-
Notifications
You must be signed in to change notification settings - Fork 464
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Arista NG Firewall] Initial Release (#6347)
- Loading branch information
Showing
57 changed files
with
14,520 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| dependencies: | ||
| ecs: | ||
| reference: [email protected] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| # Arista NG Firewall | ||
|
|
||
| This integration is for [Arista NG Firewall](https://edge.arista.com/ng-firewall/) (previously Untangle NG Firewall) event logs and metrics. The package processes syslog messages from Arista NG Firewall devices. | ||
|
|
||
| ## Configuration | ||
|
|
||
| Arista NG Firewall supports several syslog output rules that may be configured on the [Events](https://wiki.edge.arista.com/index.php/Events) tab in the firewall's configuration. | ||
|
|
||
| ## Supported Event types: | ||
|
|
||
| * Admin Login Event | ||
| * Firewall Event | ||
| * HTTP Request Event | ||
| * HTTP Response Event | ||
| * Interface Stat Event | ||
| * Intrusion Prevention Log Event | ||
| * Session Event | ||
| * System Stat Event | ||
| * Web Filter Event | ||
|
|
||
| ## Logs | ||
|
|
||
| ### Arista NG Firewall | ||
|
|
||
| The `log` dataset collects the Arista NG Firewall logs. | ||
|
|
||
| {{event "log"}} | ||
|
|
||
| {{fields "log"}} |
12 changes: 12 additions & 0 deletions
12
packages/arista_ngfw/_dev/deploy/docker/docker-compose.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| version: "2.3" | ||
| services: | ||
| arista-ngfw-tcp: | ||
| image: docker.elastic.co/observability/stream:v0.6.2 | ||
| volumes: | ||
| - ./sample_logs:/sample_logs:ro | ||
| command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/*.log | ||
| arista-ngfw-udp: | ||
| image: docker.elastic.co/observability/stream:v0.6.2 | ||
| volumes: | ||
| - ./sample_logs:/sample_logs:ro | ||
| command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/*.log |
10 changes: 10 additions & 0 deletions
10
packages/arista_ngfw/_dev/deploy/docker/sample_logs/admin-login.log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| <174>May 24 13:09:53 INFO uvm[0]: {"timeStamp":"2023-05-24 13:09:53.477","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} | ||
| <174>May 23 10:06:57 INFO uvm[0]: {"timeStamp":"2023-05-23 10:06:57.518","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} | ||
| <174>May 23 13:35:42 INFO uvm[0]: {"timeStamp":"2023-05-23 13:35:42.611","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} | ||
| <174>May 22 13:47:59 INFO uvm[0]: {"timeStamp":"2023-05-22 13:47:59.495","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} | ||
| <174>May 21 09:58:40 INFO uvm[0]: {"timeStamp":"2023-05-21 09:58:40.25","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} | ||
| <174>May 20 08:12:47 INFO uvm[0]: {"timeStamp":"2023-05-20 08:12:47.018","reason":"U","login":"admin","clientAddress":"10.0.1.5","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":false} | ||
| <174>May 18 15:08:14 INFO uvm[0]: {"timeStamp":"2023-05-18 15:08:14.224","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} | ||
| <174>May 18 06:58:38 INFO uvm[0]: {"timeStamp":"2023-05-18 06:58:38.36","login":"admin","clientAddress":"10.0.1.144","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} | ||
| <174>May 17 15:04:03 INFO uvm[0]: {"timeStamp":"2023-05-17 15:04:03.772","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} | ||
| <174>May 12 09:09:40 INFO uvm[0]: {"timeStamp":"2023-05-12 09:09:40.787","login":"admin","clientAddress":"10.0.0.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true} |
20 changes: 20 additions & 0 deletions
20
packages/arista_ngfw/_dev/deploy/docker/sample_logs/firewall-event.log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| <174>May 22 16:32:28 INFO uvm[0]: {"timeStamp":"2023-05-22 16:32:28.771","flagged":false,"blocked":false,"sessionId":110221865377229,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 22 16:32:28 INFO uvm[0]: {"timeStamp":"2023-05-22 16:32:28.194","flagged":false,"blocked":false,"sessionId":110221865377228,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 22 16:32:27 INFO uvm[0]: {"timeStamp":"2023-05-22 16:32:27.875","flagged":false,"blocked":false,"sessionId":110221865377227,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 22 16:32:26 INFO uvm[0]: {"timeStamp":"2023-05-22 16:32:26.743","flagged":false,"blocked":false,"sessionId":110221865377226,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 22 16:32:26 INFO uvm[0]: {"timeStamp":"2023-05-22 16:32:26.686","flagged":false,"blocked":false,"sessionId":110221865377225,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 22 16:32:25 INFO uvm[0]: {"timeStamp":"2023-05-22 16:32:25.504","flagged":false,"blocked":false,"sessionId":110221865377221,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:15 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:15.43","flagged":false,"blocked":false,"sessionId":110221865772671,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:14 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:14.164","flagged":false,"blocked":false,"sessionId":110221865772670,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:12 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:12.916","flagged":false,"blocked":false,"sessionId":110221865772669,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:11 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:11.806","flagged":false,"blocked":false,"sessionId":110221865772668,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:11 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:11.718","flagged":false,"blocked":false,"sessionId":110221865772667,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:11 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:11.699","flagged":false,"blocked":false,"sessionId":110221865772666,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:11 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:11.348","flagged":false,"blocked":false,"sessionId":110221865772664,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:11 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:11.214","flagged":false,"blocked":false,"sessionId":110221865772663,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:11 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:11.123","flagged":false,"blocked":false,"sessionId":110221865772662,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:10 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:10.907","flagged":false,"blocked":false,"sessionId":110221865772661,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:10 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:10.382","flagged":false,"blocked":false,"sessionId":110221865772657,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:09 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:09.861","flagged":false,"blocked":false,"sessionId":110221865772656,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:09 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:09.807","flagged":false,"blocked":false,"sessionId":110221865772655,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} | ||
