x-pack/filebeat/module/sophos/xg: fix kv field separation and add sup…
…port for timestamped log line (#29331)

This change also required updating the Cisco ASA module's test expected files
to bring timestamp handling during testing up to date.

(cherry picked from commit 0ea9581)
efd6 authored and mergify-bot committed Jan 4, 2022
1 parent f99aa9e commit 12cd829
Showing 30 changed files with 411 additions and 478 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -93,6 +93,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

- aws-s3: Stop trying to increase SQS message visibility after ReceiptHandleIsInvalid errors. {pull}29480[29480]
- Fix handling of IPv6 addresses in netflow flow events. {issue}19210[19210] {pull}29383[29383]
- Fix `sophos` KV splitting and syslog header handling {issue}24237[24237] {pull}29331[29331]
- Undo deletion of endpoint config from cloudtrail fileset in {pull}29415[29415]. {pull}29450[29450]

*Heartbeat*
10 changes: 10 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -143278,6 +143278,16 @@ type: keyword
The related XSS caught by the WAF


type: keyword

--

*`sophos.xg.ether_type`*::
+
--
The ethernet frame type


type: keyword

--
Expand Up @@ -181,12 +181,12 @@
"event.code": 609002,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T17:51:17.000-02:00",
"event.end": "2022-05-05T17:51:17.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00",
"event.severity": 7,
"event.start": "2021-05-05T19:51:17.000Z",
"event.start": "2022-05-05T19:51:17.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -701,12 +701,12 @@
"event.code": 609002,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T18:24:31.000-02:00",
"event.end": "2022-05-05T18:24:31.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00",
"event.severity": 7,
"event.start": "2021-05-05T20:24:31.000Z",
"event.start": "2022-05-05T20:24:31.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -849,13 +849,13 @@
"event.code": 302014,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T18:29:32.000-02:00",
"event.end": "2022-05-05T18:29:32.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I",
"event.reason": "TCP Reset-I",
"event.severity": 6,
"event.start": "2021-05-05T20:29:32.000Z",
"event.start": "2022-05-05T20:29:32.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -966,12 +966,12 @@
"event.code": 305012,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T18:29:32.000-02:00",
"event.end": "2022-05-05T18:29:32.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00",
"event.severity": 6,
"event.start": "2021-05-05T20:29:32.000Z",
"event.start": "2022-05-05T20:29:32.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -1175,12 +1175,12 @@
"event.code": 302016,
"event.dataset": "cisco.asa",
"event.duration": 124000000000,
"event.end": "2021-05-05T18:40:50.000-02:00",
"event.end": "2022-05-05T18:40:50.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585",
"event.severity": 2,
"event.start": "2021-05-05T20:38:46.000Z",
"event.start": "2022-05-05T20:38:46.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -1812,13 +1812,13 @@
"event.code": 302023,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T19:02:58.000-02:00",
"event.end": "2022-05-05T19:02:58.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner",
"event.reason": "Cluster flow with CLU closed on owner",
"event.severity": 6,
"event.start": "2021-05-05T21:02:58.000Z",
"event.start": "2022-05-05T21:02:58.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"
Expand Down Expand Up @@ -1868,13 +1868,13 @@
"event.code": 302023,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T19:02:58.000-02:00",
"event.end": "2022-05-05T19:02:58.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow",
"event.reason": "Forwarding or redirect flow removed to create director or backup flow",
"event.severity": 6,
"event.start": "2021-05-05T21:02:58.000Z",
"event.start": "2022-05-05T21:02:58.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"
Expand Down Expand Up @@ -2687,13 +2687,13 @@
"event.code": 302304,
"event.dataset": "cisco.asa",
"event.duration": 3602000000000,
"event.end": "2021-04-27T04:12:23.000-02:00",
"event.end": "2022-04-27T04:12:23.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.143/54242 to server.deflan:67.43.156.12/9101 duration 1:00:02 bytes 245 Connection timeout",
"event.reason": "Connection timeout",
"event.severity": 6,
"event.start": "2021-04-27T05:12:21.000Z",
"event.start": "2022-04-27T05:12:21.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -3228,13 +3228,13 @@
"event.code": 113019,
"event.dataset": "cisco.asa",
"event.duration": 1936000000000,
"event.end": "2021-04-27T02:03:03.000-02:00",
"event.end": "2022-04-27T02:03:03.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-113019: Group = 81.2.69.143, Username = 81.2.69.143, IP = 81.2.69.143, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested",
"event.reason": "User Requested",
"event.severity": 4,
"event.start": "2021-04-27T03:30:47.000Z",
"event.start": "2022-04-27T03:30:47.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"
