From 9f238afa31656f380b14f61dc13ae1bb1e6b672c Mon Sep 17 00:00:00 2001 From: Vinit Chauhan Date: Mon, 12 Aug 2024 06:06:45 -0400 Subject: [PATCH] [filebeat][decode_cef] Allow hyphens in extension key (#40427) This adds support for hyphens (`-`) in extension keys. The CEF spec says that extension keys are alphanumeric. So this is a deviation, but a minor one that is in line with past deviations to allow dots in extension keys. I have also added .ri files to the gitignore file as they are intermediate files generated by ragel. Closes #40348 --- CHANGELOG.next.asciidoc | 2 + .../processors/decode_cef/cef/.gitignore | 1 + .../filebeat/processors/decode_cef/cef/cef.rl | 2 +- .../processors/decode_cef/cef/cef_test.go | 21 + .../processors/decode_cef/cef/parser.go | 64 +-- .../decode_cef/cef/parser_recover.go | 375 ++++++++++-------- .../processors/decode_cef/decode_cef.go | 5 +- .../processors/decode_cef/decode_cef_test.go | 31 ++ .../decode_cef/testdata/samples.log | 1 + .../testdata/samples.log.golden.json | 156 +++++++- 10 files changed, 450 insertions(+), 208 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2555fdf2c011..5a27a9980ead 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -38,10 +38,12 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] - Implement Elastic Agent status and health reporting for Winlog Filebeat input. {pull}40163[40163] - Fix filestream's registry GC: registry entries will never be removed if clean_inactive is set to "-1". {pull}40258[40258] - Added `ignore_empty_values` flag in `decode_cef` Filebeat processor. {pull}40268[40268] +- Added support for hyphens in extension keys in `decode_cef` Filebeat processor. {pull}40427[40427] - Journald: removed configuration options `include_matches.or`, `include_matches.and`, `backoff`, `max_backoff`, `cursor_seek_fallback`. {pull}40061[40061] - Journald: `include_matches.match` now behaves in the same way as matchers in `journalctl`. Users should carefully update their input configuration. {pull}40061[40061] - Journald: `seek` and `since` behaviour have been simplified, if there is a cursor (state) `seek` and `since` are ignored and the cursor is used. {pull}40061[40061] + *Heartbeat* diff --git a/x-pack/filebeat/processors/decode_cef/cef/.gitignore b/x-pack/filebeat/processors/decode_cef/cef/.gitignore index 36e411946259..94c8b0e3dfc2 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/.gitignore +++ b/x-pack/filebeat/processors/decode_cef/cef/.gitignore @@ -1,2 +1,3 @@ *.svg *.dot +*.ri diff --git a/x-pack/filebeat/processors/decode_cef/cef/cef.rl b/x-pack/filebeat/processors/decode_cef/cef/cef.rl index 507a251d7b88..e83b0c08ebf2 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/cef.rl +++ b/x-pack/filebeat/processors/decode_cef/cef/cef.rl 
@@ -32,7 +32,7 @@ # Only alnum is defined in the CEF spec. The other characters allow # non-conforming extension keys to be parsed. extension_key_start_chars = alnum | '_'; - extension_key_chars = extension_key_start_chars | '.' | ',' | '[' | ']'; + extension_key_chars = extension_key_start_chars | '.' | ',' | '[' | ']' | '-'; extension_key_pattern = extension_key_start_chars extension_key_chars*; extension_value_chars_nospace = extension_value_escapes | (any -- equal -- escape -- space); diff --git a/x-pack/filebeat/processors/decode_cef/cef/cef_test.go b/x-pack/filebeat/processors/decode_cef/cef/cef_test.go index ec593ddfa533..a269aeea9dfb 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/cef_test.go +++ b/x-pack/filebeat/processors/decode_cef/cef/cef_test.go @@ -60,6 +60,8 @@ const ( noValueInExtension = `CEF:26|security|threat=manager|1.0|100|trojan successfully stopped|10|src= dst=12.121.122.82 spt=` + hyphenInExtensionKey = `CEF:26|security|threatmanager|1.0|100|trojan successfully stopped|10|Some-Key=123456` + // Found by fuzzing but minimised by hand. fuzz0 = `CEF:0|a=\\ b|` fuzz1 = `CEF:0|\|a=|b=` @@ -87,6 +89,7 @@ var testMessages = []string{ escapedMessage, truncatedHeader, noValueInExtension, + hyphenInExtensionKey, fuzz0, fuzz1, fuzz2, @@ -180,6 +183,24 @@ func TestEventUnpack(t *testing.T) { }, e.Extensions) }) + t.Run("hyphenInExtensionKey", func(t *testing.T) { + var e Event + err := e.Unpack(hyphenInExtensionKey) + assert.NoError(t, err) + assert.Equal(t, 26, e.Version) + assert.Equal(t, "security", e.DeviceVendor) + assert.Equal(t, "threatmanager", e.DeviceProduct) + assert.Equal(t, "1.0", e.DeviceVersion) + assert.Equal(t, "100", e.DeviceEventClassID) + assert.Equal(t, "trojan successfully stopped", e.Name) + assert.Equal(t, "10", e.Severity) + assert.Equal(t, map[string]*Field{ + "Some-Key": { + String: "123456", + }, + }, e.Extensions) + }) + t.Run("equalsSignInHeader", func(t *testing.T) { var e Event err := e.Unpack(equalsSignInHeader) 
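Review bot: Adding `'-'` to `extension_key_chars` changes how unescaped text is split, not only which keys are accepted: as far as the grammar shown here goes, a token such as `foo-bar=1` following a value previously failed the key pattern at the hyphen (with the `=` then being an invalid value character), whereas it now starts a new extension key, so some messages that used to reach the recovery path will now parse into an additional key. That appears to be the intent for keys like `PanOSX-Forwarded-ForIP`, but the comment above the rule still only explains the alnum deviation, so it is worth stating, e.g. `# '-' is a further deviation from the spec, needed for keys such as PanOSX-Forwarded-ForIP (#40348).` `extension_key_start_chars` is unchanged, so a key still may not begin with a hyphen; the large parser.go and parser_recover.go hunks below are generated from this one line and need no separate review.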
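Review bot: The new `hyphenInExtensionKey` case only pins a hyphen in the middle of a key (`Some-Key=123456`); nothing asserts the boundary cases of the widened grammar, in particular a key that begins with a hyphen (which `extension_key_start_chars` still rejects) and a hyphen immediately before `=` (`Some-=1`). Adding one such message to `testMessages` and a matching `t.Run` in TestEventUnpack, asserting whatever outcome is intended, would document the accepted grammar instead of leaving it implied. TestEventUnpack starts and ends outside this hunk.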
diff --git a/x-pack/filebeat/processors/decode_cef/cef/parser.go b/x-pack/filebeat/processors/decode_cef/cef/parser.go index 9aff2fd656b7..cfcb4fadae19 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/parser.go +++ b/x-pack/filebeat/processors/decode_cef/cef/parser.go @@ -14,7 +14,7 @@ import ( "go.uber.org/multierr" ) -//line parser.go:16 +//line parser.go:14 var _cef_eof_actions []byte = []byte{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, @@ -51,12 +51,12 @@ func (e *Event) unpack(data string) error { e.init(data) -//line parser.go:56 +//line parser.go:52 { cs = cef_start } -//line parser.go:61 +//line parser.go:56 { if (p) == (pe) { goto _test_eof @@ -343,10 +343,6 @@ func (e *Event) unpack(data string) error { goto tr1 case 30: switch data[(p)] { - case 44: - goto tr64 - case 46: - goto tr64 case 61: goto tr65 case 93: @@ -355,12 +351,17 @@ func (e *Event) unpack(data string) error { goto tr64 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr64 } - case data[(p)] > 91: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 91: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr64 + } + case data[(p)] >= 65: goto tr64 } default: @@ -426,10 +427,6 @@ func (e *Event) unpack(data string) error { switch data[(p)] { case 32: goto tr81 - case 44: - goto tr84 - case 46: - goto tr84 case 61: goto tr85 case 92: @@ -439,7 +436,12 @@ func (e *Event) unpack(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr84 + } + case data[(p)] >= 9: goto tr80 } case data[(p)] > 57: @@ -514,10 +516,6 @@ func (e *Event) unpack(data string) error { switch data[(p)] { case 32: goto tr92 - case 44: - goto tr95 - case 46: - goto tr95 case 61: goto tr85 case 92: 
@@ -527,7 +525,12 @@ func (e *Event) unpack(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr95 + } + case data[(p)] >= 9: goto tr91 } case data[(p)] > 57: @@ -622,10 +625,6 @@ func (e *Event) unpack(data string) error { switch data[(p)] { case 32: goto tr70 - case 44: - goto tr71 - case 46: - goto tr71 case 61: goto tr72 case 93: @@ -634,12 +633,17 @@ func (e *Event) unpack(data string) error { goto tr71 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr71 } - case data[(p)] > 91: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 91: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr71 + } + case data[(p)] >= 65: goto tr71 } default: @@ -1358,7 +1362,7 @@ func (e *Event) unpack(data string) error { state.reset() } -//line parser.go:1156 +//line parser.go:1155 } } diff --git a/x-pack/filebeat/processors/decode_cef/cef/parser_recover.go b/x-pack/filebeat/processors/decode_cef/cef/parser_recover.go index 384fb238a081..2bac12d81d89 100644 --- a/x-pack/filebeat/processors/decode_cef/cef/parser_recover.go +++ b/x-pack/filebeat/processors/decode_cef/cef/parser_recover.go @@ -14,7 +14,7 @@ import ( "go.uber.org/multierr" ) -//line parser_recover.go:16 +//line parser_recover.go:14 var _cef_recover_eof_actions []byte = []byte{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, @@ -65,12 +65,12 @@ func (e *Event) recoverExtensions(data string) error { // e was already initialised by the call to unpack. t := *e -//line parser_recover.go:70 +//line parser_recover.go:66 { cs = cef_recover_start } -//line parser_recover.go:75 +//line parser_recover.go:70 { if (p) == (pe) { goto _test_eof 
@@ -401,10 +401,6 @@ func (e *Event) recoverExtensions(data string) error { goto tr1 case 29: switch data[(p)] { - case 44: - goto tr60 - case 46: - goto tr60 case 61: goto tr61 case 93: @@ -413,12 +409,17 @@ func (e *Event) recoverExtensions(data string) error { goto tr60 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr60 } - case data[(p)] > 91: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 91: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr60 + } + case data[(p)] >= 65: goto tr60 } default: @@ -484,10 +485,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr106 - case 44: - goto tr109 - case 46: - goto tr109 case 61: goto tr110 case 92: @@ -497,7 +494,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr109 + } + case data[(p)] >= 9: goto tr105 } case data[(p)] > 57: @@ -572,10 +574,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr117 - case 44: - goto tr120 - case 46: - goto tr120 case 61: goto tr110 case 92: @@ -585,7 +583,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr120 + } + case data[(p)] >= 9: goto tr116 } case data[(p)] > 57: @@ -694,7 +697,7 @@ func (e *Event) recoverExtensions(data string) error { case 34: switch data[(p)] { case 45: - goto tr54 + goto tr65 case 61: goto tr61 case 91: @@ -750,10 +753,6 @@ func (e *Event) recoverExtensions(data string) error { goto tr44 case 36: switch data[(p)] { - case 44: - goto tr68 - case 46: - goto tr68 case 61: goto tr69 case 92: 
@@ -764,12 +763,17 @@ func (e *Event) recoverExtensions(data string) error { goto tr48 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr68 } - case data[(p)] > 93: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 93: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr68 + } + case data[(p)] >= 65: goto tr68 } default: @@ -841,10 +845,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr136 - case 44: - goto tr140 - case 46: - goto tr140 case 61: goto tr141 case 92: @@ -856,7 +856,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr140 + } + case data[(p)] >= 9: goto tr135 } case data[(p)] > 57: @@ -937,10 +942,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr149 - case 44: - goto tr153 - case 46: - goto tr153 case 61: goto tr141 case 92: @@ -952,7 +953,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr153 + } + case data[(p)] >= 9: goto tr148 } case data[(p)] > 57: @@ -1063,10 +1069,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr117 - case 44: - goto tr166 - case 46: - goto tr166 case 61: goto tr61 case 92: @@ -1076,7 +1078,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr166 + } + case data[(p)] >= 9: goto tr116 } case data[(p)] > 57: 
@@ -1157,7 +1164,7 @@ func (e *Event) recoverExtensions(data string) error { case 32: goto tr117 case 45: - goto tr160 + goto tr167 case 61: goto tr61 case 92: @@ -1289,10 +1296,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr106 - case 44: - goto tr180 - case 46: - goto tr180 case 61: goto tr61 case 92: @@ -1302,7 +1305,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr180 + } + case data[(p)] >= 9: goto tr105 } case data[(p)] > 57: @@ -1383,7 +1391,7 @@ func (e *Event) recoverExtensions(data string) error { case 32: goto tr106 case 45: - goto tr174 + goto tr181 case 61: goto tr61 case 92: @@ -1446,10 +1454,6 @@ func (e *Event) recoverExtensions(data string) error { goto tr35 case 40: switch data[(p)] { - case 44: - goto tr74 - case 46: - goto tr74 case 61: goto tr75 case 92: @@ -1460,12 +1464,17 @@ func (e *Event) recoverExtensions(data string) error { goto tr39 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr74 } - case data[(p)] > 93: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 93: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr74 + } + case data[(p)] >= 65: goto tr74 } default: @@ -1537,10 +1546,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr189 - case 44: - goto tr193 - case 46: - goto tr193 case 61: goto tr194 case 92: @@ -1552,7 +1557,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr193 + } + case data[(p)] >= 9: goto tr188 } case data[(p)] > 57: 
@@ -1633,10 +1643,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr202 - case 44: - goto tr206 - case 46: - goto tr206 case 61: goto tr194 case 92: @@ -1648,7 +1654,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr206 + } + case data[(p)] >= 9: goto tr201 } case data[(p)] > 57: @@ -1759,10 +1770,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr149 - case 44: - goto tr216 - case 46: - goto tr216 case 61: goto tr69 case 92: @@ -1774,7 +1781,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr216 + } + case data[(p)] >= 9: goto tr148 } case data[(p)] > 57: @@ -1885,10 +1897,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr136 - case 44: - goto tr226 - case 46: - goto tr226 case 61: goto tr69 case 92: @@ -1900,7 +1908,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr226 + } + case data[(p)] >= 9: goto tr135 } case data[(p)] > 57: @@ -1942,10 +1955,6 @@ func (e *Event) recoverExtensions(data string) error { goto tr26 case 44: switch data[(p)] { - case 44: - goto tr80 - case 46: - goto tr80 case 61: goto tr81 case 92: 
@@ -1956,12 +1965,17 @@ func (e *Event) recoverExtensions(data string) error { goto tr30 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr80 } - case data[(p)] > 93: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 93: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr80 + } + case data[(p)] >= 65: goto tr80 } default: @@ -2033,10 +2047,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr234 - case 44: - goto tr238 - case 46: - goto tr238 case 61: goto tr239 case 92: @@ -2048,7 +2058,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr238 + } + case data[(p)] >= 9: goto tr233 } case data[(p)] > 57: @@ -2129,10 +2144,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr247 - case 44: - goto tr251 - case 46: - goto tr251 case 61: goto tr239 case 92: @@ -2144,7 +2155,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr251 + } + case data[(p)] >= 9: goto tr246 } case data[(p)] > 57: @@ -2255,10 +2271,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr202 - case 44: - goto tr261 - case 46: - goto tr261 case 61: goto tr75 case 92: @@ -2270,7 +2282,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr261 + } + case data[(p)] >= 9: goto tr201 } case data[(p)] > 57: 
@@ -2381,10 +2398,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr189 - case 44: - goto tr271 - case 46: - goto tr271 case 61: goto tr75 case 92: @@ -2396,7 +2409,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr271 + } + case data[(p)] >= 9: goto tr188 } case data[(p)] > 57: @@ -2438,10 +2456,6 @@ func (e *Event) recoverExtensions(data string) error { goto tr17 case 48: switch data[(p)] { - case 44: - goto tr86 - case 46: - goto tr86 case 61: goto tr87 case 92: @@ -2452,12 +2466,17 @@ func (e *Event) recoverExtensions(data string) error { goto tr21 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr86 } - case data[(p)] > 93: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 93: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr86 + } + case data[(p)] >= 65: goto tr86 } default: @@ -2529,10 +2548,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr279 - case 44: - goto tr283 - case 46: - goto tr283 case 61: goto tr284 case 92: @@ -2544,7 +2559,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr283 + } + case data[(p)] >= 9: goto tr278 } case data[(p)] > 57: @@ -2625,10 +2645,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr292 - case 44: - goto tr296 - case 46: - goto tr296 case 61: goto tr284 case 92: 
@@ -2640,7 +2656,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr296 + } + case data[(p)] >= 9: goto tr291 } case data[(p)] > 57: @@ -2751,10 +2772,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr247 - case 44: - goto tr306 - case 46: - goto tr306 case 61: goto tr81 case 92: @@ -2766,7 +2783,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr306 + } + case data[(p)] >= 9: goto tr246 } case data[(p)] > 57: @@ -2877,10 +2899,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr234 - case 44: - goto tr316 - case 46: - goto tr316 case 61: goto tr81 case 92: @@ -2892,7 +2910,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr316 + } + case data[(p)] >= 9: goto tr233 } case data[(p)] > 57: @@ -2934,10 +2957,6 @@ func (e *Event) recoverExtensions(data string) error { goto tr8 case 52: switch data[(p)] { - case 44: - goto tr92 - case 46: - goto tr92 case 61: goto tr93 case 92: @@ -2948,12 +2967,17 @@ func (e *Event) recoverExtensions(data string) error { goto tr12 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr92 } - case data[(p)] > 93: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 93: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr92 + } + case data[(p)] >= 65: goto tr92 } default: 
@@ -3025,10 +3049,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr324 - case 44: - goto tr328 - case 46: - goto tr328 case 61: goto tr329 case 92: @@ -3040,7 +3060,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr328 + } + case data[(p)] >= 9: goto tr323 } case data[(p)] > 57: @@ -3121,10 +3146,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr337 - case 44: - goto tr341 - case 46: - goto tr341 case 61: goto tr329 case 92: @@ -3136,7 +3157,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr341 + } + case data[(p)] >= 9: goto tr336 } case data[(p)] > 57: @@ -3247,10 +3273,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr292 - case 44: - goto tr351 - case 46: - goto tr351 case 61: goto tr87 case 92: @@ -3262,7 +3284,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr351 + } + case data[(p)] >= 9: goto tr291 } case data[(p)] > 57: @@ -3373,10 +3400,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr279 - case 44: - goto tr361 - case 46: - goto tr361 case 61: goto tr87 case 92: @@ -3388,7 +3411,12 @@ func (e *Event) recoverExtensions(data string) error { } switch { case data[(p)] < 48: - if 9 <= data[(p)] && data[(p)] <= 13 { + switch { + case data[(p)] > 13: + if 44 <= data[(p)] && data[(p)] <= 46 { + goto tr361 + } + case data[(p)] >= 9: goto tr278 } case data[(p)] > 57: 
@@ -3433,10 +3461,6 @@ func (e *Event) recoverExtensions(data string) error { switch data[(p)] { case 32: goto tr97 - case 44: - goto tr98 - case 46: - goto tr98 case 61: goto tr99 case 93: @@ -3445,12 +3469,17 @@ func (e *Event) recoverExtensions(data string) error { goto tr98 } switch { - case data[(p)] < 65: - if 48 <= data[(p)] && data[(p)] <= 57 { + case data[(p)] < 48: + if 44 <= data[(p)] && data[(p)] <= 46 { goto tr98 } - case data[(p)] > 91: - if 97 <= data[(p)] && data[(p)] <= 122 { + case data[(p)] > 57: + switch { + case data[(p)] > 91: + if 97 <= data[(p)] && data[(p)] <= 122 { + goto tr98 + } + case data[(p)] >= 65: goto tr98 } default: @@ -4799,7 +4828,7 @@ func (e *Event) recoverExtensions(data string) error { state.reset() } -//line parser_recover.go:4081 +//line parser_recover.go:4105 } } diff --git a/x-pack/filebeat/processors/decode_cef/decode_cef.go b/x-pack/filebeat/processors/decode_cef/decode_cef.go index f07f59a44cb1..4a4ca9c59caf 100644 --- a/x-pack/filebeat/processors/decode_cef/decode_cef.go +++ b/x-pack/filebeat/processors/decode_cef/decode_cef.go @@ -92,9 +92,8 @@ func (p *processor) Run(event *beat.Event) (*beat.Event, error) { if p.IgnoreFailure { return event, nil } - if err != nil { - err = fmt.Errorf("decode_cef failed to parse message: %w", err) - } + + err = fmt.Errorf("decode_cef failed to parse message: %w", err) return event, err } diff --git a/x-pack/filebeat/processors/decode_cef/decode_cef_test.go b/x-pack/filebeat/processors/decode_cef/decode_cef_test.go index e9bade08de52..a73ff7034147 100644 --- a/x-pack/filebeat/processors/decode_cef/decode_cef_test.go +++ b/x-pack/filebeat/processors/decode_cef/decode_cef_test.go 
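Review bot: The wrap at `err = fmt.Errorf("decode_cef failed to parse message: %w", err)` is now unconditional, so it is only correct if every path reaching this line carries a non-nil err; with a nil err, fmt.Errorf yields a non-nil error reading `%!w(<nil>)` and Run would start failing events it previously passed through. The enclosing Run begins outside the hunk, so the guard above this block is not visible here; if err is guaranteed non-nil at this point, a one-line comment such as `// err is non-nil here: this block is only reached on a parse failure.` would make that invariant visible to the next editor, otherwise the dropped `if err != nil` check should stay.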
@@ -86,6 +86,37 @@ func TestProcessorRun(t *testing.T) { "observer.version": "1.2.3", }, }, + "key_with_dash": { + config: func() config { + c := defaultConfig() + c.TargetField = "" + c.IgnoreEmptyValues = true + return c + }, + message: "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|src=127.0.0.1 dst=0.0.0.0 PanOSX-Forwarded-ForIP=0.0.0.0 ", + fields: mapstr.M{ + "version": "0", + "device.event_class_id": "TRAFFIC", + "device.product": "LF", + "device.vendor": "Palo Alto Networks", + "device.version": "2.0", + "severity": "3", + "event.severity": 3, + "extensions.sourceAddress": "127.0.0.1", + "extensions.destinationAddress": "0.0.0.0", + "extensions.PanOSX-Forwarded-ForIP": "0.0.0.0", + "name": "end", + + // ECS + "event.code": "TRAFFIC", + "destination.ip": "0.0.0.0", + "message": "end", + "observer.product": "LF", + "observer.vendor": "Palo Alto Networks", + "observer.version": "2.0", + "source.ip": "127.0.0.1", + }, + }, "parse_errors": { message: "CEF:0|Trend Micro|Deep Security Manager|1.2.3|600|User Signed In|Low|msg=User signed in with =xyz", fields: mapstr.M{ diff --git a/x-pack/filebeat/processors/decode_cef/testdata/samples.log b/x-pack/filebeat/processors/decode_cef/testdata/samples.log index 2c89563571ba..3e4c1feaeb9f 100644 --- a/x-pack/filebeat/processors/decode_cef/testdata/samples.log +++ b/x-pack/filebeat/processors/decode_cef/testdata/samples.log 
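Review bot: The `key_with_dash` message literal ends with a trailing space (`PanOSX-Forwarded-ForIP=0.0.0.0 `), which reads as accidental; if it is meant to exercise whitespace after the last extension, a short comment on the `message:` line, e.g. `// trailing space is intentional`, would keep a later cleanup from removing it. The case also sets `c.IgnoreEmptyValues = true` although none of the three extensions in the message is empty, so that option is not actually exercised by this test; either drop it or add an empty extension as samples.log does. TestProcessorRun begins outside the hunk.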
@@ -21,3 +21,4 @@ CEF:0|ArcSight|ArcSight|7.0.5.7132.1|agent:016|Device connection up|Low| eventId CEF:0|ArcSight|ArcSight|7.0.5.7132.1|agent:030|Agent [NAT] type [sdkrfilereader] started|Low| eventId=2 mrt=1410524500493 categorySignificance=/Normal categoryBehavior=/Execute/Start categoryDeviceGroup=/Application catdt=Security Mangement categoryOutcome=/Success categoryObject=/Host/Application/Service art=1410624402535 cat=/Agent/Started deviceSeverity=Warning rt=1410543500432 fileType=Agent cs2= cs2Label=Configuration Resource ahost=VirtualXP agt=192.168.1.56 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 av=7.0.5.7132.1 atz=Europe/Prague aid=4Pz6paUgBABCAAudQNx1w0w\=\= at=sdkrfilereader dvchost=VirtualXP dvc=192.168.0.65 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dtz=Europe/Prague _cefVer=0.1 CEF:0|ArcSight|ArcSight|7.0.5.7132.1|agent:044|File processing started|Low| eventId=6 mrt=1410524500502 catdt=Security Mangement art=1410524502535 cat=/LogFile/Processing/Started deviceSeverity=Warning rt=1410524500502 fname=C:\\Documents and Settings\\XPMUser\\Desktop\\Logs\\NAT_Log ahost=VirtualXP agt=192.168.131.65 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 av=7.0.5.7132.0 atz=Europe/Prague aid=3Pz6paUgBABCAAudQNx1w0w\=\= at=sdkrfilereader dvchost=VirtualXP dvc=192.168.131.65 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dtz=Europe/Prague _cefVer=0.1 CEF:0|ArcSight|ArcSight|7.0.5.7132.1|agent:031|Agent [NAT] type [sdkrfilereader] shutting down|Very-High| eventId=7 msg=Process Stopped by User mrt=1410524535833 categorySignificance=/Normal categoryBehavior=/Execute/Stop categoryDeviceGroup=/Application catdt=Security Mangement categoryOutcome=/Success categoryObject=/Host/Application/Service art=1410524535843 cat=/Agent/ShuttingDown 
deviceSeverity=Warning rt=1410524535833 fileType=Agent cs2= cs2Label=Configuration Resource ahost=VirtualXP agt=192.168.131.65 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 av=7.0.5.7132.0 atz=Europe/Prague aid=3Pz6paUgBABCAAudQNx1w0w\=\= at=sdkrfilereader dvchost=VirtualXP dvc=192.168.131.65 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 192.168.0.0-192.168.255.255 dtz=Europe/Prague _cefVer=0.1 +CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|dtz=UTC rt=Jul 04 2024 09:03:48 deviceExternalId=no-serial PanOSConfigVersion=10.2 start=Jul 04 2024 09:03:39 src=127.0.0.1 dst=0.0.0.0 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress= cs1=intrazone-default cs1Label=Rule suser= duser= app=unknown-udp cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/1 cs6=Cortex Data Lake cs6Label=LogSetting cn1=574297 cn1Label=SessionID cnt=1 spt=13442 dpt=500 sourceTranslatedPort=0 destinationTranslatedPort=0 proto=udp act=allow PanOSBytes=82 out=82 in=0 cn2=1 cn2Label=PacketsTotal PanOSSessionStartTime=Jul 04 2024 09:03:05 cn3=0 cn3Label=SessionDuration cs2=any cs2Label=URLCategory externalId=7361339208201408573 PanOSSourceLocation=DE PanOSDestinationLocation=US PanOSPacketsSent=1 PanOSPacketsReceived=0 reason=aged-out PanOSDGHierarchyLevel1=65544 PanOSDGHierarchyLevel2=65545 PanOSDGHierarchyLevel3=65546 PanOSDGHierarchyLevel4=65550 PanOSVirtualSystemName= dvchost=GP cloud service cat=from-policy PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSEndpointAssociationID=0 PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSRuleUUID=40b8842f-eec3-4e04-b760-6a2ce4698fde PanOSHTTP2Connection=0 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= 
PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID= PanOSEndpointSerialNumber= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner= PanOSTimeGeneratedHighResolution=Jul 04 2024 09:03:39 PanOSNSSAINetworkSliceType= PanOSNSSAINetworkSliceDifferentiator= diff --git a/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json b/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json index 58d419bf8ea5..c846095536a7 100644 --- a/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json +++ b/x-pack/filebeat/processors/decode_cef/testdata/samples.log.golden.json 
@@ -1321,5 +1321,159 @@
 "vendor": "ArcSight",
 "version": "7.0.5.7132.1"
 }
+ },
+ {
+ "cef": {
+ "device": {
+ "event_class_id": "TRAFFIC",
+ "product": "LF",
+ "vendor": "Palo Alto Networks",
+ "version": "2.0"
+ },
+ "extensions": {
+ "PanOSBytes": "82",
+ "PanOSChunksReceived": "0",
+ "PanOSChunksSent": "0",
+ "PanOSChunksTotal": "0",
+ "PanOSConfigVersion": "10.2",
+ "PanOSContainerID": "",
+ "PanOSContainerName": "",
+ "PanOSContainerNameSpace": "",
+ "PanOSDGHierarchyLevel1": "65544",
+ "PanOSDGHierarchyLevel2": "65545",
+ "PanOSDGHierarchyLevel3": "65546",
+ "PanOSDGHierarchyLevel4": "65550",
+ "PanOSDestinationDeviceCategory": "",
+ "PanOSDestinationDeviceHost": "",
+ "PanOSDestinationDeviceMac": "",
+ "PanOSDestinationDeviceModel": "",
+ "PanOSDestinationDeviceOSFamily": "",
+ "PanOSDestinationDeviceOSVersion": "",
+ "PanOSDestinationDeviceProfile": "",
+ "PanOSDestinationDeviceVendor": "",
+ "PanOSDestinationDynamicAddressGroup": "",
+ "PanOSDestinationEDL": "",
+ "PanOSDestinationLocation": "US",
+ "PanOSDestinationUUID": "",
+ "PanOSDynamicUserGroupName": "",
+ "PanOSEndpointAssociationID": "0",
+ "PanOSEndpointSerialNumber": "",
+ "PanOSGPHostID": "",
+ "PanOSHASessionOwner": "",
+ "PanOSHTTP2Connection": "0",
+ "PanOSIMEI": "",
+ "PanOSIMSI": "0",
+ "PanOSLinkChangeCount": "0",
+ "PanOSLinkSwitches": "",
+ "PanOSNSSAINetworkSliceType": "",
+ "PanOSPacketsReceived": "0",
+ "PanOSPacketsSent": "1",
+ "PanOSParentSessionID": "0",
+ "PanOSParentStarttime": "Jan 01 1970 00:00:00",
+ "PanOSRuleUUID": "40b8842f-eec3-4e04-b760-6a2ce4698fde",
+ "PanOSSDWANCluster": "",
+ "PanOSSDWANClusterType": "",
+ "PanOSSDWANDeviceType": "",
+ "PanOSSDWANPolicyName": "",
+ "PanOSSDWANSite": "",
+ "PanOSSessionStartTime": "Jul 04 2024 09:03:05",
+ "PanOSSourceDeviceCategory": "",
+ "PanOSSourceDeviceHost": "",
+ "PanOSSourceDeviceMac": "",
+ "PanOSSourceDeviceModel": "",
+ "PanOSSourceDeviceOSFamily": "",
+ "PanOSSourceDeviceOSVersion": "",
+ "PanOSSourceDeviceProfile": "",
+ "PanOSSourceDeviceVendor": "",
+ "PanOSSourceDynamicAddressGroup": "",
+ "PanOSSourceEDL": "",
+ "PanOSSourceLocation": "DE",
+ "PanOSSourceUUID": "",
+ "PanOSTimeGeneratedHighResolution": "Jul 04 2024 09:03:39",
+ "PanOSTunnel": "N/A",
+ "PanOSVirtualSystemName": "",
+ "PanOSX-Forwarded-ForIP": "",
+ "Reason": "aged-out",
+ "applicationProtocol": "unknown-udp",
+ "baseEventCount": 1,
+ "bytesIn": 0,
+ "bytesOut": 82,
+ "destinationAddress": "0.0.0.0",
+ "destinationPort": 500,
+ "destinationTranslatedPort": 0,
+ "deviceAction": "allow",
+ "deviceCustomNumber1": 574297,
+ "deviceCustomNumber1Label": "SessionID",
+ "deviceCustomNumber2": 1,
+ "deviceCustomNumber2Label": "PacketsTotal",
+ "deviceCustomNumber3": 0,
+ "deviceCustomNumber3Label": "SessionDuration",
+ "deviceCustomString1": "intrazone-default",
+ "deviceCustomString1Label": "Rule",
+ "deviceCustomString2": "any",
+ "deviceCustomString2Label": "URLCategory",
+ "deviceCustomString3": "vsys1",
+ "deviceCustomString3Label": "VirtualLocation",
+ "deviceCustomString4": "untrust",
+ "deviceCustomString4Label": "FromZone",
+ "deviceCustomString5": "untrust",
+ "deviceCustomString5Label": "ToZone",
+ "deviceCustomString6": "Cortex Data Lake",
+ "deviceCustomString6Label": "LogSetting",
+ "deviceEventCategory": "from-policy",
+ "deviceExternalId": "no-serial",
+ "deviceHostName": "GP cloud service",
+ "deviceInboundInterface": "ethernet1/1",
+ "deviceOutboundInterface": "ethernet1/1",
+ "deviceReceiptTime": "2024-07-04T09:03:48.000Z",
+ "deviceTimeZone": "UTC",
+ "externalId": "7361339208201408573",
+ "sourceAddress": "127.0.0.1",
+ "sourcePort": 13442,
+ "sourceTranslatedAddress": "0.0.0.0",
+ "sourceTranslatedPort": 0,
+ "startTime": "2024-07-04T09:03:39.000Z",
+ "transportProtocol": "udp"
+ },
+ "name": "end",
+ "severity": "3",
+ "version": "0"
+ },
+ "destination": {
+ "bytes": 82,
+ "ip": "0.0.0.0",
+ "nat": {
+ "port": 0
+ },
+ "port": 500
+ },
+ "event": {
+ "action": "allow",
+ "code": "TRAFFIC",
+ "original": "CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|dtz=UTC rt=Jul 04 2024 09:03:48 deviceExternalId=no-serial PanOSConfigVersion=10.2 start=Jul 04 2024 09:03:39 src=127.0.0.1 dst=0.0.0.0 sourceTranslatedAddress=0.0.0.0 destinationTranslatedAddress= cs1=intrazone-default cs1Label=Rule suser= duser= app=unknown-udp cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/1 cs6=Cortex Data Lake cs6Label=LogSetting cn1=574297 cn1Label=SessionID cnt=1 spt=13442 dpt=500 sourceTranslatedPort=0 destinationTranslatedPort=0 proto=udp act=allow PanOSBytes=82 out=82 in=0 cn2=1 cn2Label=PacketsTotal PanOSSessionStartTime=Jul 04 2024 09:03:05 cn3=0 cn3Label=SessionDuration cs2=any cs2Label=URLCategory externalId=7361339208201408573 PanOSSourceLocation=DE PanOSDestinationLocation=US PanOSPacketsSent=1 PanOSPacketsReceived=0 reason=aged-out PanOSDGHierarchyLevel1=65544 PanOSDGHierarchyLevel2=65545 PanOSDGHierarchyLevel3=65546 PanOSDGHierarchyLevel4=65550 PanOSVirtualSystemName= dvchost=GP cloud service cat=from-policy PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSEndpointAssociationID=0 PanOSChunksTotal=0 PanOSChunksSent=0 PanOSChunksReceived=0 PanOSRuleUUID=40b8842f-eec3-4e04-b760-6a2ce4698fde PanOSHTTP2Connection=0 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID= PanOSEndpointSerialNumber= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner= PanOSTimeGeneratedHighResolution=Jul 04 2024 09:03:39 PanOSNSSAINetworkSliceType= PanOSNSSAINetworkSliceDifferentiator=",
+ "severity": 3,
+ "start": "2024-07-04T09:03:39.000Z",
+ "timezone": "UTC"
+ },
+ "message": "end",
+ "network": {
+ "application": "unknown-udp",
+ "transport": "udp"
+ },
+ "observer": {
+ "hostname": "GP cloud service",
+ "product": "LF",
+ "vendor": "Palo Alto Networks",
+ "version": "2.0"
+ },
+ "source": {
+ "bytes": 0,
+ "ip": "127.0.0.1",
+ "nat": {
+ "ip": "0.0.0.0",
+ "port": 0
+ },
+ "port": 13442
+ }
 }
-]
+]
\ No newline at end of file
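Review bot: The regenerated golden file loses its trailing newline at the very end of the hunk (`-]` / `+]` followed by `\ No newline at end of file`), which will reappear as churn every time the fixture is rewritten; writing the file with a final newline, or having the golden-update path append one, avoids that. Separately, the new sample line ends with `PanOSNSSAINetworkSliceDifferentiator=` yet that key does not appear under `extensions`, while other empty-valued untyped keys such as `PanOSSDWANSite` are kept as `""` — this looks like the parser dropping a key whose empty value is the last thing on the line, and if that is intended it deserves a comment in the parser (and, if not, it is a case the hyphen change does not cover). The absence of typed keys like `suser` and `destinationTranslatedAddress` is presumably type conversion rejecting empty values, which is a different path. The hyphenated `PanOSX-Forwarded-ForIP` key is present, so this fixture does exercise the change.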