| <174>May 23 15:17:09 INFO uvm[0]: {"timeStamp":"2023-05-23 15:17:09.738","flagged":false,"blocked":false,"sessionId":110221865772654,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"} |
10 changes: 10 additions & 0 deletions
10
packages/arista_ngfw/_dev/deploy/docker/sample_logs/http-request.log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| <174>May 25 09:07:44 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:44.093","method":"GET","requestId":110221859354811,"domain":"amer.ng.msg.teams.microsoft.com","host":"amer.ng.msg.teams.microsoft.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"D23613W10","CServerPort":443,"protocolName":"TCP","serverLatitude":37.3388,"localAddr":"192.168.201.21","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.21","serverCountry":"US","sessionId":110221866487132,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":59560,"timeStamp":"2023-05-25 09:07:44.062","serverLongitude":-121.8914,"clientIntf":2,"policyId":1,"SClientPort":13485,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","username":"johndoe","tagsString":""}} | ||
| <174>May 25 09:07:34 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:34.395","method":"GET","requestId":110221859354809,"domain":"mozilla.cloudflare-dns.com","host":"mozilla.cloudflare-dns.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"RemoteApp1","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.200.50","SServerAddr":"81.2.69.142","remoteAddr":"81.2.69.142","serverIntf":1,"CClientAddr":"192.168.200.50","serverCountry":"US","sessionId":110221866487106,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":16040,"timeStamp":"2023-05-25 09:07:34.386","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":15128,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.142","tagsString":""}} | ||
| <174>May 25 09:07:33 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:33.314","method":"GET","requestId":110221859354806,"domain":"sb.scorecardresearch.com","host":"sb.scorecardresearch.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487103,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":51598,"timeStamp":"2023-05-25 09:07:33.273","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":45333,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}} | ||
| <174>May 25 09:07:30 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:30.333","method":"GET","requestId":110221859354805,"domain":"www.gstatic.com","host":"www.gstatic.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487093,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":50548,"timeStamp":"2023-05-25 09:07:30.316","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":39662,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}} | ||
| <174>May 25 09:07:30 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:30.118","method":"GET","requestId":110221859354804,"domain":"inapps.appsflyer.com","host":"inapps.appsflyer.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487086,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":36398,"timeStamp":"2023-05-25 09:07:30.072","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":40425,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}} | ||
| <174>May 25 09:07:29 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:29.775","method":"GET","requestId":110221859354791,"domain":"data.pendo.io","host":"data.pendo.io","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":39.1028,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487071,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":40596,"timeStamp":"2023-05-25 09:07:29.763","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":32984,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}} | ||
| <174>May 25 09:07:28 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:28.758","method":"GET","requestId":110221859354783,"domain":"telemetry.elastic.co","host":"telemetry.elastic.co","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Elastic","CServerPort":443,"protocolName":"TCP","serverLatitude":39.1028,"localAddr":"192.168.200.15","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.200.15","serverCountry":"US","sessionId":110221866487052,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":52762,"timeStamp":"2023-05-25 09:07:28.754","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":30035,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}} | ||
| <174>May 25 09:07:28 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:28.187","method":"GET","requestId":110221859354760,"domain":"wn0.rumble.com","host":"wn0.rumble.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"XU","sessionId":110221866487028,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":57482,"timeStamp":"2023-05-25 09:07:28.157","clientIntf":2,"policyId":1,"SClientPort":13556,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}} | ||
| <174>May 25 09:07:27 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:27.517","method":"GET","requestId":110221859354759,"domain":"play-fe.googleapis.com","host":"play-fe.googleapis.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487026,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":60308,"timeStamp":"2023-05-25 09:07:27.498","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":21706,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}} | ||
| <174>May 25 09:07:27 INFO uvm[0]: {"timeStamp":"2023-05-25 09:07:27.295","method":"GET","requestId":110221859354758,"domain":"api.accuweather.com","host":"api.accuweather.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487024,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":48988,"timeStamp":"2023-05-25 09:07:27.284","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":48278,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}} |
Oops, something went wrong.