content_type": "urau", + "rsa.misc.result_code": "lla", + "rsa.network.domain": "api.example.net", + "rsa.network.network_service": "psa", + "rsa.time.event_time": "2019-06-11T13:51:06.000Z", + "rsa.web.alias_host": "api.example.net", + "rsa.web.web_ref_domain": "example.net", + "rsa.web.web_ref_query": "onemull=mdo", + "server.domain": "api.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "api", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 6127, + "source.ip": [ + "10.216.143.226" + ], + "source.port": 2632, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.net", + "url.original": "https://api.example.net/quido/llo.htm?tpersp=assi#rch", + "url.path": "https://example.net", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", + "user.name": "oremeu", + "user_agent.device.name": "Samsung GT-P3100 ", + "user_agent.name": "Android", + "user_agent.original": "Mozilla/5.0 (Linux; U; Android 4.0.3; es-us; GT-P3100 Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30", + "user_agent.os.full": "Android 4.0.3", + "user_agent.os.name": "Android", + "user_agent.os.version": "4.0.3", + "user_agent.version": "4.0.3" + }, + { + "@timestamp": "2019-06-25T08:53:40.000Z", + "destination.ip": [ + "10.246.115.57" + ], + "event.action": "allow", + "event.code": "HEAD", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.139.195.188 893 [25/Jun/2019:6:53:40 aliquaU] \"HEAD https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti edictasu\" 10.246.115.57 edquiano mSecti \"henderi\" taevitae tevel 5926 \"https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi\" \"Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" allow", + "file.name": "henderi", + "fileset.name": "log", + "http.request.referrer": "https://example.com/ita/iquipexe.jpg?quamqua=quuntur#nihi", + "input.type": "log", + "log.offset": 34709, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.net", + "example.com" + ], + "related.ip": [ + "10.139.195.188", + "10.246.115.57" + ], + "related.user": [ + "mSecti" + ], + "rsa.internal.messageid": "HEAD", + "rsa.investigations.ec_activity": "Request", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "HEAD", + "allow" + ], + "rsa.misc.content_type": "tevel", + "rsa.misc.result_code": "taevitae", + "rsa.network.domain": "www.example.net", + "rsa.network.network_service": "edictasu", + "rsa.time.event_time": "2019-06-25T08:53:40.000Z", + "rsa.web.alias_host": "www.example.net", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "quamqua=quuntur", + "server.domain": "www.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 5926, + "source.ip": [ + "10.139.195.188" + ], + "source.port": 893, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www.example.net", + "url.original": "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "url.path": "https://example.com", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", + "user.name": "mSecti", + "user_agent.device.name": "G8142", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-07-10T03:56:14.000Z", + "destination.ip": [ + "10.82.148.126" + ], + "event.action": "block", + "event.code": "NONE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.60.56.205 4345 [10/Jul/2019:1:56:14 writtenb] \"NONE https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii tesse\" 10.82.148.126 inBCSedu ita \"ade\" nihilmol nder 2214 \"https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]\" block", + "file.name": "ade", + "fileset.name": "log", + "http.request.referrer": "https://api.example.net/uunturm/iatn.gif?tseddo=diduntut#rroq", + "input.type": "log", + "log.offset": 35079, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.com", + "api.example.net" + ], + "related.ip": [ + "10.82.148.126", + "10.60.56.205" + ], + "related.user": [ + "ita" + ], + "rsa.internal.messageid": "NONE", + "rsa.misc.action": [ + "NONE", + "block" + ], + "rsa.misc.content_type": "nder", + "rsa.misc.result_code": "nihilmol", + "rsa.network.domain": "www5.example.com", + "rsa.network.network_service": "tesse", + "rsa.time.event_time": "2019-07-10T03:56:14.000Z", + "rsa.web.alias_host": "www5.example.com", + "rsa.web.web_ref_domain": "api.example.net", + "rsa.web.web_ref_query": "tseddo=diduntut", + "server.domain": "www5.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "www5", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 2214, + "source.ip": [ + "10.60.56.205" + ], + "source.port": 4345, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.com", + "url.original": "https://www5.example.com/ugitsed/dminimve.htm?onse=uiac#tquii", + "url.path": "https://api.example.net", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", + "user.name": "ita", + "user_agent.device.name": "iPhone", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 LightSpeed [FBAN/MessengerLiteForiOS;FBAV/266.0.0.32.114;FBBV/216059178;FBDV/iPhone10,6;FBMD/iPhone;FBSN/iOS;FBSV/13.4.1;FBSS/3;FBCR/;FBID/phone;FBLC/en_US;FBOP/0]", + "user_agent.os.full": "iOS 13.4.1", + "user_agent.os.name": "iOS", + "user_agent.os.version": "13.4.1", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2019-07-24T10:58:48.000Z", + "destination.ip": [ + "10.6.11.124" + ], + "event.action": "accept", + "event.code": "DELETE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.245.251.98 261 [24/Jul/2019:8:58:48 mremaper] \"DELETE https://api.example.com/ntium/ide.htm?tamrema=isautem#usan gnamali\" 10.6.11.124 edqui tvolu \"psu\" strud onsequ 5930 \"https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que\" \"Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36\" accept", + "file.name": "psu", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.net/iumto/sequatu.jpg?runtm=mdoloree#que", + "input.type": "log", + "log.offset": 35603, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.net", + "api.example.com" + ], + "related.ip": [ + "10.6.11.124", + "10.245.251.98" + ], + "related.user": [ + "tvolu" + ], + "rsa.internal.messageid": "DELETE", + "rsa.misc.action": [ + "accept", + "DELETE" + ], + "rsa.misc.content_type": "onsequ", + "rsa.misc.result_code": "strud", + "rsa.network.domain": "api.example.com", + "rsa.network.network_service": "gnamali", + "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.web.alias_host": "api.example.com", + "rsa.web.web_ref_domain": "www5.example.net", + "rsa.web.web_ref_query": "runtm=mdoloree", + "server.domain": "api.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "api", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 5930, + "source.ip": [ + "10.245.251.98" + ], + "source.port": 261, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.original": "https://api.example.com/ntium/ide.htm?tamrema=isautem#usan", + "url.path": "https://www5.example.net", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", + "user.name": "tvolu", + "user_agent.device.name": "QMobile X700 PRO II", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; QMobile X700 PRO II) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "77.0.3865.92" + }, + { + "@timestamp": "2019-08-07T06:01:23.000Z", + "destination.ip": [ + "10.145.25.55" + ], + "event.action": "block", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.99.55.115 1537 [07/Aug/2019:4:01:23 exerci] \"CONNECT https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui uov\" 10.145.25.55 litsed lumd \"tiaec\" lorem iamquisn 2079 \"https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve\" \"Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", + "file.name": "tiaec", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/aper/entor.txt?lumdol=edutper#utemve", + "input.type": "log", + "log.offset": 35983, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.org", + "mail.example.org" + ], + "related.ip": [ + "10.99.55.115", + "10.145.25.55" + ], + "related.user": [ + "lumd" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "block" + ], + "rsa.misc.content_type": "iamquisn", + "rsa.misc.result_code": "lorem", + "rsa.network.domain": "www5.example.org", + "rsa.network.network_service": "uov", + "rsa.time.event_time": "2019-08-07T06:01:23.000Z", + "rsa.web.alias_host": "www5.example.org", + "rsa.web.web_ref_domain": "mail.example.org", + "rsa.web.web_ref_query": "lumdol=edutper", + "server.domain": "www5.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "www5", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 2079, + "source.ip": [ + "10.99.55.115" + ], + "source.port": 1537, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.org", + "url.original": "https://www5.example.org/iad/ngelits.jpg?mporin=orissusc#utaliqui", + "url.path": "https://mail.example.org", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", + "user.name": "lumd", + "user_agent.device.name": "ZTE BLADE V7", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE V7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 6.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "6.0", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-08-21T13:03:57.000Z", + "destination.ip": [ + "10.6.88.105" + ], + "event.action": "allow", + "event.code": "TRACE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.187.86.64 3325 [21/Aug/2019:11:03:57 atatn] \"TRACE https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe ddoeiusm\" 10.6.88.105 uptatemU rem \"onorumet\" iscivel rinci 249 \"https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion\" \"Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36\" allow", + "file.name": "onorumet", + "fileset.name": "log", + "http.request.referrer": "https://internal.example.com/eriti/uptateve.htm?rema=mcol#tion", + "input.type": "log", + "log.offset": 36362, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.com", + "internal.example.com" + ], + "related.ip": [ + "10.6.88.105", + "10.187.86.64" + ], + "related.user": [ + "rem" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "TRACE", + "allow" + ], + "rsa.misc.content_type": "rinci", + "rsa.misc.result_code": "iscivel", + "rsa.network.domain": "mail.example.com", + "rsa.network.network_service": "ddoeiusm", + "rsa.time.event_time": "2019-08-21T13:03:57.000Z", + "rsa.web.alias_host": "mail.example.com", + "rsa.web.web_ref_domain": "internal.example.com", + "rsa.web.web_ref_query": "rema=mcol", + "server.domain": "mail.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "mail", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 249, + "source.ip": [ + "10.187.86.64" + ], + "source.port": 3325, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.original": "https://mail.example.com/iatnulap/roi.htm?uine=loreeu#eprehe", + "url.path": "https://internal.example.com", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", + "user.name": "rem", + "user_agent.device.name": "Notepad_K10", + "user_agent.name": "Chrome", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-09-05T08:06:31.000Z", + "destination.ip": [ + "10.163.9.35" + ], + "event.action": "accept", + "event.code": "CONNECT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.252.146.132 503 [05/Sep/2019:6:06:31 tat] \"CONNECT https://mail.example.org/turv/use.jpg?mtot=macc#illoin eursi\" 10.163.9.35 uatDu umq \"ipsu\" oremip ota 4562 \"https://example.com/epteurs/itse.jpg?modi=cip#tla\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" accept", + "file.name": "ipsu", + "fileset.name": "log", + "http.request.referrer": "https://example.com/epteurs/itse.jpg?modi=cip#tla", + "input.type": "log", + "log.offset": 36731, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.org", + "example.com" + ], + "related.ip": [ + "10.252.146.132", + "10.163.9.35" + ], + "related.user": [ + "umq" + ], + "rsa.internal.messageid": "CONNECT", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "CONNECT", + "accept" + ], + "rsa.misc.content_type": "ota", + "rsa.misc.result_code": "oremip", + "rsa.network.domain": "mail.example.org", + "rsa.network.network_service": "eursi", + "rsa.time.event_time": "2019-09-05T08:06:31.000Z", + "rsa.web.alias_host": "mail.example.org", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "modi=cip", + "server.domain": "mail.example.org", + "server.registered_domain": "example.org", + "server.subdomain": "mail", + "server.top_level_domain": "org", + "service.type": "squid", + "source.bytes": 4562, + "source.ip": [ + "10.252.146.132" + ], + "source.port": 503, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.org", + "url.original": "https://mail.example.org/turv/use.jpg?mtot=macc#illoin", + "url.path": "https://example.com", + "url.registered_domain": "example.org", + "url.subdomain": "mail", + "url.top_level_domain": "org", + "user.name": "umq", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-09-19T03:09:05.000Z", + "destination.ip": [ + "10.235.160.245" + ], + "event.action": "deny", + "event.code": "DELETE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.249.101.177 4465 [19/Sep/2019:1:09:05 quam] \"DELETE https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol umdo\" 10.235.160.245 squamest upta \"umquiad\" porinc uameiu 4857 \"https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce\" \"Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36\" deny", + "file.name": "umquiad", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/mipsa/uas.gif?reeufu=umexe#xce", + "input.type": "log", + "log.offset": 37127, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.com", + "api.example.org" + ], + "related.ip": [ + "10.249.101.177", + "10.235.160.245" + ], + "related.user": [ + "upta" + ], + "rsa.internal.messageid": "DELETE", + "rsa.misc.action": [ + "DELETE", + "deny" + ], + "rsa.misc.content_type": "uameiu", + "rsa.misc.result_code": "porinc", + "rsa.network.domain": "mail.example.com", + "rsa.network.network_service": "umdo", + "rsa.time.event_time": "2019-09-19T03:09:05.000Z", + "rsa.web.alias_host": "mail.example.com", + "rsa.web.web_ref_domain": "api.example.org", + "rsa.web.web_ref_query": "reeufu=umexe", + "server.domain": "mail.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "mail", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 4857, + "source.ip": [ + "10.249.101.177" + ], + "source.port": 4465, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "mail.example.com", + "url.original": "https://mail.example.com/umdol/rerepr.txt?emipsumq=orinr#ineavol", + "url.path": "https://api.example.org", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", + "user.name": "upta", + "user_agent.device.name": "Samsung SM-A260G", + "user_agent.name": "Chrome Mobile WebView", + "user_agent.original": "Mozilla/5.0 (Linux; Android 8.1.0; SM-A260G Build/OPR6; rv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Rocket/2.1.17(19420) Chrome/81.0.4044.138 Mobile Safari/537.36", + "user_agent.os.full": "Android 8.1.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "8.1.0", + "user_agent.version": "81.0.4044.138" + }, + { + "@timestamp": "2019-10-03T10:11:40.000Z", + "destination.ip": [ + "10.73.218.58" + ], + "event.action": "block", + "event.code": "TRACE", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.140.170.171 773 [03/Oct/2019:8:11:40 deom] \"TRACE https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup erspici\" 10.73.218.58 quidol tinv \"Utenima\" nse umq 1831 \"https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed\" \"Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36\" block", + "file.name": "Utenima", + "fileset.name": "log", + "http.request.referrer": "https://mail.example.org/meaquei/snisiu.htm?atev=vento#litsed", + "input.type": "log", + "log.offset": 37549, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "mail.example.org", + "internal.example.com" + ], + "related.ip": [ + "10.140.170.171", + "10.73.218.58" + ], + "related.user": [ + "tinv" + ], + "rsa.internal.messageid": "TRACE", + "rsa.misc.action": [ + "block", + "TRACE" + ], + "rsa.misc.content_type": "umq", + "rsa.misc.result_code": "nse", + "rsa.network.domain": "internal.example.com", + "rsa.network.network_service": "erspici", + "rsa.time.event_time": "2019-10-03T10:11:40.000Z", + "rsa.web.alias_host": "internal.example.com", + "rsa.web.web_ref_domain": "mail.example.org", + "rsa.web.web_ref_query": "atev=vento", + "server.domain": "internal.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "internal", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 1831, + "source.ip": [ + "10.140.170.171" + ], + "source.port": 773, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "internal.example.com", + "url.original": "https://internal.example.com/rautod/onorumet.htm?mvo=agnidol#nevolup", + "url.path": "https://mail.example.org", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", + "user.name": "tinv", + "user_agent.device.name": "U307AS", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", + "user_agent.os.full": "Android 9", + "user_agent.os.name": "Android", + "user_agent.os.version": "9", + "user_agent.version": "83.0.4103.83" + }, + { + "@timestamp": "2019-10-18T05:14:14.000Z", + "destination.ip": [ + "10.67.148.40" + ], + "event.action": "deny", + "event.code": "OPTIONS", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.248.156.138 2125 [18/Oct/2019:3:14:14 smodit] \"OPTIONS https://example.net/dun/xce.jpg?nsequat=mvol#asiar eiu\" 10.67.148.40 tcons squamest \"ction\" emveleum siuta 2155 \"https://example.com/epteur/onproi.txt?imveniam=sunte#exerc\" \"Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16\" deny", + "file.name": "ction", + "fileset.name": "log", + "http.request.referrer": "https://example.com/epteur/onproi.txt?imveniam=sunte#exerc", + "input.type": "log", + "log.offset": 37919, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "example.com", + "example.net" + ], + "related.ip": [ + "10.248.156.138", + "10.67.148.40" + ], + "related.user": [ + "squamest" + ], + "rsa.internal.messageid": "OPTIONS", + "rsa.misc.action": [ + "OPTIONS", + "deny" + ], + "rsa.misc.content_type": "siuta", + "rsa.misc.result_code": "emveleum", + "rsa.network.domain": "example.net", + "rsa.network.network_service": "eiu", + "rsa.time.event_time": "2019-10-18T05:14:14.000Z", + "rsa.web.alias_host": "example.net", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "imveniam=sunte", + "server.domain": "example.net", + "server.registered_domain": "example.net", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 2155, + "source.ip": [ + "10.248.156.138" + ], + "source.port": 2125, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "example.net", + "url.original": "https://example.net/dun/xce.jpg?nsequat=mvol#asiar", + "url.path": "https://example.com", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", + "user.name": "squamest", + "user_agent.device.name": "Generic Smartphone", + "user_agent.name": "Opera Mini", + "user_agent.original": "Opera/9.80 (Series 60; Opera Mini/7.1.32444/174.101; U; ru) Presto/2.12.423 Version/12.16", + "user_agent.os.name": "Symbian OS", + "user_agent.version": "7.1.32444" + }, + { + "@timestamp": "2019-11-01T12:16:48.000Z", + "destination.ip": [ + "10.37.33.179" + ], + "event.action": "accept", + "event.code": "UNLOCK", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.83.154.75 4260 [01/Nov/2019:10:16:48 explicab] \"UNLOCK https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu orumetMa\" 10.37.33.179 taed eatae \"siutali\" oloremq sum 6106 \"https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat\" \"Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30\" accept", + "file.name": "siutali", + "fileset.name": "log", + "http.request.referrer": "https://www.example.org/ulamc/doe.txt?remquela=toreve#squirat", + "input.type": "log", + "log.offset": 38247, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www.example.org", + "api.example.com" + ], + "related.ip": [ + "10.37.33.179", + "10.83.154.75" + ], + "related.user": [ + "eatae" + ], + "rsa.internal.messageid": "UNLOCK", + "rsa.misc.action": [ + "UNLOCK", + "accept" + ], + "rsa.misc.content_type": "sum", + "rsa.misc.result_code": "oloremq", + "rsa.network.domain": "api.example.com", + "rsa.network.network_service": "orumetMa", + "rsa.time.event_time": "2019-11-01T12:16:48.000Z", + "rsa.web.alias_host": "api.example.com", + "rsa.web.web_ref_domain": "www.example.org", + "rsa.web.web_ref_query": "remquela=toreve", + "server.domain": "api.