Use Shorewall zone fields

elastic · May 21, 2019 · 5f84a65 · 5f84a65
1 parent b178dcf
commit 5f84a65
Show file tree

Hide file tree

Showing 4 changed files with 326 additions and 322 deletions.
diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml
@@ -21,30 +21,21 @@
               type: keyword
               description: >
                 Name of the output network interface
-        - name: action
-          type: group
-          description: >
-            Shorewal network log files
-          fields:
-            - name: one
-              type: keywork
-              description: >
-                Specifies the action to be taken if the connection request matches
-                the rule. target must be one of the following values (ACCEPT, ACCEPT+,
-                ACCEPT!, ADD, AUDIT, A_ACCEPT, A_ACCEPT+, A_ACCEPT!, A_DROP, A_DROP!,
-                A_REJECT, A_REJECT!, ?COMMENT, CONMARK, CONTINUE, CONTINUE!, COUNT, DEL,
-                DNAT, DNAT-, DROP, DROP!, HELPER, INLINE, IPTABLES, IP6TABLES, LOG, MACRO,
-                MARK, NFLOG, NFQUEUE, NONAT, QUEUE, QUEUE!, REJECT, REJECT!, REDIRECT,
-                REDIRECT-, TARPIT, ULOG. See http://shorewall.net/manpages/shorewall-rules.html
-            - name: two
-              type: keyword
-              description: >
-                Action two
         - name: frame_type
           type: keyword
           description: >
             This field is part of the MAC address in the log. It indicates whether
             the ethernet frame carried an IPv4 datagram or not.
+        - name: packet_action
+          type: keywork
+          description: >
+            Specifies the action to be taken if the connection request matches
+            the rule. target must be one of the following values (ACCEPT, ACCEPT+,
+            ACCEPT!, ADD, AUDIT, A_ACCEPT, A_ACCEPT+, A_ACCEPT!, A_DROP, A_DROP!,
+            A_REJECT, A_REJECT!, ?COMMENT, CONMARK, CONTINUE, CONTINUE!, COUNT, DEL,
+            DNAT, DNAT-, DROP, DROP!, HELPER, INLINE, IPTABLES, IP6TABLES, LOG, MACRO,
+            MARK, NFLOG, NFQUEUE, NONAT, QUEUE, QUEUE!, REJECT, REJECT!, REDIRECT,
+            REDIRECT-, TARPIT, ULOG. See http://shorewall.net/manpages/shorewall-rules.html
         - name: precedence
           type: keyword
           description: >
@@ -74,4 +65,17 @@
             The TCP Receive Window size. This may be scaled by bit-shifting left
             by a number of bits specified in the "Window Scale" TCP option.
             If the host supports ECN, then the TCP Receive Window size will also
-            be controlled by that.
+            be controlled by that.
+        - name: zone
+          type: group
+          description: >
+            Shorewal Zone fields
+          fields:
+            - name: device
+              type: keyword
+              description: >
+                Name of the device for the zone
+            - name: name
+              type: keywork
+              description: >
+                Name of the zone
diff --git a/x-pack/filebeat/module/shorewall/fields.go b/x-pack/filebeat/module/shorewall/fields.go
diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
@@ -5,7 +5,7 @@
             "grok": {
                 "field": "message",
                 "patterns": [
-                    "(%{SYSLOGTIMESTAMP:timestamp}).*(%{WORD:host.hostname}).*kernel:.*\\[(%{INT:shorewall.time1:int}).(%{INT:shorewall.time2:int})\\].*Shorewall:(%{USERNAME:network.name}):(%{WORD:shorewall.action.one}):(%{WORD:shorewall.action.two})=(%{USERNAME:shorewall.network.in}).*OUT=.*MAC=(%{MAC:destination.mac})?:(%{MAC:source.mac})?:(%{NOTSPACE:shorewall.frame_type})?.*SRC=(%{IPV4:source.ip})?.*DST=(%{IPV4:destination.ip})?.*LEN=(%{INT:network.packets:int})?.*TOS=(%{WORD:service.type})?.*PREC=(%{WORD:shorewall.precedence})?.*TTL=(%{INT:shorewall.ttl:int})?.*ID=(%{INT:event.id:int})?.*PROTO=(%{WORD:network.protocol})?.*SPT=(%{INT:source.port:int})?.*DPT=(%{INT:destination.port:int})?.*(WINDOW=(%{NUMBER:shorewall.window:int}))?.*(RES=(%{WORD:shorewall.res})?)?.*(SYN)?.*(URGP=(%{INT:shorewall.urgp:int})?)?"
+                    "(%{SYSLOGTIMESTAMP:timestamp}).*(%{WORD:host.hostname}).*kernel:.*\\[(%{INT:shorewall.time1:int}).(%{INT:shorewall.time2:int})\\].*Shorewall:(%{USERNAME:shorewall.zone.name}):(%{WORD:shorewall.packet_action}):(%{WORD:shorewall.zone.device})=(%{USERNAME:shorewall.network.in}).*OUT=.*MAC=(%{MAC:destination.mac})?:(%{MAC:source.mac})?:(%{NOTSPACE:shorewall.frame_type})?.*SRC=(%{IPV4:source.ip})?.*DST=(%{IPV4:destination.ip})?.*LEN=(%{INT:network.packets:int})?.*TOS=(%{WORD:service.type})?.*PREC=(%{WORD:shorewall.precedence})?.*TTL=(%{INT:shorewall.ttl:int})?.*ID=(%{INT:event.id:int})?.*PROTO=(%{WORD:network.protocol})?.*SPT=(%{INT:source.port:int})?.*DPT=(%{INT:destination.port:int})?.*(WINDOW=(%{NUMBER:shorewall.window:int}))?.*(RES=(%{WORD:shorewall.res})?)?.*(SYN)?.*(URGP=(%{INT:shorewall.urgp:int})?)?"
                 ],
                 "ignore_missing": false
             }