From ee6ee40ac0ce330cf8a3b70dd39ed9dd8934e73c Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Wed, 26 Feb 2020 12:58:15 -0600
Subject: [PATCH] Improve ECS categorization in iptables module

- event.category
- event.kind
- event.type
- related.ip
- convert pipeline to yaml

Closes #16166
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/iptables/log/ingest/pipeline.json | 244 ------------------
 .../module/iptables/log/ingest/pipeline.yml | 226 ++++++++++++++++
 .../filebeat/module/iptables/log/manifest.yml | 2 +-
 .../iptables/log/test/geo.log-expected.json | 11 +-
 .../iptables/log/test/icmp.log-expected.json | 9 +
 .../log/test/iptables.log-expected.json | 90 +++++++
 .../iptables/log/test/ipv6.log-expected.json | 99 +++++++
 .../log/test/ubiquiti.log-expected.json | 55 +++-
 9 files changed, 486 insertions(+), 251 deletions(-)
 delete mode 100644 x-pack/filebeat/module/iptables/log/ingest/pipeline.json
 create mode 100644 x-pack/filebeat/module/iptables/log/ingest/pipeline.yml

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index a2cf0514d0e..f9f406d0f46 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -181,6 +181,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization, host field mappings in elasticsearch module. {issue}16160[16160] {pull}16469[16469]
 - Add ECS related fields to CEF module {issue}16157[16157] {pull}16338[16338]
 - Improve ECS categorization field mappings in suricata module. {issue}16181[16181] {pull}16843[16843]
+- Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.json b/x-pack/filebeat/module/iptables/log/ingest/pipeline.json
deleted file mode 100644
index d5a36988e18..00000000000
--- a/x-pack/filebeat/module/iptables/log/ingest/pipeline.json
+++ /dev/null
@@ -1,244 +0,0 @@ -{ - "description" : "Pipeline for IPTables", - "processors" : [ - { - "grok": { - "field": "message", - "patterns": [ - "%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}\\[%{UBIQUITI_LABEL}\\]%{IPTABLES}%{SPACE}", - "%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}%{IPTABLES}%{SPACE}", - "%{GREEDYDATA}\\[%{UBIQUITI_LABEL}\\]%{IPTABLES}%{SPACE}", - "%{GREEDYDATA}%{IPTABLES}%{SPACE}" - ], - "pattern_definitions": { - "UNSIGNED_INT": "[0-9]+", - "ETHTYPE": "(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2})", - "ETHTYPE_DISCARD": "(?::[A-Fa-f0-9]{2})*", - "NETFILTERMAC": "(?:%{MAC:destination.mac}:%{MAC:source.mac}:%{ETHTYPE:iptables.ether_type}?%{ETHTYPE_DISCARD}|%{MAC:destination.mac}%{ETHTYPE_DISCARD}:%{ETHTYPE:iptables.ether_type}?)", - "IPTABLES_ETHERNET": "IN=%{DATA:iptables.input_device} OUT=%{DATA:iptables.output_device}?(?: MAC=%{NETFILTERMAC})?", - "IPTABLES_PORT_PAIR": "SPT=%{UNSIGNED_INT:source.port:int} DPT=%{UNSIGNED_INT:destination.port:int}", - "IPTABLES_TCP_FLAGS": "((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))*", - "IPTABLES_TCP_SEQ": "SEQ=%{UNSIGNED_INT:iptables.tcp.seq:int} ACK=%{UNSIGNED_INT:iptables.tcp.ack:int}", - "IPTABLES_TCP_DETAILS": "(?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:iptables.tcp.window:int} RES=0x%{BASE16NUM:iptables.tcp_reserved_bits} %{IPTABLES_TCP_FLAGS:iptables.tcp.flags}", - "IPTABLES_INCOMPLETE_PACKET": "INCOMPLETE \\[%{UNSIGNED_INT:iptables.incomplete_bytes:int} bytes\\]", - "IPTABLES_UDP_DETAILS": "LEN=%{UNSIGNED_INT:iptables.udp.length:int}", - "IPTABLES_ICMP_EXTRA_ECHO": "ID=%{UNSIGNED_INT:iptables.icmp.id:int} SEQ=%{UNSIGNED_INT:iptables.icmp.seq:int}", - "IPTABLES_ICMP_EXTRA_PARAM": "PARAMETER=%{UNSIGNED_INT:iptables.icmp.parameter:int}", - "IPTABLES_ICMP_EXTRA_REDIRECT": "GATEWAY=%{IP:iptables.icmp.redirect}", - "IPTABLES_ICMP_EXTRA": "( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))*", - "IPTABLES_ICMP_DETAILS": "TYPE=%{UNSIGNED_INT:iptables.icmp.type:int} 
CODE=%{UNSIGNED_INT:iptables.icmp.code:int}(( %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA})", - "IPTABLES_PROTOCOL": "PROTO=(?[a-zA-Z0-9]+)", - "IPTABLES_IP_PAYLOAD": "%{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?", - "IPTABLES_IP_FRAGFLAG": "((?<= )(CE|DF|MF))*", - "IPTABLES_IP_START": "SRC=%{IPV4:source.ip} DST=%{IPV4:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TOS=0x%{BASE16NUM:iptables.tos} PREC=0x%{BASE16NUM:iptables.precedence_bits} TTL=%{UNSIGNED_INT:iptables.ttl:int} ID=%{UNSIGNED_INT:iptables.id:int}(?: %{IPTABLES_IP_FRAGFLAG:iptables.fragment_flags})?(?: FRAG: %{UNSIGNED_INT:iptables.fragment_offset:int})?", - "IPTABLES_IP": "%{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}", - "IPTABLES_IPV6_START": "SRC=%{IPV6:source.ip} DST=%{IPV6:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} TC=%{UNSIGNED_INT:iptables.tos} HOPLIMIT=%{UNSIGNED_INT:iptables.ttl:int} FLOWLBL=%{UNSIGNED_INT:iptables.flow_label:int}", - "IPTABLES_IPV6": "%{IPTABLES_IPV6_START} %{IPTABLES_IP_PAYLOAD}", - "IPTABLES": "%{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}|%{IPTABLES_IPV6})", - "UBIQUITI_FIELD": "[^-\\]]*", - "UBIQUITI_RULESET_NAME": "[^\\]]*", - "UBIQUITI_LABEL": "%{UBIQUITI_RULESET_NAME:iptables.ubiquiti.rule_set}-%{UBIQUITI_FIELD:iptables.ubiquiti.rule_number}-%{UBIQUITI_FIELD:event.outcome}" - } - } - }, - { - "rename": { - "field": "message", - "target_field": "log.original" - } - }, - { - "grok": { - "field": "iptables.ubiquiti.rule_set", - "ignore_missing": true, - "ignore_failure": true, - "patterns": [ - "%{UBIQUITI_FIELD:iptables.ubiquiti.input_zone}-%{UBIQUITI_FIELD:iptables.ubiquiti.output_zone}" - ], - "pattern_definitions": { - "UBIQUITI_FIELD": "[^-]*" - } - } - }, - { - "date": { - "if": "ctx.event.timezone == null", - "field": "iptables.raw_date", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss" - ], - "on_failure": [{"append": {"field": 
"error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "date": { - "if": "ctx.event.timezone != null", - "field": "iptables.raw_date", - "formats": [ - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss" - ], - "timezone": "{{ event.timezone }}", - "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}] - } - }, - { - "remove": { - "field": "iptables.raw_date", - "ignore_missing": true - } - }, - - { - "lowercase": { - "field": "network.transport", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "destination.ip", - "target_field": "destination.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "destination.ip", - "target_field": "destination.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.asn", - "target_field": "destination.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.organization_name", - "target_field": "destination.as.organization.name", - "ignore_missing": true - } - }, - { - "script": { - "lang": "painless", - "params": { - "mappings": [ - { - "source": { - "object": "iptables", - "key": "ether_type" - }, - "destination": { - "object": "network", - "key": "type" - }, - "map": { - "08:00": "ipv4", - "86:dd": "ipv6" - } - }, - { - "source": { - 
"object": "event", - "key": "outcome" - }, - "destination": { - "object": "event", - "key": "outcome" - }, - "map": { - "D": "deny", - "A": "allow" - } - }, - { - "source": { - "object": "network", - "key": "transport" - }, - "destination": { - "object": "network", - "key": "transport" - }, - "map": { - "icmpv6": "ipv6-icmp" - } - } - ] - }, - "source": "for (action in params.mappings) { def src = ctx[action.source.object]; if (src != null) { Map map = action.map; String key = src[action.source.key]; String mapping = map[key]; if (mapping != null) { Map dst = ctx[action.destination.object]; if (dst == null) { dst = new HashMap(); ctx[action.destination.object] = dst;} dst[action.destination.key] = mapping; } } }" - } - }, - { - "script": { - "lang": "painless", - "params": { - "hex_fields_to_convert": [ - "ether_type", - "tos", - "precedence_bits", - "tcp_reserved_bits" - ] - }, - "source": "def iptables = ctx['iptables']; if (iptables != null) { for (key in params.hex_fields_to_convert) { long value = 0; def field = iptables[key]; if (field == null) continue; char[] hex = field.toLowerCase().toCharArray(); for (chr in hex) { long v = -1; if (chr >= (char)'a' && chr <= (char)'f') v = (long)chr - (char)'a' + 10; else if (chr >= (char)'0' && chr <= (char)'9') v = (long)chr - (char)'0'; if (v >= 0) {value = value*16 + v;} } iptables[key] = value; } }" - } - }, - { - "rename": { - "field": "iptables.tcp_reserved_bits", - "target_field": "iptables.tcp.reserved_bits", - "ignore_missing": true - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml new file mode 100644 index 00000000000..12ce3ecd8af --- /dev/null +++ b/x-pack/filebeat/module/iptables/log/ingest/pipeline.yml 
@@ -0,0 +1,226 @@ +description: Pipeline for IPTables +processors: +- grok: + field: message + patterns: + - '%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}' + - '%{SYSLOGTIMESTAMP:iptables.raw_date}%{GREEDYDATA}%{IPTABLES}%{SPACE}' + - '%{GREEDYDATA}\[%{UBIQUITI_LABEL}\]%{IPTABLES}%{SPACE}' + - '%{GREEDYDATA}%{IPTABLES}%{SPACE}' + pattern_definitions: + UNSIGNED_INT: '[0-9]+' + ETHTYPE: (?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}) + ETHTYPE_DISCARD: (?::[A-Fa-f0-9]{2})* + NETFILTERMAC: (?:%{MAC:destination.mac}:%{MAC:source.mac}:%{ETHTYPE:iptables.ether_type}?%{ETHTYPE_DISCARD}|%{MAC:destination.mac}%{ETHTYPE_DISCARD}:%{ETHTYPE:iptables.ether_type}?) + IPTABLES_ETHERNET: 'IN=%{DATA:iptables.input_device} OUT=%{DATA:iptables.output_device}?(?: + MAC=%{NETFILTERMAC})?' + IPTABLES_PORT_PAIR: SPT=%{UNSIGNED_INT:source.port:int} DPT=%{UNSIGNED_INT:destination.port:int} + IPTABLES_TCP_FLAGS: ((?<= )(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN))* + IPTABLES_TCP_SEQ: SEQ=%{UNSIGNED_INT:iptables.tcp.seq:int} ACK=%{UNSIGNED_INT:iptables.tcp.ack:int} + IPTABLES_TCP_DETAILS: (?:%{IPTABLES_TCP_SEQ} )?WINDOW=%{UNSIGNED_INT:iptables.tcp.window:int} + RES=0x%{BASE16NUM:iptables.tcp_reserved_bits} %{IPTABLES_TCP_FLAGS:iptables.tcp.flags} + IPTABLES_INCOMPLETE_PACKET: INCOMPLETE \[%{UNSIGNED_INT:iptables.incomplete_bytes:int} + bytes\] + IPTABLES_UDP_DETAILS: LEN=%{UNSIGNED_INT:iptables.udp.length:int} + IPTABLES_ICMP_EXTRA_ECHO: ID=%{UNSIGNED_INT:iptables.icmp.id:int} SEQ=%{UNSIGNED_INT:iptables.icmp.seq:int} + IPTABLES_ICMP_EXTRA_PARAM: PARAMETER=%{UNSIGNED_INT:iptables.icmp.parameter:int} + IPTABLES_ICMP_EXTRA_REDIRECT: GATEWAY=%{IP:iptables.icmp.redirect} + IPTABLES_ICMP_EXTRA: ( (?:%{IPTABLES_ICMP_EXTRA_ECHO}|%{IPTABLES_ICMP_EXTRA_PARAM}|%{IPTABLES_ICMP_EXTRA_REDIRECT}))* + IPTABLES_ICMP_DETAILS: TYPE=%{UNSIGNED_INT:iptables.icmp.type:int} CODE=%{UNSIGNED_INT:iptables.icmp.code:int}(( + %{IPTABLES_INCOMPLETE_PACKET})|%{IPTABLES_ICMP_EXTRA}) + 
IPTABLES_PROTOCOL: PROTO=(?[a-zA-Z0-9]+) + IPTABLES_IP_PAYLOAD: '%{IPTABLES_PROTOCOL}( %{IPTABLES_PORT_PAIR})?( (%{IPTABLES_TCP_DETAILS}|%{IPTABLES_UDP_DETAILS}|%{IPTABLES_ICMP_DETAILS}|%{IPTABLES_INCOMPLETE_PACKET}))?' + IPTABLES_IP_FRAGFLAG: ((?<= )(CE|DF|MF))* + IPTABLES_IP_START: 'SRC=%{IPV4:source.ip} DST=%{IPV4:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} + TOS=0x%{BASE16NUM:iptables.tos} PREC=0x%{BASE16NUM:iptables.precedence_bits} + TTL=%{UNSIGNED_INT:iptables.ttl:int} ID=%{UNSIGNED_INT:iptables.id:int}(?: + %{IPTABLES_IP_FRAGFLAG:iptables.fragment_flags})?(?: FRAG: %{UNSIGNED_INT:iptables.fragment_offset:int})?' + IPTABLES_IP: '%{IPTABLES_IP_START} %{IPTABLES_IP_PAYLOAD}' + IPTABLES_IPV6_START: SRC=%{IPV6:source.ip} DST=%{IPV6:destination.ip} LEN=%{UNSIGNED_INT:iptables.length:int} + TC=%{UNSIGNED_INT:iptables.tos} HOPLIMIT=%{UNSIGNED_INT:iptables.ttl:int} + FLOWLBL=%{UNSIGNED_INT:iptables.flow_label:int} + IPTABLES_IPV6: '%{IPTABLES_IPV6_START} %{IPTABLES_IP_PAYLOAD}' + IPTABLES: '%{IPTABLES_ETHERNET} (:?%{IPTABLES_IP}|%{IPTABLES_IPV6})' + UBIQUITI_FIELD: '[^-\]]*' + UBIQUITI_RULESET_NAME: '[^\]]*' + UBIQUITI_LABEL: '%{UBIQUITI_RULESET_NAME:iptables.ubiquiti.rule_set}-%{UBIQUITI_FIELD:iptables.ubiquiti.rule_number}-%{UBIQUITI_FIELD:event.type}' +- rename: + field: message + target_field: log.original +- grok: + field: iptables.ubiquiti.rule_set + ignore_missing: true + ignore_failure: true + patterns: + - '%{UBIQUITI_FIELD:iptables.ubiquiti.input_zone}-%{UBIQUITI_FIELD:iptables.ubiquiti.output_zone}' + pattern_definitions: + UBIQUITI_FIELD: '[^-]*' +- date: + if: ctx.event.timezone == null + field: iptables.raw_date + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + on_failure: + - append: + field: error.message + value: '{{ _ingest.on_failure_message }}' +- date: + if: ctx.event.timezone != null + field: iptables.raw_date + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + timezone: '{{ event.timezone }}' + on_failure: + - append: + field: 
error.message + value: '{{ _ingest.on_failure_message }}' +- remove: + field: iptables.raw_date + ignore_missing: true +- lowercase: + field: network.transport + ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + params: + mappings: + - source: + object: iptables + key: ether_type + destination: + object: network + key: type + map: + 08:00: ipv4 + 86:dd: ipv6 + - source: + object: event + key: type + destination: + object: event + key: type + map: + D: denied + A: allowed + - source: + object: network + key: transport + destination: + object: network + key: transport + map: + icmpv6: ipv6-icmp + source: >- + for (action in params.mappings) { + def src = ctx[action.source.object]; + if (src != null) { + Map map = action.map; + String key = src[action.source.key]; + String mapping = map[key]; + if (mapping != null) { + Map dst = ctx[action.destination.object]; + if (dst == null) { + dst = new HashMap(); + ctx[action.destination.object] = dst; + } + dst[action.destination.key] = mapping; + } + } + } + +- script: + lang: painless + params: + hex_fields_to_convert: 
+ - ether_type + - tos + - precedence_bits + - tcp_reserved_bits + source: >- + def iptables = ctx['iptables']; + if (iptables != null) { + for (key in params.hex_fields_to_convert) { + long value = 0; + def field = iptables[key]; + if (field == null) continue; + char[] hex = field.toLowerCase().toCharArray(); + for (chr in hex) { + long v = -1; + if (chr >= (char) 'a' && chr <= (char) 'f') v = (long) chr - (char) 'a' + 10; + else if (chr >= (char) '0' && chr <= (char) '9') v = (long) chr - (char) '0'; + if (v >= 0) { + value = value * 16 + v; + } + } + iptables[key] = value; + } + } + +- set: + field: event.kind + value: event +- set: + field: event.category + value: network +- append: + field: event.type + value: connection + if: "ctx?.source?.ip != null && ctx?.destination?.ip != null" +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx?.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx?.destination?.ip != null" +- rename: + field: iptables.tcp_reserved_bits + target_field: iptables.tcp.reserved_bits + ignore_missing: true +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/iptables/log/manifest.yml b/x-pack/filebeat/module/iptables/log/manifest.yml index adbe7e8fdb0..b93377397b9 100644 --- a/x-pack/filebeat/module/iptables/log/manifest.yml +++ b/x-pack/filebeat/module/iptables/log/manifest.yml @@ -15,7 +15,7 @@ var: - name: community_id default: true -ingest_pipeline: ingest/pipeline.json +ingest_pipeline: ingest/pipeline.yml input: config/input.yml requires.processors: diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json index b16a17a05d2..40dc3a9b8f4 100644 --- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json 
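Review bot: The Ubiquiti label grok writes the raw action field straight into `event.type` (`%{UBIQUITI_FIELD:event.type}` at the end of `UBIQUITI_LABEL`), and the mapping script only rewrites `D` and `A`, so any other value in that position stays in `event.type` verbatim and the later `append` adds `connection` beside it; an ECS field with a fixed vocabulary can thus carry arbitrary log text, a detection keyed on `event.type: denied` would silently miss such events, and nothing is recorded in `error.message` because an unmapped value is simply skipped. Capturing into a scratch field instead, mapping from it into `event.type`, and dropping the scratch field the same way `iptables.raw_date` is removed keeps unknown actions out of the ECS field; the rewritten lines are below, and the scratch field name is only a suggestion. Separately, both `date` conditions use `ctx.event.timezone` while the new `append` processors use the null-safe `ctx?.source?.ip` form; `if: ctx?.event?.timezone == null` (and `!= null`) would match that style and avoid a null-pointer failure if `event` were ever absent. As rendered here, `IPTABLES_PROTOCOL: PROTO=(?[a-zA-Z0-9]+)` shows no capture name even though `lowercase` and the transport mapping later read `network.transport`; presumably a named group `(?<network.transport>…)` was lost in rendering rather than in the file, but it is worth confirming against the committed file.
```yaml
    UBIQUITI_LABEL: '%{UBIQUITI_RULESET_NAME:iptables.ubiquiti.rule_set}-%{UBIQUITI_FIELD:iptables.ubiquiti.rule_number}-%{UBIQUITI_FIELD:iptables.raw_action}'
# … unchanged: rename, zone grok, date, raw_date remove, lowercase, geoip and as renames …
      - source:
          object: iptables
          key: raw_action
        destination:
          object: event
          key: type
        map:
          D: denied
          A: allowed
# … unchanged: transport mapping, mapping script source, hex conversion script …
- remove:
    field: iptables.raw_action
    ignore_missing: true
# … unchanged: event.kind / event.category / event.type / related.ip processors …
```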
@@ -3,10 +3,15 @@ "destination.ip": "10.4.0.5", "destination.mac": "90:10:20:76:8d:20", "destination.port": 443, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", - "event.outcome": "deny", "event.timezone": "-02:00", + "event.type": [ + "denied", + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -30,6 +35,10 @@ "network.community_id": "1:RGJPRWtru8Lg2itNyFREDvoRkNA=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "158.109.0.1", + "10.4.0.5" + ], "service.type": "iptables", "source.as.number": 13041, "source.as.organization.name": "Consorci de Serveis Universitaris de Catalunya", diff --git a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json index 85b61db612c..c5c3303a242 100644 --- a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json @@ -2,9 +2,14 @@ { "destination.ip": "192.0.2.83", "destination.mac": "90:10:28:5f:62:24", + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -22,6 +27,10 @@ "network.community_id": "1:T79jBEYlbFhpnIGt2rOuzIv31hE=", "network.transport": "icmp", "network.type": "ipv4", + "related.ip": [ + "192.0.2.71", + "192.0.2.83" + ], "service.type": "iptables", "source.ip": "192.0.2.71", "source.mac": "90:10:18:5a:89:2a", diff --git a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json index 803a9e2b6ae..b806b6487bb 100644 --- a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json 
+++ b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json @@ -3,9 +3,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -25,6 +30,10 @@ "network.community_id": "1:VD3aeZ6cGYX6uwOAUQ9NuxbobMI=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "203.0.113.36", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "203.0.113.36", "source.mac": "90:10:9e:ec:2c:71", @@ -37,9 +46,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 1433, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -58,6 +72,10 @@ "network.community_id": "1:r9MnuXFtcWUKzbVQ2vXn7XSQ2Fg=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.198", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.198", "source.mac": "90:10:76:e0:e2:d5", @@ -70,9 +88,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, 
@@ -92,6 +115,10 @@ "network.community_id": "1:vgBSpDUKSSgxOm6Y52jw6tCgiN8=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "203.0.113.201", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "203.0.113.201", "source.mac": "90:10:9e:ec:2c:71", @@ -104,9 +131,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 80, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -126,6 +158,10 @@ "network.community_id": "1:PCNGbo6CtVQoE5Hch+6oMfbeTP4=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "203.0.113.246", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "203.0.113.246", "source.mac": "90:10:9e:ec:2c:71", @@ -138,9 +174,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -160,6 +201,10 @@ "network.community_id": "1:Wb/3DTwtWE8C20/hm2JpmBAhsro=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "203.0.113.208", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "203.0.113.208", "source.mac": "90:10:76:e0:e2:d5", @@ -172,9 +217,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, 
@@ -193,6 +243,10 @@ "network.community_id": "1:+s7vkEgPnzTAoksA2Q0gAzgymfI=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.160", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.160", "source.mac": "90:10:9e:ec:2c:71", @@ -205,9 +259,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -227,6 +286,10 @@ "network.community_id": "1:6Pvyzf2+vqgsRxWx+eU9MXEhAFE=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.115", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.115", "source.mac": "90:10:76:e0:e2:d5", @@ -239,9 +302,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 445, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -261,6 +329,10 @@ "network.community_id": "1:g+bRFDuqViJEc5vzlOapz2LPhFo=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.167", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.167", "source.mac": "90:10:76:e0:e2:d5", @@ -273,9 +345,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 139, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, 
@@ -294,6 +371,10 @@ "network.community_id": "1:a/4LVq88msR/LgVGzZeIkmlNXz4=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.19", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.19", "source.mac": "90:10:9e:ec:2c:71", @@ -306,9 +387,14 @@ "destination.ip": "172.16.54.114", "destination.mac": "90:10:35:5a:1e:3a", "destination.port": 8088, + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.ether_type": 2048, @@ -327,6 +413,10 @@ "network.community_id": "1:1l65fWlqrJCJB7vBaqSgHnJoMbQ=", "network.transport": "tcp", "network.type": "ipv4", + "related.ip": [ + "198.51.100.68", + "172.16.54.114" + ], "service.type": "iptables", "source.ip": "198.51.100.68", "source.mac": "90:10:76:e0:e2:d5", diff --git a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json index 0c79c9d6956..6ae4fde109e 100644 --- a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json +++ b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json @@ -1,9 +1,14 @@ [ { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 868225, 
@@ -20,6 +25,10 @@ "log.original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459614] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=1 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "related.ip": [ + "2001:0db8:0000:0000:0000:0000:0000:0001", + "2001:0db8:0000:0000:0000:0000:0000:0002" + ], "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ @@ -28,9 +37,14 @@ }, { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 770819, @@ -47,6 +61,10 @@ "log.original": "Jan 22 09:05:05 ubuntu-bionic kernel: [16571.459695] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=1 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "related.ip": [ + "2001:0db8:0000:0000:0000:0000:0000:0001", + "2001:0db8:0000:0000:0000:0000:0000:0002" + ], "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ @@ -55,9 +73,14 @@ }, { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 868225, 
@@ -74,6 +97,10 @@ "log.original": "Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482458] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=2 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "related.ip": [ + "2001:0db8:0000:0000:0000:0000:0000:0001", + "2001:0db8:0000:0000:0000:0000:0000:0002" + ], "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ @@ -82,9 +109,14 @@ }, { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 770819, @@ -101,6 +133,10 @@ "log.original": "Jan 22 09:05:06 ubuntu-bionic kernel: [16572.482476] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=2 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "related.ip": [ + "2001:0db8:0000:0000:0000:0000:0000:0001", + "2001:0db8:0000:0000:0000:0000:0000:0002" + ], "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ @@ -109,9 +145,14 @@ }, { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 868225, 
@@ -128,6 +169,10 @@ "log.original": "Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506336] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=3 ", "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=", "network.transport": "ipv6-icmp", + "related.ip": [ + "2001:0db8:0000:0000:0000:0000:0000:0001", + "2001:0db8:0000:0000:0000:0000:0000:0002" + ], "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ @@ -136,9 +181,14 @@ }, { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 770819, @@ -155,6 +205,10 @@ "log.original": "Jan 22 09:05:07 ubuntu-bionic kernel: [16573.506356] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=3 ", "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=", "network.transport": "ipv6-icmp", + "related.ip": [ + "2001:0db8:0000:0000:0000:0000:0000:0001", + "2001:0db8:0000:0000:0000:0000:0000:0002" + ], "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [ @@ -163,9 +217,14 @@ }, { "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002", + "event.category": "network", "event.dataset": "iptables.log", + "event.kind": "event", "event.module": "iptables", "event.timezone": "-02:00", + "event.type": [ + "connection" + ], "fileset.name": "log", "input.type": "log", "iptables.flow_label": 868225, 
@@ -182,6 +241,10 @@
 "log.original": "Jan 22 09:05:08 ubuntu-bionic kernel: [16574.533989] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=4 ",
 "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -190,9 +253,14 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 770819,
@@ -209,6 +277,10 @@
 "log.original": "Jan 22 09:05:08 ubuntu-bionic kernel: [16574.534007] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=4 ",
 "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -217,9 +289,14 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 868225,
@@ -236,6 +313,10 @@
 "log.original": "Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553704] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=868225 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3427 SEQ=5 ",
 "network.community_id": "1:u2vMS3HiWth2lIMKHB1fjELshpQ=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -244,9 +325,14 @@
 },
 {
 "destination.ip": "2001:0db8:0000:0000:0000:0000:0000:0002",
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.flow_label": 770819,
@@ -263,6 +349,10 @@
 "log.original": "Jan 22 09:05:09 ubuntu-bionic kernel: [16575.553722] IN= OUT=lo SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=770819 PROTO=ICMPv6 TYPE=129 CODE=0 ID=3427 SEQ=5 ",
 "network.community_id": "1:YDcnf7YthUKAbDNo6Cs3rX4jq4w=",
 "network.transport": "ipv6-icmp",
+ "related.ip": [
+ "2001:0db8:0000:0000:0000:0000:0000:0001",
+ "2001:0db8:0000:0000:0000:0000:0000:0002"
+ ],
 "service.type": "iptables",
 "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
 "tags": [
@@ -272,9 +362,14 @@
 {
 "destination.ip": "ff02:0000:0000:0000:0000:0000:0000:0016",
 "destination.mac": "90:10:12:34:56:78",
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
 "event.timezone": "-02:00",
+ "event.type": [
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 34525,
@@ -291,6 +386,10 @@
 "network.community_id": "1:XZrSeKYMvsI3xGPWG5JqrtsD87U=",
 "network.transport": "ipv6-icmp",
 "network.type": "ipv6",
+ "related.ip": [
+ "fe80:0000:0000:0000:0084:88ff:feae:790a",
+ "ff02:0000:0000:0000:0000:0000:0000:0016"
+ ],
 "service.type": "iptables",
 "source.ip": "fe80:0000:0000:0000:0084:88ff:feae:790a",
 "source.mac": "90:10:aa:bb:cc:dd",
diff --git a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
index b7d6aef99ec..db2e263945b 100644
--- a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
@@ -3,10 +3,15 @@
 "destination.ip": "255.55.174.225",
 "destination.mac": "90:10:92:6e:ea:a7",
 "destination.port": 48689,
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "allow",
 "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
@@ -25,6 +30,10 @@
 "network.community_id": "1:3qoibVBmc9hsnHpP4Ms5HO6ls7Q=",
 "network.transport": "udp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.48.137",
+ "255.55.174.225"
+ ],
 "service.type": "iptables",
 "source.ip": "192.168.48.137",
 "source.mac": "90:10:73:ba:d6:77",
@@ -37,10 +46,15 @@
 "destination.ip": "192.0.2.25",
 "destination.mac": "90:10:20:76:8d:20",
 "destination.port": 443,
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "allow",
 "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
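Review bot: The `@@ -3,10 +3,15 @@` hunk of the ubiquiti fixture drops `"event.outcome": "allow"` (and the later hunks drop the `"deny"` variant) and only adds `event.type: allowed`/`denied` in its place, so any saved search, visualization or detection rule that filters this dataset on `event.outcome: deny` will silently stop matching after the upgrade. Moving the verdict to event.type looks like the right direction, since `allow`/`deny` are not among the values ECS defines for event.outcome (success/failure/unknown), but the removal should be documented as a breaking change for the iptables dataset rather than folded into an "improve categorization" entry. If a transition period is wanted, the pipeline could keep setting the old field alongside event.type for one release; that change would live in pipeline.yml, which is outside this chunk.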
@@ -62,6 +76,10 @@
 "network.community_id": "1:7bPQdYPL4yePwQJZt0I1dvVXLHc=",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.134.158",
+ "192.0.2.25"
+ ],
 "service.type": "iptables",
 "source.ip": "192.168.134.158",
 "source.mac": "90:10:24:67:f4:89",
@@ -74,10 +92,15 @@
 "destination.ip": "192.0.2.25",
 "destination.mac": "90:10:20:76:8d:20",
 "destination.port": 1443,
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "deny",
 "event.timezone": "-02:00",
+ "event.type": [
+ "denied",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
@@ -101,6 +124,10 @@
 "network.community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.110.116",
+ "192.0.2.25"
+ ],
 "service.type": "iptables",
 "source.ip": "192.168.110.116",
 "source.mac": "90:10:65:29:b6:2a",
@@ -113,10 +140,15 @@
 "destination.ip": "192.0.2.25",
 "destination.mac": "90:10:20:76:8d:20",
 "destination.port": 1443,
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "allow",
 "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
@@ -138,6 +170,10 @@
 "network.community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.110.116",
+ "192.0.2.25"
+ ],
 "service.type": "iptables",
 "source.ip": "192.168.110.116",
 "source.mac": "90:10:65:29:b6:2a",
@@ -150,10 +186,15 @@
 "destination.ip": "192.0.2.25",
 "destination.mac": "90:10:20:76:8d:20",
 "destination.port": 1443,
+ "event.category": "network",
 "event.dataset": "iptables.log",
+ "event.kind": "event",
 "event.module": "iptables",
- "event.outcome": "allow",
 "event.timezone": "-02:00",
+ "event.type": [
+ "allowed",
+ "connection"
+ ],
 "fileset.name": "log",
 "input.type": "log",
 "iptables.ether_type": 2048,
@@ -175,6 +216,10 @@
 "network.community_id": "1:6BwNFzns3BNljtYZJCwhPO5Qoq0=",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "related.ip": [
+ "192.168.110.116",
+ "192.0.2.25"
+ ],
 "service.type": "iptables",
 "source.ip": "192.168.110.116",
 "source.mac": "90:10:65:29:b6:2a",