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "api", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 6106, + "source.ip": [ + "10.83.154.75" + ], + "source.port": 4260, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.original": "https://api.example.com/teiru/mquamei.jpg?pta=uradi#sequu", + "url.path": "https://www.example.org", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", + "user.name": "eatae", + "user_agent.device.name": "Meizu M6", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 7.0; MEIZU M6 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Mobile Safari/537.36 YaApp_Android/10.30 YaSearchBrowser/10.30", + "user_agent.os.full": "Android 7.0", + "user_agent.os.name": "Android", + "user_agent.os.version": "7.0", + "user_agent.version": "77.0.3865.120" + }, + { + "@timestamp": "2019-11-15T07:19:22.000Z", + "destination.ip": [ + "10.84.107.38" + ], + "event.action": "deny", + "event.code": "MKOL", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.14.29.202 7842 [15/Nov/2019:5:19:22 modoco] \"MKOL https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo nimv\" 10.84.107.38 tutla usmod \"ine\" qui itse 2097 \"https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe\" \"Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10\" deny", + "file.name": "ine", + "fileset.name": "log", + "http.request.referrer": "https://www5.example.org/tasn/exeaco.html?metc=aincidu#reprehe", + "input.type": "log", + "log.offset": 38676, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "www5.example.org", + "www5.example.net" + ], + "related.ip": [ + "10.14.29.202", + "10.84.107.38" + ], + "related.user": [ + "usmod" + ], + "rsa.internal.messageid": "MKOL", + "rsa.misc.action": [ + "deny", + "MKOL" + ], + "rsa.misc.content_type": "itse", + "rsa.misc.result_code": "qui", + "rsa.network.domain": "www5.example.net", + "rsa.network.network_service": "nimv", + "rsa.time.event_time": "2019-11-15T07:19:22.000Z", + "rsa.web.alias_host": "www5.example.net", + "rsa.web.web_ref_domain": "www5.example.org", + "rsa.web.web_ref_query": "metc=aincidu", + "server.domain": "www5.example.net", + "server.registered_domain": "example.net", + "server.subdomain": "www5", + "server.top_level_domain": "net", + "service.type": "squid", + "source.bytes": 2097, + "source.ip": [ + "10.14.29.202" + ], + "source.port": 7842, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "www5.example.net", + "url.original": "https://www5.example.net/dtempor/rroquisq.gif?liquid=uidex#umdolo", + "url.path": "https://www5.example.org", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", + "user.name": "usmod", + "user_agent.device.name": "Samsung SM-A305FN", + "user_agent.name": "YandexSearch", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A305FN Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/78.0.3904.96 Mobile Safari/537.36 YandexSearch/8.10 YandexSearchBrowser/8.10", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "8.10" + }, + { + "@timestamp": "2019-11-30T14:21:57.000Z", + "destination.ip": [ + "10.204.223.184" + ], + "event.action": "deny", + "event.code": "POST", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.221.86.133 6682 [30/Nov/2019:12:21:57 edi] \"POST https://api.example.com/ore/adeser.htm?pre=aute#rchite rcit\" 10.204.223.184 oinve ptasnul \"utaliqui\" mcorpor rerepr 6861 \"https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni\" \"Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]\" deny", + "file.name": "utaliqui", + "fileset.name": "log", + "http.request.referrer": "https://example.com/tuserror/agnama.jpg?deritq=boreetdo#teni", + "input.type": "log", + "log.offset": 39122, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.com", + "example.com" + ], + "related.ip": [ + "10.204.223.184", + "10.221.86.133" + ], + "related.user": [ + "ptasnul" + ], + "rsa.internal.messageid": "POST", + "rsa.investigations.ec_subject": "NetworkComm", + "rsa.investigations.ec_theme": "ALM", + "rsa.misc.action": [ + "deny", + "POST" + ], + "rsa.misc.content_type": "rerepr", + "rsa.misc.result_code": "mcorpor", + "rsa.network.domain": "api.example.com", + "rsa.network.network_service": "rcit", + "rsa.time.event_time": "2019-11-30T14:21:57.000Z", + "rsa.web.alias_host": "api.example.com", + "rsa.web.web_ref_domain": "example.com", + "rsa.web.web_ref_query": "deritq=boreetdo", + "server.domain": "api.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "api", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 6861, + "source.ip": [ + "10.221.86.133" + ], + "source.port": 6682, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.original": "https://api.example.com/ore/adeser.htm?pre=aute#rchite", + "url.path": "https://example.com", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", + "user.name": "ptasnul", + "user_agent.device.name": "Samsung SM-A715F", + "user_agent.name": "Facebook", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; SM-A715F Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.83 Mobile Safari/537.36 [FB_IAB/Orca-Android;FBAV/266.0.0.16.117;]", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "266.0.0" + }, + { + "@timestamp": "2019-12-14T09:24:31.000Z", + "destination.ip": [ + "10.229.39.190" + ], + "event.action": "deny", + "event.code": "PUT", + "event.dataset": "squid.log", + "event.module": "squid", + "event.original": "10.195.4.70 3844 [14/Dec/2019:7:24:31 mfugiat] \"PUT https://api.example.com/liqu/dolor.htm?ess=umdo#aer quela\" 10.229.39.190 Nequepo edictas \"emac\" rmagnido exeaco 2574 \"https://api.example.org/loremi/nven.htm?usan=ugiatn#squa\" \"Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91\" deny", + "file.name": "emac", + "fileset.name": "log", + "http.request.referrer": "https://api.example.org/loremi/nven.htm?usan=ugiatn#squa", + "input.type": "log", + "log.offset": 39568, + "observer.product": "Proxy", + "observer.type": "Proxies", + "observer.vendor": "Squid", + "related.hosts": [ + "api.example.org", + "api.example.com" + ], + "related.ip": [ + "10.195.4.70", + "10.229.39.190" + ], + "related.user": [ + "edictas" + ], + "rsa.internal.messageid": "PUT", + "rsa.misc.action": [ + "PUT", + "deny" + ], + "rsa.misc.content_type": "exeaco", + "rsa.misc.result_code": "rmagnido", + "rsa.network.domain": "api.example.com", + "rsa.network.network_service": "quela", + "rsa.time.event_time": "2019-12-14T09:24:31.000Z", + "rsa.web.alias_host": "api.example.com", + "rsa.web.web_ref_domain": "api.example.org", + "rsa.web.web_ref_query": "usan=ugiatn", + "server.domain": "api.example.com", + "server.registered_domain": "example.com", + "server.subdomain": "api", + "server.top_level_domain": "com", + "service.type": "squid", + "source.bytes": 2574, + "source.ip": [ + "10.195.4.70" + ], + "source.port": 3844, + "tags": [ + "squid.log", + "forwarded" + ], + "url.domain": "api.example.com", + "url.original": "https://api.example.com/liqu/dolor.htm?ess=umdo#aer", + "url.path": "https://api.example.org", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", + "user.name": "edictas", + "user_agent.device.name": "STK-L21", + "user_agent.name": "Chrome Mobile", + "user_agent.original": "Mozilla/5.0 (Linux; Android 10; STK-L21 Build/HUAWEISTK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36 YaApp_Android/10.91 YaSearchBrowser/10.91", + "user_agent.os.full": "Android 10", + "user_agent.os.name": "Android", + "user_agent.os.version": "10", + "user_agent.version": "83.0.4103.83" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml index fa29b00e92d4..e7c69b9dea77 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml +++ b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/liblogparser.js b/x-pack/filebeat/module/symantec/endpointprotection/config/liblogparser.js index 6cdb48abb268..cec99a043e86 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/config/liblogparser.js +++ b/x-pack/filebeat/module/symantec/endpointprotection/config/liblogparser.js @@ -1012,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -1020,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -1030,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -1038,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1094,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1119,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -2014,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { diff --git a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml index cf257ba5d64c..f445847ac9d9 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml @@ -57,22 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' - - append: - field: related.hosts - value: '{{host.hostname}}' - allow_duplicates: false - if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - - append: - field: related.hosts - value: '{{source.address}}' - allow_duplicates: false - if: ctx?.source?.address != null && ctx.source?.address != '' - - append: - field: related.hosts - value: '{{destination.address}}' - allow_duplicates: false - if: ctx?.destination?.address != null && ctx.destination?.address != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/symantec/endpointprotection/manifest.yml b/x-pack/filebeat/module/symantec/endpointprotection/manifest.yml index 84ea3fb0f0cc..a91a80284fb2 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/manifest.yml +++ b/x-pack/filebeat/module/symantec/endpointprotection/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9534 + default: 9550 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json index 0c6eccf2dccb..eedb469b267a 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json +++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json @@ -13,7 +13,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "exe7309.internal.local" + "exe7309.internal.local", + "reprehe", + "byC4864.www.host" ], "rsa.internal.event_desc": "rsitam", "rsa.internal.messageid": "302776834", @@ -22,6 +24,9 @@ "rsa.misc.severity": "high", "rsa.network.domain": "byC4864.www.host", "server.domain": "byC4864.www.host", + "server.registered_domain": "www.host", + "server.subdomain": "byC4864", + "server.top_level_domain": "host", "service.type": "symantec", "source.address": "exe7309.internal.local", "tags": [ @@ -45,8 +50,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "llam2073.internal.localdomain", - "sitas4259.mail.corp" + "sitas4259.mail.corp", + "iumto", + "rumet5772.mail.corp", + "llam2073.internal.localdomain" ], "rsa.internal.event_desc": "aboreetd", "rsa.internal.messageid": "303235083", @@ -59,6 +66,9 @@ ], "rsa.network.domain": "rumet5772.mail.corp", "server.domain": "rumet5772.mail.corp", + "server.registered_domain": "mail.corp", + "server.subdomain": "rumet5772", + "server.top_level_domain": "corp", "service.type": "symantec", "source.address": "sitas4259.mail.corp", "tags": [ @@ -80,6 +90,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "tectobe", + "equa3653.internal.host", "olupt3702.www.localhost" ], "rsa.internal.event_desc": "colabor", @@ -89,6 +101,9 @@ "rsa.misc.severity": "medium", "rsa.network.domain": "equa3653.internal.host", "server.domain": "equa3653.internal.host", + "server.registered_domain": "internal.host", + "server.subdomain": "equa3653", + "server.top_level_domain": "host", "service.type": "symantec", "source.address": "olupt3702.www.localhost", "tags": [ @@ -110,8 +125,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "onse254.www5.localdomain", - "tat6349.internal.lan" + "tat6349.internal.lan", + "onse254.www5.localdomain" ], "rsa.db.index": "uiineavo", "rsa.internal.event_desc": "Invalid log record", @@ -161,6 +176,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "numqu3768.internal.lan", + "den", "mdolore2062.mail.host" ], "rsa.internal.event_desc": "tutla", @@ -170,6 +187,9 @@ "rsa.misc.severity": "medium", "rsa.network.domain": "numqu3768.internal.lan", "server.domain": "numqu3768.internal.lan", + "server.registered_domain": "internal.lan", + "server.subdomain": "numqu3768", + "server.top_level_domain": "lan", "service.type": "symantec", "source.address": "mdolore2062.mail.host", "tags": [ @@ -229,7 +249,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "dutp6197.www.test" + "siut", + "dutp6197.www.test", + "billo2947.internal.localhost" ], "rsa.internal.event_desc": "tconsect", "rsa.internal.messageid": "303235076", @@ -238,6 +260,9 @@ "rsa.misc.severity": "medium", "rsa.network.domain": "billo2947.internal.localhost", "server.domain": "billo2947.internal.localhost", + "server.registered_domain": "internal.localhost", + "server.subdomain": "billo2947", + "server.top_level_domain": "localhost", "service.type": "symantec", "source.address": "dutp6197.www.test", "tags": [ @@ -261,8 +286,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "umSe1918.local", - "nBCSedut1502.www5.example" + "fugia", + "nBCSedut1502.www5.example", + "nea2083.www5.localhost", + "umSe1918.local" ], "rsa.internal.event_desc": "oditautf", "rsa.internal.messageid": "302449410", @@ -275,6 +302,9 @@ ], "rsa.network.domain": "nea2083.www5.localhost", "server.domain": "nea2083.www5.localhost", + "server.registered_domain": "www5.localhost", + "server.subdomain": "nea2083", + "server.top_level_domain": "localhost", "service.type": "symantec", "source.address": "nBCSedut1502.www5.example", "tags": [ @@ -298,8 +328,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "olupt2189.lan", - "temporin7150.mail.local" + "rationev", + "oreetd7668.www5.localdomain", + "temporin7150.mail.local", + "olupt2189.lan" ], "rsa.internal.event_desc": "rem", "rsa.internal.messageid": "302449169", @@ -312,6 +344,9 @@ ], "rsa.network.domain": "oreetd7668.www5.localdomain", "server.domain": "oreetd7668.www5.localdomain", + "server.registered_domain": "www5.localdomain", + "server.subdomain": "oreetd7668", + "server.top_level_domain": "localdomain", "service.type": "symantec", "source.address": "temporin7150.mail.local", "tags": [ @@ -371,7 +406,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "Except6889.www.corp" + "Except6889.www.corp", + "asper", + "utfug7095.api.corp" ], "rsa.internal.event_desc": "umq", "rsa.internal.messageid": "302452736", @@ -380,6 +417,9 @@ "rsa.misc.severity": "high", "rsa.network.domain": "utfug7095.api.corp", "server.domain": "utfug7095.api.corp", + "server.registered_domain": "api.corp", + "server.subdomain": "utfug7095", + "server.top_level_domain": "corp", "service.type": "symantec", "source.address": "Except6889.www.corp", "tags": [ @@ -401,6 +441,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "orroqu472.www.localhost", + "iruredol", "quatD1370.invalid" ], "rsa.internal.event_desc": "veniamqu", @@ -410,6 +452,9 @@ "rsa.misc.severity": "medium", "rsa.network.domain": "orroqu472.www.localhost", "server.domain": "orroqu472.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "orroqu472", + "server.top_level_domain": "localhost", "service.type": "symantec", "source.address": "quatD1370.invalid", "tags": [ @@ -433,8 +478,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "iatqu6203.mail.corp", - "quaeab2653.mail.localdomain" + "quaeab2653.mail.localdomain", + "olup", + "mides4759.api.local", + "iatqu6203.mail.corp" ], "rsa.db.index": "itat", "rsa.internal.event_desc": "aco", @@ -452,6 +499,9 @@ ], "rsa.network.domain": "mides4759.api.local", "server.domain": "mides4759.api.local", + "server.registered_domain": "api.local", + "server.subdomain": "mides4759", + "server.top_level_domain": "local", "service.type": "symantec", "source.address": "quaeab2653.mail.localdomain", "tags": [ @@ -473,7 +523,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "redol124.mail.invalid" + "litesseq6785.host", + "redol124.mail.invalid", + "ctetu" ], "rsa.internal.event_desc": "orinrep", "rsa.internal.messageid": "302450688", @@ -482,6 +534,8 @@ "rsa.misc.severity": "low", "rsa.network.domain": "litesseq6785.host", "server.domain": "litesseq6785.host", + "server.registered_domain": "litesseq6785.host", + "server.top_level_domain": "host", "service.type": "symantec", "source.address": "redol124.mail.invalid", "tags": [ @@ -503,7 +557,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "enim5999.mail.localhost" + "prehe1037.api.example", + "enim5999.mail.localhost", + "iame" ], "rsa.internal.event_desc": "orroquis", "rsa.internal.messageid": "303169538", @@ -512,6 +568,9 @@ "rsa.misc.severity": "low", "rsa.network.domain": "prehe1037.api.example", "server.domain": "prehe1037.api.example", + "server.registered_domain": "api.example", + "server.subdomain": "prehe1037", + "server.top_level_domain": "example", "service.type": "symantec", "source.address": "enim5999.mail.localhost", "tags": [ @@ -535,8 +594,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "reseosqu1629.mail.lan", - "rsitvolu3596.www.test" + "rsitvolu3596.www.test", + "adm", + "CSe4501.example", + "reseosqu1629.mail.lan" ], "rsa.internal.event_desc": "gelitsed", "rsa.internal.messageid": "302449410", @@ -549,6 +610,8 @@ ], "rsa.network.domain": "CSe4501.example", "server.domain": "CSe4501.example", + "server.registered_domain": "CSe4501.example", + "server.top_level_domain": "example", "service.type": "symantec", "source.address": "rsitvolu3596.www.test", "tags": [ @@ -570,7 +633,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "tan3170.api.example" + "etdol", + "tan3170.api.example", + "nisiuta7623.www.local" ], "rsa.internal.event_desc": "dolorsi", "rsa.internal.messageid": "303235081", @@ -580,6 +645,9 @@ "rsa.misc.severity": "high", "rsa.network.domain": "nisiuta7623.www.local", "server.domain": "nisiuta7623.www.local", + "server.registered_domain": "www.local", + "server.subdomain": "nisiuta7623", + "server.top_level_domain": "local", "service.type": "symantec", "source.address": "tan3170.api.example", "tags": [ @@ -601,8 +669,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "eseruntm4247.mail.local", - "magnaal5792.www5.domain" + "magnaal5792.www5.domain", + "eseruntm4247.mail.local" ], "rsa.counters.dclass_c1": 