x-pack/filebeat/module/sophos/xg: fix kv field separation and add support for timestamped log line #29331

Merged (6 commits), Jan 4, 2022
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -87,6 +87,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

- aws-s3: Stop trying to increase SQS message visibility after ReceiptHandleIsInvalid errors. {pull}29480[29480]
- Fix handling of IPv6 addresses in netflow flow events. {issue}19210[19210] {pull}29383[29383]
- Fix `sophos` KV splitting and syslog header handling {issue}24237[24237] {pull}29331[29331]
- Undo deletion of endpoint config from cloudtrail fileset in {pull}29415[29415]. {pull}29450[29450]

*Heartbeat*
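Review bot: the new entry names only the module ("Fix `sophos` KV splitting and syslog header handling") while the neighbouring entries name the specific fileset or input (aws-s3, netflow, cloudtrail); say `sophos/xg` so readers can tell which fileset is affected. The PR title also says it adds support for a timestamped log line, but the entry only mentions "syslog header handling"; spelling out that lines with a syslog timestamp prefix are now parsed makes the new capability discoverable from the changelog, e.g. "Fix `sophos/xg` KV splitting and accept log lines with a syslog timestamp header".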
2 changes: 1 addition & 1 deletion NOTICE.txt
@@ -1,5 +1,5 @@
Elastic Beats
Copyright 2014-2021 Elasticsearch BV
Copyright 2014-2022 Elasticsearch BV

This product includes software developed by The Apache Software
Foundation (http://www.apache.org/).
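Review bot: the copyright year bump from 2014-2021 to 2014-2022 is unrelated to the sophos/xg fix; it is picked up when NOTICE.txt is regenerated. Harmless, but it touches a file that many concurrently open PRs also regenerate, so it invites rebase conflicts; keep it in its own commit (or leave it to the routine year-bump change) so this diff stays limited to the sophos change.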
10 changes: 10 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -143278,6 +143278,16 @@ type: keyword
The related XSS caught by the WAF


type: keyword

--

*`sophos.xg.ether_type`*::
+
--
The ethernet frame type


type: keyword

--
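Review bot: the added `sophos.xg.ether_type` field is described as "The ethernet frame type" (lower-case "ethernet"); since fields.asciidoc is generated from the module's fields.yml, fix the wording in fields.yml and regenerate rather than editing this file by hand, otherwise the next regeneration reverts it. Also, neither the PR title nor the changelog entry mentions a new field; a one-line note that the xg fileset now emits `sophos.xg.ether_type` (keyword) would tell operators building detections or index templates what changed.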
Original file line number Diff line number Diff line change
Expand Up @@ -181,12 +181,12 @@
"event.code": 609002,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T17:51:17.000-02:00",
"event.end": "2022-05-05T17:51:17.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%FTD-7-609002: Teardown local-host net:192.168.2.2 duration 0:00:00",
"event.severity": 7,
"event.start": "2021-05-05T19:51:17.000Z",
"event.start": "2022-05-05T19:51:17.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
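Review bot: in this and every following hunk of the cisco.asa expected-output file, `event.start` and `event.end` move from 2021 to 2022 while `event.original` is unchanged and carries no year, so the year is being taken from the clock at the moment the golden files were regenerated, not from the log line. That makes these fixtures drift every January, and with a merge date of Jan 4, 2022 the events now sit in the future (May 2022, April 2022). Consider pinning the reference time the test harness uses for year inference; failing that, regenerate these fixtures in a separate housekeeping PR so the sophos/xg review stays focused on the lines it actually changes.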
Expand Down Expand Up @@ -701,12 +701,12 @@
"event.code": 609002,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T18:24:31.000-02:00",
"event.end": "2022-05-05T18:24:31.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-7-609002: Teardown local-host identity:10.10.10.10 duration 0:00:00",
"event.severity": 7,
"event.start": "2021-05-05T20:24:31.000Z",
"event.start": "2022-05-05T20:24:31.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
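Review bot: `event.end` is serialised in the local offset ("2022-05-05T18:24:31.000-02:00") while `event.start` is serialised in UTC ("2022-05-05T20:24:31.000Z"); the two describe the same instant and `event.duration` is 0, so the values are consistent, but the mixed formatting is easy to misread as a two-hour gap. This is pre-existing cisco module behaviour and not introduced here; worth a follow-up to emit both in one representation rather than fixing in this PR.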
Expand Down Expand Up @@ -849,13 +849,13 @@
"event.code": 302014,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T18:29:32.000-02:00",
"event.end": "2022-05-05T18:29:32.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302014: Teardown TCP connection 2960892904 for out111:10.10.10.10/443 to fw111:192.168.2.2/55225 duration 0:00:00 bytes 0 TCP Reset-I",
"event.reason": "TCP Reset-I",
"event.severity": 6,
"event.start": "2021-05-05T20:29:32.000Z",
"event.start": "2022-05-05T20:29:32.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -966,12 +966,12 @@
"event.code": 305012,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T18:29:32.000-02:00",
"event.end": "2022-05-05T18:29:32.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-305012: Teardown dynamic UDP translation from fw111:10.10.10.10/54230 to out111:192.168.2.2/54230 duration 0:00:00",
"event.severity": 6,
"event.start": "2021-05-05T20:29:32.000Z",
"event.start": "2022-05-05T20:29:32.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -1175,12 +1175,12 @@
"event.code": 302016,
"event.dataset": "cisco.asa",
"event.duration": 124000000000,
"event.end": "2021-05-05T18:40:50.000-02:00",
"event.end": "2022-05-05T18:40:50.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-2-302016: Teardown UDP connection 1671727 for intfacename:10.10.10.10/161 to net:192.186.2.2/53356 duration 0:02:04 bytes 64585",
"event.severity": 2,
"event.start": "2021-05-05T20:38:46.000Z",
"event.start": "2022-05-05T20:38:46.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -1812,13 +1812,13 @@
"event.code": 302023,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T19:02:58.000-02:00",
"event.end": "2022-05-05T19:02:58.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302023: Teardown stub TCP connection for fw111:10.10.10.10/39210 to net:192.168.2.2/10051 duration 0:00:00 forwarded bytes 0 Cluster flow with CLU closed on owner",
"event.reason": "Cluster flow with CLU closed on owner",
"event.severity": 6,
"event.start": "2021-05-05T21:02:58.000Z",
"event.start": "2022-05-05T21:02:58.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"
Expand Down Expand Up @@ -1868,13 +1868,13 @@
"event.code": 302023,
"event.dataset": "cisco.asa",
"event.duration": 0,
"event.end": "2021-05-05T19:02:58.000-02:00",
"event.end": "2022-05-05T19:02:58.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302023: Teardown stub TCP connection for net:10.10.10.10/10051 to unknown:192.168.2.2/39222 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow",
"event.reason": "Forwarding or redirect flow removed to create director or backup flow",
"event.severity": 6,
"event.start": "2021-05-05T21:02:58.000Z",
"event.start": "2022-05-05T21:02:58.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"
Expand Down Expand Up @@ -2687,13 +2687,13 @@
"event.code": 302304,
"event.dataset": "cisco.asa",
"event.duration": 3602000000000,
"event.end": "2021-04-27T04:12:23.000-02:00",
"event.end": "2022-04-27T04:12:23.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-6-302304: Teardown TCP state-bypass connection 2751765169 from server.deflan:81.2.69.143/54242 to server.deflan:67.43.156.12/9101 duration 1:00:02 bytes 245 Connection timeout",
"event.reason": "Connection timeout",
"event.severity": 6,
"event.start": "2021-04-27T05:12:21.000Z",
"event.start": "2022-04-27T05:12:21.000Z",
"event.timezone": "-02:00",
"event.type": [
"connection",
Expand Down Expand Up @@ -3228,13 +3228,13 @@
"event.code": 113019,
"event.dataset": "cisco.asa",
"event.duration": 1936000000000,
"event.end": "2021-04-27T02:03:03.000-02:00",
"event.end": "2022-04-27T02:03:03.000-02:00",
"event.kind": "event",
"event.module": "cisco",
"event.original": "%ASA-4-113019: Group = 81.2.69.143, Username = 81.2.69.143, IP = 81.2.69.143, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:32m:16s, Bytes xmt: 297103, Bytes rcv: 1216163, Reason: User Requested",
"event.reason": "User Requested",
"event.severity": 4,
"event.start": "2021-04-27T03:30:47.000Z",
"event.start": "2022-04-27T03:30:47.000Z",
"event.timezone": "-02:00",
"event.type": [
"info"