From cda8736b193e1c37043e38c9cd67bfed068d6993 Mon Sep 17 00:00:00 2001 
From: Marius Iversen Date: Tue, 1 Jun 2021 16:54:54 +0200 Subject: [PATCH 1/6] update juniper ECS version and add event.original options --- .../_dev/test/pipeline/test-common-config.yml | 5 + .../_dev/test/pipeline/test-generated.log | 100 ++ .../pipeline/test-generated.log-expected.json | 1204 +++++++++++++++++ .../junos/agent/stream/stream.yml.hbs | 9 +- .../junos/agent/stream/tcp.yml.hbs | 9 +- .../junos/agent/stream/udp.yml.hbs | 9 +- .../elasticsearch/ingest_pipeline/default.yml | 93 +- .../juniper/data_stream/junos/manifest.yml | 30 +- .../_dev/test/pipeline/test-common-config.yml | 5 + .../_dev/test/pipeline/test-generated.log | 100 ++ .../pipeline/test-generated.log-expected.json | 1204 +++++++++++++++++ .../netscreen/agent/stream/logfile.yml.hbs | 9 +- .../netscreen/agent/stream/tcp.yml.hbs | 9 +- .../netscreen/agent/stream/udp.yml.hbs | 9 +- .../elasticsearch/ingest_pipeline/default.yml | 92 +- .../data_stream/netscreen/manifest.yml | 30 +- .../test/pipeline/test-atp.log-config.yml | 2 - .../test/pipeline/test-atp.log-expected.json | 44 +- .../_dev/test/pipeline/test-common-config.yml | 5 + .../test/pipeline/test-flow.log-config.yml | 2 - .../test/pipeline/test-flow.log-expected.json | 250 +++- .../test/pipeline/test-idp.log-config.yml | 2 - .../test/pipeline/test-idp.log-expected.json | 70 +- .../test/pipeline/test-ids.log-config.yml | 2 - .../test/pipeline/test-ids.log-expected.json | 198 ++- .../pipeline/test-secintel.log-config.yml | 2 - .../pipeline/test-secintel.log-expected.json | 20 +- .../test/pipeline/test-utm.log-config.yml | 2 - .../test/pipeline/test-utm.log-expected.json | 156 ++- .../srx/agent/stream/logfile.yml.hbs | 9 +- .../data_stream/srx/agent/stream/tcp.yml.hbs | 9 +- .../data_stream/srx/agent/stream/udp.yml.hbs | 9 +- .../elasticsearch/ingest_pipeline/default.yml | 486 +++---- packages/juniper/data_stream/srx/manifest.yml | 24 + 34 files changed, 3639 insertions(+), 570 deletions(-) create mode 100644 
packages/juniper/data_stream/junos/_dev/test/pipeline/test-common-config.yml
create mode 100644 packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log
create mode 100644 packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
create mode 100644 packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-common-config.yml
create mode 100644 packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log
create mode 100644 packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
delete mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.yml
create mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-common-config.yml
delete mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-config.yml
delete mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-config.yml
delete mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-config.yml
delete mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-config.yml
delete mode 100644 packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-config.yml
diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-common-config.yml b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..e74affa452f
--- /dev/null
+++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
\ No newline at end of file
diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log
new file mode 100644
index 00000000000..e8663f48748
--- /dev/null
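Review bot: The `event.ingested: ".*"` entry in the new dynamic_fields block matches any value at all, so the expectation file would still pass if the pipeline ever wrote something other than a timestamp into event.ingested; a pattern shaped like the values the paired expected file shows, e.g. `event.ingested: "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.]+Z$"` (constructed), keeps the field checked while still ignoring the run-dependent part. The file also ends without a trailing newline (`\ No newline at end of file`). The diffstat shows the same test-common-config.yml being created for netscreen and srx; if those are copies the same applies there, though their hunks are outside this chunk.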
+++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log 
@@ -0,0 +1,100 @@
+Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)
+Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed
+Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success
+Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace> node: dqu
+Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367
+Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown
+Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono
+May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure
+May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068
+Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing
+Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain
+Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd
+Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav
+Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed
+Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown
+Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown
+Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown
+Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed
+Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest
+Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa
+Nov 10 03:01:24 kmd: restart 
+Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test
+Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test
+Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357
+Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita
+Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown
+Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425
+Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693
+Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita
+Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure
+Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure
+Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316
+Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura
+May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'
+May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic
+Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure
+Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable
+Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown
+Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe
+Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176
+Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal
+Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown
+Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884
+Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146
+Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing
+Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex
+Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu
+Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.
+Dec 15 08:13:24 COS: restart : Received FC->Q map, caecat
+Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success
+Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)
+Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed
+Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file
+Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown
+Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis
+Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur
+Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci
+Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal
+May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure
+May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain
+Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown
+Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification
+Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal
+Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown
+Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere
+Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593
+Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown
+Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success
+Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [
+Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID
+Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694
+Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita
+Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing
+Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure
+Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown
+Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host
+Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen
+Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch
+Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown
+Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339
+Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex
+Apr 1 00:38:14 /kmd:
+Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown
+Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success
+May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully
+May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success
+Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'
+Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server
+Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace> BCHIP: : cannot write ucode mask reg
+Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown
+Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'
+Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure
+Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success
+Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure
+Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse
+Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success
+Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown
+Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed
+Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193
+Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure
diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
new file mode 100644
index 00000000000..bde0d947c15
--- /dev/null
+++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
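Review bot: Every one of these 100 generated samples comes out of the pipeline untouched — the paired test-generated.log-expected.json in this patch lists only ecs.version, message, event.ingested and tags for each event, with no event.original even though every event carries the preserve_original_event tag, and no @timestamp or parsed fields — so the fixture currently pins the junos pipeline doing nothing with them. If these lines are not meant to match the pipeline's patterns, a comment in the test config saying they exercise the pass-through path would stop the next reader treating the expectation as a parsing regression; if they are meant to parse, the expectation file is locking in a failure. The records a detection engineer would care about here (LOGIN_FAILED, SSHD_LOGIN_FAILED, LOGIN_PAM_MAX_RETRIES, NASD_CHAP_REPLAY_ATTACK_DETECTED) end up with no event.category or event.outcome for a rule to key on. Whether the missing event.original is a gap in default.yml or an interaction with the tag cannot be told from here, as the pipeline change is outside this chunk.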
@@ -0,0 +1,1204 @@ +{ + "expected": [ + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)", + "event": { + "ingested": "2021-06-01T14:54:19.526804600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed", + "event": { + "ingested": "2021-06-01T14:54:19.526830900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success", + "event": { + "ingested": "2021-06-01T14:54:19.526838800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace\u003e node: dqu", + "event": { + "ingested": "2021-06-01T14:54:19.526846600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367", + "event": { + "ingested": "2021-06-01T14:54:19.526852400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", + "event": { + "ingested": "2021-06-01T14:54:19.526857500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", + "event": { + "ingested": "2021-06-01T14:54:19.526863200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 8 07:27:59 sunt prehen6218.www.localhost: 
onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure", + "event": { + "ingested": "2021-06-01T14:54:19.526868100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", + "event": { + "ingested": "2021-06-01T14:54:19.526872800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", + "event": { + "ingested": "2021-06-01T14:54:19.526877400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", + "event": { + "ingested": "2021-06-01T14:54:19.526883800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", + "event": { + "ingested": "2021-06-01T14:54:19.526888700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", + "event": { + "ingested": "2021-06-01T14:54:19.526893300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", + "event": { + "ingested": "2021-06-01T14:54:19.526898100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: 
unknown", + "event": { + "ingested": "2021-06-01T14:54:19.526902900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", + "event": { + "ingested": "2021-06-01T14:54:19.526907700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", + "event": { + "ingested": "2021-06-01T14:54:19.526912700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed", + "event": { + "ingested": "2021-06-01T14:54:19.526917200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", + "event": { + "ingested": "2021-06-01T14:54:19.526921500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", + "event": { + "ingested": "2021-06-01T14:54:19.526926400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Nov 10 03:01:24 kmd: restart ", + "event": { + "ingested": "2021-06-01T14:54:19.526931300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", + "event": { + "ingested": "2021-06-01T14:54:19.526937100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { 
+ "ecs": { + "version": "1.10.0" + }, + "message": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", + "event": { + "ingested": "2021-06-01T14:54:19.526942400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", + "event": { + "ingested": "2021-06-01T14:54:19.526947600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", + "event": { + "ingested": "2021-06-01T14:54:19.526952900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", + "event": { + "ingested": "2021-06-01T14:54:19.526959Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", + "event": { + "ingested": "2021-06-01T14:54:19.526965100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693", + "event": { + "ingested": "2021-06-01T14:54:19.526970500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", + "event": { + "ingested": "2021-06-01T14:54:19.526975200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: 
failure", + "event": { + "ingested": "2021-06-01T14:54:19.526980100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", + "event": { + "ingested": "2021-06-01T14:54:19.526985400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", + "event": { + "ingested": "2021-06-01T14:54:19.526990400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", + "event": { + "ingested": "2021-06-01T14:54:19.526995100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", + "event": { + "ingested": "2021-06-01T14:54:19.527002100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", + "event": { + "ingested": "2021-06-01T14:54:19.527006700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", + "event": { + "ingested": "2021-06-01T14:54:19.527011300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", + 
"event": { + "ingested": "2021-06-01T14:54:19.527015900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", + "event": { + "ingested": "2021-06-01T14:54:19.527020500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", + "event": { + "ingested": "2021-06-01T14:54:19.527025200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176", + "event": { + "ingested": "2021-06-01T14:54:19.527030200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", + "event": { + "ingested": "2021-06-01T14:54:19.527034800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", + "event": { + "ingested": "2021-06-01T14:54:19.527039500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", + "event": { + "ingested": "2021-06-01T14:54:19.527044200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Oct 4 21:00:32 iuntN 
utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", + "event": { + "ingested": "2021-06-01T14:54:19.527048900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", + "event": { + "ingested": "2021-06-01T14:54:19.527053600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", + "event": { + "ingested": "2021-06-01T14:54:19.527058200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", + "event": { + "ingested": "2021-06-01T14:54:19.527063100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", + "event": { + "ingested": "2021-06-01T14:54:19.527067700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Dec 15 08:13:24 COS: restart : Received FC-\u003eQ map, caecat", + "event": { + "ingested": "2021-06-01T14:54:19.527072100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", + "event": { + "ingested": "2021-06-01T14:54:19.527076800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jan 12 22:18:32 
CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", + "event": { + "ingested": "2021-06-01T14:54:19.527081400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", + "event": { + "ingested": "2021-06-01T14:54:19.527086700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", + "event": { + "ingested": "2021-06-01T14:54:19.527091400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", + "event": { + "ingested": "2021-06-01T14:54:19.527096100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", + "event": { + "ingested": "2021-06-01T14:54:19.527100800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", + "event": { + "ingested": "2021-06-01T14:54:19.527105400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", + "event": { + "ingested": "2021-06-01T14:54:19.527110500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + 
"message": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", + "event": { + "ingested": "2021-06-01T14:54:19.527115800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", + "event": { + "ingested": "2021-06-01T14:54:19.527120700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", + "event": { + "ingested": "2021-06-01T14:54:19.527125600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", + "event": { + "ingested": "2021-06-01T14:54:19.527130200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", + "event": { + "ingested": "2021-06-01T14:54:19.527134900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", + "event": { + "ingested": "2021-06-01T14:54:19.527139600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", + "event": { + "ingested": "2021-06-01T14:54:19.527144200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + 
"message": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527148900Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527153600Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527158400Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527163600Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527169Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527173800Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527178300Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita",
+ "event": {
+ "ingested":
"2021-06-01T14:54:19.527183Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527188200Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527192800Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527198100Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527203Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527207700Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527212600Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527217400Z"
+ },
+ "tags": [
+
"preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527236600Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527243800Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Apr 1 00:38:14 /kmd: ",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527249400Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527254500Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527259300Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527265100Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527270400Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]:
piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527275100Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527279900Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace\u003e BCHIP: : cannot write ucode mask reg",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527284800Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527289600Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527294200Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527299Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527303700Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to
failure",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527308300Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527312900Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527317600Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527322400Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527327200Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527332Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure",
+ "event": {
+ "ingested": "2021-06-01T14:54:19.527336600Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs
index aa837e27e28..59f3b2ae486 100644
--- a/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs
+++ b/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs
@@ -4,8 +4,11 @@ paths:
 {{/each}}
 exclude_files: [".gz$"]
 tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
 {{/each}}
 fields_under_root: true
 fields:
@@ -12565,7 +12568,3 @@ processors:
 target_subdomain_field: url.subdomain
 target_etld_field: url.top_level_domain
 - add_locale: ~
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
diff --git a/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs
index d76030f6e2f..b93246a0915 100644
--- a/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs
+++ b/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs
@@ -1,8 +1,11 @@
 tcp:
 host: "{{tcp_host}}:{{tcp_port}}"
 tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
 {{/each}}
 fields_under_root: true
 fields:
@@ -12562,7 +12565,3 @@ processors:
 target_subdomain_field: url.subdomain
 target_etld_field: url.top_level_domain
 - add_locale: ~
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
diff --git a/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs
index 5c3c4a7e316..752928a3b3b 100644
--- a/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs
+++ b/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs
@@ -1,8 +1,11 @@
 udp:
 host: "{{udp_host}}:{{udp_port}}"
 tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
 {{/each}}
 fields_under_root: true
 fields:
@@ -12562,7 +12565,3 @@ processors:
 target_subdomain_field: url.subdomain
 target_etld_field: url.top_level_domain
 - add_locale: ~
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
diff --git a/packages/juniper/data_stream/junos/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/data_stream/junos/elasticsearch/ingest_pipeline/default.yml
index 9199755b6ac..6f5de72d78b 100644
--- a/packages/juniper/data_stream/junos/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/juniper/data_stream/junos/elasticsearch/ingest_pipeline/default.yml
@@ -4,61 +4,68 @@ description: Pipeline for Juniper JUNOS
 processors:
 # ECS event.ingested
 - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: "1.10.0"
 # User agent
 - user_agent:
- field: user_agent.original
- ignore_missing: true
+ field: user_agent.original
+ ignore_missing: true
 # IP Geolocation Lookup
 - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
 - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
 # IP Autonomous System (AS) Lookup
 - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
 - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
 - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
 - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
 - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
 - rename:
- field:
destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
 - append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
 on_failure:
 - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/juniper/data_stream/junos/manifest.yml b/packages/juniper/data_stream/junos/manifest.yml
index dcace6ff341..8b938814398 100644
--- a/packages/juniper/data_stream/junos/manifest.yml
+++ b/packages/juniper/data_stream/junos/manifest.yml
@@ -12,7 +12,7 @@ streams:
 title: Tags
 multi: true
 required: true
- show_user: false
+ show_user: true
 default:
 - juniper-junos
 - forwarded
@@ -54,6 +54,14 @@ streams:
 required: false
 show_user: false
 default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
 - input: tcp
 title: Juniper JUNOS logs
 description: Collect Juniper JUNOS logs
@@ -64,7 +72,7 @@ streams:
 title: Tags
 multi: true
 required: true
- show_user: false
+ show_user: true
 default:
 - juniper-junos
 - forwarded
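Review bot: The `remove` processor added near the end of the hunk carries `ignore_failure: true` on top of `ignore_missing: true`; an absent `event.original` is already tolerated by `ignore_missing`, so `ignore_failure` only hides a failing condition or a failed removal, and in that case the raw event stays in the document although the operator has not opted in. Dropping `ignore_failure: true` would let such a failure reach the pipeline's `on_failure` handler and surface in `error.message` instead of silently keeping the field (whether a Painless error in the `if` is also swallowed presumably depends on how the condition is wrapped, but a failed removal certainly is). Separately, the expected outputs in this patch carry `preserve_original_event` in `tags` but no `event.original` at all, so neither the keep nor the drop branch of this processor appears to be exercised by the pipeline tests.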
@@ -106,6 +114,14 @@ streams:
 required: false
 show_user: false
 default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
 - input: logfile
 enabled: false
 title: Juniper JUNOS logs
@@ -124,7 +140,7 @@ streams:
 title: Tags
 multi: true
 required: true
- show_user: false
+ show_user: true
 default:
 - juniper-junos
 - forwarded
@@ -152,3 +168,11 @@ streams:
 required: false
 show_user: false
 default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
\ No newline at end of file
diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-common-config.yml b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..e74affa452f
--- /dev/null
+++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
\ No newline at end of file
diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log
new file mode 100644
index 00000000000..3d8481ffa94
--- /dev/null
+++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log
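Review bot: The last hunk of `manifest.yml` ends without a trailing newline (`\ No newline at end of file`), and the new `test-common-config.yml` that follows and the `test-generated.log-expected.json` earlier in the patch end the same way; adding the final newline keeps every later change to these files from touching their last line again. The three `preserve_original_event` variable blocks added to this manifest are identical copies, so a later edit to the `description` (for instance to say that the raw message is then stored a second time per document) has to be applied to all three inputs by hand.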
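Review bot: This common config injects `tags: [preserve_original_event]` into every netscreen fixture, so the pipeline tests only ever run the opt-in path; the default configuration, in which the tag is absent and `event.original` is meant to be dropped (the junos pipeline above gains a `remove` processor for that, and presumably the netscreen one does too), gets no coverage. A second fixture or config without the tag would verify that path. `event.ingested: ".*"` under `dynamic_fields` also matches an empty string; a pattern anchored on the timestamp shape, for example `event.ingested: "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d+Z$"`, still tolerates the changing value while catching a missing or malformed one.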
@@ -0,0 +1,100 @@
+modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)
+luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)
+deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)
+untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect
+eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)
+eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .
+rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)
+intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated
+numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)
+ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu
+atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet
+dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74
+acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)
+tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received.
(2016-8-2 01:43:25)
+etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175
+ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.
+umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre
+tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese
+smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87
+ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)
+mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state
+isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added
+isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu
+bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation
+iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51
+orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu
+enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User "ntiumto" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883
+ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin
+mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image
authentication is invalid
+orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed
+ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)
+quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru
+emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations
+scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita
+equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.
+iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable
+rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.
+orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.
+eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo
+imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)
+ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)
+orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)
+ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51
+umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu > nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)<
+inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe
+nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .
+uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)
+sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.
+etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima
+giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received.
(2017-12-29 15:15:58)
+magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)
+tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)
+laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.
+nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266
+ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)
+adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)
+emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added
+giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-> untrust-vr: exer
+lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat
+accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router "asper" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)
+itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list
+int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48).
(2018-6-19 03:46:49)
+mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times
+inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110
+tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)
+qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica
+udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi
+isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)
+utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.
+agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna
+ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan
+catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure
+cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid.
(2018-11-23 09:15:06)
+chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success
+vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state
+rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding
+upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065
+ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)
+ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted
+luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.
+iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)
+dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun
+ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)
+iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)
+qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success
+eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable.
(2019-5-28 04:48:31)
+veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA
+reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed
+ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae
+archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!
+remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA
+llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)
+quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59
+lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA
+preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)
+avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed
+eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin
+texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)
+elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)
+toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change
diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
new file mode 100644
index 00000000000..a867a6aa120
--- /dev/null
+++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
@@ -0,0 +1,1204 @@ +{ + "expected": [ + { + "ecs": { + "version": "1.10.0" + }, + "message": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)", + "event": { + "ingested": "2021-06-01T14:54:20.281964Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)", + "event": { + "ingested": "2021-06-01T14:54:20.282023200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)", + "event": { + "ingested": "2021-06-01T14:54:20.282035800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect", + "event": { + "ingested": "2021-06-01T14:54:20.282041900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)", + "event": { + "ingested": "2021-06-01T14:54:20.282046600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .", + "event": { + "ingested": "2021-06-01T14:54:20.282050900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys 
(suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)", + "event": { + "ingested": "2021-06-01T14:54:20.282055300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated", + "event": { + "ingested": "2021-06-01T14:54:20.282059200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)", + "event": { + "ingested": "2021-06-01T14:54:20.282063400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu", + "event": { + "ingested": "2021-06-01T14:54:20.282067200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet", + "event": { + "ingested": "2021-06-01T14:54:20.282071100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74", + "event": { + "ingested": "2021-06-01T14:54:20.282075300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)", + "event": { + "ingested": "2021-06-01T14:54:20.282079300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": 
"1.10.0" + }, + "message": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)", + "event": { + "ingested": "2021-06-01T14:54:20.282083300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175", + "event": { + "ingested": "2021-06-01T14:54:20.282088500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.", + "event": { + "ingested": "2021-06-01T14:54:20.282093100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre", + "event": { + "ingested": "2021-06-01T14:54:20.282097700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese", + "event": { + "ingested": "2021-06-01T14:54:20.282102800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87", + "event": { + "ingested": "2021-06-01T14:54:20.282107100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. 
(2016-10-26 19:58:50)", + "event": { + "ingested": "2021-06-01T14:54:20.282111300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state", + "event": { + "ingested": "2021-06-01T14:54:20.282119900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added", + "event": { + "ingested": "2021-06-01T14:54:20.282124500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu", + "event": { + "ingested": "2021-06-01T14:54:20.282129Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation", + "event": { + "ingested": "2021-06-01T14:54:20.282133300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51", + "event": { + "ingested": "2021-06-01T14:54:20.282137700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu", + "event": { + "ingested": "2021-06-01T14:54:20.282142100Z" + }, + "tags": [ + "preserve_original_event" + ] + 
}, + { + "ecs": { + "version": "1.10.0" + }, + "message": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883", + "event": { + "ingested": "2021-06-01T14:54:20.282147Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin", + "event": { + "ingested": "2021-06-01T14:54:20.282153300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid", + "event": { + "ingested": "2021-06-01T14:54:20.282157900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed", + "event": { + "ingested": "2021-06-01T14:54:20.282162500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. 
(2017-4-2 01:27:07)", + "event": { + "ingested": "2021-06-01T14:54:20.282166900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru", + "event": { + "ingested": "2021-06-01T14:54:20.282170900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", + "event": { + "ingested": "2021-06-01T14:54:20.282175500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita", + "event": { + "ingested": "2021-06-01T14:54:20.282179700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.", + "event": { + "ingested": "2021-06-01T14:54:20.282184400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable", + "event": { + "ingested": "2021-06-01T14:54:20.282188400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. 
Possible HA syncronization problem.", + "event": { + "ingested": "2021-06-01T14:54:20.282192600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.", + "event": { + "ingested": "2021-06-01T14:54:20.282196700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo", + "event": { + "ingested": "2021-06-01T14:54:20.282201200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)", + "event": { + "ingested": "2021-06-01T14:54:20.282205300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)", + "event": { + "ingested": "2021-06-01T14:54:20.282209100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)", + "event": { + "ingested": "2021-06-01T14:54:20.282215400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast 
address 10.158.18.51", + "event": { + "ingested": "2021-06-01T14:54:20.282219800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu \u003e nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)\u003c\u003ccolabori\u003e", + "event": { + "ingested": "2021-06-01T14:54:20.282223900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe", + "event": { + "ingested": "2021-06-01T14:54:20.282228400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .", + "event": { + "ingested": "2021-06-01T14:54:20.282232600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. 
(2017-11-16 18:08:15)", + "event": { + "ingested": "2021-06-01T14:54:20.282237500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.", + "event": { + "ingested": "2021-06-01T14:54:20.282241900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima", + "event": { + "ingested": "2021-06-01T14:54:20.282245900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)", + "event": { + "ingested": "2021-06-01T14:54:20.282250100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)", + "event": { + "ingested": "2021-06-01T14:54:20.282254200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)", + "event": { + "ingested": "2021-06-01T14:54:20.282258300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.", + "event": { + "ingested": "2021-06-01T14:54:20.282262400Z" + }, + "tags": [ + "preserve_original_event" + 
] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266", + "event": { + "ingested": "2021-06-01T14:54:20.282266500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)", + "event": { + "ingested": "2021-06-01T14:54:20.282270400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)", + "event": { + "ingested": "2021-06-01T14:54:20.282274300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added", + "event": { + "ingested": "2021-06-01T14:54:20.282278400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-\u003e untrust-vr: exer", + "event": { + "ingested": "2021-06-01T14:54:20.282282400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. 
pariat", + "event": { + "ingested": "2021-06-01T14:54:20.282286300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)", + "event": { + "ingested": "2021-06-01T14:54:20.282292900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list", + "event": { + "ingested": "2021-06-01T14:54:20.282301100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)", + "event": { + "ingested": "2021-06-01T14:54:20.282305600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. 
The attack occurred 2282 times", + "event": { + "ingested": "2021-06-01T14:54:20.282309700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110", + "event": { + "ingested": "2021-06-01T14:54:20.282313900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)", + "event": { + "ingested": "2021-06-01T14:54:20.282318800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica", + "event": { + "ingested": "2021-06-01T14:54:20.282323100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi", + "event": { + "ingested": "2021-06-01T14:54:20.282327200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)", + "event": { + "ingested": "2021-06-01T14:54:20.282331300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.", + "event": { + "ingested": "2021-06-01T14:54:20.282335800Z" + 
}, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna", + "event": { + "ingested": "2021-06-01T14:54:20.282340100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan", + "event": { + "ingested": "2021-06-01T14:54:20.282346900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure", + "event": { + "ingested": "2021-06-01T14:54:20.282352200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. 
(2018-11-23 09:15:06)", + "event": { + "ingested": "2021-06-01T14:54:20.282356600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success", + "event": { + "ingested": "2021-06-01T14:54:20.282360600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state", + "event": { + "ingested": "2021-06-01T14:54:20.282365300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding", + "event": { + "ingested": "2021-06-01T14:54:20.282375100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065", + "event": { + "ingested": "2021-06-01T14:54:20.282379100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)", + "event": { + "ingested": "2021-06-01T14:54:20.282383Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted", + "event": { + "ingested": "2021-06-01T14:54:20.282386800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "luptatem: NetScreen 
device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.", + "event": { + "ingested": "2021-06-01T14:54:20.282390400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)", + "event": { + "ingested": "2021-06-01T14:54:20.282394200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun", + "event": { + "ingested": "2021-06-01T14:54:20.282397900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)", + "event": { + "ingested": "2021-06-01T14:54:20.282401600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)", + "event": { + "ingested": "2021-06-01T14:54:20.282405400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success", + "event": { + "ingested": "2021-06-01T14:54:20.282409400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch 
changed state from iamquisn to inoperable. (2019-5-28 04:48:31)", + "event": { + "ingested": "2021-06-01T14:54:20.282413100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA", + "event": { + "ingested": "2021-06-01T14:54:20.282416700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", + "event": { + "ingested": "2021-06-01T14:54:20.282428400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae", + "event": { + "ingested": "2021-06-01T14:54:20.282435500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!", + "event": { + "ingested": "2021-06-01T14:54:20.282440500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA", + "event": { + "ingested": "2021-06-01T14:54:20.282444500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. 
(2019-8-21 23:03:57)", + "event": { + "ingested": "2021-06-01T14:54:20.282448300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59", + "event": { + "ingested": "2021-06-01T14:54:20.282452100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA", + "event": { + "ingested": "2021-06-01T14:54:20.282456100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)", + "event": { + "ingested": "2021-06-01T14:54:20.282460Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed", + "event": { + "ingested": "2021-06-01T14:54:20.282463700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin", + "event": { + "ingested": "2021-06-01T14:54:20.282467500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)", + "event": { + "ingested": "2021-06-01T14:54:20.282471100Z" + }, + "tags": [ + "preserve_original_event" + ] + 
},
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)",
+ "event": {
+ "ingested": "2021-06-01T14:54:20.282474900Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change",
+ "event": {
+ "ingested": "2021-06-01T14:54:20.282478500Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs
index 2d89259e44d..a57fa9d780a 100644
--- a/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs
+++ b/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs
@@ -4,8 +4,11 @@ paths:
 {{/each}}
 exclude_files: [".gz$"]
 tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
 {{/each}}
 fields_under_root: true
 fields:
@@ -26350,7 +26353,3 @@ processors:
 target_subdomain_field: url.subdomain
 target_etld_field: url.top_level_domain
 - add_locale: ~
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
diff --git a/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
index ac74f7db40d..348f0421210 100644
--- a/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
+++ b/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs
@@ -1,8 +1,11 @@
 tcp:
 host: "{{tcp_host}}:{{tcp_port}}"
 tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
 {{/each}}
 fields_under_root: true
 fields:
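Review bot: The new `{{#if preserve_original_event}}` block only emits a tag; nothing in this hunk, nor in the agent-side processors hunk that follows (which only drops the `ecs.version` add_fields), shows where `event.original` is populated or removed when the tag is absent, so the option's actual effect is not visible in this template. The new pipeline-test fixture for this data stream shows every document tagged `preserve_original_event` carrying `message` but no `event.original`, which suggests the raw copy is produced by the agent-side processors rather than by the ingest pipeline and is therefore never exercised by pipeline tests; please confirm. If that is the case, a template comment above `tags:` such as `{{!-- preserve_original_event only tags the event; event.original is copied by the agent processors below, so pipeline tests cannot verify it --}}` would save the next maintainer the same investigation, and a system test covering both settings would close the gap. It is also worth confirming that the manifest (outside this hunk) defaults `preserve_original_event` to `false`, since keeping a verbatim copy of every syslog line roughly doubles the stored payload.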
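Review bot: The TCP listener in this hunk still binds `host: "{{tcp_host}}:{{tcp_port}}"` and goes straight to `tags:` with no `ssl` section, so NetScreen syslog is accepted in cleartext from any peer that can reach the port; the commit edits this template but leaves that unchanged. Unless an `ssl:` block appears further down the template (outside this hunk), consider exposing the input's TLS settings after `host:`, e.g. `{{#if ssl}}`, `ssl: {{ssl}}`, `{{/if}}`, backed by a matching manifest variable, if other TCP syslog inputs in this repository follow that pattern. The fixtures added in this commit show the kind of data carried on this channel (admin logins, SNMP community names, IKE negotiation details), which argues for protecting it in transit or at least documenting the cleartext-transport caveat in the data stream's README.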
@@ -26347,7 +26350,3 @@ processors: target_subdomain_field: url.subdomain target_etld_field: url.top_level_domain - add_locale: ~ -- add_fields: - target: '' - fields: - ecs.version: 1.9.0 diff --git a/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs index 349cf529249..4508abca9a8 100644 --- a/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs +++ b/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs @@ -1,8 +1,11 @@ udp: host: "{{udp_host}}:{{udp_port}}" tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} {{#each tags as |tag i|}} - - {{tag}} + - {{tag}} {{/each}} fields_under_root: true fields: @@ -26347,7 +26350,3 @@ processors: target_subdomain_field: url.subdomain target_etld_field: url.top_level_domain - add_locale: ~ -- add_fields: - target: '' - fields: - ecs.version: 1.9.0 diff --git a/packages/juniper/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml index 74d2f3cc11a..c98bbe47230 100644 --- a/packages/juniper/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml +++ b/packages/juniper/data_stream/netscreen/elasticsearch/ingest_pipeline/default.yml 
@@ -4,61 +4,69 @@ description: Pipeline for Netscreen processors: # ECS event.ingested - set: - field: event.ingested - value: '{{_ingest.timestamp}}' + field: event.ingested + value: '{{_ingest.timestamp}}' + - set: + field: ecs.version + value: "1.10.0" # User agent - user_agent: - field: user_agent.original - ignore_missing: true + field: user_agent.original + ignore_missing: true # IP Geolocation Lookup - geoip: - field: source.ip - target_field: source.geo - ignore_missing: true + field: source.ip + target_field: source.geo + ignore_missing: true - geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true + field: destination.ip + target_field: destination.geo + ignore_missing: true # IP Autonomous System (AS) Lookup - geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true - geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true - rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true + field: source.as.asn + target_field: source.as.number + ignore_missing: true - rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true - rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true - rename: - field: 
destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true - append: - field: related.hosts - value: '{{host.name}}' - allow_duplicates: false - if: ctx.host?.name != null && ctx.host?.name != '' + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx.host?.name != null && ctx.host?.name != '' + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true on_failure: - append: - field: error.message - value: "{{ _ingest.on_failure_message }}" + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/packages/juniper/data_stream/netscreen/manifest.yml b/packages/juniper/data_stream/netscreen/manifest.yml index f42a8b44e89..078bbfaf446 100644 --- a/packages/juniper/data_stream/netscreen/manifest.yml +++ b/packages/juniper/data_stream/netscreen/manifest.yml @@ -12,7 +12,7 @@ streams: title: Tags multi: true required: true - show_user: false + show_user: true default: - juniper-netscreen - forwarded @@ -54,6 +54,14 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false - input: tcp title: Netscreen logs description: Collect Netscreen logs @@ -64,7 +72,7 @@ streams: title: Tags multi: true required: true - show_user: false + show_user: true default: - juniper-netscreen - forwarded 
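Review bot: The new `remove` processor for `event.original` runs with `ignore_failure: true`, so if its `if` script throws (for example when `ctx.tags` ends up as something other than a List, which the condition does not rule out) the raw event is silently kept rather than dropped, inverting the opt-in semantics of `preserve_original_event`. Because `event.original` is a verbatim copy of the syslog line (the test fixtures in this patch show usernames, internal addresses and policy names inside it), the failure mode should favour removal. Tightening the condition to `if: "ctx?.tags == null || !(ctx.tags instanceof List) || !ctx.tags.contains('preserve_original_event')"` keeps a default-deny outcome without relying on `ignore_failure`. The `ecs.version` now set here replaces the agent-side `add_fields` removed from the `.hbs` templates in this patch, so a one-line comment above the `set` noting that the pipeline is the single source of the ECS version would help the next maintainer keep the two in sync.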
@@ -106,6 +114,14 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false - input: logfile enabled: false title: Netscreen logs @@ -125,7 +141,7 @@ streams: title: Tags multi: true required: true - show_user: false + show_user: true default: - juniper-netscreen - forwarded @@ -153,3 +169,11 @@ streams: required: false show_user: false default: false + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false \ No newline at end of file diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.yml b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json index 6e4b0a8a3cc..542aae6c705 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json @@ -52,6 +52,9 @@ "url": { "domain": "www.mytest.com" }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "6" }, @@ -68,6 +71,9 @@ } }, "@timestamp": "2013-12-14T16:06:59.134Z", + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "user1" 
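Review bot: The `preserve_original_event` description tells the user what field is populated but not what that implies: `event.original` stores the complete raw log line (credentials-bearing or user-identifying content included, as the fixtures in this patch show) and roughly doubles the indexed size of each document, which is the information an operator needs before enabling it. Something like `description: Preserves a raw copy of the original event in the field `event.original`. This stores the full unparsed log line and increases storage; enable only when the raw text is needed for audit or troubleshooting.` on each of the three stream definitions would cover that. The diff also drops the trailing newline on `manifest.yml`, which is worth restoring for clean future diffs.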
@@ -86,8 +92,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:53:53.885214344Z", - "original": "http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"", + "ingested": "2021-06-01T14:54:21.479336300Z", + "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]", "kind": "alert", "module": "juniper", "action": "malware_detected", @@ -112,6 +118,9 @@ "vendor": "Juniper" }, "@timestamp": "2016-09-20T17:43:30.330Z", + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "admin" 
@@ -146,8 +155,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:53:53.885217270Z", - "original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"", + "ingested": "2021-06-01T14:54:21.479359800Z", + "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]", "kind": "alert", "module": "juniper", "action": "malware_detected", @@ -162,7 +171,10 @@ ], "dataset": "juniper.srx", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "observer": { @@ -172,6 +184,9 @@ "vendor": "Juniper" }, "@timestamp": "2016-09-20T17:40:30.050Z", + "ecs": { + "version": "1.10.0" + }, "related": { "hosts": [ "host.example.com" 
@@ -203,8 +218,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:53:53.885218583Z", - "original": "timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"", + "ingested": "2021-06-01T14:54:21.479365500Z", + "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]", "kind": "alert", "module": "juniper", "category": [ @@ -217,7 +232,10 @@ ], "dataset": "juniper.srx", "outcome": "success" - } + }, + "tags": [ + "preserve_original_event" + ] }, { "server": { @@ -268,6 +286,9 @@ "tag": "AAMW_ACTION_LOG" } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "6" }, @@ -284,6 +305,9 @@ } }, "@timestamp": "2007-02-15T09:17:15.719Z", + "ecs": { + "version": "1.10.0" + }, "related": { "hosts": [ "dummy_host" 
@@ -299,8 +323,8 @@ }, "event": { "severity": 165, - "ingested": "2021-04-23T12:53:53.885219718Z", - "original": "hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"", + "ingested": "2021-06-01T14:54:21.479370400Z", + "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]", "kind": "event", "module": "juniper", "category": [ diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-common-config.yml b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..e74affa452f --- /dev/null +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event \ No newline at end of file 
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-config.yml b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json index 1bf8e3cfa7d..016fa5dcb01 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json @@ -40,6 +40,9 @@ "service_name": "icmp" } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "1" }, @@ -59,6 +62,9 @@ } }, "@timestamp": "2019-11-14T08:37:51.184Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "10.0.0.1", 
@@ -74,8 +80,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:53:54.642169965Z", - "original": "source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "ingested": "2021-06-01T14:54:22.141868Z", + "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", "module": "juniper", 
@@ -122,6 +128,9 @@ "tag": "RT_FLOW_SESSION_DENY" } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "17" }, @@ -141,6 +150,9 @@ } }, "@timestamp": "2019-11-14T10:12:46.573Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "10.0.0.26", @@ -153,8 +165,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:53:54.642173450Z", - "original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"", + "ingested": "2021-06-01T14:54:22.141888700Z", + "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", "module": "juniper", @@ -224,6 +236,9 @@ "encrypted": "No " } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "6" }, 
@@ -243,6 +258,9 @@ } }, "@timestamp": "2014-05-01T08:26:51.179Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "1.2.3.4", @@ -255,8 +273,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:53:54.642174806Z", - "original": "source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"", + "ingested": "2021-06-01T14:54:22.141893300Z", + "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]", "kind": "event", "module": "juniper", "action": "flow_deny", @@ -343,6 +361,9 @@ "encrypted": "No " } }, + "tags": [ + "preserve_original_event" + ], "network": { "bytes": 94, "iana_number": "17", @@ -364,6 +385,9 @@ } }, "@timestamp": "2014-05-01T08:28:10.933Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "1.2.3.4", 
@@ -381,7 +405,7 @@ }, "event": { "severity": 14, - "original": "reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"", + "original": "\u003c14\u003e1 2014-05-01T08:28:10.933Z fw01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason=\"unset\" source-address=\"1.2.3.4\" source-port=\"63456\" destination-address=\"5.6.7.8\" destination-port=\"902\" service-name=\"None\" nat-source-address=\"1.2.3.4\" nat-source-port=\"63456\" nat-destination-address=\"5.6.7.8\" nat-destination-port=\"902\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"17\" policy-name=\"mngmt-to-vcenter\" source-zone-name=\"mngmt\" destination-zone-name=\"intra\" session-id-32=\"15353\" packets-from-client=\"1\" bytes-from-client=\"94\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"60\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth3.5\" encrypted=\"No \"]", "kind": "event", "module": "juniper", "start": "2014-05-01T08:28:10.933Z", @@ -391,7 +415,7 @@ "connection" ], "duration": 60000000000, - "ingested": "2021-04-23T12:53:54.642175997Z", + "ingested": "2021-06-01T14:54:22.141896700Z", "action": "flow_close", "end": "2014-05-01T08:29:10.933Z", "category": [ 
@@ -457,6 +481,9 @@ "service_name": "icmp" } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "1" }, @@ -476,6 +503,9 @@ } }, "@timestamp": "2013-11-04T16:23:09.264Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "50.0.0.100", @@ -491,8 +521,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:53:54.642177194Z", - "original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"", + "ingested": "2021-06-01T14:54:22.141899900Z", + "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "module": "juniper", "action": "flow_started", @@ -555,6 +585,9 @@ "service_name": "icmp" } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "1" }, 
@@ -574,6 +607,9 @@ } }, "@timestamp": "2010-09-30T06:55:04.323Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.0.2.1", @@ -590,8 +626,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:53:54.642178357Z", - "original": "source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"", + "ingested": "2021-06-01T14:54:22.141903100Z", + "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "module": "juniper", "action": "flow_started", @@ -661,6 +697,9 @@ "service_name": "icmp" } }, + "tags": [ + "preserve_original_event" + ], "network": { "bytes": 168, "iana_number": "1", @@ -682,6 +721,9 @@ } }, "@timestamp": "2010-09-30T06:55:07.188Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.0.2.1", 
@@ -700,7 +742,7 @@ }, "event": { "severity": 14, - "original": "reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"", + "original": "\u003c14\u003e1 2010-09-30T14:55:07.188+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2626.192.0.2.1.40 reason=\"response received\" source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packets-from-client=\"1\" bytes-from-client=\"84\" packets-from-server=\"1\" bytes-from-server=\"84\" elapsed-time=\"0\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "module": "juniper", "start": "2010-09-30T06:55:07.188Z", @@ -710,7 +752,7 @@ "connection" ], "duration": 0, - "ingested": "2021-04-23T12:53:54.642179516Z", + "ingested": "2021-06-01T14:54:22.141906Z", "action": "flow_close", "end": "2010-09-30T06:55:07.188Z", "category": [ @@ -788,6 +830,9 @@ "src_nat_rule_type": "source rule" } }, + "tags": [ + "preserve_original_event" + ], "network": { "bytes": 872, "iana_number": "6", 
@@ -809,6 +854,9 @@ } }, "@timestamp": "2019-04-12T14:29:06.576Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "10.3.255.203", 
@@ -827,7 +875,7 @@ }, "event": { "severity": 14, - "original": "reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"", + "original": "\u003c14\u003e1 2019-04-12T14:29:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"TCP FIN\" source-address=\"10.3.255.203\" source-port=\"47776\" destination-address=\"8.23.224.110\" destination-port=\"80\" connection-tag=\"0\" service-name=\"junos-http\" nat-source-address=\"10.3.136.49\" nat-source-port=\"19162\" nat-destination-address=\"8.23.224.110\" nat-destination-port=\"80\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"nat1\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit_all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"5\" packets-from-client=\"6\" bytes-from-client=\"337\" packets-from-server=\"4\" bytes-from-server=\"535\" elapsed-time=\"1\" application=\"HTTP\" 
nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/0.0\" encrypted=\"No\" application-category=\"Web\" application-sub-category=\"N/A\" application-risk=\"4\" application-characteristics=\"Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling;\"]", "risk_score": 4.0, "kind": "event", "module": "juniper", @@ -838,7 +886,7 @@ "connection" ], "duration": 1000000000, - "ingested": "2021-04-23T12:53:54.642180699Z", + "ingested": "2021-06-01T14:54:22.141909700Z", "action": "flow_close", "end": "2019-04-12T14:29:07.576Z", "category": [ @@ -893,6 +941,9 @@ "service_name": "junos-smb" } }, + "tags": [ + "preserve_original_event" + ], "network": { "bytes": 5849, "iana_number": "6", @@ -914,6 +965,9 @@ } }, "@timestamp": "2019-04-13T14:33:06.576Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.2.164", 
@@ -931,7 +985,7 @@ }, "event": { "severity": 14, - "original": "reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"", + "original": "\u003c14\u003e1 2019-04-13T14:33:06.576Z cixi RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.58 reason=\"TCP RST\" source-address=\"192.168.2.164\" source-port=\"53232\" destination-address=\"172.16.1.19\" destination-port=\"445\" service-name=\"junos-smb\" nat-source-address=\"192.168.2.164\" nat-source-port=\"53232\" nat-destination-address=\"172.16.1.19\" nat-destination-port=\"445\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"35\" source-zone-name=\"Trust\" destination-zone-name=\"Trust\" session-id-32=\"206\" packets-from-client=\"13\" bytes-from-client=\"4274\" packets-from-server=\"9\" bytes-from-server=\"1575\" elapsed-time=\"16\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/2.0\"]", "kind": "event", "module": "juniper", "start": "2019-04-13T14:33:06.576Z", @@ -941,7 +995,7 @@ "connection" ], "duration": 16000000000, - "ingested": "2021-04-23T12:53:54.642181857Z", + "ingested": "2021-06-01T14:54:22.141912800Z", "action": "flow_close", "end": "2019-04-13T14:33:22.576Z", "category": [ 
@@ -1031,6 +1085,9 @@ "src_nat_rule_type": "source rule" } }, + "tags": [ + "preserve_original_event" + ], "network": { "bytes": 208, "iana_number": "17", @@ -1052,6 +1109,9 @@ } }, "@timestamp": "2018-10-07T01:32:20.898Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "100.73.10.92", 
@@ -1070,7 +1130,7 @@
 },
 "event": {
 "severity": 14,
- "original": "reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"",
+ "original": "\u003c14\u003e1 2018-10-07T01:32:20.898Z TestFW2 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.34 reason=\"idle Timeout\" source-address=\"100.73.10.92\" source-port=\"52890\" destination-address=\"58.68.126.198\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"58.78.140.131\" nat-source-port=\"11152\" nat-destination-address=\"58.68.126.198\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"NAT_S\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"NAT\" source-zone-name=\"Gi_nat\" destination-zone-name=\"Internet\" session-id-32=\"220368889\" packets-from-client=\"1\" bytes-from-client=\"72\" packets-from-server=\"1\" bytes-from-server=\"136\" elapsed-time=\"8\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.108\" encrypted=\"UNKNOWN\"]",
 "kind": "event",
 "module": "juniper",
 "start": "2018-10-07T01:32:20.898Z",
@@ -1080,7 +1140,7 @@
 "connection"
 ],
 "duration": 8000000000,
- "ingested": "2021-04-23T12:53:54.642183044Z",
+ "ingested": "2021-06-01T14:54:22.141915600Z",
 "action": "flow_close",
 "end": "2018-10-07T01:32:28.898Z",
 "category": [
@@ -1152,6 +1212,9 @@
 "src_nat_rule_type": "source rule"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 183,
 "iana_number": "17",
@@ -1173,6 +1236,9 @@
 }
 },
 "@timestamp": "2018-06-30T02:17:22.753Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "192.168.255.2",
@@ -1191,7 +1257,7 @@
 },
 "event": {
 "severity": 14,
- "original": "reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"",
+ "original": "\u003c14\u003e1 2018-06-30T02:17:22.753Z fw0001 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason=\"idle Timeout\" source-address=\"192.168.255.2\" source-port=\"62047\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" nat-source-address=\"192.168.0.47\" nat-source-port=\"20215\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"rule001\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"trust-to-untrust-001\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"9621\" packets-from-client=\"1\" bytes-from-client=\"67\" packets-from-server=\"1\" bytes-from-server=\"116\" elapsed-time=\"3\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"fe-0/0/1.0\" encrypted=\"UNKNOWN\"]",
 "kind": "event",
 "module": "juniper",
 "start": "2018-06-30T02:17:22.753Z",
@@ -1201,7 +1267,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-04-23T12:53:54.642184220Z",
+ "ingested": "2021-06-01T14:54:22.141918700Z",
 "action": "flow_close",
 "end": "2018-06-30T02:17:25.753Z",
 "category": [
@@ -1259,6 +1325,9 @@
 "tag": "RT_FLOW_SESSION_CLOSE"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 0,
 "iana_number": "6",
@@ -1280,6 +1349,9 @@
 }
 },
 "@timestamp": "2015-09-25T14:19:53.846Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "10.164.110.223",
@@ -1299,7 +1371,7 @@
 },
 "event": {
 "severity": 14,
- "original": "reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"",
+ "original": "\u003c14\u003e1 2015-09-25T14:19:53.846Z VPNBox-A RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason=\"application failure or action\" source-address=\"10.164.110.223\" source-port=\"9057\" destination-address=\"10.104.12.161\" destination-port=\"21\" service-name=\"junos-ftp\" nat-source-address=\"10.9.1.150\" nat-source-port=\"58020\" nat-destination-address=\"10.12.70.1\" nat-destination-port=\"21\" src-nat-rule-name=\"SNAT-Policy5\" dst-nat-rule-name=\"NAT-Policy10\" protocol-id=\"6\" policy-name=\"FW-FTP\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"24311\" packets-from-client=\"0\" bytes-from-client=\"0\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"1\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth0.0\" encrypted=\"No \"]",
 "kind": "event",
 "module": "juniper",
 "start": "2015-09-25T14:19:53.846Z",
@@ -1309,7 +1381,7 @@
 "connection"
 ],
 "duration": 1000000000,
- "ingested": "2021-04-23T12:53:54.642185557Z",
+ "ingested": "2021-06-01T14:54:22.141921700Z",
 "action": "flow_close",
 "end": "2015-09-25T14:19:54.846Z",
 "category": [
@@ -1391,6 +1463,9 @@
 "service_name": "junos-ftp"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "iana_number": "6"
 },
@@ -1407,6 +1482,9 @@
 }
 },
 "@timestamp": "2013-01-19T15:18:17.040Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "192.168.224.30",
@@ -1423,8 +1501,8 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-04-23T12:53:54.642186785Z",
- "original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
+ "ingested": "2021-06-01T14:54:22.141925Z",
+ "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
 "action": "flow_started",
@@ -1518,6 +1596,9 @@
 "service_name": "junos-ftp"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 48,
 "iana_number": "6",
@@ -1536,6 +1617,9 @@
 }
 },
 "@timestamp": "2013-01-19T15:18:17.040Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "192.168.224.30",
@@ -1554,7 +1638,7 @@
 },
 "event": {
 "severity": 14,
- "original": "source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
+ "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.41 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"1\" bytes-from-client=\"48\" packets-from-server=\"0\" bytes-from-server=\"0\" elapsed-time=\"0\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
 "start": "2013-01-19T15:18:17.040Z",
@@ -1564,7 +1648,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-04-23T12:53:54.642187923Z",
+ "ingested": "2021-06-01T14:54:22.141928100Z",
 "action": "flow_started",
 "end": "2013-01-19T15:18:17.040Z",
 "category": [
@@ -1654,6 +1738,9 @@
 "tag": "APPTRACK_SESSION_CLOSE"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 248,
 "iana_number": "6",
@@ -1672,6 +1759,9 @@
 }
 },
 "@timestamp": "2013-01-19T15:18:17.040Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "192.168.224.30",
@@ -1690,7 +1780,7 @@
 },
 "event": {
 "severity": 14,
- "original": "reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"",
+ "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.41 reason=\"application failure or action\" source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"FTP\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" packets-from-client=\"3\" bytes-from-client=\"144\" packets-from-server=\"2\" bytes-from-server=\"104\" elapsed-time=\"1\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
 "start": "2013-01-19T15:18:17.040Z",
@@ -1700,7 +1790,7 @@
 "connection"
 ],
 "duration": 1000000000,
- "ingested": "2021-04-23T12:53:54.642189088Z",
+ "ingested": "2021-06-01T14:54:22.141931100Z",
 "action": "flow_close",
 "end": "2013-01-19T15:18:18.040Z",
 "category": [
@@ -1792,6 +1882,9 @@
 "nested_application": "FACEBOOK-SOCIALRSS"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 706024,
 "iana_number": "6",
@@ -1813,6 +1906,9 @@
 }
 },
 "@timestamp": "2013-01-19T15:18:18.040Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "user": [
 "user1"
@@ -1833,7 +1929,7 @@
 },
 "event": {
 "severity": 14,
- "original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”",
+ "original": "\u003c14\u003e1 2013-01-19T15:18:18.040 SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" packets-from-client=\"371\" bytes-from-client=\"19592\" packets-from-server=\"584\" bytes-from-server=\"686432\" elapsed-time=\"60\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]",
 "kind": "event",
 "module": "juniper",
 "start": "2013-01-19T15:18:18.040Z",
@@ -1843,7 +1939,7 @@
 "connection"
 ],
 "duration": 60000000000,
- "ingested": "2021-04-23T12:53:54.642198613Z",
+ "ingested": "2021-06-01T14:54:22.141934Z",
 "action": "flow_started",
 "end": "2013-01-19T15:19:18.040Z",
 "category": [
@@ -1932,6 +2028,9 @@
 "nested_application": "FACEBOOK-SOCIALRSS"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "iana_number": "6"
 },
@@ -1951,6 +2050,9 @@
 }
 },
 "@timestamp": "2013-01-19T15:18:19.040Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "user": [
 "user1"
@@ -1969,8 +2071,8 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-04-23T12:53:54.642200518Z",
- "original": "source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”",
+ "ingested": "2021-06-01T14:54:22.141936800Z",
+ "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]",
 "kind": "event",
 "module": "juniper",
 "action": "flow_started",
@@ -2067,6 +2169,9 @@
 "tag": "APPTRACK_SESSION_CLOSE"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 1038,
 "iana_number": "6",
@@ -2088,6 +2193,9 @@
 }
 },
 "@timestamp": "2013-01-19T15:18:20.040Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "user": [
 "user1"
@@ -2108,7 +2216,7 @@
 },
 "event": {
 "severity": 14,
- "original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”",
+ "original": "\u003c14\u003e1 2013-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]",
 "kind": "event",
 "module": "juniper",
 "start": "2013-01-19T15:18:20.040Z",
@@ -2118,7 +2226,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-04-23T12:53:54.642201959Z",
+ "ingested": "2021-06-01T14:54:22.141940100Z",
 "action": "flow_close",
 "end": "2013-01-19T15:18:23.040Z",
 "category": [
@@ -2184,6 +2292,9 @@
 "service_name": "icmp"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "iana_number": "1"
 },
@@ -2203,6 +2314,9 @@
 }
 },
 "@timestamp": "2020-11-04T16:23:09.264Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "50.0.0.100",
@@ -2218,8 +2332,8 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-04-23T12:53:54.642203225Z",
- "original": "source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"",
+ "ingested": "2021-06-01T14:54:22.141943Z",
+ "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]",
 "kind": "event",
 "module": "juniper",
 "action": "flow_started",
@@ -2265,6 +2379,9 @@
 "tag": "RT_FLOW_SESSION_DENY_LS"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "iana_number": "17"
 },
@@ -2284,6 +2401,9 @@
 }
 },
 "@timestamp": "2020-11-14T10:12:46.573Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "10.0.0.26",
@@ -2296,8 +2416,8 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-04-23T12:53:54.642204441Z",
- "original": "source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"",
+ "ingested": "2021-06-01T14:54:22.141945900Z",
+ "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
 "module": "juniper",
@@ -2394,6 +2514,9 @@
 "tag": "APPTRACK_SESSION_CLOSE_LS"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 1038,
 "iana_number": "6",
@@ -2415,6 +2538,9 @@
 }
 },
 "@timestamp": "2020-01-19T15:18:20.040Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "user": [
 "user1"
@@ -2435,7 +2561,7 @@
 },
 "event": {
 "severity": 14,
- "original": "reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”",
+ "original": "\u003c14\u003e1 2020-01-19T15:18:20.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE_LS [junos@2636.1.1.1.2.129 reason=\"TCP CLIENT RST\" source-address=\"4.0.0.1\" source-port=\"48873\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"4.0.0.1\" nat-source-port=\"48873\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"32\" packets-from-client=\"5\" bytes-from-client=\"392\" packets-from-server=\"3\" bytes-from-server=\"646\" elapsed-time=\"3\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" destination-interface-name=”st0.0” apbr-rule-type=”default”]",
 "kind": "event",
 "module": "juniper",
 "start": "2020-01-19T15:18:20.040Z",
@@ -2445,7 +2571,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-04-23T12:53:54.642205775Z",
+ "ingested": "2021-06-01T14:54:22.141948700Z",
 "action": "flow_close",
 "end": "2020-01-19T15:18:23.040Z",
 "category": [
@@ -2519,6 +2645,9 @@
 "service_name": "junos-http"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 4454,
 "iana_number": "6",
@@ -2540,6 +2669,9 @@
 }
 },
 "@timestamp": "2020-07-14T14:17:11.928Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "10.1.1.100",
@@ -2558,7 +2690,7 @@
 },
 "event": {
 "severity": 14,
- "original": "source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
+ "original": "\u003c14\u003e1 2020-07-14T14:17:11.928Z SRX100HM RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address=\"10.1.1.100\" source-port=\"58943\" destination-address=\"46.165.154.241\" destination-port=\"80\" service-name=\"junos-http\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"6018\" nat-destination-address=\"46.165.154.241\" nat-destination-port=\"80\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"16118\" packets-from-client=\"42\" bytes-from-client=\"2322\" packets-from-server=\"34\" bytes-from-server=\"2132\" elapsed-time=\"60\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" destination-interface-name=\"ge-0/0/0.0\" category=\"N/A\" sub-category=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
 "start": "2020-07-14T14:17:11.928Z",
@@ -2568,7 +2700,7 @@
 "connection"
 ],
 "duration": 60000000000,
- "ingested": "2021-04-23T12:53:54.642207037Z",
+ "ingested": "2021-06-01T14:54:22.141951600Z",
 "action": "flow_started",
 "end": "2020-07-14T14:18:11.928Z",
 "category": [
@@ -2651,6 +2783,9 @@
 "src_nat_rule_type": "source rule"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "bytes": 19200,
 "iana_number": "6",
@@ -2672,6 +2807,9 @@
 }
 },
 "@timestamp": "2020-07-13T16:43:05.041Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "10.1.1.100",
@@ -2690,7 +2828,7 @@
 },
 "event": {
 "severity": 14,
- "original": "reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"",
+ "original": "\u003c14\u003e1 2020-07-13T16:43:05.041Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"idle Timeout\" source-address=\"10.1.1.100\" source-port=\"64720\" destination-address=\"91.228.167.172\" destination-port=\"8883\" connection-tag=\"0\" service-name=\"None\" nat-source-address=\"172.19.34.100\" nat-source-port=\"24519\" nat-destination-address=\"91.228.167.172\" nat-destination-port=\"8883\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"3851\" packets-from-client=\"161\" bytes-from-client=\"9530\" packets-from-server=\"96\" bytes-from-server=\"9670\" elapsed-time=\"23755\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" secure-web-proxy-session-type=\"NA\" peer-session-id=\"0\" peer-source-address=\"0.0.0.0\" peer-source-port=\"0\" peer-destination-address=\"0.0.0.0\" peer-destination-port=\"0\" hostname=\"NA NA\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
 "module": "juniper",
@@ -2701,7 +2839,7 @@
 "connection"
 ],
 "duration": 23755000000000,
- "ingested": "2021-04-23T12:53:54.642208304Z",
+ "ingested": "2021-06-01T14:54:22.141954500Z",
 "action": "flow_close",
 "end": "2020-07-13T23:19:00.041Z",
 "category": [
@@ -2768,6 +2906,9 @@
 "src_nat_rule_type": "source rule"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "iana_number": "17"
 },
@@ -2787,6 +2928,9 @@
 }
 },
 "@timestamp": "2020-07-13T16:12:05.530Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "10.1.1.100",
@@ -2803,8 +2947,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:53:54.642209672Z", - "original": "source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "ingested": "2021-06-01T14:54:22.141957300Z", + "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" 
application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", "module": "juniper", @@ -2886,6 +3030,9 @@ "tag": "APPTRACK_SESSION_CLOSE" } }, + "tags": [ + "preserve_original_event" + ], "network": { "bytes": 148, "iana_number": "17", @@ -2907,6 +3054,9 @@ } }, "@timestamp": "2020-07-13T16:12:05.530Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "10.1.1.100", 
@@ -2925,7 +3075,7 @@ }, "event": { "severity": 14, - "original": "reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"", + "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason=\"Closed by junos-alg\" source-address=\"10.1.1.100\" source-port=\"63381\" destination-address=\"8.8.8.8\" destination-port=\"53\" service-name=\"junos-dns-udp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"172.19.34.100\" nat-source-port=\"26764\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15361\" packets-from-client=\"1\" bytes-from-client=\"66\" packets-from-server=\"1\" bytes-from-server=\"82\" elapsed-time=\"3\" username=\"N/A\" roles=\"N/A\" encrypted=\"No\" profile-name=\"N/A\" rule-name=\"N/A\" 
routing-instance=\"default\" destination-interface-name=\"ge-0/0/0.0\" uplink-incoming-interface-name=\"N/A\" uplink-tx-bytes=\"0\" uplink-rx-bytes=\"0\" category=\"N/A\" sub-category=\"N/A\" apbr-policy-name=\"N/A\" multipath-rule-name=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "kind": "event", "module": "juniper", "start": "2020-07-13T16:12:05.530Z", @@ -2935,7 +3085,7 @@ "connection" ], "duration": 3000000000, - "ingested": "2021-04-23T12:53:54.642210884Z", + "ingested": "2021-06-01T14:54:22.141960300Z", "action": "flow_close", "end": "2020-07-13T16:12:08.530Z", "category": [ diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-config.yml b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json index 991d34e555f..2a86115ce3a 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json @@ -60,6 +60,9 @@ "epoch_time": "1583190783" } }, + "tags": [ + "preserve_original_event" + ], "network": { "protocol": "TCP" }, @@ -82,6 +85,9 @@ } }, "@timestamp": "2020-03-02T23:13:03.193Z", + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "unknown-user" 
@@ -104,7 +110,7 @@ }, "event": { "severity": 165, - "original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "original": "\u003c165\u003e1 2020-03-02T23:13:03.193Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"HTTP:MISC:GENERIC-DIR-TRAVERSAL\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" 
message=\"-\"]", "kind": "alert", "module": "juniper", "start": "2020-03-02T23:13:03.193Z", @@ -114,7 +120,7 @@ "connection" ], "duration": 0, - "ingested": "2021-04-23T12:54:02.069698343Z", + "ingested": "2021-06-01T14:54:26.593230900Z", "action": "security_threat", "end": "2020-03-02T23:13:03.193Z", "category": [ @@ -185,6 +191,9 @@ "epoch_time": "1583190783" } }, + "tags": [ + "preserve_original_event" + ], "network": { "protocol": "TCP" }, @@ -207,6 +216,9 @@ } }, "@timestamp": "2020-03-02T23:13:03.197Z", + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "unknown-user" 
@@ -229,7 +241,7 @@ }, "event": { "severity": 165, - "original": "epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" message=\"-\"", + "original": "\u003c165\u003e1 2020-03-02T23:13:03.197Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.28 epoch-time=\"1583190783\" message-type=\"SIG\" source-address=\"10.11.11.1\" source-port=\"12345\" destination-address=\"187.188.188.10\" destination-port=\"123\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"3\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"20175\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"CRITICAL\" attack-name=\"TCP:C2S:AMBIG:C2S-SYN-DATA\" nat-source-address=\"0.0.0.0\" nat-source-port=\"13312\" nat-destination-address=\"3.3.10.11\" nat-destination-port=\"9757\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"UNTRUST\" source-interface-name=\"reth1.24\" destination-zone-name=\"DMZ\" destination-interface-name=\"reth2.21\" packet-log-id=\"0\" alert=\"no\" username=\"unknown-user\" roles=\"N/A\" index=\"cnm\" type=\"idp\" 
message=\"-\"]", "kind": "alert", "module": "juniper", "start": "2020-03-02T23:13:03.197Z", @@ -239,7 +251,7 @@ "connection" ], "duration": 0, - "ingested": "2021-04-23T12:54:02.069702133Z", + "ingested": "2021-06-01T14:54:26.593251500Z", "action": "security_threat", "end": "2020-03-02T23:13:03.197Z", "category": [ @@ -305,6 +317,9 @@ "epoch_time": "1507845354" } }, + "tags": [ + "preserve_original_event" + ], "network": { "protocol": "TCP" }, @@ -327,6 +342,9 @@ } }, "@timestamp": "2007-02-15T09:17:15.719Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "183.78.180.27", 
@@ -346,7 +364,7 @@ }, "event": { "severity": 165, - "original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.111.1\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.19.13.11\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", "kind": "alert", 
"module": "juniper", "start": "2007-02-15T09:17:15.719Z", @@ -356,7 +374,7 @@ "connection" ], "duration": 0, - "ingested": "2021-04-23T12:54:02.069703787Z", + "ingested": "2021-06-01T14:54:26.593255800Z", "action": "security_threat", "end": "2007-02-15T09:17:15.719Z", "category": [ @@ -422,6 +440,9 @@ "epoch_time": "1507845354" } }, + "tags": [ + "preserve_original_event" + ], "network": { "protocol": "TCP" }, @@ -444,6 +465,9 @@ } }, "@timestamp": "2017-10-12T21:55:55.792Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "183.78.180.27", 
@@ -463,7 +487,7 @@ }, "event": { "severity": 165, - "original": "epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"", + "original": "\u003c165\u003e1 2017-10-13T08:55:55.792+11:00 idp1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.135 epoch-time=\"1507845354\" message-type=\"SIG\" source-address=\"183.78.180.27\" source-port=\"45610\" destination-address=\"118.127.30.11\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"SERVICE_IDP\" application-name=\"HTTP\" rule-name=\"9\" rulebase-name=\"IPS\" policy-name=\"Recommended\" export-id=\"15229\" repeat-count=\"0\" action=\"DROP\" threat-severity=\"HIGH\" attack-name=\"TROJAN:ZMEU-BOT-SCAN\" nat-source-address=\"0.0.0.0\" nat-source-port=\"0\" nat-destination-address=\"172.16.1.10\" nat-destination-port=\"0\" elapsed-time=\"0\" inbound-bytes=\"0\" outbound-bytes=\"0\" inbound-packets=\"0\" outbound-packets=\"0\" source-zone-name=\"sec-zone-name-internet\" source-interface-name=\"reth0.11\" destination-zone-name=\"dst-sec-zone1-outside\" destination-interface-name=\"reth1.1\" packet-log-id=\"0\" alert=\"no\" username=\"N/A\" roles=\"N/A\" message=\"-\"]", "kind": "alert", 
"module": "juniper", "start": "2017-10-12T21:55:55.792Z", @@ -473,7 +497,7 @@ "connection" ], "duration": 0, - "ingested": "2021-04-23T12:54:02.069705216Z", + "ingested": "2021-06-01T14:54:26.593258800Z", "action": "security_threat", "end": "2017-10-12T21:55:55.792Z", "category": [ @@ -512,6 +536,9 @@ } }, "message": "Connection rate exceeded limit 60", + "tags": [ + "preserve_original_event" + ], "network": { "protocol": "TCP" }, @@ -528,6 +555,9 @@ } }, "@timestamp": "2011-10-23T02:06:26.544Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "172.27.14.203" @@ -535,8 +565,8 @@ }, "event": { "severity": 165, - "ingested": "2021-04-23T12:54:02.069706609Z", - "original": "epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"", + "ingested": "2021-06-01T14:54:26.593262Z", + "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]", "kind": "alert", "module": "juniper", "action": "application_ddos", @@ -593,6 +623,9 @@ "time_period": "60" } }, + "tags": [ + "preserve_original_event" + ], "network": { "protocol": "TCP" }, @@ -615,6 +648,9 @@ } }, "@timestamp": "2011-10-23T16:28:31.696Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "192.168.14.214", 
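Review bot: The `@timestamp` of `2011-10-23T02:06:26.544Z` expected in this hunk is derived from a syslog header (`2011-10-23T02:06:26.544`) that carries no zone offset, so the pipeline is silently treating an offset-less device time as UTC; the same message's `epoch-time="1319367986"` resolves to 2011-10-23T11:06:26Z, nine hours later, and the two IDP_APPDDOS_APP_ATTACK events that follow show the same gap. The RT_IDS cases in this patch convert explicit `-05:00`/`+02:00` offsets correctly, so the problem is only the offset-less form, which is the one that will skew correlation and retention windows on a real deployment. I would either have the pipeline prefer `epoch-time` for `@timestamp` when the header has no offset, or state the assumption in the data stream docs with something like `Syslog timestamps that carry no zone offset are interpreted as UTC; configure the device to log with an offset or set the timezone option accordingly.` I cannot tell from this view whether the manifest change in this patch adds a timezone variable, so the wording should match whatever it exposes.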
@@ -627,8 +663,8 @@ }, "event": { "severity": 165, - "ingested": "2021-04-23T12:54:02.069708001Z", - "original": "epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "ingested": "2021-06-01T14:54:26.593264700Z", + "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "module": "juniper", "action": "application_ddos", @@ -685,6 +721,9 @@ "time_period": "60" } }, + "tags": [ + "preserve_original_event" + ], "network": { "protocol": "TCP" }, @@ -707,6 +746,9 @@ } }, "@timestamp": "2012-10-23T17:28:31.696Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "193.168.14.214", 
@@ -719,8 +761,8 @@ }, "event": { "severity": 165, - "ingested": "2021-04-23T12:54:02.069709442Z", - "original": "epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"", + "ingested": "2021-06-01T14:54:26.593267300Z", + "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "module": "juniper", "action": "application_ddos", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-config.yml b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-config.yml deleted file mode 100644 index c39dc386179..00000000000 
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json index cd5555132e2..b14a275e88d 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json @@ -56,6 +56,9 @@ "tag": "RT_SCREEN_TCP" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "rtr199", "ingress": { @@ -69,6 +72,9 @@ "vendor": "Juniper" }, "@timestamp": "2018-07-19T23:17:02.309Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "113.113.17.17", @@ -81,8 +87,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302172051Z", - "original": "attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839593400Z", + "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "sweep_detected", @@ -123,6 +129,9 @@ "tag": "RT_SCREEN_TCP" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "rtr199", "ingress": { @@ -136,6 +145,9 @@ "vendor": "Juniper" }, "@timestamp": "2018-07-19T23:18:02.309Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "2000:0000:0000:0000:0000:0000:0000:0002", 
@@ -148,8 +160,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302175793Z", - "original": "attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839609100Z", + "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "attack_detected", @@ -220,6 +232,9 @@ "tag": "RT_SCREEN_TCP" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "rtr199", "ingress": { @@ -233,6 +248,9 @@ "vendor": "Juniper" }, "@timestamp": "2018-07-19T23:19:02.309Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "1.1.1.2", @@ -245,8 +263,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302177391Z", - "original": "attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839613500Z", + "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "flood_detected", 
@@ -317,6 +335,9 @@ "tag": "RT_SCREEN_UDP" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "rtr199", "ingress": { @@ -330,6 +351,9 @@ "vendor": "Juniper" }, "@timestamp": "2018-07-19T23:22:02.309Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "111.1.1.3", @@ -342,8 +366,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302178856Z", - "original": "attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839616600Z", + "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "flood_detected", @@ -411,6 +435,9 @@ "tag": "RT_SCREEN_ICMP" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "rtr199", "ingress": { @@ -424,6 +451,9 @@ "vendor": "Juniper" }, "@timestamp": "2018-07-19T23:25:02.309Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "111.1.1.3", 
@@ -435,8 +465,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302180243Z", - "original": "attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839619700Z", + "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "fragment_detected", @@ -504,6 +534,9 @@ "tag": "RT_SCREEN_IP" } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "1" }, @@ -520,6 +553,9 @@ "vendor": "Juniper" }, "@timestamp": "2018-07-19T23:26:02.309Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "111.1.1.3", @@ -531,8 +567,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302181632Z", - "original": "attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839622600Z", + "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "category": [ @@ -569,6 +605,9 @@ "tag": "RT_SCREEN_IP" } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "1" }, @@ -585,6 +624,9 @@ "vendor": "Juniper" }, "@timestamp": "2018-07-19T23:27:02.309Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "1212::12", 
@@ -596,8 +638,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302183056Z", - "original": "attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839625Z", + "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "tunneling_screen", @@ -659,6 +701,9 @@ "tag": "RT_SCREEN_IP" } }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "1" }, @@ -675,6 +720,9 @@ "vendor": "Juniper" }, "@timestamp": "2018-07-19T23:28:02.309Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "12.12.12.1", @@ -686,8 +734,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302184434Z", - "original": "attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839628Z", + "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "tunneling_screen", 
@@ -708,24 +756,6 @@ "server": { "ip": "2.2.2.2" }, - "observer": { - "name": "rtr199", - "ingress": { - "interface": { - "name": "ge-0/0/1.0" - }, - "zone": "trustZone" - }, - "product": "SRX", - "type": "firewall", - "vendor": "Juniper" - }, - "@timestamp": "2018-07-20T00:19:02.309Z", - "related": { - "ip": [ - "2.2.2.2" - ] - }, "log": { "level": "error" }, @@ -755,10 +785,34 @@ "tag": "RT_SCREEN_TCP_DST_IP" } }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-20T00:19:02.309Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "2.2.2.2" + ] + }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302185815Z", - "original": "attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "ingested": "2021-06-01T14:54:27.839630600Z", + "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "module": "juniper", "action": "flood_detected", @@ -776,30 +830,9 @@ } }, { - "observer": { - "name": "rtr199", - "ingress": { - "interface": { - "name": "ge-0/0/1.0" - }, - "zone": "trustZone" - }, - "product": "SRX", - "type": "firewall", - "vendor": "Juniper" - }, - "@timestamp": "2018-07-20T00:19:02.309Z", - "related": { - "ip": [ - "111.1.1.3" - ] - }, "log": { "level": "error" }, - "client": { - "ip": "111.1.1.3" - }, "source": { "geo": { "continent_name": "Asia", 
@@ -829,10 +862,37 @@ "tag": "RT_SCREEN_TCP_SRC_IP" } }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "name": "rtr199", + "ingress": { + "interface": { + "name": "ge-0/0/1.0" + }, + "zone": "trustZone" + }, + "product": "SRX", + "type": "firewall", + "vendor": "Juniper" + }, + "@timestamp": "2018-07-20T00:19:02.309Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "111.1.1.3" + ] + }, + "client": { + "ip": "111.1.1.3" + }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302187215Z", - "original": "attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"", + "ingested": "2021-06-01T14:54:27.839633400Z", + "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "module": "juniper", "action": "flood_detected", @@ -873,6 +933,9 @@ "tag": "RT_SCREEN_TCP" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "rtr199", "ingress": { @@ -886,6 +949,9 @@ "vendor": "Juniper" }, "@timestamp": "2020-07-17T07:54:43.912Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "10.1.1.100", 
@@ -898,8 +964,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302188620Z", - "original": "attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839636500Z", + "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "scan_detected", @@ -940,6 +1006,9 @@ "tag": "RT_SCREEN_TCP" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "rtr199", "ingress": { @@ -953,6 +1022,9 @@ "vendor": "Juniper" }, "@timestamp": "2020-07-17T08:01:43.006Z", + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "10.1.1.100", @@ -965,8 +1037,8 @@ }, "event": { "severity": 11, - "ingested": "2021-04-23T12:54:04.302190272Z", - "original": "attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"", + "ingested": "2021-06-01T14:54:27.839666600Z", + "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", "action": "illegal_tcp_flag_detected", 
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-config.yml b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
index bf06f39237f..d1825c8ec2b 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
@@ -46,6 +46,9 @@
 "feed_name": "Tor_Exit_Nodes"
 }
 },
+ "tags": [
+ "preserve_original_event"
+ ],
 "network": {
 "iana_number": "1"
 },
@@ -62,6 +65,9 @@
 }
 },
 "@timestamp": "2016-10-17T15:18:11.618Z",
+ "ecs": {
+ "version": "1.10.0"
+ },
 "related": {
 "ip": [
 "5.196.121.161",
@@ -74,8 +80,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:54:06.934280910Z", - "original": "category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"", + "ingested": "2021-06-01T14:54:29.220452Z", + "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", "kind": "alert", "module": "juniper", "action": "malware_detected", @@ -143,6 +149,9 @@ "url": { "domain": "dummy_host" }, + "tags": [ + "preserve_original_event" + ], "network": { "iana_number": "6" }, @@ -159,6 +168,9 @@ } }, "@timestamp": "2016-10-17T15:18:11.618Z", + "ecs": { + "version": "1.10.0" + }, "related": { "hosts": [ "dummy_host" 
@@ -174,8 +186,8 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-04-23T12:54:06.934284676Z",
- "original": "category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"",
+ "ingested": "2021-06-01T14:54:29.220468800Z",
+ "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]",
 "kind": "alert",
 "module": "juniper",
 "action": "malware_detected",
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-config.yml b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json index 3f6abe398d6..83514b50359 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json @@ -47,6 +47,9 @@ "path": "/", "domain": "www.baidu.com" }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "utm-srx550-b", "product": "SRX", @@ -54,6 +57,9 @@ "vendor": "Juniper" }, "@timestamp": "2016-02-18T01:32:50.391Z", + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "user01" @@ -72,8 +78,8 @@ }, "event": { "severity": 12, - "ingested": "2021-04-23T12:54:07.575345063Z", - "original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "ingested": "2021-06-01T14:54:29.561863400Z", + "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", "action": "web_filter", @@ -136,6 +142,9 @@ "path": "/css/homepage2012.css", "domain": "www.checkpoint.com" }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "utm-srx550-b", "product": "SRX", @@ -143,6 +152,9 @@ "vendor": "Juniper" }, "@timestamp": "2016-02-18T01:32:50.391Z", + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "user02" 
@@ -161,8 +173,8 @@ }, "event": { "severity": 12, - "ingested": "2021-04-23T12:54:07.575348954Z", - "original": "source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"", + "ingested": "2021-06-01T14:54:29.561877300Z", + "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", "kind": "event", "module": "juniper", "category": [ @@ -218,6 +230,9 @@ "url": { "domain": "EICAR-Test-File" }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "SRX650-1", "ingress": { @@ -231,6 +246,9 @@ "file": { "name": "www.eicar.org/download/eicar.com" }, + "ecs": { + "version": "1.10.0" + }, "related": { "hosts": [ "EICAR-Test-File" 
@@ -246,8 +264,8 @@ }, "event": { "severity": 12, - "ingested": "2021-04-23T12:54:07.575350663Z", - "original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "ingested": "2021-06-01T14:54:29.561880400Z", + "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "module": "juniper", "action": "virus_detected", @@ -303,6 +321,9 @@ "tag": "AV_SCANNER_DROP_FILE_MT" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "SRX650-1", "product": "SRX", @@ -313,6 +334,9 @@ "file": { "name": "www.google.com/" }, + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "74.125.155.147", @@ -325,8 +349,8 @@ }, "event": { "severity": 12, - "ingested": "2021-04-23T12:54:07.575352265Z", - "original": "source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"", + "ingested": "2021-06-01T14:54:29.561899700Z", + "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", "kind": "event", "module": "juniper", "category": [ 
@@ -362,6 +386,9 @@ "tag": "AV_HUGE_FILE_DROPPED_MT" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "SRX650-1", "product": "SRX", @@ -372,6 +399,9 @@ "file": { "name": "10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz" }, + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "10.2.1.101", @@ -384,8 +414,8 @@ }, "event": { "severity": 12, - "ingested": "2021-04-23T12:54:07.575353759Z", - "original": "source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"", + "ingested": "2021-06-01T14:54:29.561905900Z", + "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", "kind": "event", "module": "juniper", "category": [ @@ -400,6 +430,27 @@ } }, { + "log": { + "level": "informational" + }, + "source": { + "user": { + "name": "user01" + }, + "ip": "10.10.10.1" + }, + "juniper": { + "srx": { + "profile_name": "antispam01", + "reason": "Match local blacklist", + "action": "drop", + "process": "RT_UTM", + "tag": "ANTISPAM_SPAM_DETECTED_MT" + } + }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "utm-srx550-b", "ingress": { @@ -413,6 +464,9 @@ } }, "@timestamp": "2016-02-18T01:33:50.391Z", + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "user01" 
@@ -421,31 +475,13 @@ "10.10.10.1" ] }, - "log": { - "level": "informational" - }, "client": { "ip": "10.10.10.1" }, - "source": { - "user": { - "name": "user01" - }, - "ip": "10.10.10.1" - }, - "juniper": { - "srx": { - "profile_name": "antispam01", - "reason": "Match local blacklist", - "action": "drop", - "process": "RT_UTM", - "tag": "ANTISPAM_SPAM_DETECTED_MT" - } - }, "event": { "severity": 14, - "ingested": "2021-04-23T12:54:07.575355238Z", - "original": "source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"", + "ingested": "2021-06-01T14:54:29.561912400Z", + "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", "action": "antispam_filter", @@ -490,6 +526,9 @@ "tag": "CONTENT_FILTERING_BLOCKED_MT" } }, + "tags": [ + "preserve_original_event" + ], "network": { "protocol": "http" }, @@ -509,6 +548,9 @@ "file": { "name": "test.cmd" }, + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "user01@testuser.com" 
@@ -524,8 +566,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:54:07.575356672Z", - "original": "source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"", + "ingested": "2021-06-01T14:54:29.561915600Z", + "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", "kind": "alert", "module": "juniper", "action": "content_filter", @@ -589,6 +631,9 @@ "path": "/", "domain": "www.baidu.com" }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "utm-srx550-b", "product": "SRX", @@ -596,6 +641,9 @@ "vendor": "Juniper" }, "@timestamp": "2016-02-19T01:32:50.391Z", + "ecs": { + "version": "1.10.0" + }, "related": { "user": [ "user01" 
@@ -614,8 +662,8 @@ }, "event": { "severity": 12, - "ingested": "2021-04-23T12:54:07.575358109Z", - "original": "source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"", + "ingested": "2021-06-01T14:54:29.561918200Z", + "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", "action": "web_filter", @@ -674,6 +722,9 @@ "url": { "domain": "EICAR-Test-File" }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "SRX650-1", "ingress": { @@ -687,6 +738,9 @@ "file": { "name": "www.eicar.org/download/eicar.com" }, + "ecs": { + "version": "1.10.0" + }, "related": { "hosts": [ "EICAR-Test-File" 
@@ -702,8 +756,8 @@ }, "event": { "severity": 12, - "ingested": "2021-04-23T12:54:07.575359541Z", - "original": "source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"", + "ingested": "2021-06-01T14:54:29.561920600Z", + "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "module": "juniper", "action": "virus_detected", @@ -765,6 +819,9 @@ "path": "/", "domain": "datawrapper.dwcdn.net" }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "SRX650-1", "ingress": { @@ -778,6 +835,9 @@ } }, "@timestamp": "2020-07-14T14:16:18.345Z", + "ecs": { + "version": "1.10.0" + }, "related": { "hosts": [ "datawrapper.dwcdn.net" 
@@ -793,8 +853,8 @@ }, "event": { "severity": 14, - "ingested": "2021-04-23T12:54:07.575360980Z", - "original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"", + "ingested": "2021-06-01T14:54:29.561923200Z", + "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", "risk_score": 0.0, "kind": "event", "module": "juniper", @@ -854,6 +914,9 @@ "path": "/", "domain": "dsp.adfarm1.adition.com" }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "SRX650-1", "ingress": { @@ -867,6 +930,9 @@ } }, "@timestamp": "2020-07-14T14:16:29.541Z", + "ecs": { + "version": "1.10.0" + }, "related": { "hosts": [ "dsp.adfarm1.adition.com" 
@@ -882,8 +948,8 @@ }, "event": { "severity": 12, - "ingested": "2021-04-23T12:54:07.575362434Z", - "original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"", + "ingested": "2021-06-01T14:54:29.561926Z", + "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", "risk_score": 3.0, "kind": "alert", "module": "juniper", @@ -942,6 +1008,9 @@ "tag": "AV_FILE_NOT_SCANNED_DROPPED_MT" } }, + "tags": [ + "preserve_original_event" + ], "observer": { "name": "SRX650-1", "ingress": { @@ -958,6 +1027,9 @@ "file": { "name": "download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar" }, + "ecs": { + "version": "1.10.0" + }, "related": { "ip": [ "23.209.86.45", 
@@ -970,8 +1042,8 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-04-23T12:54:07.575364033Z",
- "original": "source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"",
+ "ingested": "2021-06-01T14:54:29.561928700Z",
+ "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
 "category": [
diff --git a/packages/juniper/data_stream/srx/agent/stream/logfile.yml.hbs b/packages/juniper/data_stream/srx/agent/stream/logfile.yml.hbs
index 465fc316450..49a10088a8a 100644
--- a/packages/juniper/data_stream/srx/agent/stream/logfile.yml.hbs
+++ b/packages/juniper/data_stream/srx/agent/stream/logfile.yml.hbs
@@ -4,15 +4,14 @@ paths:
 {{/each}}
 exclude_files: [".gz$"]
 tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
 {{/each}}
 {{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
 {{/contains}}
 processors:
 - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
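Review bot: The `preserve_original_event` entry added under `tags:` is rendered before the `{{#each tags}}` loop without excluding a user-supplied tag of the same name, so a policy that also lists it under `tags` renders the value twice; whether the agent deduplicates the list is not visible here, so either guard the loop or document the expectation with a comment such as `{{!-- preserve_original_event is emitted once here; do not add it to tags --}}`. The `- {{tag}}` line changes only in whitespace as far as this view shows, presumably to match the indentation of the new entry — worth confirming, since items of one YAML sequence indented differently do not parse. Removing the `add_fields` processor that pinned `ecs.version: 1.9.0` is consistent with the `set: ecs.version` to `1.10.0` in the default.yml hunk, so the version now has a single owner. The tcp.yml.hbs and udp.yml.hbs hunks are identical in shape and the same note applies to them.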
diff --git a/packages/juniper/data_stream/srx/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/srx/agent/stream/tcp.yml.hbs
index bb96363500f..2f09ef55729 100644
--- a/packages/juniper/data_stream/srx/agent/stream/tcp.yml.hbs
+++ b/packages/juniper/data_stream/srx/agent/stream/tcp.yml.hbs
@@ -1,14 +1,13 @@
 host: "{{syslog_host}}:{{syslog_port}}"
 tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
 {{/each}}
 {{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
 {{/contains}}
 processors:
 - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
diff --git a/packages/juniper/data_stream/srx/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/srx/agent/stream/udp.yml.hbs
index bb96363500f..2f09ef55729 100644
--- a/packages/juniper/data_stream/srx/agent/stream/udp.yml.hbs
+++ b/packages/juniper/data_stream/srx/agent/stream/udp.yml.hbs
@@ -1,14 +1,13 @@
 host: "{{syslog_host}}:{{syslog_port}}"
 tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
 {{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
 {{/each}}
 {{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
 {{/contains}}
 processors:
 - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
diff --git a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml
index 7266216d3b1..693eaff6a0c 100644
--- a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml
@@ -3,202 +3,210 @@
 # https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/structured-data-edit-system.html
 description: Pipeline for parsing junipersrx firewall logs
 processors:
-- grok:
- field: message
- patterns:
- - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:log.original}\]$'
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: "1.10.0"
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
+ patterns:
+ - '^<%{POSINT:syslog_pri}>(\d{1,3}\s)?(?:%{TIMESTAMP_ISO8601:_temp_.raw_date})\s%{SYSLOGHOST:syslog_hostname}\s%{PROG:syslog_program}\s(?:%{POSINT:syslog_pid}|-)?\s%{WORD:log_type}\s\[.+?\s%{GREEDYDATA:log.original}\]$'
 # split Juniper-SRX fields
-- kv:
- field: log.original
- field_split: " (?=[a-z0-9\\_\\-]+=)"
- value_split: "="
- prefix: "juniper.srx."
- ignore_missing: true
- ignore_failure: false
- trim_value: "\""
+ - kv:
+ field: log.original
+ field_split: " (?=[a-z0-9\\_\\-]+=)"
+ value_split: "="
+ prefix: "juniper.srx."
+ ignore_missing: true
+ ignore_failure: false
+ trim_value: "\""
 # Converts all kebab-case key names to snake_case
-- script:
- lang: painless
- source: >-
- ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue()));
+ - script:
+ lang: painless
+ source: >-
+ ctx.juniper.srx = ctx?.juniper?.srx.entrySet().stream().collect(Collectors.toMap(e -> e.getKey().replace('-', '_'), e -> e.getValue()));
 #
 # Parse the date
 #
-- date:
- if: "ctx?.event?.timezone == null"
- field: _temp_.raw_date
- target_field: "@timestamp"
- formats:
- - yyyy-MM-dd HH:mm:ss
- - yyyy-MM-dd HH:mm:ss z
- - yyyy-MM-dd HH:mm:ss Z
- - ISO8601
-- date:
- if: "ctx?.event?.timezone != null"
- timezone: "{{ event.timezone }}"
- field: _temp_.raw_date
- target_field: "@timestamp"
- formats:
- - yyyy-MM-dd HH:mm:ss
- - yyyy-MM-dd HH:mm:ss z
- - yyyy-MM-dd HH:mm:ss Z
- - ISO8601
-
-- set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
+ - date:
+ if: "ctx?.event?.timezone == null"
+ field: _temp_.raw_date
+ target_field: "@timestamp"
+ formats:
+ - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd HH:mm:ss z
+ - yyyy-MM-dd HH:mm:ss Z
+ - ISO8601
+ - date:
+ if: "ctx?.event?.timezone != null"
+ timezone: "{{ event.timezone }}"
+ field: _temp_.raw_date
+ target_field: "@timestamp"
+ formats:
+ - yyyy-MM-dd HH:mm:ss
+ - yyyy-MM-dd HH:mm:ss z
+ - yyyy-MM-dd HH:mm:ss Z
+ - ISO8601
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
 # Can possibly be omitted if there is a solution for the equal signs and the calculation of the start time.
 # -> juniper.srx.elapsed_time
-- rename:
- field: juniper.srx.elapsed_time
- target_field: juniper.srx.duration
- if: "ctx?.juniper?.srx?.elapsed_time != null"
+ - rename:
+ field: juniper.srx.elapsed_time
+ target_field: juniper.srx.duration
+ if: "ctx?.juniper?.srx?.elapsed_time != null"
 # Sets starts, end and duration when start and duration is known
-- script:
- lang: painless
- if: ctx?.juniper?.srx?.duration != null
- source: >-
- ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L;
- ctx.event.start = ctx['@timestamp'];
- ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
- ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS);
+ - script:
+ lang: painless
+ if: ctx?.juniper?.srx?.duration != null
+ source: >-
+ ctx.event.duration = Integer.parseInt(ctx.juniper.srx.duration) * 1000000000L;
+ ctx.event.start = ctx['@timestamp'];
+ ZonedDateTime start = ZonedDateTime.parse(ctx.event.start);
+ ctx.event.end = start.plus(ctx.event.duration, ChronoUnit.NANOS);
 # Removes all empty fields
-- script:
- lang: painless
- params:
- values:
- - "None"
- - "UNKNOWN"
- - "N/A"
- - "-"
- source: >-
- ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
+ - script:
+ lang: painless
+ params:
+ values:
+ - "None"
+ - "UNKNOWN"
+ - "N/A"
+ - "-"
+ source: >-
+ ctx?.juniper?.srx.entrySet().removeIf(entry -> params.values.contains(entry.getValue()));
 #######################
 ## ECS Event Mapping ##
 #######################
-- set:
- field: event.module
- value: juniper
-- set:
- field: event.dataset
- value: juniper.srx
-- convert:
- field: syslog_pri
- type: long
- target_field: event.severity
- ignore_failure: true
-- rename:
- field: log.original
- target_field: event.original
- ignore_missing: true
+ - set:
+ field: event.module
+ value: juniper
+ - set:
+ field: event.dataset
+ value: juniper.srx
+ - convert:
+ field: syslog_pri
+ type: long
+ target_field: event.severity
+ ignore_failure:
true
+ - remove:
+ field: log.original
+ ignore_missing: true
 #####################
 ## ECS Log Mapping ##
 #####################
 # https://www.juniper.net/documentation/en_US/junos/topics/reference/general/syslog-interpreting-msg-generated-structured-data-format.html#fac_sev_codes
-- set:
- field: "log.level"
- if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)'
- value: emergency
-- set:
- field: "log.level"
- if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)'
- value: alert
-- set:
- field: "log.level"
- if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", "146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)'
- value: critical
-- set:
- field: "log.level"
- if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107", "115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)'
- value: error
-- set:
- field: "log.level"
- if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)'
- value: warning
-- set:
- field: "log.level"
- if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)'
- value: notification
-- set:
- field: "log.level"
- if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)'
- value: informational
-- set:
- field: "log.level"
- if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103",
"111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)' - value: debug + - set: + field: "log.level" + if: '["0", "8", "16", "24", "32", "40", "48", "56", "64", "72", "80", "88", "96", "104", "112", "128", "136", "144", "152", "160", "168", "176", "184"].contains(ctx.syslog_pri)' + value: emergency + - set: + field: "log.level" + if: '["1", "9", "17", "25", "33", "41", "49", "57", "65", "73", "81", "89", "97", "105", "113", "129", "137", "145", "153", "161", "169", "177", "185"].contains(ctx.syslog_pri)' + value: alert + - set: + field: "log.level" + if: '["2", "10", "18", "26", "34", "42", "50", "58", "66", "74", "82", "90", "98", "106", "114", "130", "138", "146", "154", "162", "170", "178", "186"].contains(ctx.syslog_pri)' + value: critical + - set: + field: "log.level" + if: '["3", "11", "19", "27", "35", "43", "51", "59", "67", "75", "83", "91", "99", "107", "115", "131", "139", "147", "155", "163", "171", "179", "187"].contains(ctx.syslog_pri)' + value: error + - set: + field: "log.level" + if: '["4", "12", "20", "28", "36", "44", "52", "60", "68", "76", "84", "92", "100", "108", "116", "132", "140", "148", "156", "164", "172", "180", "188"].contains(ctx.syslog_pri)' + value: warning + - set: + field: "log.level" + if: '["5", "13", "21", "29", "37", "45", "53", "61", "69", "77", "85", "93", "101", "109", "117", "133", "141", "149", "157", "165", "173", "181", "189"].contains(ctx.syslog_pri)' + value: notification + - set: + field: "log.level" + if: '["6", "14", "22", "30", "38", "46", "54", "62", "70", "78", "86", "94", "102", "110", "118", "134", "142", "150", "158", "166", "174", "182", "190"].contains(ctx.syslog_pri)' + value: informational + - set: + field: "log.level" + if: '["7", "15", "23", "31", "39", "47", "55", "63", "71", "79", "87", "95", "103", "111", "119", "135", "143", "151", "159", "167", "175", "183", "191"].contains(ctx.syslog_pri)' + value: debug ########################## ## ECS Observer Mapping ## 
########################## -- set: - field: observer.vendor - value: Juniper -- set: - field: observer.product - value: SRX -- set: - field: observer.type - value: firewall -- rename: - field: syslog_hostname - target_field: observer.name - ignore_missing: true -- rename: - field: juniper.srx.packet_incoming_interface - target_field: observer.ingress.interface.name - ignore_missing: true -- rename: - field: juniper.srx.destination_interface_name - target_field: observer.egress.interface.name - ignore_missing: true -- rename: - field: juniper.srx.source_interface_name - target_field: observer.ingress.interface.name - ignore_missing: true -- rename: - field: juniper.srx.interface_name - target_field: observer.ingress.interface.name - ignore_missing: true -- rename: - field: juniper.srx.source_zone_name - target_field: observer.ingress.zone - ignore_missing: true -- rename: - field: juniper.srx.source_zone - target_field: observer.ingress.zone - ignore_missing: true -- rename: - field: juniper.srx.destination_zone_name - target_field: observer.egress.zone - ignore_missing: true -- rename: - field: juniper.srx.destination_zone - target_field: observer.egress.zone - ignore_missing: true -- rename: - field: syslog_program - target_field: juniper.srx.process - ignore_missing: true -- rename: - field: log_type - target_field: juniper.srx.tag - ignore_missing: true + - set: + field: observer.vendor + value: Juniper + - set: + field: observer.product + value: SRX + - set: + field: observer.type + value: firewall + - rename: + field: syslog_hostname + target_field: observer.name + ignore_missing: true + - rename: + field: juniper.srx.packet_incoming_interface + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: juniper.srx.destination_interface_name + target_field: observer.egress.interface.name + ignore_missing: true + - rename: + field: juniper.srx.source_interface_name + target_field: observer.ingress.interface.name + ignore_missing: 
true + - rename: + field: juniper.srx.interface_name + target_field: observer.ingress.interface.name + ignore_missing: true + - rename: + field: juniper.srx.source_zone_name + target_field: observer.ingress.zone + ignore_missing: true + - rename: + field: juniper.srx.source_zone + target_field: observer.ingress.zone + ignore_missing: true + - rename: + field: juniper.srx.destination_zone_name + target_field: observer.egress.zone + ignore_missing: true + - rename: + field: juniper.srx.destination_zone + target_field: observer.egress.zone + ignore_missing: true + - rename: + field: syslog_program + target_field: juniper.srx.process + ignore_missing: true + - rename: + field: log_type + target_field: juniper.srx.tag + ignore_missing: true ############# ## Cleanup ## ############# -- remove: - field: + - remove: + field: - message - _temp_ - juniper.srx.duration 
@@ -207,89 +215,89 @@ processors: - juniper.srx.dstzone - juniper.srx.duration - syslog_pri - ignore_missing: true + ignore_missing: true ################################ ## Product Specific Pipelines ## ################################ -- pipeline: - name: '{{ IngestPipeline "flow" }}' - if: "ctx.juniper?.srx?.process == 'RT_FLOW'" -- pipeline: - name: '{{ IngestPipeline "utm" }}' - if: "ctx.juniper?.srx?.process == 'RT_UTM'" -- pipeline: - name: '{{ IngestPipeline "idp" }}' - if: "ctx.juniper?.srx?.process == 'RT_IDP'" -- pipeline: - name: '{{ IngestPipeline "ids" }}' - if: "ctx.juniper?.srx?.process == 'RT_IDS'" -- pipeline: - name: '{{ IngestPipeline "atp" }}' - if: "ctx.juniper?.srx?.process == 'RT_AAMW'" -- pipeline: - name: '{{ IngestPipeline "secintel" }}' - if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'" + - pipeline: + name: '{{ IngestPipeline "flow" }}' + if: "ctx.juniper?.srx?.process == 'RT_FLOW'" + - pipeline: + name: '{{ IngestPipeline "utm" }}' + if: "ctx.juniper?.srx?.process == 'RT_UTM'" + - pipeline: + name: '{{ IngestPipeline "idp" }}' + if: "ctx.juniper?.srx?.process == 'RT_IDP'" + - pipeline: + name: '{{ IngestPipeline "ids" }}' + if: "ctx.juniper?.srx?.process == 'RT_IDS'" + - pipeline: + name: '{{ IngestPipeline "atp" }}' + if: "ctx.juniper?.srx?.process == 'RT_AAMW'" + - pipeline: + name: '{{ IngestPipeline "secintel" }}' + if: "ctx.juniper?.srx?.process == 'RT_SECINTEL'" ######################### ## ECS Related Mapping ## ######################### -- append: - if: 'ctx.source?.ip != null' - field: related.ip - value: '{{source.ip}}' - ignore_failure: true - allow_duplicates: false -- append: - if: 'ctx.destination?.ip != null' - field: related.ip - value: '{{destination.ip}}' - ignore_failure: true - allow_duplicates: false -- append: - if: 'ctx.source?.nat?.ip != null' - field: related.ip - value: '{{source.nat.ip}}' - ignore_failure: true - allow_duplicates: false -- append: - if: 'ctx?.destination?.nat?.ip != null' - field: related.ip 
- value: '{{destination.nat.ip}}' - ignore_failure: true - allow_duplicates: false -- append: - if: 'ctx.url?.domain != null' - field: related.hosts - value: '{{url.domain}}' - ignore_failure: true - allow_duplicates: false -- append: - if: 'ctx.source?.domain != null' - field: related.hosts - value: '{{source.domain}}' - ignore_failure: true - allow_duplicates: false -- append: - if: 'ctx.destination?.domain != null' - field: related.hosts - value: '{{destination.domain}}' - ignore_failure: true - allow_duplicates: false -- append: - if: 'ctx?.source?.user?.name != null' - field: related.user - value: '{{source.user.name}}' - ignore_failure: true - allow_duplicates: false -- append: - if: 'ctx?.destination?.user?.name != null' - field: related.user - value: '{{destination.user.name}}' - ignore_failure: true - allow_duplicates: false + - append: + if: 'ctx.source?.ip != null' + field: related.ip + value: '{{source.ip}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.destination?.ip != null' + field: related.ip + value: '{{destination.ip}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.source?.nat?.ip != null' + field: related.ip + value: '{{source.nat.ip}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx?.destination?.nat?.ip != null' + field: related.ip + value: '{{destination.nat.ip}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.url?.domain != null' + field: related.hosts + value: '{{url.domain}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.source?.domain != null' + field: related.hosts + value: '{{source.domain}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx.destination?.domain != null' + field: related.hosts + value: '{{destination.domain}}' + ignore_failure: true + allow_duplicates: false + - append: + if: 'ctx?.source?.user?.name != null' + field: related.user + value: '{{source.user.name}}' + 
ignore_failure: true
+ allow_duplicates: false
+ - append:
+ if: 'ctx?.destination?.user?.name != null'
+ field: related.user
+ value: '{{destination.user.name}}'
+ ignore_failure: true
+ allow_duplicates: false
 on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/packages/juniper/data_stream/srx/manifest.yml b/packages/juniper/data_stream/srx/manifest.yml
index fb397abb86e..6fdcb15302b 100644
--- a/packages/juniper/data_stream/srx/manifest.yml
+++ b/packages/juniper/data_stream/srx/manifest.yml
@@ -27,6 +27,14 @@ streams:
 default:
 - juniper.srx
 - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
 template_path: tcp.yml.hbs
 title: Juniper SRX logs
 description: Collect Juniper SRX logs via TCP
@@ -55,6 +63,14 @@ streams:
 default:
 - juniper.srx
 - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
 template_path: udp.yml.hbs
 title: Juniper SRX logs
 description: Collect Juniper SRX logs via UDP
@@ -78,6 +94,14 @@ streams:
 default:
 - juniper.srx
 - forwarded
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
 template_path: logfile.yml.hbs
 title: Juniper SRX logs
 description: Read Juniper SRX logs from a file
From 5ad98ac5a7c36b89f917f2ef0419c19280d6e7e3 Mon Sep 17 00:00:00 2001
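Review bot: The `preserve_original_event` variable is pasted verbatim into all three streams of this manifest (this hunk and the ones at `@@ -55,6 +63,14 @@` and `@@ -78,6 +94,14 @@`), so a later edit to its title or description in one stream will silently diverge from the other two; if the package format offers no shared variable definition, a short comment in each copy naming the other two is the cheapest guard. The description also says nothing about the off state, which matters now that the pipeline in the hunk above removes `log.original` unconditionally (`- remove:` / `field: log.original`), so a reader can no longer infer from the pipeline whether the raw line is retained; whether the stream templates gate `event.original` on this variable is outside this chunk. Suggested wording: `description: Preserves a raw copy of the original event in the field event.original. Off by default; the raw line may hold values the parsed fields drop and adds storage per event.`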
From: Marius Iversen
Date: Tue, 1 Jun 2021 16:57:21 +0200
Subject: [PATCH 2/6] update manifest, changelog and linting
---
packages/juniper/changelog.yml | 5 +
.../_dev/test/pipeline/test-common-config.yml | 2 +-
.../pipeline/test-generated.log-expected.json | 200 +++++++++---------
.../juniper/data_stream/junos/manifest.yml | 2 +-
.../_dev/test/pipeline/test-common-config.yml | 2 +-
.../pipeline/test-generated.log-expected.json | 200 +++++++++---------
.../data_stream/netscreen/manifest.yml | 2 +-
.../test/pipeline/test-atp.log-expected.json | 8 +-
.../_dev/test/pipeline/test-common-config.yml | 2 +-
.../test/pipeline/test-flow.log-expected.json | 50 ++---
.../test/pipeline/test-idp.log-expected.json | 14 +-
.../test/pipeline/test-ids.log-expected.json | 24 +--
.../pipeline/test-secintel.log-expected.json | 4 +-
.../test/pipeline/test-utm.log-expected.json | 24 +--
packages/juniper/manifest.yml | 2 +-
15 files changed, 273 insertions(+), 268 deletions(-)
diff --git a/packages/juniper/changelog.yml b/packages/juniper/changelog.yml
index 71b66f63a69..65c443e1ac6 100644
--- a/packages/juniper/changelog.yml
+++ b/packages/juniper/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.5.2"
+ changes:
+ - description: update to ECS 1.10.0 and add event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/853
 - version: "0.5.1"
 changes:
 - description: update to ECS 1.9.0
diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-common-config.yml b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-common-config.yml
index e74affa452f..5622947e4b8 100644
--- a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-common-config.yml
+++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-common-config.yml
@@ -2,4 +2,4 @@ dynamic_fields:
 event.ingested: ".*"
 fields:
 tags:
- - preserve_original_event
\ No newline at end of file
+ - preserve_original_event
diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
index bde0d947c15..d26faf11c02 100644
--- a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
@@ -6,7 +6,7 @@
 },
 "message": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)",
 "event": {
- "ingested": "2021-06-01T14:54:19.526804600Z"
+ "ingested": "2021-06-01T14:56:52.713530800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -18,7 +18,7 @@
 },
 "message": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed",
 "event": {
- "ingested": "2021-06-01T14:54:19.526830900Z"
+ "ingested": "2021-06-01T14:56:52.713556800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -30,7 +30,7 @@
 },
 "message": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success",
 "event": {
- "ingested": "2021-06-01T14:54:19.526838800Z"
+ "ingested": "2021-06-01T14:56:52.713564300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -42,7 +42,7 @@
 },
 "message": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace\u003e node: dqu",
 "event": {
- "ingested": "2021-06-01T14:54:19.526846600Z"
+ "ingested": "2021-06-01T14:56:52.713593600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -54,7 +54,7 @@
 },
 "message": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367",
 "event": {
- "ingested": "2021-06-01T14:54:19.526852400Z"
+ "ingested": "2021-06-01T14:56:52.713600300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -66,7 +66,7 @@ }, "message": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", "event": { - "ingested": "2021-06-01T14:54:19.526857500Z" + "ingested": "2021-06-01T14:56:52.713606100Z" }, "tags": [ "preserve_original_event" @@ -78,7 +78,7 @@ }, "message": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", "event": { - "ingested": "2021-06-01T14:54:19.526863200Z" + "ingested": "2021-06-01T14:56:52.713612700Z" }, "tags": [ "preserve_original_event" @@ -90,7 +90,7 @@ }, "message": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure", "event": { - "ingested": "2021-06-01T14:54:19.526868100Z" + "ingested": "2021-06-01T14:56:52.713618600Z" }, "tags": [ "preserve_original_event" @@ -102,7 +102,7 @@ }, "message": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", "event": { - "ingested": "2021-06-01T14:54:19.526872800Z" + "ingested": "2021-06-01T14:56:52.713624Z" }, "tags": [ "preserve_original_event" @@ -114,7 +114,7 @@ }, "message": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", "event": { - "ingested": "2021-06-01T14:54:19.526877400Z" + "ingested": "2021-06-01T14:56:52.713629600Z" }, "tags": [ "preserve_original_event" @@ -126,7 +126,7 @@ }, "message": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", "event": { - "ingested": "2021-06-01T14:54:19.526883800Z" + "ingested": "2021-06-01T14:56:52.713636100Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", "event": { - "ingested": "2021-06-01T14:54:19.526888700Z" + "ingested": "2021-06-01T14:56:52.713641500Z" }, "tags": [ "preserve_original_event" 
@@ -150,7 +150,7 @@ }, "message": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", "event": { - "ingested": "2021-06-01T14:54:19.526893300Z" + "ingested": "2021-06-01T14:56:52.713646900Z" }, "tags": [ "preserve_original_event" @@ -162,7 +162,7 @@ }, "message": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", "event": { - "ingested": "2021-06-01T14:54:19.526898100Z" + "ingested": "2021-06-01T14:56:52.713652100Z" }, "tags": [ "preserve_original_event" @@ -174,7 +174,7 @@ }, "message": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown", "event": { - "ingested": "2021-06-01T14:54:19.526902900Z" + "ingested": "2021-06-01T14:56:52.713657200Z" }, "tags": [ "preserve_original_event" @@ -186,7 +186,7 @@ }, "message": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", "event": { - "ingested": "2021-06-01T14:54:19.526907700Z" + "ingested": "2021-06-01T14:56:52.713661900Z" }, "tags": [ "preserve_original_event" @@ -198,7 +198,7 @@ }, "message": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", "event": { - "ingested": "2021-06-01T14:54:19.526912700Z" + "ingested": "2021-06-01T14:56:52.713667100Z" }, "tags": [ "preserve_original_event" @@ -210,7 +210,7 @@ }, "message": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed", "event": { - "ingested": "2021-06-01T14:54:19.526917200Z" + "ingested": "2021-06-01T14:56:52.713672100Z" }, "tags": [ "preserve_original_event" @@ -222,7 +222,7 @@ }, "message": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", "event": { - "ingested": "2021-06-01T14:54:19.526921500Z" + "ingested": "2021-06-01T14:56:52.713684Z" }, "tags": [ "preserve_original_event" 
@@ -234,7 +234,7 @@ }, "message": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", "event": { - "ingested": "2021-06-01T14:54:19.526926400Z" + "ingested": "2021-06-01T14:56:52.713689300Z" }, "tags": [ "preserve_original_event" @@ -246,7 +246,7 @@ }, "message": "Nov 10 03:01:24 kmd: restart ", "event": { - "ingested": "2021-06-01T14:54:19.526931300Z" + "ingested": "2021-06-01T14:56:52.713694300Z" }, "tags": [ "preserve_original_event" @@ -258,7 +258,7 @@ }, "message": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", "event": { - "ingested": "2021-06-01T14:54:19.526937100Z" + "ingested": "2021-06-01T14:56:52.713699800Z" }, "tags": [ "preserve_original_event" @@ -270,7 +270,7 @@ }, "message": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", "event": { - "ingested": "2021-06-01T14:54:19.526942400Z" + "ingested": "2021-06-01T14:56:52.713706600Z" }, "tags": [ "preserve_original_event" @@ -282,7 +282,7 @@ }, "message": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", "event": { - "ingested": "2021-06-01T14:54:19.526947600Z" + "ingested": "2021-06-01T14:56:52.713744100Z" }, "tags": [ "preserve_original_event" @@ -294,7 +294,7 @@ }, "message": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", "event": { - "ingested": "2021-06-01T14:54:19.526952900Z" + "ingested": "2021-06-01T14:56:52.713751100Z" }, "tags": [ "preserve_original_event" @@ -306,7 +306,7 @@ }, "message": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", "event": { - "ingested": "2021-06-01T14:54:19.526959Z" + "ingested": "2021-06-01T14:56:52.713756700Z" }, "tags": [ "preserve_original_event" 
@@ -318,7 +318,7 @@ }, "message": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", "event": { - "ingested": "2021-06-01T14:54:19.526965100Z" + "ingested": "2021-06-01T14:56:52.713761800Z" }, "tags": [ "preserve_original_event" @@ -330,7 +330,7 @@ }, "message": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693", "event": { - "ingested": "2021-06-01T14:54:19.526970500Z" + "ingested": "2021-06-01T14:56:52.713767700Z" }, "tags": [ "preserve_original_event" @@ -342,7 +342,7 @@ }, "message": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", "event": { - "ingested": "2021-06-01T14:54:19.526975200Z" + "ingested": "2021-06-01T14:56:52.713772600Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure", "event": { - "ingested": "2021-06-01T14:54:19.526980100Z" + "ingested": "2021-06-01T14:56:52.713777400Z" }, "tags": [ "preserve_original_event" @@ -366,7 +366,7 @@ }, "message": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", "event": { - "ingested": "2021-06-01T14:54:19.526985400Z" + "ingested": "2021-06-01T14:56:52.713782300Z" }, "tags": [ "preserve_original_event" @@ -378,7 +378,7 @@ }, "message": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", "event": { - "ingested": "2021-06-01T14:54:19.526990400Z" + "ingested": "2021-06-01T14:56:52.713786900Z" }, "tags": [ "preserve_original_event" @@ -390,7 +390,7 @@ }, "message": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", "event": { - "ingested": "2021-06-01T14:54:19.526995100Z" + "ingested": "2021-06-01T14:56:52.713791Z" }, "tags": [ "preserve_original_event" 
@@ -402,7 +402,7 @@ }, "message": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", "event": { - "ingested": "2021-06-01T14:54:19.527002100Z" + "ingested": "2021-06-01T14:56:52.713797800Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", "event": { - "ingested": "2021-06-01T14:54:19.527006700Z" + "ingested": "2021-06-01T14:56:52.713807100Z" }, "tags": [ "preserve_original_event" @@ -426,7 +426,7 @@ }, "message": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", "event": { - "ingested": "2021-06-01T14:54:19.527011300Z" + "ingested": "2021-06-01T14:56:52.713811900Z" }, "tags": [ "preserve_original_event" @@ -438,7 +438,7 @@ }, "message": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", "event": { - "ingested": "2021-06-01T14:54:19.527015900Z" + "ingested": "2021-06-01T14:56:52.713815900Z" }, "tags": [ "preserve_original_event" @@ -450,7 +450,7 @@ }, "message": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", "event": { - "ingested": "2021-06-01T14:54:19.527020500Z" + "ingested": "2021-06-01T14:56:52.713820Z" }, "tags": [ "preserve_original_event" @@ -462,7 +462,7 @@ }, "message": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", "event": { - "ingested": "2021-06-01T14:54:19.527025200Z" + "ingested": "2021-06-01T14:56:52.713823900Z" }, "tags": [ "preserve_original_event" 
@@ -474,7 +474,7 @@ }, "message": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176", "event": { - "ingested": "2021-06-01T14:54:19.527030200Z" + "ingested": "2021-06-01T14:56:52.713828100Z" }, "tags": [ "preserve_original_event" @@ -486,7 +486,7 @@ }, "message": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", "event": { - "ingested": "2021-06-01T14:54:19.527034800Z" + "ingested": "2021-06-01T14:56:52.713832300Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", "event": { - "ingested": "2021-06-01T14:54:19.527039500Z" + "ingested": "2021-06-01T14:56:52.713836200Z" }, "tags": [ "preserve_original_event" @@ -510,7 +510,7 @@ }, "message": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", "event": { - "ingested": "2021-06-01T14:54:19.527044200Z" + "ingested": "2021-06-01T14:56:52.713840600Z" }, "tags": [ "preserve_original_event" @@ -522,7 +522,7 @@ }, "message": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", "event": { - "ingested": "2021-06-01T14:54:19.527048900Z" + "ingested": "2021-06-01T14:56:52.713844900Z" }, "tags": [ "preserve_original_event" @@ -534,7 +534,7 @@ }, "message": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", "event": { - "ingested": "2021-06-01T14:54:19.527053600Z" + "ingested": "2021-06-01T14:56:52.713849300Z" }, "tags": [ "preserve_original_event" 
@@ -546,7 +546,7 @@ }, "message": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", "event": { - "ingested": "2021-06-01T14:54:19.527058200Z" + "ingested": "2021-06-01T14:56:52.713853600Z" }, "tags": [ "preserve_original_event" @@ -558,7 +558,7 @@ }, "message": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", "event": { - "ingested": "2021-06-01T14:54:19.527063100Z" + "ingested": "2021-06-01T14:56:52.713857800Z" }, "tags": [ "preserve_original_event" @@ -570,7 +570,7 @@ }, "message": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", "event": { - "ingested": "2021-06-01T14:54:19.527067700Z" + "ingested": "2021-06-01T14:56:52.713862Z" }, "tags": [ "preserve_original_event" @@ -582,7 +582,7 @@ }, "message": "Dec 15 08:13:24 COS: restart : Received FC-\u003eQ map, caecat", "event": { - "ingested": "2021-06-01T14:54:19.527072100Z" + "ingested": "2021-06-01T14:56:52.713866100Z" }, "tags": [ "preserve_original_event" @@ -594,7 +594,7 @@ }, "message": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", "event": { - "ingested": "2021-06-01T14:54:19.527076800Z" + "ingested": "2021-06-01T14:56:52.713870200Z" }, "tags": [ "preserve_original_event" @@ -606,7 +606,7 @@ }, "message": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", "event": { - "ingested": "2021-06-01T14:54:19.527081400Z" + "ingested": "2021-06-01T14:56:52.713874500Z" }, "tags": [ "preserve_original_event" 
@@ -618,7 +618,7 @@ }, "message": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", "event": { - "ingested": "2021-06-01T14:54:19.527086700Z" + "ingested": "2021-06-01T14:56:52.713878600Z" }, "tags": [ "preserve_original_event" @@ -630,7 +630,7 @@ }, "message": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", "event": { - "ingested": "2021-06-01T14:54:19.527091400Z" + "ingested": "2021-06-01T14:56:52.713882600Z" }, "tags": [ "preserve_original_event" @@ -642,7 +642,7 @@ }, "message": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", "event": { - "ingested": "2021-06-01T14:54:19.527096100Z" + "ingested": "2021-06-01T14:56:52.713886700Z" }, "tags": [ "preserve_original_event" @@ -654,7 +654,7 @@ }, "message": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", "event": { - "ingested": "2021-06-01T14:54:19.527100800Z" + "ingested": "2021-06-01T14:56:52.713890700Z" }, "tags": [ "preserve_original_event" @@ -666,7 +666,7 @@ }, "message": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", "event": { - "ingested": "2021-06-01T14:54:19.527105400Z" + "ingested": "2021-06-01T14:56:52.713894900Z" }, "tags": [ "preserve_original_event" @@ -678,7 +678,7 @@ }, "message": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", "event": { - "ingested": "2021-06-01T14:54:19.527110500Z" + "ingested": "2021-06-01T14:56:52.713899100Z" }, "tags": [ "preserve_original_event" 
@@ -690,7 +690,7 @@ }, "message": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", "event": { - "ingested": "2021-06-01T14:54:19.527115800Z" + "ingested": "2021-06-01T14:56:52.713903300Z" }, "tags": [ "preserve_original_event" @@ -702,7 +702,7 @@ }, "message": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", "event": { - "ingested": "2021-06-01T14:54:19.527120700Z" + "ingested": "2021-06-01T14:56:52.713907300Z" }, "tags": [ "preserve_original_event" @@ -714,7 +714,7 @@ }, "message": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", "event": { - "ingested": "2021-06-01T14:54:19.527125600Z" + "ingested": "2021-06-01T14:56:52.713911300Z" }, "tags": [ "preserve_original_event" @@ -726,7 +726,7 @@ }, "message": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", "event": { - "ingested": "2021-06-01T14:54:19.527130200Z" + "ingested": "2021-06-01T14:56:52.713915400Z" }, "tags": [ "preserve_original_event" @@ -738,7 +738,7 @@ }, "message": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", "event": { - "ingested": "2021-06-01T14:54:19.527134900Z" + "ingested": "2021-06-01T14:56:52.713920600Z" }, "tags": [ "preserve_original_event" @@ -750,7 +750,7 @@ }, "message": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", "event": { - "ingested": "2021-06-01T14:54:19.527139600Z" + "ingested": "2021-06-01T14:56:52.713924800Z" }, "tags": [ "preserve_original_event" 
@@ -762,7 +762,7 @@ }, "message": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", "event": { - "ingested": "2021-06-01T14:54:19.527144200Z" + "ingested": "2021-06-01T14:56:52.713928900Z" }, "tags": [ "preserve_original_event" @@ -774,7 +774,7 @@ }, "message": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere", "event": { - "ingested": "2021-06-01T14:54:19.527148900Z" + "ingested": "2021-06-01T14:56:52.713933Z" }, "tags": [ "preserve_original_event" @@ -786,7 +786,7 @@ }, "message": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593", "event": { - "ingested": "2021-06-01T14:54:19.527153600Z" + "ingested": "2021-06-01T14:56:52.713936800Z" }, "tags": [ "preserve_original_event" @@ -798,7 +798,7 @@ }, "message": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown", "event": { - "ingested": "2021-06-01T14:54:19.527158400Z" + "ingested": "2021-06-01T14:56:52.713940800Z" }, "tags": [ "preserve_original_event" @@ -810,7 +810,7 @@ }, "message": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success", "event": { - "ingested": "2021-06-01T14:54:19.527163600Z" + "ingested": "2021-06-01T14:56:52.713944600Z" }, "tags": [ "preserve_original_event" @@ -822,7 +822,7 @@ }, "message": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [", "event": { - "ingested": "2021-06-01T14:54:19.527169Z" + "ingested": "2021-06-01T14:56:52.713948500Z" }, "tags": [ "preserve_original_event" @@ -834,7 +834,7 @@ }, "message": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID", "event": { - "ingested": "2021-06-01T14:54:19.527173800Z" + "ingested": "2021-06-01T14:56:52.713952500Z" }, "tags": [ "preserve_original_event" 
@@ -846,7 +846,7 @@
 },
 "message": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694",
 "event": {
- "ingested": "2021-06-01T14:54:19.527178300Z"
+ "ingested": "2021-06-01T14:56:52.713956200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -858,7 +858,7 @@
 },
 "message": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita",
 "event": {
- "ingested": "2021-06-01T14:54:19.527183Z"
+ "ingested": "2021-06-01T14:56:52.713960Z"
 },
 "tags": [
 "preserve_original_event"
@@ -870,7 +870,7 @@
 },
 "message": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing",
 "event": {
- "ingested": "2021-06-01T14:54:19.527188200Z"
+ "ingested": "2021-06-01T14:56:52.713993400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -882,7 +882,7 @@
 },
 "message": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure",
 "event": {
- "ingested": "2021-06-01T14:54:19.527192800Z"
+ "ingested": "2021-06-01T14:56:52.713999600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -894,7 +894,7 @@
 },
 "message": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown",
 "event": {
- "ingested": "2021-06-01T14:54:19.527198100Z"
+ "ingested": "2021-06-01T14:56:52.714005500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -906,7 +906,7 @@
 },
 "message": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host",
 "event": {
- "ingested": "2021-06-01T14:54:19.527203Z"
+ "ingested": "2021-06-01T14:56:52.714009900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -918,7 +918,7 @@
 },
 "message": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen",
 "event": {
- "ingested": "2021-06-01T14:54:19.527207700Z"
+ "ingested": "2021-06-01T14:56:52.714013700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -930,7 +930,7 @@
 },
 "message": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch",
 "event": {
- "ingested": "2021-06-01T14:54:19.527212600Z"
+ "ingested": "2021-06-01T14:56:52.714017400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -942,7 +942,7 @@
 },
 "message": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown",
 "event": {
- "ingested": "2021-06-01T14:54:19.527217400Z"
+ "ingested": "2021-06-01T14:56:52.714021200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -954,7 +954,7 @@
 },
 "message": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339",
 "event": {
- "ingested": "2021-06-01T14:54:19.527236600Z"
+ "ingested": "2021-06-01T14:56:52.714025Z"
 },
 "tags": [
 "preserve_original_event"
@@ -966,7 +966,7 @@
 },
 "message": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex",
 "event": {
- "ingested": "2021-06-01T14:54:19.527243800Z"
+ "ingested": "2021-06-01T14:56:52.714028600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -978,7 +978,7 @@
 },
 "message": "Apr 1 00:38:14 /kmd: ",
 "event": {
- "ingested": "2021-06-01T14:54:19.527249400Z"
+ "ingested": "2021-06-01T14:56:52.714032400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -990,7 +990,7 @@
 },
 "message": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown",
 "event": {
- "ingested": "2021-06-01T14:54:19.527254500Z"
+ "ingested": "2021-06-01T14:56:52.714036400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1002,7 +1002,7 @@
 },
 "message": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success",
 "event": {
- "ingested": "2021-06-01T14:54:19.527259300Z"
+ "ingested": "2021-06-01T14:56:52.714040900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1014,7 +1014,7 @@
 },
 "message": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully",
 "event": {
- "ingested": "2021-06-01T14:54:19.527265100Z"
+ "ingested": "2021-06-01T14:56:52.714046Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1026,7 +1026,7 @@
 },
 "message": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success",
 "event": {
- "ingested": "2021-06-01T14:54:19.527270400Z"
+ "ingested": "2021-06-01T14:56:52.714050500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1038,7 +1038,7 @@
 },
 "message": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'",
 "event": {
- "ingested": "2021-06-01T14:54:19.527275100Z"
+ "ingested": "2021-06-01T14:56:52.714054500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1050,7 +1050,7 @@
 },
 "message": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server",
 "event": {
- "ingested": "2021-06-01T14:54:19.527279900Z"
+ "ingested": "2021-06-01T14:56:52.714058500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1062,7 +1062,7 @@
 },
 "message": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace\u003e BCHIP: : cannot write ucode mask reg",
 "event": {
- "ingested": "2021-06-01T14:54:19.527284800Z"
+ "ingested": "2021-06-01T14:56:52.714062500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1074,7 +1074,7 @@
 },
 "message": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown",
 "event": {
- "ingested": "2021-06-01T14:54:19.527289600Z"
+ "ingested": "2021-06-01T14:56:52.714066300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1086,7 +1086,7 @@
 },
 "message": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'",
 "event": {
- "ingested": "2021-06-01T14:54:19.527294200Z"
+ "ingested": "2021-06-01T14:56:52.714070200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1098,7 +1098,7 @@
 },
 "message": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure",
 "event": {
- "ingested": "2021-06-01T14:54:19.527299Z"
+ "ingested": "2021-06-01T14:56:52.714073900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1110,7 +1110,7 @@
 },
 "message": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success",
 "event": {
- "ingested": "2021-06-01T14:54:19.527303700Z"
+ "ingested": "2021-06-01T14:56:52.714077800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1122,7 +1122,7 @@
 },
 "message": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure",
 "event": {
- "ingested": "2021-06-01T14:54:19.527308300Z"
+ "ingested": "2021-06-01T14:56:52.714081600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1134,7 +1134,7 @@
 },
 "message": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse",
 "event": {
- "ingested": "2021-06-01T14:54:19.527312900Z"
+ "ingested": "2021-06-01T14:56:52.714085300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1146,7 +1146,7 @@
 },
 "message": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success",
 "event": {
- "ingested": "2021-06-01T14:54:19.527317600Z"
+ "ingested": "2021-06-01T14:56:52.714089100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1158,7 +1158,7 @@
 },
 "message": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown",
 "event": {
- "ingested": "2021-06-01T14:54:19.527322400Z"
+ "ingested": "2021-06-01T14:56:52.714093800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1170,7 +1170,7 @@
 },
 "message": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed",
 "event": {
- "ingested": "2021-06-01T14:54:19.527327200Z"
+ "ingested": "2021-06-01T14:56:52.714098100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1182,7 +1182,7 @@
 },
 "message": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193",
 "event": {
- "ingested": "2021-06-01T14:54:19.527332Z"
+ "ingested": "2021-06-01T14:56:52.714101800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1194,7 +1194,7 @@
 },
 "message": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure",
 "event": {
- "ingested": "2021-06-01T14:54:19.527336600Z"
+ "ingested": "2021-06-01T14:56:52.714105600Z"
 },
 "tags": [
 "preserve_original_event"
diff --git a/packages/juniper/data_stream/junos/manifest.yml b/packages/juniper/data_stream/junos/manifest.yml
index 8b938814398..5509ab4e801 100644
--- a/packages/juniper/data_stream/junos/manifest.yml
+++ b/packages/juniper/data_stream/junos/manifest.yml
@@ -175,4 +175,4 @@ streams:
 description: Preserves a raw copy of the original event, added to the field `event.original`
 type: bool
 multi: false
- default: false
\ No newline at end of file
+ default: false
diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-common-config.yml b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-common-config.yml
index e74affa452f..5622947e4b8 100644
--- a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-common-config.yml
+++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-common-config.yml
@@ -2,4 +2,4 @@ dynamic_fields:
 event.ingested: ".*"
 fields:
 tags:
- - preserve_original_event
\ No newline at end of file
+ - preserve_original_event
diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
index a867a6aa120..f811804c072 100644
--- a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
@@ -6,7 +6,7 @@
 },
 "message": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)",
 "event": {
- "ingested": "2021-06-01T14:54:20.281964Z"
+ "ingested": "2021-06-01T14:56:53.447099400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -18,7 +18,7 @@
 },
 "message": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282023200Z"
+ "ingested": "2021-06-01T14:56:53.447149900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -30,7 +30,7 @@
 },
 "message": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282035800Z"
+ "ingested": "2021-06-01T14:56:53.447167300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -42,7 +42,7 @@
 },
 "message": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect",
 "event": {
- "ingested": "2021-06-01T14:54:20.282041900Z"
+ "ingested": "2021-06-01T14:56:53.447174700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -54,7 +54,7 @@
 },
 "message": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282046600Z"
+ "ingested": "2021-06-01T14:56:53.447179600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -66,7 +66,7 @@
 },
 "message": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .",
 "event": {
- "ingested": "2021-06-01T14:54:20.282050900Z"
+ "ingested": "2021-06-01T14:56:53.447183400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -78,7 +78,7 @@
 },
 "message": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282055300Z"
+ "ingested": "2021-06-01T14:56:53.447186900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -90,7 +90,7 @@
 },
 "message": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated",
 "event": {
- "ingested": "2021-06-01T14:54:20.282059200Z"
+ "ingested": "2021-06-01T14:56:53.447190800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -102,7 +102,7 @@
 },
 "message": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282063400Z"
+ "ingested": "2021-06-01T14:56:53.447194600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -114,7 +114,7 @@
 },
 "message": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu",
 "event": {
- "ingested": "2021-06-01T14:54:20.282067200Z"
+ "ingested": "2021-06-01T14:56:53.447198700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -126,7 +126,7 @@
 },
 "message": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet",
 "event": {
- "ingested": "2021-06-01T14:54:20.282071100Z"
+ "ingested": "2021-06-01T14:56:53.447202400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -138,7 +138,7 @@
 },
 "message": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74",
 "event": {
- "ingested": "2021-06-01T14:54:20.282075300Z"
+ "ingested": "2021-06-01T14:56:53.447206400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -150,7 +150,7 @@
 },
 "message": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282079300Z"
+ "ingested": "2021-06-01T14:56:53.447209900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -162,7 +162,7 @@
 },
 "message": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282083300Z"
+ "ingested": "2021-06-01T14:56:53.447213200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -174,7 +174,7 @@
 },
 "message": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175",
 "event": {
- "ingested": "2021-06-01T14:54:20.282088500Z"
+ "ingested": "2021-06-01T14:56:53.447253500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -186,7 +186,7 @@
 },
 "message": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.",
 "event": {
- "ingested": "2021-06-01T14:54:20.282093100Z"
+ "ingested": "2021-06-01T14:56:53.447261900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -198,7 +198,7 @@
 },
 "message": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre",
 "event": {
- "ingested": "2021-06-01T14:54:20.282097700Z"
+ "ingested": "2021-06-01T14:56:53.447267200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -210,7 +210,7 @@
 },
 "message": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese",
 "event": {
- "ingested": "2021-06-01T14:54:20.282102800Z"
+ "ingested": "2021-06-01T14:56:53.447271400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -222,7 +222,7 @@
 },
 "message": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87",
 "event": {
- "ingested": "2021-06-01T14:54:20.282107100Z"
+ "ingested": "2021-06-01T14:56:53.447275200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -234,7 +234,7 @@
 },
 "message": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282111300Z"
+ "ingested": "2021-06-01T14:56:53.447278900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -246,7 +246,7 @@
 },
 "message": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state",
 "event": {
- "ingested": "2021-06-01T14:54:20.282119900Z"
+ "ingested": "2021-06-01T14:56:53.447282400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -258,7 +258,7 @@
 },
 "message": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added",
 "event": {
- "ingested": "2021-06-01T14:54:20.282124500Z"
+ "ingested": "2021-06-01T14:56:53.447286Z"
 },
 "tags": [
 "preserve_original_event"
@@ -270,7 +270,7 @@
 },
 "message": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu",
 "event": {
- "ingested": "2021-06-01T14:54:20.282129Z"
+ "ingested": "2021-06-01T14:56:53.447289700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -282,7 +282,7 @@
 },
 "message": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation",
 "event": {
- "ingested": "2021-06-01T14:54:20.282133300Z"
+ "ingested": "2021-06-01T14:56:53.447293300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -294,7 +294,7 @@
 },
 "message": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51",
 "event": {
- "ingested": "2021-06-01T14:54:20.282137700Z"
+ "ingested": "2021-06-01T14:56:53.447297500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -306,7 +306,7 @@
 },
 "message": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu",
 "event": {
- "ingested": "2021-06-01T14:54:20.282142100Z"
+ "ingested": "2021-06-01T14:56:53.447301700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -318,7 +318,7 @@
 },
 "message": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883",
 "event": {
- "ingested": "2021-06-01T14:54:20.282147Z"
+ "ingested": "2021-06-01T14:56:53.447306700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -330,7 +330,7 @@
 },
 "message": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin",
 "event": {
- "ingested": "2021-06-01T14:54:20.282153300Z"
+ "ingested": "2021-06-01T14:56:53.447313100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -342,7 +342,7 @@
 },
 "message": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid",
 "event": {
- "ingested": "2021-06-01T14:54:20.282157900Z"
+ "ingested": "2021-06-01T14:56:53.447317600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -354,7 +354,7 @@
 },
 "message": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed",
 "event": {
- "ingested": "2021-06-01T14:54:20.282162500Z"
+ "ingested": "2021-06-01T14:56:53.447321800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -366,7 +366,7 @@
 },
 "message": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282166900Z"
+ "ingested": "2021-06-01T14:56:53.447325800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -378,7 +378,7 @@
 },
 "message": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru",
 "event": {
- "ingested": "2021-06-01T14:54:20.282170900Z"
+ "ingested": "2021-06-01T14:56:53.447330100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -390,7 +390,7 @@
 },
 "message": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations",
 "event": {
- "ingested": "2021-06-01T14:54:20.282175500Z"
+ "ingested": "2021-06-01T14:56:53.447334600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -402,7 +402,7 @@
 },
 "message": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita",
 "event": {
- "ingested": "2021-06-01T14:54:20.282179700Z"
+ "ingested": "2021-06-01T14:56:53.447338500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -414,7 +414,7 @@
 },
 "message": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.",
 "event": {
- "ingested": "2021-06-01T14:54:20.282184400Z"
+ "ingested": "2021-06-01T14:56:53.447342800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -426,7 +426,7 @@
 },
 "message": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable",
 "event": {
- "ingested": "2021-06-01T14:54:20.282188400Z"
+ "ingested": "2021-06-01T14:56:53.447346700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -438,7 +438,7 @@
 },
 "message": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.",
 "event": {
- "ingested": "2021-06-01T14:54:20.282192600Z"
+ "ingested": "2021-06-01T14:56:53.447350400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -450,7 +450,7 @@
 },
 "message": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.",
 "event": {
- "ingested": "2021-06-01T14:54:20.282196700Z"
+ "ingested": "2021-06-01T14:56:53.447354400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -462,7 +462,7 @@
 },
 "message": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo",
 "event": {
- "ingested": "2021-06-01T14:54:20.282201200Z"
+ "ingested": "2021-06-01T14:56:53.447358700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -474,7 +474,7 @@
 },
 "message": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282205300Z"
+ "ingested": "2021-06-01T14:56:53.447362600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -486,7 +486,7 @@
 },
 "message": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282209100Z"
+ "ingested": "2021-06-01T14:56:53.447366Z"
 },
 "tags": [
 "preserve_original_event"
@@ -498,7 +498,7 @@
 },
 "message": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282215400Z"
+ "ingested": "2021-06-01T14:56:53.447371600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -510,7 +510,7 @@
 },
 "message": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51",
 "event": {
- "ingested": "2021-06-01T14:54:20.282219800Z"
+ "ingested": "2021-06-01T14:56:53.447375200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -522,7 +522,7 @@
 },
 "message": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu \u003e nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)\u003c\u003ccolabori\u003e",
 "event": {
- "ingested": "2021-06-01T14:54:20.282223900Z"
+ "ingested": "2021-06-01T14:56:53.447378800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -534,7 +534,7 @@
 },
 "message": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe",
 "event": {
- "ingested": "2021-06-01T14:54:20.282228400Z"
+ "ingested": "2021-06-01T14:56:53.447382300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -546,7 +546,7 @@
 },
 "message": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .",
 "event": {
- "ingested": "2021-06-01T14:54:20.282232600Z"
+ "ingested": "2021-06-01T14:56:53.447385800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -558,7 +558,7 @@
 },
 "message": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282237500Z"
+ "ingested": "2021-06-01T14:56:53.447390200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -570,7 +570,7 @@
 },
 "message": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.",
 "event": {
- "ingested": "2021-06-01T14:54:20.282241900Z"
+ "ingested": "2021-06-01T14:56:53.447393900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -582,7 +582,7 @@
 },
 "message": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima",
 "event": {
- "ingested": "2021-06-01T14:54:20.282245900Z"
+ "ingested": "2021-06-01T14:56:53.447397400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -594,7 +594,7 @@
 },
 "message": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282250100Z"
+ "ingested": "2021-06-01T14:56:53.447401Z"
 },
 "tags": [
 "preserve_original_event"
@@ -606,7 +606,7 @@
 },
 "message": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282254200Z"
+ "ingested": "2021-06-01T14:56:53.447404600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -618,7 +618,7 @@
 },
 "message": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282258300Z"
+ "ingested": "2021-06-01T14:56:53.447408300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -630,7 +630,7 @@
 },
 "message": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.",
 "event": {
- "ingested": "2021-06-01T14:54:20.282262400Z"
+ "ingested": "2021-06-01T14:56:53.447411900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -642,7 +642,7 @@
 },
 "message": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266",
 "event": {
- "ingested": "2021-06-01T14:54:20.282266500Z"
+ "ingested": "2021-06-01T14:56:53.447415600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -654,7 +654,7 @@
 },
 "message": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282270400Z"
+ "ingested": "2021-06-01T14:56:53.447419Z"
 },
 "tags": [
 "preserve_original_event"
@@ -666,7 +666,7 @@
 },
 "message": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282274300Z"
+ "ingested": "2021-06-01T14:56:53.447422400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -678,7 +678,7 @@
 },
 "message": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added",
 "event": {
- "ingested": "2021-06-01T14:54:20.282278400Z"
+ "ingested": "2021-06-01T14:56:53.447425900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -690,7 +690,7 @@
 },
 "message": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-\u003e untrust-vr: exer",
 "event": {
- "ingested": "2021-06-01T14:54:20.282282400Z"
+ "ingested": "2021-06-01T14:56:53.447429400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -702,7 +702,7 @@
 },
 "message": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat",
 "event": {
- "ingested": "2021-06-01T14:54:20.282286300Z"
+ "ingested": "2021-06-01T14:56:53.447433100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -714,7 +714,7 @@
 },
 "message": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282292900Z"
+ "ingested": "2021-06-01T14:56:53.447436900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -726,7 +726,7 @@
 },
 "message": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list",
 "event": {
- "ingested": "2021-06-01T14:54:20.282301100Z"
+ "ingested": "2021-06-01T14:56:53.447440600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -738,7 +738,7 @@
 },
 "message": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282305600Z"
+ "ingested": "2021-06-01T14:56:53.447444400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -750,7 +750,7 @@
 },
 "message": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times",
 "event": {
- "ingested": "2021-06-01T14:54:20.282309700Z"
+ "ingested": "2021-06-01T14:56:53.447448Z"
 },
 "tags": [
 "preserve_original_event"
@@ -762,7 +762,7 @@
 },
 "message": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110",
 "event": {
- "ingested": "2021-06-01T14:54:20.282313900Z"
+ "ingested": "2021-06-01T14:56:53.447451500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -774,7 +774,7 @@
 },
 "message": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282318800Z"
+ "ingested": "2021-06-01T14:56:53.447455Z"
 },
 "tags": [
 "preserve_original_event"
@@ -786,7 +786,7 @@
 },
 "message": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica",
 "event": {
- "ingested": "2021-06-01T14:54:20.282323100Z"
+ "ingested": "2021-06-01T14:56:53.447458500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -798,7 +798,7 @@
 },
 "message": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi",
 "event": {
- "ingested": "2021-06-01T14:54:20.282327200Z"
+ "ingested": "2021-06-01T14:56:53.447462300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -810,7 +810,7 @@
 },
 "message": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282331300Z"
+ "ingested": "2021-06-01T14:56:53.447466100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -822,7 +822,7 @@
 },
 "message": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.",
 "event": {
- "ingested": "2021-06-01T14:54:20.282335800Z"
+ "ingested": "2021-06-01T14:56:53.447470Z"
 },
 "tags": [
 "preserve_original_event"
@@ -834,7 +834,7 @@
 },
 "message": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna",
 "event": {
- "ingested": "2021-06-01T14:54:20.282340100Z"
+ "ingested": "2021-06-01T14:56:53.447473500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -846,7 +846,7 @@
 },
 "message": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan",
 "event": {
- "ingested": "2021-06-01T14:54:20.282346900Z"
+ "ingested": "2021-06-01T14:56:53.447481Z"
 },
 "tags": [
 "preserve_original_event"
@@ -858,7 +858,7 @@
 },
 "message": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure",
 "event": {
- "ingested": "2021-06-01T14:54:20.282352200Z"
+ "ingested": "2021-06-01T14:56:53.447485400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -870,7 +870,7 @@
 },
 "message": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282356600Z"
+ "ingested": "2021-06-01T14:56:53.447489Z"
 },
 "tags": [
 "preserve_original_event"
@@ -882,7 +882,7 @@
 },
 "message": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success",
 "event": {
- "ingested": "2021-06-01T14:54:20.282360600Z"
+ "ingested": "2021-06-01T14:56:53.447492900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -894,7 +894,7 @@
 },
 "message": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state",
 "event": {
- "ingested": "2021-06-01T14:54:20.282365300Z"
+ "ingested": "2021-06-01T14:56:53.447496800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -906,7 +906,7 @@
 },
 "message": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding",
 "event": {
- "ingested": "2021-06-01T14:54:20.282375100Z"
+ "ingested": "2021-06-01T14:56:53.447500600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -918,7 +918,7 @@
 },
 "message": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065",
 "event": {
- "ingested": "2021-06-01T14:54:20.282379100Z"
+ "ingested": "2021-06-01T14:56:53.447504500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -930,7 +930,7 @@
 },
 "message": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282383Z"
+ "ingested": "2021-06-01T14:56:53.447511Z"
 },
 "tags": [
 "preserve_original_event"
@@ -942,7 +942,7 @@
 },
 "message": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted",
 "event": {
- "ingested": "2021-06-01T14:54:20.282386800Z"
+ "ingested": "2021-06-01T14:56:53.447516500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -954,7 +954,7 @@
 },
 "message": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.",
 "event": {
- "ingested": "2021-06-01T14:54:20.282390400Z"
+ "ingested": "2021-06-01T14:56:53.447520100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -966,7 +966,7 @@
 },
 "message": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282394200Z"
+ "ingested": "2021-06-01T14:56:53.447523700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -978,7 +978,7 @@
 },
 "message": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun",
 "event": {
- "ingested": "2021-06-01T14:54:20.282397900Z"
+ "ingested": "2021-06-01T14:56:53.447527300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -990,7 +990,7 @@
 },
 "message": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282401600Z"
+ "ingested": "2021-06-01T14:56:53.447531Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1002,7 +1002,7 @@
 },
 "message": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282405400Z"
+ "ingested": "2021-06-01T14:56:53.447534600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1014,7 +1014,7 @@
 },
 "message": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success",
 "event": {
- "ingested": "2021-06-01T14:54:20.282409400Z"
+ "ingested": "2021-06-01T14:56:53.447538200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1026,7 +1026,7 @@
 },
 "message": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282413100Z"
+ "ingested": "2021-06-01T14:56:53.447542100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1038,7 +1038,7 @@
 },
 "message": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA",
 "event": {
- "ingested": "2021-06-01T14:54:20.282416700Z"
+ "ingested": "2021-06-01T14:56:53.447545500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1050,7 +1050,7 @@
 },
 "message": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed",
 "event": {
- "ingested": "2021-06-01T14:54:20.282428400Z"
+ "ingested": "2021-06-01T14:56:53.447549100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1062,7 +1062,7 @@
 },
 "message": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae",
 "event": {
- "ingested": "2021-06-01T14:54:20.282435500Z"
+ "ingested": "2021-06-01T14:56:53.447552700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1074,7 +1074,7 @@
 },
 "message": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!",
 "event": {
- "ingested": "2021-06-01T14:54:20.282440500Z"
+ "ingested": "2021-06-01T14:56:53.447556800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1086,7 +1086,7 @@
 },
 "message": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA",
 "event": {
- "ingested": "2021-06-01T14:54:20.282444500Z"
+ "ingested": "2021-06-01T14:56:53.447560300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1098,7 +1098,7 @@
 },
 "message": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282448300Z"
+ "ingested": "2021-06-01T14:56:53.447563800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1110,7 +1110,7 @@
 },
 "message": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59",
 "event": {
- "ingested": "2021-06-01T14:54:20.282452100Z"
+ "ingested": "2021-06-01T14:56:53.447567200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1122,7 +1122,7 @@
 },
 "message": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA",
 "event": {
- "ingested": "2021-06-01T14:54:20.282456100Z"
+ "ingested": "2021-06-01T14:56:53.447570500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1134,7 +1134,7 @@
 },
 "message": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282460Z"
+ "ingested": "2021-06-01T14:56:53.447574100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1146,7 +1146,7 @@
 },
 "message": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed",
 "event": {
- "ingested": "2021-06-01T14:54:20.282463700Z"
+ "ingested": "2021-06-01T14:56:53.447577700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1158,7 +1158,7 @@
 },
 "message": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin",
 "event": {
- "ingested": "2021-06-01T14:54:20.282467500Z"
+ "ingested": "2021-06-01T14:56:53.447581300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1170,7 +1170,7 @@
 },
 "message": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282471100Z"
+ "ingested": "2021-06-01T14:56:53.447584600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1182,7 +1182,7 @@
 },
 "message": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)",
 "event": {
- "ingested": "2021-06-01T14:54:20.282474900Z"
+ "ingested": "2021-06-01T14:56:53.447587900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1194,7 +1194,7 @@
 },
 "message": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change",
 "event": {
- "ingested": "2021-06-01T14:54:20.282478500Z"
+ "ingested": "2021-06-01T14:56:53.447591300Z"
 },
 "tags": [
 "preserve_original_event"
diff --git a/packages/juniper/data_stream/netscreen/manifest.yml b/packages/juniper/data_stream/netscreen/manifest.yml
index 078bbfaf446..9c9f0e82666 100644
--- a/packages/juniper/data_stream/netscreen/manifest.yml
+++ b/packages/juniper/data_stream/netscreen/manifest.yml
@@ -176,4 +176,4 @@ streams:
 description: Preserves a raw copy of the original event, added to the field `event.original`
 type: bool
 multi: false
- default: false
\ No newline at end of file
+ default: false
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
index 542aae6c705..6cb03718256 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
@@ -92,7 +92,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:21.479336300Z",
+ "ingested": "2021-06-01T14:56:54.719797800Z",
 "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]",
 "kind": "alert",
 "module": "juniper",
@@ -155,7 +155,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:21.479359800Z",
+ "ingested": "2021-06-01T14:56:54.719836200Z",
 "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]",
 "kind": "alert",
 "module": "juniper",
@@ -218,7 +218,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-01T14:54:21.479365500Z",
+ "ingested": "2021-06-01T14:56:54.719840500Z",
 "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]",
 "kind": "alert",
 "module": "juniper",
@@ -323,7 +323,7 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-06-01T14:54:21.479370400Z",
+ "ingested": "2021-06-01T14:56:54.719843900Z",
 "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]",
 "kind": "event",
 "module": "juniper",
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-common-config.yml b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-common-config.yml
index e74affa452f..5622947e4b8 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-common-config.yml
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-common-config.yml
@@ -2,4 +2,4 @@ dynamic_fields:
 event.ingested: ".*"
 fields:
 tags:
- - preserve_original_event
\ No newline at end of file
+ - preserve_original_event
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
index 016fa5dcb01..f839e80a97c 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
@@ -80,7 +80,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141868Z",
+ "ingested": "2021-06-01T14:56:55.380098900Z",
 "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
@@ -165,7 +165,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141888700Z",
+ "ingested": "2021-06-01T14:56:55.380115700Z",
 "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
@@ -273,7 +273,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141893300Z",
+ "ingested": "2021-06-01T14:56:55.380119600Z",
 "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]",
 "kind": "event",
 "module": "juniper",
@@ -415,7 +415,7 @@
 "connection"
 ],
 "duration": 60000000000,
- "ingested": "2021-06-01T14:54:22.141896700Z",
+ "ingested": "2021-06-01T14:56:55.380122900Z",
 "action": "flow_close",
 "end": "2014-05-01T08:29:10.933Z",
 "category": [
@@ -521,7 +521,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141899900Z",
+ "ingested": "2021-06-01T14:56:55.380125700Z",
 "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]",
 "kind": "event",
 "module": "juniper",
@@ -626,7 +626,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141903100Z",
+ "ingested": "2021-06-01T14:56:55.380128800Z",
 "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]",
 "kind": "event",
 "module": "juniper",
@@ -752,7 +752,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-01T14:54:22.141906Z",
+ "ingested": "2021-06-01T14:56:55.380131200Z",
 "action": "flow_close",
 "end": "2010-09-30T06:55:07.188Z",
 "category": [
@@ -886,7 +886,7 @@
 "connection"
 ],
 "duration": 1000000000,
- "ingested": "2021-06-01T14:54:22.141909700Z",
+ "ingested": "2021-06-01T14:56:55.380133700Z",
 "action": "flow_close",
 "end": "2019-04-12T14:29:07.576Z",
 "category": [
@@ -995,7 +995,7 @@
 "connection"
 ],
 "duration": 16000000000,
- "ingested": "2021-06-01T14:54:22.141912800Z",
+ "ingested": "2021-06-01T14:56:55.380136300Z",
 "action": "flow_close",
 "end": "2019-04-13T14:33:22.576Z",
 "category": [
@@ -1140,7 +1140,7 @@
 "connection"
 ],
 "duration": 8000000000,
- "ingested": "2021-06-01T14:54:22.141915600Z",
+ "ingested": "2021-06-01T14:56:55.380139Z",
 "action": "flow_close",
 "end": "2018-10-07T01:32:28.898Z",
 "category": [
@@ -1267,7 +1267,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-06-01T14:54:22.141918700Z",
+ "ingested": "2021-06-01T14:56:55.380141500Z",
 "action": "flow_close",
 "end": "2018-06-30T02:17:25.753Z",
 "category": [
@@ -1381,7 +1381,7 @@
 "connection"
 ],
 "duration": 1000000000,
- "ingested": "2021-06-01T14:54:22.141921700Z",
+ "ingested": "2021-06-01T14:56:55.380144200Z",
 "action": "flow_close",
 "end": "2015-09-25T14:19:54.846Z",
 "category": [
@@ -1501,7 +1501,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141925Z",
+ "ingested": "2021-06-01T14:56:55.380146700Z",
 "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
@@ -1648,7 +1648,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-01T14:54:22.141928100Z",
+ "ingested": "2021-06-01T14:56:55.380149300Z",
 "action": "flow_started",
 "end": "2013-01-19T15:18:17.040Z",
 "category": [
@@ -1790,7 +1790,7 @@
 "connection"
 ],
 "duration": 1000000000,
- "ingested": "2021-06-01T14:54:22.141931100Z",
+ "ingested": "2021-06-01T14:56:55.380151800Z",
 "action": "flow_close",
 "end": "2013-01-19T15:18:18.040Z",
 "category": [
@@ -1939,7 +1939,7 @@
 "connection"
 ],
 "duration": 60000000000,
- "ingested": "2021-06-01T14:54:22.141934Z",
+ "ingested": "2021-06-01T14:56:55.380154600Z",
 "action": "flow_started",
 "end": "2013-01-19T15:19:18.040Z",
 "category": [
@@ -2071,7 +2071,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141936800Z",
+ "ingested": "2021-06-01T14:56:55.380157300Z",
 "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]",
 "kind": "event",
 "module": "juniper",
@@ -2226,7 +2226,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-06-01T14:54:22.141940100Z",
+ "ingested": "2021-06-01T14:56:55.380159900Z",
 "action": "flow_close",
 "end": "2013-01-19T15:18:23.040Z",
 "category": [
@@ -2332,7 +2332,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141943Z",
+ "ingested": "2021-06-01T14:56:55.380162700Z",
 "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]",
 "kind": "event",
 "module": "juniper",
@@ -2416,7 +2416,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141945900Z",
+ "ingested": "2021-06-01T14:56:55.380165300Z",
 "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
@@ -2571,7 +2571,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-06-01T14:54:22.141948700Z",
+ "ingested": "2021-06-01T14:56:55.380168500Z",
 "action": "flow_close",
 "end": "2020-01-19T15:18:23.040Z",
 "category": [
@@ -2700,7 +2700,7 @@
 "connection"
 ],
 "duration": 60000000000,
- "ingested": "2021-06-01T14:54:22.141951600Z",
+ "ingested": "2021-06-01T14:56:55.380171200Z",
 "action": "flow_started",
 "end": "2020-07-14T14:18:11.928Z",
 "category": [
@@ -2839,7 +2839,7 @@
 "connection"
 ],
 "duration": 23755000000000,
- "ingested": "2021-06-01T14:54:22.141954500Z",
+ "ingested": "2021-06-01T14:56:55.380190600Z",
 "action": "flow_close",
 "end": "2020-07-13T23:19:00.041Z",
 "category": [
@@ -2947,7 +2947,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:54:22.141957300Z",
+ "ingested": "2021-06-01T14:56:55.380194700Z",
 "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
@@ -3085,7 +3085,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-06-01T14:54:22.141960300Z",
+ "ingested": "2021-06-01T14:56:55.380197800Z",
 "action": "flow_close",
 "end": "2020-07-13T16:12:08.530Z",
 "category": [
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
index 2a86115ce3a..f61ea596a32 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
@@ -120,7 +120,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-01T14:54:26.593230900Z",
+ "ingested": "2021-06-01T14:56:59.804998900Z",
 "action": "security_threat",
 "end": "2020-03-02T23:13:03.193Z",
 "category": [
@@ -251,7 +251,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-01T14:54:26.593251500Z",
+ "ingested": "2021-06-01T14:56:59.805012400Z",
 "action": "security_threat",
 "end": "2020-03-02T23:13:03.197Z",
 "category": [
@@ -374,7 +374,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-01T14:54:26.593255800Z",
+ "ingested": "2021-06-01T14:56:59.805016200Z",
 "action": "security_threat",
 "end": "2007-02-15T09:17:15.719Z",
 "category": [
@@ -497,7 +497,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-01T14:54:26.593258800Z",
+ "ingested": "2021-06-01T14:56:59.805019Z",
 "action": "security_threat",
 "end": "2017-10-12T21:55:55.792Z",
 "category": [
@@ -565,7 +565,7 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-06-01T14:54:26.593262Z",
+ "ingested": "2021-06-01T14:56:59.805021500Z",
 "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
@@ -663,7 +663,7 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-06-01T14:54:26.593264700Z",
+ "ingested": "2021-06-01T14:56:59.805024Z",
 "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
@@ -761,7 +761,7 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-06-01T14:54:26.593267300Z",
+ "ingested": "2021-06-01T14:56:59.805027Z",
 "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
index b14a275e88d..b8ac5d1fbb5 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
@@ -87,7 +87,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-01T14:54:27.839593400Z",
+ "ingested": "2021-06-01T14:57:01.011143300Z",
 "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -160,7 +160,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839609100Z", + "ingested": "2021-06-01T14:57:01.011158900Z", "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -263,7 +263,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839613500Z", + "ingested": "2021-06-01T14:57:01.011162200Z", "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -366,7 +366,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839616600Z", + "ingested": "2021-06-01T14:57:01.011164800Z", "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", 
@@ -465,7 +465,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839619700Z", + "ingested": "2021-06-01T14:57:01.011167600Z", "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -567,7 +567,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839622600Z", + "ingested": "2021-06-01T14:57:01.011182500Z", "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -638,7 +638,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839625Z", + "ingested": "2021-06-01T14:57:01.011187500Z", "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -734,7 +734,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839628Z", + "ingested": "2021-06-01T14:57:01.011190700Z", "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", 
@@ -811,7 +811,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839630600Z", + "ingested": "2021-06-01T14:57:01.011193400Z", "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "module": "juniper", @@ -891,7 +891,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839633400Z", + "ingested": "2021-06-01T14:57:01.011196100Z", "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "module": "juniper", @@ -964,7 +964,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839636500Z", + "ingested": "2021-06-01T14:57:01.011198500Z", "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -1037,7 +1037,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:54:27.839666600Z", + "ingested": "2021-06-01T14:57:01.011250100Z", "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", 
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json index d1825c8ec2b..53cdc37b1f9 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json @@ -80,7 +80,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:54:29.220452Z", + "ingested": "2021-06-01T14:57:02.381526400Z", "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", "kind": "alert", "module": "juniper", 
@@ -186,7 +186,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:54:29.220468800Z", + "ingested": "2021-06-01T14:57:02.381541200Z", "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]", "kind": "alert", "module": "juniper", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json index 83514b50359..0012de98c80 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json @@ -78,7 +78,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561863400Z", + "ingested": "2021-06-01T14:57:02.705492600Z", "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", 
@@ -173,7 +173,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561877300Z", + "ingested": "2021-06-01T14:57:02.705506700Z", "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", "kind": "event", "module": "juniper", @@ -264,7 +264,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561880400Z", + "ingested": "2021-06-01T14:57:02.705509700Z", "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "module": "juniper", @@ -349,7 +349,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561899700Z", + "ingested": "2021-06-01T14:57:02.705544900Z", "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", "kind": "event", "module": "juniper", 
@@ -414,7 +414,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561905900Z", + "ingested": "2021-06-01T14:57:02.705552600Z", "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", "kind": "event", "module": "juniper", @@ -480,7 +480,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:54:29.561912400Z", + "ingested": "2021-06-01T14:57:02.705567400Z", "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", @@ -566,7 +566,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:54:29.561915600Z", + "ingested": "2021-06-01T14:57:02.705571500Z", "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", "kind": "alert", "module": "juniper", 
@@ -662,7 +662,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561918200Z", + "ingested": "2021-06-01T14:57:02.705574500Z", "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", @@ -756,7 +756,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561920600Z", + "ingested": "2021-06-01T14:57:02.705577100Z", "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "module": "juniper", @@ -853,7 +853,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:54:29.561923200Z", + "ingested": "2021-06-01T14:57:02.705579400Z", "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", "risk_score": 0.0, "kind": "event", 
@@ -948,7 +948,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561926Z", + "ingested": "2021-06-01T14:57:02.705581700Z", "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", "risk_score": 3.0, "kind": "alert", @@ -1042,7 +1042,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:54:29.561928700Z", + "ingested": "2021-06-01T14:57:02.705584Z", "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]", "kind": "event", "module": "juniper", diff --git a/packages/juniper/manifest.yml b/packages/juniper/manifest.yml index 62d69124a76..abede298e5a 100644 --- a/packages/juniper/manifest.yml +++ b/packages/juniper/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: juniper title: Juniper -version: 0.5.1 +version: 0.5.2 description: Juniper Integration categories: ["network", "security"] release: experimental From 2235c5e5062550d1b2fae6aaa9f9f4154b7f331c Mon Sep 17 00:00:00 2001 
From: Marius Iversen Date: Tue, 1 Jun 2021 16:57:53 +0200 Subject: [PATCH 3/6] update changelog link --- packages/juniper/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/juniper/changelog.yml b/packages/juniper/changelog.yml index 65c443e1ac6..010f59154ff 100644 --- a/packages/juniper/changelog.yml +++ b/packages/juniper/changelog.yml @@ -3,7 +3,7 @@ changes: - description: update to ECS 1.10.0 and add event.original options type: enhancement - link: https://github.com/elastic/integrations/pull/853 + link: https://github.com/elastic/integrations/pull/1058 - version: "0.5.1" changes: - description: update to ECS 1.9.0 From eb2ed343036a8575a83b985b3ee94ec549f10ca0 Mon Sep 17 00:00:00 2001 
From: Marius Iversen Date: Mon, 7 Jun 2021 15:09:06 +0200 Subject: [PATCH 4/6] update fields and linting --- packages/juniper/changelog.yml | 2 +- .../pipeline/test-generated.log-expected.json | 200 +++++++++--------- .../junos/agent/stream/stream.yml.hbs | 3 + .../junos/agent/stream/tcp.yml.hbs | 3 + .../junos/agent/stream/udp.yml.hbs | 3 + .../juniper/data_stream/junos/manifest.yml | 30 ++- .../pipeline/test-generated.log-expected.json | 200 +++++++++--------- .../netscreen/agent/stream/logfile.yml.hbs | 3 + .../netscreen/agent/stream/tcp.yml.hbs | 3 + .../netscreen/agent/stream/udp.yml.hbs | 3 + .../data_stream/netscreen/manifest.yml | 30 ++- .../test/pipeline/test-atp.log-expected.json | 8 +- .../test/pipeline/test-flow.log-expected.json | 50 ++--- .../test/pipeline/test-idp.log-expected.json | 14 +- .../test/pipeline/test-ids.log-expected.json | 24 +-- .../pipeline/test-secintel.log-expected.json | 4 +- .../test/pipeline/test-utm.log-expected.json | 24 +-- .../srx/agent/stream/logfile.yml.hbs | 5 +- .../data_stream/srx/agent/stream/tcp.yml.hbs | 5 +- .../data_stream/srx/agent/stream/udp.yml.hbs | 5 +- .../elasticsearch/ingest_pipeline/default.yml | 6 +- packages/juniper/data_stream/srx/manifest.yml | 30 ++- packages/juniper/manifest.yml | 4 +- 23 files changed, 381 insertions(+), 278 deletions(-) diff --git a/packages/juniper/changelog.yml b/packages/juniper/changelog.yml index 010f59154ff..55f7a524496 100644 --- a/packages/juniper/changelog.yml +++ b/packages/juniper/changelog.yml @@ -1,5 +1,5 @@ # newer versions go on top -- version: "0.5.2" +- version: "1.0.0" changes: - description: update to ECS 1.10.0 and add event.original options type: enhancement diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json index d26faf11c02..0a5ae78bd80 100644 
--- a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json @@ -6,7 +6,7 @@ }, "message": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)", "event": { - "ingested": "2021-06-01T14:56:52.713530800Z" + "ingested": "2021-06-07T13:08:32.781532900Z" }, "tags": [ "preserve_original_event" @@ -18,7 +18,7 @@ }, "message": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed", "event": { - "ingested": "2021-06-01T14:56:52.713556800Z" + "ingested": "2021-06-07T13:08:32.781563400Z" }, "tags": [ "preserve_original_event" @@ -30,7 +30,7 @@ }, "message": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success", "event": { - "ingested": "2021-06-01T14:56:52.713564300Z" + "ingested": "2021-06-07T13:08:32.781571800Z" }, "tags": [ "preserve_original_event" @@ -42,7 +42,7 @@ }, "message": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace\u003e node: dqu", "event": { - "ingested": "2021-06-01T14:56:52.713593600Z" + "ingested": "2021-06-07T13:08:32.781579600Z" }, "tags": [ "preserve_original_event" @@ -54,7 +54,7 @@ }, "message": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367", "event": { - "ingested": "2021-06-01T14:56:52.713600300Z" + "ingested": "2021-06-07T13:08:32.781585400Z" }, "tags": [ "preserve_original_event" @@ -66,7 +66,7 @@ }, "message": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown", "event": { - "ingested": "2021-06-01T14:56:52.713606100Z" + "ingested": "2021-06-07T13:08:32.781590800Z" }, "tags": [ "preserve_original_event" 
@@ -78,7 +78,7 @@ }, "message": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono", "event": { - "ingested": "2021-06-01T14:56:52.713612700Z" + "ingested": "2021-06-07T13:08:32.781595900Z" }, "tags": [ "preserve_original_event" @@ -90,7 +90,7 @@ }, "message": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure", "event": { - "ingested": "2021-06-01T14:56:52.713618600Z" + "ingested": "2021-06-07T13:08:32.781601800Z" }, "tags": [ "preserve_original_event" @@ -102,7 +102,7 @@ }, "message": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068", "event": { - "ingested": "2021-06-01T14:56:52.713624Z" + "ingested": "2021-06-07T13:08:32.781607500Z" }, "tags": [ "preserve_original_event" @@ -114,7 +114,7 @@ }, "message": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing", "event": { - "ingested": "2021-06-01T14:56:52.713629600Z" + "ingested": "2021-06-07T13:08:32.781612600Z" }, "tags": [ "preserve_original_event" @@ -126,7 +126,7 @@ }, "message": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain", "event": { - "ingested": "2021-06-01T14:56:52.713636100Z" + "ingested": "2021-06-07T13:08:32.781618600Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd", "event": { - "ingested": "2021-06-01T14:56:52.713641500Z" + "ingested": "2021-06-07T13:08:32.781624Z" }, "tags": [ "preserve_original_event" @@ -150,7 +150,7 @@ }, "message": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav", "event": { - "ingested": "2021-06-01T14:56:52.713646900Z" + "ingested": "2021-06-07T13:08:32.781628900Z" }, "tags": [ "preserve_original_event" 
@@ -162,7 +162,7 @@ }, "message": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed", "event": { - "ingested": "2021-06-01T14:56:52.713652100Z" + "ingested": "2021-06-07T13:08:32.781634200Z" }, "tags": [ "preserve_original_event" @@ -174,7 +174,7 @@ }, "message": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown", "event": { - "ingested": "2021-06-01T14:56:52.713657200Z" + "ingested": "2021-06-07T13:08:32.781638900Z" }, "tags": [ "preserve_original_event" @@ -186,7 +186,7 @@ }, "message": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown", "event": { - "ingested": "2021-06-01T14:56:52.713661900Z" + "ingested": "2021-06-07T13:08:32.781643600Z" }, "tags": [ "preserve_original_event" @@ -198,7 +198,7 @@ }, "message": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown", "event": { - "ingested": "2021-06-01T14:56:52.713667100Z" + "ingested": "2021-06-07T13:08:32.781648600Z" }, "tags": [ "preserve_original_event" @@ -210,7 +210,7 @@ }, "message": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed", "event": { - "ingested": "2021-06-01T14:56:52.713672100Z" + "ingested": "2021-06-07T13:08:32.781653500Z" }, "tags": [ "preserve_original_event" @@ -222,7 +222,7 @@ }, "message": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest", "event": { - "ingested": "2021-06-01T14:56:52.713684Z" + "ingested": "2021-06-07T13:08:32.781658700Z" }, "tags": [ "preserve_original_event" 
@@ -234,7 +234,7 @@ }, "message": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa", "event": { - "ingested": "2021-06-01T14:56:52.713689300Z" + "ingested": "2021-06-07T13:08:32.781664100Z" }, "tags": [ "preserve_original_event" @@ -246,7 +246,7 @@ }, "message": "Nov 10 03:01:24 kmd: restart ", "event": { - "ingested": "2021-06-01T14:56:52.713694300Z" + "ingested": "2021-06-07T13:08:32.781670200Z" }, "tags": [ "preserve_original_event" @@ -258,7 +258,7 @@ }, "message": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test", "event": { - "ingested": "2021-06-01T14:56:52.713699800Z" + "ingested": "2021-06-07T13:08:32.781675400Z" }, "tags": [ "preserve_original_event" @@ -270,7 +270,7 @@ }, "message": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test", "event": { - "ingested": "2021-06-01T14:56:52.713706600Z" + "ingested": "2021-06-07T13:08:32.781680800Z" }, "tags": [ "preserve_original_event" @@ -282,7 +282,7 @@ }, "message": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357", "event": { - "ingested": "2021-06-01T14:56:52.713744100Z" + "ingested": "2021-06-07T13:08:32.781686300Z" }, "tags": [ "preserve_original_event" @@ -294,7 +294,7 @@ }, "message": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita", "event": { - "ingested": "2021-06-01T14:56:52.713751100Z" + "ingested": "2021-06-07T13:08:32.781692200Z" }, "tags": [ "preserve_original_event" @@ -306,7 +306,7 @@ }, "message": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown", "event": { - "ingested": "2021-06-01T14:56:52.713756700Z" + "ingested": "2021-06-07T13:08:32.781697700Z" }, "tags": [ "preserve_original_event" 
@@ -318,7 +318,7 @@ }, "message": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425", "event": { - "ingested": "2021-06-01T14:56:52.713761800Z" + "ingested": "2021-06-07T13:08:32.781703200Z" }, "tags": [ "preserve_original_event" @@ -330,7 +330,7 @@ }, "message": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693", "event": { - "ingested": "2021-06-01T14:56:52.713767700Z" + "ingested": "2021-06-07T13:08:32.781708400Z" }, "tags": [ "preserve_original_event" @@ -342,7 +342,7 @@ }, "message": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita", "event": { - "ingested": "2021-06-01T14:56:52.713772600Z" + "ingested": "2021-06-07T13:08:32.781764200Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure", "event": { - "ingested": "2021-06-01T14:56:52.713777400Z" + "ingested": "2021-06-07T13:08:32.781779100Z" }, "tags": [ "preserve_original_event" @@ -366,7 +366,7 @@ }, "message": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure", "event": { - "ingested": "2021-06-01T14:56:52.713782300Z" + "ingested": "2021-06-07T13:08:32.781786100Z" }, "tags": [ "preserve_original_event" @@ -378,7 +378,7 @@ }, "message": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316", "event": { - "ingested": "2021-06-01T14:56:52.713786900Z" + "ingested": "2021-06-07T13:08:32.781792900Z" }, "tags": [ "preserve_original_event" @@ -390,7 +390,7 @@ }, "message": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura", "event": { - "ingested": "2021-06-01T14:56:52.713791Z" + "ingested": "2021-06-07T13:08:32.781799Z" }, "tags": [ "preserve_original_event" 
@@ -402,7 +402,7 @@ }, "message": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'", "event": { - "ingested": "2021-06-01T14:56:52.713797800Z" + "ingested": "2021-06-07T13:08:32.781804300Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic", "event": { - "ingested": "2021-06-01T14:56:52.713807100Z" + "ingested": "2021-06-07T13:08:32.781811900Z" }, "tags": [ "preserve_original_event" @@ -426,7 +426,7 @@ }, "message": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure", "event": { - "ingested": "2021-06-01T14:56:52.713811900Z" + "ingested": "2021-06-07T13:08:32.781817100Z" }, "tags": [ "preserve_original_event" @@ -438,7 +438,7 @@ }, "message": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable", "event": { - "ingested": "2021-06-01T14:56:52.713815900Z" + "ingested": "2021-06-07T13:08:32.781822100Z" }, "tags": [ "preserve_original_event" @@ -450,7 +450,7 @@ }, "message": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown", "event": { - "ingested": "2021-06-01T14:56:52.713820Z" + "ingested": "2021-06-07T13:08:32.781826900Z" }, "tags": [ "preserve_original_event" @@ -462,7 +462,7 @@ }, "message": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe", "event": { - "ingested": "2021-06-01T14:56:52.713823900Z" + "ingested": "2021-06-07T13:08:32.781831900Z" }, "tags": [ "preserve_original_event" 
@@ -474,7 +474,7 @@ }, "message": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176", "event": { - "ingested": "2021-06-01T14:56:52.713828100Z" + "ingested": "2021-06-07T13:08:32.781837100Z" }, "tags": [ "preserve_original_event" @@ -486,7 +486,7 @@ }, "message": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal", "event": { - "ingested": "2021-06-01T14:56:52.713832300Z" + "ingested": "2021-06-07T13:08:32.781842300Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown", "event": { - "ingested": "2021-06-01T14:56:52.713836200Z" + "ingested": "2021-06-07T13:08:32.781847400Z" }, "tags": [ "preserve_original_event" @@ -510,7 +510,7 @@ }, "message": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884", "event": { - "ingested": "2021-06-01T14:56:52.713840600Z" + "ingested": "2021-06-07T13:08:32.781852900Z" }, "tags": [ "preserve_original_event" @@ -522,7 +522,7 @@ }, "message": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146", "event": { - "ingested": "2021-06-01T14:56:52.713844900Z" + "ingested": "2021-06-07T13:08:32.781857900Z" }, "tags": [ "preserve_original_event" @@ -534,7 +534,7 @@ }, "message": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing", "event": { - "ingested": "2021-06-01T14:56:52.713849300Z" + "ingested": "2021-06-07T13:08:32.781862500Z" }, "tags": [ "preserve_original_event" 
@@ -546,7 +546,7 @@ }, "message": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex", "event": { - "ingested": "2021-06-01T14:56:52.713853600Z" + "ingested": "2021-06-07T13:08:32.781867200Z" }, "tags": [ "preserve_original_event" @@ -558,7 +558,7 @@ }, "message": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu", "event": { - "ingested": "2021-06-01T14:56:52.713857800Z" + "ingested": "2021-06-07T13:08:32.781871800Z" }, "tags": [ "preserve_original_event" @@ -570,7 +570,7 @@ }, "message": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.", "event": { - "ingested": "2021-06-01T14:56:52.713862Z" + "ingested": "2021-06-07T13:08:32.781876600Z" }, "tags": [ "preserve_original_event" @@ -582,7 +582,7 @@ }, "message": "Dec 15 08:13:24 COS: restart : Received FC-\u003eQ map, caecat", "event": { - "ingested": "2021-06-01T14:56:52.713866100Z" + "ingested": "2021-06-07T13:08:32.781881400Z" }, "tags": [ "preserve_original_event" @@ -594,7 +594,7 @@ }, "message": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success", "event": { - "ingested": "2021-06-01T14:56:52.713870200Z" + "ingested": "2021-06-07T13:08:32.781886400Z" }, "tags": [ "preserve_original_event" @@ -606,7 +606,7 @@ }, "message": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)", "event": { - "ingested": "2021-06-01T14:56:52.713874500Z" + "ingested": "2021-06-07T13:08:32.781891200Z" }, "tags": [ "preserve_original_event" 
@@ -618,7 +618,7 @@ }, "message": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed", "event": { - "ingested": "2021-06-01T14:56:52.713878600Z" + "ingested": "2021-06-07T13:08:32.781896Z" }, "tags": [ "preserve_original_event" @@ -630,7 +630,7 @@ }, "message": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file", "event": { - "ingested": "2021-06-01T14:56:52.713882600Z" + "ingested": "2021-06-07T13:08:32.781900700Z" }, "tags": [ "preserve_original_event" @@ -642,7 +642,7 @@ }, "message": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown", "event": { - "ingested": "2021-06-01T14:56:52.713886700Z" + "ingested": "2021-06-07T13:08:32.781905700Z" }, "tags": [ "preserve_original_event" @@ -654,7 +654,7 @@ }, "message": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis", "event": { - "ingested": "2021-06-01T14:56:52.713890700Z" + "ingested": "2021-06-07T13:08:32.781910800Z" }, "tags": [ "preserve_original_event" @@ -666,7 +666,7 @@ }, "message": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur", "event": { - "ingested": "2021-06-01T14:56:52.713894900Z" + "ingested": "2021-06-07T13:08:32.781915700Z" }, "tags": [ "preserve_original_event" @@ -678,7 +678,7 @@ }, "message": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci", "event": { - "ingested": "2021-06-01T14:56:52.713899100Z" + "ingested": "2021-06-07T13:08:32.781920300Z" }, "tags": [ "preserve_original_event" 
@@ -690,7 +690,7 @@ }, "message": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal", "event": { - "ingested": "2021-06-01T14:56:52.713903300Z" + "ingested": "2021-06-07T13:08:32.781925Z" }, "tags": [ "preserve_original_event" @@ -702,7 +702,7 @@ }, "message": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure", "event": { - "ingested": "2021-06-01T14:56:52.713907300Z" + "ingested": "2021-06-07T13:08:32.781929500Z" }, "tags": [ "preserve_original_event" @@ -714,7 +714,7 @@ }, "message": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain", "event": { - "ingested": "2021-06-01T14:56:52.713911300Z" + "ingested": "2021-06-07T13:08:32.781933900Z" }, "tags": [ "preserve_original_event" @@ -726,7 +726,7 @@ }, "message": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown", "event": { - "ingested": "2021-06-01T14:56:52.713915400Z" + "ingested": "2021-06-07T13:08:32.781938200Z" }, "tags": [ "preserve_original_event" @@ -738,7 +738,7 @@ }, "message": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification", "event": { - "ingested": "2021-06-01T14:56:52.713920600Z" + "ingested": "2021-06-07T13:08:32.781942600Z" }, "tags": [ "preserve_original_event" @@ -750,7 +750,7 @@ }, "message": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal", "event": { - "ingested": "2021-06-01T14:56:52.713924800Z" + "ingested": "2021-06-07T13:08:32.781946700Z" }, "tags": [ "preserve_original_event" 
@@ -762,7 +762,7 @@ }, "message": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown", "event": { - "ingested": "2021-06-01T14:56:52.713928900Z" + "ingested": "2021-06-07T13:08:32.781950700Z" }, "tags": [ "preserve_original_event" @@ -774,7 +774,7 @@ }, "message": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere", "event": { - "ingested": "2021-06-01T14:56:52.713933Z" + "ingested": "2021-06-07T13:08:32.781954700Z" }, "tags": [ "preserve_original_event" @@ -786,7 +786,7 @@ }, "message": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593", "event": { - "ingested": "2021-06-01T14:56:52.713936800Z" + "ingested": "2021-06-07T13:08:32.781958700Z" }, "tags": [ "preserve_original_event" @@ -798,7 +798,7 @@ }, "message": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown", "event": { - "ingested": "2021-06-01T14:56:52.713940800Z" + "ingested": "2021-06-07T13:08:32.781972600Z" }, "tags": [ "preserve_original_event" @@ -810,7 +810,7 @@ }, "message": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success", "event": { - "ingested": "2021-06-01T14:56:52.713944600Z" + "ingested": "2021-06-07T13:08:32.781976900Z" }, "tags": [ "preserve_original_event" @@ -822,7 +822,7 @@ }, "message": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [", "event": { - "ingested": "2021-06-01T14:56:52.713948500Z" + "ingested": "2021-06-07T13:08:32.781981Z" }, "tags": [ "preserve_original_event" @@ -834,7 +834,7 @@ }, "message": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID", "event": { - "ingested": "2021-06-01T14:56:52.713952500Z" + "ingested": "2021-06-07T13:08:32.781985Z" }, "tags": [ "preserve_original_event" 
@@ -846,7 +846,7 @@ }, "message": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694", "event": { - "ingested": "2021-06-01T14:56:52.713956200Z" + "ingested": "2021-06-07T13:08:32.781990100Z" }, "tags": [ "preserve_original_event" @@ -858,7 +858,7 @@ }, "message": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita", "event": { - "ingested": "2021-06-01T14:56:52.713960Z" + "ingested": "2021-06-07T13:08:32.781994100Z" }, "tags": [ "preserve_original_event" @@ -870,7 +870,7 @@ }, "message": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing", "event": { - "ingested": "2021-06-01T14:56:52.713993400Z" + "ingested": "2021-06-07T13:08:32.781998400Z" }, "tags": [ "preserve_original_event" @@ -882,7 +882,7 @@ }, "message": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure", "event": { - "ingested": "2021-06-01T14:56:52.713999600Z" + "ingested": "2021-06-07T13:08:32.782002400Z" }, "tags": [ "preserve_original_event" @@ -894,7 +894,7 @@ }, "message": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown", "event": { - "ingested": "2021-06-01T14:56:52.714005500Z" + "ingested": "2021-06-07T13:08:32.782007100Z" }, "tags": [ "preserve_original_event" @@ -906,7 +906,7 @@ }, "message": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host", "event": { - "ingested": "2021-06-01T14:56:52.714009900Z" + "ingested": "2021-06-07T13:08:32.782011100Z" }, "tags": [ "preserve_original_event" @@ -918,7 +918,7 @@ }, "message": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen", "event": { - "ingested": "2021-06-01T14:56:52.714013700Z" + "ingested": "2021-06-07T13:08:32.782015600Z" }, "tags": [ "preserve_original_event" 
@@ -930,7 +930,7 @@ }, "message": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch", "event": { - "ingested": "2021-06-01T14:56:52.714017400Z" + "ingested": "2021-06-07T13:08:32.782026600Z" }, "tags": [ "preserve_original_event" @@ -942,7 +942,7 @@ }, "message": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown", "event": { - "ingested": "2021-06-01T14:56:52.714021200Z" + "ingested": "2021-06-07T13:08:32.782030700Z" }, "tags": [ "preserve_original_event" @@ -954,7 +954,7 @@ }, "message": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339", "event": { - "ingested": "2021-06-01T14:56:52.714025Z" + "ingested": "2021-06-07T13:08:32.782034700Z" }, "tags": [ "preserve_original_event" @@ -966,7 +966,7 @@ }, "message": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex", "event": { - "ingested": "2021-06-01T14:56:52.714028600Z" + "ingested": "2021-06-07T13:08:32.782038800Z" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ }, "message": "Apr 1 00:38:14 /kmd: ", "event": { - "ingested": "2021-06-01T14:56:52.714032400Z" + "ingested": "2021-06-07T13:08:32.782042700Z" }, "tags": [ "preserve_original_event" @@ -990,7 +990,7 @@ }, "message": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown", "event": { - "ingested": "2021-06-01T14:56:52.714036400Z" + "ingested": "2021-06-07T13:08:32.782046700Z" }, "tags": [ "preserve_original_event" @@ -1002,7 +1002,7 @@ }, "message": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success", "event": { - "ingested": "2021-06-01T14:56:52.714040900Z" + "ingested": "2021-06-07T13:08:32.782050800Z" }, "tags": [ "preserve_original_event" 
@@ -1014,7 +1014,7 @@ }, "message": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully", "event": { - "ingested": "2021-06-01T14:56:52.714046Z" + "ingested": "2021-06-07T13:08:32.782054700Z" }, "tags": [ "preserve_original_event" @@ -1026,7 +1026,7 @@ }, "message": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success", "event": { - "ingested": "2021-06-01T14:56:52.714050500Z" + "ingested": "2021-06-07T13:08:32.782059800Z" }, "tags": [ "preserve_original_event" @@ -1038,7 +1038,7 @@ }, "message": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'", "event": { - "ingested": "2021-06-01T14:56:52.714054500Z" + "ingested": "2021-06-07T13:08:32.782064Z" }, "tags": [ "preserve_original_event" @@ -1050,7 +1050,7 @@ }, "message": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server", "event": { - "ingested": "2021-06-01T14:56:52.714058500Z" + "ingested": "2021-06-07T13:08:32.782068500Z" }, "tags": [ "preserve_original_event" @@ -1062,7 +1062,7 @@ }, "message": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace\u003e BCHIP: : cannot write ucode mask reg", "event": { - "ingested": "2021-06-01T14:56:52.714062500Z" + "ingested": "2021-06-07T13:08:32.782072400Z" }, "tags": [ "preserve_original_event" @@ -1074,7 +1074,7 @@ }, "message": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown", "event": { - "ingested": "2021-06-01T14:56:52.714066300Z" + "ingested": "2021-06-07T13:08:32.782076200Z" }, "tags": [ "preserve_original_event" 
@@ -1086,7 +1086,7 @@ }, "message": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'", "event": { - "ingested": "2021-06-01T14:56:52.714070200Z" + "ingested": "2021-06-07T13:08:32.782079900Z" }, "tags": [ "preserve_original_event" @@ -1098,7 +1098,7 @@ }, "message": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure", "event": { - "ingested": "2021-06-01T14:56:52.714073900Z" + "ingested": "2021-06-07T13:08:32.782083500Z" }, "tags": [ "preserve_original_event" @@ -1110,7 +1110,7 @@ }, "message": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success", "event": { - "ingested": "2021-06-01T14:56:52.714077800Z" + "ingested": "2021-06-07T13:08:32.782087200Z" }, "tags": [ "preserve_original_event" @@ -1122,7 +1122,7 @@ }, "message": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure", "event": { - "ingested": "2021-06-01T14:56:52.714081600Z" + "ingested": "2021-06-07T13:08:32.782091100Z" }, "tags": [ "preserve_original_event" @@ -1134,7 +1134,7 @@ }, "message": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse", "event": { - "ingested": "2021-06-01T14:56:52.714085300Z" + "ingested": "2021-06-07T13:08:32.782095300Z" }, "tags": [ "preserve_original_event" @@ -1146,7 +1146,7 @@ }, "message": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success", "event": { - "ingested": "2021-06-01T14:56:52.714089100Z" + "ingested": "2021-06-07T13:08:32.782099600Z" }, "tags": [ "preserve_original_event" @@ -1158,7 +1158,7 @@ }, "message": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown", "event": { - "ingested": "2021-06-01T14:56:52.714093800Z" + "ingested": "2021-06-07T13:08:32.782103500Z" }, "tags": [ "preserve_original_event" 
@@ -1170,7 +1170,7 @@ }, "message": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed", "event": { - "ingested": "2021-06-01T14:56:52.714098100Z" + "ingested": "2021-06-07T13:08:32.782107200Z" }, "tags": [ "preserve_original_event" @@ -1182,7 +1182,7 @@ }, "message": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193", "event": { - "ingested": "2021-06-01T14:56:52.714101800Z" + "ingested": "2021-06-07T13:08:32.782111200Z" }, "tags": [ "preserve_original_event" @@ -1194,7 +1194,7 @@ }, "message": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure", "event": { - "ingested": "2021-06-01T14:56:52.714105600Z" + "ingested": "2021-06-07T13:08:32.782115500Z" }, "tags": [ "preserve_original_event" diff --git a/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs index 59f3b2ae486..b1caf9962e9 100644 --- a/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs +++ b/packages/juniper/data_stream/junos/agent/stream/stream.yml.hbs @@ -21,6 +21,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs index b93246a0915..479da42527f 100644 --- a/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs +++ b/packages/juniper/data_stream/junos/agent/stream/tcp.yml.hbs @@ -18,6 +18,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs index 752928a3b3b..6bf15e01782 100644 
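Review bot: The `{{processors}}` block in stream.yml.hbs is spliced in verbatim ahead of the package's own `- script:` processor, so whatever the user supplies runs before the JavaScript decoder and can drop or rewrite `message` (a `drop_fields` or `rename` on it, for instance) before the script and the ingest pipeline ever see it; that ordering is what "before the logs are parsed" means and it should be spelled out where the variable is documented. The indentation of the existing `- script:` item is not visible on this collapsed line, but if it is indented the user's pasted list must use the same indentation or YAML will reject or misparse the combined sequence, which is worth a template comment such as `{{! user-supplied processors must use the same list indentation as the script item below }}`. The identical change is made to tcp.yml.hbs and udp.yml.hbs, so whatever comment or indentation convention is settled on should be applied to all three.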
--- a/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs +++ b/packages/juniper/data_stream/junos/agent/stream/udp.yml.hbs @@ -18,6 +18,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/juniper/data_stream/junos/manifest.yml b/packages/juniper/data_stream/junos/manifest.yml index 5509ab4e801..8960964b3aa 100644 --- a/packages/juniper/data_stream/junos/manifest.yml +++ b/packages/juniper/data_stream/junos/manifest.yml @@ -12,7 +12,7 @@ streams: title: Tags multi: true required: true - show_user: true + show_user: false default: - juniper-junos - forwarded @@ -62,6 +62,14 @@ streams: type: bool multi: false default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - input: tcp title: Juniper JUNOS logs description: Collect Juniper JUNOS logs @@ -72,7 +80,7 @@ streams: title: Tags multi: true required: true - show_user: true + show_user: false default: - juniper-junos - forwarded @@ -122,6 +130,14 @@ streams: type: bool multi: false default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - input: logfile enabled: false title: Juniper JUNOS logs 
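Review bot: The new `processors` variable in manifest.yml (`@@ -62,6 +62,14 @@` and the matching tcp block) does not say what privilege it grants: the stream templates in this same patch run a `- script:` processor with `lang: javascript`, so anyone who can edit this integration policy can supply a `script` processor of their own and execute arbitrary JavaScript inside every agent the policy is assigned to. That is inherent to agent-side processors rather than new to this commit, but the description is the only place an operator sees it, so append something like `Processors run inside the Elastic Agent process with its privileges and may include a script processor; restrict who can edit this policy.` The description should also state the expected shape, a YAML list of processor entries, since `type: yaml` alone does not say so and `show_user: false` hides the field from the default form. Keep the three copies of this block identical so the caveat lands on the udp, tcp and logfile inputs alike.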
@@ -140,7 +156,7 @@ streams: title: Tags multi: true required: true - show_user: true + show_user: false default: - juniper-junos - forwarded @@ -176,3 +192,11 @@ streams: type: bool multi: false default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json index f811804c072..c82594c80d4 100644 --- a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json +++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json @@ -6,7 +6,7 @@ }, "message": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)", "event": { - "ingested": "2021-06-01T14:56:53.447099400Z" + "ingested": "2021-06-07T13:08:33.483546300Z" }, "tags": [ "preserve_original_event" @@ -18,7 +18,7 @@ }, "message": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)", "event": { - "ingested": "2021-06-01T14:56:53.447149900Z" + "ingested": "2021-06-07T13:08:33.483566100Z" }, "tags": [ "preserve_original_event" 
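Review bot: The last hunk of manifest.yml (`@@ -176,3 +192,11 @@`) leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows, while the earlier hunks of the same file were unaffected; end the appended `description` block with a newline so the next append diffs cleanly and package lint tooling does not flag the file. This is the logfile input's copy of the `processors` variable, so the same wording chosen for the udp and tcp copies should be used here.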
@@ -30,7 +30,7 @@ }, "message": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)", "event": { - "ingested": "2021-06-01T14:56:53.447167300Z" + "ingested": "2021-06-07T13:08:33.483591300Z" }, "tags": [ "preserve_original_event" @@ -42,7 +42,7 @@ }, "message": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect", "event": { - "ingested": "2021-06-01T14:56:53.447174700Z" + "ingested": "2021-06-07T13:08:33.483598400Z" }, "tags": [ "preserve_original_event" @@ -54,7 +54,7 @@ }, "message": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)", "event": { - "ingested": "2021-06-01T14:56:53.447179600Z" + "ingested": "2021-06-07T13:08:33.483603200Z" }, "tags": [ "preserve_original_event" @@ -66,7 +66,7 @@ }, "message": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .", "event": { - "ingested": "2021-06-01T14:56:53.447183400Z" + "ingested": "2021-06-07T13:08:33.483607300Z" }, "tags": [ "preserve_original_event" @@ -78,7 +78,7 @@ }, "message": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)", "event": { - "ingested": "2021-06-01T14:56:53.447186900Z" + "ingested": "2021-06-07T13:08:33.483611700Z" }, "tags": [ "preserve_original_event" @@ -90,7 +90,7 @@ }, "message": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated", "event": { - "ingested": "2021-06-01T14:56:53.447190800Z" + "ingested": "2021-06-07T13:08:33.483615400Z" }, "tags": [ "preserve_original_event" 
@@ -102,7 +102,7 @@ }, "message": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)", "event": { - "ingested": "2021-06-01T14:56:53.447194600Z" + "ingested": "2021-06-07T13:08:33.483634400Z" }, "tags": [ "preserve_original_event" @@ -114,7 +114,7 @@ }, "message": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu", "event": { - "ingested": "2021-06-01T14:56:53.447198700Z" + "ingested": "2021-06-07T13:08:33.483641Z" }, "tags": [ "preserve_original_event" @@ -126,7 +126,7 @@ }, "message": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet", "event": { - "ingested": "2021-06-01T14:56:53.447202400Z" + "ingested": "2021-06-07T13:08:33.483645500Z" }, "tags": [ "preserve_original_event" @@ -138,7 +138,7 @@ }, "message": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74", "event": { - "ingested": "2021-06-01T14:56:53.447206400Z" + "ingested": "2021-06-07T13:08:33.483650Z" }, "tags": [ "preserve_original_event" @@ -150,7 +150,7 @@ }, "message": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)", "event": { - "ingested": "2021-06-01T14:56:53.447209900Z" + "ingested": "2021-06-07T13:08:33.483654Z" }, "tags": [ "preserve_original_event" @@ -162,7 +162,7 @@ }, "message": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)", "event": { - "ingested": "2021-06-01T14:56:53.447213200Z" + "ingested": "2021-06-07T13:08:33.483658400Z" }, "tags": [ "preserve_original_event" 
@@ -174,7 +174,7 @@ }, "message": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175", "event": { - "ingested": "2021-06-01T14:56:53.447253500Z" + "ingested": "2021-06-07T13:08:33.483661900Z" }, "tags": [ "preserve_original_event" @@ -186,7 +186,7 @@ }, "message": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.", "event": { - "ingested": "2021-06-01T14:56:53.447261900Z" + "ingested": "2021-06-07T13:08:33.483665600Z" }, "tags": [ "preserve_original_event" @@ -198,7 +198,7 @@ }, "message": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre", "event": { - "ingested": "2021-06-01T14:56:53.447267200Z" + "ingested": "2021-06-07T13:08:33.483671200Z" }, "tags": [ "preserve_original_event" @@ -210,7 +210,7 @@ }, "message": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese", "event": { - "ingested": "2021-06-01T14:56:53.447271400Z" + "ingested": "2021-06-07T13:08:33.483675100Z" }, "tags": [ "preserve_original_event" @@ -222,7 +222,7 @@ }, "message": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87", "event": { - "ingested": "2021-06-01T14:56:53.447275200Z" + "ingested": "2021-06-07T13:08:33.483678800Z" }, "tags": [ "preserve_original_event" @@ -234,7 +234,7 @@ }, "message": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)", "event": { - "ingested": "2021-06-01T14:56:53.447278900Z" + "ingested": "2021-06-07T13:08:33.483682500Z" }, "tags": [ "preserve_original_event" 
@@ -246,7 +246,7 @@ }, "message": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state", "event": { - "ingested": "2021-06-01T14:56:53.447282400Z" + "ingested": "2021-06-07T13:08:33.483686300Z" }, "tags": [ "preserve_original_event" @@ -258,7 +258,7 @@ }, "message": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added", "event": { - "ingested": "2021-06-01T14:56:53.447286Z" + "ingested": "2021-06-07T13:08:33.483690600Z" }, "tags": [ "preserve_original_event" @@ -270,7 +270,7 @@ }, "message": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu", "event": { - "ingested": "2021-06-01T14:56:53.447289700Z" + "ingested": "2021-06-07T13:08:33.483694700Z" }, "tags": [ "preserve_original_event" @@ -282,7 +282,7 @@ }, "message": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation", "event": { - "ingested": "2021-06-01T14:56:53.447293300Z" + "ingested": "2021-06-07T13:08:33.483698500Z" }, "tags": [ "preserve_original_event" @@ -294,7 +294,7 @@ }, "message": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51", "event": { - "ingested": "2021-06-01T14:56:53.447297500Z" + "ingested": "2021-06-07T13:08:33.483702500Z" }, "tags": [ "preserve_original_event" @@ -306,7 +306,7 @@ }, "message": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu", "event": { - "ingested": "2021-06-01T14:56:53.447301700Z" + "ingested": "2021-06-07T13:08:33.483706600Z" }, "tags": [ "preserve_original_event" 
@@ -318,7 +318,7 @@ }, "message": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883", "event": { - "ingested": "2021-06-01T14:56:53.447306700Z" + "ingested": "2021-06-07T13:08:33.483773900Z" }, "tags": [ "preserve_original_event" @@ -330,7 +330,7 @@ }, "message": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin", "event": { - "ingested": "2021-06-01T14:56:53.447313100Z" + "ingested": "2021-06-07T13:08:33.483781500Z" }, "tags": [ "preserve_original_event" @@ -342,7 +342,7 @@ }, "message": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid", "event": { - "ingested": "2021-06-01T14:56:53.447317600Z" + "ingested": "2021-06-07T13:08:33.483786800Z" }, "tags": [ "preserve_original_event" @@ -354,7 +354,7 @@ }, "message": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed", "event": { - "ingested": "2021-06-01T14:56:53.447321800Z" + "ingested": "2021-06-07T13:08:33.483791400Z" }, "tags": [ "preserve_original_event" @@ -366,7 +366,7 @@ }, "message": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)", "event": { - "ingested": "2021-06-01T14:56:53.447325800Z" + "ingested": "2021-06-07T13:08:33.483795800Z" }, "tags": [ "preserve_original_event" @@ -378,7 +378,7 @@ }, "message": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru", "event": { - "ingested": "2021-06-01T14:56:53.447330100Z" + "ingested": "2021-06-07T13:08:33.483800400Z" }, "tags": [ "preserve_original_event" 
@@ -390,7 +390,7 @@ }, "message": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations", "event": { - "ingested": "2021-06-01T14:56:53.447334600Z" + "ingested": "2021-06-07T13:08:33.483804400Z" }, "tags": [ "preserve_original_event" @@ -402,7 +402,7 @@ }, "message": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita", "event": { - "ingested": "2021-06-01T14:56:53.447338500Z" + "ingested": "2021-06-07T13:08:33.483808400Z" }, "tags": [ "preserve_original_event" @@ -414,7 +414,7 @@ }, "message": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.", "event": { - "ingested": "2021-06-01T14:56:53.447342800Z" + "ingested": "2021-06-07T13:08:33.483812900Z" }, "tags": [ "preserve_original_event" @@ -426,7 +426,7 @@ }, "message": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable", "event": { - "ingested": "2021-06-01T14:56:53.447346700Z" + "ingested": "2021-06-07T13:08:33.483817300Z" }, "tags": [ "preserve_original_event" @@ -438,7 +438,7 @@ }, "message": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.", "event": { - "ingested": "2021-06-01T14:56:53.447350400Z" + "ingested": "2021-06-07T13:08:33.483821600Z" }, "tags": [ "preserve_original_event" 
@@ -450,7 +450,7 @@ }, "message": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.", "event": { - "ingested": "2021-06-01T14:56:53.447354400Z" + "ingested": "2021-06-07T13:08:33.483825400Z" }, "tags": [ "preserve_original_event" @@ -462,7 +462,7 @@ }, "message": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo", "event": { - "ingested": "2021-06-01T14:56:53.447358700Z" + "ingested": "2021-06-07T13:08:33.483829200Z" }, "tags": [ "preserve_original_event" @@ -474,7 +474,7 @@ }, "message": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)", "event": { - "ingested": "2021-06-01T14:56:53.447362600Z" + "ingested": "2021-06-07T13:08:33.483832900Z" }, "tags": [ "preserve_original_event" @@ -486,7 +486,7 @@ }, "message": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)", "event": { - "ingested": "2021-06-01T14:56:53.447366Z" + "ingested": "2021-06-07T13:08:33.483837400Z" }, "tags": [ "preserve_original_event" @@ -498,7 +498,7 @@ }, "message": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)", "event": { - "ingested": "2021-06-01T14:56:53.447371600Z" + "ingested": "2021-06-07T13:08:33.483841800Z" }, "tags": [ "preserve_original_event" 
@@ -510,7 +510,7 @@ }, "message": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51", "event": { - "ingested": "2021-06-01T14:56:53.447375200Z" + "ingested": "2021-06-07T13:08:33.483845900Z" }, "tags": [ "preserve_original_event" @@ -522,7 +522,7 @@ }, "message": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu \u003e nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)\u003c\u003ccolabori\u003e", "event": { - "ingested": "2021-06-01T14:56:53.447378800Z" + "ingested": "2021-06-07T13:08:33.483852Z" }, "tags": [ "preserve_original_event" @@ -534,7 +534,7 @@ }, "message": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe", "event": { - "ingested": "2021-06-01T14:56:53.447382300Z" + "ingested": "2021-06-07T13:08:33.483856100Z" }, "tags": [ "preserve_original_event" @@ -546,7 +546,7 @@ }, "message": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .", "event": { - "ingested": "2021-06-01T14:56:53.447385800Z" + "ingested": "2021-06-07T13:08:33.483860900Z" }, "tags": [ "preserve_original_event" @@ -558,7 +558,7 @@ }, "message": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)", "event": { - "ingested": "2021-06-01T14:56:53.447390200Z" + "ingested": "2021-06-07T13:08:33.483864800Z" }, "tags": [ "preserve_original_event" @@ -570,7 +570,7 @@ }, "message": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.", "event": { - "ingested": "2021-06-01T14:56:53.447393900Z" + "ingested": "2021-06-07T13:08:33.483868700Z" }, "tags": [ "preserve_original_event" 
@@ -582,7 +582,7 @@ }, "message": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima", "event": { - "ingested": "2021-06-01T14:56:53.447397400Z" + "ingested": "2021-06-07T13:08:33.483872400Z" }, "tags": [ "preserve_original_event" @@ -594,7 +594,7 @@ }, "message": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)", "event": { - "ingested": "2021-06-01T14:56:53.447401Z" + "ingested": "2021-06-07T13:08:33.483876500Z" }, "tags": [ "preserve_original_event" @@ -606,7 +606,7 @@ }, "message": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)", "event": { - "ingested": "2021-06-01T14:56:53.447404600Z" + "ingested": "2021-06-07T13:08:33.483880400Z" }, "tags": [ "preserve_original_event" @@ -618,7 +618,7 @@ }, "message": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)", "event": { - "ingested": "2021-06-01T14:56:53.447408300Z" + "ingested": "2021-06-07T13:08:33.483884Z" }, "tags": [ "preserve_original_event" @@ -630,7 +630,7 @@ }, "message": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.", "event": { - "ingested": "2021-06-01T14:56:53.447411900Z" + "ingested": "2021-06-07T13:08:33.483887600Z" }, "tags": [ "preserve_original_event" @@ -642,7 +642,7 @@ }, "message": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266", "event": { - "ingested": "2021-06-01T14:56:53.447415600Z" + "ingested": "2021-06-07T13:08:33.483891200Z" }, "tags": [ "preserve_original_event" 
@@ -654,7 +654,7 @@ }, "message": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)", "event": { - "ingested": "2021-06-01T14:56:53.447419Z" + "ingested": "2021-06-07T13:08:33.483894800Z" }, "tags": [ "preserve_original_event" @@ -666,7 +666,7 @@ }, "message": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)", "event": { - "ingested": "2021-06-01T14:56:53.447422400Z" + "ingested": "2021-06-07T13:08:33.483898600Z" }, "tags": [ "preserve_original_event" @@ -678,7 +678,7 @@ }, "message": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added", "event": { - "ingested": "2021-06-01T14:56:53.447425900Z" + "ingested": "2021-06-07T13:08:33.483902600Z" }, "tags": [ "preserve_original_event" @@ -690,7 +690,7 @@ }, "message": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-\u003e untrust-vr: exer", "event": { - "ingested": "2021-06-01T14:56:53.447429400Z" + "ingested": "2021-06-07T13:08:33.483906200Z" }, "tags": [ "preserve_original_event" @@ -702,7 +702,7 @@ }, "message": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat", "event": { - "ingested": "2021-06-01T14:56:53.447433100Z" + "ingested": "2021-06-07T13:08:33.483909800Z" }, "tags": [ "preserve_original_event" 
@@ -714,7 +714,7 @@ }, "message": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)", "event": { - "ingested": "2021-06-01T14:56:53.447436900Z" + "ingested": "2021-06-07T13:08:33.483913400Z" }, "tags": [ "preserve_original_event" @@ -726,7 +726,7 @@ }, "message": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list", "event": { - "ingested": "2021-06-01T14:56:53.447440600Z" + "ingested": "2021-06-07T13:08:33.483916900Z" }, "tags": [ "preserve_original_event" @@ -738,7 +738,7 @@ }, "message": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)", "event": { - "ingested": "2021-06-01T14:56:53.447444400Z" + "ingested": "2021-06-07T13:08:33.483920600Z" }, "tags": [ "preserve_original_event" @@ -750,7 +750,7 @@ }, "message": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times", "event": { - "ingested": "2021-06-01T14:56:53.447448Z" + "ingested": "2021-06-07T13:08:33.483924800Z" }, "tags": [ "preserve_original_event" @@ -762,7 +762,7 @@ }, "message": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110", "event": { - "ingested": "2021-06-01T14:56:53.447451500Z" + "ingested": "2021-06-07T13:08:33.483928500Z" }, "tags": [ "preserve_original_event" 
@@ -774,7 +774,7 @@ }, "message": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)", "event": { - "ingested": "2021-06-01T14:56:53.447455Z" + "ingested": "2021-06-07T13:08:33.483932Z" }, "tags": [ "preserve_original_event" @@ -786,7 +786,7 @@ }, "message": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica", "event": { - "ingested": "2021-06-01T14:56:53.447458500Z" + "ingested": "2021-06-07T13:08:33.483935500Z" }, "tags": [ "preserve_original_event" @@ -798,7 +798,7 @@ }, "message": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi", "event": { - "ingested": "2021-06-01T14:56:53.447462300Z" + "ingested": "2021-06-07T13:08:33.483939100Z" }, "tags": [ "preserve_original_event" @@ -810,7 +810,7 @@ }, "message": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)", "event": { - "ingested": "2021-06-01T14:56:53.447466100Z" + "ingested": "2021-06-07T13:08:33.483943800Z" }, "tags": [ "preserve_original_event" @@ -822,7 +822,7 @@ }, "message": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.", "event": { - "ingested": "2021-06-01T14:56:53.447470Z" + "ingested": "2021-06-07T13:08:33.483948100Z" }, "tags": [ "preserve_original_event" @@ -834,7 +834,7 @@ }, "message": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna", "event": { - "ingested": "2021-06-01T14:56:53.447473500Z" + "ingested": "2021-06-07T13:08:33.483951700Z" }, "tags": [ "preserve_original_event" 
@@ -846,7 +846,7 @@ }, "message": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan", "event": { - "ingested": "2021-06-01T14:56:53.447481Z" + "ingested": "2021-06-07T13:08:33.483955300Z" }, "tags": [ "preserve_original_event" @@ -858,7 +858,7 @@ }, "message": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure", "event": { - "ingested": "2021-06-01T14:56:53.447485400Z" + "ingested": "2021-06-07T13:08:33.483959Z" }, "tags": [ "preserve_original_event" @@ -870,7 +870,7 @@ }, "message": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)", "event": { - "ingested": "2021-06-01T14:56:53.447489Z" + "ingested": "2021-06-07T13:08:33.483963800Z" }, "tags": [ "preserve_original_event" @@ -882,7 +882,7 @@ }, "message": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success", "event": { - "ingested": "2021-06-01T14:56:53.447492900Z" + "ingested": "2021-06-07T13:08:33.483995600Z" }, "tags": [ "preserve_original_event" @@ -894,7 +894,7 @@ }, "message": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state", "event": { - "ingested": "2021-06-01T14:56:53.447496800Z" + "ingested": "2021-06-07T13:08:33.484002200Z" }, "tags": [ "preserve_original_event" @@ -906,7 +906,7 @@ }, "message": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding", "event": { - "ingested": "2021-06-01T14:56:53.447500600Z" + "ingested": "2021-06-07T13:08:33.484006700Z" }, "tags": [ "preserve_original_event" 
@@ -918,7 +918,7 @@ }, "message": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065", "event": { - "ingested": "2021-06-01T14:56:53.447504500Z" + "ingested": "2021-06-07T13:08:33.484010800Z" }, "tags": [ "preserve_original_event" @@ -930,7 +930,7 @@ }, "message": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)", "event": { - "ingested": "2021-06-01T14:56:53.447511Z" + "ingested": "2021-06-07T13:08:33.484015Z" }, "tags": [ "preserve_original_event" @@ -942,7 +942,7 @@ }, "message": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted", "event": { - "ingested": "2021-06-01T14:56:53.447516500Z" + "ingested": "2021-06-07T13:08:33.484018700Z" }, "tags": [ "preserve_original_event" @@ -954,7 +954,7 @@ }, "message": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.", "event": { - "ingested": "2021-06-01T14:56:53.447520100Z" + "ingested": "2021-06-07T13:08:33.484022600Z" }, "tags": [ "preserve_original_event" @@ -966,7 +966,7 @@ }, "message": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)", "event": { - "ingested": "2021-06-01T14:56:53.447523700Z" + "ingested": "2021-06-07T13:08:33.484026900Z" }, "tags": [ "preserve_original_event" @@ -978,7 +978,7 @@ }, "message": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun", "event": { - "ingested": "2021-06-01T14:56:53.447527300Z" + "ingested": "2021-06-07T13:08:33.484030500Z" }, "tags": [ "preserve_original_event" 
@@ -990,7 +990,7 @@ }, "message": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)", "event": { - "ingested": "2021-06-01T14:56:53.447531Z" + "ingested": "2021-06-07T13:08:33.484034200Z" }, "tags": [ "preserve_original_event" @@ -1002,7 +1002,7 @@ }, "message": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)", "event": { - "ingested": "2021-06-01T14:56:53.447534600Z" + "ingested": "2021-06-07T13:08:33.484037800Z" }, "tags": [ "preserve_original_event" @@ -1014,7 +1014,7 @@ }, "message": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success", "event": { - "ingested": "2021-06-01T14:56:53.447538200Z" + "ingested": "2021-06-07T13:08:33.484041500Z" }, "tags": [ "preserve_original_event" @@ -1026,7 +1026,7 @@ }, "message": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31)", "event": { - "ingested": "2021-06-01T14:56:53.447542100Z" + "ingested": "2021-06-07T13:08:33.484045200Z" }, "tags": [ "preserve_original_event" @@ -1038,7 +1038,7 @@ }, "message": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA", "event": { - "ingested": "2021-06-01T14:56:53.447545500Z" + "ingested": "2021-06-07T13:08:33.484049400Z" }, "tags": [ "preserve_original_event" @@ -1050,7 +1050,7 @@ }, "message": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed", "event": { - "ingested": "2021-06-01T14:56:53.447549100Z" + "ingested": "2021-06-07T13:08:33.484053Z" }, "tags": [ "preserve_original_event" 
@@ -1062,7 +1062,7 @@ }, "message": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae", "event": { - "ingested": "2021-06-01T14:56:53.447552700Z" + "ingested": "2021-06-07T13:08:33.484056600Z" }, "tags": [ "preserve_original_event" @@ -1074,7 +1074,7 @@ }, "message": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!", "event": { - "ingested": "2021-06-01T14:56:53.447556800Z" + "ingested": "2021-06-07T13:08:33.484060200Z" }, "tags": [ "preserve_original_event" @@ -1086,7 +1086,7 @@ }, "message": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA", "event": { - "ingested": "2021-06-01T14:56:53.447560300Z" + "ingested": "2021-06-07T13:08:33.484063700Z" }, "tags": [ "preserve_original_event" @@ -1098,7 +1098,7 @@ }, "message": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)", "event": { - "ingested": "2021-06-01T14:56:53.447563800Z" + "ingested": "2021-06-07T13:08:33.484070700Z" }, "tags": [ "preserve_original_event" @@ -1110,7 +1110,7 @@ }, "message": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59", "event": { - "ingested": "2021-06-01T14:56:53.447567200Z" + "ingested": "2021-06-07T13:08:33.484076Z" }, "tags": [ "preserve_original_event" @@ -1122,7 +1122,7 @@ }, "message": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA", "event": { - "ingested": "2021-06-01T14:56:53.447570500Z" + "ingested": "2021-06-07T13:08:33.484079900Z" }, "tags": [ "preserve_original_event" 
@@ -1134,7 +1134,7 @@ }, "message": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)", "event": { - "ingested": "2021-06-01T14:56:53.447574100Z" + "ingested": "2021-06-07T13:08:33.484083900Z" }, "tags": [ "preserve_original_event" @@ -1146,7 +1146,7 @@ }, "message": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed", "event": { - "ingested": "2021-06-01T14:56:53.447577700Z" + "ingested": "2021-06-07T13:08:33.484087700Z" }, "tags": [ "preserve_original_event" @@ -1158,7 +1158,7 @@ }, "message": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin", "event": { - "ingested": "2021-06-01T14:56:53.447581300Z" + "ingested": "2021-06-07T13:08:33.484091400Z" }, "tags": [ "preserve_original_event" @@ -1170,7 +1170,7 @@ }, "message": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)", "event": { - "ingested": "2021-06-01T14:56:53.447584600Z" + "ingested": "2021-06-07T13:08:33.484095700Z" }, "tags": [ "preserve_original_event" @@ -1182,7 +1182,7 @@ }, "message": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)", "event": { - "ingested": "2021-06-01T14:56:53.447587900Z" + "ingested": "2021-06-07T13:08:33.484099400Z" }, "tags": [ "preserve_original_event" 
@@ -1194,7 +1194,7 @@ }, "message": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change", "event": { - "ingested": "2021-06-01T14:56:53.447591300Z" + "ingested": "2021-06-07T13:08:33.484103200Z" }, "tags": [ "preserve_original_event" diff --git a/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs index a57fa9d780a..8c66ed684a1 100644 --- a/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs +++ b/packages/juniper/data_stream/netscreen/agent/stream/logfile.yml.hbs @@ -21,6 +21,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs index 348f0421210..b6303cb4b3f 100644 --- a/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs +++ b/packages/juniper/data_stream/netscreen/agent/stream/tcp.yml.hbs @@ -18,6 +18,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs index 4508abca9a8..4350f5e4bed 100644 --- a/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs +++ b/packages/juniper/data_stream/netscreen/agent/stream/udp.yml.hbs @@ -18,6 +18,9 @@ publisher_pipeline.disable_host: true {{/contains}} processors: +{{#if processors}} +{{processors}} +{{/if}} - script: lang: javascript params: diff --git a/packages/juniper/data_stream/netscreen/manifest.yml b/packages/juniper/data_stream/netscreen/manifest.yml index 9c9f0e82666..6440670d417 100644 --- a/packages/juniper/data_stream/netscreen/manifest.yml 
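Review bot: `{{processors}}` is interpolated verbatim at column 0 directly under `processors:`, so the value has to already be a YAML sequence whose items start at column 0 to line up with the existing `- script:` entry; an indented or scalar value yields an invalid stream configuration rather than a clear error, and nothing in the template guards against that. Because the user-supplied block is placed ahead of the `script` processor (which, judging by the `lang: javascript` / `params:` context, is presumably the agent-side NetScreen parser), those processors see the raw syslog line and none of the fields the script sets, which is easy to get wrong when writing a `drop_fields` or `add_fields` step. I would put a Handlebars comment above the insert so the constraint is visible where it bites, e.g. `{{!-- user processors: must be a YAML list at column 0; inserted verbatim and run before the script processor below --}}`, assuming the template engine honours `{{!-- --}}` comments. The same three-line insert appears identically in the tcp.yml.hbs and udp.yml.hbs hunks on this line, so the comment would belong in all three.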
+++ b/packages/juniper/data_stream/netscreen/manifest.yml
@@ -12,7 +12,7 @@ streams:
 title: Tags
 multi: true
 required: true
- show_user: true
+ show_user: false
 default:
 - juniper-netscreen
 - forwarded
@@ -62,6 +62,14 @@ streams:
 type: bool
 multi: false
 default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 - input: tcp
 title: Netscreen logs
 description: Collect Netscreen logs
@@ -72,7 +80,7 @@ streams:
 title: Tags
 multi: true
 required: true
- show_user: true
+ show_user: false
 default:
 - juniper-netscreen
 - forwarded
@@ -122,6 +130,14 @@ streams:
 type: bool
 multi: false
 default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 - input: logfile
 enabled: false
 title: Netscreen logs
@@ -141,7 +157,7 @@ streams:
 title: Tags
 multi: true
 required: true
- show_user: true
+ show_user: false
 default:
 - juniper-netscreen
 - forwarded
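Review bot: The new `processors` option's description says what processors are for but not what shape the value must take, and because the stream templates splice it in verbatim a malformed value only fails later, at agent configuration time, with no hint pointing back to this field. I would extend the description with `The value must be a YAML list of processor definitions; it is inserted into the input configuration as-is and is not validated.` Since the list can contain any agent processor, including `script`, it would also be fair to state that whoever can edit this policy is trusted to run processing logic inside the agent; that is presumably the normal Fleet trust model rather than something this change introduces, but the option is new here. As a point of style, the ~300-character description sits on a single line inside a `>` folded scalar, which folds single line breaks into spaces, so it could be wrapped at about 80 columns with no change to the rendered text. Flipping `Tags` to `show_user: false` also hides the `forwarded` default, which per the `{{#contains}}` / `publisher_pipeline.disable_host` context in the stream templates controls host-field suppression; that looks intentional but deserves a sentence in the commit description.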
@@ -177,3 +193,11 @@ streams:
 type: bool
 multi: false
 default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
\ No newline at end of file
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
index 6cb03718256..bf99dc9693e 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
@@ -92,7 +92,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-01T14:56:54.719797800Z",
+ "ingested": "2021-06-07T13:08:34.678556200Z",
 "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]",
 "kind": "alert",
 "module": "juniper",
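Review bot: The added `description` line is now the last line of the manifest and the diff flags it with `\ No newline at end of file`; a trailing newline after `for details.` should be added so the file ends cleanly and the next edit to this block does not show up as a spurious change to this line. This is also the third verbatim copy of the eight-line `processors` variable in this manifest (the hunks at 62 and 130 add the same block), so any later fix to its wording has to be applied three times and the copies can drift; keeping the text short, or at least identical, limits that.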
@@ -155,7 +155,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:54.719836200Z", + "ingested": "2021-06-07T13:08:34.678574300Z", "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]", "kind": "alert", "module": "juniper", @@ -218,7 +218,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:56:54.719840500Z", + "ingested": "2021-06-07T13:08:34.678579200Z", "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]", "kind": "alert", "module": "juniper", 
@@ -323,7 +323,7 @@ }, "event": { "severity": 165, - "ingested": "2021-06-01T14:56:54.719843900Z", + "ingested": "2021-06-07T13:08:34.678583100Z", "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]", "kind": "event", "module": "juniper", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json index f839e80a97c..0de1d5ea74f 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json 
@@ -80,7 +80,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380098900Z", + "ingested": "2021-06-07T13:08:35.353179500Z", "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", 
@@ -165,7 +165,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380115700Z", + "ingested": "2021-06-07T13:08:35.353200900Z", "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", @@ -273,7 +273,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380119600Z", + "ingested": "2021-06-07T13:08:35.353206200Z", "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]", "kind": "event", "module": "juniper", @@ -415,7 +415,7 @@ "connection" ], "duration": 60000000000, - "ingested": "2021-06-01T14:56:55.380122900Z", + "ingested": "2021-06-07T13:08:35.353210300Z", "action": "flow_close", "end": "2014-05-01T08:29:10.933Z", "category": [ 
@@ -521,7 +521,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380125700Z", + "ingested": "2021-06-07T13:08:35.353214700Z", "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "module": "juniper", @@ -626,7 +626,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380128800Z", + "ingested": "2021-06-07T13:08:35.353218600Z", "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]", "kind": "event", "module": "juniper", @@ -752,7 +752,7 @@ "connection" ], "duration": 0, - "ingested": "2021-06-01T14:56:55.380131200Z", + "ingested": "2021-06-07T13:08:35.353222Z", "action": "flow_close", "end": "2010-09-30T06:55:07.188Z", "category": [ 
@@ -886,7 +886,7 @@ "connection" ], "duration": 1000000000, - "ingested": "2021-06-01T14:56:55.380133700Z", + "ingested": "2021-06-07T13:08:35.353225400Z", "action": "flow_close", "end": "2019-04-12T14:29:07.576Z", "category": [ @@ -995,7 +995,7 @@ "connection" ], "duration": 16000000000, - "ingested": "2021-06-01T14:56:55.380136300Z", + "ingested": "2021-06-07T13:08:35.353228800Z", "action": "flow_close", "end": "2019-04-13T14:33:22.576Z", "category": [ @@ -1140,7 +1140,7 @@ "connection" ], "duration": 8000000000, - "ingested": "2021-06-01T14:56:55.380139Z", + "ingested": "2021-06-07T13:08:35.353232200Z", "action": "flow_close", "end": "2018-10-07T01:32:28.898Z", "category": [ @@ -1267,7 +1267,7 @@ "connection" ], "duration": 3000000000, - "ingested": "2021-06-01T14:56:55.380141500Z", + "ingested": "2021-06-07T13:08:35.353235600Z", "action": "flow_close", "end": "2018-06-30T02:17:25.753Z", "category": [ @@ -1381,7 +1381,7 @@ "connection" ], "duration": 1000000000, - "ingested": "2021-06-01T14:56:55.380144200Z", + "ingested": "2021-06-07T13:08:35.353239300Z", "action": "flow_close", "end": "2015-09-25T14:19:54.846Z", "category": [ 
@@ -1501,7 +1501,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380146700Z", + "ingested": "2021-06-07T13:08:35.353242600Z", "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]", "kind": "event", "module": "juniper", @@ -1648,7 +1648,7 @@ "connection" ], "duration": 0, - "ingested": "2021-06-01T14:56:55.380149300Z", + "ingested": "2021-06-07T13:08:35.353246Z", "action": "flow_started", "end": "2013-01-19T15:18:17.040Z", "category": [ @@ -1790,7 +1790,7 @@ "connection" ], "duration": 1000000000, - "ingested": "2021-06-01T14:56:55.380151800Z", + "ingested": "2021-06-07T13:08:35.353249500Z", "action": "flow_close", "end": "2013-01-19T15:18:18.040Z", "category": [ @@ -1939,7 +1939,7 @@ "connection" ], "duration": 60000000000, - "ingested": "2021-06-01T14:56:55.380154600Z", + "ingested": "2021-06-07T13:08:35.353252900Z", "action": "flow_started", "end": "2013-01-19T15:19:18.040Z", "category": [ 
@@ -2071,7 +2071,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380157300Z", + "ingested": "2021-06-07T13:08:35.353256600Z", "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]", "kind": "event", "module": "juniper", @@ -2226,7 +2226,7 @@ "connection" ], "duration": 3000000000, - "ingested": "2021-06-01T14:56:55.380159900Z", + "ingested": "2021-06-07T13:08:35.353260Z", "action": "flow_close", "end": "2013-01-19T15:18:23.040Z", "category": [ 
@@ -2332,7 +2332,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380162700Z", + "ingested": "2021-06-07T13:08:35.353263700Z", "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]", "kind": "event", "module": "juniper", @@ -2416,7 +2416,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380165300Z", + "ingested": "2021-06-07T13:08:35.353267Z", "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]", "risk_score": 1.0, "kind": "event", 
@@ -2571,7 +2571,7 @@ "connection" ], "duration": 3000000000, - "ingested": "2021-06-01T14:56:55.380168500Z", + "ingested": "2021-06-07T13:08:35.353270400Z", "action": "flow_close", "end": "2020-01-19T15:18:23.040Z", "category": [ @@ -2700,7 +2700,7 @@ "connection" ], "duration": 60000000000, - "ingested": "2021-06-01T14:56:55.380171200Z", + "ingested": "2021-06-07T13:08:35.353273900Z", "action": "flow_started", "end": "2020-07-14T14:18:11.928Z", "category": [ @@ -2839,7 +2839,7 @@ "connection" ], "duration": 23755000000000, - "ingested": "2021-06-01T14:56:55.380190600Z", + "ingested": "2021-06-07T13:08:35.353277200Z", "action": "flow_close", "end": "2020-07-13T23:19:00.041Z", "category": [ @@ -2947,7 +2947,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:56:55.380194700Z", + "ingested": "2021-06-07T13:08:35.353281200Z", "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]", "risk_score": 1.0, "kind": "event", 
@@ -3085,7 +3085,7 @@ "connection" ], "duration": 3000000000, - "ingested": "2021-06-01T14:56:55.380197800Z", + "ingested": "2021-06-07T13:08:35.353284500Z", "action": "flow_close", "end": "2020-07-13T16:12:08.530Z", "category": [ diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json index f61ea596a32..9c6fa06bed2 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json @@ -120,7 +120,7 @@ "connection" ], "duration": 0, - "ingested": "2021-06-01T14:56:59.804998900Z", + "ingested": "2021-06-07T13:08:39.769798100Z", "action": "security_threat", "end": "2020-03-02T23:13:03.193Z", "category": [ @@ -251,7 +251,7 @@ "connection" ], "duration": 0, - "ingested": "2021-06-01T14:56:59.805012400Z", + "ingested": "2021-06-07T13:08:39.769815700Z", "action": "security_threat", "end": "2020-03-02T23:13:03.197Z", "category": [ @@ -374,7 +374,7 @@ "connection" ], "duration": 0, - "ingested": "2021-06-01T14:56:59.805016200Z", + "ingested": "2021-06-07T13:08:39.769819500Z", "action": "security_threat", "end": "2007-02-15T09:17:15.719Z", "category": [ @@ -497,7 +497,7 @@ "connection" ], "duration": 0, - "ingested": "2021-06-01T14:56:59.805019Z", + "ingested": "2021-06-07T13:08:39.769822500Z", "action": "security_threat", "end": "2017-10-12T21:55:55.792Z", "category": [ 
@@ -565,7 +565,7 @@ }, "event": { "severity": 165, - "ingested": "2021-06-01T14:56:59.805021500Z", + "ingested": "2021-06-07T13:08:39.769826100Z", "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]", "kind": "alert", "module": "juniper", @@ -663,7 +663,7 @@ }, "event": { "severity": 165, - "ingested": "2021-06-01T14:56:59.805024Z", + "ingested": "2021-06-07T13:08:39.769828900Z", "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "module": "juniper", 
@@ -761,7 +761,7 @@ }, "event": { "severity": 165, - "ingested": "2021-06-01T14:56:59.805027Z", + "ingested": "2021-06-07T13:08:39.769831800Z", "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]", "kind": "alert", "module": "juniper", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json index b8ac5d1fbb5..4c5762b420d 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json @@ -87,7 +87,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011143300Z", + "ingested": "2021-06-07T13:08:40.967672600Z", "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", 
@@ -160,7 +160,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011158900Z", + "ingested": "2021-06-07T13:08:40.967689600Z", "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -263,7 +263,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011162200Z", + "ingested": "2021-06-07T13:08:40.967693500Z", "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -366,7 +366,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011164800Z", + "ingested": "2021-06-07T13:08:40.967696800Z", "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", 
@@ -465,7 +465,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011167600Z", + "ingested": "2021-06-07T13:08:40.967700100Z", "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -567,7 +567,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011182500Z", + "ingested": "2021-06-07T13:08:40.967702700Z", "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -638,7 +638,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011187500Z", + "ingested": "2021-06-07T13:08:40.967705400Z", "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -734,7 +734,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011190700Z", + "ingested": "2021-06-07T13:08:40.967708600Z", "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", 
@@ -811,7 +811,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011193400Z", + "ingested": "2021-06-07T13:08:40.967711100Z", "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "module": "juniper", @@ -891,7 +891,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011196100Z", + "ingested": "2021-06-07T13:08:40.967713500Z", "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]", "kind": "alert", "module": "juniper", @@ -964,7 +964,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011198500Z", + "ingested": "2021-06-07T13:08:40.967716Z", "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", @@ -1037,7 +1037,7 @@ }, "event": { "severity": 11, - "ingested": "2021-06-01T14:57:01.011250100Z", + "ingested": "2021-06-07T13:08:40.967718800Z", "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]", "kind": "alert", "module": "juniper", 
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json index 53cdc37b1f9..2edca360067 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json @@ -80,7 +80,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:57:02.381526400Z", + "ingested": "2021-06-07T13:08:42.350489400Z", "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]", "kind": "alert", "module": "juniper", 
@@ -186,7 +186,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:57:02.381541200Z", + "ingested": "2021-06-07T13:08:42.350504300Z", "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]", "kind": "alert", "module": "juniper", diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json index 0012de98c80..7f930ee4ede 100644 --- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json +++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json @@ -78,7 +78,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705492600Z", + "ingested": "2021-06-07T13:08:42.672829200Z", "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", 
@@ -173,7 +173,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705506700Z", + "ingested": "2021-06-07T13:08:42.672842900Z", "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]", "kind": "event", "module": "juniper", @@ -264,7 +264,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705509700Z", + "ingested": "2021-06-07T13:08:42.672846Z", "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "module": "juniper", @@ -349,7 +349,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705544900Z", + "ingested": "2021-06-07T13:08:42.672873700Z", "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]", "kind": "event", "module": "juniper", 
@@ -414,7 +414,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705552600Z", + "ingested": "2021-06-07T13:08:42.672879800Z", "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]", "kind": "event", "module": "juniper", @@ -480,7 +480,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:57:02.705567400Z", + "ingested": "2021-06-07T13:08:42.672894900Z", "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", @@ -566,7 +566,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:57:02.705571500Z", + "ingested": "2021-06-07T13:08:42.672899600Z", "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]", "kind": "alert", "module": "juniper", 
@@ -662,7 +662,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705574500Z", + "ingested": "2021-06-07T13:08:42.672902600Z", "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]", "kind": "alert", "module": "juniper", @@ -756,7 +756,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705577100Z", + "ingested": "2021-06-07T13:08:42.672905Z", "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]", "kind": "alert", "module": "juniper", @@ -853,7 +853,7 @@ }, "event": { "severity": 14, - "ingested": "2021-06-01T14:57:02.705579400Z", + "ingested": "2021-06-07T13:08:42.672907800Z", "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]", "risk_score": 0.0, "kind": "event", 
@@ -948,7 +948,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705581700Z", + "ingested": "2021-06-07T13:08:42.672910100Z", "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]", "risk_score": 3.0, "kind": "alert", @@ -1042,7 +1042,7 @@ }, "event": { "severity": 12, - "ingested": "2021-06-01T14:57:02.705584Z", + "ingested": "2021-06-07T13:08:42.672912600Z", "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]", "kind": "event", "module": "juniper", diff --git a/packages/juniper/data_stream/srx/agent/stream/logfile.yml.hbs b/packages/juniper/data_stream/srx/agent/stream/logfile.yml.hbs index 49a10088a8a..9773f38e68e 100644 --- a/packages/juniper/data_stream/srx/agent/stream/logfile.yml.hbs +++ b/packages/juniper/data_stream/srx/agent/stream/logfile.yml.hbs @@ -14,4 +14,7 @@ tags: publisher_pipeline.disable_host: true {{/contains}} processors: - - add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +- add_locale: ~ 
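Review bot: The spliced `{{processors}}` value and the trailing `- add_locale: ~` both sit at column 0 under `processors:`, so the option only composes when the operator supplies a YAML sequence that itself starts at column 0; a mapping or an indented list would render a malformed stream config, and nothing in this template guards against that (the tcp and udp templates in this patch use the identical layout). Because the value is free-form YAML rendered verbatim into the agent configuration, the expected shape should be stated where the option is declared, for example appending to the option description: `The value must be a YAML list of processor definitions starting at column 0; it runs before add_locale.` Presumably Fleet compiles these templates without HTML escaping — worth confirming once with a processor config that contains quotes.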
diff --git a/packages/juniper/data_stream/srx/agent/stream/tcp.yml.hbs b/packages/juniper/data_stream/srx/agent/stream/tcp.yml.hbs index 2f09ef55729..824cc425d19 100644 --- a/packages/juniper/data_stream/srx/agent/stream/tcp.yml.hbs +++ b/packages/juniper/data_stream/srx/agent/stream/tcp.yml.hbs @@ -10,4 +10,7 @@ tags: publisher_pipeline.disable_host: true {{/contains}} processors: - - add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +- add_locale: ~ diff --git a/packages/juniper/data_stream/srx/agent/stream/udp.yml.hbs b/packages/juniper/data_stream/srx/agent/stream/udp.yml.hbs index 2f09ef55729..824cc425d19 100644 --- a/packages/juniper/data_stream/srx/agent/stream/udp.yml.hbs +++ b/packages/juniper/data_stream/srx/agent/stream/udp.yml.hbs @@ -10,4 +10,7 @@ tags: publisher_pipeline.disable_host: true {{/contains}} processors: - - add_locale: ~ +{{#if processors}} +{{processors}} +{{/if}} +- add_locale: ~ diff --git a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml index 693eaff6a0c..7a029828180 100644 --- a/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml +++ b/packages/juniper/data_stream/srx/elasticsearch/ingest_pipeline/default.yml @@ -296,7 +296,11 @@ processors: value: '{{destination.user.name}}' ignore_failure: true allow_duplicates: false - + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true on_failure: - set: field: error.message diff --git a/packages/juniper/data_stream/srx/manifest.yml b/packages/juniper/data_stream/srx/manifest.yml index 6fdcb15302b..c04ae5cbae6 100644 --- a/packages/juniper/data_stream/srx/manifest.yml +++ b/packages/juniper/data_stream/srx/manifest.yml 
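Review bot: The new `remove` of `event.original` carries `ignore_failure: true`, so if the `if` condition throws (for instance when `tags` is present but not a list, so `contains` cannot be evaluated as intended) the processor is skipped and the raw syslog payload stays in the document — the opposite of what an operator who left `preserve_original_event` unset asked for. `ignore_missing: true` already covers the no-field case, so dropping `ignore_failure: true` lets the existing `on_failure` handler record the problem in `error.message` instead of silently retaining the payload; if a fail-closed check is preferred, `if: "ctx?.tags == null || !(ctx.tags instanceof List) || !ctx.tags.contains('preserve_original_event')"` removes the field whenever the opt-in tag cannot be positively confirmed. The enclosing `processors:` list begins outside this hunk, so I could not verify that no later processor still reads `event.original`.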
@@ -25,7 +25,7 @@ streams: required: true show_user: false default: - - juniper.srx + - juniper-srx - forwarded - name: preserve_original_event required: true @@ -35,6 +35,14 @@ streams: type: bool multi: false default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. template_path: tcp.yml.hbs title: Juniper SRX logs description: Collect Juniper SRX logs via TCP @@ -61,7 +69,7 @@ streams: required: true show_user: false default: - - juniper.srx + - juniper-srx - forwarded - name: preserve_original_event required: true @@ -71,6 +79,14 @@ streams: type: bool multi: false default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. template_path: udp.yml.hbs title: Juniper SRX logs description: Collect Juniper SRX logs via UDP @@ -92,7 +108,7 @@ streams: required: true show_user: false default: - - juniper.srx + - juniper-srx - forwarded - name: preserve_original_event required: true 
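Review bot: Renaming the default tag from `juniper.srx` to `juniper-srx` in the three stream definitions changes a value that existing saved searches, dashboards and detection rules may filter on, yet the changelog entry added later in this series describes only the ECS update and the `event.original` option. The rename deserves its own changelog line naming the old value so users can update their filters, e.g. `- description: default stream tag renamed from juniper.srx to juniper-srx` with `type: breaking-change`. Policies created before the upgrade presumably keep the tag value they were saved with — confirm that, since it would mean both spellings coexist in the index for a while.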
@@ -102,6 +118,14 @@ streams: type: bool multi: false default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. template_path: logfile.yml.hbs title: Juniper SRX logs description: Read Juniper SRX logs from a file diff --git a/packages/juniper/manifest.yml b/packages/juniper/manifest.yml index abede298e5a..0aa4abcc085 100644 --- a/packages/juniper/manifest.yml +++ b/packages/juniper/manifest.yml @@ -1,14 +1,14 @@ format_version: 1.0.0 name: juniper title: Juniper -version: 0.5.2 +version: 1.0.0 description: Juniper Integration categories: ["network", "security"] release: experimental license: basic type: integration conditions: - kibana.version: "^7.9.0" + kibana.version: "^7.13.0" policy_templates: - name: juniper title: Juniper logs From 2d4f85ea4f4a53d803eede3a0aa80f3faf2218a4 Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Mon, 7 Jun 2021 15:09:21 +0200 Subject: [PATCH 5/6] linting --- packages/juniper/data_stream/junos/manifest.yml | 6 ++++-- packages/juniper/data_stream/netscreen/manifest.yml | 6 ++++-- packages/juniper/data_stream/srx/manifest.yml | 3 +++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/packages/juniper/data_stream/junos/manifest.yml b/packages/juniper/data_stream/junos/manifest.yml index 8960964b3aa..21a652b50e3 100644 --- a/packages/juniper/data_stream/junos/manifest.yml +++ b/packages/juniper/data_stream/junos/manifest.yml 
@@ -70,6 +70,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp title: Juniper JUNOS logs description: Collect Juniper JUNOS logs @@ -138,6 +139,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile enabled: false title: Juniper JUNOS logs @@ -198,5 +200,5 @@ streams: multi: false required: false show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/juniper/data_stream/netscreen/manifest.yml b/packages/juniper/data_stream/netscreen/manifest.yml index 6440670d417..c091c6e06ec 100644 --- a/packages/juniper/data_stream/netscreen/manifest.yml +++ b/packages/juniper/data_stream/netscreen/manifest.yml 
@@ -70,6 +70,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp title: Netscreen logs description: Collect Netscreen logs @@ -138,6 +139,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: logfile enabled: false title: Netscreen logs @@ -199,5 +201,5 @@ streams: multi: false required: false show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. \ No newline at end of file + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/juniper/data_stream/srx/manifest.yml b/packages/juniper/data_stream/srx/manifest.yml index c04ae5cbae6..b97bbc44d97 100644 --- a/packages/juniper/data_stream/srx/manifest.yml +++ b/packages/juniper/data_stream/srx/manifest.yml 
@@ -43,6 +43,7 @@ streams:
 show_user: false
 description: >
 Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
 template_path: tcp.yml.hbs
 title: Juniper SRX logs
 description: Collect Juniper SRX logs via TCP
@@ -87,6 +88,7 @@ streams:
 show_user: false
 description: >
 Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
 template_path: udp.yml.hbs
 title: Juniper SRX logs
 description: Collect Juniper SRX logs via UDP
@@ -126,6 +128,7 @@ streams:
 show_user: false
 description: >
 Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
 template_path: logfile.yml.hbs
 title: Juniper SRX logs
 description: Read Juniper SRX logs from a file
From 6f3c9a235ba3b2ea24796113d2658336a83ab053 Mon Sep 17 00:00:00 2001
From: Marius Iversen
Date: Wed, 9 Jun 2021 13:30:49 +0200
Subject: [PATCH 6/6] update version and linting
---
 packages/juniper/changelog.yml | 2 +-
 .../pipeline/test-generated.log-expected.json | 200 +++++++++---------
 .../pipeline/test-generated.log-expected.json | 200 +++++++++---------
 .../test/pipeline/test-atp.log-expected.json | 8 +-
 .../test/pipeline/test-flow.log-expected.json | 50 ++---
 .../test/pipeline/test-idp.log-expected.json | 14 +-
 .../test/pipeline/test-ids.log-expected.json | 24 +--
 .../pipeline/test-secintel.log-expected.json | 4 +-
 .../test/pipeline/test-utm.log-expected.json | 24 +--
 packages/juniper/manifest.yml | 2 +-
 10 files changed, 264 insertions(+), 264 deletions(-)
diff --git a/packages/juniper/changelog.yml b/packages/juniper/changelog.yml
index 55f7a524496..6d2d6cc713c 100644
--- a/packages/juniper/changelog.yml
+++ b/packages/juniper/changelog.yml
@@ -1,5 +1,5 @@
 # newer versions go on top
-- version: "1.0.0"
+- version: "0.6.0"
 changes:
 - description: update to ECS 1.10.0 and add event.original options
 type: enhancement
diff --git a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
index 0a5ae78bd80..b7210b55983 100644
--- a/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/juniper/data_stream/junos/_dev/test/pipeline/test-generated.log-expected.json
@@ -6,7 +6,7 @@
 },
 "message": "Jan 29 06:09:59 ceroinBC.exe[6713]: RPD_SCHED_TASK_LONGRUNTIME: : exe ran for 7309(5049)",
 "event": {
- "ingested": "2021-06-07T13:08:32.781532900Z"
+ "ingested": "2021-06-09T11:29:56.469676200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -18,7 +18,7 @@
 },
 "message": "Feb 12 13:12:33 DCD_FILTER_LIB_ERROR message repeated [7608]: llu: Filter library initialization failed",
 "event": {
- "ingested": "2021-06-07T13:08:32.781563400Z"
+ "ingested": "2021-06-09T11:29:56.469699700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -30,7 +30,7 @@
 },
 "message": "Feb 26 20:15:08 MIB2D_TRAP_SEND_FAILURE: restart [6747]: sum: uaerat: cancel: success",
 "event": {
- "ingested": "2021-06-07T13:08:32.781571800Z"
+ "ingested": "2021-06-09T11:29:56.469707800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -42,7 +42,7 @@
 },
 "message": "Mar 12 03:17:42 seq olorema6148.www.localdomain: fug5500.www.domain IFP trace\u003e node: dqu",
 "event": {
- "ingested": "2021-06-07T13:08:32.781579600Z"
+ "ingested": "2021-06-09T11:29:56.469735Z"
 },
 "tags": [
 "preserve_original_event"
@@ -54,7 +54,7 @@
 },
 "message": "Mar 26 10:20:16 ssb SNMPD_CONTEXT_ERROR: [7400]: emq: isiu: success in 6237 context 5367",
 "event": {
- "ingested": "2021-06-07T13:08:32.781585400Z"
+ "ingested": "2021-06-09T11:29:56.469741900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -66,7 +66,7 @@
 },
 "message": "Apr 9 17:22:51 RPD_KRT_IFL_CELL_RELAY_MODE_UNSPECIFIED: restart [7618]: ionul: ifl : nibus, unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781590800Z"
+ "ingested": "2021-06-09T11:29:56.469747700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -78,7 +78,7 @@
 },
 "message": "Apr 24 00:25:25 CHASSISD_SNMP_TRAP10 message repeated [1284]: ume: SNMP trap: failure: ono",
 "event": {
- "ingested": "2021-06-07T13:08:32.781595900Z"
+ "ingested": "2021-06-09T11:29:56.469753900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -90,7 +90,7 @@
 },
 "message": "May 8 07:27:59 sunt prehen6218.www.localhost: onse.exe[254]: RPD_KRT_IFL_CELL_RELAY_MODE_INVALID: : ifl : inibusBo, failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.781601800Z"
+ "ingested": "2021-06-09T11:29:56.469759500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -102,7 +102,7 @@
 },
 "message": "May 22 14:30:33 iamquis quirat6972.www5.lan: isc.exe[3237]: SNMPD_USER_ERROR: : conseq: unknown in 6404 user 'atiset' 4068",
 "event": {
- "ingested": "2021-06-07T13:08:32.781607500Z"
+ "ingested": "2021-06-09T11:29:56.469764800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -114,7 +114,7 @@
 },
 "message": "Jun 5 21:33:08 fpc9 RPD_TASK_REINIT: [4621]: lita: Reinitializing",
 "event": {
- "ingested": "2021-06-07T13:08:32.781612600Z"
+ "ingested": "2021-06-09T11:29:56.469770Z"
 },
 "tags": [
 "preserve_original_event"
@@ -126,7 +126,7 @@
 },
 "message": "Jun 20 04:35:42 fpc4 LOGIN_FAILED: [2227]: oinBC: Login failed for user quameius from host ipsumdol4488.api.localdomain",
 "event": {
- "ingested": "2021-06-07T13:08:32.781618600Z"
+ "ingested": "2021-06-09T11:29:56.469776Z"
 },
 "tags": [
 "preserve_original_event"
@@ -138,7 +138,7 @@
 },
 "message": "Jul 4 11:38:16 NASD_PPP_SEND_PARTIAL: restart [3994]: aper: Unable to send all of message: santiumd",
 "event": {
- "ingested": "2021-06-07T13:08:32.781624Z"
+ "ingested": "2021-06-09T11:29:56.469781200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -150,7 +150,7 @@
 },
 "message": "Jul 18 18:40:50 UI_COMMIT_AT_FAILED message repeated [7440]: temqu: success, minimav",
 "event": {
- "ingested": "2021-06-07T13:08:32.781628900Z"
+ "ingested": "2021-06-09T11:29:56.469786100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -162,7 +162,7 @@
 },
 "message": "Aug 2 01:43:25 rnatur ofdeFin7811.lan: emipsumd.exe[5020]: BOOTPD_NEW_CONF: : New configuration installed",
 "event": {
- "ingested": "2021-06-07T13:08:32.781634200Z"
+ "ingested": "2021-06-09T11:29:56.469791Z"
 },
 "tags": [
 "preserve_original_event"
@@ -174,7 +174,7 @@
 },
 "message": "Aug 16 08:45:59 RPD_RIP_JOIN_MULTICAST message repeated [60]: onemulla: Unable to join multicast group enp0s4292: unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781638900Z"
+ "ingested": "2021-06-09T11:29:56.469795800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -186,7 +186,7 @@
 },
 "message": "Aug 30 15:48:33 FSAD_TERMINATED_CONNECTION: restart [6703]: xea: Open file ites` closed due to unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781643600Z"
+ "ingested": "2021-06-09T11:29:56.469800500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -198,7 +198,7 @@
 },
 "message": "Sep 13 22:51:07 RPD_KRT_IFL_GENERATION message repeated [5539]: eri: ifl lo2169 generation mismatch -- unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781648600Z"
+ "ingested": "2021-06-09T11:29:56.469805500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -210,7 +210,7 @@
 },
 "message": "Sep 28 05:53:42 cfeb UI_COMMIT_ROLLBACK_FAILED: [3453]: avolu: Automatic rollback failed",
 "event": {
- "ingested": "2021-06-07T13:08:32.781653500Z"
+ "ingested": "2021-06-09T11:29:56.469810100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -222,7 +222,7 @@
 },
 "message": "Oct 12 12:56:16 mquisn.exe[3993]: RMOPD_usage : failure: midest",
 "event": {
- "ingested": "2021-06-07T13:08:32.781658700Z"
+ "ingested": "2021-06-09T11:29:56.469820500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -234,7 +234,7 @@
 },
 "message": "Oct 26 19:58:50 undeomni.exe[4938]: RPD_ISIS_LSPCKSUM: : IS-IS 715 LSP checksum error, interface enp0s1965, LSP id tasun, sequence 3203, checksum eratv, lifetime ipsa",
 "event": {
- "ingested": "2021-06-07T13:08:32.781664100Z"
+ "ingested": "2021-06-09T11:29:56.469825400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -246,7 +246,7 @@
 },
 "message": "Nov 10 03:01:24 kmd: restart ",
 "event": {
- "ingested": "2021-06-07T13:08:32.781670200Z"
+ "ingested": "2021-06-09T11:29:56.469830Z"
 },
 "tags": [
 "preserve_original_event"
@@ -258,7 +258,7 @@
 },
 "message": "Nov 24 10:03:59 ever.exe[6463]: LOGIN_FAILED: : Login failed for user atq from host erspi4926.www5.test",
 "event": {
- "ingested": "2021-06-07T13:08:32.781675400Z"
+ "ingested": "2021-06-09T11:29:56.469835200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -270,7 +270,7 @@
 },
 "message": "Dec 8 17:06:33 CHASSISD_MBUS_ERROR message repeated [72]: iadese: nisiu imad: management bus failed sanity test",
 "event": {
- "ingested": "2021-06-07T13:08:32.781680800Z"
+ "ingested": "2021-06-09T11:29:56.469841800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -282,7 +282,7 @@
 },
 "message": "Dec 23 00:09:07 niamquis.exe[1471]: TFTPD_NAK_ERR : nak error ptatems, 357",
 "event": {
- "ingested": "2021-06-07T13:08:32.781686300Z"
+ "ingested": "2021-06-09T11:29:56.469847400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -294,7 +294,7 @@
 },
 "message": "Jan 6 07:11:41 UI_DUPLICATE_UID: restart [3350]: atqu: Users naturau have the same UID olorsita",
 "event": {
- "ingested": "2021-06-07T13:08:32.781692200Z"
+ "ingested": "2021-06-09T11:29:56.469852900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -306,7 +306,7 @@
 },
 "message": "Jan 20 14:14:16 piscivel.exe[4753]: TFTPD_CREATE_ERR: : check_space unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781697700Z"
+ "ingested": "2021-06-09T11:29:56.469857800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -318,7 +318,7 @@
 },
 "message": "Feb 3 21:16:50 fpc4 RPD_START: [1269]: riat: Start 181 version version built 7425",
 "event": {
- "ingested": "2021-06-07T13:08:32.781703200Z"
+ "ingested": "2021-06-09T11:29:56.469863Z"
 },
 "tags": [
 "preserve_original_event"
@@ -330,7 +330,7 @@
 },
 "message": "Feb 18 04:19:24 fpc2 COSMAN: : uptasnul: delete class_to_ifl table 2069, ifl 3693",
 "event": {
- "ingested": "2021-06-07T13:08:32.781708400Z"
+ "ingested": "2021-06-09T11:29:56.469871100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -342,7 +342,7 @@
 },
 "message": "Mar 4 11:21:59 orum oinBCSed3073.www.lan: ilm.exe[3193]: SNMPD_TRAP_QUEUE_MAX_ATTEMPTS: : fugiatqu: after 4003 attempts, deleting 4568 traps queued to exercita",
 "event": {
- "ingested": "2021-06-07T13:08:32.781764200Z"
+ "ingested": "2021-06-09T11:29:56.469875600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -354,7 +354,7 @@
 },
 "message": "Mar 18 18:24:33 TFTPD_BIND_ERR: restart [1431]: ntut: bind: failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.781779100Z"
+ "ingested": "2021-06-09T11:29:56.469879700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -366,7 +366,7 @@
 },
 "message": "Apr 2 01:27:07 lite ugia517.api.host: doei.exe[7073]: RPD_LDP_SESSIONDOWN: : LDP session 10.88.126.165 is down, failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.781786100Z"
+ "ingested": "2021-06-09T11:29:56.469885200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -378,7 +378,7 @@
 },
 "message": "Apr 16 08:29:41 fpc6 SNMPD_CONTEXT_ERROR: [180]: eturadip: ent: unknown in 5848 context 316",
 "event": {
- "ingested": "2021-06-07T13:08:32.781792900Z"
+ "ingested": "2021-06-09T11:29:56.469889600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -390,7 +390,7 @@
 },
 "message": "Apr 30 15:32:16 NASD_CHAP_INVALID_CHAP_IDENTIFIER message repeated [796]: iumdo: lo2721: received aturv expected CHAP ID: ectetura",
 "event": {
- "ingested": "2021-06-07T13:08:32.781799Z"
+ "ingested": "2021-06-09T11:29:56.469893800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -402,7 +402,7 @@
 },
 "message": "May 14 22:34:50 UI_LOAD_EVENT message repeated [6342]: seq: User 'moll' is performing a 'allow'",
 "event": {
- "ingested": "2021-06-07T13:08:32.781804300Z"
+ "ingested": "2021-06-09T11:29:56.469900800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -414,7 +414,7 @@
 },
 "message": "May 29 05:37:24 fdeFin.exe[4053]: SNMP_TRAP_TRACE_ROUTE_TEST_FAILED : traceRouteCtlOwnerIndex = 1450, traceRouteCtlTestName = edic",
 "event": {
- "ingested": "2021-06-07T13:08:32.781811900Z"
+ "ingested": "2021-06-09T11:29:56.469905300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -426,7 +426,7 @@
 },
 "message": "Jun 12 12:39:58 SNMPD_RTSLIB_ASYNC_EVENT: restart [508]: uae: oremip: sequence mismatch failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.781817100Z"
+ "ingested": "2021-06-09T11:29:56.469909700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -438,7 +438,7 @@
 },
 "message": "Jun 26 19:42:33 tesse olupta2743.internal.localdomain: ine.exe[3181]: BOOTPD_TIMEOUT: : Timeout success unreasonable",
 "event": {
- "ingested": "2021-06-07T13:08:32.781822100Z"
+ "ingested": "2021-06-09T11:29:56.469914Z"
 },
 "tags": [
 "preserve_original_event"
@@ -450,7 +450,7 @@
 },
 "message": "Jul 11 02:45:07 NASD_RADIUS_MESSAGE_UNEXPECTED message repeated [33]: abore: Unknown response from RADIUS server: unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781826900Z"
+ "ingested": "2021-06-09T11:29:56.469918Z"
 },
 "tags": [
 "preserve_original_event"
@@ -462,7 +462,7 @@
 },
 "message": "Jul 25 09:47:41 PWC_LOCKFILE_BAD_FORMAT: restart [3426]: illum: PID lock file has bad format: eprehe",
 "event": {
- "ingested": "2021-06-07T13:08:32.781831900Z"
+ "ingested": "2021-06-09T11:29:56.469922100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -474,7 +474,7 @@
 },
 "message": "Aug 8 16:50:15 snostr.exe[1613]: RPD_KRT_AFUNSUPRT : tec: received itaspe message with unsupported address family 4176",
 "event": {
- "ingested": "2021-06-07T13:08:32.781837100Z"
+ "ingested": "2021-06-09T11:29:56.469926200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -486,7 +486,7 @@
 },
 "message": "Aug 22 23:52:50 oreeufug.exe[6086]: PWC_PROCESS_FORCED_HOLD : Process plicaboN forcing hold down of child 619 until signal",
 "event": {
- "ingested": "2021-06-07T13:08:32.781842300Z"
+ "ingested": "2021-06-09T11:29:56.469930100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -498,7 +498,7 @@
 },
 "message": "Sep 6 06:55:24 MIB2D_IFL_IFINDEX_FAILURE message repeated [4115]: tiu: SNMP index assigned to wri changed from 3902 to unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781847400Z"
+ "ingested": "2021-06-09T11:29:56.469938100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -510,7 +510,7 @@
 },
 "message": "Sep 20 13:57:58 mwr cia5990.api.localdomain: pitlabo.exe[3498]: UI_DBASE_MISMATCH_MAJOR: : Database header major version number mismatch for file 'ende': expecting 6053, got 4884",
 "event": {
- "ingested": "2021-06-07T13:08:32.781852900Z"
+ "ingested": "2021-06-09T11:29:56.469942700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -522,7 +522,7 @@
 },
 "message": "Oct 4 21:00:32 iuntN utfugi851.www5.invalid: nul.exe[1005]: SNMPD_VIEW_INSTALL_DEFAULT: : eetdo: success installing default 1243 view 5146",
 "event": {
- "ingested": "2021-06-07T13:08:32.781857900Z"
+ "ingested": "2021-06-09T11:29:56.469946900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -534,7 +534,7 @@
 },
 "message": "Oct 19 04:03:07 DCD_PARSE_STATE_EMERGENCY message repeated [2498]: uptatem: An unhandled state was encountered during interface parsing",
 "event": {
- "ingested": "2021-06-07T13:08:32.781862500Z"
+ "ingested": "2021-06-09T11:29:56.469950900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -546,7 +546,7 @@
 },
 "message": "Nov 2 11:05:41 loremagn acons3820.internal.home: ain.exe[7192]: LOGIN_PAM_MAX_RETRIES: : Too many retries while authenticating user iquipex",
 "event": {
- "ingested": "2021-06-07T13:08:32.781867200Z"
+ "ingested": "2021-06-09T11:29:56.469954800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -558,7 +558,7 @@
 },
 "message": "Nov 16 18:08:15 onorume.exe[3290]: BOOTPD_NO_BOOTSTRING : No boot string found for type veleu",
 "event": {
- "ingested": "2021-06-07T13:08:32.781871800Z"
+ "ingested": "2021-06-09T11:29:56.469958700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -570,7 +570,7 @@
 },
 "message": "Dec 1 01:10:49 eirured sequamn5243.mail.home: sshd: sshd: SSHD_LOGIN_FAILED: Login failed for user 'ciatisun' from host '10.252.209.246'.",
 "event": {
- "ingested": "2021-06-07T13:08:32.781876600Z"
+ "ingested": "2021-06-09T11:29:56.469963200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -582,7 +582,7 @@
 },
 "message": "Dec 15 08:13:24 COS: restart : Received FC-\u003eQ map, caecat",
 "event": {
- "ingested": "2021-06-07T13:08:32.781881400Z"
+ "ingested": "2021-06-09T11:29:56.469966900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -594,7 +594,7 @@
 },
 "message": "Dec 29 15:15:58 cgatool message repeated : nvolupta: generated address is success",
 "event": {
- "ingested": "2021-06-07T13:08:32.781886400Z"
+ "ingested": "2021-06-09T11:29:56.469970700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -606,7 +606,7 @@
 },
 "message": "Jan 12 22:18:32 CHASSISD_SNMP_TRAP6 message repeated [4667]: idolor: SNMP trap generated: success (les)",
 "event": {
- "ingested": "2021-06-07T13:08:32.781891200Z"
+ "ingested": "2021-06-09T11:29:56.469974700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -618,7 +618,7 @@
 },
 "message": "Jan 27 05:21:06 ssb FLOW_REASSEMBLE_SUCCEED: : Packet merged source 10.102.228.136 destination 10.151.136.250 ipid upt succeed",
 "event": {
- "ingested": "2021-06-07T13:08:32.781896Z"
+ "ingested": "2021-06-09T11:29:56.469978700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -630,7 +630,7 @@
 },
 "message": "Feb 10 12:23:41 DFWD_PARSE_FILTER_EMERGENCY message repeated [2037]: serrorsi: tsedquia encountered errors while parsing filter index file",
 "event": {
- "ingested": "2021-06-07T13:08:32.781900700Z"
+ "ingested": "2021-06-09T11:29:56.469982400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -642,7 +642,7 @@
 },
 "message": "Feb 24 19:26:15 remips laboreet5949.mail.test: tesse.exe[4358]: RPD_LDP_SESSIONDOWN: : LDP session 10.148.255.126 is down, unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781905700Z"
+ "ingested": "2021-06-09T11:29:56.469986100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -654,7 +654,7 @@
 },
 "message": "Mar 11 02:28:49 fpc2 NASD_CHAP_REPLAY_ATTACK_DETECTED: [mipsumqu]: turad: eth680.6195: received doloremi unknown.iciatis",
 "event": {
- "ingested": "2021-06-07T13:08:32.781910800Z"
+ "ingested": "2021-06-09T11:29:56.469989900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -666,7 +666,7 @@
 },
 "message": "Mar 25 09:31:24 rema mcol7795.domain: mquis lsys_ssam_handler: : processing lsys root-logical-system tur",
 "event": {
- "ingested": "2021-06-07T13:08:32.781915700Z"
+ "ingested": "2021-06-09T11:29:56.469993800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -678,7 +678,7 @@
 },
 "message": "Apr 8 16:33:58 UI_LOST_CONN message repeated [7847]: loreeuf: Lost connection to daemon orainci",
 "event": {
- "ingested": "2021-06-07T13:08:32.781920300Z"
+ "ingested": "2021-06-09T11:29:56.469997600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -690,7 +690,7 @@
 },
 "message": "Apr 22 23:36:32 PWC_PROCESS_HOLD: restart [1791]: itse: Process lapari holding down child 2702 until signal",
 "event": {
- "ingested": "2021-06-07T13:08:32.781925Z"
+ "ingested": "2021-06-09T11:29:56.470001300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -702,7 +702,7 @@
 },
 "message": "May 7 06:39:06 undeo ficiade4365.mail.domain: norum.exe[4443]: LIBSERVICED_SOCKET_BIND: : dantium: unable to bind socket ors: failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.781929500Z"
+ "ingested": "2021-06-09T11:29:56.470004900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -714,7 +714,7 @@
 },
 "message": "May 21 13:41:41 liq eleumiu2852.lan: mfugiat.exe[3946]: LOGIN_FAILED: : Login failed for user olu from host mSect5899.domain",
 "event": {
- "ingested": "2021-06-07T13:08:32.781933900Z"
+ "ingested": "2021-06-09T11:29:56.470008500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -726,7 +726,7 @@
 },
 "message": "Jun 4 20:44:15 idolo.exe[6535]: MIB2D_IFL_IFINDEX_FAILURE: : SNMP index assigned to deseru changed from 6460 to unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781938200Z"
+ "ingested": "2021-06-09T11:29:56.470012100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -738,7 +738,7 @@
 },
 "message": "Jun 19 03:46:49 modtempo.exe[5276]: CHASSISD_RELEASE_MASTERSHIP: : Release mastership notification",
 "event": {
- "ingested": "2021-06-07T13:08:32.781942600Z"
+ "ingested": "2021-06-09T11:29:56.470016100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -750,7 +750,7 @@
 },
 "message": "Jul 3 10:49:23 fpc4 PWC_PROCESS_HOLD: [3450]: dexea: Process aturExc holding down child 7343 until signal",
 "event": {
- "ingested": "2021-06-07T13:08:32.781946700Z"
+ "ingested": "2021-06-09T11:29:56.470019700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -762,7 +762,7 @@
 },
 "message": "Jul 17 17:51:58 ame.exe[226]: SERVICED_RTSOCK_SEQUENCE : boreet: routing socket sequence error, unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781950700Z"
+ "ingested": "2021-06-09T11:29:56.470023600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -774,7 +774,7 @@
 },
 "message": "Aug 1 00:54:32 consect6919.mail.localdomain iset.exe[940]: idpinfo: urere",
 "event": {
- "ingested": "2021-06-07T13:08:32.781954700Z"
+ "ingested": "2021-06-09T11:29:56.470027400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -786,7 +786,7 @@
 },
 "message": "Aug 15 07:57:06 RPD_KRT_NOIFD: restart [4822]: oreeufug: No device 5020 for interface lo4593",
 "event": {
- "ingested": "2021-06-07T13:08:32.781958700Z"
+ "ingested": "2021-06-09T11:29:56.470031400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -798,7 +798,7 @@
 },
 "message": "Aug 29 14:59:40 eprehen oinB3432.api.invalid: citatio.exe[5029]: craftd: , unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.781972600Z"
+ "ingested": "2021-06-09T11:29:56.470035Z"
 },
 "tags": [
 "preserve_original_event"
@@ -810,7 +810,7 @@
 },
 "message": "Sep 12 22:02:15 ACCT_CU_RTSLIB_error message repeated [7583]: eetd: liquide getting class usage statistics for interface enp0s2674: success",
 "event": {
- "ingested": "2021-06-07T13:08:32.781976900Z"
+ "ingested": "2021-06-09T11:29:56.470038800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -822,7 +822,7 @@
 },
 "message": "Sep 27 05:04:49 userro oree nimadmi7341.www.home RT_FLOW - kmd [",
 "event": {
- "ingested": "2021-06-07T13:08:32.781981Z"
+ "ingested": "2021-06-09T11:29:56.470042600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -834,7 +834,7 @@
 },
 "message": "Oct 11 12:07:23 LOGIN_PAM_NONLOCAL_USER: restart [686]: rauto: User rese authenticated but has no local login ID",
 "event": {
- "ingested": "2021-06-07T13:08:32.781985Z"
+ "ingested": "2021-06-09T11:29:56.470046300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -846,7 +846,7 @@
 },
 "message": "Oct 25 19:09:57 doconse.exe[6184]: RPD_KRT_NOIFD : No device 5991 for interface enp0s7694",
 "event": {
- "ingested": "2021-06-07T13:08:32.781990100Z"
+ "ingested": "2021-06-09T11:29:56.470050Z"
 },
 "tags": [
 "preserve_original_event"
@@ -858,7 +858,7 @@
 },
 "message": "Nov 9 02:12:32 quidolor1064.www.domain: uspinfo: : flow_print_session_summary_output received rcita",
 "event": {
- "ingested": "2021-06-07T13:08:32.781994100Z"
+ "ingested": "2021-06-09T11:29:56.470053600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -870,7 +870,7 @@
 },
 "message": "Nov 23 09:15:06 RPD_TASK_REINIT: restart [1810]: mfugi: Reinitializing",
 "event": {
- "ingested": "2021-06-07T13:08:32.781998400Z"
+ "ingested": "2021-06-09T11:29:56.470057500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -882,7 +882,7 @@
 },
 "message": "Dec 7 16:17:40 inibusBo.exe[2509]: ECCD_TRACE_FILE_OPEN_FAILED : allow: failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.782002400Z"
+ "ingested": "2021-06-09T11:29:56.470061300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -894,7 +894,7 @@
 },
 "message": "Dec 21 23:20:14 ECCD_TRACE_FILE_OPEN_FAILED message repeated [2815]: rudexer: accept: unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.782007100Z"
+ "ingested": "2021-06-09T11:29:56.470069Z"
 },
 "tags": [
 "preserve_original_event"
@@ -906,7 +906,7 @@
 },
 "message": "Jan 5 06:22:49 eseosqu oeius641.api.home: laud.exe[913]: LOGIN_FAILED: : Login failed for user turQ from host tod6376.mail.host",
 "event": {
- "ingested": "2021-06-07T13:08:32.782011100Z"
+ "ingested": "2021-06-09T11:29:56.470073500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -918,7 +918,7 @@
 },
 "message": "Jan 19 13:25:23 ine.exe[1578]: FSAD_CONNTIMEDOUT : Connection timed out to the client (oreve2538.www.localdomain, 10.44.24.103) having request type reprehen",
 "event": {
- "ingested": "2021-06-07T13:08:32.782015600Z"
+ "ingested": "2021-06-09T11:29:56.470077800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -930,7 +930,7 @@
 },
 "message": "Feb 2 20:27:57 UI_SCHEMA_SEQUENCE_ERROR: restart [734]: rinre: Schema sequence number mismatch",
 "event": {
- "ingested": "2021-06-07T13:08:32.782026600Z"
+ "ingested": "2021-06-09T11:29:56.470081600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -942,7 +942,7 @@
 },
 "message": "Feb 17 03:30:32 LIBJNX_EXEC_PIPE: restart [946]: olors: Unable to create pipes for command 'deny': unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.782030700Z"
+ "ingested": "2021-06-09T11:29:56.470085400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -954,7 +954,7 @@
 },
 "message": "Mar 3 10:33:06 UI_DBASE_MISMATCH_EXTENT: restart [4686]: isnost: Database header extent mismatch for file 'lumdolor': expecting 559, got 7339",
 "event": {
- "ingested": "2021-06-07T13:08:32.782034700Z"
+ "ingested": "2021-06-09T11:29:56.470104200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -966,7 +966,7 @@
 },
 "message": "Mar 17 17:35:40 NASD_usage message repeated [7744]: eumfu: unknown: quidex",
 "event": {
- "ingested": "2021-06-07T13:08:32.782038800Z"
+ "ingested": "2021-06-09T11:29:56.470111700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -978,7 +978,7 @@
 },
 "message": "Apr 1 00:38:14 /kmd: ",
 "event": {
- "ingested": "2021-06-07T13:08:32.782042700Z"
+ "ingested": "2021-06-09T11:29:56.470118100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -990,7 +990,7 @@
 },
 "message": "Apr 15 07:40:49 sshd message repeated : very-high: can't get client address: unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.782046700Z"
+ "ingested": "2021-06-09T11:29:56.470123Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1002,7 +1002,7 @@
 },
 "message": "Apr 29 14:43:23 fpc4 RPD_LDP_NBRUP: [4279]: stlaboru: LDP neighbor 10.248.68.242 (eth1282) is success",
 "event": {
- "ingested": "2021-06-07T13:08:32.782050800Z"
+ "ingested": "2021-06-09T11:29:56.470128100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1014,7 +1014,7 @@
 },
 "message": "May 13 21:45:57 uun iduntutl4723.example: uel.exe[5770]: SNMPD_TRAP_QUEUE_DRAINED: : metco: traps queued to vel sent successfully",
 "event": {
- "ingested": "2021-06-07T13:08:32.782054700Z"
+ "ingested": "2021-06-09T11:29:56.470132600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1026,7 +1026,7 @@
 },
 "message": "May 28 04:48:31 fpc8 ECCD_PCI_WRITE_FAILED: [4837]: radip: cancel: success",
 "event": {
- "ingested": "2021-06-07T13:08:32.782059800Z"
+ "ingested": "2021-06-09T11:29:56.470151100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1038,7 +1038,7 @@
 },
 "message": "Jun 11 11:51:06 TFTPD_RECVCOMPLETE_INFO message repeated [7501]: piciatis: Received 3501 blocks of 5877 size for file 'tatisetq'",
 "event": {
- "ingested": "2021-06-07T13:08:32.782064Z"
+ "ingested": "2021-06-09T11:29:56.470158700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1050,7 +1050,7 @@
 },
 "message": "Jun 25 18:53:40 usp_trace_ipc_reconnect message repeated illum.exe:USP trace client cannot reconnect to server",
 "event": {
- "ingested": "2021-06-07T13:08:32.782068500Z"
+ "ingested": "2021-06-09T11:29:56.470163900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1062,7 +1062,7 @@
 },
 "message": "Jul 10 01:56:14 amnis atevelit2799.internal.host: tatiset.exe IFP trace\u003e BCHIP: : cannot write ucode mask reg",
 "event": {
- "ingested": "2021-06-07T13:08:32.782072400Z"
+ "ingested": "2021-06-09T11:29:56.470168100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1074,7 +1074,7 @@
 },
 "message": "Jul 24 08:58:48 RPD_MPLS_LSP_DOWN message repeated [5094]: moditemp: MPLS LSP eth2042 unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.782076200Z"
+ "ingested": "2021-06-09T11:29:56.470172200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1086,7 +1086,7 @@
 },
 "message": "Aug 7 16:01:23 CHASSISD_PARSE_INIT: restart [4153]: uatDuisa: Parsing configuration file 'usB'",
 "event": {
- "ingested": "2021-06-07T13:08:32.782079900Z"
+ "ingested": "2021-06-09T11:29:56.470176100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1098,7 +1098,7 @@
 },
 "message": "Aug 21 23:03:57 RMOPD_ROUTING_INSTANCE_NO_INFO: restart [6922]: upidatat: No information for routing instance non: failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.782083500Z"
+ "ingested": "2021-06-09T11:29:56.470179800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1110,7 +1110,7 @@
 },
 "message": "Sep 5 06:06:31 Utenimad.exe[4305]: CHASSISD_TERM_SIGNAL: : Received SIGTERM request, success",
 "event": {
- "ingested": "2021-06-07T13:08:32.782087200Z"
+ "ingested": "2021-06-09T11:29:56.470183600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1122,7 +1122,7 @@
 },
 "message": "Sep 19 13:09:05 tseddo.exe[484]: RPD_OSPF_NBRUP : OSPF neighbor 10.49.190.163 (lo50) aUteni due to failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.782091100Z"
+ "ingested": "2021-06-09T11:29:56.470187200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1134,7 +1134,7 @@
 },
 "message": "Oct 3 20:11:40 cfeb NASD_usage: [6968]: litseddo: failure: metconse",
 "event": {
- "ingested": "2021-06-07T13:08:32.782095300Z"
+ "ingested": "2021-06-09T11:29:56.470190900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1146,7 +1146,7 @@
 },
 "message": "Oct 18 03:14:14 RPD_LDP_NBRDOWN message repeated [4598]: emu: LDP neighbor 10.101.99.109 (eth4282) is success",
 "event": {
- "ingested": "2021-06-07T13:08:32.782099600Z"
+ "ingested": "2021-06-09T11:29:56.470194500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1158,7 +1158,7 @@
 },
 "message": "Nov 1 10:16:48 RPD_RDISC_NOMULTI message repeated [4764]: con: Ignoring interface 594 on lo7449 -- unknown",
 "event": {
- "ingested": "2021-06-07T13:08:32.782103500Z"
+ "ingested": "2021-06-09T11:29:56.470198400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1170,7 +1170,7 @@
 },
 "message": "Nov 15 17:19:22 BOOTPD_NEW_CONF: restart [1768]: isquames: New configuration installed",
 "event": {
- "ingested": "2021-06-07T13:08:32.782107200Z"
+ "ingested": "2021-06-09T11:29:56.470202100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1182,7 +1182,7 @@
 },
 "message": "Nov 30 00:21:57 SNMP_TRAP_LINK_DOWN message repeated [7368]: ngelit: ifIndex 4197, ifAdminStatus ons, ifOperStatus unknown, ifName lo3193",
 "event": {
- "ingested": "2021-06-07T13:08:32.782111200Z"
+ "ingested": "2021-06-09T11:29:56.470205800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1194,7 +1194,7 @@
 },
 "message": "Dec 14 07:24:31 MIB2D_ATM_ERROR message repeated [4927]: udexerci: voluptat: failure",
 "event": {
- "ingested": "2021-06-07T13:08:32.782115500Z"
+ "ingested": "2021-06-09T11:29:56.470209200Z"
 },
 "tags": [
 "preserve_original_event"
diff --git a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
index c82594c80d4..c2dee954fa5 100644
--- a/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
+++ b/packages/juniper/data_stream/netscreen/_dev/test/pipeline/test-generated.log-expected.json
@@ -6,7 +6,7 @@
 },
 "message": "modtempo: NetScreen device_id=olab system-low-00628(rci): audit log queue Event Alarm Log is overwritten (2016-1-29 06:09:59)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483546300Z"
+ "ingested": "2021-06-09T11:29:57.200924700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -18,7 +18,7 @@
 },
 "message": "luptat: NetScreen device_id=isiutal [moenimi]system-low-00620(gnaali): RTSYNC: Timer to purge the DRP backup routes is stopped. (2016-2-12 13:12:33)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483566100Z"
+ "ingested": "2021-06-09T11:29:57.201008Z"
 },
 "tags": [
 "preserve_original_event"
@@ -30,7 +30,7 @@
 },
 "message": "deomni: NetScreen device_id=tquovol [ntsuntin]system-medium-00062(tatno): Track IP IP address 10.159.227.210 succeeded. (ofdeF)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483591300Z"
+ "ingested": "2021-06-09T11:29:57.201019Z"
 },
 "tags": [
 "preserve_original_event"
@@ -42,7 +42,7 @@
 },
 "message": "untutlab: NetScreen device_id=tem [ons]system-medium-00004: DNS lookup time has been changed to start at ationu:ali with an interval of nsect",
 "event": {
- "ingested": "2021-06-07T13:08:33.483598400Z"
+ "ingested": "2021-06-09T11:29:57.201024900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -54,7 +54,7 @@
 },
 "message": "eve: NetScreen device_id=tatiset [eprehen]system-medium-00034(piscing): Ethernet driver ran out of rx bd (port 1044)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483603200Z"
+ "ingested": "2021-06-09T11:29:57.201029300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -66,7 +66,7 @@
 },
 "message": "eomnisis: NetScreen device_id=mqui [civeli]system-high-00026: SCS: SCS has been tasuntex for enp0s5377 .",
 "event": {
- "ingested": "2021-06-07T13:08:33.483607300Z"
+ "ingested": "2021-06-09T11:29:57.201033500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -78,7 +78,7 @@
 },
 "message": "rehender: NetScreen device_id=eporroqu [uat]system-high-00026(atquovo): SSH: Maximum number of PKA keys (suntinc) has been bound to user 'xeac' Key not bound. (Key ID nidolo)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483611700Z"
+ "ingested": "2021-06-09T11:29:57.201037400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -90,7 +90,7 @@
 },
 "message": "intoccae: NetScreen device_id=ents [pida]system-low-00535(idolor): PKCS #7 data cannot be decapsulated",
 "event": {
- "ingested": "2021-06-07T13:08:33.483615400Z"
+ "ingested": "2021-06-09T11:29:57.201041300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -102,7 +102,7 @@
 },
 "message": "numqu: NetScreen device_id=qui [No Name]system-medium-00520: Active Server Switchover: New requests for equi server will try agnaali from now on. (2016-5-22 14:30:33)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483634400Z"
+ "ingested": "2021-06-09T11:29:57.201045300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -114,7 +114,7 @@
 },
 "message": "ipitla: NetScreen device_id=quae [maccusa]system-high-00072(rQuisau): NSRP: Unit idex of VSD group xerci aqu",
 "event": {
- "ingested": "2021-06-07T13:08:33.483641Z"
+ "ingested": "2021-06-09T11:29:57.201049100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -126,7 +126,7 @@
 },
 "message": "atu: NetScreen device_id=umexerci [ern]system-low-00084(iadese): RTSYNC: NSRP route synchronization is nsectet",
 "event": {
- "ingested": "2021-06-07T13:08:33.483645500Z"
+ "ingested": "2021-06-09T11:29:57.201052900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -138,7 +138,7 @@
 },
 "message": "dol: NetScreen device_id=leumiu [namali]system-medium-00527(atevel): MAC address 01:00:5e:11:0a:26 has detected an IP conflict and has declined address 10.90.127.74",
 "event": {
- "ingested": "2021-06-07T13:08:33.483650Z"
+ "ingested": "2021-06-09T11:29:57.201057100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -150,7 +150,7 @@
 },
 "message": "acc: NetScreen device_id=amc [atur]system-low-00050(corp): Track IP enabled (2016-7-18 18:40:50)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483654Z"
+ "ingested": "2021-06-09T11:29:57.201061Z"
 },
 "tags": [
 "preserve_original_event"
@@ -162,7 +162,7 @@
 },
 "message": "tper: NetScreen device_id=olor [Neque]system-medium-00524(xerc): SNMP request from an unknown SNMP community public at 10.61.30.190:2509 has been received. (2016-8-2 01:43:25)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483658400Z"
+ "ingested": "2021-06-09T11:29:57.201065Z"
 },
 "tags": [
 "preserve_original_event"
@@ -174,7 +174,7 @@
 },
 "message": "etdol: NetScreen device_id=uela [boN]system-medium-00521: Can't connect to E-mail server 10.210.240.175",
 "event": {
- "ingested": "2021-06-07T13:08:33.483661900Z"
+ "ingested": "2021-06-09T11:29:57.201082600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -186,7 +186,7 @@
 },
 "message": "ati: NetScreen device_id=tlabo [uames]system-medium-00553(mpo): SCAN-MGR: Set maximum content size to offi.",
 "event": {
- "ingested": "2021-06-07T13:08:33.483665600Z"
+ "ingested": "2021-06-09T11:29:57.201089300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -198,7 +198,7 @@
 },
 "message": "umwr: NetScreen device_id=oluptate [issus]system-high-00005(uaUteni): SYN flood udantium has been changed to pre",
 "event": {
- "ingested": "2021-06-07T13:08:33.483671200Z"
+ "ingested": "2021-06-09T11:29:57.201094100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -210,7 +210,7 @@
 },
 "message": "tate: NetScreen device_id=imvenia [spi]system-high-00038(etdo): OSPF routing instance in vrouter urerepr is ese",
 "event": {
- "ingested": "2021-06-07T13:08:33.483675100Z"
+ "ingested": "2021-06-09T11:29:57.201098200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -222,7 +222,7 @@
 },
 "message": "smo: NetScreen device_id=etcons [iusmodi]system-medium-00012: ate Service group uiac has epte member idolo from host 10.170.139.87",
 "event": {
- "ingested": "2021-06-07T13:08:33.483678800Z"
+ "ingested": "2021-06-09T11:29:57.201101900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -234,7 +234,7 @@
 },
 "message": "ersp: NetScreen device_id=tquov [diconseq]system-high-00551(mod): Rapid Deployment cannot start because gateway has undergone configuration changes. (2016-10-26 19:58:50)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483682500Z"
+ "ingested": "2021-06-09T11:29:57.201105400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -246,7 +246,7 @@
 },
 "message": "mquame: NetScreen device_id=nihilmol [xercita]system-medium-00071(tiumt): The local device reetdolo in the Virtual Security Device group norum changed state",
 "event": {
- "ingested": "2021-06-07T13:08:33.483686300Z"
+ "ingested": "2021-06-09T11:29:57.201108900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -258,7 +258,7 @@
 },
 "message": "isnisi: NetScreen device_id=ritatise [uamei]system-medium-00057(quatur): uisa: static multicast route src=10.198.41.214, grp=cusant input ifp = lo2786 output ifp = eth3657 added",
 "event": {
- "ingested": "2021-06-07T13:08:33.483690600Z"
+ "ingested": "2021-06-09T11:29:57.201112400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -270,7 +270,7 @@
 },
 "message": "isis: NetScreen device_id=uasiar [utlab]system-high-00075(loremqu): The local device dantium in the Virtual Security Device group lor velillu",
 "event": {
- "ingested": "2021-06-07T13:08:33.483694700Z"
+ "ingested": "2021-06-09T11:29:57.201116200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -282,7 +282,7 @@
 },
 "message": "bor: NetScreen device_id=rauto [ationev]system-low-00039(mdol): BGP instance name created for vr itation",
 "event": {
- "ingested": "2021-06-07T13:08:33.483698500Z"
+ "ingested": "2021-06-09T11:29:57.201121Z"
 },
 "tags": [
 "preserve_original_event"
@@ -294,7 +294,7 @@
 },
 "message": "iaeco: NetScreen device_id=equaturv [siu]system-high-00262(veniamqu): Admin user rum has been rejected via the quaea server at 10.11.251.51",
 "event": {
- "ingested": "2021-06-07T13:08:33.483702500Z"
+ "ingested": "2021-06-09T11:29:57.201125500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -306,7 +306,7 @@
 },
 "message": "orroq: NetScreen device_id=vitaedic [orin]system-high-00038(ons): OSPF routing instance in vrouter remagn ecillu",
 "event": {
- "ingested": "2021-06-07T13:08:33.483706600Z"
+ "ingested": "2021-06-09T11:29:57.201129400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -318,7 +318,7 @@
 },
 "message": "enderit: NetScreen device_id=taut [tanimi]system-medium-00515(commodi): emporain Admin User \"ntiumto\" logged in for umetMalo(https) management (port 2206) from 10.80.237.27:2883",
 "event": {
- "ingested": "2021-06-07T13:08:33.483773900Z"
+ "ingested": "2021-06-09T11:29:57.201146600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -330,7 +330,7 @@
 },
 "message": "ori: NetScreen device_id=tconsect [rum]system-high-00073(eporroq): NSRP: Unit ulla of VSD group iqu oin",
 "event": {
- "ingested": "2021-06-07T13:08:33.483781500Z"
+ "ingested": "2021-06-09T11:29:57.201153100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -342,7 +342,7 @@
 },
 "message": "mipsum: NetScreen device_id=lmo [aliquamq]system-medium-00030: X509 certificate for ScreenOS image authentication is invalid",
 "event": {
- "ingested": "2021-06-07T13:08:33.483786800Z"
+ "ingested": "2021-06-09T11:29:57.201157600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -354,7 +354,7 @@
 },
 "message": "orroqu: NetScreen device_id=elitsed [labore]system-medium-00034(erc): PPPoE Settings changed",
 "event": {
- "ingested": "2021-06-07T13:08:33.483791400Z"
+ "ingested": "2021-06-09T11:29:57.201161700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -366,7 +366,7 @@
 },
 "message": "ntNe: NetScreen device_id=itanim [nesciun]system-medium-00612: Switch event: the status of ethernet port mollita changed to link down , duplex full , speed 10 M. (2017-4-2 01:27:07)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483795800Z"
+ "ingested": "2021-06-09T11:29:57.201166100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -378,7 +378,7 @@
 },
 "message": "quide: NetScreen device_id=quaU [undeomni]system-medium-00077(acomm): NSRP: local unit= iutali of VSD group itat stlaboru",
 "event": {
- "ingested": "2021-06-07T13:08:33.483800400Z"
+ "ingested": "2021-06-09T11:29:57.201169700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -390,7 +390,7 @@
 },
 "message": "emq: NetScreen device_id=plicaboN [amc]system-high-00536(acommo): IKE 10.10.77.119: Dropped packet because remote gateway OK is not used in any VPN tunnel configurations",
 "event": {
- "ingested": "2021-06-07T13:08:33.483804400Z"
+ "ingested": "2021-06-09T11:29:57.201173300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -402,7 +402,7 @@
 },
 "message": "scivel: NetScreen device_id=henderi [iusmodt]system-medium-00536(tquas): IKE 10.200.22.41: Received incorrect ID payload: IP address lorinr instead of IP address ercita",
 "event": {
- "ingested": "2021-06-07T13:08:33.483808400Z"
+ "ingested": "2021-06-09T11:29:57.201177100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -414,7 +414,7 @@
 },
 "message": "equu: NetScreen device_id=sintoc [atae]system-medium-00203(tem): mestq lsa flood on interface eth82 has dropped a packet.",
 "event": {
- "ingested": "2021-06-07T13:08:33.483812900Z"
+ "ingested": "2021-06-09T11:29:57.201181100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -426,7 +426,7 @@
 },
 "message": "iqui: NetScreen device_id=tesseci [tat]system-high-00011(cive): The virtual router nse has been made unsharable",
 "event": {
- "ingested": "2021-06-07T13:08:33.483817300Z"
+ "ingested": "2021-06-09T11:29:57.201184700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -438,7 +438,7 @@
 },
 "message": "rroqui: NetScreen device_id=ursin [utemvel]system-medium-00002: ADMIN AUTH: Privilege requested for unknown user atu. Possible HA syncronization problem.",
 "event": {
- "ingested": "2021-06-07T13:08:33.483821600Z"
+ "ingested": "2021-06-09T11:29:57.201188200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -450,7 +450,7 @@
 },
 "message": "orumSe: NetScreen device_id=dolor [isiut]system-high-00206(emagn): OSPF instance with router-id emulla received a Hello packet flood from neighbor (IP address 10.219.1.151, router ID mnihilm) on Interface enp0s3375 forcing the interface to drop the packet.",
 "event": {
- "ingested": "2021-06-07T13:08:33.483825400Z"
+ "ingested": "2021-06-09T11:29:57.201191700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -462,7 +462,7 @@
 },
 "message": "eque: NetScreen device_id=eufug [est]system-medium-00075: The local device ntincul in the Virtual Security Device group reet tquo",
 "event": {
- "ingested": "2021-06-07T13:08:33.483829200Z"
+ "ingested": "2021-06-09T11:29:57.201195900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -474,7 +474,7 @@
 },
 "message": "imadmini: NetScreen device_id=ide [edq]system-medium-00026(tise): SSH: Attempt to unbind PKA key from admin user 'ntut' (Key ID emullam)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483832900Z"
+ "ingested": "2021-06-09T11:29:57.201199700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -486,7 +486,7 @@
 },
 "message": "ihilmole: NetScreen device_id=saquaea [ons]system-high-00048(quas): Route map entry with sequence number gia in route map binck-ospf in virtual router itatio was porinc (2017-8-22 23:52:50)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483837400Z"
+ "ingested": "2021-06-09T11:29:57.201203700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -498,7 +498,7 @@
 },
 "message": "orum: NetScreen device_id=oinBCSed [orem]system-medium-00050(ilm): Track IP enabled (2017-9-6 06:55:24)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483841800Z"
+ "ingested": "2021-06-09T11:29:57.201209400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -510,7 +510,7 @@
 },
 "message": "ncididun: NetScreen device_id=hen [periamea]system-medium-00555: Vrouter ali PIMSM cannot process non-multicast address 10.158.18.51",
 "event": {
- "ingested": "2021-06-07T13:08:33.483845900Z"
+ "ingested": "2021-06-09T11:29:57.201213300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -522,7 +522,7 @@
 },
 "message": "umwri: NetScreen device_id=odoc [atura]system-high-00030: SYSTEM CPU utilization is high (oreeu \u003e nvo ) iamqui times in tassita minute (2017-10-4 21:00:32)\u003c\u003ccolabori\u003e",
 "event": {
- "ingested": "2021-06-07T13:08:33.483852Z"
+ "ingested": "2021-06-09T11:29:57.201217Z"
 },
 "tags": [
 "preserve_original_event"
@@ -534,7 +534,7 @@
 },
 "message": "inc: NetScreen device_id=tect [uiad]system-low-00003: The console debug buffer has been roinBCSe",
 "event": {
- "ingested": "2021-06-07T13:08:33.483856100Z"
+ "ingested": "2021-06-09T11:29:57.201220400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -546,7 +546,7 @@
 },
 "message": "nseq: NetScreen device_id=borumSec [tatemseq]system-medium-00026(dmi): SCS has been tam for eth7686 .",
 "event": {
- "ingested": "2021-06-07T13:08:33.483860900Z"
+ "ingested": "2021-06-09T11:29:57.201224600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -558,7 +558,7 @@
 },
 "message": "uiineavo: NetScreen device_id=sistena [uidexeac]system-high-00620(amquisno): RTSYNC: Event posted to send all the DRP routes to backup device. (2017-11-16 18:08:15)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483864800Z"
+ "ingested": "2021-06-09T11:29:57.201228100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -570,7 +570,7 @@
 },
 "message": "sunt: NetScreen device_id=dquianon [urExc]system-high-00025(iamqui): PKI: The current device quide to save the certificate authority configuration.",
 "event": {
- "ingested": "2021-06-07T13:08:33.483868700Z"
+ "ingested": "2021-06-09T11:29:57.201231600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -582,7 +582,7 @@
 },
 "message": "etdol: NetScreen device_id=Sed [oremeumf]system-high-00076: The local device etur in the Virtual Security Device group fugiatn enima",
 "event": {
- "ingested": "2021-06-07T13:08:33.483872400Z"
+ "ingested": "2021-06-09T11:29:57.201234900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -594,7 +594,7 @@
 },
 "message": "giatquo: NetScreen device_id=lors [its]system-low-00524: SNMP request from an unknown SNMP community public at 10.46.217.155:76 has been received. (2017-12-29 15:15:58)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483876500Z"
+ "ingested": "2021-06-09T11:29:57.201238300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -606,7 +606,7 @@
 },
 "message": "magnaa: NetScreen device_id=sumquiad [No Name]system-high-00628: audit log queue Event Log is overwritten (2018-1-12 22:18:32)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483880400Z"
+ "ingested": "2021-06-09T11:29:57.201242Z"
 },
 "tags": [
 "preserve_original_event"
@@ -618,7 +618,7 @@
 },
 "message": "tnulapa: NetScreen device_id=madmi [No Name]system-high-00628(adeser): audit log queue Event Log is overwritten (2018-1-27 05:21:06)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483884Z"
+ "ingested": "2021-06-09T11:29:57.201245400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -630,7 +630,7 @@
 },
 "message": "laboree: NetScreen device_id=udantiu [itametco]system-high-00556(stiaecon): UF-MGR: usBono CPA server port changed to rumexe.",
 "event": {
- "ingested": "2021-06-07T13:08:33.483887600Z"
+ "ingested": "2021-06-09T11:29:57.201248800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -642,7 +642,7 @@
 },
 "message": "nturmag: NetScreen device_id=uredol [maliqua]system-medium-00058(mquia): PIMSM protocol configured on interface eth2266",
 "event": {
- "ingested": "2021-06-07T13:08:33.483891200Z"
+ "ingested": "2021-06-09T11:29:57.201252200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -654,7 +654,7 @@
 },
 "message": "ueporroq: NetScreen device_id=ute [No Name]system-low-00625: Session (id tationu src-ip 10.142.21.251 dst-ip 10.154.16.147 dst port 6881) route is valid. (2018-3-11 02:28:49)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483894800Z"
+ "ingested": "2021-06-09T11:29:57.201255800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -666,7 +666,7 @@
 },
 "message": "adipi: NetScreen device_id=mquis [ratvo]system-low-00042(isno): Replay packet detected on IPSec tunnel on enp0s1170 with tunnel ID nderiti! From 10.105.212.51 to 10.119.53.68/1783, giatqu (2018-3-25 09:31:24)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483898600Z"
+ "ingested": "2021-06-09T11:29:57.201259900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -678,7 +678,7 @@
 },
 "message": "emvel: NetScreen device_id=pta [dolo]system-medium-00057(eacommod): uamqu: static multicast route src=10.174.2.175, grp=aparia input ifp = lo6813 output ifp = enp0s90 added",
 "event": {
- "ingested": "2021-06-07T13:08:33.483902600Z"
+ "ingested": "2021-06-09T11:29:57.201263300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -690,7 +690,7 @@
 },
 "message": "giat: NetScreen device_id=ttenb [eirure]system-high-00549(rem): add-route-\u003e untrust-vr: exer",
 "event": {
- "ingested": "2021-06-07T13:08:33.483906200Z"
+ "ingested": "2021-06-09T11:29:57.201266800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -702,7 +702,7 @@
 },
 "message": "lapari: NetScreen device_id=rcitat [cinge]system-high-00536(luptate): IKE gateway eritqu has been elites. pariat",
 "event": {
- "ingested": "2021-06-07T13:08:33.483909800Z"
+ "ingested": "2021-06-09T11:29:57.201270100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -714,7 +714,7 @@
 },
 "message": "accus: NetScreen device_id=CSed [tiu]system-low-00049(upta): The router-id of virtual router \"asper\" used by OSPF, BGP routing instances id has been uninitialized. (dictasun)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483913400Z"
+ "ingested": "2021-06-09T11:29:57.201273700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -726,7 +726,7 @@
 },
 "message": "itanimi: NetScreen device_id=onoru [data]system-high-00064(eosqui): Can not create track-ip list",
 "event": {
- "ingested": "2021-06-07T13:08:33.483916900Z"
+ "ingested": "2021-06-09T11:29:57.201277300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -738,7 +738,7 @@
 },
 "message": "int: NetScreen device_id=ionevo [llitani]system-high-00541(itametco): The system killed OSPF neighbor because the current router could not see itself in the hello packet. Neighbor changed state from etcons to etco state, (neighbor router-id 1iuntN, ip-address 10.89.179.48). (2018-6-19 03:46:49)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483920600Z"
+ "ingested": "2021-06-09T11:29:57.201280700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -750,7 +750,7 @@
 },
 "message": "mmodicon: NetScreen device_id=eetdo [mquisno]system-low-00017(lup): mipsamv From 10.57.108.5:5523 using protocol icmp on interface enp0s4987. The attack occurred 2282 times",
 "event": {
- "ingested": "2021-06-07T13:08:33.483924800Z"
+ "ingested": "2021-06-09T11:29:57.201284100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -762,7 +762,7 @@
 },
 "message": "inimve: NetScreen device_id=aea [emipsumd]system-low-00263(ptat): Admin user saq has been accepted via the asiarch server at 10.197.10.110",
 "event": {
- "ingested": "2021-06-07T13:08:33.483928500Z"
+ "ingested": "2021-06-09T11:29:57.201290200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -774,7 +774,7 @@
 },
 "message": "tlab: NetScreen device_id=vel [ionevo]system-high-00622: NHRP : NHRP instance in virtual router ptate is created. (2018-8-1 00:54:32)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483932Z"
+ "ingested": "2021-06-09T11:29:57.201296Z"
 },
 "tags": [
 "preserve_original_event"
@@ -786,7 +786,7 @@
 },
 "message": "qui: NetScreen device_id=caboN [imipsam]system-high-00528(catcupid): SSH: Admin user 'ritquiin' at host 10.59.51.171 requested unsupported authentication method texplica",
 "event": {
- "ingested": "2021-06-07T13:08:33.483935500Z"
+ "ingested": "2021-06-09T11:29:57.201299400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -798,7 +798,7 @@
 },
 "message": "udexerci: NetScreen device_id=uae [imveni]system-medium-00071(ptatemse): NSRP: Unit itationu of VSD group setquas nbyCi",
 "event": {
- "ingested": "2021-06-07T13:08:33.483939100Z"
+ "ingested": "2021-06-09T11:29:57.201302700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -810,7 +810,7 @@
 },
 "message": "isno: NetScreen device_id=luptatev [occaeca]system-high-00018(urau): aeca Policy (oNem, itaedict ) was eroi from host 10.80.103.229 by admin fugitsed (2018-9-12 22:02:15)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483943800Z"
+ "ingested": "2021-06-09T11:29:57.201306300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -822,7 +822,7 @@
 },
 "message": "utlabore: NetScreen device_id=edquiano [mSecti]system-high-00207(tDuisaut): RIP database size limit exceeded for uel, RIP route dropped.",
 "event": {
- "ingested": "2021-06-07T13:08:33.483948100Z"
+ "ingested": "2021-06-09T11:29:57.201309700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -834,7 +834,7 @@
 },
 "message": "agn: NetScreen device_id=iqu [quamqua]system-high-00075: NSRP: Unit equeporr of VSD group amremap oremagna",
 "event": {
- "ingested": "2021-06-07T13:08:33.483951700Z"
+ "ingested": "2021-06-09T11:29:57.201313100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -846,7 +846,7 @@
 },
 "message": "ntium: NetScreen device_id=ide [quunturm]system-low-00040(isautem): High watermark for early aging has been changed to the default usan",
 "event": {
- "ingested": "2021-06-07T13:08:33.483955300Z"
+ "ingested": "2021-06-09T11:29:57.201316500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -858,7 +858,7 @@
 },
 "message": "catcu: NetScreen device_id=quame [tionemu]system-low-00524(eursi): SNMP host 10.163.9.35 cannot be removed from community uatDu because failure",
 "event": {
- "ingested": "2021-06-07T13:08:33.483959Z"
+ "ingested": "2021-06-09T11:29:57.201320700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -870,7 +870,7 @@
 },
 "message": "cteturad: NetScreen device_id=modi [No Name]system-low-00625(ecatcu): Session (id ntoccae src-ip 10.51.161.245 dst-ip 10.193.80.21 dst port 5657) route is valid. (2018-11-23 09:15:06)",
 "event": {
- "ingested": "2021-06-07T13:08:33.483963800Z"
+ "ingested": "2021-06-09T11:29:57.201324Z"
 },
 "tags": [
 "preserve_original_event"
@@ -882,7 +882,7 @@
 },
 "message": "chit: NetScreen device_id=iusmodit [lor]system-high-00524(adeserun): SNMP request has been received, but success",
 "event": {
- "ingested": "2021-06-07T13:08:33.483995600Z"
+ "ingested": "2021-06-09T11:29:57.201327400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -894,7 +894,7 @@
 },
 "message": "vento: NetScreen device_id=litsed [ciun]system-medium-00072: The local device inrepr in the Virtual Security Device group lla changed state",
 "event": {
- "ingested": "2021-06-07T13:08:33.484002200Z"
+ "ingested": "2021-06-09T11:29:57.201330900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -906,7 +906,7 @@
 },
 "message": "rissusci: NetScreen device_id=uaturQ [iusmod]system-medium-00533(mips): VIP server 10.41.222.7 is now responding",
 "event": {
- "ingested": "2021-06-07T13:08:33.484006700Z"
+ "ingested": "2021-06-09T11:29:57.201334400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -918,7 +918,7 @@
 },
 "message": "upta: NetScreen device_id=ivel [tmollita]system-low-00070(deFinib): NSRP: nsrp control channel change to lo4065",
 "event": {
- "ingested": "2021-06-07T13:08:33.484010800Z"
+ "ingested": "2021-06-09T11:29:57.201337900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -930,7 +930,7 @@
 },
 "message": "ommodic: NetScreen device_id=mmodic [essequam]system-low-00040(nihi): VPN 'xeaco' from 10.134.20.213 is eavolupt (2019-2-2 20:27:57)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484015Z"
+ "ingested": "2021-06-09T11:29:57.201341300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -942,7 +942,7 @@
 },
 "message": "ptasnul: NetScreen device_id=utaliqui [mcorpor]system-medium-00023(ostru): VIP/load balance server 10.110.144.189 cannot be contacted",
 "event": {
- "ingested": "2021-06-07T13:08:33.484018700Z"
+ "ingested": "2021-06-09T11:29:57.201344600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -954,7 +954,7 @@
 },
 "message": "luptatem: NetScreen device_id=ing [hen]system-medium-00034(umquid): SCS: SCS has been olabo for tasnu with conse existing PKA keys already bound to ruredolo SSH users.",
 "event": {
- "ingested": "2021-06-07T13:08:33.484022600Z"
+ "ingested": "2021-06-09T11:29:57.201348Z"
 },
 "tags": [
 "preserve_original_event"
@@ -966,7 +966,7 @@
 },
 "message": "iat: NetScreen device_id=orain [equaturQ]system-low-00554: SCAN-MGR: Attempted to load AV pattern file created quia after the AV subscription expired. (Exp: Exce)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484026900Z"
+ "ingested": "2021-06-09T11:29:57.201351500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -978,7 +978,7 @@
 },
 "message": "dese: NetScreen device_id=ptasn [liqui]system-low-00541: ScreenOS invol serial # Loremips: Asset recovery has been cidun",
 "event": {
- "ingested": "2021-06-07T13:08:33.484030500Z"
+ "ingested": "2021-06-09T11:29:57.201355Z"
 },
 "tags": [
 "preserve_original_event"
@@ -990,7 +990,7 @@
 },
 "message": "ole: NetScreen device_id=odi [tper]system-medium-00628(ectetur): audit log queue Event Log is overwritten (2019-4-15 07:40:49)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484034200Z"
+ "ingested": "2021-06-09T11:29:57.201358300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1002,7 +1002,7 @@
 },
 "message": "iadolo: NetScreen device_id=ecatcup [No Name]system-high-00628: audit log queue Traffic Log is overwritten (2019-4-29 14:43:23)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484037800Z"
+ "ingested": "2021-06-09T11:29:57.201361600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1014,7 +1014,7 @@
 },
 "message": "qui: NetScreen device_id=iaecon [dminima]system-high-00538(psaquaea): NACN failed to register to Policy Manager eabillo because of success",
 "event": {
- "ingested": "2021-06-07T13:08:33.484041500Z"
+ "ingested": "2021-06-09T11:29:57.201364800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1026,7 +1026,7 @@
 },
 "message": "eosqu: NetScreen device_id=reetdolo [umquam]system-low-00075(enderi): The local device labore in the Virtual Security Device group uasiarch changed state from iamquisn to inoperable. (2019-5-28 04:48:31)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484045200Z"
+ "ingested": "2021-06-09T11:29:57.201368300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1038,7 +1038,7 @@
 },
 "message": "veleumi: NetScreen device_id=volupt [equ]system-high-00535(ure): SCEP_FAILURE message has been received from the CA",
 "event": {
- "ingested": "2021-06-07T13:08:33.484049400Z"
+ "ingested": "2021-06-09T11:29:57.201371700Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1050,7 +1050,7 @@
 },
 "message": "reseo: NetScreen device_id=entoreve [rudexer]system-medium-00026(iruredol): IKE iad: Missing heartbeats have exceeded the threshold. All Phase 1 and 2 SAs have been removed",
 "event": {
- "ingested": "2021-06-07T13:08:33.484053Z"
+ "ingested": "2021-06-09T11:29:57.201375Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1062,7 +1062,7 @@
 },
 "message": "ptate: NetScreen device_id=oloreeu [imipsa]system-high-00038: OSPF routing instance in vrouter uame taevitae",
 "event": {
- "ingested": "2021-06-07T13:08:33.484056600Z"
+ "ingested": "2021-06-09T11:29:57.201378400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1074,7 +1074,7 @@
 },
 "message": "archi: NetScreen device_id=caboNe [ptate]system-high-00003(ius): Multiple authentication failures have been detected!",
 "event": {
- "ingested": "2021-06-07T13:08:33.484060200Z"
+ "ingested": "2021-06-09T11:29:57.201381500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1086,7 +1086,7 @@
 },
 "message": "remap: NetScreen device_id=ntium [veniamqu]system-high-00529: DNS entries have been refreshed by HA",
 "event": {
- "ingested": "2021-06-07T13:08:33.484063700Z"
+ "ingested": "2021-06-09T11:29:57.201384800Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1098,7 +1098,7 @@
 },
 "message": "llumdo: NetScreen device_id=tot [itquii]system-high-00625(erspici): Session (id oreeu src-ip 10.126.150.15 dst-ip 10.185.50.112 dst port 7180) route is invalid. (2019-8-21 23:03:57)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484070700Z"
+ "ingested": "2021-06-09T11:29:57.201388100Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1110,7 +1110,7 @@
 },
 "message": "quepo: NetScreen device_id=tDuisa [iscive]system-medium-00521: Can't connect to E-mail server 10.152.90.59",
 "event": {
- "ingested": "2021-06-07T13:08:33.484076Z"
+ "ingested": "2021-06-09T11:29:57.201391300Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1122,7 +1122,7 @@
 },
 "message": "lorem: NetScreen device_id=icons [hende]system-low-00077(usBonor): HA link disconnect. Begin to use second path of HA",
 "event": {
- "ingested": "2021-06-07T13:08:33.484079900Z"
+ "ingested": "2021-06-09T11:29:57.201394600Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1134,7 +1134,7 @@
 },
 "message": "preh: NetScreen device_id=dol [No Name]system-low-00625: Session (id gnamal src-ip 10.119.181.171 dst-ip 10.166.144.66 dst port 3051) route is invalid. (2019-10-3 20:11:40)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484083900Z"
+ "ingested": "2021-06-09T11:29:57.201397900Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1146,7 +1146,7 @@
 },
 "message": "avolup: NetScreen device_id=litse [archit]system-high-00041(untutlab): A route-map name in virtual router estqu has been removed",
 "event": {
- "ingested": "2021-06-07T13:08:33.484087700Z"
+ "ingested": "2021-06-09T11:29:57.201401200Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1158,7 +1158,7 @@
 },
 "message": "eddoeiu: NetScreen device_id=consect [eetdolo]system-medium-00038(remipsum): OSPF routing instance in vrouter ons emporin",
 "event": {
- "ingested": "2021-06-07T13:08:33.484091400Z"
+ "ingested": "2021-06-09T11:29:57.201404500Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1170,7 +1170,7 @@
 },
 "message": "texpl: NetScreen device_id=isquames [No Name]system-low-00021: DIP port-translation stickiness was atio by utla via ntm from host 10.96.165.147 to 10.96.218.99:277 (2019-11-15 17:19:22)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484095700Z"
+ "ingested": "2021-06-09T11:29:57.201408Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1182,7 +1182,7 @@
 },
 "message": "elaudant: NetScreen device_id=ratvolu [odte]system-medium-00021(eum): DIP port-translation stickiness was uidol by repr via idu from host 10.201.72.59 to 10.230.29.67:7478 (2019-11-30 00:21:57)",
 "event": {
- "ingested": "2021-06-07T13:08:33.484099400Z"
+ "ingested": "2021-06-09T11:29:57.201411400Z"
 },
 "tags": [
 "preserve_original_event"
@@ -1194,7 +1194,7 @@
 },
 "message": "toc: NetScreen device_id=rau [sciuntN]system-low-00602: PIMSM Error in initializing interface state change",
 "event": {
- "ingested": "2021-06-07T13:08:33.484103200Z"
+ "ingested": "2021-06-09T11:29:57.201414900Z"
 },
 "tags": [
 "preserve_original_event"
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
index bf99dc9693e..e74f5bfe0f5 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-atp.log-expected.json
@@ -92,7 +92,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:34.678556200Z",
+ "ingested": "2021-06-09T11:29:58.390603500Z",
 "original": "\u003c14\u003e1 2013-12-14T16:06:59.134Z pinarello RT_AAMW - SRX_AAMW_ACTION_LOG [junos@xxx.x.x.x.x.28 http-host=\"www.mytest.com\" file-category=\"executable\" action=\"BLOCK\" verdict-number=\"8\" verdict-source=”cloud/blacklist/whitelist” source-address=\"10.10.10.1\" source-port=\"57116\" destination-address=\"187.19.188.200\" destination-port=\"80\" protocol-id=\"6\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" policy-name=\"argon_policy\" username=\"user1\" session-id-32=\"50000002\" source-zone-name=\"untrust\" destination-zone-name=\"trust\"]",
 "kind": "alert",
 "module": "juniper",
@@ -155,7 +155,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:34.678574300Z",
+ "ingested": "2021-06-09T11:29:58.390639700Z",
 "original": "\u003c14\u003e1 2016-09-20T10:43:30.330-07:00 host-example RT_AAMW - AAMW_MALWARE_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" sample-sha256=\"ABC123\" client-ip=\"192.0.2.0\" verdict-number=\"9\" malware-info=\"Eicar:TestVirus\" username=\"admin\" hostname=\"host.example.com\"]",
 "kind": "alert",
 "module": "juniper",
@@ -218,7 +218,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:34.678579200Z",
+ "ingested": "2021-06-09T11:29:58.390643800Z",
 "original": "\u003c11\u003e1 2016-09-20T10:40:30.050-07:00 host-example RT_AAMW - AAMW_HOST_INFECTED_EVENT_LOG [junos@xxxx.1.1.x.x.xxx timestamp=\"Thu Jun 23 09:55:38 2016\" tenant-id=\"ABC123456\" client-ip=\"192.0.2.0\" hostname=\"host.example.com\" status=\"in_progress\" policy-name=\"default\" th=\"7\" state=\"added\" reason=\"malware\" message=\"malware analysis detected host downloaded a malicious_file with score 9, sha256 ABC123\"]",
 "kind": "alert",
 "module": "juniper",
@@ -323,7 +323,7 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-06-07T13:08:34.678583100Z",
+ "ingested": "2021-06-09T11:29:58.390647200Z",
 "original": "\u003c165\u003e1 2007-02-15T09:17:15.719Z aamw1 RT_AAMW - AAMW_ACTION_LOG [junos@2636.1.1.1.2.129 hostname=\"dummy_host\" file-category=\"executable\" verdict-number=\"10\" malware-info=\"Testfile\" action=\"PERMIT\" list-hit=\"N/A\" file-hash-lookup=\"FALSE\" source-address=\"1.1.1.1\" source-port=\"60148\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" policy-name=\"test-policy\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502156\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" sample-sha256=\"e038b5168d9209267058112d845341cae83d92b1d1af0a10b66830acb7529494\" file-name=\"dummy_file\" url=\"dummy_url\"]",
 "kind": "event",
 "module": "juniper",
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
index 0de1d5ea74f..8b84c669e64 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-flow.log-expected.json
@@ -80,7 +80,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353179500Z",
+ "ingested": "2021-06-09T11:29:59.077729500Z",
 "original": "\u003c14\u003e1 2019-11-14T09:37:51.184+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.134 source-address=\"10.0.0.1\" source-port=\"594\" destination-address=\"10.128.0.1\" destination-port=\"10400\" connection-tag=\"0\" service-name=\"icmp\" nat-source-address=\"10.0.0.1\" nat-source-port=\"594\" nat-destination-address=\"10.128.0.1\" nat-destination-port=\"10400\" nat-connection-tag=\"0\" src-nat-rule-type=\"N/A\" src-nat-rule-name=\"N/A\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"1\" policy-name=\"vpn_trust_permit-all\" source-zone-name=\"vpn\" destination-zone-name=\"trust\" session-id-32=\"6093\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"st0.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
@@ -165,7 +165,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353200900Z",
+ "ingested": "2021-06-09T11:29:59.077745700Z",
 "original": "\u003c14\u003e1 2019-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
@@ -273,7 +273,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353206200Z",
+ "ingested": "2021-06-09T11:29:59.077749500Z",
 "original": "\u003c14\u003e1 2014-05-01T08:26:51.179Z fw01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address=\"1.2.3.4\" source-port=\"56639\" destination-address=\"5.6.7.8\" destination-port=\"2003\" service-name=\"None\" protocol-id=\"6\" icmp-type=\"0\" policy-name=\"log-all-else\" source-zone-name=\"campus\" destination-zone-name=\"mngmt\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth6.0\" encrypted=\"No \"]",
 "kind": "event",
 "module": "juniper",
@@ -415,7 +415,7 @@
 "connection"
 ],
 "duration": 60000000000,
- "ingested": "2021-06-07T13:08:35.353210300Z",
+ "ingested": "2021-06-09T11:29:59.077752700Z",
 "action": "flow_close",
 "end": "2014-05-01T08:29:10.933Z",
 "category": [
@@ -521,7 +521,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353214700Z",
+ "ingested": "2021-06-09T11:29:59.077756Z",
 "original": "\u003c14\u003e1 2013-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.35 source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]",
 "kind": "event",
 "module": "juniper",
@@ -626,7 +626,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353218600Z",
+ "ingested": "2021-06-09T11:29:59.077758700Z",
 "original": "\u003c14\u003e1 2010-09-30T14:55:04.323+08:00 mrpp-srx550-dut01 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2626.192.0.2.1.40 source-address=\"192.0.2.1\" source-port=\"1\" destination-address=\"198.51.100.12\" destination-port=\"46384\" service-name=\"icmp\" nat-source-address=\"192.0.2.1\" nat-source-port=\"1\" nat-destination-address=\"18.51.100.12\" nat-destination-port=\"46384\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"policy1\" source-zone-name=\"trustZone\" destination-zone-name=\"untrustZone\" session-id-32=\"41\" packet-incoming-interface=\"ge-0/0/1.0\"]",
 "kind": "event",
 "module": "juniper",
@@ -752,7 +752,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-07T13:08:35.353222Z",
+ "ingested": "2021-06-09T11:29:59.077761300Z",
 "action": "flow_close",
 "end": "2010-09-30T06:55:07.188Z",
 "category": [
@@ -886,7 +886,7 @@
 "connection"
 ],
 "duration": 1000000000,
- "ingested": "2021-06-07T13:08:35.353225400Z",
+ "ingested": "2021-06-09T11:29:59.077763900Z",
 "action": "flow_close",
 "end": "2019-04-12T14:29:07.576Z",
 "category": [
@@ -995,7 +995,7 @@
 "connection"
 ],
 "duration": 16000000000,
- "ingested": "2021-06-07T13:08:35.353228800Z",
+ "ingested": "2021-06-09T11:29:59.077766600Z",
 "action": "flow_close",
 "end": "2019-04-13T14:33:22.576Z",
 "category": [
@@ -1140,7 +1140,7 @@
 "connection"
 ],
 "duration": 8000000000,
- "ingested": "2021-06-07T13:08:35.353232200Z",
+ "ingested": "2021-06-09T11:29:59.077769200Z",
 "action": "flow_close",
 "end": "2018-10-07T01:32:28.898Z",
 "category": [
@@ -1267,7 +1267,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-06-07T13:08:35.353235600Z",
+ "ingested": "2021-06-09T11:29:59.077771700Z",
 "action": "flow_close",
 "end": "2018-06-30T02:17:25.753Z",
 "category": [
@@ -1381,7 +1381,7 @@
 "connection"
 ],
 "duration": 1000000000,
- "ingested": "2021-06-07T13:08:35.353239300Z",
+ "ingested": "2021-06-09T11:29:59.077774400Z",
 "action": "flow_close",
 "end": "2015-09-25T14:19:54.846Z",
 "category": [
@@ -1501,7 +1501,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353242600Z",
+ "ingested": "2021-06-09T11:29:59.077777Z",
 "original": "\u003c14\u003e1 2013-01-19T15:18:17.040 SRX100HM RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.41 source-address=\"192.168.224.30\" source-port=\"3129\" destination-address=\"207.17.137.56\" destination-port=\"21\" service-name=\"junos-ftp\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" nat-source-address=\"173.167.224.7\" nat-source-port=\"14406\" nat-destination-address=\"207.17.137.56\" nat-destination-port=\"21\" src-nat-rule-name=\"1\" dst-nat-rule-name=\"None\" protocol-id=\"6\" policy-name=\"General-Outbound\" source-zone-name=\"LAN\" destination-zone-name=\"Danger\" session-id-32=\"5058\" username=\"N/A\" roles=\"N/A\" encrypted=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
@@ -1648,7 +1648,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-07T13:08:35.353246Z",
+ "ingested": "2021-06-09T11:29:59.077779500Z",
 "action": "flow_started",
 "end": "2013-01-19T15:18:17.040Z",
 "category": [
@@ -1790,7 +1790,7 @@
 "connection"
 ],
 "duration": 1000000000,
- "ingested": "2021-06-07T13:08:35.353249500Z",
+ "ingested": "2021-06-09T11:29:59.077782100Z",
 "action": "flow_close",
 "end": "2013-01-19T15:18:18.040Z",
 "category": [
@@ -1939,7 +1939,7 @@
 "connection"
 ],
 "duration": 60000000000,
- "ingested": "2021-06-07T13:08:35.353252900Z",
+ "ingested": "2021-06-09T11:29:59.077784600Z",
 "action": "flow_started",
 "end": "2013-01-19T15:19:18.040Z",
 "category": [
@@ -2071,7 +2071,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353256600Z",
+ "ingested": "2021-06-09T11:29:59.077787300Z",
 "original": "\u003c14\u003e1 2013-01-19T15:18:19.040 SRX100HM RT_FLOW - APPTRACK_SESSION_ROUTE_UPDATE [junos@2636.1.1.1.2.129 source-address=\"4.0.0.1\" source-port=\"33040\" destination-address=\"5.0.0.1\" destination-port=\"80\" service-name=\"junos-http\" application=\"HTTP\" nested-application=\"FACEBOOK-SOCIALRSS\" nat-source-address=\"4.0.0.1\" nat-source-port=\"33040\" nat-destination-address=\"5.0.0.1\" nat-destination-port=\"80\" src-nat-rule-name=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"6\" policy-name=\"permit-all\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"28\" username=\"user1\" roles=\"DEPT1\" encrypted=\"No\" profile-name=”pf1” rule-name=”facebook1” routing-instance=”instance1” destination-interface-name=”st0.0” apbr-rule-type=”default”]",
 "kind": "event",
 "module": "juniper",
@@ -2226,7 +2226,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-06-07T13:08:35.353260Z",
+ "ingested": "2021-06-09T11:29:59.077789900Z",
 "action": "flow_close",
 "end": "2013-01-19T15:18:23.040Z",
 "category": [
@@ -2332,7 +2332,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353263700Z",
+ "ingested": "2021-06-09T11:29:59.077792400Z",
 "original": "\u003c14\u003e1 2020-11-04T16:23:09.264Z cixi RT_FLOW - RT_FLOW_SESSION_CREATE_LS [junos@2636.1.1.1.2.35 source-address=\"50.0.0.100\" source-port=\"24065\" destination-address=\"30.0.0.100\" destination-port=\"768\" service-name=\"icmp\" nat-source-address=\"50.0.0.100\" nat-source-port=\"24065\" nat-destination-address=\"30.0.0.100\" nat-destination-port=\"768\" src-nat-rule-name=\"None\" dst-nat-rule-name=\"None\" protocol-id=\"1\" policy-name=\"alg-policy\" source-zone-name=\"untrust\" destination-zone-name=\"trust\" session-id-32=\"100000165\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"reth2.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\"]",
 "kind": "event",
 "module": "juniper",
@@ -2416,7 +2416,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353267Z",
+ "ingested": "2021-06-09T11:29:59.077794900Z",
 "original": "\u003c14\u003e1 2020-11-14T11:12:46.573+01:00 SRX-GW1 RT_FLOW - RT_FLOW_SESSION_DENY_LS [junos@2636.1.1.1.2.134 source-address=\"10.0.0.26\" source-port=\"37233\" destination-address=\"10.128.0.1\" destination-port=\"161\" connection-tag=\"0\" service-name=\"None\" protocol-id=\"17\" icmp-type=\"0\" policy-name=\"MgmtAccess-trust-cleanup\" source-zone-name=\"trust\" destination-zone-name=\"junos-host\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\".local..0\" encrypted=\"No\" reason=\"Denied by policy\" session-id-32=\"7087\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
@@ -2571,7 +2571,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-06-07T13:08:35.353270400Z",
+ "ingested": "2021-06-09T11:29:59.077797900Z",
 "action": "flow_close",
 "end": "2020-01-19T15:18:23.040Z",
 "category": [
@@ -2700,7 +2700,7 @@
 "connection"
 ],
 "duration": 60000000000,
- "ingested": "2021-06-07T13:08:35.353273900Z",
+ "ingested": "2021-06-09T11:29:59.077800900Z",
 "action": "flow_started",
 "end": "2020-07-14T14:18:11.928Z",
 "category": [
@@ -2839,7 +2839,7 @@
 "connection"
 ],
 "duration": 23755000000000,
- "ingested": "2021-06-07T13:08:35.353277200Z",
+ "ingested": "2021-06-09T11:29:59.077803500Z",
 "action": "flow_close",
 "end": "2020-07-13T23:19:00.041Z",
 "category": [
@@ -2947,7 +2947,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:35.353281200Z",
+ "ingested": "2021-06-09T11:29:59.077806300Z",
 "original": "\u003c14\u003e1 2020-07-13T16:12:05.530Z SRX100HM RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address=\"10.1.1.100\" source-port=\"49583\" destination-address=\"8.8.8.8\" destination-port=\"53\" connection-tag=\"0\" service-name=\"junos-dns-udp\" nat-source-address=\"172.19.34.100\" nat-source-port=\"30838\" nat-destination-address=\"8.8.8.8\" nat-destination-port=\"53\" nat-connection-tag=\"0\" src-nat-rule-type=\"source rule\" src-nat-rule-name=\"our-nat-rule\" dst-nat-rule-type=\"N/A\" dst-nat-rule-name=\"N/A\" protocol-id=\"17\" policy-name=\"default-permit\" source-zone-name=\"trust\" destination-zone-name=\"untrust\" session-id-32=\"15399\" username=\"N/A\" roles=\"N/A\" packet-incoming-interface=\"ge-0/0/1.0\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" encrypted=\"UNKNOWN\" application-category=\"N/A\" application-sub-category=\"N/A\" application-risk=\"1\" application-characteristics=\"N/A\" src-vrf-grp=\"N/A\" dst-vrf-grp=\"N/A\"]",
 "risk_score": 1.0,
 "kind": "event",
@@ -3085,7 +3085,7 @@
 "connection"
 ],
 "duration": 3000000000,
- "ingested": "2021-06-07T13:08:35.353284500Z",
+ "ingested": "2021-06-09T11:29:59.077809200Z",
 "action": "flow_close",
 "end": "2020-07-13T16:12:08.530Z",
 "category": [
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
index 9c6fa06bed2..c3cfd2f7ec0 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-idp.log-expected.json
@@ -120,7 +120,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-07T13:08:39.769798100Z",
+ "ingested": "2021-06-09T11:30:03.593354Z",
 "action": "security_threat",
 "end": "2020-03-02T23:13:03.193Z",
 "category": [
@@ -251,7 +251,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-07T13:08:39.769815700Z",
+ "ingested": "2021-06-09T11:30:03.593368500Z",
 "action": "security_threat",
 "end": "2020-03-02T23:13:03.197Z",
 "category": [
@@ -374,7 +374,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-07T13:08:39.769819500Z",
+ "ingested": "2021-06-09T11:30:03.593371900Z",
 "action": "security_threat",
 "end": "2007-02-15T09:17:15.719Z",
 "category": [
@@ -497,7 +497,7 @@
 "connection"
 ],
 "duration": 0,
- "ingested": "2021-06-07T13:08:39.769822500Z",
+ "ingested": "2021-06-09T11:30:03.593374700Z",
 "action": "security_threat",
 "end": "2017-10-12T21:55:55.792Z",
 "category": [
@@ -565,7 +565,7 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-06-07T13:08:39.769826100Z",
+ "ingested": "2021-06-09T11:30:03.593377100Z",
 "original": "\u003c165\u003e1 2011-10-23T02:06:26.544 SRX34001 RT_IDP - IDP_APPDDOS_APP_STATE_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319367986\" ddos-application-name=\"Webserver\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" rulebase-name=\"DDOS\" policy-name=\"A DoS-Webserver\" repeat-count=\"0\" message=\"Connection rate exceeded limit 60\" context-value=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
@@ -663,7 +663,7 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-06-07T13:08:39.769828900Z",
+ "ingested": "2021-06-09T11:30:03.593379500Z",
 "original": "\u003c165\u003e1 2011-10-23T16:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT [junos@2636.1.1.1.2.35 epoch-time=\"1319419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth1.O\" source-address=\"192.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.0\" destination-address=\"172.27.14.203\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
@@ -761,7 +761,7 @@
 },
 "event": {
 "severity": 165,
- "ingested": "2021-06-07T13:08:39.769831800Z",
+ "ingested": "2021-06-09T11:30:03.593381800Z",
 "original": "\u003c165\u003e1 2012-10-23T17:28:31.696 SRX34001 RT_IDP - IDP_APPDDOS_APP_ATTACK_EVENT_LS [junos@2636.1.1.1.2.35 epoch-time=\"1419419711\" ddos-application-name=\"Webserver\" source-zone-name=\"trust\" source-interface-name=\"reth3.0\" source-address=\"193.168.14.214\" source-port=\"50825\" destination-zone-name=\"untrust\" destination-interface-name=\"reth0.1\" destination-address=\"172.30.20.201\" destination-port=\"80\" protocol-name=\"TCP\" service-name=\"HTTP\" rule-name=\"1\" ruleebase-name=\"DDOS02\" policy-name=\"AppDoS-Webserver\" repeat-count=\"0\" action=\"NONE\" threat-severity=\"INFO\" connection-hit-rate=\"30\" context-name=\"http-get-url\" context-hit-rate=\"123\" context-value-hit-rate=\"0\" time-scope=\"PEER\" time-count=\"3\" time-period=\"60\" context-value=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
index 4c5762b420d..a6f11cdeef5 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-ids.log-expected.json
@@ -87,7 +87,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967672600Z",
+ "ingested": "2021-06-09T11:30:04.807005900Z",
 "original": "\u003c11\u003e1 2018-07-19T18:17:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name=\"TCP sweep!\" source-address=\"113.113.17.17\" source-port=\"6000\" destination-address=\"40.177.177.1\" destination-port=\"1433\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -160,7 +160,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967689600Z",
+ "ingested": "2021-06-09T11:30:04.807019900Z",
 "original": "\u003c11\u003e1 2018-07-19T18:18:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.36 attack-name=\"WinNuke attack!\" source-address=\"2000:0000:0000:0000:0000:0000:0000:0002\" source-port=\"3240\" destination-address=\"2001:0000:0000:0000:0000:0000:0000:0002\" destination-port=\"139\" source-zone-name=\"untrust\" interface-name=\"fe-0/0/2.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -263,7 +263,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967693500Z",
+ "ingested": "2021-06-09T11:30:04.807023100Z",
 "original": "\u003c11\u003e1 2018-07-19T18:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"1.1.1.2\" source-port=\"40001\" destination-address=\"2.2.2.2\" destination-port=\"50010\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -366,7 +366,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967696800Z",
+ "ingested": "2021-06-09T11:30:04.807025700Z",
 "original": "\u003c11\u003e1 2018-07-19T18:22:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.40 attack-name=\"UDP flood!\" source-address=\"111.1.1.3\" source-port=\"40001\" destination-address=\"3.4.2.2\" destination-port=\"53\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -465,7 +465,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967700100Z",
+ "ingested": "2021-06-09T11:30:04.807028Z",
 "original": "\u003c11\u003e1 2018-07-19T18:25:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_ICMP [junos@2636.1.1.1.2.40 attack-name=\"ICMP fragment!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -567,7 +567,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967702700Z",
+ "ingested": "2021-06-09T11:30:04.807030200Z",
 "original": "\u003c11\u003e1 2018-07-19T18:26:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Record Route IP option!\" source-address=\"111.1.1.3\" destination-address=\"3.4.2.2\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -638,7 +638,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967705400Z",
+ "ingested": "2021-06-09T11:30:04.807032400Z",
 "original": "\u003c11\u003e1 2018-07-19T18:27:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 6in6!\" source-address=\"1212::12\" destination-address=\"1111::11\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -734,7 +734,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967708600Z",
+ "ingested": "2021-06-09T11:30:04.807034600Z",
 "original": "\u003c11\u003e1 2018-07-19T18:28:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.40 attack-name=\"Tunnel GRE 4in4!\" source-address=\"12.12.12.1\" destination-address=\"11.11.11.1\" protocol-id=\"1\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -811,7 +811,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967711100Z",
+ "ingested": "2021-06-09T11:30:04.807036900Z",
 "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_DST_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" destination-address=\"2.2.2.2\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -891,7 +891,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967713500Z",
+ "ingested": "2021-06-09T11:30:04.807039200Z",
 "original": "\u003c11\u003e1 2018-07-19T19:19:02.309-05:00 rtr199 RT_IDS - RT_SCREEN_TCP_SRC_IP [junos@2636.1.1.1.2.40 attack-name=\"SYN flood!\" source-address=\"111.1.1.3\" source-zone-name=\"trustZone\" interface-name=\"ge-0/0/1.0\" action=\"alarm-without-drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -964,7 +964,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967716Z",
+ "ingested": "2021-06-09T11:30:04.807041300Z",
 "original": "\u003c11\u003e1 2020-07-17T09:54:43.912+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"TCP port scan!\" source-address=\"10.1.1.100\" source-port=\"50630\" destination-address=\"10.1.1.1\" destination-port=\"10778\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
@@ -1037,7 +1037,7 @@
 },
 "event": {
 "severity": 11,
- "ingested": "2021-06-07T13:08:40.967718800Z",
+ "ingested": "2021-06-09T11:30:04.807073600Z",
 "original": "\u003c11\u003e1 2020-07-17T10:01:43.006+02:00 rtr199 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.129 attack-name=\"FIN but no ACK bit!\" source-address=\"10.1.1.100\" source-port=\"42799\" destination-address=\"10.1.1.1\" destination-port=\"7\" source-zone-name=\"trust\" interface-name=\"ge-0/0/1.0\" action=\"drop\"]",
 "kind": "alert",
 "module": "juniper",
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
index 2edca360067..4e396f29b1b 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-secintel.log-expected.json
@@ -80,7 +80,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:42.350489400Z",
+ "ingested": "2021-06-09T11:30:06.189564600Z",
 "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"Blacklist\" action=\"BLOCK\" action-detail=\"DROP\" http-host=\"N/A\" threat-severity=\"0\" source-address=\"5.196.121.161\" source-port=\"1\" destination-address=\"10.10.0.10\" destination-port=\"24039\" protocol-id=\"1\" application=\"N/A\" nested-application=\"N/A\" feed-name=\"Tor_Exit_Nodes\" policy-name=\"cc_policy\" profile-name=\"Blacklist\" username=\"N/A\" roles=\"N/A\" session-id-32=\"572564\" source-zone-name=\"Outside\" destination-zone-name=\"DMZ\"]",
 "kind": "alert",
 "module": "juniper",
@@ -186,7 +186,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:42.350504300Z",
+ "ingested": "2021-06-09T11:30:06.189575800Z",
 "original": "\u003c14\u003e1 2016-10-17T15:18:11.618Z SRX-1500 RT_SECINTEL - SECINTEL_ACTION_LOG [junos@2636.1.1.1.2.129 category=\"secintel\" sub-category=\"CC\" action=\"BLOCK\" action-detail=\"CLOSE REDIRECT MSG\" http-host=\"dummy_host\" threat-severity=\"10\" source-address=\"1.1.1.1\" source-port=\"36612\" destination-address=\"10.0.0.1\" destination-port=\"80\" protocol-id=\"6\" application=\"HTTP\" nested-application=\"N/A\" feed-name=\"cc_url_data\" policy-name=\"test\" profile-name=\"test-profile\" username=\"N/A\" roles=\"N/A\" session-id-32=\"502362\" source-zone-name=\"Inside\" destination-zone-name=\"Outside\" occur-count=\"0\"]",
 "kind": "alert",
 "module": "juniper",
diff --git a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json
index 7f930ee4ede..d3e00ae3537 100644
--- a/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json
+++ b/packages/juniper/data_stream/srx/_dev/test/pipeline/test-utm.log-expected.json
@@ -78,7 +78,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672829200Z",
+ "ingested": "2021-06-09T11:30:06.533936800Z",
 "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
@@ -173,7 +173,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672842900Z",
+ "ingested": "2021-06-09T11:30:06.533949700Z",
 "original": "\u003c12\u003e1 2016-02-18T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.86 source-address=\"10.10.10.50\" source-port=\"1402\" destination-address=\"216.200.241.66\" destination-port=\"80\" category=\"N/A\" reason=\"BY_OTHER\" profile=\"wf-profile\" url=\"www.checkpoint.com\" obj=\"/css/homepage2012.css\" username=\"user02\" roles=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
@@ -264,7 +264,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672846Z",
+ "ingested": "2021-06-09T11:30:06.533952400Z",
 "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT [junos@2636.1.1.1.2.40 source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]",
 "kind": "alert",
 "module": "juniper",
@@ -349,7 +349,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672873700Z",
+ "ingested": "2021-06-09T11:30:06.533967100Z",
 "original": "\u003c12\u003e1 2010-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_SCANNER_DROP_FILE_MT [junos@2636.1.1.1.2.40 source-address=\"74.125.155.147\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"33578\" filename=\"www.google.com/\" error-code=\"14\" error-message=\"scan engine is not ready\"]",
 "kind": "event",
 "module": "juniper",
@@ -414,7 +414,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672879800Z",
+ "ingested": "2021-06-09T11:30:06.533974500Z",
 "original": "\u003c12\u003e1 2010-01-29T10:59:59.660Z SRX650-1 RT_UTM - AV_HUGE_FILE_DROPPED_MT [junos@2636.1.1.1.2.40 source-address=\"10.2.1.101\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"51727\" filename=\"10.2.1.101/images/junos- srxsme-10.2-20100106.0-domestic.tgz\"]",
 "kind": "event",
 "module": "juniper",
@@ -480,7 +480,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:42.672894900Z",
+ "ingested": "2021-06-09T11:30:06.533979300Z",
 "original": "\u003c14\u003e1 2016-02-18T01:33:50.391Z utm-srx550-b RT_UTM - ANTISPAM_SPAM_DETECTED_MT [junos@2636.1.1.1.2.86 source-zone=\"trust\" destination-zone=\"untrust\" source-name=\"N/A\" source-address=\"10.10.10.1\" profile-name=\"antispam01\" action=\"drop\" reason=\"Match local blacklist\" username=\"user01\" roles=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
@@ -566,7 +566,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:42.672899600Z",
+ "ingested": "2021-06-09T11:30:06.533982Z",
 "original": "\u003c14\u003e1 2016-02-18T01:34:50.391Z utm-srx550-b RT_UTM - CONTENT_FILTERING_BLOCKED_MT [junos@2636.1.1.1.2.86 source-zone=\"untrust\" destination-zone=\"trust\" protocol=\"http\" source-address=\"192.0.2.3\" source-port=\"58071\" destination-address=\"198.51.100.2\" destination-port=\"80\" profile-name=\"content02\" action=\"drop\" reason=\"blocked due to file extension block list\" username=\"user01@testuser.com\" roles=\"N/A\" filename=\"test.cmd\"]",
 "kind": "alert",
 "module": "juniper",
@@ -662,7 +662,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672902600Z",
+ "ingested": "2021-06-09T11:30:06.533984200Z",
 "original": "\u003c12\u003e1 2016-02-19T01:32:50.391Z utm-srx550-b RT_UTM - WEBFILTER_URL_BLOCKED_LS [junos@2636.1.1.1.2.86 source-address=\"192.168.1.100\" source-port=\"58071\" destination-address=\"103.235.46.39\" destination-port=\"80\" category=\"cat1\" reason=\"BY_BLACK_LIST\" profile=\"uf1\" url=\"www.baidu.com\" obj=\"/\" username=\"user01\" roles=\"N/A\"]",
 "kind": "alert",
 "module": "juniper",
@@ -756,7 +756,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672905Z",
+ "ingested": "2021-06-09T11:30:06.533986300Z",
 "original": "\u003c12\u003e1 2011-02-08T08:29:28.565Z SRX650-1 RT_UTM - AV_VIRUS_DETECTED_MT_LS [junos@2636.1.1.1.2.40 source-address=\"188.40.238.250\" source-port=\"80\" destination-address=\"10.1.1.103\" destination-port=\"47095\" source-zone-name=\"untrust\" filename=\"www.eicar.org/download/eicar.com\" temporary-filename=\"www.eicar.org/download/eicar.com\" name=\"EICAR-Test-File\" url=\"EICAR-Test-File\"]",
 "kind": "alert",
 "module": "juniper",
@@ -853,7 +853,7 @@
 },
 "event": {
 "severity": 14,
- "ingested": "2021-06-07T13:08:42.672907800Z",
+ "ingested": "2021-06-09T11:30:06.533988500Z",
 "original": "\u003c14\u003e1 2020-07-14T14:16:18.345Z SRX650-1 RT_UTM - WEBFILTER_URL_PERMITTED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"58974\" destination-address=\"104.26.15.142\" destination-port=\"443\" session-id=\"16297\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Information_Technology\" reason=\"BY_SITE_REPUTATION_MODERATELY_SAFE\" profile=\"WCF1\" url=\"datawrapper.dwcdn.net\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"0\"]",
 "risk_score": 0.0,
 "kind": "event",
@@ -948,7 +948,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672910100Z",
+ "ingested": "2021-06-09T11:30:06.533990900Z",
 "original": "\u003c12\u003e1 2020-07-14T14:16:29.541Z SRX650-1 RT_UTM - WEBFILTER_URL_BLOCKED [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"10.1.1.100\" source-port=\"59075\" destination-address=\"85.114.159.93\" destination-port=\"443\" session-id=\"16490\" application=\"UNKNOWN\" nested-application=\"UNKNOWN\" category=\"Enhanced_Advertisements\" reason=\"BY_SITE_REPUTATION_SUSPICIOUS\" profile=\"WCF1\" url=\"dsp.adfarm1.adition.com\" obj=\"/\" username=\"N/A\" roles=\"N/A\" application-sub-category=\"N/A\" urlcategory-risk=\"3\"]",
 "risk_score": 3.0,
 "kind": "alert",
@@ -1042,7 +1042,7 @@
 },
 "event": {
 "severity": 12,
- "ingested": "2021-06-07T13:08:42.672912600Z",
+ "ingested": "2021-06-09T11:30:06.533993700Z",
 "original": "\u003c12\u003e1 2020-07-14T14:17:04.733Z SRX650-1 RT_UTM - AV_FILE_NOT_SCANNED_DROPPED_MT [junos@2636.1.1.1.2.129 source-zone=\"trust\" destination-zone=\"untrust\" source-address=\"23.209.86.45\" source-port=\"80\" destination-address=\"10.1.1.100\" destination-port=\"58954\" profile-name=\"Custom-Sophos-Profile\" filename=\"download.cdn.mozilla.net/pub/firefox/releases/78.0.2/update/win64/de/firefox-78.0.2.complete.mar\" action=\"BLOCKED\" reason=\"exceeding maximum content size\" error-code=\"7\" username=\"N/A\" roles=\"N/A\"]",
 "kind": "event",
 "module": "juniper",
diff --git a/packages/juniper/manifest.yml b/packages/juniper/manifest.yml
index 0aa4abcc085..abb1271a8db 100644
--- a/packages/juniper/manifest.yml
+++ b/packages/juniper/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: juniper
 title: Juniper
-version: 1.0.0
+version: 0.6.0
 description: Juniper Integration
 categories: ["network", "security"]
 release: experimental
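Review bot: The package version in `packages/juniper/manifest.yml` moves backwards, from `version: 1.0.0` to `version: 0.6.0`, which a registry or an installation that already saw 1.0.0 will not treat as an update, so the new ECS mapping and `event.original` options in this patch would never reach those deployments. If 1.0.0 was never published and the lower number is intentional for this patch series, a sentence in the commit description saying so would save the next reviewer the same question; otherwise the version should go up, not down.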