7519, "rsa.counters.dclass_c1_str": "Number of Virus Cleaned.", @@ -633,7 +701,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "itatio6735.api.example" + "rsin", + "itatio6735.api.example", + "emullam7151.lan" ], "rsa.internal.event_desc": "rumSec", "rsa.internal.messageid": "302452801", @@ -642,6 +712,8 @@ "rsa.misc.severity": "high", "rsa.network.domain": "emullam7151.lan", "server.domain": "emullam7151.lan", + "server.registered_domain": "emullam7151.lan", + "server.top_level_domain": "lan", "service.type": "symantec", "source.address": "itatio6735.api.example", "tags": [ @@ -663,7 +735,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "radip163.mail.invalid" + "radip163.mail.invalid", + "ainc", + "iti7029.www.test" ], "rsa.internal.event_desc": "miurerep", "rsa.internal.messageid": "302449166", @@ -672,6 +746,9 @@ "rsa.misc.severity": "high", "rsa.network.domain": "iti7029.www.test", "server.domain": "iti7029.www.test", + "server.registered_domain": "www.test", + "server.subdomain": "iti7029", + "server.top_level_domain": "test", "service.type": "symantec", "source.address": "radip163.mail.invalid", "tags": [ @@ -700,13 +777,14 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "vol866.api.domain", - "bore5546.www.local" + "rere228.invalid", + "bore5546.www.local", + "vol866.api.domain" ], "related.ip": [ - "10.175.83.138", "10.7.164.113", - "10.207.125.114" + "10.207.125.114", + "10.175.83.138" ], "related.user": [ "remip" @@ -724,6 +802,8 @@ "rsa.time.event_time_str": "10:03:59", "rsa.time.starttime": "2016-11-24T12:03:59.000Z", "server.domain": "rere228.invalid", + "server.registered_domain": "rere228.invalid", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "bore5546.www.local", "source.ip": [ @@ -751,8 +831,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "inc5923.www.test", - "tatemseq5797.home" + "oremip", + "tatemseq5797.home", + "asnulap2567.www5.invalid", + "inc5923.www.test" ], "rsa.internal.event_desc": "eufugi", "rsa.internal.messageid": "302452817", @@ -765,6 +847,9 @@ ], "rsa.network.domain": "asnulap2567.www5.invalid", "server.domain": "asnulap2567.www5.invalid", + "server.registered_domain": "www5.invalid", + "server.subdomain": "asnulap2567", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "tatemseq5797.home", "tags": [ @@ -792,8 +877,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "enima7673.api.localhost", - "sequ6424.www.invalid" + "sequ6424.www.invalid", + "quiavolu6301.www5.localhost", + "enima7673.api.localhost" ], "related.ip": [ "10.139.207.36", @@ -814,6 +900,9 @@ "rsa.time.event_time_str": "00:09:07", "rsa.time.starttime": "2016-12-23T14:09:07.000Z", "server.domain": "quiavolu6301.www5.localhost", + "server.registered_domain": "www5.localhost", + "server.subdomain": "quiavolu6301", + "server.top_level_domain": "localhost", "service.type": "symantec", "source.address": "sequ6424.www.invalid", "source.ip": [ @@ -846,8 +935,9 @@ "process.parent.name": "mquis", "process.ppid": 5040, "related.hosts": [ - "tnulapa7580.www.domain", - "madminim6826.www.host" + "madminim6826.www.host", + "tatemse4493.mail.local", + "tnulapa7580.www.domain" ], "related.ip": [ "10.249.243.41" @@ -876,6 +966,9 @@ "rsa.time.starttime": "2017-01-06T07:11:41.000Z", "rule.name": "nesci", "server.domain": "tatemse4493.mail.local", + "server.registered_domain": "mail.local", + "server.subdomain": "tatemse4493", + "server.top_level_domain": "local", "service.type": "symantec", "source.address": "madminim6826.www.host", "source.domain": "mquisnos", @@ -904,8 +997,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "ici182.invalid", - "caecat4678.www.home" + "eumfu2149.internal.home", + "caecat4678.www.home", + "quisn", + "ici182.invalid" ], "rsa.internal.event_desc": "rem", "rsa.internal.messageid": "302449415", @@ -918,6 +1013,9 @@ ], "rsa.network.domain": "eumfu2149.internal.home", "server.domain": "eumfu2149.internal.home", + "server.registered_domain": "internal.home", + "server.subdomain": "eumfu2149", + "server.top_level_domain": "home", "service.type": "symantec", "source.address": "caecat4678.www.home", "tags": [ @@ -939,6 +1037,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "boreet2051.internal.localdomain", + "qua", "beat2952.internal.localhost" ], "rsa.internal.event_desc": "iarchite", @@ -948,6 +1048,9 @@ "rsa.misc.severity": "very-high", "rsa.network.domain": "boreet2051.internal.localdomain", "server.domain": "boreet2051.internal.localdomain", + "server.registered_domain": "internal.localdomain", + "server.subdomain": "boreet2051", + "server.top_level_domain": "localdomain", "service.type": "symantec", "source.address": "beat2952.internal.localhost", "tags": [ @@ -971,8 +1074,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "ured3428.www.corp", - "uames7663.internal.local" + "imip7160.www.invalid", + "uames7663.internal.local", + "oreeu", + "ured3428.www.corp" ], "rsa.internal.event_desc": "taspe", "rsa.internal.messageid": "302776321", @@ -985,6 +1090,9 @@ ], "rsa.network.domain": "imip7160.www.invalid", "server.domain": "imip7160.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "imip7160", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "uames7663.internal.local", "tags": [ @@ -1006,7 +1114,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "velillum6639.www5.local" + "qua948.mail.local", + "velillum6639.www5.local", + "Mal" ], "rsa.internal.event_desc": "itinvo", "rsa.internal.messageid": "302449153", @@ -1015,6 +1125,9 @@ "rsa.misc.severity": "high", "rsa.network.domain": "qua948.mail.local", "server.domain": "qua948.mail.local", + "server.registered_domain": "mail.local", + "server.subdomain": "qua948", + "server.top_level_domain": "local", "service.type": "symantec", "source.address": "velillum6639.www5.local", "tags": [ @@ -1038,8 +1151,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "dictasun3408.internal.invalid", - "onoru5767.internal.domain" + "onoru5767.internal.domain", + "tiu3570.www.invalid", + "dipisciv", + "dictasun3408.internal.invalid" ], "rsa.internal.event_desc": "uam", "rsa.internal.messageid": "303235079", @@ -1052,6 +1167,9 @@ ], "rsa.network.domain": "tiu3570.www.invalid", "server.domain": "tiu3570.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "tiu3570", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "onoru5767.internal.domain", "tags": [ @@ -1104,9 +1222,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "uipe6805.www5.domain", + "Duis583.api.local", + "tqui1142.www5.domain", "atisu6579.test", - "tqui1142.www5.domain" + "uipe6805.www5.domain" ], "related.ip": [ "10.209.205.25", @@ -1137,6 +1256,9 @@ "rsa.time.starttime": "2017-04-16T08:29:41.000Z", "rule.name": "nula", "server.domain": "Duis583.api.local", + "server.registered_domain": "api.local", + "server.subdomain": "Duis583", + "server.top_level_domain": "local", "service.type": "symantec", "source.address": "atisu6579.test", "source.domain": "samvol", @@ -1198,9 +1320,10 @@ "observer.vendor": "Symantec", "observer.version": "1.7457", "related.hosts": [ - "udexerci6630.mail.test", + "deomn904.www.home", + "quinesc4724.www5.host", "isiut4530.localdomain", - "deomn904.www.home" + "udexerci6630.mail.test" ], "related.ip": [ "10.202.55.203", @@ -1232,6 +1355,9 @@ "rsa.time.endtime": "2017-05-14T22:34:50.000Z", "rsa.time.starttime": "2017-05-14T22:34:50.000Z", "server.domain": "quinesc4724.www5.host", + "server.registered_domain": "www5.host", + "server.subdomain": "quinesc4724", + "server.top_level_domain": "host", "service.type": "symantec", "source.address": "isiut4530.localdomain", "source.domain": "lupta", @@ -1261,8 +1387,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "niamqui7696.mail.test", - "taliqu701.www.localhost" + "taliqu701.www.localhost", + "niamqui7696.mail.test" ], "rsa.internal.event_desc": "Traffic Redirection disabled.", "rsa.internal.messageid": "Traffic", @@ -1297,8 +1423,9 @@ "process.parent.name": "onnu", "process.ppid": 724, "related.hosts": [ - "ngelits6213.internal.test", - "lumd4298.mail.localdomain" + "cteturad6288.api.home", + "lumd4298.mail.localdomain", + "ngelits6213.internal.test" ], "related.ip": [ "10.139.89.148" @@ -1327,6 +1454,9 @@ "rsa.time.starttime": "2017-06-12T12:39:58.000Z", "rule.name": "lumdol", "server.domain": "cteturad6288.api.home", + "server.registered_domain": "api.home", + "server.subdomain": "cteturad6288", + "server.top_level_domain": "home", "service.type": "symantec", "source.address": "lumd4298.mail.localdomain", "source.domain": "iad", @@ -1383,12 +1513,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "uaera2917.internal.test", "tuserror810.www5.corp", "uptate5787.api.local" ], "related.ip": [ - "10.247.21.74", - "10.87.92.95" + "10.87.92.95", + "10.247.21.74" ], "related.user": [ "Sedutper" @@ -1408,6 +1539,9 @@ "rsa.time.endtime": "2017-07-11T02:45:07.000Z", "rsa.time.starttime": "2017-07-11T02:45:07.000Z", "server.domain": "uaera2917.internal.test", + "server.registered_domain": "internal.test", + "server.subdomain": "uaera2917", + "server.top_level_domain": "test", "service.type": "symantec", "source.address": "tuserror810.www5.corp", "source.domain": "ati", @@ -1437,8 +1571,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "ruredolo7392.internal.host", - "mipsu3757.www5.home" + "mipsu3757.www5.home", + "quaUt", + "etd4695.mail.lan", + "ruredolo7392.internal.host" ], "rsa.db.index": "oris", "rsa.internal.event_desc": "labor", @@ -1452,6 +1588,9 @@ ], "rsa.network.domain": "etd4695.mail.lan", "server.domain": "etd4695.mail.lan", + "server.registered_domain": "mail.lan", + "server.subdomain": "etd4695", + "server.top_level_domain": "lan", "service.type": "symantec", "source.address": "mipsu3757.www5.home", "tags": [ @@ -1493,7 +1632,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "ntmo4076.lan" + "ntmo4076.lan", + "ationula", + "mvele7557.corp" ], "rsa.internal.event_desc": "doconse", "rsa.internal.messageid": "302449158", @@ -1502,6 +1643,8 @@ "rsa.misc.severity": "high", "rsa.network.domain": "mvele7557.corp", "server.domain": "mvele7557.corp", + "server.registered_domain": "mvele7557.corp", + "server.top_level_domain": "corp", "service.type": "symantec", "source.address": "ntmo4076.lan", "tags": [ @@ -1545,8 +1688,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "amni48.internal.localdomain", - "alo6036.www5.local" + "alo6036.www5.local", + "mdolore", + "henderit3374.internal.invalid", + "amni48.internal.localdomain" ], "rsa.internal.event_desc": "ita", "rsa.internal.messageid": "302710785", @@ -1559,6 +1704,9 @@ ], "rsa.network.domain": "henderit3374.internal.invalid", "server.domain": "henderit3374.internal.invalid", + "server.registered_domain": "internal.invalid", + "server.subdomain": "henderit3374", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "alo6036.www5.local", "tags": [ @@ -1582,8 +1730,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "tenatus4129.www.local", - "uredo4613.home" + "upi", + "uredo4613.home", + "ingelit3629.mail.domain", + "tenatus4129.www.local" ], "rsa.internal.event_desc": "olupta", "rsa.internal.messageid": "303235082", @@ -1596,6 +1746,9 @@ ], "rsa.network.domain": "ingelit3629.mail.domain", "server.domain": "ingelit3629.mail.domain", + "server.registered_domain": "mail.domain", + "server.subdomain": "ingelit3629", + "server.top_level_domain": "domain", "service.type": "symantec", "source.address": "uredo4613.home", "tags": [ @@ -1637,7 +1790,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "mini3181.api.test" + "uovo5035.api.example", + "mini3181.api.test", + "ommodoc" ], "rsa.internal.event_desc": "mwrit", "rsa.internal.messageid": "302452819", @@ -1646,6 +1801,9 @@ "rsa.misc.severity": "high", "rsa.network.domain": "uovo5035.api.example", "server.domain": "uovo5035.api.example", + "server.registered_domain": "api.example", + "server.subdomain": "uovo5035", + "server.top_level_domain": "example", "service.type": "symantec", "source.address": "mini3181.api.test", "tags": [ @@ -1675,8 +1833,10 @@ "observer.version": "1.3638", "process.name": "remap", "related.hosts": [ - "rsitam2337.mail.localdomain", - "iduntu7302.www.invalid" + "iduntu7302.www.invalid", + "elitsedd", + "ema7531.api.example", + "rsitam2337.mail.localdomain" ], "related.ip": [ "10.8.143.229" @@ -1702,14 +1862,17 @@ "rsa.misc.version": "1.3638", "rsa.misc.virusname": "isqu", "rsa.network.alias_host": [ - "assit1598.www5.invalid", - "rsitam2337.mail.localdomain" + "rsitam2337.mail.localdomain", + "assit1598.www5.invalid" ], "rsa.network.domain": "ema7531.api.example", "rsa.threat.threat_category": "isqu", "rsa.time.endtime": "2017-11-16T08:08:15.000Z", "rsa.time.recorded_time": "2017-11-16T08:08:15.000Z", "server.domain": "ema7531.api.example", + "server.registered_domain": "api.example", + "server.subdomain": "ema7531", + "server.top_level_domain": "example", "service.type": "symantec", "source.address": "iduntu7302.www.invalid", "source.ip": [ @@ -1735,6 +1898,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "icero1297.internal.domain", + "non", "equu7361.www5.localdomain" ], "rsa.internal.event_desc": "pta", @@ -1744,6 +1909,9 @@ "rsa.misc.severity": "medium", "rsa.network.domain": "icero1297.internal.domain", "server.domain": "icero1297.internal.domain", + "server.registered_domain": "internal.domain", + "server.subdomain": "icero1297", + "server.top_level_domain": "domain", "service.type": "symantec", "source.address": "equu7361.www5.localdomain", "tags": [ @@ -1772,8 +1940,9 @@ "process.parent.name": "ipsum", "process.ppid": 885, "related.hosts": [ - "uisno4545.www5.corp", - "iono5777.invalid" + "bor5601.www.invalid", + "iono5777.invalid", + "uisno4545.www5.corp" ], "related.ip": [ "10.137.5.67" @@ -1802,6 +1971,9 @@ "rsa.time.starttime": "2017-12-15T08:13:24.000Z", "rule.name": "moditemp", "server.domain": "bor5601.www.invalid", + "server.registered_domain": "www.invalid", + "server.subdomain": "bor5601", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "iono5777.invalid", "source.domain": "doloremi", @@ -1879,12 +2051,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "edictasu3521.invalid", "adminima6097.corp", "agnamali3222.example" ], "related.ip": [ - "10.66.203.117", - "10.92.93.236" + "10.92.93.236", + "10.66.203.117" ], "related.user": [ "uisa" @@ -1905,6 +2078,8 @@ "rsa.time.endtime": "2018-01-27T05:21:06.000Z", "rsa.time.starttime": "2018-01-27T05:21:06.000Z", "server.domain": "edictasu3521.invalid", + "server.registered_domain": "edictasu3521.invalid", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "adminima6097.corp", "source.domain": "umquidol", @@ -1934,8 +2109,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "equ2353.internal.local", - "eratv6521.example" + "tlaboree", + "eratv6521.example", + "seosqui7376.internal.home", + "equ2353.internal.local" ], "rsa.internal.event_desc": "dolorsi", "rsa.internal.messageid": "302452807", @@ -1948,6 +2125,9 @@ ], "rsa.network.domain": "seosqui7376.internal.home", "server.domain": "seosqui7376.internal.home", + "server.registered_domain": "internal.home", + "server.subdomain": "seosqui7376", + "server.top_level_domain": "home", "service.type": "symantec", "source.address": "eratv6521.example", "tags": [ @@ -1971,8 +2151,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "bori7611.invalid", - "iset1992.internal.example" + "pre865.www5.home", + "iset1992.internal.example", + "ffic", + "bori7611.invalid" ], "rsa.internal.event_desc": "imadmini", "rsa.internal.messageid": "302776321", @@ -1985,6 +2167,9 @@ ], "rsa.network.domain": "pre865.www5.home", "server.domain": "pre865.www5.home", + "server.registered_domain": "www5.home", + "server.subdomain": "pre865", + "server.top_level_domain": "home", "service.type": "symantec", "source.address": "iset1992.internal.example", "tags": [ @@ -2025,7 +2210,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "ntin2655.www.localdomain" + "itasper", + "ntin2655.www.localdomain", + "iste5901.mail.localhost" ], "rsa.internal.event_desc": "epo", "rsa.internal.messageid": "302449413", @@ -2034,6 +2221,9 @@ "rsa.misc.severity": "very-high", "rsa.network.domain": "iste5901.mail.localhost", "server.domain": "iste5901.mail.localhost", + "server.registered_domain": "mail.localhost", + "server.subdomain": "iste5901", + "server.top_level_domain": "localhost", "service.type": "symantec", "source.address": "ntin2655.www.localdomain", "tags": [ @@ -2055,7 +2245,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "siuta395.home" + "dolor1769.lan", + "siuta395.home", + "fugiat" ], "rsa.internal.event_desc": "iumdolor", "rsa.internal.messageid": "302449414", @@ -2064,6 +2256,8 @@ "rsa.misc.severity": "high", "rsa.network.domain": "dolor1769.lan", "server.domain": "dolor1769.lan", + "server.registered_domain": "dolor1769.lan", + "server.top_level_domain": "lan", "service.type": "symantec", "source.address": "siuta395.home", "tags": [ @@ -2113,8 +2307,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "tisund4302.www5.local", - "vel1911.lan" + "vel1911.lan", + "obeata796.www.localhost", + "itaspern", + "tisund4302.www5.local" ], "related.ip": [ "10.147.225.53" @@ -2143,6 +2339,9 @@ "rsa.threat.threat_category": "lupta", "rsa.time.recorded_time": "2018-05-07T06:39:06.000Z", "server.domain": "obeata796.www.localhost", + "server.registered_domain": "www.localhost", + "server.subdomain": "obeata796", + "server.top_level_domain": "localhost", "service.type": "symantec", "source.address": "vel1911.lan", "source.ip": [ @@ -2210,8 +2409,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "evelites2448.www.host", - "quisnost7124.api.domain" + "emipsum4052.internal.invalid", + "uidexea", + "quisnost7124.api.domain", + "evelites2448.www.host" ], "rsa.internal.event_desc": "odtem", "rsa.internal.messageid": "303169540", @@ -2224,6 +2425,9 @@ ], "rsa.network.domain": "emipsum4052.internal.invalid", "server.domain": "emipsum4052.internal.invalid", + "server.registered_domain": "internal.invalid", + "server.subdomain": "emipsum4052", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "quisnost7124.api.domain", "tags": [ @@ -2258,13 +2462,14 @@ "observer.vendor": "Symantec", "observer.version": "1.132", "related.hosts": [ - "iatquovo4868.test", + "edi6108.internal.domain", + "ita2191.www5.invalid", "madmi2948.internal.lan", - "edi6108.internal.domain" + "iatquovo4868.test" ], "related.ip": [ - "10.132.171.142", - "10.72.200.11" + "10.72.200.11", + "10.132.171.142" ], "related.user": [ "ero" @@ -2293,6 +2498,9 @@ "rsa.time.endtime": "2018-07-03T10:49:23.000Z", "rsa.time.starttime": "2018-07-03T10:49:23.000Z", "server.domain": "ita2191.www5.invalid", + "server.registered_domain": "www5.invalid", + "server.subdomain": "ita2191", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "madmi2948.internal.lan", "source.domain": "iusmodi", @@ -2360,7 +2568,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "lillumq4387.www5.localhost" + "lillumq4387.www5.localhost", + "turExce", + "tec4011.mail.home" ], "rsa.internal.event_desc": "sse", "rsa.internal.messageid": "302452743", @@ -2369,6 +2579,9 @@ "rsa.misc.severity": "very-high", "rsa.network.domain": "tec4011.mail.home", "server.domain": "tec4011.mail.home", + "server.registered_domain": "mail.home", + "server.subdomain": "tec4011", + "server.top_level_domain": "home", "service.type": "symantec", "source.address": "lillumq4387.www5.localhost", "tags": [ @@ -2428,8 +2641,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "uptatemU1147.mail.corp", - "mqu3327.internal.host" + "mqu3327.internal.host", + "uptatemU1147.mail.corp" ], "rsa.internal.event_desc": "Connection reset.", "rsa.internal.messageid": "Connection", @@ -2460,8 +2673,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "emp42.mail.test", - "ecatcupi4759.internal.local" + "ecatcupi4759.internal.local", + "tenb", + "sit3373.api.localdomain", + "emp42.mail.test" ], "rsa.internal.event_desc": "ritati", "rsa.internal.messageid": "302452736", @@ -2474,6 +2689,9 @@ ], "rsa.network.domain": "sit3373.api.localdomain", "server.domain": "sit3373.api.localdomain", + "server.registered_domain": "api.localdomain", + "server.subdomain": "sit3373", + "server.top_level_domain": "localdomain", "service.type": "symantec", "source.address": "ecatcupi4759.internal.local", "tags": [ @@ -2516,6 +2734,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "lamc", + "antiu4203.www.host", "ipsu7538.www5.host" ], "rsa.internal.event_desc": "squa", @@ -2525,6 +2745,9 @@ "rsa.misc.severity": "low", "rsa.network.domain": "antiu4203.www.host", "server.domain": "antiu4203.www.host", + "server.registered_domain": "www.host", + "server.subdomain": "antiu4203", + "server.top_level_domain": "host", "service.type": "symantec", "source.address": "ipsu7538.www5.host", "tags": [ @@ -2576,11 +2799,12 @@ "observer.vendor": "Symantec", "related.hosts": [ "iusmo5734.internal.invalid", - "dita2048.www5.home" + "dita2048.www5.home", + "upta3770.internal.localhost" ], "related.ip": [ - "10.40.133.90", - "10.171.13.85" + "10.171.13.85", + "10.40.133.90" ], "related.user": [ "bor" @@ -2603,6 +2827,9 @@ "rsa.time.starttime": "2018-11-09T02:12:32.000Z", "rule.name": "Block all other IP traffic and log", "server.domain": "upta3770.internal.localhost", + "server.registered_domain": "internal.localhost", + "server.subdomain": "upta3770", + "server.top_level_domain": "localhost", "service.type": "symantec", "source.address": "iusmo5734.internal.invalid", "source.domain": "piscinge", @@ -2652,8 +2879,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "ngelits2743.www5.host", - "inrepr7369.www.domain" + "inrepr7369.www.domain", + "omm3591.internal.invalid", + "lore", + "ngelits2743.www5.host" ], "rsa.internal.event_desc": "tatemac", "rsa.internal.messageid": "302452816", @@ -2666,6 +2895,9 @@ ], "rsa.network.domain": "omm3591.internal.invalid", "server.domain": "omm3591.internal.invalid", + "server.registered_domain": "internal.invalid", + "server.subdomain": "omm3591", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "inrepr7369.www.domain", "tags": [ @@ -2689,8 +2921,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "olupt717.invalid", - "alorum1804.mail.test" + "sed1665.internal.local", + "psum", + "alorum1804.mail.test", + "olupt717.invalid" ], "rsa.internal.event_desc": "ano", "rsa.internal.messageid": "302452808", @@ -2703,6 +2937,9 @@ ], "rsa.network.domain": "sed1665.internal.local", "server.domain": "sed1665.internal.local", + "server.registered_domain": "internal.local", + "server.subdomain": "sed1665", + "server.top_level_domain": "local", "service.type": "symantec", "source.address": "alorum1804.mail.test", "tags": [ @@ -2791,12 +3028,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "upidat1328.internal.localhost", - "urExcep6087.www5.localhost" + "ictas1247.www5.example", + "urExcep6087.www5.localhost", + "upidat1328.internal.localhost" ], "related.ip": [ - "10.31.231.57", - "10.155.163.6" + "10.155.163.6", + "10.31.231.57" ], "related.user": [ "norumetM" @@ -2819,6 +3057,9 @@ "rsa.time.starttime": "2019-02-02T20:27:57.000Z", "rule.name": "mdolo", "server.domain": "ictas1247.www5.example", + "server.registered_domain": "www5.example", + "server.subdomain": "ictas1247", + "server.top_level_domain": "example", "service.type": "symantec", "source.address": "upidat1328.internal.localhost", "source.domain": "iac", @@ -2867,7 +3108,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "tesseci33.internal.example" + "met", + "tesseci33.internal.example", + "nisiut1750.internal.invalid" ], "rsa.internal.event_desc": "nost", "rsa.internal.messageid": "302452816", @@ -2876,6 +3119,9 @@ "rsa.misc.severity": "high", "rsa.network.domain": "nisiut1750.internal.invalid", "server.domain": "nisiut1750.internal.invalid", + "server.registered_domain": "internal.invalid", + "server.subdomain": "nisiut1750", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "tesseci33.internal.example", "tags": [ @@ -2897,7 +3143,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "alo7567.www5.test" + "alo7567.www5.test", + "ptasnula2158.internal.host", + "proident" ], "rsa.internal.event_desc": "quisnos", "rsa.internal.messageid": "302452736", @@ -2906,6 +3154,9 @@ "rsa.misc.severity": "very-high", "rsa.network.domain": "ptasnula2158.internal.host", "server.domain": "ptasnula2158.internal.host", + "server.registered_domain": "internal.host", + "server.subdomain": "ptasnula2158", + "server.top_level_domain": "host", "service.type": "symantec", "source.address": "alo7567.www5.test", "tags": [ @@ -2965,9 +3216,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "exer3621.www5.test", + "emvel4391.localhost", + "its1301.www.test", "tisetqua6007.api.home", - "its1301.www.test" + "exer3621.www5.test" ], "related.ip": [ "10.134.6.246", @@ -2996,6 +3248,8 @@ "rsa.time.starttime": "2019-04-15T07:40:49.000Z", "rule.name": "iatisund", "server.domain": "emvel4391.localhost", + "server.registered_domain": "emvel4391.localhost", + "server.top_level_domain": "localhost", "service.type": "symantec", "source.address": "tisetqua6007.api.home", "source.domain": "oquisqua", @@ -3029,8 +3283,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "ventorev7571.www5.corp", - "Remote:" + "Remote:", + "atnu2000.internal.corp", + "ventorev7571.www5.corp" ], "related.ip": [ "10.202.96.232" @@ -3050,6 +3305,9 @@ "rsa.time.endtime": "2019-04-29T04:43:23.000Z", "rsa.time.starttime": "2019-04-29T04:43:23.000Z", "server.domain": "atnu2000.internal.corp", + "server.registered_domain": "internal.corp", + "server.subdomain": "atnu2000", + "server.top_level_domain": "corp", "service.type": "symantec", "source.address": "Remote:", "source.port": 4012, @@ -3076,8 +3334,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "umSectio5136.www.local", - "untexpli391.internal.domain" + "untexpli391.internal.domain", + "num", + "uamestqu7272.internal.host", + "umSectio5136.www.local" ], "rsa.internal.event_desc": "ipitlabo", "rsa.internal.messageid": "302449156", @@ -3090,6 +3350,9 @@ ], "rsa.network.domain": "uamestqu7272.internal.host", "server.domain": "uamestqu7272.internal.host", + "server.registered_domain": "internal.host", + "server.subdomain": "uamestqu7272", + "server.top_level_domain": "host", "service.type": "symantec", "source.address": "untexpli391.internal.domain", "tags": [ @@ -3122,9 +3385,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "quide2790.mail.invalid", "eniamqu1863.api.lan", - "quipex2615.www5.localhost" + "quipex2615.www5.localhost", + "cepteur6876.internal.host", + "quide2790.mail.invalid" ], "related.ip": [ "10.56.95.160", @@ -3155,6 +3419,9 @@ "rsa.time.starttime": "2019-05-28T04:48:31.000Z", "rule.name": "Block all other IP traffic and log", "server.domain": "cepteur6876.internal.host", + "server.registered_domain": "internal.host", + "server.subdomain": "cepteur6876", + "server.top_level_domain": "host", "service.type": "symantec", "source.address": "eniamqu1863.api.lan", "source.domain": "nby", @@ -3194,13 +3461,14 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "ugia146.www5.corp", + "remipsum5485.api.local", "tionul7555.www5.lan", - "remipsum5485.api.local" + "tationul5346.internal.localdomain", + "ugia146.www5.corp" ], "related.ip": [ - "10.173.98.74", - "10.70.185.238" + "10.70.185.238", + "10.173.98.74" ], "related.user": [ "tenby" @@ -3226,6 +3494,9 @@ "rsa.time.starttime": "2019-06-11T11:51:06.000Z", "rule.name": "Block all other IP traffic and log", "server.domain": "tationul5346.internal.localdomain", + "server.registered_domain": "internal.localdomain", + "server.subdomain": "tationul5346", + "server.top_level_domain": "localdomain", "service.type": "symantec", "source.address": "tionul7555.www5.lan", "source.domain": "aaliqu", @@ -3292,8 +3563,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "giatquo3267.www.lan", - "quiado6095.mail.localhost" + "quiado6095.mail.localhost", + "giatquo3267.www.lan" ], "rsa.internal.event_desc": "Connected to Management Server", "rsa.internal.messageid": "Connected", @@ -3324,8 +3595,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "odite7850.internal.corp", - "cidun7605.www5.example" + "rinrepre", + "asnula6304.internal.example", + "cidun7605.www5.example", + "odite7850.internal.corp" ], "related.ip": [ "10.201.112.171" @@ -3355,6 +3628,9 @@ "rsa.threat.threat_category": "modicons", "rsa.time.recorded_time": "2019-07-24T08:58:48.000Z", "server.domain": "asnula6304.internal.example", + "server.registered_domain": "internal.example", + "server.subdomain": "asnula6304", + "server.top_level_domain": "example", "service.type": "symantec", "source.address": "cidun7605.www5.example", "source.ip": [ @@ -3380,6 +3656,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ + "laboru6211.mail.local", + "ssitaspe", "ssitasp7492.test" ], "rsa.internal.event_desc": "eserun", @@ -3389,6 +3667,9 @@ "rsa.misc.severity": "medium", "rsa.network.domain": "laboru6211.mail.local", "server.domain": "laboru6211.mail.local", + "server.registered_domain": "mail.local", + "server.subdomain": "laboru6211", + "server.top_level_domain": "local", "service.type": "symantec", "source.address": "ssitasp7492.test", "tags": [ @@ -3412,8 +3693,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "estq2131.api.localdomain", - "rem6392.internal.domain" + "rem6392.internal.domain", + "upt", + "ntiumtot6232.api.corp", + "estq2131.api.localdomain" ], "rsa.internal.event_desc": "did", "rsa.internal.messageid": "302452802", @@ -3426,6 +3709,9 @@ ], "rsa.network.domain": "ntiumtot6232.api.corp", "server.domain": "ntiumtot6232.api.corp", + "server.registered_domain": "api.corp", + "server.subdomain": "ntiumtot6232", + "server.top_level_domain": "corp", "service.type": "symantec", "source.address": "rem6392.internal.domain", "tags": [ @@ -3449,8 +3735,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "giatq7007.www.domain", - "upi3.www.home" + "ree4785.internal.localdomain", + "iquaUt", + "upi3.www.home", + "giatq7007.www.domain" ], "rsa.internal.event_desc": "caecatc", "rsa.internal.messageid": "303235079", @@ -3463,6 +3751,9 @@ ], "rsa.network.domain": "ree4785.internal.localdomain", "server.domain": "ree4785.internal.localdomain", + "server.registered_domain": "internal.localdomain", + "server.subdomain": "ree4785", + "server.top_level_domain": "localdomain", "service.type": "symantec", "source.address": "upi3.www.home", "tags": [ @@ -3487,12 +3778,14 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "itess2258.api.lan", - "ianonnu4387.www.domain" + "eprehend3993.internal.test", + "5", + "ianonnu4387.www.domain", + "itess2258.api.lan" ], "related.ip": [ - "10.90.66.238", - "10.59.140.108" + "10.59.140.108", + "10.90.66.238" ], "related.user": [ "nulap" @@ -3509,13 +3802,14 @@ ], "rsa.misc.disposition": "sequines", "rsa.misc.event_source": "5", - "rsa.misc.virusname": "", "rsa.network.alias_host": [ "itess2258.api.lan" ], "rsa.network.domain": "eprehend3993.internal.test", - "rsa.threat.threat_category": "", "server.domain": "eprehend3993.internal.test", + "server.registered_domain": "internal.test", + "server.subdomain": "eprehend3993", + "server.top_level_domain": "test", "service.type": "symantec", "source.address": "ianonnu4387.www.domain", "source.ip": [ @@ -3554,13 +3848,14 @@ "observer.vendor": "Symantec", "observer.version": "1.6400", "related.hosts": [ - "epteur5858.www5.local", + "tdo6940.mail.local", "rin5257.www5.test", - "ess3012.mail.test" + "ess3012.mail.test", + "epteur5858.www5.local" ], "related.ip": [ - "10.38.136.160", - "10.45.116.216" + "10.45.116.216", + "10.38.136.160" ], "related.user": [ "epr" @@ -3586,6 +3881,9 @@ "rsa.time.endtime": "2019-10-03T20:11:40.000Z", "rsa.time.starttime": "2019-10-03T20:11:40.000Z", "server.domain": "tdo6940.mail.local", + "server.registered_domain": "mail.local", + "server.subdomain": "tdo6940", + "server.top_level_domain": "local", "service.type": "symantec", "source.address": "rin5257.www5.test", "source.domain": "citat", @@ -3615,7 +3913,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "aed3193.api.lan" + "sunti", + "aed3193.api.lan", + "eumfug6647.home" ], "rsa.internal.event_desc": "equa", "rsa.internal.messageid": "302449409", @@ -3624,6 +3924,8 @@ "rsa.misc.severity": "low", "rsa.network.domain": "eumfug6647.home", "server.domain": "eumfug6647.home", + "server.registered_domain": "eumfug6647.home", + "server.top_level_domain": "home", "service.type": "symantec", "source.address": "aed3193.api.lan", "tags": [ @@ -3665,7 +3967,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "rumSec5271.home" + "lillumqu7256.www5.invalid", + "rumSec5271.home", + "evolupt" ], "rsa.internal.event_desc": "unt", "rsa.internal.messageid": "302449166", @@ -3674,6 +3978,9 @@ "rsa.misc.severity": "low", "rsa.network.domain": "lillumqu7256.www5.invalid", "server.domain": "lillumqu7256.www5.invalid", + "server.registered_domain": "www5.invalid", + "server.subdomain": "lillumqu7256", + "server.top_level_domain": "invalid", "service.type": "symantec", "source.address": "rumSec5271.home", "tags": [ @@ -3735,8 +4042,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "related.hosts": [ - "oNem5850.www.example", - "gnama2349.mail.domain" + "mol400.domain", + "ntiu", + "gnama2349.mail.domain", + "oNem5850.www.example" ], "rsa.internal.event_desc": "ccusan", "rsa.internal.messageid": "302449409", @@ -3749,6 +4058,8 @@ ], "rsa.network.domain": "mol400.domain", "server.domain": "mol400.domain", + "server.registered_domain": "mol400.domain", + "server.top_level_domain": "domain", "service.type": "symantec", "source.address": "gnama2349.mail.domain", "tags": [ diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml index 098e63ef3868..7cf2dd7ce0af 100644 --- a/x-pack/filebeat/module/tomcat/log/config/input.yml +++ b/x-pack/filebeat/module/tomcat/log/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/tomcat/log/config/liblogparser.js +++ b/x-pack/filebeat/module/tomcat/log/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml index 64e1d82943a6..ca97aa661d1a 100644 --- a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml @@ -55,19 +55,9 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{rsa.web.fqdn}}' + value: '{{host.name}}' allow_duplicates: false - if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' - - append: - field: related.hosts - value: '{{rsa.web.web_ref_domain}}' - allow_duplicates: false - if: ctx?.rsa?.web?.web_ref_domain != null && ctx.rsa?.web?.web_ref_domain != '' - - append: - field: related.hosts - value: '{{url.domain}}' - allow_duplicates: false - if: ctx?.url?.domain != null && ctx.url?.domain != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/tomcat/log/manifest.yml b/x-pack/filebeat/module/tomcat/log/manifest.yml index 22d091842cfb..5df417cde249 100644 --- a/x-pack/filebeat/module/tomcat/log/manifest.yml +++ b/x-pack/filebeat/module/tomcat/log/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9501 + default: 9523 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json index 51d46cc753a9..b137d676da9b 100644 --- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json @@ -15,9 +15,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.com/illumqui/ventore.html?min=ite#utl", "mail.example.net", - "example.com" + "example.com", + "https://example.com/illumqui/ventore.html?min=ite#utl" ], "related.ip": [ "10.251.224.219" @@ -49,6 +49,8 @@ ], "url.domain": "example.com", "url.query": "amremap", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", "user.name": "rci", "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", @@ -74,9 +76,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev", "mail.example.com", - "www5.example.net" + "www5.example.net", + "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev" ], "related.ip": [ "10.196.153.12" @@ -108,6 +110,9 @@ ], "url.domain": "www5.example.net", "url.query": "uii", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", "user.name": "abo", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", @@ -132,9 +137,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", "www.example.com", - "internal.example.com" + "internal.example.com", + "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat", + "ctetur5806.api.home" ], "related.ip": [ "10.156.194.38" @@ -168,6 +174,9 @@ ], "url.domain": "internal.example.com", "url.query": "aer", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", "user.name": "enatus", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -227,6 +236,9 @@ ], "url.domain": "www5.example.org", "url.query": "con", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", "user.name": "tur", "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", @@ -252,9 +264,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", "internal.example.net", - "internal.example.com" + "internal.example.com", + "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn" ], "related.ip": [ "10.246.209.145" @@ -286,6 +298,9 @@ ], "url.domain": "internal.example.com", "url.query": "eos", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", "user.name": "llu", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", @@ -311,9 +326,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "internal.example.com", "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", - "www5.example.org", - "internal.example.com" + "www5.example.org" ], "related.ip": [ "10.114.191.225" @@ -345,6 +360,9 @@ ], "url.domain": "internal.example.com", "url.query": "occ", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", "user.name": "tempo", "user_agent.device.name": "QMobile X700 PRO II", "user_agent.name": "Chrome Mobile", @@ -373,7 +391,8 @@ "related.hosts": [ "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", "api.example.com", - "www5.example.net" + "www5.example.net", + "erep2696.www.home" ], "related.ip": [ "10.38.77.13" @@ -407,6 +426,9 @@ ], "url.domain": "www5.example.net", "url.query": "ipis", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", "user.name": "liqu", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", @@ -433,9 +455,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "www.example.org", "mail.example.org", - "www.example.org" + "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "mUt2398.invalid" ], "related.ip": [ "10.11.201.109" @@ -469,6 +492,9 @@ ], "url.domain": "www.example.org", "url.query": "deomni", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "ugits", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", @@ -494,9 +520,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", "example.org", - "api.example.org" + "api.example.org", + "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan" ], "related.ip": [ "10.182.166.181" @@ -528,6 +554,9 @@ ], "url.domain": "api.example.org", "url.query": "ollit", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", "user.name": "mol", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", @@ -553,9 +582,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", "internal.example.com", - "mail.example.net" + "mail.example.net", + "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq" ], "related.ip": [ "10.185.126.247" @@ -587,6 +616,9 @@ ], "url.domain": "mail.example.net", "url.query": "smo", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", "user.name": "quu", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", @@ -611,9 +643,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", "mail.example.net", - "example.com" + "example.com", + "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "siuta2896.www.localhost" ], "related.ip": [ "10.72.114.23" @@ -647,6 +680,8 @@ ], "url.domain": "example.com", "url.query": "strude", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", "user.name": "nsequu", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", @@ -675,7 +710,8 @@ "related.hosts": [ "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", "internal.example.net", - "example.net" + "example.net", + "oin6316.www5.host" ], "related.ip": [ "10.129.241.147" @@ -709,6 +745,8 @@ ], "url.domain": "example.net", "url.query": "luptat", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "lapariat", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", @@ -735,9 +773,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "www5.example.com", "internal.example.net", - "www5.example.com" + "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "tionemu7691.www.local" ], "related.ip": [ "10.185.101.76" @@ -771,6 +810,9 @@ ], "url.domain": "www5.example.com", "url.query": "colabor", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", "user.name": "des", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", @@ -796,9 +838,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "example.net", "www.example.org", - "example.net" + "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati" ], "related.ip": [ "10.57.170.140" @@ -830,6 +872,8 @@ ], "url.domain": "example.net", "url.query": "giatquov", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "onse", "user_agent.device.name": "QMobile X700 PRO II", "user_agent.name": "Chrome Mobile", @@ -889,6 +933,9 @@ ], "url.domain": "internal.example.com", "url.query": "emeumfu", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", "user.name": "atquovo", "user_agent.device.name": "STK-L21", "user_agent.name": "Chrome Mobile", @@ -915,8 +962,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "internal.example.net", "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", - "internal.example.net" + "conse2991.internal.lan" ], "related.ip": [ "10.116.104.101" @@ -950,6 +998,9 @@ ], "url.domain": "internal.example.net", "url.query": "iades", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", "user.name": "tat", "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", @@ -976,8 +1027,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", - "example.com", - "internal.example.com" + "internal.example.com", + "example.com" ], "related.ip": [ "10.202.194.67" @@ -1009,6 +1060,9 @@ ], "url.domain": "internal.example.com", "url.query": "nsectet", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", "user.name": "ittenbyC", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", @@ -1035,9 +1089,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "www5.example.com", "www.example.com", - "www5.example.com" + "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "wri2784.api.domain" ], "related.ip": [ "10.153.111.103" @@ -1071,6 +1126,9 @@ ], "url.domain": "www5.example.com", "url.query": "occae", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", "user.name": "modocon", "user_agent.device.name": "Samsung GT-P3100 ", "user_agent.name": "Android", @@ -1130,6 +1188,9 @@ ], "url.domain": "www5.example.org", "url.query": "tmo", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", "user.name": "doloreme", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", @@ -1158,7 +1219,8 @@ "related.hosts": [ "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", "example.net", - "www.example.org" + "www.example.org", + "oquisqu2937.mail.domain" ], "related.ip": [ "10.209.182.237" @@ -1192,6 +1254,9 @@ ], "url.domain": "www.example.org", "url.query": "eprehend", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "olor", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", @@ -1218,9 +1283,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "mail.example.net", "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", "api.example.org", - "mail.example.net" + "dolore1287.internal.lan" ], "related.ip": [ "10.63.194.87" @@ -1254,6 +1320,9 @@ ], "url.domain": "mail.example.net", "url.query": "bore", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", "user.name": "sin", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -1279,8 +1348,8 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", "www5.example.org", + "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", "www.example.org" ], "related.ip": [ @@ -1313,6 +1382,9 @@ ], "url.domain": "www.example.org", "url.query": "dtemp", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "orporiss", "user_agent.device.name": "STK-L21", "user_agent.name": "Chrome Mobile", @@ -1338,9 +1410,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", "example.org", - "example.net" + "example.net", + "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer" ], "related.ip": [ "10.238.164.29" @@ -1372,6 +1444,8 @@ ], "url.domain": "example.net", "url.query": "quidolor", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "utlabor", "user_agent.device.name": "Meizu M6", "user_agent.name": "Chrome Mobile", @@ -1397,9 +1471,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", "example.com", - "internal.example.com" + "internal.example.com", + "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius" ], "related.ip": [ "10.155.230.17" @@ -1431,6 +1505,9 @@ ], "url.domain": "internal.example.com", "url.query": "tet", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", "user.name": "ionevo", "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", @@ -1457,9 +1534,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.net/officiad/itam.html?madmi=tur#roi", "mail.example.net", - "example.net" + "https://example.net/officiad/itam.html?madmi=tur#roi", + "example.net", + "ide2767.www5.local" ], "related.ip": [ "10.102.229.102" @@ -1493,6 +1571,8 @@ ], "url.domain": "example.net", "url.query": "orem", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "tenbyCi", "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", @@ -1521,7 +1601,8 @@ "related.hosts": [ "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", "www5.example.org", - "mail.example.org" + "mail.example.org", + "sBon1759.invalid" ], "related.ip": [ "10.194.14.7" @@ -1555,6 +1636,9 @@ ], "url.domain": "mail.example.org", "url.query": "ios", + "url.registered_domain": "example.org", + "url.subdomain": "mail", + "url.top_level_domain": "org", "user.name": "vita", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -1580,9 +1664,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "api.example.net", "example.com", - "api.example.net" + "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp" ], "related.ip": [ "10.99.0.226" @@ -1614,6 +1698,9 @@ ], "url.domain": "api.example.net", "url.query": "ema", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", "user.name": "uidol", "user_agent.device.name": "Pixel 3", "user_agent.name": "Chrome Mobile", @@ -1640,8 +1727,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", - "api.example.org", - "www.example.net" + "www.example.net", + "api.example.org" ], "related.ip": [ "10.107.174.213" @@ -1673,6 +1760,9 @@ ], "url.domain": "www.example.net", "url.query": "ctet", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", "user.name": "minimav", "user_agent.device.name": "QMobile X700 PRO II", "user_agent.name": "Chrome Mobile", @@ -1699,9 +1789,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "mail.example.org", "www.example.org", - "mail.example.org" + "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "idunt4707.host" ], "related.ip": [ "10.84.25.23" @@ -1735,6 +1826,9 @@ ], "url.domain": "mail.example.org", "url.query": "borios", + "url.registered_domain": "example.org", + "url.subdomain": "mail", + "url.top_level_domain": "org", "user.name": "isnost", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", @@ -1760,9 +1854,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "www.example.org", "api.example.com", - "www.example.org" + "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab" ], "related.ip": [ "10.193.143.108" @@ -1794,6 +1888,9 @@ ], "url.domain": "www.example.org", "url.query": "ofdeFin", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "luptate", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", @@ -1821,8 +1918,9 @@ "observer.vendor": "Apache", "related.hosts": [ "https://example.com/mexe/its.htm?ice=oles#edic", + "example.com", "example.org", - "example.com" + "emquia1497.www5.lan" ], "related.ip": [ "10.190.51.22" @@ -1856,6 +1954,8 @@ ], "url.domain": "example.com", "url.query": "tutlab", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", "user.name": "siut", "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", @@ -1882,9 +1982,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.com/velitess/naali.htm?nre=veli#volupta", "www5.example.com", - "www.example.com" + "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "www.example.com", + "riat3854.www5.home" ], "related.ip": [ "10.194.90.130" @@ -1918,6 +2019,9 @@ ], "url.domain": "www.example.com", "url.query": "elitse", + "url.registered_domain": "example.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "tconsect", "user_agent.device.name": "Other", "user_agent.name": "Other", @@ -1973,6 +2077,9 @@ ], "url.domain": "www.example.org", "url.query": "uptate", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "psum", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", @@ -1999,9 +2106,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", "mail.example.net", - "api.example.org" + "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "api.example.org", + "aboreetd5461.host" ], "related.ip": [ "10.52.125.9" @@ -2035,6 +2143,9 @@ ], "url.domain": "api.example.org", "url.query": "mvele", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", "user.name": "urv", "user_agent.device.name": "iPhone", "user_agent.name": "Facebook", @@ -2094,6 +2205,9 @@ ], "url.domain": "api.example.net", "url.query": "tincu", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", "user.name": "mve", "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", @@ -2121,8 +2235,9 @@ "observer.vendor": "Apache", "related.hosts": [ "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "mail.example.org", "api.example.com", - "mail.example.org" + "iquidexe304.mail.test" ], "related.ip": [ "10.195.64.5" @@ -2156,6 +2271,9 @@ ], "url.domain": "mail.example.org", "url.query": "rsita", + "url.registered_domain": "example.org", + "url.subdomain": "mail", + "url.top_level_domain": "org", "user.name": "uat", "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", @@ -2182,9 +2300,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", "mail.example.com", - "internal.example.com" + "internal.example.com", + "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "remips4828.www5.host" ], "related.ip": [ "10.209.77.194" @@ -2218,6 +2337,9 @@ ], "url.domain": "internal.example.com", "url.query": "dat", + "url.registered_domain": "example.com", + "url.subdomain": "internal", + "url.top_level_domain": "com", "user.name": "itesseq", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", @@ -2243,9 +2365,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "example.net", "mail.example.org", - "example.net" + "https://example.net/ites/isetq.gif?nisiut=tur#avolupt" ], "related.ip": [ "10.168.6.90" @@ -2277,6 +2399,8 @@ ], "url.domain": "example.net", "url.query": "rer", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "amvolupt", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", @@ -2302,9 +2426,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "mail.example.com", "api.example.org", - "mail.example.com" + "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu" ], "related.ip": [ "10.89.137.238" @@ -2336,6 +2460,9 @@ ], "url.domain": "mail.example.com", "url.query": "uptatemU", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", "user.name": "ore", "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", @@ -2361,9 +2488,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "example.org", "www5.example.net", - "example.org" + "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat" ], "related.ip": [ "10.246.61.213" @@ -2395,6 +2522,8 @@ ], "url.domain": "example.org", "url.query": "tconsec", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", "user.name": "iusmodte", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", @@ -2421,9 +2550,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "www.example.org", "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", "www5.example.net", - "www.example.org" + "orin5238.host" ], "related.ip": [ "10.117.44.138" @@ -2457,6 +2587,9 @@ ], "url.domain": "www.example.org", "url.query": "emvele", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "rcit", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", @@ -2482,9 +2615,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", "www.example.net", - "example.net" + "example.net", + "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov" ], "related.ip": [ "10.69.30.196" @@ -2516,6 +2649,8 @@ ], "url.domain": "example.net", "url.query": "urmag", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "elits", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", @@ -2539,9 +2674,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "api.example.com", "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", - "example.org", - "api.example.com" + "example.org" ], "related.ip": [ "10.135.91.88" @@ -2573,6 +2708,9 @@ ], "url.domain": "api.example.com", "url.query": "urExce", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", "user.name": "eporroq", "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", @@ -2599,9 +2737,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "example.net", "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", "api.example.org", - "example.net" + "agnaaliq1829.mail.test" ], "related.ip": [ "10.81.45.174" @@ -2635,6 +2774,8 @@ ], "url.domain": "example.net", "url.query": "erun", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "fugitse", "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", @@ -2660,8 +2801,8 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", - "www.example.org" + "www.example.org", + "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae" ], "related.ip": [ "10.87.179.233" @@ -2693,6 +2834,9 @@ ], "url.domain": "www.example.org", "url.query": "uia", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "avolu", "user_agent.device.name": "Samsung SM-S337TL", "user_agent.name": "Chrome Mobile", @@ -2718,9 +2862,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", "example.com", - "api.example.net" + "api.example.net", + "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir" ], "related.ip": [ "10.198.57.130" @@ -2752,6 +2896,9 @@ ], "url.domain": "api.example.net", "url.query": "emip", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", "user.name": "henderit", "user_agent.device.name": "U20", "user_agent.name": "Chrome Mobile", @@ -2777,8 +2924,8 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", "www.example.org", + "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", "www.example.net" ], "related.ip": [ @@ -2811,6 +2958,9 @@ ], "url.domain": "www.example.net", "url.query": "quasiar", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", "user.name": "econs", "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", @@ -2837,9 +2987,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", "example.com", - "mail.example.com" + "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "mail.example.com", + "iatqu7310.api.home" ], "related.ip": [ "10.123.199.198" @@ -2873,6 +3024,9 @@ ], "url.domain": "mail.example.com", "url.query": "eratv", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", "user.name": "illumqui", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", @@ -2899,9 +3053,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", "example.org", - "internal.example.net" + "internal.example.net", + "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "uamnihil6127.api.domain" ], "related.ip": [ "10.29.119.245" @@ -2935,6 +3090,9 @@ ], "url.domain": "internal.example.net", "url.query": "taliqui", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", "user.name": "leumiur", "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", @@ -2963,7 +3121,8 @@ "related.hosts": [ "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", "www.example.org", - "mail.example.net" + "mail.example.net", + "uov1629.internal.invalid" ], "related.ip": [ "10.130.175.17" @@ -2997,6 +3156,9 @@ ], "url.domain": "mail.example.net", "url.query": "atnulapa", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", "user.name": "quaU", "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", @@ -3022,9 +3184,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", "internal.example.org", - "mail.example.net" + "mail.example.net", + "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat" ], "related.ip": [ "10.166.90.130" @@ -3056,6 +3218,9 @@ ], "url.domain": "mail.example.net", "url.query": "npr", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", "user.name": "eosquira", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -3084,7 +3249,8 @@ "related.hosts": [ "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", "internal.example.org", - "api.example.org" + "api.example.org", + "orumw5960.www5.home" ], "related.ip": [ "10.248.111.207" @@ -3118,6 +3284,9 @@ ], "url.domain": "api.example.org", "url.query": "incidid", + "url.registered_domain": "example.org", + "url.subdomain": "api", + "url.top_level_domain": "org", "user.name": "tiumto", "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", @@ -3143,9 +3312,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", "api.example.net", - "internal.example.net" + "internal.example.net", + "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore" ], "related.ip": [ "10.185.37.32" @@ -3177,6 +3346,9 @@ ], "url.domain": "internal.example.net", "url.query": "sinto", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", "user.name": "tesseq", "user_agent.device.name": "ZTE Blade V1000RU", "user_agent.name": "Chrome Mobile", @@ -3202,9 +3374,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.org/pisc/urEx.html?rautod=olest#eataev", "internal.example.com", - "example.org" + "example.org", + "https://example.org/pisc/urEx.html?rautod=olest#eataev" ], "related.ip": [ "10.5.194.202" @@ -3236,6 +3408,8 @@ ], "url.domain": "example.org", "url.query": "atem", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", "user.name": "ntmo", "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", @@ -3262,9 +3436,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", "www.example.org", - "www5.example.com" + "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "www5.example.com", + "deriti6952.mail.domain" ], "related.ip": [ "10.183.34.1" @@ -3298,6 +3473,9 @@ ], "url.domain": "www5.example.com", "url.query": "piciatis", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", "user.name": "isn", "user_agent.device.name": "Samsung GT-P3100 ", "user_agent.name": "Android", @@ -3357,6 +3535,9 @@ ], "url.domain": "mail.example.net", "url.query": "ptatems", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", "user.name": "nBCSe", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", @@ -3383,9 +3564,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "www5.example.com", "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", "internal.example.com", - "www5.example.com" + "nse3421.mail.localhost" ], "related.ip": [ "10.216.188.152" @@ -3419,6 +3601,9 @@ ], "url.domain": "www5.example.com", "url.query": "iumdolo", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", "user.name": "ugitsedq", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -3445,8 +3630,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", - "mail.example.net", - "www5.example.org" + "www5.example.org", + "mail.example.net" ], "related.ip": [ "10.94.140.77" @@ -3478,6 +3663,9 @@ ], "url.domain": "www5.example.org", "url.query": "lumqu", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", "user.name": "isnisiu", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", @@ -3502,8 +3690,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", - "mail.example.org", - "www.example.com" + "www.example.com", + "mail.example.org" ], "related.ip": [ "10.223.205.204" @@ -3535,6 +3723,9 @@ ], "url.domain": "www.example.com", "url.query": "imaveni", + "url.registered_domain": "example.