diff --git a/packages/infoblox/changelog.yml b/packages/infoblox/changelog.yml
index 93cc130d53c..30cddb79b98 100644
--- a/packages/infoblox/changelog.yml
+++ b/packages/infoblox/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+  changes:
+    - description: update to ECS 1.10.0 and adding event.original options
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1056
 - version: "0.1.4"
   changes:
     - description: update to ECS 1.9.0
diff --git a/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-common-config.yml b/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  tags:
+    - preserve_original_event
diff --git a/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log b/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log
new file mode 100644
index 00000000000..642df296f5e
--- /dev/null
+++ b/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log
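Review bot: The `event.ingested: ".*"` pattern in the new test-common-config.yml matches any value, including an empty string, so the pipeline test never checks that the ingested timestamp is well-formed; a shape-constrained pattern such as `event.ingested: '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$'` would still tolerate the varying fractional digits seen in the expected output while catching a missing or malformed value (assuming the test runner applies this as a Go regular expression, as the other dynamic_fields entries in this repository appear to). Single quotes keep the backslashes literal, which a double-quoted YAML scalar would not. Separately, this config tags every test event with `preserve_original_event`, yet the generated expected output on this page carries only ecs.version, message, event.ingested and tags per event; if the pipeline change elsewhere in this commit sets event.original when that tag is present, the expected file should contain it, so it is worth confirming the expectations were regenerated against the updated pipeline.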
@@ -0,0 +1,100 @@ +January 29 06:09:59 doeiu3942.localdomain -:rc executing eporr start +February 12 13:12:33 tia7019.www.invalid :diskcheck quis +February 26 20:15:08 dolo1720.api.example 10.250.162.122 logger: com +March 12 03:17:42 ratio1111.localdomain -:diskcheck atio +March 26 10:20:16 tconsec5932.mail.domain shutdown[uam]: shutting down for system reboot +April 9 17:22:51 llu4762.mail.localdomain snmptrapd[scivel]: NET-SNMP version 1.5695 aperi +April 24 00:25:25 estqui6557.www.localhost -:syslog-ng equuntu +May 08 07:27:59 mcolabor1656.www5.corp netauto_discovery[giatq]: quid:fug(uatDuis)10.68.114.91/veri: SNMP Credentials: Failed to authenticate +May 22 14:30:33 exercit4665.internal.domain -:scheduled_ftp_backups Scheduled backup to the eetd was successful - Backup file eip +June 5 21:33:08 iutal13.api.localdomain python[eacomm]: Utenimad: nibusBon.ehend [ueipsaqu]: Populated uidolore niamqu222.localdomain DnsView=tevelit +June 20 04:35:42 boree6686.www5.host ntpd[iinea]: ipit +July 4 11:38:16 itlabori2344.mail.invalid -:openvpn-member OpenVPN 1.4105 [icmp] [aper] essequ +July 18 18:40:50 tessec3539.home nsect: rc6 ntutl +August 2 01:43:25 siuta2896.www.localhost -:ntpd ntpd exiting on signal 2946 +August 16 08:45:59 strude910.internal.local pidof[ittenbyC]: can't read sid from aperi +August 30 15:48:33 lores1409.www.home :sSMTP etc +September 13 22:51:07 nimadmin1493.www5.example rc3[lpa]: entsu +September 28 05:53:42 mqui4683.www.localhost tasuntex: kernel sunt +October 12 12:56:16 incidi2966.www.test controld[olupt]: Distribution Complete +October 26 19:58:50 ugiatnu5252.internal.localdomain -:syslog erc +November 10 03:01:24 aperia4409.www5.invalid :controld Distribution Started +November 24 10:03:59 emagnama4259.example 10.206.136.206 dhcpd: Average suntinc dynamic DNS update latency: success micro seconds +December 8 17:06:33 isno2228.home nnu: smart_check_io dolo +December 23 00:09:07 amvolup7700.www5.corp 10.19.194.101 rsyncd: rsync on orinrepr 
from conse2991.internal.lan (10.116.104.101) +January 6 07:11:41 tat7551.internal.local rc6[itinvo]: mdolore +January 20 14:14:16 siarchi2289.mail.lan debug_mount[olupta]: mount mipsumd +February 3 21:16:50 remi2114.local ionevo: ntpd ntpd exiting on signal 3219 +February 18 04:19:24 dolor2707.api.localhost httpd[commod]: 2017-2-18 4:19:24.adol [doloremi]: Login_Denied - - to=luptasn ip=10.153.111.103 info=itquiin +March 4 11:21:59 que651.www5.host init[etconse]: tincu +Mar 18 18:24:33 asun1250.api.localdomain DIS[oluptate]: onseq:serunt: Deviceaquaeabi/10.171.157.74login failurefailure +April 2 01:27:07 ento4488.www5.localhost :rc6 eriamea +April 16 08:29:41 pisciv7108.lan 10.140.136.44 named: client 10.31.14.36#2285/key dhcp_updater_default: signer "vitaedi" approved +April 30 15:32:16 veniamq1608.www.localdomain colab: diskcheck ommodico +May 14 22:34:50 tin183.api.corp netauto_discovery[sperna]: eabilloi:estia(tper)10.163.5.243/osqui: SNMP Credentials: Failed to authenticate +May 29 05:37:24 fdeFi1123.api.domain INFOBLOX-Grid[etdol]: Started distribution on member with IP address 10.177.36.38 +June 12 12:39:58 aevit37.www5.test ati: kernel Linux version 1.6668 (gel) (lorsitam) mpo +June 26 19:42:33 aliquam1364.api.corp -:syslog eratv +July 11 02:45:07 uir1374.mail.domain -:smart_check_io quiratio +July 25 09:47:41 nse2256.www.localdomain equat: db_jnld Resolved conflict for replicated delete of TXT "derit" in zone "dexea" +August 8 16:50:15 lapar1024.www5.local intocc: sSMTP Unable to locate liqu2936.api.localdomain. 
+August 22 23:52:50 tDuisaut3296.www.invalid scheduled_ftp_backups[imvenia]: Scheduled backup to the spi was successful - Backup file stquido +September 6 06:55:24 upta3300.www.home 10.233.48.103 diskcheck: leumiur +September 20 13:57:58 vita2681.www5.local tobea: controld Distribution Complete +October 4 21:00:32 ersp3536.www5.lan 10.93.90.240 rsyncd: sent 1792 bytes received 7387 bytes total size tes +Oct 19 04:03:07 tnulapa7592.www.local DIS[eriti]: litessec: itas: Attempting discover-now for 10.251.106.205 on mporin, using session ID +November 2 11:05:41 roid6604.www.test -:syslog Nemoenim +November 16 18:08:15 nihil657.domain validate_dhcpd[rsitv]: iciade +December 1 01:10:49 ven660.api.lan amnih: watchdog cancel, pid = 3981 +December 15 08:13:24 atatn7364.internal.localdomain debug_mount[ofdeFin]: mount essequam +December 29 15:15:58 umqu301.internal.home init[inesci]: isnisi +January 12 22:18:32 riamea1540.www.host -:ntpd_initres ntpd exiting on signal 15 +January 27 05:21:06 siut5663.local piscinge: rcsysinit fsck from 1.271 +February 10 12:23:41 cinge7339.api.corp -:diskcheck vitaedi +February 24 19:26:15 dolore7072.www5.localhost ect: logger modocons +March 11 02:28:49 odoconse228.mail.localdomain -:syslog-ng veli +March 25 09:31:24 labo267.internal.localhost httpd[etdo]: 2018-3-25 9:31:24.par [lorin]: Login_Denied - - to=pitl ip=10.204.128.215 info=ama +Apr 8 16:33:58 roidents6540.internal.corp -:debug tametcon +April 22 23:36:32 miurerep1152.internal.domain pidof[utlab]: can't read sid from emUteni +May 07 06:39:06 inimve2352.lan :captured_dns_uploader mco +May 21 13:41:41 amcorp1275.www5.host netauto_core[liqua]: netautoctl:olo +Jun 04 20:44:15 fdeF593.internal.lan DIS[niamq]: lapariat: remagn: Attempting discover-now for 10.238.140.186 on tiaec, using session ID +June 19 03:46:49 upt4986.mail.corp ntpdate[idunt]: luptat +July 3 10:49:23 lillum7809.mail.local taedicta: logger ritt +July 17 17:51:58 tetur2694.mail.local ipi: openvpn-member OpenVPN 
1.7727 [ipv6-icmp] [uaeab] itinv +August 1 00:54:32 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi +August 15 07:57:06 atcupi2332.mail.localdomain -:INFOBLOX-Grid Upgrade to ore +August 29 14:59:40 luptatem6874.mail.test purge_scheduled_tasks[dat]: Scheduled tasks have been purged +September 12 22:02:15 tame4953.mail.localhost prehen: restarting ntutlabo +September 27 05:04:49 sequa1715.www5.domain sshd[eirure]: Accepted password for root from 10.210.113.252 port 4184 udp +October 11 12:07:23 tconsec5315.internal.example :kernel Linux version 1.341 (fugi) (labo) nostrud +October 25 19:09:57 cupi1867.www5.test :rcsysinit orroq +November 9 02:12:32 rcit2043.api.home 10.107.45.175 smart_check_io: ssecil +November 23 09:15:06 mes4801.internal.test 10.243.121.97 python: cancel: FQDN='illu4875.api.host', View='tatevel' +December 7 16:17:40 its7867.internal.invalid 10.44.115.94 debug_mount: mount isn +Dec 21 23:20:14 equ4808.www.localhost DIS[siuta]: urmagn:dquia: Devicetemporin/10.46.166.75login failuresuccess +Jan 05 06:22:49 idi7668.www5.test rum: captured_dns_uploader eataevi +January 19 13:25:23 iqu4614.www5.example 10.60.211.199 init: modocon +February 2 20:27:57 agnaaliq1829.mail.test :ntpd_initres ntpd exiting on signal 15 +February 17 03:30:32 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807 +March 3 10:33:06 mipsamvo4282.api.home reetdo: init oreveri +March 17 17:35:40 Except6889.www.corp -:rc3 umetMal +Apr 1 00:38:14 umq1309.api.test uae: debug mve +April 15 07:40:49 tatem4180.www.home 10.102.166.19 python: deny: FQDN='eritatis6343.api.local', View='mquisn' +April 29 14:43:23 quir7168.api.localdomain labore: syslog uela +May 13 21:45:57 iuntNequ7202.api.domain -:controld Distribution Complete +May 28 04:48:31 veniamq1236.invalid emo: radiusd itq +June 11 11:51:06 nderiti409.api.domain -:syslog Cic +June 25 18:53:40 tatem6156.www.local :dhcpd received shutdown -/-/ success +July 10 01:56:14 
uamnihil6127.api.domain 10.29.119.245 python: accept: 'olli3116.internal.example' in view 'rsp'. +Jul 24 08:58:48 roquisqu1205.api.domain netauto_core[nim]: utaliqu: Attempting CLI on devicersiwith interface not in table, ip10.118.155.14 +August 7 16:01:23 suntex5169.www.example phonehome[esci]: uov +August 21 23:03:57 fici5161.www5.example olup: debug_mount mount aco +September 5 06:06:31 orsi7617.www5.corp lorsita: shutdown shutting down for system reboot +September 19 13:09:05 osamnis4912.mail.host npr: radiusd etconsec +Oct 03 20:11:40 urExcept6809.www5.corp captured_dns_uploader[atcupida]: tessequa +Oct 18 03:14:14 icab3519.localdomain dhcpdv6[plicaboN]: Encapsulated Renew message from 2001:db8::b1f51444:f88dd359 port 2496 from client DUID acommo, transaction ID isi +November 1 10:16:48 abor4353.www5.host ame: python tesseq +November 15 17:19:22 olorem290.api.lan sshd[culpaqui]: deny: logout() unknown +November 30 00:21:57 ventore3612.www.home purge_scheduled_tasks[emp]: Scheduled tasks have been purged +Dec 14 07:24:31 uptatem4483.localhost tacacs_acct[inrepr]: mol: Server 10.111.52.69 port 6073: asperna diff --git a/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log-expected.json b/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log-expected.json new file mode 100644 index 00000000000..27bedb1a02b --- /dev/null +++ b/packages/infoblox/data_stream/nios/_dev/test/pipeline/test-generated.log-expected.json 
@@ -0,0 +1,1204 @@ +{ + "expected": [ + { + "ecs": { + "version": "1.10.0" + }, + "message": "January 29 06:09:59 doeiu3942.localdomain -:rc executing eporr start", + "event": { + "ingested": "2021-06-09T11:22:12.539379200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "February 12 13:12:33 tia7019.www.invalid :diskcheck quis", + "event": { + "ingested": "2021-06-09T11:22:12.539402700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "February 26 20:15:08 dolo1720.api.example 10.250.162.122 logger: com", + "event": { + "ingested": "2021-06-09T11:22:12.539410100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "March 12 03:17:42 ratio1111.localdomain -:diskcheck atio", + "event": { + "ingested": "2021-06-09T11:22:12.539418100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "March 26 10:20:16 tconsec5932.mail.domain shutdown[uam]: shutting down for system reboot", + "event": { + "ingested": "2021-06-09T11:22:12.539424200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "April 9 17:22:51 llu4762.mail.localdomain snmptrapd[scivel]: NET-SNMP version 1.5695 aperi", + "event": { + "ingested": "2021-06-09T11:22:12.539429600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "April 24 00:25:25 estqui6557.www.localhost -:syslog-ng equuntu", + "event": { + "ingested": "2021-06-09T11:22:12.539435200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 08 07:27:59 mcolabor1656.www5.corp netauto_discovery[giatq]: quid:fug(uatDuis)10.68.114.91/veri: SNMP Credentials: Failed to authenticate", + "event": { + "ingested": "2021-06-09T11:22:12.539440300Z" + 
}, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 22 14:30:33 exercit4665.internal.domain -:scheduled_ftp_backups Scheduled backup to the eetd was successful - Backup file eip", + "event": { + "ingested": "2021-06-09T11:22:12.539445200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "June 5 21:33:08 iutal13.api.localdomain python[eacomm]: Utenimad: nibusBon.ehend [ueipsaqu]: Populated uidolore niamqu222.localdomain DnsView=tevelit", + "event": { + "ingested": "2021-06-09T11:22:12.539450100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "June 20 04:35:42 boree6686.www5.host ntpd[iinea]: ipit", + "event": { + "ingested": "2021-06-09T11:22:12.539456300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "July 4 11:38:16 itlabori2344.mail.invalid -:openvpn-member OpenVPN 1.4105 [icmp] [aper] essequ", + "event": { + "ingested": "2021-06-09T11:22:12.539461500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "July 18 18:40:50 tessec3539.home nsect: rc6 ntutl", + "event": { + "ingested": "2021-06-09T11:22:12.539466400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "August 2 01:43:25 siuta2896.www.localhost -:ntpd ntpd exiting on signal 2946", + "event": { + "ingested": "2021-06-09T11:22:12.539471300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "August 16 08:45:59 strude910.internal.local pidof[ittenbyC]: can't read sid from aperi", + "event": { + "ingested": "2021-06-09T11:22:12.539476200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "August 30 15:48:33 lores1409.www.home 
:sSMTP etc", + "event": { + "ingested": "2021-06-09T11:22:12.539480900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "September 13 22:51:07 nimadmin1493.www5.example rc3[lpa]: entsu", + "event": { + "ingested": "2021-06-09T11:22:12.539485700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "September 28 05:53:42 mqui4683.www.localhost tasuntex: kernel sunt", + "event": { + "ingested": "2021-06-09T11:22:12.539490400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "October 12 12:56:16 incidi2966.www.test controld[olupt]: Distribution Complete", + "event": { + "ingested": "2021-06-09T11:22:12.539495200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "October 26 19:58:50 ugiatnu5252.internal.localdomain -:syslog erc", + "event": { + "ingested": "2021-06-09T11:22:12.539500300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "November 10 03:01:24 aperia4409.www5.invalid :controld Distribution Started", + "event": { + "ingested": "2021-06-09T11:22:12.539505400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "November 24 10:03:59 emagnama4259.example 10.206.136.206 dhcpd: Average suntinc dynamic DNS update latency: success micro seconds", + "event": { + "ingested": "2021-06-09T11:22:12.539510400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "December 8 17:06:33 isno2228.home nnu: smart_check_io dolo", + "event": { + "ingested": "2021-06-09T11:22:12.539515100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "December 23 00:09:07 amvolup7700.www5.corp 10.19.194.101 rsyncd: rsync 
on orinrepr from conse2991.internal.lan (10.116.104.101)", + "event": { + "ingested": "2021-06-09T11:22:12.539520700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "January 6 07:11:41 tat7551.internal.local rc6[itinvo]: mdolore", + "event": { + "ingested": "2021-06-09T11:22:12.539525900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "January 20 14:14:16 siarchi2289.mail.lan debug_mount[olupta]: mount mipsumd", + "event": { + "ingested": "2021-06-09T11:22:12.539530900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "February 3 21:16:50 remi2114.local ionevo: ntpd ntpd exiting on signal 3219", + "event": { + "ingested": "2021-06-09T11:22:12.539536Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "February 18 04:19:24 dolor2707.api.localhost httpd[commod]: 2017-2-18 4:19:24.adol [doloremi]: Login_Denied - - to=luptasn ip=10.153.111.103 info=itquiin", + "event": { + "ingested": "2021-06-09T11:22:12.539541700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "March 4 11:21:59 que651.www5.host init[etconse]: tincu", + "event": { + "ingested": "2021-06-09T11:22:12.539546700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Mar 18 18:24:33 asun1250.api.localdomain DIS[oluptate]: onseq:serunt: Deviceaquaeabi/10.171.157.74login failurefailure", + "event": { + "ingested": "2021-06-09T11:22:12.539551800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "April 2 01:27:07 ento4488.www5.localhost :rc6 eriamea", + "event": { + "ingested": "2021-06-09T11:22:12.539557300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": 
"1.10.0" + }, + "message": "April 16 08:29:41 pisciv7108.lan 10.140.136.44 named: client 10.31.14.36#2285/key dhcp_updater_default: signer \"vitaedi\" approved", + "event": { + "ingested": "2021-06-09T11:22:12.539562200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "April 30 15:32:16 veniamq1608.www.localdomain colab: diskcheck ommodico", + "event": { + "ingested": "2021-06-09T11:22:12.539566900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 14 22:34:50 tin183.api.corp netauto_discovery[sperna]: eabilloi:estia(tper)10.163.5.243/osqui: SNMP Credentials: Failed to authenticate", + "event": { + "ingested": "2021-06-09T11:22:12.539574Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 29 05:37:24 fdeFi1123.api.domain INFOBLOX-Grid[etdol]: Started distribution on member with IP address 10.177.36.38", + "event": { + "ingested": "2021-06-09T11:22:12.539579200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "June 12 12:39:58 aevit37.www5.test ati: kernel Linux version 1.6668 (gel) (lorsitam) mpo", + "event": { + "ingested": "2021-06-09T11:22:12.539584Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "June 26 19:42:33 aliquam1364.api.corp -:syslog eratv", + "event": { + "ingested": "2021-06-09T11:22:12.539588700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "July 11 02:45:07 uir1374.mail.domain -:smart_check_io quiratio", + "event": { + "ingested": "2021-06-09T11:22:12.539593300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "July 25 09:47:41 nse2256.www.localdomain equat: db_jnld Resolved conflict for replicated delete of TXT 
\"derit\" in zone \"dexea\"", + "event": { + "ingested": "2021-06-09T11:22:12.539598Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "August 8 16:50:15 lapar1024.www5.local intocc: sSMTP Unable to locate liqu2936.api.localdomain.", + "event": { + "ingested": "2021-06-09T11:22:12.539602800Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "August 22 23:52:50 tDuisaut3296.www.invalid scheduled_ftp_backups[imvenia]: Scheduled backup to the spi was successful - Backup file stquido", + "event": { + "ingested": "2021-06-09T11:22:12.539607400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "September 6 06:55:24 upta3300.www.home 10.233.48.103 diskcheck: leumiur", + "event": { + "ingested": "2021-06-09T11:22:12.539612Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "September 20 13:57:58 vita2681.www5.local tobea: controld Distribution Complete", + "event": { + "ingested": "2021-06-09T11:22:12.539616700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "October 4 21:00:32 ersp3536.www5.lan 10.93.90.240 rsyncd: sent 1792 bytes received 7387 bytes total size tes", + "event": { + "ingested": "2021-06-09T11:22:12.539621500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Oct 19 04:03:07 tnulapa7592.www.local DIS[eriti]: litessec: itas: Attempting discover-now for 10.251.106.205 on mporin, using session ID", + "event": { + "ingested": "2021-06-09T11:22:12.539626300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "November 2 11:05:41 roid6604.www.test -:syslog Nemoenim", + "event": { + "ingested": "2021-06-09T11:22:12.539631Z" + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "November 16 18:08:15 nihil657.domain validate_dhcpd[rsitv]: iciade", + "event": { + "ingested": "2021-06-09T11:22:12.539635900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "December 1 01:10:49 ven660.api.lan amnih: watchdog cancel, pid = 3981", + "event": { + "ingested": "2021-06-09T11:22:12.539640600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "December 15 08:13:24 atatn7364.internal.localdomain debug_mount[ofdeFin]: mount essequam", + "event": { + "ingested": "2021-06-09T11:22:12.539645400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "December 29 15:15:58 umqu301.internal.home init[inesci]: isnisi", + "event": { + "ingested": "2021-06-09T11:22:12.539662500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "January 12 22:18:32 riamea1540.www.host -:ntpd_initres ntpd exiting on signal 15", + "event": { + "ingested": "2021-06-09T11:22:12.539668900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "January 27 05:21:06 siut5663.local piscinge: rcsysinit fsck from 1.271", + "event": { + "ingested": "2021-06-09T11:22:12.539674300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "February 10 12:23:41 cinge7339.api.corp -:diskcheck vitaedi", + "event": { + "ingested": "2021-06-09T11:22:12.539679300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "February 24 19:26:15 dolore7072.www5.localhost ect: logger modocons", + "event": { + "ingested": "2021-06-09T11:22:12.539684100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + 
"version": "1.10.0" + }, + "message": "March 11 02:28:49 odoconse228.mail.localdomain -:syslog-ng veli", + "event": { + "ingested": "2021-06-09T11:22:12.539688900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "March 25 09:31:24 labo267.internal.localhost httpd[etdo]: 2018-3-25 9:31:24.par [lorin]: Login_Denied - - to=pitl ip=10.204.128.215 info=ama", + "event": { + "ingested": "2021-06-09T11:22:12.539693700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Apr 8 16:33:58 roidents6540.internal.corp -:debug tametcon", + "event": { + "ingested": "2021-06-09T11:22:12.539698300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "April 22 23:36:32 miurerep1152.internal.domain pidof[utlab]: can't read sid from emUteni", + "event": { + "ingested": "2021-06-09T11:22:12.539702600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 07 06:39:06 inimve2352.lan :captured_dns_uploader mco", + "event": { + "ingested": "2021-06-09T11:22:12.539707200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 21 13:41:41 amcorp1275.www5.host netauto_core[liqua]: netautoctl:olo", + "event": { + "ingested": "2021-06-09T11:22:12.539711900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jun 04 20:44:15 fdeF593.internal.lan DIS[niamq]: lapariat: remagn: Attempting discover-now for 10.238.140.186 on tiaec, using session ID", + "event": { + "ingested": "2021-06-09T11:22:12.539716700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "June 19 03:46:49 upt4986.mail.corp ntpdate[idunt]: luptat", + "event": { + "ingested": "2021-06-09T11:22:12.539721400Z" + }, + "tags": 
[ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "July 3 10:49:23 lillum7809.mail.local taedicta: logger ritt", + "event": { + "ingested": "2021-06-09T11:22:12.539726100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "July 17 17:51:58 tetur2694.mail.local ipi: openvpn-member OpenVPN 1.7727 [ipv6-icmp] [uaeab] itinv", + "event": { + "ingested": "2021-06-09T11:22:12.539730600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "August 1 00:54:32 utaliqu6138.mail.localhost nvolupt: pidof can't read sid from oremi", + "event": { + "ingested": "2021-06-09T11:22:12.539735200Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "August 15 07:57:06 atcupi2332.mail.localdomain -:INFOBLOX-Grid Upgrade to ore", + "event": { + "ingested": "2021-06-09T11:22:12.539739700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "August 29 14:59:40 luptatem6874.mail.test purge_scheduled_tasks[dat]: Scheduled tasks have been purged", + "event": { + "ingested": "2021-06-09T11:22:12.539744500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "September 12 22:02:15 tame4953.mail.localhost prehen: restarting ntutlabo", + "event": { + "ingested": "2021-06-09T11:22:12.539749700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "September 27 05:04:49 sequa1715.www5.domain sshd[eirure]: Accepted password for root from 10.210.113.252 port 4184 udp", + "event": { + "ingested": "2021-06-09T11:22:12.539754700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "October 11 12:07:23 tconsec5315.internal.example :kernel Linux version 1.341 
(fugi) (labo) nostrud", + "event": { + "ingested": "2021-06-09T11:22:12.539759600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "October 25 19:09:57 cupi1867.www5.test :rcsysinit orroq", + "event": { + "ingested": "2021-06-09T11:22:12.539764600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "November 9 02:12:32 rcit2043.api.home 10.107.45.175 smart_check_io: ssecil", + "event": { + "ingested": "2021-06-09T11:22:12.539769400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "November 23 09:15:06 mes4801.internal.test 10.243.121.97 python: cancel: FQDN='illu4875.api.host', View='tatevel'", + "event": { + "ingested": "2021-06-09T11:22:12.539774100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "December 7 16:17:40 its7867.internal.invalid 10.44.115.94 debug_mount: mount isn", + "event": { + "ingested": "2021-06-09T11:22:12.539778900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Dec 21 23:20:14 equ4808.www.localhost DIS[siuta]: urmagn:dquia: Devicetemporin/10.46.166.75login failuresuccess", + "event": { + "ingested": "2021-06-09T11:22:12.539784100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Jan 05 06:22:49 idi7668.www5.test rum: captured_dns_uploader eataevi", + "event": { + "ingested": "2021-06-09T11:22:12.539789300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "January 19 13:25:23 iqu4614.www5.example 10.60.211.199 init: modocon", + "event": { + "ingested": "2021-06-09T11:22:12.539794100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "February 2 20:27:57 
agnaaliq1829.mail.test :ntpd_initres ntpd exiting on signal 15", + "event": { + "ingested": "2021-06-09T11:22:12.539798500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "February 17 03:30:32 col3570.www.invalid tinvolup: sSMTP Sent mail for tsed (inv) uid=rroq username=rcit outbytes=2807", + "event": { + "ingested": "2021-06-09T11:22:12.539803600Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "March 3 10:33:06 mipsamvo4282.api.home reetdo: init oreveri", + "event": { + "ingested": "2021-06-09T11:22:12.539808300Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "March 17 17:35:40 Except6889.www.corp -:rc3 umetMal", + "event": { + "ingested": "2021-06-09T11:22:12.539813100Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "Apr 1 00:38:14 umq1309.api.test uae: debug mve", + "event": { + "ingested": "2021-06-09T11:22:12.539817900Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "April 15 07:40:49 tatem4180.www.home 10.102.166.19 python: deny: FQDN='eritatis6343.api.local', View='mquisn'", + "event": { + "ingested": "2021-06-09T11:22:12.539822700Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "April 29 14:43:23 quir7168.api.localdomain labore: syslog uela", + "event": { + "ingested": "2021-06-09T11:22:12.539827500Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 13 21:45:57 iuntNequ7202.api.domain -:controld Distribution Complete", + "event": { + "ingested": "2021-06-09T11:22:12.539832400Z" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "1.10.0" + }, + "message": "May 28 04:48:31 veniamq1236.invalid 
emo: radiusd itq",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539838300Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "June 11 11:51:06 nderiti409.api.domain -:syslog Cic",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539843200Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "June 25 18:53:40 tatem6156.www.local :dhcpd received shutdown -/-/ success",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539852100Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "July 10 01:56:14 uamnihil6127.api.domain 10.29.119.245 python: accept: 'olli3116.internal.example' in view 'rsp'.",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539857100Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Jul 24 08:58:48 roquisqu1205.api.domain netauto_core[nim]: utaliqu: Attempting CLI on devicersiwith interface not in table, ip10.118.155.14",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539862200Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "August 7 16:01:23 suntex5169.www.example phonehome[esci]: uov",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539867200Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "August 21 23:03:57 fici5161.www5.example olup: debug_mount mount aco",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539871900Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "September 5 06:06:31 orsi7617.www5.corp lorsita: shutdown shutting down for system reboot",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539876500Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": 
"September 19 13:09:05 osamnis4912.mail.host npr: radiusd etconsec",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539881Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Oct 03 20:11:40 urExcept6809.www5.corp captured_dns_uploader[atcupida]: tessequa",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539885700Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Oct 18 03:14:14 icab3519.localdomain dhcpdv6[plicaboN]: Encapsulated Renew message from 2001:db8::b1f51444:f88dd359 port 2496 from client DUID acommo, transaction ID isi",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539890100Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "November 1 10:16:48 abor4353.www5.host ame: python tesseq",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539894600Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "November 15 17:19:22 olorem290.api.lan sshd[culpaqui]: deny: logout() unknown",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539899200Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "November 30 00:21:57 ventore3612.www.home purge_scheduled_tasks[emp]: Scheduled tasks have been purged",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539903900Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.10.0"
+ },
+ "message": "Dec 14 07:24:31 uptatem4483.localhost tacacs_acct[inrepr]: mol: Server 10.111.52.69 port 6073: asperna",
+ "event": {
+ "ingested": "2021-06-09T11:22:12.539908800Z"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/infoblox/data_stream/nios/agent/stream/stream.yml.hbs b/packages/infoblox/data_stream/nios/agent/stream/stream.yml.hbs
index 5072e72f9e9..dc90119376a 100644
--- a/packages/infoblox/data_stream/nios/agent/stream/stream.yml.hbs
+++ b/packages/infoblox/data_stream/nios/agent/stream/stream.yml.hbs
@@ -4,8 +4,11 @@ paths:
{{/each}}
exclude_files: [".gz$"]
tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
{{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
{{/each}}
fields_under_root: true
fields:
@@ -18,6 +21,9 @@ publisher_pipeline.disable_host: true
{{/contains}}
processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
- script:
lang: javascript
params:
@@ -6283,8 +6289,4 @@ processors:
target_field: url.registered_domain
target_subdomain_field: url.subdomain
target_etld_field: url.top_level_domain
-- add_locale: ~
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
+- add_locale: ~
\ No newline at end of file
diff --git a/packages/infoblox/data_stream/nios/agent/stream/tcp.yml.hbs b/packages/infoblox/data_stream/nios/agent/stream/tcp.yml.hbs
index 73ebbbd4f1f..3ca6da9954b 100644
--- a/packages/infoblox/data_stream/nios/agent/stream/tcp.yml.hbs
+++ b/packages/infoblox/data_stream/nios/agent/stream/tcp.yml.hbs
@@ -1,8 +1,11 @@
tcp:
host: "{{tcp_host}}:{{tcp_port}}"
tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
{{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
{{/each}}
fields_under_root: true
fields:
@@ -15,6 +18,9 @@ publisher_pipeline.disable_host: true
{{/contains}}
processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
- script:
lang: javascript
params:
@@ -6280,8 +6286,4 @@ processors:
target_field: url.registered_domain
target_subdomain_field: url.subdomain
target_etld_field: url.top_level_domain
-- add_locale: ~
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
+- add_locale: ~
\ No newline at end of file
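Review bot: `{{processors}}` in the second hunk is rendered verbatim at column 0 directly under `processors:` and ahead of the package's own `- script:` parser, so the value only works if it is a YAML sequence of processor definitions at top-level indentation; a mapping or a differently indented block presumably yields an input config the agent cannot load, and nothing in the template documents that contract. Ordering matters too: because the user block runs first, a user processor that drops or rewrites `message` feeds the parsing script altered input, which the manifest text only alludes to. A Handlebars comment would pin both points for the next maintainer: `{{! user-supplied processors (manifest var "processors"): must be a YAML list, and must stay ahead of the parsing script below }}`. The identical blocks in tcp.yml.hbs and udp.yml.hbs deserve the same comment.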
diff --git a/packages/infoblox/data_stream/nios/agent/stream/udp.yml.hbs b/packages/infoblox/data_stream/nios/agent/stream/udp.yml.hbs
index d1c53a435f9..df45ca37312 100644
--- a/packages/infoblox/data_stream/nios/agent/stream/udp.yml.hbs
+++ b/packages/infoblox/data_stream/nios/agent/stream/udp.yml.hbs
@@ -1,8 +1,11 @@
udp:
host: "{{udp_host}}:{{udp_port}}"
tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
{{#each tags as |tag i|}}
- - {{tag}}
+ - {{tag}}
{{/each}}
fields_under_root: true
fields:
@@ -15,6 +18,9 @@ publisher_pipeline.disable_host: true
{{/contains}}
processors:
+{{#if processors}}
+{{processors}}
+{{/if}}
- script:
lang: javascript
params:
@@ -6280,8 +6286,4 @@ processors:
target_field: url.registered_domain
target_subdomain_field: url.subdomain
target_etld_field: url.top_level_domain
-- add_locale: ~
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.9.0
+- add_locale: ~
\ No newline at end of file
diff --git a/packages/infoblox/data_stream/nios/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox/data_stream/nios/elasticsearch/ingest_pipeline/default.yml
index 6c5490c8ce3..1e7292ce095 100644
--- a/packages/infoblox/data_stream/nios/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/infoblox/data_stream/nios/elasticsearch/ingest_pipeline/default.yml
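Review bot: The last hunk leaves udp.yml.hbs without a trailing newline (`\ No newline at end of file` follows only the new `+- add_locale: ~`, so the old side did end in one), and the same happens to stream.yml.hbs and tcp.yml.hbs in this commit. Restore the newline after `- add_locale: ~` so the rendered agent config ends cleanly and future edits to the last processor do not carry the marker. Moving the `ecs.version` stamp from the agent-side `add_fields` into the ingest pipeline is reasonable, but presumably any event that reaches an output without passing through the data stream's pipeline now has no `ecs.version` at all; if that is an accepted trade-off it is worth a sentence in the changelog entry.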
@@ -4,60 +4,68 @@ description: Pipeline for Infoblox NIOS
processors:
# ECS event.ingested
- set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
+ - set:
+ field: ecs.version
+ value: "1.10.0"
# User agent
- user_agent:
- field: user_agent.original
- ignore_missing: true
+ field: user_agent.original
+ ignore_missing: true
# IP Geolocation Lookup
- geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
- geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
# IP Autonomous System (AS) Lookup
- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
- rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
- rename:
- field: 
destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
- append:
- field: related.hosts
- value: '{{host.name}}'
- allow_duplicates: false
- if: ctx.host?.name != null && ctx.host?.name != ''
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx.host?.name != null && ctx.host?.name != ''
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
- append:
field: error.message
diff --git a/packages/infoblox/data_stream/nios/manifest.yml b/packages/infoblox/data_stream/nios/manifest.yml
index 98fc1e3c497..1a5481090af 100644
--- a/packages/infoblox/data_stream/nios/manifest.yml
+++ b/packages/infoblox/data_stream/nios/manifest.yml
@@ -54,6 +54,23 @@ streams:
required: false
show_user: false
default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
- input: tcp
title: Infoblox NIOS logs
description: Collect Infoblox NIOS logs
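Review bot: The new `remove` of `event.original` carries `ignore_failure: true` on top of `ignore_missing: true`; the latter already covers the field being absent, so the only thing `ignore_failure` adds is that an error while evaluating the `if` (for instance `tags` arriving as a value without a `contains` method) is swallowed and the raw event is kept even though the user did not opt in, with no trace in `error.message` from the pipeline-level `on_failure`. Dropping `ignore_failure: true` makes such a failure visible instead of silently widening retention. Note also that nothing in this pipeline populates `event.original`; presumably the agent-side script does, so the opt-out here relies on that contract, and a comment above the processor would record it: `# event.original is populated agent-side; drop it unless the preserve_original_event tag was requested`. The `on_failure` handler continues beyond the hunk.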
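Review bot: The `processors` description in the manifest hunk tells the user when the block runs but not what shape it must take; because the stream templates paste the value verbatim under `processors:`, anything other than a YAML list of processor definitions produces an unusable input config with no hint in the UI about why. Suggest appending to the description: `The value must be a YAML list of processor definitions; it is inserted ahead of the integration's own parsing script, so a processor that alters the message field changes what is parsed.` The `preserve_original_event` description could likewise note that the raw syslog line is stored unmodified — the sample data in this commit shows client IPs, hostnames and DHCP DUIDs in these messages — so retention and access policies for `event.original` should be considered before enabling it.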
@@ -106,6 +123,23 @@ streams:
required: false
show_user: false
default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
- input: logfile
enabled: false
title: Infoblox NIOS logs
@@ -152,3 +186,19 @@ streams:
required: false
show_user: false
default: false
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/infoblox/manifest.yml b/packages/infoblox/manifest.yml
index 38da813b723..280d9721094 100644
--- a/packages/infoblox/manifest.yml
+++ b/packages/infoblox/manifest.yml
@@ -1,7 +1,7 @@
format_version: 1.0.0
name: infoblox
title: Infoblox NIOS
-version: 0.1.4
+version: 0.2.0
description: Infoblox NIOS Integration
categories: ["network"]
release: experimental
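Review bot: The third copy of the `processors` variable uses `description: >-` while the two copies above it use `description: >` followed by an added blank line, so three otherwise identical definitions yield a description string that differs only by a trailing newline, and the same hunks add stray blank `+` lines before the next `- input:` entry. Pick one form for all three; `>-` is the tidier choice for a single-sentence description, so change the two earlier hunks to `description: >-` and drop their trailing blank line. This is purely stylistic and has no effect beyond the rendered description text.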