elastic · efd6 · Jun 28, 2023 · May 26, 2023 · May 26, 2023 · May 26, 2023
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -12,6 +12,7 @@
 /packages/apache @elastic/obs-infraobs-integrations
 /packages/apache_spark @elastic/obs-infraobs-integrations
 /packages/apache_tomcat @elastic/obs-infraobs-integrations
+/packages/arista_ngfw @elastic/security-external-integrations
 /packages/atlassian_bitbucket @elastic/security-external-integrations
 /packages/atlassian_confluence @elastic/security-external-integrations
 /packages/atlassian_jira @elastic/security-external-integrations

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]
@@ -0,0 +1,29 @@
+# Arista NG Firewall
+
+This integration is for [Arista NG Firewall](https://edge.arista.com/ng-firewall/) (previously Untangle NG Firewall) event logs and metrics. The package processes syslog messages from Arista NG Firewall devices.
+
+## Configuration
+
+Arista NG Firewall supports several syslog output rules that may be configured on the [Events](https://wiki.edge.arista.com/index.php/Events) tab in the firewall's configuration. 
+
+## Supported Event types:
+
+* Admin Login Event
+* Firewall Event
+* HTTP Request Event
+* HTTP Response Event
+* Interface Stat Event
+* Intrusion Prevention Log Event
+* Session Event
+* System Stat Event
+* Web Filter Event
+
+## Logs
+
+### Arista NG Firewall
+
+The `log` dataset collects the Arista NG Firewall logs.
+
+{{event "log"}}
+
+{{fields "log"}}
@@ -0,0 +1,12 @@
+version: "2.3"
+services:
+  arista-ngfw-tcp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=tcp /sample_logs/*.log
+  arista-ngfw-udp:
+    image: docker.elastic.co/observability/stream:v0.6.2
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9514 -p=udp /sample_logs/*.log
@@ -0,0 +1,10 @@
+<174>May 24 13:09:53 INFO  uvm[0]:  {"timeStamp":"2023-05-24 13:09:53.477","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
+<174>May 23 10:06:57 INFO  uvm[0]:  {"timeStamp":"2023-05-23 10:06:57.518","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
+<174>May 23 13:35:42 INFO  uvm[0]:  {"timeStamp":"2023-05-23 13:35:42.611","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
+<174>May 22 13:47:59 INFO  uvm[0]:  {"timeStamp":"2023-05-22 13:47:59.495","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
+<174>May 21 09:58:40 INFO  uvm[0]:  {"timeStamp":"2023-05-21 09:58:40.25","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
+<174>May 20 08:12:47 INFO  uvm[0]:  {"timeStamp":"2023-05-20 08:12:47.018","reason":"U","login":"admin","clientAddress":"10.0.1.5","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":false}
+<174>May 18 15:08:14 INFO  uvm[0]:  {"timeStamp":"2023-05-18 15:08:14.224","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
+<174>May 18 06:58:38 INFO  uvm[0]:  {"timeStamp":"2023-05-18 06:58:38.36","login":"admin","clientAddress":"10.0.1.144","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
+<174>May 17 15:04:03 INFO  uvm[0]:  {"timeStamp":"2023-05-17 15:04:03.772","login":"admin","clientAddress":"10.0.1.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
+<174>May 12 09:09:40 INFO  uvm[0]:  {"timeStamp":"2023-05-12 09:09:40.787","login":"admin","clientAddress":"10.0.0.21","class":"class com.untangle.uvm.event.AdminLoginEvent","local":false,"succeeded":true}
@@ -0,0 +1,20 @@
+<174>May 22 16:32:28 INFO  uvm[0]:  {"timeStamp":"2023-05-22 16:32:28.771","flagged":false,"blocked":false,"sessionId":110221865377229,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 22 16:32:28 INFO  uvm[0]:  {"timeStamp":"2023-05-22 16:32:28.194","flagged":false,"blocked":false,"sessionId":110221865377228,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 22 16:32:27 INFO  uvm[0]:  {"timeStamp":"2023-05-22 16:32:27.875","flagged":false,"blocked":false,"sessionId":110221865377227,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 22 16:32:26 INFO  uvm[0]:  {"timeStamp":"2023-05-22 16:32:26.743","flagged":false,"blocked":false,"sessionId":110221865377226,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 22 16:32:26 INFO  uvm[0]:  {"timeStamp":"2023-05-22 16:32:26.686","flagged":false,"blocked":false,"sessionId":110221865377225,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 22 16:32:25 INFO  uvm[0]:  {"timeStamp":"2023-05-22 16:32:25.504","flagged":false,"blocked":false,"sessionId":110221865377221,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:15 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:15.43","flagged":false,"blocked":false,"sessionId":110221865772671,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:14 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:14.164","flagged":false,"blocked":false,"sessionId":110221865772670,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:12 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:12.916","flagged":false,"blocked":false,"sessionId":110221865772669,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:11 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:11.806","flagged":false,"blocked":false,"sessionId":110221865772668,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:11 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:11.718","flagged":false,"blocked":false,"sessionId":110221865772667,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:11 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:11.699","flagged":false,"blocked":false,"sessionId":110221865772666,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:11 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:11.348","flagged":false,"blocked":false,"sessionId":110221865772664,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:11 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:11.214","flagged":false,"blocked":false,"sessionId":110221865772663,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:11 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:11.123","flagged":false,"blocked":false,"sessionId":110221865772662,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:10 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:10.907","flagged":false,"blocked":false,"sessionId":110221865772661,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:10 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:10.382","flagged":false,"blocked":false,"sessionId":110221865772657,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:09 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:09.861","flagged":false,"blocked":false,"sessionId":110221865772656,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:09 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:09.807","flagged":false,"blocked":false,"sessionId":110221865772655,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
