diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 854eb4e1672..8a33ea80e69 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -183,6 +183,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add ECS related fields to CEF module {issue}16157[16157] {pull}16338[16338] - Improve ECS categorization field mappings in suricata module. {issue}16181[16181] {pull}16843[16843] - Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049] +- Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637] *Heartbeat* diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.json b/x-pack/filebeat/module/iptables/log/ingest/pipeline.json deleted file mode 100644 index d5a36988e18..00000000000 --- a/x-pack/filebeat/module/iptables/log/ingest/pipeline.json +++ /dev/null 
@@ -1,244 +0,0 @@ -{ - "description" : "Pipeline for IPTables", - "processors" : [ - { - "grok": { - "field": "message", - "patterns": [ - "%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}\\[%{UBIQUITI_LABEL}\\]%{IPTABLES}%{SPACE}", - "%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}%{IPTABLES}%{SPACE}", - "%{GREEDYDATA}\\[%{UBIQUITI_LABEL}\\]%{IPTABLES}%{SPACE}", - "%{GREEDYDATA}%{IPTABLES}%{SPACE}" - ], - "pattern_definitions": { - "UNSIGNED_INT": "[0-9]+", - "ETHTYPE": "(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2})", - "ETHTYPE_DISCARD": "(?::[A-Fa-f0-9]{2})*", - "NETFILTERMAC": "(?:%{MAC:destination.mac}:%{MAC:source.mac}:%{ETHTYPE:iptables.ether_type}?%{ETHTYPE_DISCARD}|%{MAC:destination.mac}%{ETHTYPE_DISCARD}:%{ETHTYPE:iptables.ether_type}?)", - "IPTABLES_ETHERNET": "IN=%{DATA:iptables.input_device} OUT=%{DATA:iptables.output_device}?(?: MAC=%{NETFILTERMAC})?", - "IPTABLES_PORT_PAIR": "SPT=%{UNSIGNED_INT:source.port:int} DPT=%{UNSIGNED_INT:destination.port:int}", - "IPTABLES_TCP_FLAGS": "((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*", - "IPTABLES_TCP_SEQ": "SEQ=%{UNSIGNED_INT:iptables.tcp.seq:int} ACK=%{UNSIGNED_INT:iptables.tcp.ack:int}", - "IPTABLES_TCP_DETAILS": "(?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:iptables.tcp.window:int} RES=0x%{BASE16NUM:iptables.tcp_reserved_bits} %{IPTABLES_TCP_FLAGS:iptables.tcp.flags}", - "IPTABLES_INCOMPLETE_PACKET": "INCOMPLETE \\[%{UNSIGNED_INT:iptables.incomplete_bytes:int} bytes\\]", - "IPTABLES_UDP_DETAILS": "LEN=%{UNSIGNED_INT:iptables.udp.length:int}", - "IPTABLES_ICMP_EXTRA_ECHO": "ID=%{UNSIGNED_INT:iptables.icmp.id:int} SEQ=%{UNSIGNED_INT:iptables.icmp.seq:int}", - "IPTABLES_ICMP_EXTRA_PARAM": "PARAMETER=%{UNSIGNED_INT:iptables.icmp.parameter:int}", - "IPTABLES_ICMP_EXTRA_REDIRECT": "GATEWAY=%{IP:iptables.icmp.redirect}", - "IPTABLES_ICMP_EXTRA": "( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*", - "IPTABLES_ICMP_DETAILS": "TYPE=%{UNSIGNED_INT:iptables.icmp.type:int} 
CODE=%{UNSIGNED_INT:iptables.icmp.code:int}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})", - "IPTABLES_PROTOCOL": "PROTO=(?[a-zA-Z0-9]+)", - "IPTABLES_IP_PAYLOAD": "%{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?", - "IPTABLES_IP_FRAGFLAG": "((?<= )(CE|DF|MF))*", - "IPTABLES_IP_START": "SRC=%{IPV4:source.ip} DST=%{IPV4:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TOS=0x%{BASE16NUM:iptables.tos} PREC=0x%{BASE16NUM:iptables.precedence_bits} TTL=%{UNSIGNED_INT:iptables.ttl:int} ID=%{UNSIGNED_INT:iptables.id:int}(?: %{IPTABLES_IP_FRAGFLAG:iptables.fragment_flags})?(?: FRAG: %{UNSIGNED_INT:iptables.fragment_offset:int})?", - "IPTABLES_IP": "%{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}", - "IPTABLES_IPV6_START": "SRC=%{IPV6:source.ip} DST=%{IPV6:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TC=%{UNSIGNED_INT:iptables.tos} HOPLIMIT=%{UNSIGNED_INT:iptables.ttl:int} FLOWLBL=%{UNSIGNED_INT:iptables.flow_label:int}", - "IPTABLES_IPV6": "%{IPTABLES_IPV6_START} %{IPTABLES_IP_PAYLOAD}", - "IPTABLES": "%{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}|%{IPTABLES_IPV6})", - "UBIQUITI_FIELD": "[^-\\]]*", - "UBIQUITI_RULESET_NAME": "[^\\]]*", - "UBIQUITI_LABEL": "%{UBIQUITI_RULESET_NAME:iptables.ubiquiti.rule_set}-%{UBIQUITI_FIELD:iptables.ubiquiti.rule_number}-%{UBIQUITI_FIELD:event.outcome}" - } - } - }, - { - "rename": { - "field": "message", - "target_field": "log.original" - } - }, - { - "grok": { - "field": "iptables.ubiquiti.rule_set", - "ignore_missing": true, - "ignore_failure": true, - "patterns": [ - "%{UBIQUITI_FIELD:iptables.ubiquiti.input_zone}-%{UBIQUITI_FIELD:iptables.ubiquiti.output_zone}" - ], - "pattern_definitions": { - "UBIQUITI_FIELD": "[^-]*" - } - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "iptables.raw_date", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss" - ], - "on_failure": [{"append": {"field": 
"error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "iptables.raw_date", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "iptables.raw_date", - "ignore_missing": true - } - }, - - { - "lowercase": { - "field": "network.transport", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "destination.ip", - "target_field": "destination.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "destination.ip", - "target_field": "destination.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.asn", - "target_field": "destination.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.organization_name", - "target_field": "destination.as.organization.name", - "ignore_missing": true - } - }, - { - "script": { - "lang": "painless", - "params": { - "mappings": [ - { - "source": { - "object": "iptables", - "key": "ether_type" - }, - "destination": { - "object": "network", - "key": "type" - }, - "map": { - "08:00": "ipv4", - "86:dd": "ipv6" - } - }, - { - "source": { - 
"object": "event", - "key": "outcome" - }, - "destination": { - "object": "event", - "key": "outcome" - }, - "map": { - "D": "deny", - "A": "allow" - } - }, - { - "source": { - "object": "network", - "key": "transport" - }, - "destination": { - "object": "network", - "key": "transport" - }, - "map": { - "icmpv6": "ipv6-icmp" - } - } - ] - }, - "source": "for (action in params.mappings) { def src = ctx[action.source.object]; if (src != null) { Map map = action.map; String key = src[action.source.key]; String mapping = map[key]; if (mapping != null) { Map dst = ctx[action.destination.object]; if (dst == null) { dst = new HashMap(); ctx[action.destination.object] = dst;} dst[action.destination.key] = mapping; } } }" - } - }, - { - "script": { - "lang": "painless", - "params": { - "hex_fields_to_convert": [ - "ether_type", - "tos", - "precedence_bits", - "tcp_reserved_bits" - ] - }, - "source": "def iptables = ctx['iptables']; if (iptables != null) { for (key in params.hex_fields_to_convert) { long value = 0; def field = iptables[key]; if (field == null) continue; char[] hex = field.toLowerCase().toCharArray(); for (chr in hex) { long v = -1; if (chr >= (char)'a' && chr <= (char)'f') v = (long)chr - (char)'a' + 10; else if (chr >= (char)'0' && chr <= (char)'9') v = (long)chr - (char)'0'; if (v >= 0) {value = value*16 + v;} } iptables[key] = value; } }" - } - }, - { - "rename": { - "field": "iptables.tcp_reserved_bits", - "target_field": "iptables.tcp.reserved_bits", - "ignore_missing": true - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml new file mode 100644 index 00000000000..68b4c62f6ae --- /dev/null +++ b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml 
@@ -0,0 +1,259 @@ +description: Pipeline for IPTables +processors: +- grok: + field: message + patterns: + - '%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}' + - '%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}%{IPTABLES}%{SPACE}' + - '%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}' + - '%{GREEDYDATA}%{IPTABLES}%{SPACE}' + pattern_definitions: + UNSIGNED_INT: '[0-9]+' + ETHTYPE: (?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}) + ETHTYPE_DISCARD: (?::[A-Fa-f0-9]{2})* + NETFILTERMAC: (?:%{MAC:destination.mac}:%{MAC:source.mac}:%{ETHTYPE:iptables.ether_type}?%{ETHTYPE_DISCARD}|%{MAC:destination.mac}%{ETHTYPE_DISCARD}:%{ETHTYPE:iptables.ether_type}?) + IPTABLES_ETHERNET: 'IN=%{DATA:iptables.input_device} OUT=%{DATA:iptables.output_device}?(?: + MAC=%{NETFILTERMAC})?' + IPTABLES_PORT_PAIR: SPT=%{UNSIGNED_INT:source.port:int} DPT=%{UNSIGNED_INT:destination.port:int} + IPTABLES_TCP_FLAGS: (CWR |ECE |URG |ACK |PSH |RST |SYN |FIN )* + IPTABLES_TCP_SEQ: SEQ=%{UNSIGNED_INT:iptables.tcp.seq:int} ACK=%{UNSIGNED_INT:iptables.tcp.ack:int} + IPTABLES_TCP_DETAILS: (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:iptables.tcp.window:int} + RES=0x%{BASE16NUM:iptables.tcp_reserved_bits} %{IPTABLES_TCP_FLAGS:iptables.tcp.flags} + IPTABLES_INCOMPLETE_PACKET: INCOMPLETE \[%{UNSIGNED_INT:iptables.incomplete_bytes:int} + bytes\] + IPTABLES_UDP_DETAILS: LEN=%{UNSIGNED_INT:iptables.udp.length:int} + IPTABLES_ICMP_EXTRA_ECHO: ID=%{UNSIGNED_INT:iptables.icmp.id:int} SEQ=%{UNSIGNED_INT:iptables.icmp.seq:int} + IPTABLES_ICMP_EXTRA_PARAM: PARAMETER=%{UNSIGNED_INT:iptables.icmp.parameter:int} + IPTABLES_ICMP_EXTRA_REDIRECT: GATEWAY=%{IP:iptables.icmp.redirect} + IPTABLES_ICMP_EXTRA: ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))* + IPTABLES_ICMP_DETAILS: TYPE=%{UNSIGNED_INT:iptables.icmp.type:int} CODE=%{UNSIGNED_INT:iptables.icmp.code:int}(( + %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA}) + 
IPTABLES_PROTOCOL: PROTO=(?[a-zA-Z0-9]+) + IPTABLES_IP_PAYLOAD: '%{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?' + IPTABLES_IP_FRAGFLAG: ((?<= )(CE|DF|MF))* + IPTABLES_IP_START: 'SRC=%{IPV4:source.ip} DST=%{IPV4:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} + TOS=0x%{BASE16NUM:iptables.tos} PREC=0x%{BASE16NUM:iptables.precedence_bits} + TTL=%{UNSIGNED_INT:iptables.ttl:int} ID=%{UNSIGNED_INT:iptables.id:int}(?: + %{IPTABLES_IP_FRAGFLAG:iptables.fragment_flags})?(?: FRAG: %{UNSIGNED_INT:iptables.fragment_offset:int})?' + IPTABLES_IP: '%{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}' + IPTABLES_IPV6_START: SRC=%{IPV6:source.ip} DST=%{IPV6:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} + TC=%{UNSIGNED_INT:iptables.tos} HOPLIMIT=%{UNSIGNED_INT:iptables.ttl:int} + FLOWLBL=%{UNSIGNED_INT:iptables.flow_label:int} + IPTABLES_IPV6: '%{IPTABLES_IPV6_START} %{IPTABLES_IP_PAYLOAD}' + IPTABLES: '%{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}|%{IPTABLES_IPV6})' + UBIQUITI_FIELD: '[^-\]]*' + UBIQUITI_RULESET_NAME: '[^\]]*' + UBIQUITI_LABEL: '%{UBIQUITI_RULESET_NAME:iptables.ubiquiti.rule_set}-%{UBIQUITI_FIELD:iptables.ubiquiti.rule_number}-%{UBIQUITI_FIELD:event.action}' +- rename: + field: message + target_field: log.original +- grok: + field: iptables.ubiquiti.rule_set + ignore_missing: true + ignore_failure: true + patterns: + - '%{UBIQUITI_FIELD:iptables.ubiquiti.input_zone}-%{UBIQUITI_FIELD:iptables.ubiquiti.output_zone}' + pattern_definitions: + UBIQUITI_FIELD: '[^-]*' +- date: + if: ctx.event.timezone == null + field: iptables.raw_date + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + on_failure: + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' +- date: + if: ctx.event.timezone != null + field: iptables.raw_date + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + timezone: '{{ event.timezone }}' + on_failure: + - append: + field: 
error.message + value: '{{ _ingest.on_failure_message }}' +- remove: + field: iptables.raw_date + ignore_missing: true +- lowercase: + field: network.transport + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + params: + mappings: + - source: + object: iptables + key: ether_type + destination: + object: network + key: type + map: + 08:00: ipv4 + 86:dd: ipv6 + - source: + object: event + key: action + destination: + object: event + key: action + map: + D: drop + A: accept + - source: + object: event + key: action + destination: + object: event + key: type + map: + drop: denied + accept: allowed + - source: + object: network + key: transport + destination: + object: network + key: transport + map: + icmpv6: ipv6-icmp + source: >- + for (action in params.mappings) { + def src = ctx[action.source.object]; + if (src != null) { + Map map = action.map; + String key = src[action.source.key]; + String mapping = map[key]; + if (mapping != null) { + Map dst = ctx[action.destination.object]; + if (dst == null) { + dst = new HashMap(); + ctx[action.destination.object] = 
dst; + } + dst[action.destination.key] = mapping; + } + } + } + +- script: + lang: painless + params: + hex_fields_to_convert: + - ether_type + - tos + - precedence_bits + - tcp_reserved_bits + source: >- + def iptables = ctx['iptables']; + if (iptables != null) { + for (key in params.hex_fields_to_convert) { + long value = 0; + def field = iptables[key]; + if (field == null) continue; + char[] hex = field.toLowerCase().toCharArray(); + for (chr in hex) { + long v = -1; + if (chr >= (char) 'a' && chr <= (char) 'f') v = (long) chr - (char) 'a' + 10; + else if (chr >= (char) '0' && chr <= (char) '9') v = (long) chr - (char) '0'; + if (v >= 0) { + value = value * 16 + v; + } + } + iptables[key] = value; + } + } + +- set: + field: event.kind + value: event +- append: + field: event.category + value: network +- append: + field: event.type + value: connection + if: "ctx?.source?.ip != null && ctx?.destination?.ip != null" +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- rename: + field: iptables.tcp_reserved_bits + target_field: iptables.tcp.reserved_bits + ignore_missing: true +- split: + field: iptables.tcp.flags + separator: "\\s+" + ignore_missing: true +- split: + field: iptables.fragment_flags + separator: "\\s+" + ignore_missing: true +- set: + field: observer.egress.zone + value: "{{iptables.ubiquiti.output_zone}}" + if: ctx?.iptables?.ubiquiti?.output_zone != null +- set: + field: observer.ingress.zone + value: "{{iptables.ubiquiti.input_zone}}" + if: ctx?.iptables?.ubiquiti?.input_zone != null +- set: + field: rule.id + value: "{{iptables.ubiquiti.rule_number}}" + if: ctx?.iptables?.ubiquiti?.rule_number != null +- set: + field: rule.name + value: "{{iptables.ubiquiti.rule_set}}" + if: ctx?.iptables?.ubiquiti?.rule_set != null +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' 
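Review bot: `IPTABLES_IP_FRAGFLAG` keeps the lookbehind form `((?<= )(CE|DF|MF))*` that `IPTABLES_TCP_FLAGS` moves away from in this hunk, yet the new `split` on `iptables.fragment_flags` with `\s+` implies that several flags are expected in one value. With the lookbehind, the second flag of a run such as `CE DF` has no space immediately before it once `CE` is consumed, so the group stops after one flag and the following ` PROTO=` no longer lines up, which as far as the regex shows would make the whole grok fail rather than yield `["CE", "DF"]` — worth confirming against a sample line. A definition that consumes the separator only between flags keeps the surrounding `(?: … )?(?: FRAG: …)? %{IPTABLES_IP_PAYLOAD}` intact: `IPTABLES_IP_FRAGFLAG: (?:CE|DF|MF)(?: (?:CE|DF|MF))*`. A fixture line carrying two fragment flags would pin that behaviour alongside the new array expectations.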
diff --git a/x-pack/filebeat/module/iptables/log/manifest.yml b/x-pack/filebeat/module/iptables/log/manifest.yml index adbe7e8fdb0..b93377397b9 100644 --- a/x-pack/filebeat/module/iptables/log/manifest.yml +++ b/x-pack/filebeat/module/iptables/log/manifest.yml @@ -15,7 +15,7 @@ var: - name: community_id default: true -ingest_pipeline: ingest/pipeline.json +ingest_pipeline: ingest/pipeline.yml input: config/input.yml requires.processors: diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json index b16a17a05d2..19f0b2a7143 100644 --- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json @@ -3,20 +3,32 @@ "destination.ip": "10.4.0.5", "destination.mac": "90:10:20:76:8d:20", "destination.port": 443, + "event.action": "drop", + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", - "event.outcome": "deny", "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, - "iptables.fragment_flags": "DF", + "iptables.fragment_flags": [ + "DF" + ], "iptables.id": 0, "iptables.input_device": "eth0", "iptables.length": 52, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "ACK", + "iptables.tcp.flags": [ + "ACK" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 2853, "iptables.tos": 0, @@ -30,6 +42,14 @@ "network.community_id": "1:RGJPRWtru8Lg2itNyFREDvoRkNA=", "network.transport": "tcp", "network.type": "ipv4", + "observer.egress.zone": "lan", + "observer.ingress.zone": "wan", + "related.ip": [ + "158.109.0.1", + "10.4.0.5" + ], + "rule.id": "default", + "rule.name": "wan-lan", "service.type": "iptables", "source.as.number": 13041, "source.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", 
diff --git a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json index 85b61db612c..fc5e515461c 100644 --- a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json @@ -2,9 +2,16 @@ { "destination.ip": "192.0.2.83", "destination.mac": "90:10:28:5f:62:24", + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -22,6 +29,10 @@ "network.community_id": "1:T79jBEYlbFhpnIGt2rOuzIv31hE=", "network.transport": "icmp", "network.type": "ipv4", + "related.ip": [ + "192.0.2.71", + "192.0.2.83" + ], "service.type": "iptables", "source.ip": "192.0.2.71", "source.mac": "90:10:18:5a:89:2a", diff --git a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json index 803a9e2b6ae..5589e8dc602 100644 --- a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json 
@@ -3,19 +3,30 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, - "iptables.fragment_flags": "DF", + "iptables.fragment_flags": [ + "DF" + ], "iptables.id": 15743, "iptables.input_device": "eth0", "iptables.length": 52, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 8192, "iptables.tos": 0, @@ -25,6 +36,10 @@ "network.community_id": "1:VD3aeZ6cGYX6uwOAUQ9NuxbobMI=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "203.0.113.36", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "203.0.113.36", "source.mac": "90:10:9e:ec:2c:71", @@ -37,9 +52,16 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 1433, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -48,7 +70,9 @@ "iptables.length": 40, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 1024, "iptables.tos": 0, @@ -58,6 +82,10 @@ "network.community_id": "1:r9MnuXFtcWUKzbVQ2vXn7XSQ2Fg=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.198", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.198", "source.mac": "90:10:76:e0:e2:d5", 
@@ -70,19 +98,30 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, - "iptables.fragment_flags": "DF", + "iptables.fragment_flags": [ + "DF" + ], "iptables.id": 19619, "iptables.input_device": "eth0", "iptables.length": 52, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 8192, "iptables.tos": 0, @@ -92,6 +131,10 @@ "network.community_id": "1:vgBSpDUKSSgxOm6Y52jw6tCgiN8=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "203.0.113.201", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "203.0.113.201", "source.mac": "90:10:9e:ec:2c:71", @@ -104,19 +147,30 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 80, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, - "iptables.fragment_flags": "DF", + "iptables.fragment_flags": [ + "DF" + ], "iptables.id": 4255, "iptables.input_device": "eth0", "iptables.length": 40, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 14600, "iptables.tos": 0, 
@@ -126,6 +180,10 @@ "network.community_id": "1:PCNGbo6CtVQoE5Hch+6oMfbeTP4=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "203.0.113.246", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "203.0.113.246", "source.mac": "90:10:9e:ec:2c:71", @@ -138,19 +196,30 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, - "iptables.fragment_flags": "DF", + "iptables.fragment_flags": [ + "DF" + ], "iptables.id": 27150, "iptables.input_device": "eth0", "iptables.length": 52, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 8192, "iptables.tos": 0, @@ -160,6 +229,10 @@ "network.community_id": "1:Wb/3DTwtWE8C20/hm2JpmBAhsro=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "203.0.113.208", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "203.0.113.208", "source.mac": "90:10:76:e0:e2:d5", @@ -172,9 +245,16 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -183,7 +263,9 @@ "iptables.length": 40, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 1024, "iptables.tos": 0, 
@@ -193,6 +275,10 @@ "network.community_id": "1:+s7vkEgPnzTAoksA2Q0gAzgymfI=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.160", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.160", "source.mac": "90:10:9e:ec:2c:71", @@ -205,19 +291,30 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, - "iptables.fragment_flags": "DF", + "iptables.fragment_flags": [ + "DF" + ], "iptables.id": 6101, "iptables.input_device": "eth0", "iptables.length": 52, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 8192, "iptables.tos": 0, @@ -227,6 +324,10 @@ "network.community_id": "1:6Pvyzf2+vqgsRxWx+eU9MXEhAFE=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.115", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.115", "source.mac": "90:10:76:e0:e2:d5", 
@@ -239,19 +340,30 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, - "iptables.fragment_flags": "DF", + "iptables.fragment_flags": [ + "DF" + ], "iptables.id": 6319, "iptables.input_device": "eth0", "iptables.length": 52, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 8192, "iptables.tos": 0, @@ -261,6 +373,10 @@ "network.community_id": "1:g+bRFDuqViJEc5vzlOapz2LPhFo=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.167", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.167", "source.mac": "90:10:76:e0:e2:d5", @@ -273,9 +389,16 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 139, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -284,7 +407,9 @@ "iptables.length": 40, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 1024, "iptables.tos": 0, @@ -294,6 +419,10 @@ "network.community_id": "1:a/4LVq88msR/LgVGzZeIkmlNXz4=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.19", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.19", "source.mac": "90:10:9e:ec:2c:71", 
@@ -306,9 +435,16 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 8088, + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -317,7 +453,9 @@ "iptables.length": 40, "iptables.output_device": "", "iptables.precedence_bits": 0, - "iptables.tcp.flags": "SYN", + "iptables.tcp.flags": [ + "SYN" + ], "iptables.tcp.reserved_bits": 0, "iptables.tcp.window": 65535, "iptables.tos": 0, @@ -327,6 +465,10 @@ "network.community_id": "1:1l65fWlqrJCJB7vBaqSgHnJoMbQ=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.68", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.68", "source.mac": "90:10:76:e0:e2:d5", diff --git a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json index 0c79c9d6956..8bed25072d7 100644 --- a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json @@ -1,9 +1,16 @@ [ { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 868225, 
@@ -20,6 +27,10 @@ "log.original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "related.ip": [ + "2001:0db8:0000:0000:0000:0000:0000:0001", + "2001:0db8:0000:0000:0000:0000:0000:0002" + ], "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ @@ -28,9 +39,16 @@ }, { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 770819, @@ -47,6 +65,10 @@ "log.original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459695] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=1 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "related.ip": [ + "2001:0db8:0000:0000:0000:0000:0000:0001", + "2001:0db8:0000:0000:0000:0000:0000:0002" + ], "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ @@ -55,9 +77,16 @@ }, { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": [ + "network" + ], "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 868225, 
@@ -74,6 +103,10 @@
 "log.original": "Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482458] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=2 ",
 "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -82,9 +115,16 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 770819,
@@ -101,6 +141,10 @@
 "log.original": "Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482476] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=2 ",
 "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -109,9 +153,16 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 868225,
@@ -128,6 +179,10 @@
 "log.original": "Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506336] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=3 ",
 "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -136,9 +191,16 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 770819,
@@ -155,6 +217,10 @@
 "log.original": "Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506356] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=3 ",
 "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -163,9 +229,16 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 868225,
@@ -182,6 +255,10 @@
 "log.original": "Jan 22 09:05:08 ubuntu-bionic kernel: [16574.533989] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=4 ",
 "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -190,9 +267,16 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 770819,
@@ -209,6 +293,10 @@
 "log.original": "Jan 22 09:05:08 ubuntu-bionic kernel: [16574.534007] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=4 ",
 "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -217,9 +305,16 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 868225,
@@ -236,6 +331,10 @@
 "log.original": "Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553704] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=5 ",
 "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -244,9 +343,16 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 770819,
@@ -263,6 +369,10 @@
 "log.original": "Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553722] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=5 ",
 "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -272,9 +382,16 @@
 {
 "destination.ip": "ff02:0000:0000:0000:0000:0000:0000:0016",
 "destination.mac": "90:10:12:34:56:78",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 34525,
@@ -291,6 +408,10 @@
 "network.community_id": "1:XZrSeKYMvsI3xGPWG5JqrtsD87U=",
 "network.transport": "ipv6-icmp",
 "network.type": "ipv6",
+ "related.ip": [
+ "fe80:0000:0000:0000:0084:88ff:feae:790a",
+ "ff02:0000:0000:0000:0000:0000:0000:0016"
+ ],
 "service.type": "iptables",
 "source.ip": "fe80:0000:0000:0000:0084:88ff:feae:790a",
 "source.mac": "90:10:aa:bb:cc:dd",
diff --git a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
index b7d6aef99ec..486a34c850f 100644
--- a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
@@ -3,10 +3,18 @@
 "destination.ip": "255.55.174.225",
 "destination.mac": "90:10:92:6e:ea:a7",
 "destination.port": 48689,
+ "event.action": "accept",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "allow",
 "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
@@ -25,6 +33,12 @@
 "network.community_id": "1:3qoibVBmc9hsnHpP4Ms5HO6ls7Q=",
 "network.transport": "udp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.48.137",
+ "255.55.174.225"
+ ],
+ "rule.id": "default",
+ "rule.name": "LAN_LOCAL",
 "service.type": "iptables",
 "source.ip": "192.168.48.137",
 "source.mac": "90:10:73:ba:d6:77",
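Review bot: `event.outcome` is dropped from every ubiquiti expectation starting with the `@@ -3,10 +3,18 @@` hunk here (and in each later event in this file) with `event.action` plus `event.type` `allowed`/`denied` taking its place; the old `allow`/`deny` values were not ECS-conformant, since ECS restricts `event.outcome` to success/failure/unknown, so the move is right, but any existing saved search or alert rule on `event.outcome: allow` will silently match nothing after upgrade. The removal should be called out as a breaking change rather than left implicit in the fixtures, and the fixture-level intent (action vs. type) is worth a one-line comment in the pipeline where the mapping is defined.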
@@ -37,20 +51,33 @@
 "destination.ip": "192.0.2.25",
 "destination.mac": "90:10:20:76:8d:20",
 "destination.port": 443,
+ "event.action": "accept",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "allow",
 "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
- "iptables.fragment_flags": "DF",
+ "iptables.fragment_flags": [
+ "DF"
+ ],
 "iptables.id": 51768,
 "iptables.input_device": "eth0",
 "iptables.length": 265,
 "iptables.output_device": "eth2",
 "iptables.precedence_bits": 0,
- "iptables.tcp.flags": "ACK",
+ "iptables.tcp.flags": [
+ "ACK",
+ "PSH"
+ ],
 "iptables.tcp.reserved_bits": 0,
 "iptables.tcp.window": 159,
 "iptables.tos": 0,
@@ -62,6 +89,12 @@
 "network.community_id": "1:7bPQdYPL4yePwQJZt0I1dvVXLHc=",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.134.158",
+ "192.0.2.25"
+ ],
+ "rule.id": "2000",
+ "rule.name": "WAN_OUT",
 "service.type": "iptables",
 "source.ip": "192.168.134.158",
 "source.mac": "90:10:24:67:f4:89",
@@ -74,20 +107,32 @@
 "destination.ip": "192.0.2.25",
 "destination.mac": "90:10:20:76:8d:20",
 "destination.port": 1443,
+ "event.action": "drop",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "deny",
 "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
- "iptables.fragment_flags": "DF",
+ "iptables.fragment_flags": [
+ "DF"
+ ],
 "iptables.id": 0,
 "iptables.input_device": "eth0",
 "iptables.length": 52,
 "iptables.output_device": "eth2",
 "iptables.precedence_bits": 0,
- "iptables.tcp.flags": "ACK",
+ "iptables.tcp.flags": [
+ "ACK"
+ ],
 "iptables.tcp.reserved_bits": 0,
 "iptables.tcp.window": 2857,
 "iptables.tos": 0,
@@ -101,6 +146,14 @@
 "network.community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "observer.egress.zone": "dest",
+ "observer.ingress.zone": "source",
+ "related.ip": [
+ "192.168.110.116",
+ "192.0.2.25"
+ ],
+ "rule.id": "default",
+ "rule.name": "source-dest",
 "service.type": "iptables",
 "source.ip": "192.168.110.116",
 "source.mac": "90:10:65:29:b6:2a",
@@ -113,20 +166,32 @@
 "destination.ip": "192.0.2.25",
 "destination.mac": "90:10:20:76:8d:20",
 "destination.port": 1443,
+ "event.action": "accept",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "allow",
 "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
- "iptables.fragment_flags": "DF",
+ "iptables.fragment_flags": [
+ "DF"
+ ],
 "iptables.id": 0,
 "iptables.input_device": "eth0",
 "iptables.length": 52,
 "iptables.output_device": "eth2",
 "iptables.precedence_bits": 0,
- "iptables.tcp.flags": "ACK",
+ "iptables.tcp.flags": [
+ "ACK"
+ ],
 "iptables.tcp.reserved_bits": 0,
 "iptables.tcp.window": 2853,
 "iptables.tos": 0,
@@ -138,6 +203,12 @@
 "network.community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.110.116",
+ "192.0.2.25"
+ ],
+ "rule.id": "2000",
+ "rule.name": "WAN_OUT",
 "service.type": "iptables",
 "source.ip": "192.168.110.116",
 "source.mac": "90:10:65:29:b6:2a",
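Review bot: In the `@@ -101,6 +146,14 @@` hunk this is the only event that carries `observer.ingress.zone`/`observer.egress.zone`, and their values `source`/`dest` are exactly the two halves of `rule.name` `source-dest`, while the `LAN_LOCAL` and `WAN_OUT` events get no zones at all. If the pipeline derives the zones by splitting the Ubiquiti label on `-`, a real rule whose name contains a hyphen would be misread as a zone pair and lose its name, and nothing in the fixture set exercises that case. A test line with a hyphenated rule name, or a comment in the pipeline stating the exact label format the zone extraction assumes, would pin the intended behaviour; the pipeline itself is outside this diff, so this is inferred from the expectations only.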
@@ -150,20 +221,32 @@
 "destination.ip": "192.0.2.25",
 "destination.mac": "90:10:20:76:8d:20",
 "destination.port": 1443,
+ "event.action": "accept",
+ "event.category": [
+ "network"
+ ],
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "allow",
 "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
- "iptables.fragment_flags": "DF",
+ "iptables.fragment_flags": [
+ "DF"
+ ],
 "iptables.id": 0,
 "iptables.input_device": "eth0",
 "iptables.length": 52,
 "iptables.output_device": "eth2",
 "iptables.precedence_bits": 0,
- "iptables.tcp.flags": "ACK",
+ "iptables.tcp.flags": [
+ "ACK"
+ ],
 "iptables.tcp.reserved_bits": 0,
 "iptables.tcp.window": 2850,
 "iptables.tos": 0,
@@ -175,6 +258,12 @@
 "network.community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.110.116",
+ "192.0.2.25"
+ ],
+ "rule.id": "2000",
+ "rule.name": "WAN_OUT",
 "service.type": "iptables",
 "source.ip": "192.168.110.116",
 "source.mac": "90:10:65:29:b6:2a",