cisco_aironet: add ECS mapping for event.severity #11105

5 changes: 5 additions & 0 deletions packages/cisco_aironet/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.14.2"
changes:
- description: Fix the event.severity ECS field mapping.
type: bugfix
link: https://github.com/elastic/integrations/pull/11105
- version: "1.14.1"
changes:
- description: Fix the destination.port ECS field mapping.
Expand Up @@ -14,7 +14,7 @@
"original": "<132>WLC001: *Dot1x_NW_MsgTask_4: Sep 06 23:08:09.371: %LOG-4-Q_IND: [PA]dtl_net.c:3393 STA(Target MAC Address) [2c:6d:c1:f5:0c:80, 192.168.2.2] ARP (op ARP REQUEST) received with invalid SPA(Source IP Address) 169.254.161.111/TPA(Destination IP Address) 192.168.2.2",
"provider": "LOG",
"reason": "ARP (op ARP REQUEST) received with invalid SPA",
"severity": "4"
"severity": 4
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -56,7 +56,7 @@
"original": "<132>WLC001: *dtlArpTask: Sep 06 22:42:10.514: %DTL-4-ARP_ORPHANPKT_DETECTED: [PA]dtl_net.c:3174 STA(Target MAC Address) [66:7c:de:ef:d9:18, 0.0.0.0] ARP (op ARP REQUEST) received with invalid SPA(Source IP Address) 192.168.1.3/TPA(Destination IP Address) 192.168.2.2",
"provider": "DTL",
"reason": "ARP (op ARP REQUEST) received with invalid SPA",
"severity": "4"
"severity": 4
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -122,7 +122,7 @@
"action": "USER_NAME_DELETED",
"original": "<134>WLC001: *haSSOServiceTask0: Sep 06 21:53:55.930: %APF-6-USER_NAME_DELETED: [SS]apf_ms.c:8798 Username entry (WildDogOne) is deleted for mobile 28:6f:7f:f8:64:e0",
"provider": "APF",
"severity": "6"
"severity": 6
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -162,7 +162,7 @@
"action": "USER_NAME_CREATED",
"original": "<134>WLC001: *haSSOServiceTask0: Sep 06 21:46:20.390: %APF-6-USER_NAME_CREATED: [SS]apf_ms.c:8996 Username entry (WildDogOne) with length (4) created for mobile 28:6f:7f:f8:64:e0",
"provider": "APF",
"severity": "6"
"severity": 6
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -207,7 +207,7 @@
"action": "ENTRY_CREATED",
"original": "<134>WLC001: *sisfSwitcherTask: Aug 20 11:26:35.845: %SISF-6-ENTRY_CREATED: sisf_shim_utils.c:485 Entry created A=fe80::1e24:cdff:fe11:2f90 V=0 I=wired:1 P=0000 M=",
"provider": "SISF",
"severity": "6"
"severity": 6
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -249,7 +249,7 @@
"action": "ENTRY_DELETED",
"original": "<134>WLC001: *SISF BT Process: Aug 20 11:25:50.157: %SISF-6-ENTRY_DELETED: sisf_shim_utils.c:482 Entry deleted A=fe80::aee2:d3ff:feba:56a4 V=0 I=wired:1 P=0000 M=",
"provider": "SISF",
"severity": "6"
"severity": 6
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -292,7 +292,7 @@
"action": "ENTRY_CHANGED",
"original": "<134>WLC001: *SISF BT Process: Aug 22 16:55:06.121: %SISF-6-ENTRY_CHANGED: sisf_shim_utils.c:488 Entry changed A=fe80::72ee:50ff:fe56:9999 V=0 I=wireless:0 P=0005 M=70:ee:50:56:99:99",
"provider": "SISF",
"severity": "6"
"severity": 6
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -329,7 +329,7 @@
"action": "Q_IND",
"original": "<134>WLC001: *dtlArpTask: Sep 06 23:29:50.900: %LOG-6-Q_IND: [PA]apf_ms.c:8996 Username entry (E8-96-06-02-02-99) with length (253) created for mobile e8:96:06:02:02:99",
"provider": "LOG",
"severity": "6"
"severity": 6
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -374,7 +374,7 @@
"action": "Q_IND",
"original": "<134>WLC001: *SISF BT Process: Aug 22 07:10:46.332: %LOG-6-Q_IND: sisf_shim_utils.c:488 Entry changed A=fe80::48d:c1bc:6c01:6e85 V=0 I=wireless:0 P=0005 M=",
"provider": "LOG",
"severity": "6"
"severity": 6
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -429,7 +429,7 @@
"action": "AAA_AUTH_ADMIN_USER",
"original": "<133>WLC001: *emWeb: Aug 22 18:11:40.438: %AAA-5-AAA_AUTH_ADMIN_USER: aaa.c:3083 Authentication succeeded for admin user 'cisco' on 89.160.20.112",
"provider": "AAA",
"severity": "5"
"severity": 5
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -466,7 +466,7 @@
"action": "ADMIN_MODE_DISABLE",
"original": "<131>WLC001: *emWeb: Aug 22 18:14:03.172: %NIM-3-ADMIN_MODE_DISABLE: nim.c:1341 Port 3 Admin Mode is Disable!",
"provider": "NIM",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -517,7 +517,7 @@
"kind": "alert",
"original": "<132>WLC001: *idsTrackEventTask: Aug 22 18:14:24.672: %WPS-4-SIG_ALARM_OFF: sig_event.c:656 AP 28:6F:7F:F8:64:E0 : Alarm OFF, standard sig Deauth flood, track=per-Mac preced=9 hits=300 slot=0 channel=6",
"provider": "WPS",
"severity": "4"
"severity": 4
},
"host": {
"mac": "28-6F-7F-F8-64-E0",
Expand Down Expand Up @@ -556,7 +556,7 @@
"kind": "alert",
"original": "<132>WLC001: *idsTrackEventTask: Aug 22 18:14:24.672: %WPS-4-SIG_ALARM_OFF_CONT: sig_event.c:660 ...continue, source mac= 4A:B8:CB:63:1D:BD",
"provider": "WPS",
"severity": "4"
"severity": 4
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -594,7 +594,7 @@
"kind": "alert",
"original": "<132>WLC001: *spamApTask1: Aug 22 17:54:24.269: %LWAPP-4-SIG_INFO1: spam_lrad.c:56582 Signature information; AP 28:6f:7f:f8:64:e0, alarm ON, standard sig Deauth flood, track per-Macprecedence 9, hits 300, slot 0, channel 6, most offending MAC 4a:b8:cb:63:1d:bd",
"provider": "LWAPP",
"severity": "4"
"severity": 4
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -640,7 +640,7 @@
"action": "MAX_EAPOL_KEY_RETRANS",
"original": "<132>WLC001: *Dot1x_NW_MsgTask_4: Aug 21 22:15:34.710: %DOT1X-4-MAX_EAPOL_KEY_RETRANS: 1x_ptsm.c:550 Max EAPOL-key M3 retransmissions exceeded for client 80:7d:3a:9b:2f:fc",
"provider": "DOT1X",
"severity": "4"
"severity": 4
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -677,7 +677,7 @@
"action": "RRM_LOGMSG",
"original": "<131>WLC001: *RRM-DCLNT-5_0: Aug 21 20:12:58.040: %RRM-3-RRM_LOGMSG: rrmLrad.c:5135 RRM LOG: Client not found: CC:73:14:61:B0:8F",
"provider": "RRM",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -711,7 +711,7 @@
"action": "RRM_LOGMSG",
"original": "<131>WLC001: *apfMsConnTask_6: Aug 29 10:58:28.227: %RRM-3-RRM_LOGMSG: [PA]rrmLrad.c:5634 RRM LOG: Failed to lookup data rate for encoding 102237564, with channel width 20 on AP: de:fb:48:7c:4f:f7 (0)",
"provider": "RRM",
"severity": "3"
"severity": 3
},
"host": {
"mac": "DE-FB-48-7C-4F-F7",
Expand Down Expand Up @@ -750,7 +750,7 @@
"original": "<131>WLC001: *Dot1x_NW_MsgTask_0: Aug 29 10:46:48.939: %DOT1X-3-ABORT_AUTH: [PA]1x_bauth_sm.c:487 Authentication Aborted for client de:fb:48:7c:4f:f7 Abort Reason:DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM",
"provider": "DOT1X",
"reason": "DOT1X RESTARTED DUE TO EAPOL-START/CLIENT ROAM",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -794,7 +794,7 @@
"action": "Q_IND",
"original": "<131>WLC001: *Dot1x_NW_MsgTask_1: Aug 29 10:55:30.862: %LOG-3-Q_IND: [PA]1x_eapkey.c:3026 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client de:fb:48:7c:4f:f7[...It occurred 3 times.!]",
"provider": "LOG",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -831,7 +831,7 @@
"action": "Q_IND",
"original": "<131>WLC001: *Dot1x_NW_MsgTask_3: Aug 29 10:55:30.850: %LOG-3-Q_IND: [PA]1x_eapkey.c:458 Invalid replay counter from client de:fb:48:7c:4f:f7 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01[...It occurred 3 times.!]",
"provider": "LOG",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -875,7 +875,7 @@
"action": "INVALID_WPA_KEY_STATE",
"original": "<131>WLC001: *Dot1x_NW_MsgTask_3: Aug 29 10:55:38.289: %DOT1X-3-INVALID_WPA_KEY_STATE: [PA]1x_eapkey.c:3026 Received EAPOL-key message while in invalid state (4) - version 1, type 3, descriptor 2, client de:fb:48:7c:4f:f7",
"provider": "DOT1X",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -912,7 +912,7 @@
"action": "WPA_SEND_STATE_ERR",
"original": "<131>WLC001: *dot1xMsgTask: Aug 29 10:58:54.242: %DOT1X-3-WPA_SEND_STATE_ERR: [PA]1x_kxsm.c:1736 Unable to send EAPOL-key msg - invalid WPA state (0) - client de:fb:48:7c:4f:f7",
"provider": "DOT1X",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -949,7 +949,7 @@
"action": "INVALID_REPLAY_CTR",
"original": "<131>WLC001: *Dot1x_NW_MsgTask_7: Aug 29 10:58:19.828: %DOT1X-3-INVALID_REPLAY_CTR: [PA]1x_eapkey.c:458 Invalid replay counter from client de:fb:48:7c:4f:f7 - got 00 00 00 00 00 00 00 00, expected 00 00 00 00 00 00 00 01",
"provider": "DOT1X",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -983,7 +983,7 @@
"action": "REPLAY_ERR",
"original": "<131>WLC001: *spamApTask1: Aug 29 10:47:25.944: %LWAPP-3-REPLAY_ERR: [PA]spam_lrad.c:49337 The system has received replay error on slot 0, WLAN ID 1, count 1 from AP de:fb:48:7c:4f:f7",
"provider": "LWAPP",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1020,7 +1020,7 @@
"action": "CLIENT_NOT_FOUND",
"original": "<131>WLC001: *Dot1x_NW_MsgTask_2: Aug 29 10:52:56.103: %DOT1X-3-CLIENT_NOT_FOUND: [PA]dot1x_msg_task.c:1847 Unable to process 802.1X 1 msg - client de:fb:48:7c:4f:f7 not found Previous message occurred 2 times.",
"provider": "DOT1X",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1054,7 +1054,7 @@
"action": "SIG_ALARM_OFF",
"original": "<6>1216: AP:a0e0.af8a.5c20: *Aug 22 18:14:24.651: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:9 Channel:6",
"provider": "WIDS",
"severity": "6"
"severity": 6
},
"host": {
"mac": "A0-E0-AF-8A-5C-20"
Expand Down Expand Up @@ -1085,7 +1085,7 @@
"action": "INVALID_REQUEST",
"original": "<131>WLC001: *radiusTransportThread: Aug 29 10:58:58.000: %AAA-3-INVALID_REQUEST: [PA]radius_db.c:3923 Invalid AAA request. unknown",
"provider": "AAA",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1122,7 +1122,7 @@
"action": "AAA_AUTH_SEND_FAIL",
"original": "<131>WLC001: *Dot1x_NW_MsgTask_3: Aug 29 10:58:57.787: %DOT1X-3-AAA_AUTH_SEND_FAIL: [PA]1x_aaa.c:893 Unable to send AAA message for client de:fb:48:7c:4f:f7",
"provider": "DOT1X",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1156,7 +1156,7 @@
"action": "MLD_INVALID_IPV6_PKT",
"original": "<132>WLC001: *bcastReceiveTask: Aug 20 14:55:28.577: %BCAST-4-MLD_INVALID_IPV6_PKT: bcastMld.c:2594 Received IPV6 packet which is not a valid MLD packet",
"provider": "BCAST",
"severity": "4"
"severity": 4
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1190,7 +1190,7 @@
"action": "MOBILESTATION_NOT_FOUND",
"original": "<132>WLC001: *apfReceiveTask: Aug 22 10:24:20.959: %APF-4-MOBILESTATION_NOT_FOUND: apf_ms.c:8467 Could not find the mobile cc:73:14:61:b0:8f in internal database",
"provider": "APF",
"severity": "4"
"severity": 4
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1224,7 +1224,7 @@
"action": "CLIENT_ADDED_TO_RUN_STATE",
"original": "<190>201477: Jan 4 17:25:42.866: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 2 R0/0: wncd: Username entry (00-00-00-00-00-00) joined with ssid (System-110) for device with MAC: 0000.0000.0000",
"provider": "CLIENT_ORCH_LOG",
"severity": "6"
"severity": 6
},
"log": {
"level": "informational",
Expand Down Expand Up @@ -1252,7 +1252,7 @@
"action": "Q_IND",
"original": "<132>WLC001: *spamReceiveTask: Dec 17 19:59:10.223: %LOG-3-Q_IND: mm_aplist.c:734 Could not delete an AP from the AP list.",
"provider": "LOG",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1286,7 +1286,7 @@
"action": "Q_IND",
"original": "<132>WLC001: *spamApTask4: Jun 08 04:26:43.773: %LOG-3-Q_IND: spam_lrad.c:11366 Country code (CN ) not configured for AP 6c:99:89:b0:XX:XX[…It occurred 2 times.!]",
"provider": "LOG",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1320,7 +1320,7 @@
"action": "Q_IND",
"original": "<132>WLC001: *emWeb: Jan 22 11:42:50.501: %LOG-3-Q_IND: spam_lrad.c:52448 The system is unable to find WLAN 1 to be deleted; AP XX:XX:XX:XX:XX:XX[...It occurred 3 times.!]",
"provider": "LOG",
"severity": "3"
"severity": 3
},
"host": {
"name": "WLC001"
Expand Down Expand Up @@ -1354,7 +1354,7 @@
"action": "CCMP_REPLAY",
"original": "<4>6642: AP:abcd.9876.0123: *Jul 9 09:06:15.007: %DOT11-4-CCMP_REPLAY: Client 1234.efab.11ab had 1 AES-CCMP TSC replays",
"provider": "DOT11",
"severity": "4"
"severity": 4
},
"host": {
"mac": "AB-CD-98-76-01-23"
Expand All @@ -1377,4 +1377,4 @@
]
}
]
}
}
Expand Up @@ -36,8 +36,8 @@ processors:
field: _temp_.full_message
ignore_failure: true
patterns:
- "%{DATA:event.provider}-%{INT:event.severity}-%{DATA:event.action}: %{DATA}:%{INT} %{GREEDYDATA:message}"
- "%{DATA:event.provider}-%{INT:event.severity}-%{DATA:event.action}: %{GREEDYDATA:message}"
- "%{DATA:event.provider}-%{INT:event.severity:long}-%{DATA:event.action}: %{DATA}:%{INT} %{GREEDYDATA:message}"
- "%{DATA:event.provider}-%{INT:event.severity:long}-%{DATA:event.action}: %{GREEDYDATA:message}"
- grok:
field: _temp_.full_message
ignore_failure: true
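Review bot: The `:long` suffix is added only to the two patterns of this grok processor; the second grok on `_temp_.full_message` that starts at the bottom of the hunk has its patterns outside the hunk, and if any of them also captures `event.severity` without `:long`, events matched only by that fallback would still be indexed as a string against the long-typed ECS field this PR declares in fields/ecs.yml. Confirm every pattern that names `event.severity` carries the same suffix. The fixtures also show a derived `log.level` (e.g. `"informational"`); if that value is produced by a later processor comparing `event.severity` against quoted digits, those comparisons now need numeric literals to keep matching. A comment above `patterns:` such as `# severity comes from the %PROVIDER-SEV-ACTION mnemonic and is captured as long to match ECS event.severity` would make the intent visible to the next maintainer.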
2 changes: 2 additions & 0 deletions packages/cisco_aironet/data_stream/log/fields/ecs.yml
Expand Up @@ -54,3 +54,5 @@
name: threat.indicator.type
- external: ecs
name: observer.ingress.interface.id
- external: ecs
name: event.severity