+<174>May 23 15:17:09 INFO  uvm[0]:  {"timeStamp":"2023-05-23 15:17:09.738","flagged":false,"blocked":false,"sessionId":110221865772654,"ruleId":0,"class":"class com.untangle.app.firewall.FirewallEvent"}
@@ -0,0 +1,10 @@
+<174>May 25 09:07:44 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:44.093","method":"GET","requestId":110221859354811,"domain":"amer.ng.msg.teams.microsoft.com","host":"amer.ng.msg.teams.microsoft.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"D23613W10","CServerPort":443,"protocolName":"TCP","serverLatitude":37.3388,"localAddr":"192.168.201.21","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.21","serverCountry":"US","sessionId":110221866487132,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":59560,"timeStamp":"2023-05-25 09:07:44.062","serverLongitude":-121.8914,"clientIntf":2,"policyId":1,"SClientPort":13485,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","username":"johndoe","tagsString":""}}
+<174>May 25 09:07:34 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:34.395","method":"GET","requestId":110221859354809,"domain":"mozilla.cloudflare-dns.com","host":"mozilla.cloudflare-dns.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"RemoteApp1","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.200.50","SServerAddr":"81.2.69.142","remoteAddr":"81.2.69.142","serverIntf":1,"CClientAddr":"192.168.200.50","serverCountry":"US","sessionId":110221866487106,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":16040,"timeStamp":"2023-05-25 09:07:34.386","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":15128,"bypassed":false,"SServerPort":443,"CServerAddr":"81.2.69.142","tagsString":""}}
+<174>May 25 09:07:33 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:33.314","method":"GET","requestId":110221859354806,"domain":"sb.scorecardresearch.com","host":"sb.scorecardresearch.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487103,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":51598,"timeStamp":"2023-05-25 09:07:33.273","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":45333,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}}
+<174>May 25 09:07:30 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:30.333","method":"GET","requestId":110221859354805,"domain":"www.gstatic.com","host":"www.gstatic.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487093,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":50548,"timeStamp":"2023-05-25 09:07:30.316","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":39662,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}}
+<174>May 25 09:07:30 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:30.118","method":"GET","requestId":110221859354804,"domain":"inapps.appsflyer.com","host":"inapps.appsflyer.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487086,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":36398,"timeStamp":"2023-05-25 09:07:30.072","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":40425,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}}
+<174>May 25 09:07:29 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:29.775","method":"GET","requestId":110221859354791,"domain":"data.pendo.io","host":"data.pendo.io","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":39.1028,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487071,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":40596,"timeStamp":"2023-05-25 09:07:29.763","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":32984,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}}
+<174>May 25 09:07:28 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:28.758","method":"GET","requestId":110221859354783,"domain":"telemetry.elastic.co","host":"telemetry.elastic.co","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Elastic","CServerPort":443,"protocolName":"TCP","serverLatitude":39.1028,"localAddr":"192.168.200.15","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.200.15","serverCountry":"US","sessionId":110221866487052,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":52762,"timeStamp":"2023-05-25 09:07:28.754","serverLongitude":-94.5778,"clientIntf":2,"policyId":1,"SClientPort":30035,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}}
+<174>May 25 09:07:28 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:28.187","method":"GET","requestId":110221859354760,"domain":"wn0.rumble.com","host":"wn0.rumble.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"XU","sessionId":110221866487028,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":57482,"timeStamp":"2023-05-25 09:07:28.157","clientIntf":2,"policyId":1,"SClientPort":13556,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}}
+<174>May 25 09:07:27 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:27.517","method":"GET","requestId":110221859354759,"domain":"play-fe.googleapis.com","host":"play-fe.googleapis.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487026,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":60308,"timeStamp":"2023-05-25 09:07:27.498","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":21706,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}}
+<174>May 25 09:07:27 INFO  uvm[0]:  {"timeStamp":"2023-05-25 09:07:27.295","method":"GET","requestId":110221859354758,"domain":"api.accuweather.com","host":"api.accuweather.com","contentLength":0,"requestUri":"/","class":"class com.untangle.app.http.HttpRequestEvent","sessionEvent":{"entitled":true,"protocol":6,"hostname":"Galaxy-S22","CServerPort":443,"protocolName":"TCP","serverLatitude":37.751,"localAddr":"192.168.201.6","SServerAddr":"67.43.156.12","remoteAddr":"67.43.156.12","serverIntf":1,"CClientAddr":"192.168.201.6","serverCountry":"US","sessionId":110221866487024,"SClientAddr":"1.128.0.1","clientCountry":"XL","policyRuleId":0,"CClientPort":48988,"timeStamp":"2023-05-25 09:07:27.284","serverLongitude":-97.822,"clientIntf":2,"policyId":1,"SClientPort":48278,"bypassed":false,"SServerPort":443,"CServerAddr":"67.43.156.12","tagsString":""}}