diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 8a61ea2b57a..fffec3d17de 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -34359,9 +34359,9 @@ type: text
*`cyberarkpas.audit.rfc5424`*::
+
--
-Whether the syslog format complies with RFC5424 (yes or no).
+Whether the syslog format complies with RFC5424.
-type: keyword
+type: boolean
example: True
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml b/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml
index 0342b338397..9dcb53669fd 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml
+++ b/x-pack/filebeat/module/cyberarkpas/audit/_meta/fields.yml
@@ -67,8 +67,8 @@
description: The reason entered by the user.
norms: false
- name: rfc5424
- type: keyword
- description: Whether the syslog format complies with RFC5424 (yes or no).
+ type: boolean
+ description: Whether the syslog format complies with RFC5424.
example: yes
- name: safe
type: keyword
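Review bot: The `example: yes` line under `rfc5424` is left unchanged while the type becomes `boolean`; writing it as `example: true` keeps the example in canonical boolean form instead of relying on YAML 1.1 reading `yes` as a boolean. Separately, changing an existing field from `keyword` to `boolean` probably produces a mapping conflict with indices written by earlier versions of the module. Saved searches or detection rules that match `cyberarkpas.audit.rfc5424: "yes"` would presumably stop matching new events, so a breaking-change note seems warranted if the commit does not carry one outside this view. The field list continues outside the hunk.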
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml b/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml
index 90a02f519d6..2a27502a365 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cyberarkpas/audit/ingest/pipeline.yml
@@ -291,6 +291,16 @@ processors:
}
ctx.cyberarkpas.audit = keys_to_snake_case_recursive(ctx.cyberarkpas.audit);
+ #
+ # Convert rfc5424 field to boolean.
+ #
+ - script:
+ description: 'Converts the rfc5424 audit field to a boolean'
+ lang: painless
+ source: >
+ def value = ctx.cyberarkpas.audit.rfc5424;
+ ctx.cyberarkpas.audit["rfc5424"] = value == 'yes';
+
########################################################
# ECS enrichment
#
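Review bot: The added script assigns `value == 'yes'` unconditionally, so an event where `rfc5424` is absent or null gets the field created as `false`, and any other spelling such as `Yes` is also stored as `false`. For an audit source this turns "unknown" into an asserted "not compliant". Guarding the processor with `if: ctx.cyberarkpas?.audit?.rfc5424 instanceof String` and comparing with `value.equalsIgnoreCase('yes')` would leave missing values unset. The expected-output fixtures visible here only cover `yes` and `no` inputs, so a fixture without the field would pin the intended behaviour. The `processors` list starts and continues outside the hunk.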
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json
index c9652d2fcc4..713d0730107 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/105_add_file_category.log-expected.json
@@ -10,7 +10,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add File Category",
"cyberarkpas.audit.reason": "Value=[Address]",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -56,7 +56,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:54Z",
"cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain",
"cyberarkpas.audit.message": "Add File Category",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -106,7 +106,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:48Z",
"cyberarkpas.audit.issuer": "PSMApp_VAGRANT",
"cyberarkpas.audit.message": "Add File Category",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -157,7 +157,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add File Category",
"cyberarkpas.audit.reason": "Value=[ASR-CYBERARK-WI]",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -207,7 +207,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z",
"cyberarkpas.audit.issuer": "PSMApp_ASR-WIN",
"cyberarkpas.audit.message": "Add File Category",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -258,7 +258,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
"cyberarkpas.audit.message": "Add File Category",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json
index d60d31896e5..b84e56e08dd 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/106_update_file_category.log-expected.json
@@ -10,7 +10,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Update File Category",
"cyberarkpas.audit.reason": "Value=[components] Old Value=[Address]",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -56,7 +56,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:48Z",
"cyberarkpas.audit.issuer": "PSMApp_VAGRANT",
"cyberarkpas.audit.message": "Update File Category",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -106,7 +106,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z",
"cyberarkpas.audit.issuer": "PSMApp_ASR-WIN",
"cyberarkpas.audit.message": "Update File Category",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -157,7 +157,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
"cyberarkpas.audit.message": "Update File Category",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMRecordings",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -208,7 +208,7 @@
"cyberarkpas.audit.issuer": "PSMApp_ASR-WIN",
"cyberarkpas.audit.message": "Update File Category",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.66.114.180",
@@ -259,7 +259,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_SSH",
"cyberarkpas.audit.message": "Update File Category",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json
index 396e6e86e87..262c670a528 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/107_delete_file_category.log-expected.json
@@ -11,7 +11,7 @@
"cyberarkpas.audit.message": "Delete File Category",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n",
"cyberarkpas.audit.reason": "Old Value=[1615803137]",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json
index d40591446c1..0b008d88f7a 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/124_rename_file.log-expected.json
@@ -9,7 +9,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Rename File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json
index d4f8eb4ea30..9f23e422362 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/125_rename_file_cont.log-expected.json
@@ -9,7 +9,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Rename File (Cont.)",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json
index 4d1984021c0..76a9cffafb9 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/126_unlock_file.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:33:34Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Unlock File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json
index ca4b7d403dd..0f598e7e3f3 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/130_cpm_disable_password.log-expected.json
@@ -25,7 +25,7 @@
"cyberarkpas.audit.message": "CPM Disable Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json
index 7cf51a87fa6..0b5f7793f35 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/178_get_user_s_details.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Get User's Details",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:45:23\n 2021-03-11T18:45:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 178\n Get User's Details\n Error\n Administrator\n Get User's Details\n Master\n \n \n \n 127.0.0.1\n \n \n \n \n \n Get User's Details\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.source_user": "Master",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json
index f744915e9e0..28d15b6fb3d 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/180_add_user.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPApp_localhost.localdomain",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -65,7 +65,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPGW_localhost.localdomain",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -124,7 +124,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMP_ADB_localhost.localdomain",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -183,7 +183,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:19Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMApp_VAGRANT",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -242,7 +242,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:27Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMGw_VAGRANT",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -301,7 +301,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:06Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMApp_ASR-WIN",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -360,7 +360,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:15Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMGw_ASR-WIN",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -420,7 +420,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPApp_VAGRANT",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -480,7 +480,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPGW_VAGRANT",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -540,7 +540,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPGW_SSH",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -600,7 +600,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPApp_SSH",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -660,7 +660,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add User",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMP_ADB_asr-cyberark-psm-ssh",
"cyberarkpas.audit.station": "34.71.250.247",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json
index 07906dea3f7..d32e6ebae7d 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/181_update_safe.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:15:44Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Update Safe",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json
index 00351194295..120cff5e1c4 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/185_add_safe.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Safe",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -54,7 +54,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
"cyberarkpas.audit.message": "Add Safe",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMRecordings",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json
index d6de9086ab1..e8857870f2e 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/187_add_folder.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:40Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Folder",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPADBridgeConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -57,7 +57,7 @@
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Add Folder",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMUnmanagedSessionAccounts",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json
index d676047158b..f8bc6e3e850 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/19_full_gateway_connection.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:07:51Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWUser",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -65,7 +65,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T08:32:51Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWUser",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -131,7 +131,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T10:14:58Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWUser",
"cyberarkpas.audit.station": "37.223.7.45",
@@ -197,7 +197,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T08:31:50Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWUser",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -254,7 +254,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:37:00Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Full Gateway Connection",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWUser",
"cyberarkpas.audit.station": "10.0.1.10",
@@ -313,7 +313,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Full Gateway Connection",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPGW_VAGRANT",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -380,7 +380,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Full Gateway Connection",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPGW_VAGRANT",
"cyberarkpas.audit.station": "10.0.2.2",
@@ -447,7 +447,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Full Gateway Connection",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWUser",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -514,7 +514,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Full Gateway Connection",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPGW_SSH",
"cyberarkpas.audit.station": "81.32.170.205",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json
index 187424444bf..8e24b5e0d54 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/202_old_backup_files_deletion_start.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Old Backup Files Deletion Start",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 09 02:17:54",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json
index 0c6950e2c69..0c1dbfbdb61 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/203_old_backup_files_deletion_end.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Old Backup Files Deletion End",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 09 02:17:54",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json
index c1d6023a048..3c54667a525 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/20_partial_gateway_connection.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.issuer": "PSMGw_COMP01",
"cyberarkpas.audit.message": "Partial Gateway Connection",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 05:20:07\n 2021-03-25T09:20:07Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 20\n Partial Gateway Connection\n Info\n PSMGw_COMP01\n Partial Gateway Connection\n Administrator\n \n \n \n 10.0.0.15\n \n \n \n \n \n Partial Gateway Connection\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Administrator",
"cyberarkpas.audit.station": "10.0.0.15",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json
index 3ef4d4eae08..1f63733c63f 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/22_cpm_verify_password.log-expected.json
@@ -20,7 +20,7 @@
"cyberarkpas.audit.message": "CPM Verify Password",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n",
"cyberarkpas.audit.reason": "ImmediateTask",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Linux",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.4",
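Review bot: The expected outputs in this hunk and the other `*-expected.json` hunks only ever map `"yes"` to `true` and `"no"` to `false`; no visible fixture covers an event where the rfc5424 value is missing or spelled differently (for example `Yes`). If the conversion is an unconditional equality test against `'yes'`, as the pipeline.yml hunk earlier in this commit appears to be, such events would be indexed as `false`. A detection rule or dashboard filtering on this audit field could then not tell "unknown" apart from a genuinely non-RFC5424 message. Consider adding a fixture for the absent case and leaving the field unset there, e.g. `if (value != null) { ctx.cyberarkpas.audit.rfc5424 = value == 'yes'; }`.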
@@ -89,7 +89,7 @@
"cyberarkpas.audit.message": "CPM Verify Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=34.123.103.115;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json
index f37963d7d87..db7c77b19f9 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/23_action_on_closed_safe.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Action On Closed Safe",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -55,7 +55,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Action On Closed Safe",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "AccountsFeedADAccounts",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -96,7 +96,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Action On Closed Safe",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "34.71.250.247",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json
index 1dca3acf005..3cf879a9996 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/24_cpm_change_password.log-expected.json
@@ -21,7 +21,7 @@
"cyberarkpas.audit.message": "CPM Change Password",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n",
"cyberarkpas.audit.reason": "ImmediateTask",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Linux",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.4",
@@ -91,7 +91,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "CPM Change Password",
"cyberarkpas.audit.reason": "ImmediateTask",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -165,7 +165,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "CPM Change Password",
"cyberarkpas.audit.reason": "ImmediateTask",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -240,7 +240,7 @@
"cyberarkpas.audit.message": "CPM Change Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:24\n 2021-03-15T10:12:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n ImmediateTask\n address=components;username=x_accountA;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json
index c531dd20d62..7cdae291f0c 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/259_add_update_group.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add/Update Group",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMMaster",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -53,7 +53,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add/Update Group",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMAppUsers",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -100,7 +100,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add/Update Group",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -147,7 +147,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:29Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add/Update Group",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMLiveSessionTerminators",
"cyberarkpas.audit.station": "81.32.170.205",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json
index 18bfc362d73..60a962e4971 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/265_add_group_member.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMAppUsers",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -54,7 +54,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWAccounts",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -102,7 +102,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:35Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -150,7 +150,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:01Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMMaster",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -198,7 +198,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:29Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMAppUsers",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -246,7 +246,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:30Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWAccounts",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -294,7 +294,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:15Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMMaster",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -342,7 +342,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:16Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMAppUsers",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -390,7 +390,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:16Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWAccounts",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -439,7 +439,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMAppUsers",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -488,7 +488,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWAccounts",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -537,7 +537,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWAccounts",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -586,7 +586,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMAppUsers",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -635,7 +635,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Group Member",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
"cyberarkpas.audit.station": "34.71.250.247",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json
index 94d3aa9a340..169410b786e 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/266_remove_group_member.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:48Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Remove Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMMaster",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -54,7 +54,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:23Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Remove Group Member",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMMaster",
"cyberarkpas.audit.station": "35.192.121.42",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json
index a0fa48e17a6..96b6c9cd87c 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/273_remove_owner.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:33Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Remove Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Administrator",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json
index 5ab4e63830a..4cfd55c4722 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/278_add_rule.log-expected.json
@@ -9,7 +9,7 @@
"cyberarkpas.audit.message": "Add Rule",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 278\n Add Rule\n Info\n PVWAAppUser\n Add Rule\n Administrator\n \n PSMUnmanagedSessionAccounts\n Root\\2\n 10.0.1.20\n \n \n \n Allow\n \n Add Rule\n \n \n\n",
"cyberarkpas.audit.reason": "Allow",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMUnmanagedSessionAccounts",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Administrator",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json
index 4e01629a5e4..0ed48dfb9c0 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-05T11:00:06Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Auto Clear Users History start",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 05 03:00:06",
@@ -43,7 +43,7 @@
"cyberarkpas.audit.desc": "Auto Clear Users History start",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Auto Clear Users History start",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"event.action": "auto clear users history start",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json
index 5fdd7f932e5..4476ba0f803 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-05T11:00:06Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Auto Clear Users History end",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 05 03:00:06",
@@ -43,7 +43,7 @@
"cyberarkpas.audit.desc": "Auto Clear Users History end",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Auto Clear Users History end",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"event.action": "auto clear users history end",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json
index da93458c347..0feb0516dab 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/290_auto_clear_safes_history_start.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Auto Clear Safes History start",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 09 01:00:47",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json
index 4521146186f..0e37b256a45 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/291_auto_clear_safes_history_end.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Auto Clear Safes History end",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 09 01:00:47",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json
index 718804d560b..753a431e5e6 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/294_store_password.log-expected.json
@@ -13,7 +13,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T10:19:42Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Store password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -55,7 +55,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:49Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -117,7 +117,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:02Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Store password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -164,7 +164,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T14:38:57Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Store password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -205,7 +205,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:06Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -254,7 +254,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:26Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -320,7 +320,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T23:39:25Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Store password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -368,7 +368,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Store password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -427,7 +427,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Store password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -482,7 +482,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json
index 342eab8ede4..e3afb5cf05a 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/295_retrieve_password.log-expected.json
@@ -16,7 +16,7 @@
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n Prov_PVWA\n Retrieve password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.3\n \n \n \n AIM password request\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n \n \n",
"cyberarkpas.audit.reason": "AIM password request",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Linux",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.3",
@@ -87,7 +87,7 @@
"cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Show Password",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n adm2\n Retrieve password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Show Password)\n \n \n Show Password\n \n\n \n Retrieve password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n",
"cyberarkpas.audit.reason": "(Action: Show Password)",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Windows",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.6",
@@ -150,7 +150,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.reason": "testing",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -227,7 +227,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.reason": "CPM",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -292,7 +292,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.reason": "CPM",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -362,7 +362,7 @@
"cyberarkpas.audit.issuer": "Prov_COMPONENTS",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.reason": "Application provider background refresh job",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -425,7 +425,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.reason": "test",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -490,7 +490,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.reason": "test",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -569,7 +569,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.reason": "CPM",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -634,7 +634,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.reason": "CPM",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -694,7 +694,7 @@
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:41:21\n 2021-03-11T16:41:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n lksajdflkasdf\n \n Retrieve password\n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "lksajdflkasdf",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -759,7 +759,7 @@
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:28\n 2021-03-11T16:50:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n PVWAAppUser\n Retrieve password\n \n \n PSM\n Root\\PSMServer\n 10.0.1.20\n \n \n \n \n \n Retrieve password\n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -826,7 +826,7 @@
"cyberarkpas.audit.message": "Retrieve password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:54:20\n 2021-03-11T16:54:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\n 127.0.0.1\n \n \n \n sdfsdf\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "sdfsdf",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json
index ae66ffcd4de..28962b3bcb7 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/300_psm_connect.log-expected.json
@@ -23,7 +23,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Linux",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.7",
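Review bot: The expected outputs in view pin only two inputs, a raw value of `yes` mapping to `true` and a raw value of `no` (this hunk and the other 11.6.0000 records) mapping to `false`, so nothing here shows what happens when the element is absent, empty or cased differently. The same records carry `ManagedAccount=Yes` with a capital Y, so mixed casing from this source is plausible. If the conversion treats anything other than the exact string `yes` as false, such a record would be indexed as `"cyberarkpas.audit.rfc5424": false`, which audit searches cannot tell apart from a genuine `no`. A test log with a missing and an odd-cased value, plus its expected JSON, would make that outcome a deliberate choice, ideally with the field left unset when the source does not supply it.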
@@ -92,7 +92,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -175,7 +175,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -258,7 +258,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -341,7 +341,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -424,7 +424,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -507,7 +507,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -596,7 +596,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -693,7 +693,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -788,7 +788,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -883,7 +883,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -978,7 +978,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1069,7 +1069,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1160,7 +1160,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1259,7 +1259,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1358,7 +1358,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1457,7 +1457,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Connect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json
index 249345852e7..4785084bcee 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/302_psm_disconnect.log-expected.json
@@ -24,7 +24,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Linux",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.7",
@@ -95,7 +95,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -180,7 +180,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -265,7 +265,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -350,7 +350,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -435,7 +435,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -520,7 +520,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -611,7 +611,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -710,7 +710,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -807,7 +807,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -904,7 +904,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1001,7 +1001,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1094,7 +1094,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1187,7 +1187,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1288,7 +1288,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -1389,7 +1389,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "PSM Disconnect",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json
index 58dc61fda2e..14603f0592b 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/304_psm_upload_recording.log-expected.json
@@ -16,7 +16,7 @@
"cyberarkpas.audit.issuer": "PSMApp_COMP01",
"cyberarkpas.audit.message": "PSM Upload Recording",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 05:20:56\n 2021-03-25T09:20:56Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 304\n PSM Upload Recording\n Info\n PSMApp_COMP01\n PSM Upload Recording\n \n \n PSMRecordings\n Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\n 10.0.0.15\n \n \n \n \n DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\n PSM Upload Recording\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMRecordings",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json
index 3b63af9a4b4..a2125afe5c1 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/308_use_password.log-expected.json
@@ -22,7 +22,7 @@
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n",
"cyberarkpas.audit.reason": "(Action: Connect)",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Windows",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.6",
@@ -86,7 +86,7 @@
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "fun and profit",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -163,7 +163,7 @@
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "FOR FUN.",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -240,7 +240,7 @@
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "For fun and profit",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.2.2",
@@ -317,7 +317,7 @@
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "Because I say so",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.2.2",
@@ -394,7 +394,7 @@
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "for fun",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.2.2",
@@ -471,7 +471,7 @@
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "testing",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.2.2",
@@ -553,7 +553,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -641,7 +641,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -733,7 +733,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -825,7 +825,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Use Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json
index a1cd48d3242..30198346cee 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/309_undefined_user_logon.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:31:52Z",
"cyberarkpas.audit.issuer": "adriansr",
"cyberarkpas.audit.message": "Undefined User Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 08 10:31:52",
@@ -61,7 +61,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:32:03Z",
"cyberarkpas.audit.issuer": "adriansra",
"cyberarkpas.audit.message": "Undefined User Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 08 10:32:03",
@@ -115,7 +115,7 @@
"cyberarkpas.audit.issuer": "PSMAdmin",
"cyberarkpas.audit.message": "Undefined User Logon",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 11 08:43:26",
@@ -174,7 +174,7 @@
"cyberarkpas.audit.issuer": "adrian",
"cyberarkpas.audit.message": "Undefined User Logon",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 11 09:46:28",
@@ -237,7 +237,7 @@
"cyberarkpas.audit.issuer": "testark",
"cyberarkpas.audit.message": "Undefined User Logon",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 14 06:28:00",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json
index 098015d2631..5b958288c53 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor DR Replication start",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 04 11:10:01",
@@ -43,7 +43,7 @@
"cyberarkpas.audit.desc": "Monitor DR Replication start",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor DR Replication start",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"event.action": "monitor dr replication start",
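Review bot: The expected outputs updated in this hunk and in the neighbouring fixtures pin only two inputs, `"yes"` → `true` and `"no"` → `false` (this record is a `no` case); nothing visible covers an audit record whose rfc5424 element is absent, empty, or differently cased, such as `Yes`. With the field now a boolean, such a record would presumably be indexed as `false` rather than left unset, which an analyst reads as "not RFC 5424" when the real answer is "unknown". I would add one input record without the element and have its expected JSON either omit `cyberarkpas.audit.rfc5424` or carry `false` deliberately, so the outcome is a decision and not a side effect. Since these expected files are regenerated from the pipeline, the change belongs in the test input log and the pipeline, not in a hand edit to this JSON. The changelog should also say that saved queries and detection rules matching `cyberarkpas.audit.rfc5424: "yes"` stop matching once the mapping is boolean.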
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json
index 2355b46110a..e4999439bea 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor DR Replication end",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 04 11:10:01",
@@ -43,7 +43,7 @@
"cyberarkpas.audit.desc": "Monitor DR Replication end",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor DR Replication end",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"event.action": "monitor dr replication end",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json
index 88d7954aecc..69d0c37dab4 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/316_reset_user_password_detailed_information.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Reset User Password Detailed Information",
"cyberarkpas.audit.reason": "Password changed",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMGw_VAGRANT",
"cyberarkpas.audit.station": "81.32.170.205",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json
index 7fda7b95dcb..4a37960e278 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/317_reset_user_password.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:45Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Reset User Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMGw_VAGRANT",
"cyberarkpas.audit.station": "81.32.170.205",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json
index b0440616498..60aaf45b24e 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/31_cpm_reconcile_password.log-expected.json
@@ -23,7 +23,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 31\n CPM Reconcile Password\n Info\n PasswordManager\n CPM Reconcile Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.4\n \n \n \n ImmediateTask\n address=dbserver.cyberark.local;username=Administrator2;\n CPM Reconcile Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n",
"cyberarkpas.audit.reason": "ImmediateTask",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Windows",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.4",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json
index 0495519b84a..c488fa9349d 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/326_cpm_auto_detection_start.log-expected.json
@@ -11,7 +11,7 @@
"cyberarkpas.audit.message": "CPM Auto-detection Start",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 326\n CPM Auto-detection Start\n Info\n PasswordManager\n CPM Auto-detection Start\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection Start\n \n \n\n",
"cyberarkpas.audit.reason": " ",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PasswordManager_info",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json
index ba347d7f013..5c67acde9f2 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/327_cpm_auto_detection_end.log-expected.json
@@ -11,7 +11,7 @@
"cyberarkpas.audit.message": "CPM Auto-detection End",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 327\n CPM Auto-detection End\n Info\n PasswordManager\n CPM Auto-detection End\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection End\n \n \n\n",
"cyberarkpas.audit.reason": " ",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PasswordManager_info",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json
index 83219226628..67f6151c5f9 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/32_add_owner.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Master",
@@ -68,7 +68,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Administrator",
@@ -129,7 +129,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Batch",
@@ -191,7 +191,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Operators",
@@ -253,7 +253,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Backup Users",
@@ -315,7 +315,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Auditors",
@@ -377,7 +377,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "DR Users",
@@ -439,7 +439,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:20Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Notification Engines",
@@ -501,7 +501,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:22Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMPApp_localhost.localdomain",
@@ -563,7 +563,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMAppUsers",
@@ -625,7 +625,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Vault Admins",
@@ -687,7 +687,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:23Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAAppUsers",
@@ -749,7 +749,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:36Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPADBUserProfile",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAGWAccounts",
@@ -811,7 +811,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:37Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPADBridgeConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMP_ADB_localhost.localdomain",
@@ -873,7 +873,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:38Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPADBridgeCustom",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMP_ADB_AppUsers",
@@ -935,7 +935,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:59:32Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Add Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMApp_VAGRANT",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json
index 3d0bab9e356..e39878f6e40 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/33_update_owner.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:49Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Update Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAAppUsers",
@@ -68,7 +68,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:50Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Update Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMApp_VAGRANT",
@@ -130,7 +130,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:51Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Update Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMAppUsers",
@@ -192,7 +192,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:51Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Update Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PSMMaster",
@@ -254,7 +254,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:16:53Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Update Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMUniversalConnectors",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Vault Admins",
@@ -316,7 +316,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:19:18Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Update Owner",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "PVWAAppUsers",
@@ -379,7 +379,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
"cyberarkpas.audit.message": "Update Owner",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMRecordings",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.source_user": "Auditors",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json
index e04a8498de6..4cecbceb396 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/355_monitor_license_expiration_date_start.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor License Expiration Date start",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 09 02:17:54",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json
index 9fd5b5d3694..181d9a733e7 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/356_monitor_license_expiration_date_end.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T10:17:54Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor License Expiration Date end",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 09 02:17:54",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json
index 58d809f5a37..a3b04bd34cf 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor FW rules start",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 04 11:10:01",
@@ -43,7 +43,7 @@
"cyberarkpas.audit.desc": "Monitor FW rules start",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor FW rules start",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"event.action": "monitor fw rules start",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json
index 32d1995c8ef..a5af60dcea0 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor FW Rules end",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 04 11:10:01",
@@ -43,7 +43,7 @@
"cyberarkpas.audit.desc": "Monitor FW Rules end",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Monitor FW Rules end",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
"event.action": "monitor fw rules end",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json
index d3c16912a52..aae4123d3cb 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/359_sql_command.log-expected.json
@@ -33,7 +33,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -118,7 +118,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -203,7 +203,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -288,7 +288,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -373,7 +373,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -458,7 +458,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:45\n 2021-03-25T14:56:45Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -543,7 +543,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:56:54\n 2021-03-25T14:56:54Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -628,7 +628,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:58:02\n 2021-03-25T14:58:02Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -713,7 +713,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:57:05\n 2021-03-25T14:57:05Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
@@ -798,7 +798,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "SQL Command",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 10:58:44\n 2021-03-25T14:58:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Oracle",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json
index 97edadcd573..77b675324c6 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/361_keystroke_logging.log-expected.json
@@ -26,7 +26,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Keystroke logging",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Linux",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.7",
@@ -103,7 +103,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Keystroke logging",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -200,7 +200,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Keystroke logging",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -297,7 +297,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Keystroke logging",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -394,7 +394,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Keystroke logging",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -495,7 +495,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Keystroke logging",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
@@ -596,7 +596,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Keystroke logging",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json
index 6c379fe2239..afc569ca43a 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/385_blservice_audit_record.log-expected.json
@@ -9,7 +9,7 @@
"cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy",
"cyberarkpas.audit.message": "BLService Audit Record",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:31:13\n 2021-03-11T16:31:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 11 08:31:13",
@@ -54,7 +54,7 @@
"cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy",
"cyberarkpas.audit.message": "BLService Audit Record",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:31:23\n 2021-03-11T16:31:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 11 08:31:23",
@@ -99,7 +99,7 @@
"cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy",
"cyberarkpas.audit.message": "BLService Audit Record",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:40:52\n 2021-03-11T19:40:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 11 11:40:52",
@@ -144,7 +144,7 @@
"cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy",
"cyberarkpas.audit.message": "BLService Audit Record",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:04:35\n 2021-03-14T12:04:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 14 05:04:35",
@@ -189,7 +189,7 @@
"cyberarkpas.audit.location": "UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy",
"cyberarkpas.audit.message": "BLService Audit Record",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:04:53\n 2021-03-14T12:04:53Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 14 05:04:53",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json
index f9e0b062d32..6b6497a81c9 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/38_cpm_verify_password_failed.log-expected.json
@@ -23,7 +23,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -108,7 +108,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -192,7 +192,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -277,7 +277,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -362,7 +362,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -445,7 +445,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -520,7 +520,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -595,7 +595,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -670,7 +670,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:10:25\n 2021-03-15T17:10:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -746,7 +746,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:28:07\n 2021-03-15T17:28:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -824,7 +824,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -902,7 +902,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -980,7 +980,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -1055,7 +1055,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -1140,7 +1140,7 @@
"cyberarkpas.audit.message": "CPM Verify Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json
index 2d8a16b3ed2..365c217d660 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/411_window_title.log-expected.json
@@ -32,7 +32,7 @@
"cyberarkpas.audit.issuer": "adm2",
"cyberarkpas.audit.message": "Window Title",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 411\n Window Title\n Info\n adm2\n Window Title\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.5\n \n \n \n \n Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\n Window Title\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "Windows",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.5",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json
index 2c5da6460a8..685a4a0586a 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/412_keystroke_logging.log-expected.json
@@ -32,7 +32,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Keystroke logging",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 07:29:37\n 2021-03-25T11:29:37Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 412\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n MSSQL\n Root\\Database-MSSql-epmsvr01.cybr.com-sa\n 10.0.0.15\n \n \n \n \n Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "MSSQL",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json
index 73b1b5aee4a..fe2d5aedaf7 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/414_cpm_verify_ssh_key.log-expected.json
@@ -27,7 +27,7 @@
"cyberarkpas.audit.message": "CPM Verify SSH Key",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 06:04:06\n 2021-03-25T10:04:06Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 414\n CPM Verify SSH Key\n Info\n PasswordManager\n CPM Verify SSH Key\n \n \n Linux SSH Keys\n Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\n 10.0.0.15\n \n \n \n VerificationPeriod\n address=rhel7.cybr.com;username=firecall1;\n CPM Verify SSH Key\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "VerificationPeriod",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Linux SSH Keys",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.0.15",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json
index 4d06a1dd722..50385a481b0 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/427_store_ssh_key.log-expected.json
@@ -9,7 +9,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store SSH Key",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json
index 563c79138bd..d5b684eb931 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/428_retrieve_ssh_key.log-expected.json
@@ -17,7 +17,7 @@
"cyberarkpas.audit.pvwa_details.retrieve_reason.general.user_reason": "for fun and profit",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "(Action: Retrieve SSH key)for fun and profit",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -98,7 +98,7 @@
"cyberarkpas.audit.pvwa_details.retrieve_reason.general.user_reason": "testing",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:08:48\n 2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 34.123.103.115)\n \n \n testing\n Connect\n \n \n 34.123.103.115\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -177,7 +177,7 @@
"cyberarkpas.audit.pvwa_details.retrieve_reason.general.retrieve_action": "Retrieve SSH key",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "(Action: Retrieve SSH key)",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json
index 811c18dcec2..17b939fab90 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/449_create_discovery_succeeded.log-expected.json
@@ -8,7 +8,7 @@
"cyberarkpas.audit.message": "Create Discovery Succeeded",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:06:35\n 2021-03-14T12:06:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 449\n Create Discovery Succeeded\n Info\n Administrator\n Create Discovery Succeeded\n \n \n \n \n 10.0.1.20\n \n \n \n Status:Success; Discovery:; Reason:;\n \n Create Discovery Succeeded\n \n \n\n",
"cyberarkpas.audit.reason": "Status:Success; Discovery:; Reason:;",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 14 05:06:35",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json
index a6c307ca075..d607b784f41 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/459_general_audit.log-expected.json
@@ -24,7 +24,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "General Audit",
"cyberarkpas.audit.reason": "Dual account rotation",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -82,7 +82,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "General Audit",
"cyberarkpas.audit.reason": "Dual account rotation",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -141,7 +141,7 @@
"cyberarkpas.audit.message": "General Audit",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 459\n General Audit\n Info\n PasswordManager\n General Audit\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\n 10.0.1.20\n \n \n \n Dual account rotation\n DualAccountStatus=Active;Index=2;\n General Audit\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "Dual account rotation",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json
index 315c4e78d86..18f132b64b3 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/467_the_component_public_key_for_jwt_authentication_was_updated.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:14:35Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "The component public key for JWT authentication was updated",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 10 10:14:35",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json
index 265f3f289d0..e127969e7f2 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:01Z",
"cyberarkpas.audit.issuer": "Builtin",
"cyberarkpas.audit.message": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "0.0.0.0",
"cyberarkpas.audit.timestamp": "Mar 04 11:10:01",
@@ -44,7 +44,7 @@
"cyberarkpas.audit.desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
"cyberarkpas.audit.issuer": "Builtin",
"cyberarkpas.audit.message": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "0.0.0.0",
"event.action": "security warning - the signature hash algorithm of the vault certificate is sha1.",
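Review bot: The regenerated expectations pin only two inputs, the literal `"yes"` becoming `true` and the literal `"no"` becoming `false` (this hunk and the one in 411_window_title.log-expected.json). No fixture visible in this part of the diff covers an event where the field is absent or spelled differently, such as `Yes`. The conversion step is outside this chunk, but if it is a plain equality test against `'yes'`, those events would be indexed as `false`, which a query on this audit field cannot tell apart from a genuine non-RFC5424 message. Consider adding a sample event without the element and asserting that `cyberarkpas.audit.rfc5424` stays unset in its expected output, with the conversion guarded by a null check.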
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json
index 68acb65c473..51dc1afc051 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/482_update_existing_add_account_bulk_operation_succeeded.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T08:31:49Z",
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Update existing Add Account Bulk Operation succeeded",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 10 00:31:49",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json
index 19491b22f8c..5f52c8abe27 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/4_user_authentication.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:42:36Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "User Authentication",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 10:42:36",
@@ -65,7 +65,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "User Authentication",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 11 10:03:43",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json
index 79144d5b6d3..1e67b7fbef2 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/50_store_file.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:50Z",
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Store File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAPrivateUserPrefs",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -48,7 +48,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:21Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -97,7 +97,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:36:22Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -138,7 +138,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:56Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -188,7 +188,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
"cyberarkpas.audit.message": "Store File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMRecordings",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -239,7 +239,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Store File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json
index af7d6d8eaf4..d6498eae71e 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/51_retrieve_file.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Retrieve File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PasswordManagerShared",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -48,7 +48,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:23Z",
"cyberarkpas.audit.issuer": "Prov_COMPONENTS",
"cyberarkpas.audit.message": "Retrieve File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "AppProviderConf",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json
index 1af95f40647..0b07338915f 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/52_delete_file.log-expected.json
@@ -13,7 +13,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:32:43Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Delete File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Test",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -65,7 +65,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:38:21Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Delete File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "VaultInternal",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -110,7 +110,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T19:20:04Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Delete File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PasswordManager_workspace",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -152,7 +152,7 @@
"cyberarkpas.audit.issuer": "PSMApp_ASR-WIN",
"cyberarkpas.audit.message": "Delete File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -207,7 +207,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Delete File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -255,7 +255,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Delete File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -305,7 +305,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Delete File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -355,7 +355,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Delete File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSM",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -409,7 +409,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Delete File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
@@ -463,7 +463,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Delete File",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 08:13:59\n 2021-03-15T15:13:59Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-MySQL-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json
index f120fa61923..eaf206946a9 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/57_cpm_change_password_failed.log-expected.json
@@ -31,7 +31,7 @@
"cyberarkpas.audit.message": "CPM Change Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 25 08:00:08\n 2021-03-25T12:00:08Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 57\n CPM Change Password Failed\n Error\n PasswordManager\n CPM Change Password Failed\n \n \n Linux Accounts\n Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\n 10.0.0.15\n \n \n \n ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\n address=rhel7.cybr.com;username=firecall2;\n CPM Change Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "Linux Accounts",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.0.15",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json
index 99e9f3ec96b..21d71f71183 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:25:02Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Clear Safe History",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PasswordManager_workspace",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -44,7 +44,7 @@
"cyberarkpas.audit.desc": "Clear Safe History",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Clear Safe History",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "PasswordManager_workspace",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
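Review bot: The expected value `false` here, and in the first hunk of 7_logon.log-expected.json, only pins the explicit "no" case, so no fixture covers an event where the rfc5424 element is absent or cased differently. The conversion added in pipeline.yml by this commit (`value == 'yes'`) would presumably also yield `false` for a null or "Yes" value. Anyone querying these audit records then could not tell "vault reported non-RFC5424" apart from "field missing or unparsed". Consider leaving the field unset when the source value is null, for example `if (value != null) { ctx.cyberarkpas.audit["rfc5424"] = value == 'yes'; }`, and adding one test event without the element so the expected output pins that behaviour.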
@@ -81,7 +81,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T09:00:47Z",
"cyberarkpas.audit.issuer": "Batch",
"cyberarkpas.audit.message": "Clear Safe History",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "System",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "0.0.0.0",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json
index ae0a5d3f769..1a3d12f5882 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/60_cpm_reconcile_password_failed.log-expected.json
@@ -23,7 +23,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -109,7 +109,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -193,7 +193,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -279,7 +279,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -365,7 +365,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -450,7 +450,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -537,7 +537,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -622,7 +622,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 06:04:27\n 2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -709,7 +709,7 @@
"cyberarkpas.audit.message": "CPM Reconcile Password Failed",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n",
"cyberarkpas.audit.reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "partner",
"cyberarkpas.audit.severity": "Error",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json
index 9b38648e520..e54e87c6c59 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/62_create_file_version.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:54Z",
"cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain",
"cyberarkpas.audit.message": "Create File Version",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -56,7 +56,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T17:58:05Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Create File Version",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMNotifications",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -105,7 +105,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z",
"cyberarkpas.audit.issuer": "PSMApp_VAGRANT",
"cyberarkpas.audit.message": "Create File Version",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -154,7 +154,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z",
"cyberarkpas.audit.issuer": "PSMApp_ASR-WIN",
"cyberarkpas.audit.message": "Create File Version",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -204,7 +204,7 @@
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Create File Version",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -246,7 +246,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
"cyberarkpas.audit.message": "Create File Version",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -297,7 +297,7 @@
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Create File Version",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "AccountsFeedDiscoveryLogs",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -342,7 +342,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_SSH",
"cyberarkpas.audit.message": "Create File Version",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PSMPLiveSessions",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json
index 63d5491255c..57223388c5f 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/7_logon.log-expected.json
@@ -8,7 +8,7 @@
"cyberarkpas.audit.issuer": "adm2",
"cyberarkpas.audit.message": "Logon",
"cyberarkpas.audit.raw": "\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 7\n Logon\n Info\n adm2\n Logon\n \n \n \n \n 10.2.0.6\n \n \n \n \n \n Logon\n 10.2.0.3\n \n",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.2.0.6",
"destination.address": "10.2.0.3",
@@ -58,7 +58,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 11:10:05",
@@ -108,7 +108,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:20Z",
"cyberarkpas.audit.issuer": "SCIM-user",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 11:10:20",
@@ -158,7 +158,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:20Z",
"cyberarkpas.audit.issuer": "PVWAGWUser",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 11:11:20",
@@ -208,7 +208,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:11:23Z",
"cyberarkpas.audit.issuer": "Prov_COMPONENTS",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 11:11:23",
@@ -258,7 +258,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-05T10:18:50Z",
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 05 02:18:50",
@@ -309,7 +309,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:07:51Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 08 10:07:51",
@@ -364,7 +364,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T08:32:51Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 09 00:32:51",
@@ -427,7 +427,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-09T10:14:58Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "37.223.7.45",
"cyberarkpas.audit.timestamp": "Mar 09 02:14:58",
@@ -489,7 +489,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:48Z",
"cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:11:48",
@@ -547,7 +547,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:48Z",
"cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:11:48",
@@ -605,7 +605,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:49Z",
"cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:11:49",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json
index cc6979b34c7..4a6304a3371 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:16:19Z",
"cyberarkpas.audit.issuer": "PVWAGWUser",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 11:16:19",
@@ -44,7 +44,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:16:19Z",
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 11:16:19",
@@ -81,7 +81,7 @@
"cyberarkpas.audit.desc": "Set Password",
"cyberarkpas.audit.issuer": "PVWAGWUser",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"event.action": "set password",
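Review bot: The updated expectations pin only two inputs for `cyberarkpas.audit.rfc5424`, `"yes"` → `true` and `"no"` → `false` (this hunk and the one in legacysyslog.log-expected.json); no fixture visible here covers an event where the field is missing or spelled differently, for example `Yes`. For audit data the distinction matters, because `false` is a positive statement that the record arrived as legacy syslog, and a filter on it should not also return records whose format was simply unknown. I would add one test event without the field and one with an unexpected value, so that their expected output shows either `false` or the key left absent, whichever is intended. Saved searches and detection rules that still match the string `"yes"` will presumably stop matching after this type change, so it likely deserves a changelog entry if the commit does not already carry one.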
@@ -117,7 +117,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T08:29:19Z",
"cyberarkpas.audit.issuer": "Prov_COMPONENTS",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 10 00:29:19",
@@ -155,7 +155,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T08:29:28Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 10 00:29:28",
@@ -193,7 +193,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:52Z",
"cyberarkpas.audit.issuer": "PSMPApp_localhost.localdomain",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:11:52",
@@ -239,7 +239,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:52Z",
"cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:11:52",
@@ -285,7 +285,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:55Z",
"cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:11:55",
@@ -331,7 +331,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z",
"cyberarkpas.audit.issuer": "PSMApp_VAGRANT",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 10:46:47",
@@ -377,7 +377,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:46:47Z",
"cyberarkpas.audit.issuer": "PSMGw_VAGRANT",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 10:46:47",
@@ -423,7 +423,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z",
"cyberarkpas.audit.issuer": "PSMApp_ASR-WIN",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
"cyberarkpas.audit.timestamp": "Mar 10 14:20:12",
@@ -469,7 +469,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:20:12Z",
"cyberarkpas.audit.issuer": "PSMGw_ASR-WIN",
"cyberarkpas.audit.message": "Set Password",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
"cyberarkpas.audit.timestamp": "Mar 10 14:20:12",
@@ -516,7 +516,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_VAGRANT",
"cyberarkpas.audit.message": "Set Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 11 08:59:54",
@@ -563,7 +563,7 @@
"cyberarkpas.audit.issuer": "PSMPGW_VAGRANT",
"cyberarkpas.audit.message": "Set Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 11 08:59:55",
@@ -610,7 +610,7 @@
"cyberarkpas.audit.issuer": "PSMApp_ASR-WIN",
"cyberarkpas.audit.message": "Set Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.66.114.180",
"cyberarkpas.audit.timestamp": "Mar 11 12:10:33",
@@ -657,7 +657,7 @@
"cyberarkpas.audit.issuer": "PSMPGW_SSH",
"cyberarkpas.audit.message": "Set Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
"cyberarkpas.audit.timestamp": "Mar 14 05:57:25",
@@ -704,7 +704,7 @@
"cyberarkpas.audit.issuer": "PSMPApp_SSH",
"cyberarkpas.audit.message": "Set Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
"cyberarkpas.audit.timestamp": "Mar 14 05:57:25",
@@ -751,7 +751,7 @@
"cyberarkpas.audit.issuer": "PSMP_ADB_asr-cyberark-psm-ssh",
"cyberarkpas.audit.message": "Set Password",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
"cyberarkpas.audit.timestamp": "Mar 14 05:57:25",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json
index 37ce536ec29..32dcc1c6653 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/8_logoff.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:19:15Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 08 10:19:15",
@@ -56,7 +56,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:59:23Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 08 10:59:23",
@@ -106,7 +106,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:28Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 10 00:28:28",
@@ -156,7 +156,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:29Z",
"cyberarkpas.audit.issuer": "Prov_COMPONENTS",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 10 00:28:29",
@@ -206,7 +206,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:30Z",
"cyberarkpas.audit.issuer": "PVWAGWUser",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 10 00:28:30",
@@ -256,7 +256,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T08:28:30Z",
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 10 00:28:30",
@@ -306,7 +306,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:11:33Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:11:33",
@@ -364,7 +364,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:12:20Z",
"cyberarkpas.audit.issuer": "PSMP_ADB_localhost.localdomain",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:12:20",
@@ -422,7 +422,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T09:12:27Z",
"cyberarkpas.audit.issuer": "PSMPGW_localhost.localdomain",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 10 01:12:27",
@@ -480,7 +480,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:27Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logoff",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
"cyberarkpas.audit.timestamp": "Mar 10 14:17:27",
@@ -540,7 +540,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logoff",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
"cyberarkpas.audit.timestamp": "Mar 11 09:38:13",
@@ -604,7 +604,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logoff",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.2.2",
"cyberarkpas.audit.timestamp": "Mar 11 09:48:28",
@@ -667,7 +667,7 @@
"cyberarkpas.audit.issuer": "PSMPGW_VAGRANT",
"cyberarkpas.audit.message": "Logoff",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 11 09:49:06",
@@ -726,7 +726,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logoff",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "34.71.250.247",
"cyberarkpas.audit.timestamp": "Mar 14 05:57:20",
@@ -786,7 +786,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Logoff",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
"cyberarkpas.audit.timestamp": "Mar 14 06:49:36",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json
index 5d8e5a2e69c..b0d96a096c2 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/98_open_file_write_only.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-08T18:24:50Z",
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Open File (Write Only)",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAPrivateUserPrefs",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -48,7 +48,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T18:44:08Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Open File (Write Only)",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "81.32.170.205",
@@ -97,7 +97,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-10T22:17:40Z",
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Open File (Write Only)",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "35.192.121.42",
@@ -148,7 +148,7 @@
"cyberarkpas.audit.issuer": "Administrator",
"cyberarkpas.audit.message": "Open File (Write Only)",
"cyberarkpas.audit.raw": "\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "127.0.0.1",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json
index dcf6b4c6b5f..431b5c10a27 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/99_open_file.log-expected.json
@@ -7,7 +7,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T19:10:05Z",
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Open File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PVWAConfig",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json
index 84de7f98826..14b87c8867c 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.file": "Root\\Policies\\Policy-BusinessWebsite.ini",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Retrieve File",
- "cyberarkpas.audit.rfc5424": "no",
+ "cyberarkpas.audit.rfc5424": false,
"cyberarkpas.audit.safe": "PasswordManagerShared",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json
index b9afe62a042..f3c5e458aef 100644
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json
+++ b/x-pack/filebeat/module/cyberarkpas/audit/test/rfc5424syslog.log-expected.json
@@ -6,7 +6,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:14Z",
"cyberarkpas.audit.issuer": "PVWAGWUser",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 09:27:14",
@@ -56,7 +56,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:21Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 09:27:21",
@@ -107,7 +107,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:21Z",
"cyberarkpas.audit.issuer": "PasswordManager",
"cyberarkpas.audit.message": "Retrieve File",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.safe": "PasswordManagerShared",
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
@@ -147,7 +147,7 @@
"cyberarkpas.audit.iso_timestamp": "2021-03-04T17:27:33Z",
"cyberarkpas.audit.issuer": "PVWAAppUser",
"cyberarkpas.audit.message": "Logon",
- "cyberarkpas.audit.rfc5424": "yes",
+ "cyberarkpas.audit.rfc5424": true,
"cyberarkpas.audit.severity": "Info",
"cyberarkpas.audit.station": "10.0.1.20",
"cyberarkpas.audit.timestamp": "Mar 04 09:27:33",
diff --git a/x-pack/filebeat/module/cyberarkpas/fields.go b/x-pack/filebeat/module/cyberarkpas/fields.go
index ebdad1e586f..2e48ca8da6d 100644
--- a/x-pack/filebeat/module/cyberarkpas/fields.go
+++ b/x-pack/filebeat/module/cyberarkpas/fields.go
@@ -19,5 +19,5 @@ func init() {
// AssetCyberarkpas returns asset data.
// This is the base64 encoded gzipped contents of module/cyberarkpas.
func AssetCyberarkpas() string {
- return "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"
+ return "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"
}