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "ccaec", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -3561,9 +3752,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "mail.example.org", "example.com", - "mail.example.org" + "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "tautfug689.localdomain" ], "related.ip": [ "10.85.137.156" @@ -3597,6 +3789,9 @@ ], "url.domain": "mail.example.org", "url.query": "itametc", + "url.registered_domain": "example.org", + "url.subdomain": "mail", + "url.top_level_domain": "org", "user.name": "serror", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", @@ -3625,7 +3820,8 @@ "related.hosts": [ "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", "www5.example.net", - "mail.example.com" + "mail.example.com", + "totam6886.api.localhost" ], "related.ip": [ "10.12.54.142" @@ -3659,6 +3855,9 @@ ], "url.domain": "mail.example.com", "url.query": "riatur", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", "user.name": "liquam", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", @@ -3685,8 +3884,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://example.net/labori/porai.gif?utali=sed#xeac", - "internal.example.org", - "example.net" + "example.net", + "internal.example.org" ], "related.ip": [ "10.158.6.52" @@ -3718,6 +3917,8 @@ ], "url.domain": "example.net", "url.query": "lumdo", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "sed", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", @@ -3746,7 +3947,8 @@ "related.hosts": [ "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", "example.com", - "www5.example.org" + "www5.example.org", + "tquo854.api.domain" ], "related.ip": [ "10.195.160.182" @@ -3780,6 +3982,9 @@ ], "url.domain": "www5.example.org", "url.query": "umfugi", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", "user.name": "urerepre", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", @@ -3805,9 +4010,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", "example.net", - "mail.example.com" + "mail.example.com", + "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat" ], "related.ip": [ "10.20.68.117" @@ -3839,6 +4044,9 @@ ], "url.domain": "mail.example.com", "url.query": "archi", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", "user.name": "quas", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", @@ -3866,8 +4074,9 @@ "observer.vendor": "Apache", "related.hosts": [ "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "www5.example.com", "www5.example.org", - "www5.example.com" + "venia6656.api.domain" ], "related.ip": [ "10.94.136.235" @@ -3901,6 +4110,9 @@ ], "url.domain": "www5.example.com", "url.query": "upta", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", "user.name": "iti", "user_agent.device.name": "Lenovo A2016a40 ", "user_agent.name": "Chrome Mobile", @@ -3928,8 +4140,9 @@ "observer.vendor": "Apache", "related.hosts": [ "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "www.example.net", "example.com", - "www.example.net" + "veniam1216.www5.invalid" ], "related.ip": [ "10.152.11.26" @@ -3963,6 +4176,9 @@ ], "url.domain": "www.example.net", "url.query": "veleumi", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", "user.name": "ugiat", "user_agent.device.name": "Spider", "user_agent.name": "Other", @@ -3986,7 +4202,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", - "www5.example.com" + "www5.example.com", + "runtm5729.invalid" ], "related.ip": [ "10.82.118.95" @@ -4020,6 +4237,9 @@ ], "url.domain": "www5.example.com", "url.query": "Utenimad", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", "user.name": "ptate", "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", @@ -4046,8 +4266,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", - "www5.example.net", - "www.example.net" + "www.example.net", + "www5.example.net" ], "related.ip": [ "10.187.152.213" @@ -4079,6 +4299,9 @@ ], "url.domain": "www.example.net", "url.query": "aqui", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", "user.name": "ventor", "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", @@ -4105,9 +4328,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "www.example.net", "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", "internal.example.net", - "www.example.net" + "pta6012.www.local" ], "related.ip": [ "10.98.71.45" @@ -4141,6 +4365,9 @@ ], "url.domain": "www.example.net", "url.query": "civelits", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", "user.name": "fugitse", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", @@ -4200,6 +4427,9 @@ ], "url.domain": "www5.example.net", "url.query": "Utenima", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", "user.name": "meum", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", @@ -4225,9 +4455,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "www5.example.net", "api.example.net", - "www5.example.net" + "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi" ], "related.ip": [ "10.6.112.183" @@ -4259,6 +4489,9 @@ ], "url.domain": "www5.example.net", "url.query": "oremip", + "url.registered_domain": "example.net", + "url.subdomain": "www5", + "url.top_level_domain": "net", "user.name": "oluptat", "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", @@ -4287,7 +4520,8 @@ "related.hosts": [ "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", "www5.example.org", - "example.net" + "example.net", + "orsi2109.internal.home" ], "related.ip": [ "10.227.156.143" @@ -4321,6 +4555,8 @@ ], "url.domain": "example.net", "url.query": "tatevel", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "idolo", "user_agent.device.name": "Spider", "user_agent.name": "Other", @@ -4343,9 +4579,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", "example.net", - "example.org" + "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "example.org", + "quaeabil2539.www5.lan" ], "related.ip": [ "10.124.129.248" @@ -4379,6 +4616,8 @@ ], "url.domain": "example.org", "url.query": "hilmole", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", "user.name": "quide", "user_agent.device.name": "ZTE BLADE V7", "user_agent.name": "Chrome Mobile", @@ -4405,9 +4644,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", "www5.example.net", - "www5.example.org" + "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "www5.example.org", + "aal1598.mail.host" ], "related.ip": [ "10.173.125.112" @@ -4441,6 +4681,9 @@ ], "url.domain": "www5.example.org", "url.query": "itaedict", + "url.registered_domain": "example.org", + "url.subdomain": "www5", + "url.top_level_domain": "org", "user.name": "upta", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", @@ -4466,9 +4709,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", "api.example.net", - "www.example.org" + "www.example.org", + "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit" ], "related.ip": [ "10.37.156.140" @@ -4500,6 +4743,9 @@ ], "url.domain": "www.example.org", "url.query": "iss", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "olores", "user_agent.device.name": "Generic Smartphone", "user_agent.name": "Opera Mini", @@ -4523,8 +4769,8 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", "www5.example.org", + "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", "example.com" ], "related.ip": [ @@ -4557,6 +4803,8 @@ ], "url.domain": "example.com", "url.query": "miurere", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", "user.name": "cin", "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", @@ -4582,9 +4830,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "www.example.org", "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", - "mail.example.net", - "www.example.org" + "mail.example.net" ], "related.ip": [ "10.123.68.56" @@ -4616,6 +4864,9 @@ ], "url.domain": "www.example.org", "url.query": "itautfu", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "olore", "user_agent.device.name": "Asus X01BDA", "user_agent.name": "Chrome Mobile", @@ -4642,9 +4893,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://api.example.net/itesse/expl.html?prehende=lup#tpers", "mail.example.net", - "api.example.net" + "api.example.net", + "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "oid218.api.invalid" ], "related.ip": [ "10.63.56.164" @@ -4678,6 +4930,9 @@ ], "url.domain": "api.example.net", "url.query": "temseq", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", "user.name": "evo", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", @@ -4706,7 +4961,8 @@ "related.hosts": [ "https://example.net/deritinv/evelite.html?iav=odico#rsint", "example.com", - "example.net" + "example.net", + "sectetur2674.www5.test" ], "related.ip": [ "10.62.10.137" @@ -4740,6 +4996,8 @@ ], "url.domain": "example.net", "url.query": "ttenb", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "deomnisi", "user_agent.device.name": "Samsung SM-A305FN", "user_agent.name": "YandexSearch", @@ -4768,7 +5026,8 @@ "related.hosts": [ "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", "api.example.net", - "example.org" + "example.org", + "sequatD4487.internal.localhost" ], "related.ip": [ "10.89.154.115" @@ -4802,6 +5061,8 @@ ], "url.domain": "example.org", "url.query": "citation", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", "user.name": "nimv", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", @@ -4827,9 +5088,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", "api.example.org", - "www5.example.com" + "www5.example.com", + "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus" ], "related.ip": [ "10.122.252.130" @@ -4861,6 +5122,9 @@ ], "url.domain": "www5.example.com", "url.query": "luptasnu", + "url.registered_domain": "example.com", + "url.subdomain": "www5", + "url.top_level_domain": "com", "user.name": "mmo", "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", @@ -4887,8 +5151,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", - "www.example.net", - "api.example.com" + "api.example.com", + "www.example.net" ], "related.ip": [ "10.195.152.53" @@ -4920,6 +5184,9 @@ ], "url.domain": "api.example.com", "url.query": "olupta", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", "user.name": "ute", "user_agent.device.name": "Other", "user_agent.name": "Other", @@ -4942,8 +5209,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "mail.example.com", "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", - "mail.example.com" + "nul5107.www5.domain" ], "related.ip": [ "10.9.255.204" @@ -4977,6 +5245,9 @@ ], "url.domain": "mail.example.com", "url.query": "urEx", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", "user.name": "emUtenim", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", @@ -5003,9 +5274,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", "internal.example.net", - "www.example.org" + "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "www.example.org", + "nimadmin5630.localdomain" ], "related.ip": [ "10.214.235.133" @@ -5039,6 +5311,9 @@ ], "url.domain": "www.example.org", "url.query": "cillumdo", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "nulapari", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", @@ -5067,7 +5342,8 @@ "related.hosts": [ "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", "api.example.org", - "api.example.com" + "api.example.com", + "sequuntu3563.internal.test" ], "related.ip": [ "10.5.134.204" @@ -5101,6 +5377,9 @@ ], "url.domain": "api.example.com", "url.query": "eumfu", + "url.registered_domain": "example.com", + "url.subdomain": "api", + "url.top_level_domain": "com", "user.name": "iarchit", "user_agent.device.name": "Android", "user_agent.name": "Chrome Mobile", @@ -5160,6 +5439,8 @@ ], "url.domain": "example.org", "url.query": "tDuisau", + "url.registered_domain": "example.org", + "url.top_level_domain": "org", "user.name": "vento", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -5185,9 +5466,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.net/adm/snostr.jpg?tec=itaspe#con", "www.example.com", - "example.net" + "example.net", + "https://example.net/adm/snostr.jpg?tec=itaspe#con" ], "related.ip": [ "10.122.0.80" @@ -5219,6 +5500,8 @@ ], "url.domain": "example.net", "url.query": "antium", + "url.registered_domain": "example.net", + "url.top_level_domain": "net", "user.name": "ola", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", @@ -5245,9 +5528,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "mail.example.com", "www.example.net", - "mail.example.com" + "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "tdolo2150.www.example" ], "related.ip": [ "10.165.33.19" @@ -5281,6 +5565,9 @@ ], "url.domain": "mail.example.com", "url.query": "namaliqu", + "url.registered_domain": "example.com", + "url.subdomain": "mail", + "url.top_level_domain": "com", "user.name": "iusmodi", "user_agent.device.name": "LG-$2", "user_agent.name": "Chrome Mobile", @@ -5307,9 +5594,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "mail.example.org", "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", "internal.example.org", - "mail.example.org" + "cinge6032.api.local" ], "related.ip": [ "10.87.92.17" @@ -5343,6 +5631,9 @@ ], "url.domain": "mail.example.org", "url.query": "ctionofd", + "url.registered_domain": "example.org", + "url.subdomain": "mail", + "url.top_level_domain": "org", "user.name": "tamr", "user_agent.device.name": "Samsung SM-S337TL", "user_agent.name": "Chrome Mobile", @@ -5368,8 +5659,8 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", "internal.example.org", + "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", "example.com" ], "related.ip": [ @@ -5402,6 +5693,8 @@ ], "url.domain": "example.com", "url.query": "arch", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", "user.name": "itame", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", @@ -5428,8 +5721,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "internal.example.net", "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", - "internal.example.net" + "ende6053.local" ], "related.ip": [ "10.0.211.86" @@ -5463,6 +5757,9 @@ ], "url.domain": "internal.example.net", "url.query": "ursintoc", + "url.registered_domain": "example.net", + "url.subdomain": "internal", + "url.top_level_domain": "net", "user.name": "imipsa", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -5488,9 +5785,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "mail.example.net", "example.net", - "mail.example.net" + "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet" ], "related.ip": [ "10.106.34.244" @@ -5522,6 +5819,9 @@ ], "url.domain": "mail.example.net", "url.query": "ssequamn", + "url.registered_domain": "example.net", + "url.subdomain": "mail", + "url.top_level_domain": "net", "user.name": "nim", "user_agent.device.name": "Samsung SM-S337TL", "user_agent.name": "Chrome Mobile", @@ -5547,9 +5847,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", "example.net", - "www.example.org" + "www.example.org", + "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu" ], "related.ip": [ "10.191.210.188" @@ -5581,6 +5881,9 @@ ], "url.domain": "www.example.org", "url.query": "abill", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "ruredol", "user_agent.device.name": "Micromax P410i", "user_agent.name": "Chrome Mobile", @@ -5607,8 +5910,8 @@ "observer.vendor": "Apache", "related.hosts": [ "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", - "www.example.org", - "www.example.com" + "www.example.com", + "www.example.org" ], "related.ip": [ "10.2.38.49" @@ -5640,6 +5943,9 @@ ], "url.domain": "www.example.com", "url.query": "Duis", + "url.registered_domain": "example.com", + "url.subdomain": "www", + "url.top_level_domain": "com", "user.name": "lor", "user_agent.device.name": "Other", "user_agent.name": "Other", @@ -5662,9 +5968,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "example.com", "mail.example.com", - "example.com" + "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "didun1193.example" ], "related.ip": [ "10.66.92.90" @@ -5698,6 +6005,8 @@ ], "url.domain": "example.com", "url.query": "tlab", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", "user.name": "atisu", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -5724,9 +6033,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "example.com", "mail.example.com", - "example.com" + "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "apari2660.www5.lan" ], "related.ip": [ "10.97.108.108" @@ -5760,6 +6070,8 @@ ], "url.domain": "example.com", "url.query": "olor", + "url.registered_domain": "example.com", + "url.top_level_domain": "com", "user.name": "teirured", "user_agent.device.name": "XiaoMi Redmi 4X", "user_agent.name": "MiuiBrowser", @@ -5786,9 +6098,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "api.example.net", "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", "www5.example.org", - "api.example.net" + "nvolupta238.www.host" ], "related.ip": [ "10.147.147.248" @@ -5822,6 +6135,9 @@ ], "url.domain": "api.example.net", "url.query": "aborio", + "url.registered_domain": "example.net", + "url.subdomain": "api", + "url.top_level_domain": "net", "user.name": "uira", "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", @@ -5848,9 +6164,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "www.example.org", "api.example.com", - "www.example.org" + "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "icer123.mail.example" ], "related.ip": [ "10.152.190.61" @@ -5884,6 +6201,9 @@ ], "url.domain": "www.example.org", "url.query": "atione", + "url.registered_domain": "example.org", + "url.subdomain": "www", + "url.top_level_domain": "org", "user.name": "culp", "user_agent.device.name": "VS996", "user_agent.name": "Chrome Mobile", @@ -5910,9 +6230,10 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ + "www.example.net", "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", "api.example.org", - "www.example.net" + "lumqui6488.api.example" ], "related.ip": [ "10.129.232.105" @@ -5946,6 +6267,9 @@ ], "url.domain": "www.example.net", "url.query": "eturadi", + "url.registered_domain": "example.net", + "url.subdomain": "www", + "url.top_level_domain": "net", "user.name": "deFini", "user_agent.device.name": "Samsung SM-A260G", "user_agent.name": "Chrome Mobile WebView", @@ -5971,9 +6295,9 @@ "observer.type": "Web", "observer.vendor": "Apache", "related.hosts": [ - "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", "api.example.net", - "internal.example.org" + "internal.example.org", + "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui" ], "related.ip": [ "10.12.173.112" @@ -6005,6 +6329,9 @@ ], "url.domain": "internal.example.org", "url.query": "nidol", + "url.registered_domain": "example.org", + "url.subdomain": "internal", + "url.top_level_domain": "org", "user.name": "mco", "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml index 22ebe2c5704a..c24ac2c43d08 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/input.yml +++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml @@ -39,6 +39,48 @@ processors: {{ if .community_id }} - community_id: ~ {{ end }} +- registered_domain: + ignore_missing: true + ignore_failure: true + field: dns.question.name + target_field: dns.question.registered_domain + target_subdomain_field: dns.question.subdomain + target_etld_field: dns.question.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: client.domain + target_field: client.registered_domain + target_subdomain_field: client.subdomain + target_etld_field: client.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: server.domain + target_field: server.registered_domain + target_subdomain_field: server.subdomain + target_etld_field: server.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: destination.domain + target_field: destination.registered_domain + target_subdomain_field: destination.subdomain + target_etld_field: destination.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: source.domain + target_field: source.registered_domain + target_subdomain_field: source.subdomain + target_etld_field: source.top_level_domain +- registered_domain: + ignore_missing: true + ignore_failure: true + field: url.domain + target_field: url.registered_domain + target_subdomain_field: url.subdomain + target_etld_field: url.top_level_domain - add_fields: target: '' fields: diff --git a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js index c8cf5e2ee06a..cec99a043e86 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js +++ b/x-pack/filebeat/module/zscaler/zia/config/liblogparser.js @@ -187,6 +187,29 @@ function match(id, src, pattern, on_success) { }; } +function match_copy(id, src, dst, on_success) { + dst = FIELDS_PREFIX + dst; + if (dst === FIELDS_PREFIX || dst === src) { + return function (evt) { + if (debug) { + console.debug("noop OK: " + id + " field:" + src); + console.debug(" input: <<" + evt.Get(src) + ">>"); + } + if (on_success != null) on_success(evt); + } + } + return function (evt) { + var msg = evt.Get(src); + evt.Put(dst, msg); + if (debug) { + console.debug("copy OK: " + id + " field:" + src); + console.debug(" target: '" + dst + "'"); + console.debug(" input: <<" + msg + ">>"); + } + if (on_success != null) on_success(evt); + } +} + function cleanup_flags(processor) { return function(evt) { processor(evt); @@ -912,6 +935,57 @@ function root(dst, src) { return url_wrapper(dst, src, extract_root); } +function tagval(id, src, cfg, keys, on_success) { + var fail = function(evt) { + evt.Put(FLAG_FIELD, "tagval_parsing_error"); + } + if (cfg.kv_separator.length !== 1) { + throw("Invalid TAGVALMAP ValueDelimiter (must have 1 character)"); + } + var quotes_len = cfg.open_quote.length > 0 && cfg.close_quote.length > 0? + cfg.open_quote.length + cfg.close_quote.length : 0; + var kv_regex = new RegExp('^*([^' + cfg.kv_separator + ']*)*' + cfg.kv_separator + '*(.*)*$'); + return function(evt) { + var msg = evt.Get(src); + if (msg === undefined) { + console.warn("tagval: input field is missing"); + return fail(evt); + } + var pairs = msg.split(cfg.pair_separator); + var i; + var success = false; + var prev = ""; + for (i=0; i 0 && + value.length >= cfg.open_quote.length + cfg.close_quote.length && + value.substr(0, cfg.open_quote.length) === cfg.open_quote && + value.substr(value.length - cfg.close_quote.length) === cfg.close_quote) { + value = value.substr(cfg.open_quote.length, value.length - quotes_len); + } + evt.Put(FIELDS_PREFIX + field, value); + success = true; + } + if (!success) { + return fail(evt); + } + if (on_success != null) { + on_success(evt); + } + } +} + var ecs_mappings = { "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, @@ -938,7 +1012,7 @@ var ecs_mappings = { "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, + "dhost": {to:[{field: "destination.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, "direction": {to:[{field: "network.direction", setter: fld_set}]}, "directory": {to:[{field: "file.directory", setter: fld_set}]}, @@ -946,7 +1020,7 @@ var ecs_mappings = { "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, + "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0},{field: "related.hosts", setter: fld_append}]}, "domain.dst": {to:[{field: "destination.domain", setter: fld_prio, prio: 1}]}, "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, @@ -956,6 +1030,7 @@ var ecs_mappings = { "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, + "event_source": {to:[{field: "related.hosts", setter: fld_append}]}, "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, @@ -964,9 +1039,10 @@ var ecs_mappings = { "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, "filepath": {to:[{field: "file.path", setter: fld_set}]}, "filetype": {to:[{field: "file.type", setter: fld_set}]}, + "fqdn": {to:[{field: "related.hosts", setter: fld_append}]}, "group": {to:[{field: "group.name", setter: fld_set}]}, "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, + "host": {to:[{field: "host.name", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, @@ -1020,7 +1096,7 @@ var ecs_mappings = { "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, + "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set},{field: "related.hosts", setter: fld_append}]}, "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, @@ -1045,9 +1121,10 @@ var ecs_mappings = { "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, + "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1},{field: "related.hosts", setter: fld_append}]}, "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, + "web_ref_domain": {to:[{field: "related.hosts", setter: fld_append}]}, "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, "web_root": {to:[{field: "url.path", setter: fld_set}]}, "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, @@ -1940,6 +2017,7 @@ function do_populate(evt, base, targets) { var mapping = targets[key]; if (mapping === undefined) continue; var value = base[key]; + if (value === "") continue; if (mapping.convert !== undefined) { value = mapping.convert(value); if (value === undefined) { @@ -1975,6 +2053,7 @@ function test() { test_url(); test_calls(); test_assumptions(); + test_tvm(); console = saved; } @@ -2342,3 +2421,94 @@ function test_assumptions() { throw("Number conversion accepts extra chars"); } } + +// Tests the TAGVALMAP feature. +function test_tvm() { + var tests = [ + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation", + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "key_b=value for=B, key a = [http://example.com/] ,Operation=[COPY],other stuff=null,,ignore", + expected: { + "nwparser.url": "http://example.com/", + "nwparser.b": "value for=B", + "nwparser.operation": "COPY", + "nwparser.d": "value for=B", + "log.flags": null, + } + }, + { + config: { + pair_separator: ',', + kv_separator: '=', + open_quote: '[', + close_quote: ']' + }, + mappings: { + "key a": "url", + "key_b": "b", + "Operation": "operation" + }, + on_success: processor_chain([ + setf("d","b") + ]), + message: "nothing to see here", + expected: { + "nwparser.url": null, + "nwparser.d": null, + "log.flags": "tagval_parsing_error", + } + }, + { + config: { + pair_separator: ' ', + kv_separator: ':', + open_quote: '"', + close_quote: '"' + }, + mappings: { + "ICMP Type": "icmp_type", + "ICMP Code": "icmp_code", + "Operation": "operation", + }, + on_success: processor_chain([ + setc("success","true") + ]), + message: "Operation:drop ICMP Type:5 ICMP Code:1 ", + expected: { + "nwparser.icmp_code": "1", + "nwparser.icmp_type": "5", + "nwparser.operation": "drop", + "nwparser.success": "true", + "log.flags": null, + } + }, + ]; + var assertEqual = function(evt, key, expected) { + var value = evt.Get(key); + if (value !== expected) + throw("failed for " + key + ": expected:'" + expected + "' got:'" + value + "'"); + }; + tests.forEach(function (test, idx) { + var processor = tagval("test", "message", test.config, test.mappings, test.on_success); + var evt = new Event({ + "message": test.message, + }); + processor(evt); + for (var key in test.expected) { + assertEqual(evt, key, test.expected[key]); + } + }); +} diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml index f60a8a2e9dea..b6105a0fddd8 100644 --- a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml @@ -53,16 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true - - append: - field: related.hosts - value: '{{rsa.web.fqdn}}' - allow_duplicates: false - if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' - append: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null && ctx.host?.name != '' + if: ctx.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/zscaler/zia/manifest.yml b/x-pack/filebeat/module/zscaler/zia/manifest.yml index 471000ba66f4..b7d00ea2957f 100644 --- a/x-pack/filebeat/module/zscaler/zia/manifest.yml +++ b/x-pack/filebeat/module/zscaler/zia/manifest.yml @@ -7,7 +7,7 @@ var: - name: syslog_host default: localhost - name: syslog_port - default: 9521 + default: 9538 - name: input default: udp - name: community_id diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 7e79d153b0fe..72cb8302750c 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -23,7 +23,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "rci737.www5.example", "rci737.www5.example" ], "related.ip": [ @@ -98,12 +97,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "eosquir5191.www.example", "eosquir5191.www.example" ], "related.ip": [ - "10.173.22.152", - "10.26.46.95" + "10.26.46.95", + "10.173.22.152" ], "related.user": [ "eataevi" @@ -175,12 +173,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "orsitame3262.domain", "orsitame3262.domain" ], "related.ip": [ - "10.254.146.57", - "10.204.86.149" + "10.204.86.149", + "10.254.146.57" ], "related.user": [ "tenima" @@ -252,12 +249,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tempor4496.www.localdomain", "tempor4496.www.localdomain" ], "related.ip": [ - "10.252.125.53", - "10.103.246.190" + "10.103.246.190", + "10.252.125.53" ], "related.user": [ "equun" @@ -329,7 +325,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ore2933.www.test", "ore2933.www.test" ], "related.ip": [ @@ -406,12 +401,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ollit4105.mail.localdomain", "ollit4105.mail.localdomain" ], "related.ip": [ - "10.66.250.92", - "10.183.16.166" + "10.183.16.166", + "10.66.250.92" ], "related.user": [ "tessec" @@ -425,8 +419,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "Allowed", - "ist" + "ist", + "Allowed" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -483,7 +477,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "cup1793.local", "cup1793.local" ], "related.ip": [ @@ -560,7 +553,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "icab4668.local", "icab4668.local" ], "related.ip": [ @@ -637,7 +629,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "aperia4409.www5.invalid", "aperia4409.www5.invalid" ], "related.ip": [ @@ -714,7 +705,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "sitvolup368.internal.host", "sitvolup368.internal.host" ], "related.ip": [ @@ -791,12 +781,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ite2026.www.invalid", "ite2026.www.invalid" ], "related.ip": [ - "10.223.247.86", - "10.19.145.131" + "10.19.145.131", + "10.223.247.86" ], "related.user": [ "tNequepo" @@ -810,8 +799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "Allowed", - "emseq" + "emseq", + "Allowed" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -868,12 +857,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "radipisc7020.home", "radipisc7020.home" ], "related.ip": [ - "10.2.53.125", - "10.181.80.139" + "10.181.80.139", + "10.2.53.125" ], "related.user": [ "ihilmo" @@ -945,12 +933,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "uamei2493.www.test", "uamei2493.www.test" ], "related.ip": [ - "10.167.98.76", - "10.31.240.6" + "10.31.240.6", + "10.167.98.76" ], "related.user": [ "ratvolu" @@ -1022,7 +1009,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "piscin6866.internal.host", "piscin6866.internal.host" ], "related.ip": [ @@ -1041,8 +1027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "ionevo", - "Allowed" + "Allowed", + "ionevo" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1099,12 +1085,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "spi3544.www.host", "spi3544.www.host" ], "related.ip": [ - "10.63.250.128", - "10.111.187.12" + "10.111.187.12", + "10.63.250.128" ], "related.user": [ "saute" @@ -1176,12 +1161,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tlab5981.www.host", "tlab5981.www.host" ], "related.ip": [ - "10.252.124.150", - "10.5.126.127" + "10.5.126.127", + "10.252.124.150" ], "related.user": [ "inibusB" @@ -1195,8 +1179,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "Allowed", - "xeacomm" + "xeacomm", + "Allowed" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1253,7 +1237,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "upida508.example", "upida508.example" ], "related.ip": [ @@ -1272,8 +1255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "umdo", "rsa.misc.action": [ - "Blocked", - "orumSe" + "orumSe", + "Blocked" ], "rsa.misc.category": "tanimid", "rsa.misc.filter": "itam", @@ -1330,7 +1313,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "oditem5255.api.localdomain", "oditem5255.api.localdomain" ], "related.ip": [ @@ -1349,8 +1331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "itecto", - "Allowed" + "Allowed", + "itecto" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1407,12 +1389,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "uamei2389.internal.example", "uamei2389.internal.example" ], "related.ip": [ - "10.215.205.216", - "10.31.198.58" + "10.31.198.58", + "10.215.205.216" ], "related.user": [ "aturve" @@ -1484,12 +1465,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "eacommod1930.internal.lan", "eacommod1930.internal.lan" ], "related.ip": [ - "10.229.83.165", - "10.29.155.171" + "10.29.155.171", + "10.229.83.165" ], "related.user": [ "ulapar" @@ -1561,12 +1541,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tem6984.www5.domain", "tem6984.www5.domain" ], "related.ip": [ - "10.161.148.64", - "10.129.192.145" + "10.129.192.145", + "10.161.148.64" ], "related.user": [ "lor" @@ -1580,8 +1559,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uaUten", "rsa.misc.action": [ - "amcorp", - "Blocked" + "Blocked", + "amcorp" ], "rsa.misc.category": "umdolor", "rsa.misc.filter": "velillu", @@ -1638,12 +1617,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "lapariat7287.internal.host", "lapariat7287.internal.host" ], "related.ip": [ - "10.7.200.140", - "10.203.65.161" + "10.203.65.161", + "10.7.200.140" ], "related.user": [ "snost" @@ -1715,12 +1693,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "licabo1493.api.corp", "licabo1493.api.corp" ], "related.ip": [ - "10.218.98.29", - "10.86.22.67" + "10.86.22.67", + "10.218.98.29" ], "related.user": [ "olori" @@ -1734,8 +1711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "Blocked", - "atcupi" + "atcupi", + "Blocked" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1792,7 +1769,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "stenatu4844.www.invalid", "stenatu4844.www.invalid" ], "related.ip": [ @@ -1869,7 +1845,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "sitam5077.internal.host", "sitam5077.internal.host" ], "related.ip": [ @@ -1946,12 +1921,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "dquia107.www.test", "dquia107.www.test" ], "related.ip": [ - "10.88.172.34", - "10.128.173.19" + "10.128.173.19", + "10.88.172.34" ], "related.user": [ "agnaaliq" @@ -1965,8 +1939,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntNeq", "rsa.misc.action": [ - "Blocked", - "dtempo" + "dtempo", + "Blocked" ], "rsa.misc.category": "ipsu", "rsa.misc.filter": "iqu", @@ -2023,12 +1997,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "lloin4019.www.localhost", "lloin4019.www.localhost" ], "related.ip": [ - "10.238.224.49", - "10.130.241.232" + "10.130.241.232", + "10.238.224.49" ], "related.user": [ "onse" @@ -2100,7 +2073,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tamet6317.www.host", "tamet6317.www.host" ], "related.ip": [ @@ -2119,8 +2091,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "tatem", - "Allowed" + "Allowed", + "tatem" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2177,12 +2149,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "saquaea6344.www.invalid", "saquaea6344.www.invalid" ], "related.ip": [ - "10.101.38.213", - "10.204.214.251" + "10.204.214.251", + "10.101.38.213" ], "related.user": [ "ueipsa" @@ -2254,7 +2225,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "utaliqu4248.www.localhost", "utaliqu4248.www.localhost" ], "related.ip": [ @@ -2331,12 +2301,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "mdolore473.internal.test", "mdolore473.internal.test" ], "related.ip": [ - "10.87.100.240", - "10.242.182.193" + "10.242.182.193", + "10.87.100.240" ], "related.user": [ "stenatus" @@ -2408,7 +2377,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tatio6513.www.invalid", "tatio6513.www.invalid" ], "related.ip": [ @@ -2427,8 +2395,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdolore", "rsa.misc.action": [ - "Blocked", - "onproide" + "onproide", + "Blocked" ], "rsa.misc.category": "tvolup", "rsa.misc.filter": "niam", @@ -2485,12 +2453,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "lapar1599.www.lan", "lapar1599.www.lan" ], "related.ip": [ - "10.193.66.155", - "10.106.77.138" + "10.106.77.138", + "10.193.66.155" ], "related.user": [ "iusmodt" @@ -2504,8 +2471,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Allowed", - "Section" + "Section", + "Allowed" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2562,7 +2529,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "aquioff3853.www.localdomain", "aquioff3853.www.localdomain" ], "related.ip": [ @@ -2581,8 +2547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "tatema", - "Allowed" + "Allowed", + "tatema" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2639,12 +2605,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ura675.mail.localdomain", "ura675.mail.localdomain" ], "related.ip": [ - "10.49.242.174", - "10.131.246.134" + "10.131.246.134", + "10.49.242.174" ], "related.user": [ "umdolo" @@ -2716,7 +2681,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "iamea478.www5.host", "iamea478.www5.host" ], "related.ip": [ @@ -2793,12 +2757,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "eaque6543.api.domain", "eaque6543.api.domain" ], "related.ip": [ - "10.128.184.241", - "10.138.188.201" + "10.138.188.201", + "10.128.184.241" ], "related.user": [ "etur" @@ -2812,8 +2775,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "sed", - "Allowed" + "Allowed", + "sed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2870,12 +2833,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "eufug1756.mail.corp", "eufug1756.mail.corp" ], "related.ip": [ - "10.53.101.131", - "10.213.57.165" + "10.213.57.165", + "10.53.101.131" ], "related.user": [ "isau" @@ -2947,7 +2909,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "orp5697.www.invalid", "orp5697.www.invalid" ], "related.ip": [ @@ -3024,7 +2985,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "pariatur7238.www5.invalid", "pariatur7238.www5.invalid" ], "related.ip": [ @@ -3101,7 +3061,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "fficia2304.www5.home", "fficia2304.www5.home" ], "related.ip": [ @@ -3178,12 +3137,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "mquisnos7453.home", "mquisnos7453.home" ], "related.ip": [ - "10.134.128.27", - "10.118.177.136" + "10.118.177.136", + "10.134.128.27" ], "related.user": [ "Utenima" @@ -3197,8 +3155,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "olor", - "Allowed" + "Allowed", + "olor" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3255,7 +3213,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "aquio748.www.localhost", "aquio748.www.localhost" ], "related.ip": [ @@ -3274,8 +3231,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "edutp", - "Allowed" + "Allowed", + "edutp" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", @@ -3332,7 +3289,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "remagnam796.mail.corp", "remagnam796.mail.corp" ], "related.ip": [ @@ -3351,8 +3307,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "Blocked", - "mwrit" + "mwrit", + "Blocked" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3409,7 +3365,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "etdolore4227.internal.corp", "etdolore4227.internal.corp" ], "related.ip": [ @@ -3486,7 +3441,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "rors1935.api.domain", "rors1935.api.domain" ], "related.ip": [ @@ -3563,12 +3517,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "idexeac1655.internal.test", "idexeac1655.internal.test" ], "related.ip": [ - "10.141.195.13", - "10.180.150.47" + "10.180.150.47", + "10.141.195.13" ], "related.user": [ "taliq" @@ -3640,7 +3593,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "laboree3880.api.invalid", "laboree3880.api.invalid" ], "related.ip": [ @@ -3659,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mipsumq", "rsa.misc.action": [ - "citation", - "Allowed" + "Allowed", + "citation" ], "rsa.misc.category": "usant", "rsa.misc.filter": "Nem", @@ -3715,7 +3667,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tecto708.www5.example", "tecto708.www5.example" ], "related.ip": [ @@ -3792,7 +3743,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ine3181.www.invalid", "ine3181.www.invalid" ], "related.ip": [ @@ -3811,8 +3761,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "tinvolup", - "Blocked" + "Blocked", + "tinvolup" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", @@ -3869,7 +3819,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tsunt3403.www5.test", "tsunt3403.www5.test" ], "related.ip": [ @@ -3944,7 +3893,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "pitl6126.www.localdomain", "pitl6126.www.localdomain" ], "related.ip": [ @@ -3963,8 +3911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "etquasia", - "Allowed" + "Allowed", + "etquasia" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -4017,7 +3965,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "remaper3297.internal.test", "remaper3297.internal.test" ], "related.ip": [ @@ -4094,7 +4041,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tamr1693.api.home", "tamr1693.api.home" ], "related.ip": [ @@ -4113,8 +4059,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "Blocked", - "emp" + "emp", + "Blocked" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -4171,12 +4117,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "cia5990.api.localdomain", "cia5990.api.localdomain" ], "related.ip": [ - "10.89.41.97", - "10.91.2.225" + "10.91.2.225", + "10.89.41.97" ], "related.user": [ "tem" @@ -4190,8 +4135,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iuntN", "rsa.misc.action": [ - "Allowed", - "nim" + "nim", + "Allowed" ], "rsa.misc.category": "etco", "rsa.misc.filter": "autodita", @@ -4248,7 +4193,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "riatu2467.lan", "riatu2467.lan" ], "related.ip": [ @@ -4267,8 +4211,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iadeseru", "rsa.misc.action": [ - "epreh", - "Allowed" + "Allowed", + "epreh" ], "rsa.misc.category": "ruredol", "rsa.misc.filter": "atquo", @@ -4325,7 +4269,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "pici1525.www5.corp", "pici1525.www5.corp" ], "related.ip": [ @@ -4344,8 +4287,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inimve", "rsa.misc.action": [ - "Allowed", - "niam" + "niam", + "Allowed" ], "rsa.misc.category": "perspici", "rsa.misc.filter": "uipe", @@ -4402,7 +4345,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "dolo6418.internal.host", "dolo6418.internal.host" ], "related.ip": [ @@ -4477,12 +4419,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "imveni193.www5.host", "imveni193.www5.host" ], "related.ip": [ - "10.55.38.153", - "10.112.190.154" + "10.112.190.154", + "10.55.38.153" ], "related.user": [ "oremeu" @@ -4496,8 +4437,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "Allowed", - "urau" + "urau", + "Allowed" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", @@ -4554,7 +4495,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ionu3320.api.localhost", "ionu3320.api.localhost" ], "related.ip": [ @@ -4631,12 +4571,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "remips1499.www.local", "remips1499.www.local" ], "related.ip": [ - "10.252.164.230", - "10.60.52.219" + "10.60.52.219", + "10.252.164.230" ], "related.user": [ "gnamali" @@ -4650,8 +4589,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "fdeFin", - "Blocked" + "Blocked", + "fdeFin" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4704,12 +4643,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "mdoloree96.domain", "mdoloree96.domain" ], "related.ip": [ - "10.122.102.156", - "10.187.16.73" + "10.187.16.73", + "10.122.102.156" ], "related.user": [ "emoen" @@ -4781,7 +4719,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "iatnulap7662.internal.local", "iatnulap7662.internal.local" ], "related.ip": [ @@ -4800,8 +4737,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "uatDu", - "Allowed" + "Allowed", + "uatDu" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", @@ -4856,7 +4793,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "sBonoru1929.example", "sBonoru1929.example" ], "related.ip": [ @@ -4933,7 +4869,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "onorumet4871.lan", "onorumet4871.lan" ], "related.ip": [ @@ -4952,8 +4887,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vento", "rsa.misc.action": [ - "reh", - "Blocked" + "Blocked", + "reh" ], "rsa.misc.category": "atev", "rsa.misc.filter": "umq", @@ -5010,7 +4945,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "onproi4354.www5.invalid", "onproi4354.www5.invalid" ], "related.ip": [ @@ -5087,7 +5021,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "beataevi7552.api.test", "beataevi7552.api.test" ], "related.ip": [ @@ -5106,8 +5039,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "Blocked", - "dqu" + "dqu", + "Blocked" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -5164,12 +5097,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "rvelill1981.www.invalid", "rvelill1981.www.invalid" ], "related.ip": [ - "10.26.115.88", - "10.12.130.224" + "10.12.130.224", + "10.26.115.88" ], "related.user": [ "Nequepo" @@ -5241,7 +5173,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "quia7214.example", "quia7214.example" ], "related.ip": [ @@ -5318,12 +5249,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "aturExc7343.invalid", "aturExc7343.invalid" ], "related.ip": [ - "10.55.192.102", - "10.146.69.38" + "10.146.69.38", + "10.55.192.102" ], "related.user": [ "quia" @@ -5337,8 +5267,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnisi", "rsa.misc.action": [ - "Allowed", - "userro" + "userro", + "Allowed" ], "rsa.misc.category": "etd", "rsa.misc.filter": "loremeum", @@ -5395,7 +5325,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "olo7317.www5.localhost", "olo7317.www5.localhost" ], "related.ip": [ @@ -5472,7 +5401,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "uiin1342.mail.invalid", "uiin1342.mail.invalid" ], "related.ip": [ @@ -5549,7 +5477,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "agna5654.www.corp", "agna5654.www.corp" ], "related.ip": [ @@ -5626,12 +5553,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ites5711.internal.host", "ites5711.internal.host" ], "related.ip": [ - "10.24.23.209", - "10.162.78.48" + "10.162.78.48", + "10.24.23.209" ], "related.user": [ "ntore" @@ -5703,7 +5629,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "oluptat2848.api.home", "oluptat2848.api.home" ], "related.ip": [ @@ -5780,7 +5705,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ngelitse7535.internal.lan", "ngelitse7535.internal.lan" ], "related.ip": [ @@ -5857,7 +5781,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tiumtot3611.internal.localdomain", "tiumtot3611.internal.localdomain" ], "related.ip": [ @@ -5934,7 +5857,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "gnaa4656.api.example", "gnaa4656.api.example" ], "related.ip": [ @@ -5953,8 +5875,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "ici", - "Blocked" + "Blocked", + "ici" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -6011,12 +5933,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "psaqu6066.www5.localhost", "psaqu6066.www5.localhost" ], "related.ip": [ - "10.164.190.2", - "10.223.11.164" + "10.223.11.164", + "10.164.190.2" ], "related.user": [ "ten" @@ -6030,8 +5951,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "Allowed", - "antium" + "antium", + "Allowed" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -6088,7 +6009,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "iavol5202.api.example", "iavol5202.api.example" ], "related.ip": [ @@ -6107,8 +6027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedic", "rsa.misc.action": [ - "Blocked", - "rinc" + "rinc", + "Blocked" ], "rsa.misc.category": "prehende", "rsa.misc.filter": "rume", @@ -6165,7 +6085,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "uame1361.api.local", "uame1361.api.local" ], "related.ip": [ @@ -6184,8 +6103,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tat", "rsa.misc.action": [ - "nia", - "Blocked" + "Blocked", + "nia" ], "rsa.misc.category": "turQuis", "rsa.misc.filter": "nonp", @@ -6242,12 +6161,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "rsitame4049.internal.corp", "rsitame4049.internal.corp" ], "related.ip": [ - "10.34.98.144", - "10.77.102.206" + "10.77.102.206", + "10.34.98.144" ], "related.user": [ "tectobe" @@ -6319,7 +6237,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "elit912.www5.test", "elit912.www5.test" ], "related.ip": [ @@ -6338,8 +6255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "odic", - "Blocked" + "Blocked", + "odic" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -6396,12 +6313,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "tat6671.www.local", "tat6671.www.local" ], "related.ip": [ - "10.236.55.236", - "10.149.6.107" + "10.149.6.107", + "10.236.55.236" ], "related.user": [ "redolo" @@ -6473,12 +6389,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "uis5050.www.local", "uis5050.www.local" ], "related.ip": [ - "10.97.202.149", - "10.13.125.101" + "10.13.125.101", + "10.97.202.149" ], "related.user": [ "colab" @@ -6492,8 +6407,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atcupi", "rsa.misc.action": [ - "uaUten", - "Blocked" + "Blocked", + "uaUten" ], "rsa.misc.category": "modt", "rsa.misc.filter": "magnidol", @@ -6550,7 +6465,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ficiad1312.api.host", "ficiad1312.api.host" ], "related.ip": [ @@ -6627,12 +6541,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "itaspe921.mail.invalid", "itaspe921.mail.invalid" ], "related.ip": [ - "10.10.25.145", - "10.224.249.228" + "10.224.249.228", + "10.10.25.145" ], "related.user": [ "mnisiuta" @@ -6646,8 +6559,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "Blocked", - "remap" + "remap", + "Blocked" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6704,7 +6617,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "archite4407.mail.invalid", "archite4407.mail.invalid" ], "related.ip": [ @@ -6781,12 +6693,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "aria1424.mail.home", "aria1424.mail.home" ], "related.ip": [ - "10.250.102.42", - "10.124.81.20" + "10.124.81.20", + "10.250.102.42" ], "related.user": [ "tNequ" @@ -6800,8 +6711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "tatisetq", - "Blocked" + "Blocked", + "tatisetq" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6858,12 +6769,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "Bonoru7444.www5.example", "Bonoru7444.www5.example" ], "related.ip": [ - "10.154.188.132", - "10.166.205.159" + "10.166.205.159", + "10.154.188.132" ], "related.user": [ "uptat" @@ -6931,12 +6841,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "icero1297.internal.domain", "icero1297.internal.domain" ], "related.ip": [ - "10.46.71.46", - "10.138.193.38" + "10.138.193.38", + "10.46.71.46" ], "related.user": [ "sintocca" @@ -6950,8 +6859,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "upta", "rsa.misc.action": [ - "Allowed", - "uovolup" + "uovolup", + "Allowed" ], "rsa.misc.category": "todit", "rsa.misc.filter": "atisetq", @@ -7004,12 +6913,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "oloremeu5047.www5.invalid", "oloremeu5047.www5.invalid" ], "related.ip": [ - "10.254.119.31", - "10.172.159.251" + "10.172.159.251", + "10.254.119.31" ], "related.user": [ "usm" @@ -7023,8 +6931,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "Blocked", - "tatemacc" + "tatemacc", + "Blocked" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -7081,7 +6989,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "edutpe1255.internal.lan", "edutpe1255.internal.lan" ], "related.ip": [ @@ -7158,12 +7065,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "nderit1171.www5.domain", "nderit1171.www5.domain" ], "related.ip": [ - "10.84.140.5", - "10.144.93.186" + "10.144.93.186", + "10.84.140.5" ], "related.user": [ "eroi" @@ -7177,8 +7083,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "nima", - "Blocked" + "Blocked", + "nima" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -7235,7 +7141,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "nos4114.api.lan", "nos4114.api.lan" ], "related.ip": [ @@ -7254,8 +7159,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tquovo", "rsa.misc.action": [ - "Allowed", - "qua" + "qua", + "Allowed" ], "rsa.misc.category": "ectet", "rsa.misc.filter": "lites", @@ -7312,7 +7217,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "oremeum4231.internal.host", "oremeum4231.internal.host" ], "related.ip": [ @@ -7331,8 +7235,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "Allowed", - "exe" + "exe", + "Allowed" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", @@ -7389,12 +7293,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "ueip6097.api.host", "ueip6097.api.host" ], "related.ip": [ - "10.128.43.71", - "10.152.217.174" + "10.152.217.174", + "10.128.43.71" ], "related.user": [ "mquiado" @@ -7466,12 +7369,11 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "fugiatqu7793.www.localdomain", "fugiatqu7793.www.localdomain" ], "related.ip": [ - "10.217.193.148", - "10.26.149.221" + "10.26.149.221", + "10.217.193.148" ], "related.user": [ "uisa" @@ -7485,8 +7387,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "rehe", - "Blocked" + "Blocked", + "rehe" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7543,7 +7445,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "onsequ3168.www.corp", "onsequ3168.www.corp" ], "related.ip": [ @@ -7562,8 +7463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "tassit", - "Blocked" + "Blocked", + "tassit" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7620,7 +7521,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "oremquel3120.internal.localhost", "oremquel3120.internal.localhost" ], "related.ip": [ diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index b138a4f3b759..bdf9957b55dc 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -18,7 +18,6 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.hosts": [ - "", "" ], "related.user": [