From 7bcdf531920dd70729f0fe05e7674acc55171ece Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Thu, 16 May 2019 12:00:48 -0400 Subject: [PATCH 01/34] Shorewall module: Initial commit Run make create-module MODULE=shorewall from the X-Pack's filebeat root directory --- .../module/shorewall/_meta/config.yml | 8 ++++ .../module/shorewall/_meta/docs.asciidoc | 47 +++++++++++++++++++ .../module/shorewall/_meta/fields.yml | 9 ++++ x-pack/filebeat/module/shorewall/module.yml | 1 + 4 files changed, 65 insertions(+) create mode 100644 x-pack/filebeat/module/shorewall/_meta/config.yml create mode 100644 x-pack/filebeat/module/shorewall/_meta/docs.asciidoc create mode 100644 x-pack/filebeat/module/shorewall/_meta/fields.yml create mode 100644 x-pack/filebeat/module/shorewall/module.yml diff --git a/x-pack/filebeat/module/shorewall/_meta/config.yml b/x-pack/filebeat/module/shorewall/_meta/config.yml new file mode 100644 index 000000000000..459cc89f2ae9 --- /dev/null +++ b/x-pack/filebeat/module/shorewall/_meta/config.yml @@ -0,0 +1,8 @@ +- module: shorewall + # All logs + {fileset}: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: diff --git a/x-pack/filebeat/module/shorewall/_meta/docs.asciidoc b/x-pack/filebeat/module/shorewall/_meta/docs.asciidoc new file mode 100644 index 000000000000..d4109d11ada5 --- /dev/null +++ b/x-pack/filebeat/module/shorewall/_meta/docs.asciidoc 
@@ -0,0 +1,47 @@ +:modulename: shorewall +:has-dashboards: true + +== shorewall module + +This is the shorewall module. + +include::../include/what-happens.asciidoc[] + +[float] +=== Compatibility + +TODO: document with what versions of the software is this tested + + +include::../include/running-modules.asciidoc[] + +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +TODO: include an image of a sample dashboard. If you do not include a dashboard, +remove this section and set `:has-dashboards: false` at the top of this file. + +include::../include/configuring-intro.asciidoc[] + +TODO: provide an example configuration + +:fileset_ex: {fileset} + +include::../include/config-option-intro.asciidoc[] + +TODO: document the variables from each fileset. If you're describing a variable +that's common to other modules, you can reuse shared descriptions by including +the relevant file. For example: + +[float] +==== `{fileset}` log fileset settings + +include::../include/var-paths.asciidoc[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml new file mode 100644 index 000000000000..4418e8deb609 --- /dev/null +++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml @@ -0,0 +1,9 @@ +- key: shorewall + title: "shorewall" + description: > + shorewall Module + fields: + - name: shorewall + type: group + description: > + fields: diff --git a/x-pack/filebeat/module/shorewall/module.yml b/x-pack/filebeat/module/shorewall/module.yml new file mode 100644 index 000000000000..ad3cb984c701 --- /dev/null +++ b/x-pack/filebeat/module/shorewall/module.yml @@ -0,0 +1 @@ +dashboards: From 5385157cd0ee06f79725ea7b3eae6d6fe96756b7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Thu, 16 May 2019 13:37:06 -0400 Subject: [PATCH 02/34] Run 'make create-fileset MODULE=shorewall FILESET=log' to initialise the file to parse (the shorewall log) --- x-pack/filebeat/module/shorewall/log/config/log.yml | 6 ++++++ .../module/shorewall/log/ingest/pipeline.json | 11 +++++++++++ x-pack/filebeat/module/shorewall/log/manifest.yml | 13 +++++++++++++ x-pack/filebeat/module/shorewall/module.yml | 2 ++ 4 files changed, 32 insertions(+) create mode 100644 x-pack/filebeat/module/shorewall/log/config/log.yml create mode 100644 x-pack/filebeat/module/shorewall/log/ingest/pipeline.json create mode 100644 x-pack/filebeat/module/shorewall/log/manifest.yml diff --git a/x-pack/filebeat/module/shorewall/log/config/log.yml b/x-pack/filebeat/module/shorewall/log/config/log.yml new file mode 100644 index 000000000000..0afd17317d4f --- /dev/null +++ b/x-pack/filebeat/module/shorewall/log/config/log.yml @@ -0,0 +1,6 @@ +type: log +paths: +{{ range $i, $path := .paths }} + - {{$path}} +{{ end }} +exclude_files: [".gz$"] diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json new file mode 100644 index 000000000000..5e01c6ce8546 --- /dev/null +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json @@ -0,0 +1,11 @@ +{ + "description": "Pipeline for parsing shorewall log logs", + "processors": [ + ], + "on_failure" : [{ + "set" : { + "field" : "error.message", + "value" : "{{ _ingest.on_failure_message }}" + } + }] +} diff --git a/x-pack/filebeat/module/shorewall/log/manifest.yml b/x-pack/filebeat/module/shorewall/log/manifest.yml new file mode 100644 index 000000000000..1cadad226e8c --- /dev/null +++ b/x-pack/filebeat/module/shorewall/log/manifest.yml 
@@ -0,0 +1,13 @@ +module_version: 1.0 + +var: + - name: paths + default: + - /example/test.log* + os.darwin: + - /usr/local/example/test.log* + os.windows: + - c:/programdata/example/logs/test.log* + +ingest_pipeline: ingest/pipeline.json +input: config/log.yml diff --git a/x-pack/filebeat/module/shorewall/module.yml b/x-pack/filebeat/module/shorewall/module.yml index ad3cb984c701..d29140862d1e 100644 --- a/x-pack/filebeat/module/shorewall/module.yml +++ b/x-pack/filebeat/module/shorewall/module.yml @@ -1 +1,3 @@ dashboards: +- id: Filebeat-shorewall-log-Dashboard + file: Filebeat-shorewall-log.json From a0c854551f4423734b7e7c16771dad970072ce33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Thu, 16 May 2019 14:22:11 -0400 Subject: [PATCH 03/34] Define GROK expression to parse Shorewall It reuses existing Logstash pattern: https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/firewalls#L87 --- .../module/shorewall/log/ingest/pipeline.json | 27 +++++++++++++------ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index 5e01c6ce8546..813869f47ad1 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json @@ -1,11 +1,22 @@ { - "description": "Pipeline for parsing shorewall log logs", - "processors": [ + "description": "Pipeline for parsing Shorewall firewall. Requires the geoip plugin.", + "processors": [ + { + "grok": { + "field": "message", + "patterns": [ + "%{SHOREWALL}" + ], + "ignore_missing": false + } + } ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] + "on_failure": [ + { + "set": { + "field": "error.message", + "value": "{{ _ingest.on_failure_message }}" + } + } + ] } 
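Review bot: `module.yml` now points at a dashboard file `Filebeat-shorewall-log.json` that no commit in this series adds, while docs.asciidoc from the first patch sets `:has-dashboards: true`. Until that file exists under the module's kibana directory, `filebeat setup` with dashboards enabled will presumably fail for this module. Either add the dashboard export or leave `dashboards:` empty and set `:has-dashboards: false` in the docs so both declarations agree.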
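Review bot: The new description says the pipeline `Requires the geoip plugin`, but the processor list holds only the grok step — no `geoip` processor is defined — so the claim is wrong as written. Either drop that sentence or add the `geoip` processor on the parsed address field; for a firewall log the source address is the usual enrichment target. With `ignore_missing: false` any kernel line that does not match the pattern ends up only in `error.message` via `on_failure`, which is acceptable but worth stating in `description` so operators know unmatched lines are not silently dropped.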
From 4d22a582e0ca263762196a3f14733326627a6eb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Thu, 16 May 2019 14:22:24 -0400 Subject: [PATCH 04/34] Update default file to parse --- x-pack/filebeat/module/shorewall/log/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/shorewall/log/manifest.yml b/x-pack/filebeat/module/shorewall/log/manifest.yml index 1cadad226e8c..aa4741544d61 100644 --- a/x-pack/filebeat/module/shorewall/log/manifest.yml +++ b/x-pack/filebeat/module/shorewall/log/manifest.yml @@ -3,7 +3,7 @@ module_version: 1.0 var: - name: paths default: - - /example/test.log* + - /var/log/shorewall.log os.darwin: - /usr/local/example/test.log* os.windows: From 98904d9733d02db0ce8aaec1e496b7bea0ea7aa7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Thu, 16 May 2019 14:22:47 -0400 Subject: [PATCH 05/34] Add shorewall log example for tests --- x-pack/filebeat/module/shorewall/log/test/default.log | 1 + 1 file changed, 1 insertion(+) create mode 100644 x-pack/filebeat/module/shorewall/log/test/default.log diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log b/x-pack/filebeat/module/shorewall/log/test/default.log new file mode 100644 index 000000000000..7e4ae440dcb6 --- /dev/null +++ b/x-pack/filebeat/module/shorewall/log/test/default.log @@ -0,0 +1 @@ +May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121 From e4282d20112f73cdb7a8a99ec56079c481fc9168 Mon Sep 17 00:00:00 2001 
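Review bot: The `os.darwin` and `os.windows` entries still carry the scaffold's `/usr/local/example/test.log*` and `c:/programdata/example/logs/test.log*` placeholders; Shorewall is a netfilter front end, so neither platform produces this log and the entries only make Filebeat watch paths that never exist. Drop both keys and keep the Linux `default` only. Whether `/var/log/shorewall.log` is present depends on how the host's syslog daemon routes kernel messages — on an unconfigured install the lines may land in the general kernel log instead — so the expected rsyslog/journald routing should be stated in docs.asciidoc next to the `var.paths` description.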
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Thu, 16 May 2019 15:16:11 -0400 Subject: [PATCH 06/34] Add expected JSON after running tests The command used to execute the tests is: TESTING_FILEBEAT_MODULES=shorewall INTEGRATION_TESTS=1 GENERATE=1 BEAT_STRICT_PERMS=false nosetests -v -d -s tests/system/test_modules.py --- .../log/test/default.log-expected.json | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 x-pack/filebeat/module/shorewall/log/test/default.log-expected.json diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json new file mode 100644 index 000000000000..ffa392c92693 --- /dev/null +++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json @@ -0,0 +1,29 @@ +[ + { + "@timestamp": "2019-05-16T19:11:12.360Z", + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.module": "shorewall", + "fileset.name": "log", + "input.type": "log", + "log.offset": 0, + "message": "May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121", + "nf_action1": "FORWARD", + "nf_action2": "REJECT", + "nf_dst_ip": "1.2.3.4", + "nf_dst_port": "5353", + "nf_host": "myHost", + "nf_id": "55251", + "nf_in_interface": "eth2", + "nf_len": "141", + "nf_out_interface": "eth2", + "nf_prec": "0x00", + "nf_protocol": "UDP", + "nf_src_ip": "1.2.3.4", + "nf_src_port": "5353", + "nf_tos": "0x00", + "nf_ttl": "63", + "service.type": "shorewall", + "timestamp": "May 28 17:23:25" + } +] \ No newline at end of file From 0359a796178dc5c67949ce5c7315f8845b1d7c32 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 09:29:19 -0400 Subject: [PATCH 07/34] Use grok expression instead of its grok word This change is required because the test execution is the responsible of generating the expected output for tests, which seems a bit weird from testing prespective to run a test to obtains the expected output. Maybe adding a check phase for this validation could help --- x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index 813869f47ad1..35544a480464 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json @@ -5,7 +5,7 @@ "grok": { "field": "message", "patterns": [ - "%{SHOREWALL}" + "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)" ], "ignore_missing": false } From 1754755cfc496722a985c979ac584b84470cde62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 09:30:16 -0400 Subject: [PATCH 08/34] Convert one field (nf_src_port) to integer --- x-pack/filebeat/module/shorewall/_meta/fields.yml | 2 ++ x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml index 4418e8deb609..dc719dffb4e9 100644 
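Review bot: The expanded pattern makes `SPT=` and `DPT=` mandatory literals (`.?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)` — the `?` is on the captured number, not on the literal), so any Shorewall line for a protocol without ports, such as ICMP, fails grok and is shipped only as `error.message`. Make the whole port tail optional, e.g. `(SPT=%{INT:nf_src_port}.*DPT=%{INT:nf_dst_port})?`, and add an ICMP line to `test/default.log` so that case is covered by the fixture. Separately, `.?*` appears nine times; it is a nested quantifier that the engine evidently tolerates as `.*` (the regenerated fixture in patch 09 parses), but it reads as a typo, and nine unanchored `.*` separators on text the firewall writes for arbitrary inbound packets cost a backtracking pass on every line that does not match. Netfilter fields are single-space separated, so `\\s+` separators would be both tighter and cheaper. The inherited `Requires the geoip plugin` description is still not backed by any geoip processor.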
--- a/x-pack/filebeat/module/shorewall/_meta/fields.yml +++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml @@ -7,3 +7,5 @@ type: group description: > fields: + - name: nf_src_port + type: integer \ No newline at end of file diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index 35544a480464..276e5dbec626 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json @@ -5,7 +5,7 @@ "grok": { "field": "message", "patterns": [ - "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port}?.*DPT=%{INT:nf_dst_port}?.*)" + "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port:int}?.*DPT=%{INT:nf_dst_port}?.*)" ], "ignore_missing": false } From 41c8c0c5fb7432b50b82a553028d2c20eaba595c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 09:32:09 -0400 Subject: [PATCH 09/34] Update expected test output after running tests The test command is: TESTING_FILEBEAT_MODULES=shorewall INTEGRATION_TESTS=1 GENERATE=1 BEAT_STRICT_PERMS=false nosetests -v -d -s tests/system/test_modules.py --- .../module/shorewall/log/test/default.log-expected.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json index ffa392c92693..d9da4607cfaf 100644 --- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json +++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2019-05-16T19:11:12.360Z", + "@timestamp": "2019-05-17T13:30:53.027Z", "ecs.version": "1.0.0", "event.dataset": "shorewall.log", "event.module": "shorewall", @@ -20,7 +20,7 @@ "nf_prec": "0x00", "nf_protocol": "UDP", "nf_src_ip": "1.2.3.4", - "nf_src_port": "5353", + "nf_src_port": 5353, "nf_tos": "0x00", "nf_ttl": "63", "service.type": "shorewall", From 4fc87ec07241d10a2b5de1757527eb6178fff328 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 09:40:18 -0400 Subject: [PATCH 10/34] Convert all integer fields --- x-pack/filebeat/module/shorewall/_meta/fields.yml | 8 ++++++++ .../filebeat/module/shorewall/log/ingest/pipeline.json | 2 +- .../shorewall/log/test/default.log-expected.json | 10 +++++----- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml index dc719dffb4e9..95ed37d51527 100644 --- a/x-pack/filebeat/module/shorewall/_meta/fields.yml +++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml 
@@ -7,5 +7,13 @@ type: group description: > fields: + - name: nf_dst_port + type: integer + - name: nf_id + type: integer + - name: nf_len + type: integer - name: nf_src_port + type: integer + - name: nf_ttl type: integer \ No newline at end of file diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index 276e5dbec626..96ee62fedcae 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json @@ -5,7 +5,7 @@ "grok": { "field": "message", "patterns": [ - "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl}).?*ID=(%{INT:nf_id}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port:int}?.*DPT=%{INT:nf_dst_port}?.*)" + "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len:int}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:nf_id:int}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port:int}?.*DPT=%{INT:nf_dst_port:int}?.*)" ], "ignore_missing": false } diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json index d9da4607cfaf..83ce1a342939 100644 --- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json +++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json 
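Review bot: `LEN=(%{WORD:nf_len:int})` pairs a `WORD` capture with an `:int` conversion; `WORD` accepts any `\\w+`, so a non-numeric value would be captured and then fail integer conversion, which aborts the pipeline instead of simply not matching. Use `%{INT:nf_len:int}` as the other converted fields (`nf_ttl`, `nf_id`, the ports) already do. Note that the sample line carries `LEN=` twice (IP length 141 and UDP length 121) and the greedy `.*` only settles on the first because `TOS=` must follow it; that dependency is worth a sentence in `description`, since it is the only thing keeping `nf_len` at 141.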
@@ -1,6 +1,6 @@ [ { - "@timestamp": "2019-05-17T13:30:53.027Z", + "@timestamp": "2019-05-17T13:36:04.167Z", "ecs.version": "1.0.0", "event.dataset": "shorewall.log", "event.module": "shorewall", @@ -11,18 +11,18 @@ "nf_action1": "FORWARD", "nf_action2": "REJECT", "nf_dst_ip": "1.2.3.4", - "nf_dst_port": "5353", + "nf_dst_port": 5353, "nf_host": "myHost", - "nf_id": "55251", + "nf_id": 55251, "nf_in_interface": "eth2", - "nf_len": "141", + "nf_len": 141, "nf_out_interface": "eth2", "nf_prec": "0x00", "nf_protocol": "UDP", "nf_src_ip": "1.2.3.4", "nf_src_port": 5353, "nf_tos": "0x00", - "nf_ttl": "63", + "nf_ttl": 63, "service.type": "shorewall", "timestamp": "May 28 17:23:25" } From c565d6d35273311f3d8e9aa62b866a6c17d23e57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 13:56:45 -0400 Subject: [PATCH 11/34] Convert timestamp field into Elasticsearch's @timestamp identifier As Shorewall log comes without Year in each line's timestamp, we will assume that the Year of the log is current year --- x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index 96ee62fedcae..ab6e6a772973 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json @@ -9,6 +9,14 @@ ], "ignore_missing": false } + }, + { + "date": { + "field": "timestamp", + "target_field": "@timestamp", + "formats": ["MMM dd HH:mm:ss"], + "ignore_failure": false + } } ], "on_failure": [ From fd1fd0496787adc4b1723d0a595f4996cf4072e6 Mon Sep 17 00:00:00 2001 
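Review bot: `"formats": ["MMM dd HH:mm:ss"]` accepts two-digit days only, but syslog timestamps pad single-digit days with a space (`May  8 17:23:25`) and the `SYSLOGTIMESTAMP` capture accepts both forms, so events from the 1st to the 9th of a month are rejected by the date step and end up only in `error.message`. Use `"formats": ["MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]`. The processor also sets no `timezone`, so the host's local syslog time is interpreted as UTC; add `"timezone": "{{ event.timezone }}"` backed by a `convert_timezone` variable in manifest.yml, as the system module does. The commit message notes the year is assumed to be the current one, which mis-dates December lines ingested in January — that limitation belongs in docs.asciidoc.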
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 13:59:00 -0400 Subject: [PATCH 12/34] Remove old timestamp field in favour of ES's defaults @timestamp --- x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index ab6e6a772973..6a26717fb976 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json @@ -17,6 +17,11 @@ "formats": ["MMM dd HH:mm:ss"], "ignore_failure": false } + }, + { + "remove": { + "field": "timestamp" + } } ], "on_failure": [ From 9b4518fe694b6ec028590da672e2557b63c96fe8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 14:15:07 -0400 Subject: [PATCH 13/34] Update expected log for timestamp --- .../module/shorewall/log/test/default.log-expected.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json index 83ce1a342939..7dcaca71c420 100644 --- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json +++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2019-05-17T13:36:04.167Z", + "@timestamp": "2019-05-28T17:23:25.000Z", "ecs.version": "1.0.0", "event.dataset": "shorewall.log", "event.module": "shorewall", @@ -23,7 +23,6 @@ "nf_src_port": 5353, "nf_tos": "0x00", "nf_ttl": 63, - "service.type": "shorewall", - "timestamp": "May 28 17:23:25" + "service.type": "shorewall" } ] \ No newline at end of file From 624078e1967a0db3ccbb065a85303f7fe601745b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 16:41:24 -0400 Subject: [PATCH 14/34] Use sneakcase for fields --- x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 2 +- .../module/shorewall/log/test/default.log-expected.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index 6a26717fb976..3bafc76efedd 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json @@ -5,7 +5,7 @@ "grok": { "field": "message", "patterns": [ - "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action1})?:(%{WORD:nf_action2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len:int}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:nf_id:int}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port:int}?.*DPT=%{INT:nf_dst_port:int}?.*)" + "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action_1})?:(%{WORD:nf_action_2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len:int}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:nf_id:int}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port:int}?.*DPT=%{INT:nf_dst_port:int}?.*)" ], "ignore_missing": false } diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json index 7dcaca71c420..8a6f6f7ae8d8 100644 
--- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json +++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json @@ -8,8 +8,8 @@ "input.type": "log", "log.offset": 0, "message": "May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121", - "nf_action1": "FORWARD", - "nf_action2": "REJECT", + "nf_action_1": "FORWARD", + "nf_action_2": "REJECT", "nf_dst_ip": "1.2.3.4", "nf_dst_port": 5353, "nf_host": "myHost", From 2bc9ca45aa20eafe7fd87d7ace8a2488114ce76e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 17:34:06 -0400 Subject: [PATCH 15/34] Use Elastic Common Schema (ECS) for existing fields --- .../module/shorewall/log/ingest/pipeline.json | 2 +- .../log/test/default.log-expected.json | 19 +++++++++---------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index 3bafc76efedd..75a948ffecd9 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json 
@@ -5,7 +5,7 @@ "grok": { "field": "message", "patterns": [ - "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:nf_host}) kernel:.*Shorewall:(%{WORD:nf_action_1})?:(%{WORD:nf_action_2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:nf_dst_mac}):(%{COMMONMAC:nf_src_mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:nf_src_ip}).*DST=(%{IPV4:nf_dst_ip}).*LEN=(%{WORD:nf_len:int}).?*TOS=(%{WORD:nf_tos}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:nf_id:int}).?*PROTO=(%{WORD:nf_protocol}).?*SPT=(%{INT:nf_src_port:int}?.*DPT=%{INT:nf_dst_port:int}?.*)" + "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:action_1})?:(%{WORD:action_2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{WORD:nf_len:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:nf_id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)" ], "ignore_missing": false } diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json index 8a6f6f7ae8d8..077aa90f56c8 100644 --- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json +++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json 
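Review bot: `TOS=(%{WORD:service.type})` writes the IP TOS byte into ECS `service.type`, which Filebeat already sets to `shorewall` for this module; the regenerated fixture in the next hunk shows the result, `"service.type": "0x00"`, so the module's own service identity is now overwritten by packet data. Map it to a module field instead, e.g. `%{WORD:shorewall.tos}`. `PROTO=(%{WORD:network.protocol})` has the same kind of mismatch: in ECS `network.protocol` is the application-layer protocol (http, dns), while the transport name belongs in `network.transport` and is expected in lowercase, so `%{WORD:network.transport}` followed by a `lowercase` processor on that field is the faithful mapping. `host.hostname` taken from the syslog header may also collide with the value Filebeat's host metadata writes to the same field — verify against the shipper configuration before relying on it.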
@@ -1,28 +1,27 @@ [ { "@timestamp": "2019-05-28T17:23:25.000Z", + "action_1": "FORWARD", + "action_2": "REJECT", + "destination.ip": "1.2.3.4", + "destination.port": 5353, "ecs.version": "1.0.0", "event.dataset": "shorewall.log", "event.module": "shorewall", "fileset.name": "log", + "host.hostname": "myHost", "input.type": "log", "log.offset": 0, "message": "May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121", - "nf_action_1": "FORWARD", - "nf_action_2": "REJECT", - "nf_dst_ip": "1.2.3.4", - "nf_dst_port": 5353, - "nf_host": "myHost", + "network.protocol": "UDP", "nf_id": 55251, "nf_in_interface": "eth2", "nf_len": 141, "nf_out_interface": "eth2", "nf_prec": "0x00", - "nf_protocol": "UDP", - "nf_src_ip": "1.2.3.4", - "nf_src_port": 5353, - "nf_tos": "0x00", "nf_ttl": 63, - "service.type": "shorewall" + "service.type": "0x00", + "source.ip": "1.2.3.4", + "source.port": 5353 } ] \ No newline at end of file From 3a899dd9af1ba606f5edd1413798e49e2ba313dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 17:39:57 -0400 Subject: [PATCH 16/34] Update action fields to denote they are shorewall specifics --- x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 2 +- .../module/shorewall/log/test/default.log-expected.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index 75a948ffecd9..51ab5ff0ca29 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json 
@@ -5,7 +5,7 @@ "grok": { "field": "message", "patterns": [ - "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:action_1})?:(%{WORD:action_2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{WORD:nf_len:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:nf_id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)" + "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:shorewall.action.1})?:(%{WORD:shorewall.action.2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{WORD:nf_len:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:nf_id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)" ], "ignore_missing": false } diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json index 077aa90f56c8..af77aefad572 100644 --- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json +++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json @@ -1,8 +1,6 @@ [ { "@timestamp": "2019-05-28T17:23:25.000Z", - "action_1": "FORWARD", - "action_2": "REJECT", "destination.ip": "1.2.3.4", "destination.port": 5353, "ecs.version": "1.0.0", @@ -21,6 +19,8 @@ "nf_prec": "0x00", "nf_ttl": 63, "service.type": "0x00", + "shorewall.action.1": "FORWARD", + "shorewall.action.2": "REJECT", "source.ip": "1.2.3.4", "source.port": 5353 } From 037c84de82135a67233bbb0fe37d108f5d24845e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 23:29:05 -0400 Subject: [PATCH 17/34] Move field documentation to the proper location: the fileset --- .../module/shorewall/_meta/fields.yml | 17 +---------- .../module/shorewall/log/_meta/fields.yml | 29 +++++++++++++++++++ 2 files changed, 30 insertions(+), 16 deletions(-) create mode 100644 x-pack/filebeat/module/shorewall/log/_meta/fields.yml diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml index 95ed37d51527..071c01b8f52f 100644 --- a/x-pack/filebeat/module/shorewall/_meta/fields.yml +++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml @@ -1,19 +1,4 @@ - key: shorewall title: "shorewall" description: > - shorewall Module - fields: - - name: shorewall - type: group - description: > - fields: - - name: nf_dst_port - type: integer - - name: nf_id - type: integer - - name: nf_len - type: integer - - name: nf_src_port - type: integer - - name: nf_ttl - type: integer \ No newline at end of file + shorewall Module \ No newline at end of file diff --git a/x-pack/filebeat/module/shorewall/log/_meta/fields.yml b/x-pack/filebeat/module/shorewall/log/_meta/fields.yml new file mode 100644 index 000000000000..0570f7bf4a8b --- /dev/null +++ b/x-pack/filebeat/module/shorewall/log/_meta/fields.yml @@ -0,0 +1,29 @@ +- key: shorewall + title: "shorewall" + description: > + shorewall Module + fields: + - name: shorewall + type: group + description: > + fields: + - name: destination.ip + type: source.ip + - name: destination.port + type: integer + - name: shorewall_action_1 + type: keyword + - name: shorewall_action_2 + type: keyword + - name: shorewall_in_interface + type: keyword + - name: shorewall_out_interface + type: keyword + - name: shorewall_precedence + type: keyword + - name: shorewall_ttl + type: integer + - name: source.ip + type: source.ip + - name: source.port + type: integer \ No newline at end of file 
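Review bot: The names declared here — `shorewall_action_1`, `shorewall_action_2`, `shorewall_in_interface`, `shorewall_out_interface`, `shorewall_precedence`, `shorewall_ttl` — match nothing the pipeline emits at this point (`shorewall.action.1`, `nf_in_interface`, `nf_out_interface`, `nf_prec`, `nf_ttl`), so the declared types never apply and those fields receive dynamic mappings in the index. Later commits in the series revisit the naming, but whichever side is renamed, the grok captures and these declarations have to agree exactly. Each entry should also carry a `description:`, since this file is the source of the module's field reference documentation.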
From e55ad2cb6b4e0b5603909fac085d139191753825 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 23:30:16 -0400 Subject: [PATCH 18/34] Remove ECS fields from docs, are they are not needed --- x-pack/filebeat/module/shorewall/log/_meta/fields.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/x-pack/filebeat/module/shorewall/log/_meta/fields.yml b/x-pack/filebeat/module/shorewall/log/_meta/fields.yml index 0570f7bf4a8b..6a5e13666bfd 100644 --- a/x-pack/filebeat/module/shorewall/log/_meta/fields.yml +++ b/x-pack/filebeat/module/shorewall/log/_meta/fields.yml @@ -7,10 +7,6 @@ type: group description: > fields: - - name: destination.ip - type: source.ip - - name: destination.port - type: integer - name: shorewall_action_1 type: keyword - name: shorewall_action_2 @@ -22,8 +18,4 @@ - name: shorewall_precedence type: keyword - name: shorewall_ttl - type: integer - - name: source.ip - type: source.ip - - name: source.port type: integer \ No newline at end of file From 329ca15b34f0a295767a0b2f0f55fab05e1142e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Fri, 17 May 2019 23:42:50 -0400 Subject: [PATCH 19/34] Use proper shared field definition for shorewall I followed NATS example, so that here I define the parent field froup (shorewall) and the children fields will be defined at the fileset level --- x-pack/filebeat/module/shorewall/_meta/fields.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml index 071c01b8f52f..93bf4d612f3f 100644 --- a/x-pack/filebeat/module/shorewall/_meta/fields.yml +++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml 
@@ -1,4 +1,10 @@
 - key: shorewall
 title: "shorewall"
 description: >
- shorewall Module
\ No newline at end of file
+ Module for parsing Shorewall log files.
+ fields:
+ - name: shorewall
+ type: group
+ description: >
+ Fields from Shorewall logs.
+ fields:
\ No newline at end of file
From ff07455d142226d33e7016031d0469545cb918b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?=
Date: Sat, 18 May 2019 00:12:59 -0400
Subject: [PATCH 20/34] Use Elastic Common Schema (ECS) for more fields
---
 x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
index 51ab5ff0ca29..efe848a0c6f7 100644
--- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
+++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
@@ -5,7 +5,7 @@
 "grok": {
 "field": "message",
 "patterns": [
- "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:shorewall.action.1})?:(%{WORD:shorewall.action.2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{WORD:nf_len:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:nf_id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)"
+ "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:shorewall.action_1})?:(%{WORD:shorewall.action_2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{WORD:network.packets:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:event.id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)"
 ],
 "ignore_missing": false
 }
From 5c011926b4853952f5f585c864388d2be9bcc168 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?=
Date: Sat, 18 May 2019 00:57:22 -0400
Subject: [PATCH 21/34] Represent shorewall specific fields using dot notation for children elements
---
 .../module/shorewall/log/_meta/fields.yml | 41 +++++++++++--------
 .../module/shorewall/log/ingest/pipeline.json | 2 +-
 2 files changed, 24 insertions(+), 19 deletions(-)
diff --git a/x-pack/filebeat/module/shorewall/log/_meta/fields.yml b/x-pack/filebeat/module/shorewall/log/_meta/fields.yml
index 6a5e13666bfd..8dd9552d62ad 100644
--- a/x-pack/filebeat/module/shorewall/log/_meta/fields.yml
+++ b/x-pack/filebeat/module/shorewall/log/_meta/fields.yml
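Review bot: The added pattern maps three netfilter fields onto ECS names whose meaning does not match: `LEN=` is the IP total length in bytes but lands in `network.packets` (an ECS packet count; `network.bytes` is the bytes field), `ID=` is the 16-bit IP identification value but lands in `event.id` (an ECS keyword identifier, so the `:int` conversion will also collide with the ECS template type), and `TOS=` goes to `service.type`, which in ECS names the service the data was collected from, not IP type-of-service. The pipeline hunks in PATCH 21 and PATCH 23 keep all three mappings; PATCH 23 only changes the `LEN=` capture from `WORD` to `INT`. Storing them as `network.bytes`, `shorewall.ip_id` and `shorewall.tos` (names constructed here to match the `shorewall.ttl` style used later in the series) would avoid mapping conflicts with other modules that populate those ECS fields. The enclosing processor list starts and ends outside the hunk.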
@@ -1,21 +1,26 @@ -- key: shorewall - title: "shorewall" +- name: network + type: group description: > - shorewall Module + Shorewal log files fields: - - name: shorewall - type: group + - name: in + type: keywork + - name: out + type: keyword +- name: action + type: group + description: > + Shorewal network log files + fields: + - name: one + type: keywork + description: > + Action one + - name: two + type: keyword description: > - fields: - - name: shorewall_action_1 - type: keyword - - name: shorewall_action_2 - type: keyword - - name: shorewall_in_interface - type: keyword - - name: shorewall_out_interface - type: keyword - - name: shorewall_precedence - type: keyword - - name: shorewall_ttl - type: integer \ No newline at end of file + Action two +- name: precedence + type: keyword +- name: ttl + type: integer \ No newline at end of file diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index efe848a0c6f7..d2b47070fec2 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json 
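Review bot: `type: keywork` on the new `- name: in` and `- name: one` entries is a typo for `keyword`; it is not an Elasticsearch field type, so the index template generated from this file would presumably carry an invalid mapping for `shorewall.network.in` and `shorewall.action.one`, and the typo already appears verbatim in the docs regenerated in PATCH 25. PATCH 26 moves the same block into the module-level `_meta/fields.yml` with both typos intact, so correct it there as well. The group descriptions `Shorewal log files` and `Shorewal network log files` are misspelt and do not say what the groups hold; `Interfaces the packet was received on and sent out on` and `Shorewall chain and action recorded for the packet (e.g. lan-fw / ACCEPT)` would be more useful, and `precedence` and `ttl` carry no description at all.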
@@ -5,7 +5,7 @@
 "grok": {
 "field": "message",
 "patterns": [
- "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:shorewall.action_1})?:(%{WORD:shorewall.action_2})?.*IN=(%{USERNAME:nf_in_interface})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:nf_out_interface}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{WORD:network.packets:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:nf_prec}).?*TTL=(%{INT:nf_ttl:int}).?*ID=(%{INT:event.id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)"
+ "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:shorewall.action.one})?:(%{WORD:shorewall.action.two})?.*IN=(%{USERNAME:shorewall.network.in})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:shorewall.network.out}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{WORD:network.packets:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:shorewall.precedence}).?*TTL=(%{INT:shorewall.ttl:int}).?*ID=(%{INT:event.id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)"
 ],
 "ignore_missing": false
 }
From 0359d433fe10e34a520cb854144b516c181da2f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?=
Date: Sat, 18 May 2019 00:58:24 -0400
Subject: [PATCH 22/34] Update expected log after tests run
---
 .../shorewall/log/test/default.log-expected.json | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json
index af77aefad572..eb390d802bd8 100644
--- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json
+++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json
@@ -5,22 +5,22 @@ "destination.port": 5353, "ecs.version": "1.0.0", "event.dataset": "shorewall.log", + "event.id": 55251, "event.module": "shorewall", "fileset.name": "log", "host.hostname": "myHost", "input.type": "log", "log.offset": 0, "message": "May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121", + "network.packets": 141, "network.protocol": "UDP", - "nf_id": 55251, - "nf_in_interface": "eth2", - "nf_len": 141, - "nf_out_interface": "eth2", - "nf_prec": "0x00", - "nf_ttl": 63, "service.type": "0x00", - "shorewall.action.1": "FORWARD", - "shorewall.action.2": "REJECT", + "shorewall.action.one": "FORWARD", + "shorewall.action.two": "REJECT", + "shorewall.network.in": "eth2", + "shorewall.network.out": "eth2", + "shorewall.precedence": "0x00", + "shorewall.ttl": 63, "source.ip": "1.2.3.4", "source.port": 5353 } From 8e5cc487543d06f74a4b8794d04cc6e6951ee6cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Sat, 18 May 2019 01:11:50 -0400 Subject: [PATCH 23/34] Use proper type for LEN field The LEN field represents "Total length of IP packet in bytes" --- x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index d2b47070fec2..e2d23e620af6 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json 
@@ -5,7 +5,7 @@
 "grok": {
 "field": "message",
 "patterns": [
- "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:shorewall.action.one})?:(%{WORD:shorewall.action.two})?.*IN=(%{USERNAME:shorewall.network.in})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:shorewall.network.out}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{WORD:network.packets:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:shorewall.precedence}).?*TTL=(%{INT:shorewall.ttl:int}).?*ID=(%{INT:event.id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)"
+ "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:shorewall.action.one})?:(%{WORD:shorewall.action.two})?.*IN=(%{USERNAME:shorewall.network.in})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:shorewall.network.out}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{INT:network.packets:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:shorewall.precedence}).?*TTL=(%{INT:shorewall.ttl:int}).?*ID=(%{INT:event.id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)"
 ],
 "ignore_missing": false
 }
From 007b0cb7e664e93ba8a7f8dcd792ee6889055927 Mon Sep 17 00:00:00 2001
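Review bot: `Shorewall:(%{WORD:shorewall.action.one})?:` cannot match the zone-to-zone chain names Shorewall emits, because `WORD` (`\b\w+\b`) admits no hyphen; the sample log added in PATCH 27 contains `Shorewall:lan-fw:ACCEPT:` and `Shorewall:wif-net:ACCEPT:` lines, and on those the optional group is skipped, the literal `:` does not follow, and the whole grok match fails (only `net_dnat`, with an underscore, would pass). Declaring a colon-free token under `pattern_definitions`, e.g. `"pattern_definitions": { "SHOREWALL_TOKEN": "[^:]+" }`, and using `%{SHOREWALL_TOKEN:shorewall.action.one}` / `%{SHOREWALL_TOKEN:shorewall.action.two}` fixes that. Separately, the pattern chains a dozen `.*` / `.?*` segments around optional groups over a line whose content is influenced by remote peers (they decide what the firewall logs), a shape that backtracks heavily on near-miss lines; tightening the separators to `\s+` / `%{NOTSPACE}` between the `KEY=` tokens keeps a burst of unmatched lines from stalling the ingest node. The `OUT= *MAC=` alternative also only captures MACs when `OUT=` is empty, so lines like `OUT=eth3 MAC=…` in the same sample log lose `destination.mac`/`source.mac` to the second alternative's `.*`. The enclosing processor list starts and ends outside the hunk.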
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Mon, 20 May 2019 10:18:29 +0200 Subject: [PATCH 24/34] Run "make update" to autogenerate docs for fields This command will: - format and normalise code - include new module into the existing list of Filebeat modules --- x-pack/filebeat/filebeat.reference.yml | 10 ++++++++ x-pack/filebeat/include/list.go | 1 + x-pack/filebeat/module/shorewall/fields.go | 23 +++++++++++++++++++ .../filebeat/modules.d/shorewall.yml.disabled | 11 +++++++++ 4 files changed, 45 insertions(+) create mode 100644 x-pack/filebeat/module/shorewall/fields.go create mode 100644 x-pack/filebeat/modules.d/shorewall.yml.disabled diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 8b33b9351ecc..00fc6b730277 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -470,6 +470,16 @@ filebeat.modules: # Filebeat will choose the the default path. #var.paths: +#------------------------------ Shorewall Module ------------------------------ +- module: shorewall + # All logs + {fileset}: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: + #------------------------------- Suricata Module ------------------------------- - module: suricata # All logs diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 3265bfe6f8f7..cece7758d95c 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -16,6 +16,7 @@ import ( _ "github.com/elastic/beats/x-pack/filebeat/module/netflow" _ "github.com/elastic/beats/x-pack/filebeat/module/palo_alto" _ "github.com/elastic/beats/x-pack/filebeat/module/rabbitmq" + _ "github.com/elastic/beats/x-pack/filebeat/module/shorewall" _ "github.com/elastic/beats/x-pack/filebeat/module/suricata" _ "github.com/elastic/beats/x-pack/filebeat/module/zeek" ) 
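Review bot: The generated reference config still carries the scaffold placeholder `{fileset}:` where the fileset name belongs; this module's only fileset is `log` (`module/shorewall/log/...` throughout the series), so the block should read `- module: shorewall` / `  log:` / `    enabled: true`. As written, a user who copies this snippet enables a fileset literally named `{fileset}`, which Filebeat presumably cannot resolve. The same placeholder appears in `modules.d/shorewall.yml.disabled` in this commit; since both files are produced by `make update`, the fix presumably belongs in the module's `_meta/config.yml` that the generator reads, so that regeneration picks it up.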
diff --git a/x-pack/filebeat/module/shorewall/fields.go b/x-pack/filebeat/module/shorewall/fields.go new file mode 100644 index 000000000000..2b6e8370dc51 --- /dev/null +++ b/x-pack/filebeat/module/shorewall/fields.go @@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package shorewall + +import ( + "github.com/elastic/beats/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "shorewall", asset.ModuleFieldsPri, AssetShorewall); err != nil { + panic(err) + } +} + +// AssetShorewall returns asset data. +// This is the base64 encoded gzipped contents of module/shorewall. +func AssetShorewall() string { + return "eJyskcFugzAQRO/+ilHu6Qf4UKmX3nrqFyC8UAvHa9mLEH9fGcWJCSkKUuc4MPt21mcMNGukH440Nc4pQKw40jjdvJMCDKU22iCWvca7AoAvNqMjdBwRmpis7/FdInDco7OO0psCOkvOJL2kzvDNhdbELJkDafSRx3B1niCzPpdh6CJf1rwFlVXjaqQnmTgON/8ZdAecVYD3ftXnR27Ntn5lF/RA88NK9wiPspMxm3pNmzf+l3bXSx1uyZ5errm7SdbH0mczs7Bk4pfOc4RVzyycEKklQ76lzWn/egkRt/nXeqGeovoNAAD//4KB5vc=" +} diff --git a/x-pack/filebeat/modules.d/shorewall.yml.disabled b/x-pack/filebeat/modules.d/shorewall.yml.disabled new file mode 100644 index 000000000000..9e661ee6598e --- /dev/null +++ b/x-pack/filebeat/modules.d/shorewall.yml.disabled @@ -0,0 +1,11 @@ +# Module: shorewall +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-shorewall.html + +- module: shorewall + # All logs + {fileset}: + enabled: true + + # Set custom paths for the log files. If left empty, + # Filebeat will choose the paths depending on your OS. + #var.paths: From e0deca03817187a2e689243584f79e23cd0d0395 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Mon, 20 May 2019 10:31:19 +0200 Subject: [PATCH 25/34] Run "make update" from OSS directory to autogenerate docs for fields, include new module into the existing list of Filebeat modules --- filebeat/docs/fields.asciidoc | 77 ++++++++++++++++++++++++ filebeat/docs/modules/shorewall.asciidoc | 60 ++++++++++++++++++ filebeat/docs/modules_list.asciidoc | 2 + 3 files changed, 139 insertions(+) create mode 100644 filebeat/docs/modules/shorewall.asciidoc diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 472d9817b349..0c2b7f3f35b6 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -46,6 +46,7 @@ grouped in the following categories: * <> * <> * <> +* <> * <> * <> * <> @@ -12486,6 +12487,82 @@ Hash of process executable. -- +[[exported-fields-shorewall]] +== shorewall fields + +Module for parsing Shorewall log files. + + + +[float] +== shorewall fields + +Fields from Shorewall logs. + + + +[float] +== network fields + +Shorewal log files + + + +*`shorewall.network.in`*:: ++ +-- +type: keywork + +-- + +*`shorewall.network.out`*:: ++ +-- +type: keyword + +-- + +[float] +== action fields + +Shorewal network log files + + + +*`shorewall.action.one`*:: ++ +-- +type: keywork + +Action one + + +-- + +*`shorewall.action.two`*:: ++ +-- +type: keyword + +Action two + + +-- + +*`shorewall.precedence`*:: ++ +-- +type: keyword + +-- + +*`shorewall.ttl`*:: ++ +-- +type: integer + +-- + [[exported-fields-suricata]] == Suricata fields diff --git a/filebeat/docs/modules/shorewall.asciidoc b/filebeat/docs/modules/shorewall.asciidoc new file mode 100644 index 000000000000..163ec3e3a9a2 --- /dev/null +++ b/filebeat/docs/modules/shorewall.asciidoc 
@@ -0,0 +1,60 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-shorewall]] +:modulename: shorewall +:has-dashboards: true + +== shorewall module + +This is the shorewall module. + +include::../include/what-happens.asciidoc[] + +[float] +=== Compatibility + +TODO: document with what versions of the software is this tested + + +include::../include/running-modules.asciidoc[] + +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +TODO: include an image of a sample dashboard. If you do not include a dashboard, +remove this section and set `:has-dashboards: false` at the top of this file. + +include::../include/configuring-intro.asciidoc[] + +TODO: provide an example configuration + +:fileset_ex: {fileset} + +include::../include/config-option-intro.asciidoc[] + +TODO: document the variables from each fileset. If you're describing a variable +that's common to other modules, you can reuse shared descriptions by including +the relevant file. For example: + +[float] +==== `{fileset}` log fileset settings + +include::../include/var-paths.asciidoc[] + +:has-dashboards!: + +:fileset_ex!: + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index 461df2631f91..27dc8ef5ca6e 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc @@ -27,6 +27,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -60,6 +61,7 @@ include::modules/postgresql.asciidoc[] include::modules/rabbitmq.asciidoc[] include::modules/redis.asciidoc[] include::modules/santa.asciidoc[] +include::modules/shorewall.asciidoc[] include::modules/suricata.asciidoc[] include::modules/system.asciidoc[] include::modules/traefik.asciidoc[] From db763af03a94a1c8af0fa64ef9d4e32ad7f5612f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Mon, 20 May 2019 14:24:06 +0200 Subject: [PATCH 26/34] Move specific log fields to the parent level We found a bug in mage when collecting fields from x-path modules --- .../module/shorewall/_meta/fields.yml | 28 ++++++++++++++++++- .../module/shorewall/log/_meta/fields.yml | 26 ----------------- 2 files changed, 27 insertions(+), 27 deletions(-) delete mode 100644 x-pack/filebeat/module/shorewall/log/_meta/fields.yml diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml index 93bf4d612f3f..c47cf49b9dd1 100644 --- a/x-pack/filebeat/module/shorewall/_meta/fields.yml +++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml @@ -7,4 +7,30 @@ type: group description: > Fields from Shorewall logs. - fields: \ No newline at end of file + fields: + - name: network + type: group + description: > + Shorewal log files + fields: + - name: in + type: keywork + - name: out + type: keyword + - name: action + type: group + description: > + Shorewal network log files + fields: + - name: one + type: keywork + description: > + Action one + - name: two + type: keyword + description: > + Action two + - name: precedence + type: keyword + - name: ttl + type: integer \ No newline at end of file diff --git a/x-pack/filebeat/module/shorewall/log/_meta/fields.yml b/x-pack/filebeat/module/shorewall/log/_meta/fields.yml deleted file mode 100644 index 8dd9552d62ad..000000000000 --- a/x-pack/filebeat/module/shorewall/log/_meta/fields.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -- name: network - type: group - description: > - Shorewal log files - fields: - - name: in - type: keywork - - name: out - type: keyword -- name: action - type: group - description: > - Shorewal network log files - fields: - - name: one - type: keywork - description: > - Action one - - name: two - type: keyword - description: > - Action two -- name: precedence - type: keyword -- name: ttl - type: integer \ No newline at end of file From 0535c399fa4ba563e622ae5cdfaed3ae974011ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Mon, 20 May 2019 18:41:30 +0200 Subject: [PATCH 27/34] Add more log examples from a real firewall --- .../module/shorewall/log/test/default.log | 190 +++++++++++++++++- 1 file changed, 189 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log b/x-pack/filebeat/module/shorewall/log/test/default.log index 7e4ae440dcb6..3528c092fd60 100644 --- a/x-pack/filebeat/module/shorewall/log/test/default.log +++ b/x-pack/filebeat/module/shorewall/log/test/default.log 
@@ -1 +1,189 @@ -May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121 +May 20 06:25:04 myHost kernel: [5665774.433812] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8108 PROTO=TCP SPT=50371 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:25:07 myHost kernel: [5665777.620517] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=56740 PROTO=UDP SPT=58761 DPT=443 LEN=1358 +May 20 06:25:07 myHost kernel: [5665777.621095] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=411 TOS=0x00 PREC=0x00 TTL=63 ID=1452 PROTO=UDP SPT=58761 DPT=443 LEN=391 +May 20 06:25:10 myHost kernel: [5665780.629574] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13568 PROTO=TCP SPT=55651 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:25:14 myHost kernel: [5665784.796963] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3097 DF PROTO=TCP SPT=60391 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 +May 20 06:25:14 myHost kernel: [5665784.807881] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=12465 DF PROTO=TCP SPT=60525 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:25:15 myHost kernel: [5665785.711972] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9741 PROTO=TCP SPT=46896 DPT=8080 WINDOW=5840 RES=0x00 SYN 
URGP=0 +May 20 06:25:22 myHost kernel: [5665792.533866] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=29417 PROTO=TCP SPT=41131 DPT=60561 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:25 myHost kernel: [5665795.346806] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4615 PROTO=TCP SPT=60423 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:25:25 myHost kernel: [5665795.391942] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19852 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:25:27 myHost kernel: [5665797.609158] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62477 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:25:27 myHost kernel: [5665797.609464] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62478 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:25:27 myHost kernel: [5665797.801696] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62479 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:25:28 myHost kernel: [5665798.736156] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=54649 PROTO=TCP SPT=41131 DPT=61929 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:29 myHost kernel: [5665799.665870] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 
TOS=0x00 PREC=0x00 TTL=252 ID=60378 DF PROTO=TCP SPT=61113 DPT=8291 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:32 myHost kernel: [5665802.156520] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=101 TOS=0x00 PREC=0x00 TTL=116 ID=24468 PROTO=UDP SPT=7718 DPT=18377 LEN=81 MARK=0x3 +May 20 06:25:34 myHost kernel: [5665804.111364] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8832 PROTO=TCP SPT=39229 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:25:38 myHost kernel: [5665808.647159] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=61638 PROTO=TCP SPT=8080 DPT=33396 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:40 myHost kernel: [5665810.425471] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28391 DF PROTO=TCP SPT=56642 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:40 myHost kernel: [5665810.466469] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28398 DF PROTO=TCP SPT=56643 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:40 myHost kernel: [5665810.492512] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28402 DF PROTO=TCP SPT=56644 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:40 myHost kernel: [5665810.517875] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28409 DF PROTO=TCP SPT=56645 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:41 myHost kernel: 
[5665811.550988] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8119 PROTO=TCP SPT=50372 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:25:42 myHost kernel: [5665812.814869] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=15595 DF PROTO=UDP SPT=58973 DPT=443 LEN=1358 +May 20 06:25:42 myHost kernel: [5665812.814907] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=386 TOS=0x00 PREC=0x00 TTL=127 ID=15596 DF PROTO=UDP SPT=58973 DPT=443 LEN=366 +May 20 06:25:43 myHost kernel: [5665813.094960] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=2832 PROTO=TCP SPT=41131 DPT=58772 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:25:48 myHost kernel: [5665818.708387] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13578 PROTO=TCP SPT=35540 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:25:53 myHost kernel: [5665823.838331] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=170 DF PROTO=UDP SPT=37876 DPT=123 LEN=56 +May 20 06:25:55 myHost kernel: [5665825.551009] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19854 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:25:55 myHost kernel: [5665825.808201] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9751 PROTO=TCP SPT=46897 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:25:59 
myHost kernel: [5665829.270149] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=83 TOS=0x00 PREC=0x00 TTL=63 ID=63893 DF PROTO=TCP SPT=48338 DPT=443 WINDOW=1453 RES=0x00 ACK PSH URGP=0 +May 20 06:25:59 myHost kernel: [5665829.275316] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=63894 DF PROTO=TCP SPT=48338 DPT=443 WINDOW=1453 RES=0x00 ACK FIN URGP=0 +May 20 06:25:59 myHost kernel: [5665829.282743] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48586 DF PROTO=TCP SPT=59914 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:26:03 myHost kernel: [5665833.634545] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4628 PROTO=TCP SPT=60424 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:26:06 myHost kernel: [5665836.622479] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=43325 PROTO=TCP SPT=8080 DPT=4000 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:26:07 myHost kernel: [5665837.859827] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=36238 PROTO=UDP SPT=61330 DPT=443 LEN=1358 +May 20 06:26:07 myHost kernel: [5665837.860199] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=442 TOS=0x00 PREC=0x00 TTL=63 ID=22277 PROTO=UDP SPT=61330 DPT=443 LEN=422 +May 20 06:26:07 myHost kernel: [5665837.860223] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=150 TOS=0x00 PREC=0x00 TTL=63 
ID=8101 PROTO=UDP SPT=61330 DPT=443 LEN=130 +May 20 06:26:09 myHost kernel: [5665839.818545] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7051 DF PROTO=TCP SPT=60526 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:26:12 myHost kernel: [5665842.372077] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8844 PROTO=TCP SPT=39230 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:26:13 myHost kernel: [5665843.902992] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=32586 DF PROTO=UDP SPT=64806 DPT=443 LEN=1358 +May 20 06:26:17 myHost kernel: [5665847.730485] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8129 PROTO=TCP SPT=50373 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:26:22 myHost kernel: [5665852.790852] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13588 PROTO=TCP SPT=35541 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:26:25 myHost kernel: [5665855.713411] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19856 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:26:30 myHost kernel: [5665860.305453] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=31944 PROTO=TCP SPT=48293 DPT=49495 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:26:30 myHost kernel: [5665860.904274] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 
LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9761 PROTO=TCP SPT=60773 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:26:38 myHost kernel: [5665868.905177] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4641 PROTO=TCP SPT=60425 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:26:44 myHost kernel: [5665874.640128] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8856 PROTO=TCP SPT=39231 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:26:50 myHost kernel: [5665880.272050] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1224 DF PROTO=TCP SPT=38769 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:26:50 myHost kernel: [5665880.916295] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=31010 PROTO=TCP SPT=41131 DPT=59830 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:26:52 myHost kernel: [5665882.101246] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8140 PROTO=TCP SPT=50374 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:26:55 myHost kernel: [5665885.867369] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19858 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:26:56 myHost kernel: [5665886.872870] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13598 PROTO=TCP SPT=35542 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:26:58 myHost kernel: [5665888.837986] Shorewall:net-fw:DROP:IN=eth5 OUT= 
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=34778 PROTO=TCP SPT=49514 DPT=3291 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:26:59 myHost kernel: [5665889.708842] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60038 DF PROTO=TCP SPT=57121 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:27:00 myHost kernel: [5665890.633270] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=44244 PROTO=TCP SPT=48293 DPT=46462 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:27:04 myHost kernel: [5665895.011208] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9771 PROTO=TCP SPT=60774 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:27:05 myHost kernel: [5665895.443186] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62480 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:27:07 myHost kernel: [5665897.853344] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=2997 DF PROTO=UDP SPT=61074 DPT=443 LEN=1358 +May 20 06:27:07 myHost kernel: [5665897.853903] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=533 TOS=0x00 PREC=0x00 TTL=127 ID=2998 DF PROTO=UDP SPT=61074 DPT=443 LEN=513 +May 20 06:27:07 myHost kernel: [5665897.853924] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=177 TOS=0x00 PREC=0x00 TTL=127 ID=2999 DF PROTO=UDP SPT=61074 DPT=443 LEN=157 +May 20 06:27:08 myHost 
kernel: [5665898.619970] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=42012 PROTO=UDP SPT=54438 DPT=443 LEN=1358 +May 20 06:27:08 myHost kernel: [5665898.620495] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=412 TOS=0x00 PREC=0x00 TTL=63 ID=25900 PROTO=UDP SPT=54438 DPT=443 LEN=392 +May 20 06:27:13 myHost kernel: [5665903.167952] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4654 PROTO=TCP SPT=60426 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:27:15 myHost kernel: [5665905.929948] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=54364 DF PROTO=UDP SPT=45541 DPT=123 LEN=56 +May 20 06:27:16 myHost kernel: [5665906.191334] Shorewall:net_dnat:DNAT:IN=eth3 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=100 ID=14934 PROTO=TCP SPT=46284 DPT=80 WINDOW=62920 RES=0x00 SYN URGP=0 MARK=0x2 +May 20 06:27:19 myHost kernel: [5665909.755990] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=38606 DF PROTO=TCP SPT=38240 DPT=443 WINDOW=431 RES=0x00 ACK RST URGP=0 +May 20 06:27:19 myHost kernel: [5665909.911069] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8868 PROTO=TCP SPT=39232 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:27:21 myHost kernel: [5665911.686689] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=47360 PROTO=UDP SPT=59192 DPT=443 
LEN=1358 +May 20 06:27:21 myHost kernel: [5665911.687076] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=446 TOS=0x00 PREC=0x00 TTL=63 ID=30044 PROTO=UDP SPT=59192 DPT=443 LEN=426 +May 20 06:27:21 myHost kernel: [5665911.806450] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=26478 PROTO=UDP SPT=123 DPT=123 LEN=56 +May 20 06:27:21 myHost kernel: [5665911.840839] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=60981 PROTO=UDP SPT=123 DPT=123 LEN=56 +May 20 06:27:21 myHost kernel: [5665911.881137] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=44073 PROTO=UDP SPT=123 DPT=123 LEN=56 +May 20 06:27:25 myHost kernel: [5665916.048593] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19860 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:27:27 myHost kernel: [5665917.377574] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8150 PROTO=TCP SPT=50375 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:27:27 myHost kernel: [5665917.611542] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62481 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:27:28 myHost kernel: [5665918.663884] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6888 DF PROTO=TCP SPT=60527 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 
06:27:36 myHost kernel: [5665926.954899] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13608 PROTO=TCP SPT=35543 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:27:41 myHost kernel: [5665931.409341] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7064 DF PROTO=TCP SPT=60528 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:27:43 myHost kernel: [5665933.108273] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9781 PROTO=TCP SPT=60775 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:27:43 myHost kernel: [5665933.843105] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=15608 DF PROTO=UDP SPT=49618 DPT=443 LEN=1358 +May 20 06:27:43 myHost kernel: [5665933.843134] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=386 TOS=0x00 PREC=0x00 TTL=127 ID=15609 DF PROTO=UDP SPT=49618 DPT=443 LEN=366 +May 20 06:27:50 myHost kernel: [5665940.288037] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=41776 PROTO=UDP SPT=63129 DPT=443 LEN=1358 +May 20 06:27:50 myHost kernel: [5665940.391265] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=33504 PROTO=UDP SPT=58864 DPT=443 LEN=1358 +May 20 06:27:50 myHost kernel: [5665940.421000] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=24133 PROTO=UDP SPT=58864 DPT=443 LEN=1358 
+May 20 06:27:50 myHost kernel: [5665940.444005] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4667 PROTO=TCP SPT=60427 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:27:53 myHost kernel: [5665943.272863] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=17727 DF PROTO=TCP SPT=1991 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 +May 20 06:27:53 myHost kernel: [5665943.643038] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=27195 DF PROTO=TCP SPT=711 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 +May 20 06:27:53 myHost kernel: [5665943.787828] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=19622 DF PROTO=TCP SPT=1372 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 +May 20 06:27:54 myHost kernel: [5665944.317910] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=12474 DF PROTO=TCP SPT=60525 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 +May 20 06:27:54 myHost kernel: [5665944.345621] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3098 DF PROTO=TCP SPT=60529 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:27:55 myHost kernel: [5665945.223595] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37429 DF PROTO=TCP SPT=45640 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:27:56 myHost kernel: [5665946.204223] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= 
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19862 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:27:56 myHost kernel: [5665946.518251] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=23222 DF PROTO=TCP SPT=2017 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 +May 20 06:27:57 myHost kernel: [5665947.744034] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=25280 DF PROTO=TCP SPT=803 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 +May 20 06:27:57 myHost kernel: [5665948.054796] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=1220 DF PROTO=TCP SPT=2264 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 +May 20 06:27:58 myHost kernel: [5665949.033645] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=8559 DF PROTO=TCP SPT=2111 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 +May 20 06:27:59 myHost kernel: [5665949.184901] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8880 PROTO=TCP SPT=39233 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:28:02 myHost kernel: [5665952.767539] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=22426 DF PROTO=TCP SPT=60530 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:28:06 myHost kernel: [5665956.741703] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=40105 PROTO=TCP 
SPT=43212 DPT=1081 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:28:07 myHost kernel: [5665958.021665] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8161 PROTO=TCP SPT=51764 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:28:08 myHost kernel: [5665958.821724] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=55182 DF PROTO=UDP SPT=60697 DPT=123 LEN=56 +May 20 06:28:08 myHost kernel: [5665958.832244] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=11972 PROTO=UDP SPT=58074 DPT=443 LEN=1358 +May 20 06:28:08 myHost kernel: [5665958.833527] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=409 TOS=0x00 PREC=0x00 TTL=63 ID=44039 PROTO=UDP SPT=58074 DPT=443 LEN=389 +May 20 06:28:09 myHost kernel: [5665959.912607] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=8726 DF PROTO=TCP SPT=37157 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:28:11 myHost kernel: [5665961.822969] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=131 TOS=0x00 PREC=0x00 TTL=118 ID=20754 PROTO=UDP SPT=55056 DPT=26085 LEN=111 MARK=0x3 +May 20 06:28:14 myHost kernel: [5665964.096590] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13618 PROTO=TCP SPT=35544 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:28:14 myHost kernel: [5665964.588937] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 
PREC=0x00 TTL=127 ID=5568 DF PROTO=TCP SPT=60531 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:28:16 myHost kernel: [5665966.475560] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40745 DF PROTO=TCP SPT=57381 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:28:19 myHost kernel: [5665969.204330] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9791 PROTO=TCP SPT=60776 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:28:26 myHost kernel: [5665976.359216] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19864 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:28:28 myHost kernel: [5665978.719782] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4680 PROTO=TCP SPT=60428 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:28:30 myHost kernel: [5665980.282111] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=16798 DF PROTO=UDP SPT=58596 DPT=443 LEN=1358 +May 20 06:28:30 myHost kernel: [5665980.297709] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=16799 DF PROTO=UDP SPT=58596 DPT=443 LEN=1358 +May 20 06:28:30 myHost kernel: [5665980.472382] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=16805 DF PROTO=UDP SPT=58597 DPT=443 LEN=1358 +May 20 06:28:30 myHost kernel: [5665980.487481] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 
SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=16806 DF PROTO=UDP SPT=58597 DPT=443 LEN=1358 +May 20 06:28:32 myHost kernel: [5665982.131274] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=408 TOS=0x00 PREC=0x00 TTL=246 ID=28624 PROTO=UDP SPT=500 DPT=500 LEN=388 MARK=0x3 +May 20 06:28:34 myHost kernel: [5665984.448439] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8892 PROTO=TCP SPT=39234 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:28:34 myHost kernel: [5665984.768815] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=132 TOS=0x00 PREC=0x00 TTL=119 ID=51569 PROTO=UDP SPT=50978 DPT=26085 LEN=112 MARK=0x3 +May 20 06:28:38 myHost kernel: [5665989.026605] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=35290 PROTO=TCP SPT=47034 DPT=47833 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:28:40 myHost kernel: [5665990.125563] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=408 TOS=0x00 PREC=0x00 TTL=246 ID=24734 PROTO=UDP SPT=500 DPT=500 LEN=388 MARK=0x3 +May 20 06:28:44 myHost kernel: [5665994.319700] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8172 PROTO=TCP SPT=51765 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:28:48 myHost kernel: [5665998.125453] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=408 TOS=0x00 PREC=0x00 TTL=246 ID=5789 PROTO=UDP SPT=500 DPT=500 LEN=388 MARK=0x3 +May 20 06:28:49 myHost kernel: [5665999.245161] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 
SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13628 PROTO=TCP SPT=35545 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:28:49 myHost kernel: [5665999.605456] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62482 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:28:51 myHost kernel: [5666001.814177] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62467 DPT=443 WINDOW=2047 RES=0x00 ACK RST URGP=0 +May 20 06:28:51 myHost kernel: [5666001.822228] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62483 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:28:52 myHost kernel: [5666002.873806] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=27728 PROTO=TCP SPT=29767 DPT=23 WINDOW=25685 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:28:53 myHost kernel: [5666004.042304] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=171 DF PROTO=UDP SPT=37876 DPT=123 LEN=56 +May 20 06:28:56 myHost kernel: [5666006.125378] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=408 TOS=0x00 PREC=0x00 TTL=246 ID=187 PROTO=UDP SPT=500 DPT=500 LEN=388 MARK=0x3 +May 20 06:28:56 myHost kernel: [5666006.523417] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19866 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:28:58 myHost kernel: [5666008.363330] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= 
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9801 PROTO=TCP SPT=60777 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:28:59 myHost kernel: [5666009.710130] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=81.22.45.242 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=18392 PROTO=TCP SPT=48367 DPT=19191 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:01 myHost kernel: [5666011.685919] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=92.119.160.40 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=3709 PROTO=TCP SPT=53999 DPT=14002 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:05 myHost kernel: [5666015.104436] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4693 PROTO=TCP SPT=60429 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:29:07 myHost kernel: [5666017.815304] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=3007 DF PROTO=UDP SPT=58603 DPT=443 LEN=1358 +May 20 06:29:07 myHost kernel: [5666017.815340] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=533 TOS=0x00 PREC=0x00 TTL=127 ID=3008 DF PROTO=UDP SPT=58603 DPT=443 LEN=513 +May 20 06:29:08 myHost kernel: [5666018.766308] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=53802 PROTO=UDP SPT=58665 DPT=443 LEN=1358 +May 20 06:29:08 myHost kernel: [5666018.766498] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=411 TOS=0x00 PREC=0x00 TTL=63 ID=43390 PROTO=UDP SPT=58665 DPT=443 LEN=391 +May 20 06:29:08 myHost kernel: [5666018.880332] 
Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=25115 DF PROTO=TCP SPT=60532 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:29:09 myHost kernel: [5666019.081571] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2910 DF PROTO=TCP SPT=60533 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:29:09 myHost kernel: [5666019.125443] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24786 DF PROTO=TCP SPT=60534 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:29:09 myHost kernel: [5666019.246934] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24792 DF PROTO=TCP SPT=60535 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:29:09 myHost kernel: [5666019.246971] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24793 DF PROTO=TCP SPT=60536 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:29:09 myHost kernel: [5666019.247018] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24794 DF PROTO=TCP SPT=60537 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:29:09 myHost kernel: [5666019.252537] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=24796 DF PROTO=TCP SPT=60538 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:29:09 myHost kernel: [5666019.281282] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 
LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=32180 DF PROTO=TCP SPT=60539 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 +May 20 06:29:13 myHost kernel: [5666023.714730] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8904 PROTO=TCP SPT=39235 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:29:18 myHost kernel: [5666028.908405] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=35326 PROTO=TCP SPT=8080 DPT=200 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:19 myHost kernel: [5666029.546288] Shorewall:net_dnat:DNAT:IN=eth3 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=107 ID=32057 DF PROTO=TCP SPT=2400 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x2 +May 20 06:29:19 myHost kernel: [5666029.658824] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8182 PROTO=TCP SPT=51766 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:29:24 myHost kernel: [5666034.324746] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13638 PROTO=TCP SPT=35546 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:29:26 myHost kernel: [5666036.640711] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62484 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:29:26 myHost kernel: [5666036.678298] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19868 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:29:26 myHost kernel: [5666036.861859] 
Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62485 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:29:29 myHost kernel: [5666039.521037] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9811 PROTO=TCP SPT=60778 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:29:34 myHost kernel: [5666044.864142] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22716 DF PROTO=TCP SPT=48498 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 +May 20 06:29:36 myHost kernel: [5666046.469015] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4706 PROTO=TCP SPT=60430 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:29:39 myHost kernel: [5666049.297110] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=40292 PROTO=TCP SPT=8080 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:42 myHost kernel: [5666052.560708] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=3253 DF PROTO=TCP SPT=56676 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:42 myHost kernel: [5666052.629096] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=3261 DF PROTO=TCP SPT=56677 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:42 myHost kernel: [5666052.655066] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 
ID=3265 DF PROTO=TCP SPT=56678 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:42 myHost kernel: [5666052.680180] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=3270 DF PROTO=TCP SPT=56679 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:42 myHost kernel: [5666052.986365] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8916 PROTO=TCP SPT=39236 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:29:43 myHost kernel: [5666053.655642] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=1291 DF PROTO=TCP SPT=55869 DPT=443 WINDOW=398 RES=0x00 ACK PSH URGP=0 +May 20 06:29:43 myHost kernel: [5666053.850317] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=1292 DF PROTO=TCP SPT=55869 DPT=443 WINDOW=398 RES=0x00 ACK PSH URGP=0 +May 20 06:29:43 myHost kernel: [5666054.075775] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=1293 DF PROTO=TCP SPT=55869 DPT=443 WINDOW=398 RES=0x00 ACK PSH URGP=0 +May 20 06:29:44 myHost kernel: [5666054.496438] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=1294 DF PROTO=TCP SPT=55869 DPT=443 WINDOW=398 RES=0x00 ACK PSH URGP=0 +May 20 06:29:44 myHost kernel: [5666054.814710] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=15620 DF PROTO=UDP SPT=60042 DPT=443 LEN=1358 +May 20 06:29:44 myHost kernel: [5666054.815126] 
Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=386 TOS=0x00 PREC=0x00 TTL=127 ID=15621 DF PROTO=UDP SPT=60042 DPT=443 LEN=366 +May 20 06:29:45 myHost kernel: [5666055.334196] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=1295 DF PROTO=TCP SPT=55869 DPT=443 WINDOW=398 RES=0x00 ACK PSH URGP=0 +May 20 06:29:46 myHost kernel: [5666056.933812] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=27355 DF PROTO=UDP SPT=50126 DPT=123 LEN=56 +May 20 06:29:46 myHost kernel: [5666057.017490] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=75 TOS=0x00 PREC=0x00 TTL=63 ID=1296 DF PROTO=TCP SPT=55869 DPT=443 WINDOW=398 RES=0x00 ACK PSH URGP=0 +May 20 06:29:51 myHost kernel: [5666061.856579] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8192 PROTO=TCP SPT=51767 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:29:53 myHost kernel: [5666063.836217] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=20756 DF PROTO=TCP SPT=54115 DPT=26085 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:53 myHost kernel: [5666063.840364] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=20755 PROTO=UDP SPT=55056 DPT=26085 LEN=28 MARK=0x3 +May 20 06:29:56 myHost kernel: [5666066.407621] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13648 PROTO=TCP SPT=35547 DPT=8080 WINDOW=5840 RES=0x00 
SYN URGP=0 +May 20 06:29:56 myHost kernel: [5666066.835583] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19870 PROTO=UDP SPT=62976 DPT=62976 LEN=325 +May 20 06:29:56 myHost kernel: [5666066.838645] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=20757 DF PROTO=TCP SPT=54115 DPT=26085 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:29:57 myHost kernel: [5666067.116760] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=20758 PROTO=UDP SPT=55056 DPT=26085 LEN=28 MARK=0x3 +May 20 06:30:02 myHost kernel: [5666072.676962] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9821 PROTO=TCP SPT=60779 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 +May 20 06:30:02 myHost kernel: [5666072.835857] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=118 ID=20759 DF PROTO=TCP SPT=54115 DPT=26085 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x3 +May 20 06:30:03 myHost kernel: [5666073.174044] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=20760 PROTO=UDP SPT=55056 DPT=26085 LEN=28 MARK=0x3 +May 20 06:30:07 myHost kernel: [5666077.823948] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=32593 DF PROTO=UDP SPT=58876 DPT=443 LEN=1358 +May 20 06:30:09 myHost kernel: [5666079.712144] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=8453 PROTO=UDP 
SPT=63790 DPT=443 LEN=1358 +May 20 06:30:09 myHost kernel: [5666079.712648] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=408 TOS=0x00 PREC=0x00 TTL=63 ID=49685 PROTO=UDP SPT=63790 DPT=443 LEN=388 +May 20 06:30:09 myHost kernel: [5666079.712677] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=183 TOS=0x00 PREC=0x00 TTL=63 ID=48705 PROTO=UDP SPT=63790 DPT=443 LEN=163 +May 20 06:30:11 myHost kernel: [5666081.798880] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4719 PROTO=TCP SPT=60431 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 +May 20 06:30:12 myHost kernel: [5666082.413104] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=35821 DF PROTO=TCP SPT=51742 DPT=443 WINDOW=1052 RES=0x00 ACK FIN URGP=0 \ No newline at end of file From 63dbeda30e2c8666509ccda661fa0ff0f6373700 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Mon, 20 May 2019 18:41:53 +0200 Subject: [PATCH 28/34] Improve patterns covering the new file --- x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json index e2d23e620af6..3d03d3b5992b 100644 --- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json +++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json 
@@ -5,7 +5,7 @@
 "grok": {
 "field": "message",
 "patterns": [
- "(%{SYSLOGTIMESTAMP:timestamp}) (%{WORD:host.hostname}) kernel:.*Shorewall:(%{WORD:shorewall.action.one})?:(%{WORD:shorewall.action.two})?.*IN=(%{USERNAME:shorewall.network.in})?.*(OUT= *MAC=(%{COMMONMAC:destination.mac}):(%{COMMONMAC:source.mac})?|OUT=%{USERNAME:shorewall.network.out}).*SRC=(%{IPV4:source.ip}).*DST=(%{IPV4:destination.ip}).*LEN=(%{INT:network.packets:int}).?*TOS=(%{WORD:service.type}).?*PREC=(%{WORD:shorewall.precedence}).?*TTL=(%{INT:shorewall.ttl:int}).?*ID=(%{INT:event.id:int}).?*PROTO=(%{WORD:network.protocol}).?*SPT=(%{INT:source.port:int}?.*DPT=%{INT:destination.port:int}?.*)"
+ "(%{SYSLOGTIMESTAMP:timestamp}).*(%{WORD:host.hostname}).*kernel:.*\\[(%{INT:shorewall.time1:int}).(%{INT:shorewall.time2:int})\\].*Shorewall:(%{USERNAME:network.name}):(%{WORD:shorewall.action.one}):(%{WORD:shorewall.action.two})=(%{USERNAME:shorewall.network.in}).*OUT=.*MAC=(%{MAC:destination.mac})?:(%{MAC:source.mac})?:(%{NOTSPACE:shorewall.frame_type})?.*SRC=(%{IPV4:source.ip})?.*DST=(%{IPV4:destination.ip})?.*LEN=(%{INT:network.packets:int})?.*TOS=(%{WORD:service.type})?.*PREC=(%{WORD:shorewall.precedence})?.*TTL=(%{INT:shorewall.ttl:int})?.*ID=(%{INT:event.id:int})?.*PROTO=(%{WORD:network.protocol})?.*SPT=(%{INT:source.port:int})?.*DPT=(%{INT:destination.port:int})?.*(WINDOW=(%{NUMBER:shorewall.window:int}))?.*(RES=(%{WORD:shorewall.res})?)?.*(SYN)?.*(URGP=(%{INT:shorewall.urgp:int})?)?"
 ],
 "ignore_missing": false
 }
From cea3267d3afa9946ee22eaed507e3fa1504880de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Mon, 20 May 2019 18:42:18 +0200 Subject: [PATCH 29/34] List new fields into the docs --- x-pack/filebeat/module/shorewall/_meta/fields.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml
index c47cf49b9dd1..1164dcba2cc1 100644 
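Review bot: The rewritten pattern records the literal `IN` as `shorewall.action.two` and never fills the `shorewall.window`, `shorewall.res` and `shorewall.urgp` fields it names; the expected-output hunk below shows `"shorewall.action.two": "IN"` and no window/res/urgp key on every event, although each TCP message carries `WINDOW=… RES=… SYN URGP=…`. The cause is that `(%{WORD:shorewall.action.two})=` consumes the `IN=` key itself (there is no third colon-separated token in these messages), and every `(…)?` group after `DPT=` sits behind a greedy `.*`, so the engine always satisfies it with the empty match. Change the prefix to `Shorewall:(%{USERNAME:network.name}):(%{WORD:shorewall.action.one}):IN=(%{USERNAME:shorewall.network.in})` and the tail to `DPT=%{INT:destination.port:int}(?: WINDOW=%{INT:shorewall.window:int} RES=%{WORD:shorewall.res} %{DATA:shorewall.flags} URGP=%{INT:shorewall.urgp:int})?`, which also keeps the TCP flag string (a dropped SYN and a dropped ACK are different events for detection; `shorewall.flags` is a proposed name that fields.yml would need). Casting the fractional part of the bracketed kernel timestamp to `shorewall.time2:int` drops leading zeros (`[5665813.094960]` becomes `94960` in the expected output), so keep it as a keyword or capture the whole bracketed number once as a float. Two regressions against the previous pattern: `OUT=.*` discards the egress interface that `shorewall.network.out` used to capture (`OUT=(%{USERNAME:shorewall.network.out})?` restores it), and `LEN=` is a byte length, so `network.packets` is the wrong ECS field and `network.bytes` fits.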
--- a/x-pack/filebeat/module/shorewall/_meta/fields.yml
+++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml
@@ -30,7 +30,19 @@
 type: keyword
 description: >
 Action two
+ - name: frame_type
+ type: keyword
 - name: precedence
 type: keyword
+ - name: res
+ type: keyword
+ - name: time1
+ type: integer
+ - name: time2
+ type: integer
 - name: ttl
+ type: integer
+ - name: urgp
+ type: integer
+ - name: window
 type: integer
\ No newline at end of file
From b13e4a689d5cdef96c3c679bde73faba6153ed1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?= Date: Mon, 20 May 2019 18:43:30 +0200 Subject: [PATCH 30/34] Update expected log for tests --- .../log/test/default.log-expected.json | 2993 ++++++++++++++++- 1 file changed, 2984 insertions(+), 9 deletions(-)
diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json
index eb390d802bd8..d9d65c7d4883 100644
--- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json
+++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json 
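Review bot: None of the added entries carries a `description:`, although the `action.two` entry directly above them shows the file's convention, and `time1`, `time2` and `frame_type` are not self-explanatory without one. Suggested texts, taken from what the pipeline extracts: for `time1`/`time2`, the integer and fractional parts of the bracketed kernel timestamp; for `frame_type`, the trailing bytes of the `MAC=` field (`08:00` in the sample events, presumably the EtherType); for `res`, `urgp` and `window`, the `RES=`, `URGP=` and `WINDOW=` values of TCP events. Note that in the pipeline hunk above those last three fields are never populated because of how the pattern's trailing optional groups are written, so their mapping here is dead until that is fixed. The file also still ends without a trailing newline.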
@@ -1,27 +1,3002 @@ [ { - "@timestamp": "2019-05-28T17:23:25.000Z", + "@timestamp": "2019-05-20T06:25:04.000Z", "destination.ip": "1.2.3.4", - "destination.port": 5353, + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, "ecs.version": "1.0.0", "event.dataset": "shorewall.log", - "event.id": 55251, + "event.id": 8108, "event.module": "shorewall", "fileset.name": "log", "host.hostname": "myHost", "input.type": "log", "log.offset": 0, - "message": "May 28 17:23:25 myHost kernel: [3124658.791874] Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=1.2.3.4 DST=1.2.3.4 LEN=141 TOS=0x00 PREC=0x00 TTL=63 ID=55251 PROTO=UDP SPT=5353 DPT=5353 LEN=121", - "network.packets": 141, + "message": "May 20 06:25:04 myHost kernel: [5665774.433812] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8108 PROTO=TCP SPT=50371 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665774, + "shorewall.time2": 433812, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:62:a7:46", + "source.port": 50371 + }, + { + "@timestamp": "2019-05-20T06:25:07.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 56740, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 258, + "message": "May 20 06:25:07 myHost kernel: [5665777.620517] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=56740 
PROTO=UDP SPT=58761 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665777, + "shorewall.time2": 620517, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 58761 + }, + { + "@timestamp": "2019-05-20T06:25:07.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 1452, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 502, + "message": "May 20 06:25:07 myHost kernel: [5665777.621095] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=411 TOS=0x00 PREC=0x00 TTL=63 ID=1452 PROTO=UDP SPT=58761 DPT=443 LEN=391 ", + "network.name": "wif-net", + "network.packets": 411, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665777, + "shorewall.time2": 621095, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 58761 + }, + { + "@timestamp": "2019-05-20T06:25:10.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 13568, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 743, + "message": "May 20 06:25:10 myHost kernel: [5665780.629574] 
Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13568 PROTO=TCP SPT=55651 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665780, + "shorewall.time2": 629574, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:3e:72", + "source.port": 55651 + }, + { + "@timestamp": "2019-05-20T06:25:14.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 3097, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 1002, + "message": "May 20 06:25:14 myHost kernel: [5665784.796963] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3097 DF PROTO=TCP SPT=60391 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 ", + "network.name": "wif-net", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665784, + "shorewall.time2": 796963, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 60391 + }, + { + "@timestamp": "2019-05-20T06:25:14.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 12465, + 
"event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 1271, + "message": "May 20 06:25:14 myHost kernel: [5665784.807881] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=12465 DF PROTO=TCP SPT=60525 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665784, + "shorewall.time2": 807881, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 60525 + }, + { + "@timestamp": "2019-05-20T06:25:15.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 9741, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 1541, + "message": "May 20 06:25:15 myHost kernel: [5665785.711972] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9741 PROTO=TCP SPT=46896 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665785, + "shorewall.time2": 711972, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:30:1a", + "source.port": 46896 + }, + { + "@timestamp": 
"2019-05-20T06:25:22.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 60561, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 29417, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 1799, + "message": "May 20 06:25:22 myHost kernel: [5665792.533866] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=29417 PROTO=TCP SPT=41131 DPT=60561 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665792, + "shorewall.time2": 533866, + "shorewall.ttl": 251, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 41131 + }, + { + "@timestamp": "2019-05-20T06:25:25.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 4615, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 2067, + "message": "May 20 06:25:25 myHost kernel: [5665795.346806] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4615 PROTO=TCP SPT=60423 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + 
"shorewall.time1": 5665795, + "shorewall.time2": 346806, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:c9:bc:f0", + "source.port": 60423 + }, + { + "@timestamp": "2019-05-20T06:25:25.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "ff:ff:ff:ff:ff:ff", + "destination.port": 62976, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 19852, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 2326, + "message": "May 20 06:25:25 myHost kernel: [5665795.391942] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19852 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ", + "network.name": "lan-fw", + "network.packets": 345, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665795, + "shorewall.time2": 391942, + "shorewall.ttl": 30, + "source.ip": "1.2.3.44", + "source.mac": "ec:22:80:c0:b6:40", + "source.port": 62976 + }, + { + "@timestamp": "2019-05-20T06:25:27.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 0, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 2564, + "message": "May 20 06:25:27 myHost kernel: [5665797.609158] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62477 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 64, + "network.protocol": "TCP", + "service.type": "0x00", + 
"shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665797, + "shorewall.time2": 609158, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 62477 + }, + { + "@timestamp": "2019-05-20T06:25:27.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 0, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 2829, + "message": "May 20 06:25:27 myHost kernel: [5665797.609464] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62478 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 64, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665797, + "shorewall.time2": 609464, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 62478 + }, + { + "@timestamp": "2019-05-20T06:25:27.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 0, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 3094, + "message": "May 20 06:25:27 myHost kernel: [5665797.801696] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 
ID=0 DF PROTO=TCP SPT=62479 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 64, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665797, + "shorewall.time2": 801696, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 62479 + }, + { + "@timestamp": "2019-05-20T06:25:28.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 61929, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 54649, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 3359, + "message": "May 20 06:25:28 myHost kernel: [5665798.736156] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=54649 PROTO=TCP SPT=41131 DPT=61929 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665798, + "shorewall.time2": 736156, + "shorewall.ttl": 251, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 41131 + }, + { + "@timestamp": "2019-05-20T06:25:29.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 8291, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 60378, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 3627, + "message": 
"May 20 06:25:29 myHost kernel: [5665799.665870] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=60378 DF PROTO=TCP SPT=61113 DPT=8291 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665799, + "shorewall.time2": 665870, + "shorewall.ttl": 252, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 61113 + }, + { + "@timestamp": "2019-05-20T06:25:32.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 18377, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 24468, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 3898, + "message": "May 20 06:25:32 myHost kernel: [5665802.156520] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=101 TOS=0x00 PREC=0x00 TTL=116 ID=24468 PROTO=UDP SPT=7718 DPT=18377 LEN=81 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 101, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665802, + "shorewall.time2": 156520, + "shorewall.ttl": 116, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 7718 + }, + { + "@timestamp": "2019-05-20T06:25:34.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": 
"shorewall.log", + "event.id": 8832, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 4141, + "message": "May 20 06:25:34 myHost kernel: [5665804.111364] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8832 PROTO=TCP SPT=39229 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665804, + "shorewall.time2": 111364, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:50:b6:3d", + "source.port": 39229 + }, + { + "@timestamp": "2019-05-20T06:25:38.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 33396, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 61638, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 4400, + "message": "May 20 06:25:38 myHost kernel: [5665808.647159] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=61638 PROTO=TCP SPT=8080 DPT=33396 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665808, + "shorewall.time2": 647159, + "shorewall.ttl": 248, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 8080 + }, + { + 
"@timestamp": "2019-05-20T06:25:40.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 28391, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 4667, + "message": "May 20 06:25:40 myHost kernel: [5665810.425471] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28391 DF PROTO=TCP SPT=56642 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665810, + "shorewall.time2": 425471, + "shorewall.ttl": 121, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 56642 + }, + { + "@timestamp": "2019-05-20T06:25:40.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 28398, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 4938, + "message": "May 20 06:25:40 myHost kernel: [5665810.466469] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28398 DF PROTO=TCP SPT=56643 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + 
"shorewall.precedence": "0x00", + "shorewall.time1": 5665810, + "shorewall.time2": 466469, + "shorewall.ttl": 121, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 56643 + }, + { + "@timestamp": "2019-05-20T06:25:40.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 28402, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 5208, + "message": "May 20 06:25:40 myHost kernel: [5665810.492512] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28402 DF PROTO=TCP SPT=56644 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665810, + "shorewall.time2": 492512, + "shorewall.ttl": 121, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 56644 + }, + { + "@timestamp": "2019-05-20T06:25:40.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 28409, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 5479, + "message": "May 20 06:25:40 myHost kernel: [5665810.517875] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28409 DF PROTO=TCP SPT=56645 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + 
"network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665810, + "shorewall.time2": 517875, + "shorewall.ttl": 121, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 56645 + }, + { + "@timestamp": "2019-05-20T06:25:41.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8119, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 5749, + "message": "May 20 06:25:41 myHost kernel: [5665811.550988] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8119 PROTO=TCP SPT=50372 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665811, + "shorewall.time2": 550988, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:62:a7:46", + "source.port": 50372 + }, + { + "@timestamp": "2019-05-20T06:25:42.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 15595, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 6007, + "message": "May 20 06:25:42 myHost kernel: [5665812.814869] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 
MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=15595 DF PROTO=UDP SPT=58973 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665812, + "shorewall.time2": 814869, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 58973 + }, + { + "@timestamp": "2019-05-20T06:25:42.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 15596, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 6255, + "message": "May 20 06:25:42 myHost kernel: [5665812.814907] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=386 TOS=0x00 PREC=0x00 TTL=127 ID=15596 DF PROTO=UDP SPT=58973 DPT=443 LEN=366 ", + "network.name": "wif-net", + "network.packets": 386, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665812, + "shorewall.time2": 814907, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 58973 + }, + { + "@timestamp": "2019-05-20T06:25:43.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 58772, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 2832, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": 
"myHost", + "input.type": "log", + "log.offset": 6501, + "message": "May 20 06:25:43 myHost kernel: [5665813.094960] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=2832 PROTO=TCP SPT=41131 DPT=58772 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665813, + "shorewall.time2": 94960, + "shorewall.ttl": 251, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 41131 + }, + { + "@timestamp": "2019-05-20T06:25:48.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 13578, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 6768, + "message": "May 20 06:25:48 myHost kernel: [5665818.708387] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13578 PROTO=TCP SPT=35540 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665818, + "shorewall.time2": 708387, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:3e:72", + "source.port": 35540 + }, + { + "@timestamp": "2019-05-20T06:25:53.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + 
"destination.port": 123, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 170, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 7027, + "message": "May 20 06:25:53 myHost kernel: [5665823.838331] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:ac:cc:8e:59:43:c4:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=170 DF PROTO=UDP SPT=37876 DPT=123 LEN=56 ", + "network.name": "wif-net", + "network.packets": 76, + "network.protocol": "UDP", + "service.type": "0x10", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665823, + "shorewall.time2": 838331, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "ac:cc:8e:59:43:c4", + "source.port": 37876 + }, + { + "@timestamp": "2019-05-20T06:25:55.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "ff:ff:ff:ff:ff:ff", + "destination.port": 62976, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 19854, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 7268, + "message": "May 20 06:25:55 myHost kernel: [5665825.551009] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19854 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ", + "network.name": "lan-fw", + "network.packets": 345, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665825, + "shorewall.time2": 551009, + "shorewall.ttl": 30, + "source.ip": "1.2.3.44", + "source.mac": "ec:22:80:c0:b6:40", + 
"source.port": 62976 + }, + { + "@timestamp": "2019-05-20T06:25:55.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 9751, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 7506, + "message": "May 20 06:25:55 myHost kernel: [5665825.808201] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9751 PROTO=TCP SPT=46897 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665825, + "shorewall.time2": 808201, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:30:1a", + "source.port": 46897 + }, + { + "@timestamp": "2019-05-20T06:25:59.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 63893, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 7764, + "message": "May 20 06:25:59 myHost kernel: [5665829.270149] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f8:32:e4:e3:ae:c5:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=83 TOS=0x00 PREC=0x00 TTL=63 ID=63893 DF PROTO=TCP SPT=48338 DPT=443 WINDOW=1453 RES=0x00 ACK PSH URGP=0 ", + "network.name": "wif-net", + "network.packets": 83, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": 
"vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665829, + "shorewall.time2": 270149, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f8:32:e4:e3:ae:c5", + "source.port": 48338 + }, + { + "@timestamp": "2019-05-20T06:25:59.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 63894, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 8036, + "message": "May 20 06:25:59 myHost kernel: [5665829.275316] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f8:32:e4:e3:ae:c5:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=63894 DF PROTO=TCP SPT=48338 DPT=443 WINDOW=1453 RES=0x00 ACK FIN URGP=0 ", + "network.name": "wif-net", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665829, + "shorewall.time2": 275316, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f8:32:e4:e3:ae:c5", + "source.port": 48338 + }, + { + "@timestamp": "2019-05-20T06:25:59.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 48586, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 8308, + "message": "May 20 06:25:59 myHost kernel: [5665829.282743] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f8:32:e4:e3:ae:c5:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48586 DF PROTO=TCP SPT=59914 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + 
"network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665829, + "shorewall.time2": 282743, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f8:32:e4:e3:ae:c5", + "source.port": 59914 + }, + { + "@timestamp": "2019-05-20T06:26:03.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 4628, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 8577, + "message": "May 20 06:26:03 myHost kernel: [5665833.634545] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4628 PROTO=TCP SPT=60424 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665833, + "shorewall.time2": 634545, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:c9:bc:f0", + "source.port": 60424 + }, + { + "@timestamp": "2019-05-20T06:26:06.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 4000, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 43325, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 8836, + "message": "May 20 06:26:06 myHost kernel: [5665836.622479] Shorewall:net-fw:DROP:IN=eth5 OUT= 
MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=43325 PROTO=TCP SPT=8080 DPT=4000 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665836, + "shorewall.time2": 622479, + "shorewall.ttl": 248, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 8080 + }, + { + "@timestamp": "2019-05-20T06:26:07.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 36238, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 9102, + "message": "May 20 06:26:07 myHost kernel: [5665837.859827] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=36238 PROTO=UDP SPT=61330 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665837, + "shorewall.time2": 859827, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 61330 + }, + { + "@timestamp": "2019-05-20T06:26:07.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 22277, + "event.module": "shorewall", + "fileset.name": "log", + 
"host.hostname": "myHost", + "input.type": "log", + "log.offset": 9346, + "message": "May 20 06:26:07 myHost kernel: [5665837.860199] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=442 TOS=0x00 PREC=0x00 TTL=63 ID=22277 PROTO=UDP SPT=61330 DPT=443 LEN=422 ", + "network.name": "wif-net", + "network.packets": 442, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665837, + "shorewall.time2": 860199, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 61330 + }, + { + "@timestamp": "2019-05-20T06:26:07.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8101, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 9588, + "message": "May 20 06:26:07 myHost kernel: [5665837.860223] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=150 TOS=0x00 PREC=0x00 TTL=63 ID=8101 PROTO=UDP SPT=61330 DPT=443 LEN=130 ", + "network.name": "wif-net", + "network.packets": 150, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665837, + "shorewall.time2": 860223, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 61330 + }, + { + "@timestamp": "2019-05-20T06:26:09.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 
443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 7051, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 9829, + "message": "May 20 06:26:09 myHost kernel: [5665839.818545] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7051 DF PROTO=TCP SPT=60526 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665839, + "shorewall.time2": 818545, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 60526 + }, + { + "@timestamp": "2019-05-20T06:26:12.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8844, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 10098, + "message": "May 20 06:26:12 myHost kernel: [5665842.372077] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8844 PROTO=TCP SPT=39230 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665842, + "shorewall.time2": 372077, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": 
"80:2a:a8:50:b6:3d", + "source.port": 39230 + }, + { + "@timestamp": "2019-05-20T06:26:13.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 32586, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 10357, + "message": "May 20 06:26:13 myHost kernel: [5665843.902992] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=32586 DF PROTO=UDP SPT=64806 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665843, + "shorewall.time2": 902992, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 64806 + }, + { + "@timestamp": "2019-05-20T06:26:17.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8129, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 10605, + "message": "May 20 06:26:17 myHost kernel: [5665847.730485] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8129 PROTO=TCP SPT=50373 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + 
"shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665847, + "shorewall.time2": 730485, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:62:a7:46", + "source.port": 50373 + }, + { + "@timestamp": "2019-05-20T06:26:22.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 13588, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 10863, + "message": "May 20 06:26:22 myHost kernel: [5665852.790852] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13588 PROTO=TCP SPT=35541 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665852, + "shorewall.time2": 790852, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:3e:72", + "source.port": 35541 + }, + { + "@timestamp": "2019-05-20T06:26:25.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "ff:ff:ff:ff:ff:ff", + "destination.port": 62976, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 19856, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 11122, + "message": "May 20 06:26:25 myHost kernel: [5665855.713411] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19856 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ", + "network.name": "lan-fw", + "network.packets": 
345, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665855, + "shorewall.time2": 713411, + "shorewall.ttl": 30, + "source.ip": "1.2.3.44", + "source.mac": "ec:22:80:c0:b6:40", + "source.port": 62976 + }, + { + "@timestamp": "2019-05-20T06:26:30.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 49495, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 31944, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 11360, + "message": "May 20 06:26:30 myHost kernel: [5665860.305453] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=31944 PROTO=TCP SPT=48293 DPT=49495 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665860, + "shorewall.time2": 305453, + "shorewall.ttl": 246, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 48293 + }, + { + "@timestamp": "2019-05-20T06:26:30.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 9761, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 11628, + "message": "May 20 06:26:30 myHost kernel: [5665860.904274] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= 
MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9761 PROTO=TCP SPT=60773 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665860, + "shorewall.time2": 904274, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:30:1a", + "source.port": 60773 + }, + { + "@timestamp": "2019-05-20T06:26:38.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 4641, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 11886, + "message": "May 20 06:26:38 myHost kernel: [5665868.905177] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4641 PROTO=TCP SPT=60425 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665868, + "shorewall.time2": 905177, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:c9:bc:f0", + "source.port": 60425 + }, + { + "@timestamp": "2019-05-20T06:26:44.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8856, + "event.module": "shorewall", + "fileset.name": 
"log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 12145, + "message": "May 20 06:26:44 myHost kernel: [5665874.640128] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8856 PROTO=TCP SPT=39231 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665874, + "shorewall.time2": 640128, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:50:b6:3d", + "source.port": 39231 + }, + { + "@timestamp": "2019-05-20T06:26:50.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 1224, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 12404, + "message": "May 20 06:26:50 myHost kernel: [5665880.272050] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:c4:9f:4c:e8:ca:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1224 DF PROTO=TCP SPT=38769 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665880, + "shorewall.time2": 272050, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "c4:9f:4c:e8:ca:1a", + "source.port": 38769 + }, + { + "@timestamp": "2019-05-20T06:26:50.000Z", + "destination.ip": "1.2.3.4", + 
"destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 59830, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 31010, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 12672, + "message": "May 20 06:26:50 myHost kernel: [5665880.916295] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=31010 PROTO=TCP SPT=41131 DPT=59830 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665880, + "shorewall.time2": 916295, + "shorewall.ttl": 251, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 41131 + }, + { + "@timestamp": "2019-05-20T06:26:52.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8140, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 12940, + "message": "May 20 06:26:52 myHost kernel: [5665882.101246] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8140 PROTO=TCP SPT=50374 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665882, + "shorewall.time2": 101246, + 
"shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:62:a7:46", + "source.port": 50374 + }, + { + "@timestamp": "2019-05-20T06:26:55.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "ff:ff:ff:ff:ff:ff", + "destination.port": 62976, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 19858, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 13198, + "message": "May 20 06:26:55 myHost kernel: [5665885.867369] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19858 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ", + "network.name": "lan-fw", + "network.packets": 345, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665885, + "shorewall.time2": 867369, + "shorewall.ttl": 30, + "source.ip": "1.2.3.44", + "source.mac": "ec:22:80:c0:b6:40", + "source.port": 62976 + }, + { + "@timestamp": "2019-05-20T06:26:56.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 13598, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 13436, + "message": "May 20 06:26:56 myHost kernel: [5665886.872870] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13598 PROTO=TCP SPT=35542 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + 
"shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665886, + "shorewall.time2": 872870, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:3e:72", + "source.port": 35542 + }, + { + "@timestamp": "2019-05-20T06:26:58.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 3291, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 34778, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 13695, + "message": "May 20 06:26:58 myHost kernel: [5665888.837986] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=34778 PROTO=TCP SPT=49514 DPT=3291 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665888, + "shorewall.time2": 837986, + "shorewall.ttl": 249, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 49514 + }, + { + "@timestamp": "2019-05-20T06:26:59.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 60038, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 13962, + "message": "May 20 06:26:59 myHost kernel: [5665889.708842] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:94:0e:6b:6f:4d:5b:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60038 DF PROTO=TCP SPT=57121 DPT=80 WINDOW=65535 
RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665889, + "shorewall.time2": 708842, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "94:0e:6b:6f:4d:5b", + "source.port": 57121 + }, + { + "@timestamp": "2019-05-20T06:27:00.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 46462, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 44244, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 14230, + "message": "May 20 06:27:00 myHost kernel: [5665890.633270] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=44244 PROTO=TCP SPT=48293 DPT=46462 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665890, + "shorewall.time2": 633270, + "shorewall.ttl": 246, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 48293 + }, + { + "@timestamp": "2019-05-20T06:27:04.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 9771, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 14498, + "message": "May 20 06:27:04 myHost kernel: [5665895.011208] 
Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9771 PROTO=TCP SPT=60774 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665895, + "shorewall.time2": 11208, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:30:1a", + "source.port": 60774 + }, + { + "@timestamp": "2019-05-20T06:27:05.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 0, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 14756, + "message": "May 20 06:27:05 myHost kernel: [5665895.443186] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62480 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 64, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665895, + "shorewall.time2": 443186, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 62480 + }, + { + "@timestamp": "2019-05-20T06:27:07.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 2997, + 
"event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 15021, + "message": "May 20 06:27:07 myHost kernel: [5665897.853344] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=2997 DF PROTO=UDP SPT=61074 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665897, + "shorewall.time2": 853344, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 61074 + }, + { + "@timestamp": "2019-05-20T06:27:07.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 2998, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 15268, + "message": "May 20 06:27:07 myHost kernel: [5665897.853903] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=533 TOS=0x00 PREC=0x00 TTL=127 ID=2998 DF PROTO=UDP SPT=61074 DPT=443 LEN=513 ", + "network.name": "wif-net", + "network.packets": 533, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665897, + "shorewall.time2": 853903, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 61074 + }, + { + "@timestamp": "2019-05-20T06:27:07.000Z", + "destination.ip": 
"1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 2999, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 15513, + "message": "May 20 06:27:07 myHost kernel: [5665897.853924] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=177 TOS=0x00 PREC=0x00 TTL=127 ID=2999 DF PROTO=UDP SPT=61074 DPT=443 LEN=157 ", + "network.name": "wif-net", + "network.packets": 177, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665897, + "shorewall.time2": 853924, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 61074 + }, + { + "@timestamp": "2019-05-20T06:27:08.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 42012, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 15758, + "message": "May 20 06:27:08 myHost kernel: [5665898.619970] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=42012 PROTO=UDP SPT=54438 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665898, + "shorewall.time2": 619970, + "shorewall.ttl": 63, + 
"source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 54438 + }, + { + "@timestamp": "2019-05-20T06:27:08.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 25900, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 16002, + "message": "May 20 06:27:08 myHost kernel: [5665898.620495] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=412 TOS=0x00 PREC=0x00 TTL=63 ID=25900 PROTO=UDP SPT=54438 DPT=443 LEN=392 ", + "network.name": "wif-net", + "network.packets": 412, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665898, + "shorewall.time2": 620495, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 54438 + }, + { + "@timestamp": "2019-05-20T06:27:13.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 4654, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 16244, + "message": "May 20 06:27:13 myHost kernel: [5665903.167952] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4654 PROTO=TCP SPT=60426 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + 
"shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665903, + "shorewall.time2": 167952, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:c9:bc:f0", + "source.port": 60426 + }, + { + "@timestamp": "2019-05-20T06:27:15.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 123, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 54364, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 16503, + "message": "May 20 06:27:15 myHost kernel: [5665905.929948] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:ac:cc:8e:59:43:c4:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=54364 DF PROTO=UDP SPT=45541 DPT=123 LEN=56 ", + "network.name": "wif-net", + "network.packets": 76, + "network.protocol": "UDP", + "service.type": "0x10", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665905, + "shorewall.time2": 929948, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "ac:cc:8e:59:43:c4", + "source.port": 45541 + }, + { + "@timestamp": "2019-05-20T06:27:16.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:08:4a:a2", + "destination.port": 80, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 14934, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 16746, + "message": "May 20 06:27:16 myHost kernel: [5665906.191334] Shorewall:net_dnat:DNAT:IN=eth3 OUT= MAC=68:05:ca:08:4a:a2:34:b3:54:dd:cd:92:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=100 ID=14934 PROTO=TCP SPT=46284 DPT=80 WINDOW=62920 RES=0x00 SYN URGP=0 MARK=0x2 ", + 
"network.name": "net_dnat", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth3", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665906, + "shorewall.time2": 191334, + "shorewall.ttl": 100, + "source.ip": "1.2.3.4", + "source.mac": "34:b3:54:dd:cd:92", + "source.port": 46284 + }, + { + "@timestamp": "2019-05-20T06:27:19.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 38606, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 17014, + "message": "May 20 06:27:19 myHost kernel: [5665909.755990] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f8:95:c7:c2:49:5f:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=38606 DF PROTO=TCP SPT=38240 DPT=443 WINDOW=431 RES=0x00 ACK RST URGP=0 ", + "network.name": "wif-net", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665909, + "shorewall.time2": 755990, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f8:95:c7:c2:49:5f", + "source.port": 38240 + }, + { + "@timestamp": "2019-05-20T06:27:19.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8868, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 17285, + "message": "May 20 06:27:19 myHost kernel: [5665909.911069] 
Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8868 PROTO=TCP SPT=39232 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665909, + "shorewall.time2": 911069, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:50:b6:3d", + "source.port": 39232 + }, + { + "@timestamp": "2019-05-20T06:27:21.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 47360, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 17544, + "message": "May 20 06:27:21 myHost kernel: [5665911.686689] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=47360 PROTO=UDP SPT=59192 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665911, + "shorewall.time2": 686689, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 59192 + }, + { + "@timestamp": "2019-05-20T06:27:21.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 30044, + "event.module": 
"shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 17788, + "message": "May 20 06:27:21 myHost kernel: [5665911.687076] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=446 TOS=0x00 PREC=0x00 TTL=63 ID=30044 PROTO=UDP SPT=59192 DPT=443 LEN=426 ", + "network.name": "wif-net", + "network.packets": 446, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665911, + "shorewall.time2": 687076, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 59192 + }, + { + "@timestamp": "2019-05-20T06:27:21.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 123, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 26478, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 18030, + "message": "May 20 06:27:21 myHost kernel: [5665911.806450] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=26478 PROTO=UDP SPT=123 DPT=123 LEN=56 ", + "network.name": "wif-net", + "network.packets": 76, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665911, + "shorewall.time2": 806450, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 123 + }, + { + "@timestamp": "2019-05-20T06:27:21.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": 
"68:05:ca:42:25:0c", + "destination.port": 123, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 60981, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 18268, + "message": "May 20 06:27:21 myHost kernel: [5665911.840839] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=60981 PROTO=UDP SPT=123 DPT=123 LEN=56 ", + "network.name": "wif-net", + "network.packets": 76, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665911, + "shorewall.time2": 840839, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 123 + }, + { + "@timestamp": "2019-05-20T06:27:21.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 123, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 44073, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 18506, + "message": "May 20 06:27:21 myHost kernel: [5665911.881137] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=44073 PROTO=UDP SPT=123 DPT=123 LEN=56 ", + "network.name": "wif-net", + "network.packets": 76, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665911, + "shorewall.time2": 881137, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": 
"f4:0f:24:2f:71:df", + "source.port": 123 + }, + { + "@timestamp": "2019-05-20T06:27:25.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "ff:ff:ff:ff:ff:ff", + "destination.port": 62976, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 19860, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 18744, + "message": "May 20 06:27:25 myHost kernel: [5665916.048593] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19860 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ", + "network.name": "lan-fw", + "network.packets": 345, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665916, + "shorewall.time2": 48593, + "shorewall.ttl": 30, + "source.ip": "1.2.3.44", + "source.mac": "ec:22:80:c0:b6:40", + "source.port": 62976 + }, + { + "@timestamp": "2019-05-20T06:27:27.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8150, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 18982, + "message": "May 20 06:27:27 myHost kernel: [5665917.377574] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8150 PROTO=TCP SPT=50375 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", 
+ "shorewall.precedence": "0x00", + "shorewall.time1": 5665917, + "shorewall.time2": 377574, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:62:a7:46", + "source.port": 50375 + }, + { + "@timestamp": "2019-05-20T06:27:27.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 0, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 19240, + "message": "May 20 06:27:27 myHost kernel: [5665917.611542] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62481 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 64, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665917, + "shorewall.time2": 611542, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 62481 + }, + { + "@timestamp": "2019-05-20T06:27:28.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 6888, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 19505, + "message": "May 20 06:27:28 myHost kernel: [5665918.663884] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6888 DF PROTO=TCP SPT=60527 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 52, + 
"network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665918, + "shorewall.time2": 663884, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 60527 + }, + { + "@timestamp": "2019-05-20T06:27:36.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 13608, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 19774, + "message": "May 20 06:27:36 myHost kernel: [5665926.954899] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13608 PROTO=TCP SPT=35543 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665926, + "shorewall.time2": 954899, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:3e:72", + "source.port": 35543 + }, + { + "@timestamp": "2019-05-20T06:27:41.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 7064, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 20033, + "message": "May 20 06:27:41 myHost kernel: [5665931.409341] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 
MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7064 DF PROTO=TCP SPT=60528 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665931, + "shorewall.time2": 409341, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 60528 + }, + { + "@timestamp": "2019-05-20T06:27:43.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 9781, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 20302, + "message": "May 20 06:27:43 myHost kernel: [5665933.108273] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9781 PROTO=TCP SPT=60775 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665933, + "shorewall.time2": 108273, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "44:d9:e7:68:30:1a", + "source.port": 60775 + }, + { + "@timestamp": "2019-05-20T06:27:43.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 15608, + "event.module": "shorewall", + 
"fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 20560, + "message": "May 20 06:27:43 myHost kernel: [5665933.843105] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=15608 DF PROTO=UDP SPT=49618 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665933, + "shorewall.time2": 843105, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 49618 + }, + { + "@timestamp": "2019-05-20T06:27:43.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 15609, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 20808, + "message": "May 20 06:27:43 myHost kernel: [5665933.843134] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=386 TOS=0x00 PREC=0x00 TTL=127 ID=15609 DF PROTO=UDP SPT=49618 DPT=443 LEN=366 ", + "network.name": "wif-net", + "network.packets": 386, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665933, + "shorewall.time2": 843134, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 49618 + }, + { + "@timestamp": "2019-05-20T06:27:50.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": 
"68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 41776, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 21054, + "message": "May 20 06:27:50 myHost kernel: [5665940.288037] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=41776 PROTO=UDP SPT=63129 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665940, + "shorewall.time2": 288037, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 63129 + }, + { + "@timestamp": "2019-05-20T06:27:50.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 33504, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 21298, + "message": "May 20 06:27:50 myHost kernel: [5665940.391265] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=33504 PROTO=UDP SPT=58864 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665940, + "shorewall.time2": 391265, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + 
"source.mac": "f4:0f:24:2f:71:df", + "source.port": 58864 + }, + { + "@timestamp": "2019-05-20T06:27:50.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 24133, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 21542, + "message": "May 20 06:27:50 myHost kernel: [5665940.421000] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=24133 PROTO=UDP SPT=58864 DPT=443 LEN=1358 ", + "network.name": "wif-net", + "network.packets": 1378, "network.protocol": "UDP", "service.type": "0x00", - "shorewall.action.one": "FORWARD", - "shorewall.action.two": "REJECT", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665940, + "shorewall.time2": 421000, + "shorewall.ttl": 63, + "source.ip": "1.2.3.4", + "source.mac": "f4:0f:24:2f:71:df", + "source.port": 58864 + }, + { + "@timestamp": "2019-05-20T06:27:50.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 4667, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 21786, + "message": "May 20 06:27:50 myHost kernel: [5665940.444005] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4667 PROTO=TCP SPT=60427 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + 
"shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", "shorewall.network.in": "eth2", - "shorewall.network.out": "eth2", "shorewall.precedence": "0x00", + "shorewall.time1": 5665940, + "shorewall.time2": 444005, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:c9:bc:f0", + "source.port": 60427 + }, + { + "@timestamp": "2019-05-20T06:27:53.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 17727, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 22045, + "message": "May 20 06:27:53 myHost kernel: [5665943.272863] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=17727 DF PROTO=TCP SPT=1991 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x02", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665943, + "shorewall.time2": 272863, + "shorewall.ttl": 122, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 1991 + }, + { + "@timestamp": "2019-05-20T06:27:53.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 27195, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 22322, + "message": "May 20 06:27:53 myHost kernel: [5665943.643038] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 
PREC=0x00 TTL=122 ID=27195 DF PROTO=TCP SPT=711 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x02", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665943, + "shorewall.time2": 643038, + "shorewall.ttl": 122, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 711 + }, + { + "@timestamp": "2019-05-20T06:27:53.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 19622, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 22598, + "message": "May 20 06:27:53 myHost kernel: [5665943.787828] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=19622 DF PROTO=TCP SPT=1372 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x02", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665943, + "shorewall.time2": 787828, + "shorewall.ttl": 122, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 1372 + }, + { + "@timestamp": "2019-05-20T06:27:54.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 12474, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": 
"log", + "log.offset": 22875, + "message": "May 20 06:27:54 myHost kernel: [5665944.317910] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=12474 DF PROTO=TCP SPT=60525 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 ", + "network.name": "wif-net", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665944, + "shorewall.time2": 317910, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 60525 + }, + { + "@timestamp": "2019-05-20T06:27:54.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 3098, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 23145, + "message": "May 20 06:27:54 myHost kernel: [5665944.345621] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3098 DF PROTO=TCP SPT=60529 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665944, + "shorewall.time2": 345621, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 60529 + }, + { + "@timestamp": "2019-05-20T06:27:55.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + 
"destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 37429, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 23414, + "message": "May 20 06:27:55 myHost kernel: [5665945.223595] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:c4:9f:4c:e8:c9:bc:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37429 DF PROTO=TCP SPT=45640 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665945, + "shorewall.time2": 223595, "shorewall.ttl": 63, "source.ip": "1.2.3.4", - "source.port": 5353 + "source.mac": "c4:9f:4c:e8:c9:bc", + "source.port": 45640 + }, + { + "@timestamp": "2019-05-20T06:27:56.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "ff:ff:ff:ff:ff:ff", + "destination.port": 62976, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 19862, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 23683, + "message": "May 20 06:27:56 myHost kernel: [5665946.204223] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19862 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ", + "network.name": "lan-fw", + "network.packets": 345, + "network.protocol": "UDP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665946, + "shorewall.time2": 204223, + "shorewall.ttl": 30, + "source.ip": 
"1.2.3.44", + "source.mac": "ec:22:80:c0:b6:40", + "source.port": 62976 + }, + { + "@timestamp": "2019-05-20T06:27:56.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 23222, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 23921, + "message": "May 20 06:27:56 myHost kernel: [5665946.518251] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=23222 DF PROTO=TCP SPT=2017 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x02", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665946, + "shorewall.time2": 518251, + "shorewall.ttl": 122, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 2017 + }, + { + "@timestamp": "2019-05-20T06:27:57.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 25280, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 24198, + "message": "May 20 06:27:57 myHost kernel: [5665947.744034] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=25280 DF PROTO=TCP SPT=803 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x02", + "shorewall.action.one": "DNAT", + 
"shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665947, + "shorewall.time2": 744034, + "shorewall.ttl": 122, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 803 + }, + { + "@timestamp": "2019-05-20T06:27:57.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 1220, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 24474, + "message": "May 20 06:27:57 myHost kernel: [5665948.054796] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=1220 DF PROTO=TCP SPT=2264 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x02", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665948, + "shorewall.time2": 54796, + "shorewall.ttl": 122, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 2264 + }, + { + "@timestamp": "2019-05-20T06:27:58.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8559, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 24750, + "message": "May 20 06:27:58 myHost kernel: [5665949.033645] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=8559 DF PROTO=TCP 
SPT=2111 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", + "network.name": "net_dnat", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x02", + "shorewall.action.one": "DNAT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665949, + "shorewall.time2": 33645, + "shorewall.ttl": 122, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 2111 + }, + { + "@timestamp": "2019-05-20T06:27:59.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 8080, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 8880, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 25026, + "message": "May 20 06:27:59 myHost kernel: [5665949.184901] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8880 PROTO=TCP SPT=39233 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", + "network.name": "lan-fw", + "network.packets": 60, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth2", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665949, + "shorewall.time2": 184901, + "shorewall.ttl": 64, + "source.ip": "1.2.3.4", + "source.mac": "80:2a:a8:50:b6:3d", + "source.port": 39233 + }, + { + "@timestamp": "2019-05-20T06:28:02.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "68:05:ca:42:25:0c", + "destination.port": 443, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 22426, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 25285, + "message": "May 20 06:28:02 
myHost kernel: [5665952.767539] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=22426 DF PROTO=TCP SPT=60530 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", + "network.name": "wif-net", + "network.packets": 52, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "ACCEPT", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "vlan1", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665952, + "shorewall.time2": 767539, + "shorewall.ttl": 127, + "source.ip": "1.2.3.4", + "source.mac": "e4:b3:18:44:92:1a", + "source.port": 60530 + }, + { + "@timestamp": "2019-05-20T06:28:06.000Z", + "destination.ip": "1.2.3.4", + "destination.mac": "6c:b3:11:1b:d9:7a", + "destination.port": 1081, + "ecs.version": "1.0.0", + "event.dataset": "shorewall.log", + "event.id": 40105, + "event.module": "shorewall", + "fileset.name": "log", + "host.hostname": "myHost", + "input.type": "log", + "log.offset": 25555, + "message": "May 20 06:28:06 myHost kernel: [5665956.741703] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=40105 PROTO=TCP SPT=43212 DPT=1081 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", + "network.name": "net-fw", + "network.packets": 40, + "network.protocol": "TCP", + "service.type": "0x00", + "shorewall.action.one": "DROP", + "shorewall.action.two": "IN", + "shorewall.frame_type": "08:00", + "shorewall.network.in": "eth5", + "shorewall.precedence": "0x00", + "shorewall.time1": 5665956, + "shorewall.time2": 741703, + "shorewall.ttl": 244, + "source.ip": "1.2.3.4", + "source.mac": "28:c0:da:b7:eb:3e", + "source.port": 43212 } ] \ No newline at end of file From c7cb5c994a4a71577649472f1ea40a9f77393d4e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?=
Date: Mon, 20 May 2019 18:43:16 +0200
Subject: [PATCH 31/34] Document fields with "make update"

We used:
- https://logi.cc/en/2010/07/netfilter-log-format/
- http://shorewall.net

---
 filebeat/docs/fields.asciidoc | 68 ++++++++++++++++++-
 .../module/shorewall/_meta/fields.yml | 33 ++++++++-
 x-pack/filebeat/module/shorewall/fields.go | 2 +-
 3 files changed, 99 insertions(+), 4 deletions(-)

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 0c2b7f3f35b6..6540c34f72ee 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -12513,6 +12513,9 @@ Shorewal log files
 --
 type: keywork
 
+Name of the input network interface
+
+
 --
 
 *`shorewall.network.out`*::
@@ -12520,6 +12523,9 @@ type: keywork
 --
 type: keyword
 
+Name of the output network interface
+
+
 --
 
 [float]
@@ -12534,7 +12540,7 @@ Shorewal network log files
 --
 type: keywork
 
-Action one
+Specifies the action to be taken if the connection request matches the rule. target must be one of the following values (ACCEPT, ACCEPT+, ACCEPT!, ADD, AUDIT, A_ACCEPT, A_ACCEPT+, A_ACCEPT!, A_DROP, A_DROP!, A_REJECT, A_REJECT!, ?COMMENT, CONMARK, CONTINUE, CONTINUE!, COUNT, DEL, DNAT, DNAT-, DROP, DROP!, HELPER, INLINE, IPTABLES, IP6TABLES, LOG, MACRO, MARK, NFLOG, NFQUEUE, NONAT, QUEUE, QUEUE!, REJECT, REJECT!, REDIRECT, REDIRECT-, TARPIT, ULOG. See http://shorewall.net/manpages/shorewall-rules.html
 
 --
 
@@ -12547,6 +12553,16 @@ type: keyword
 
 Action two
 
+--
+
+*`shorewall.frame_type`*::
++
+--
+type: keyword
+
+This field is part of the MAC address in the log. It indicates whether the ethernet frame carried an IPv4 datagram or not.
+
+
 --
 
 *`shorewall.precedence`*::
@@ -12554,6 +12570,33 @@ Action two
 --
 type: keyword
 
+Type Of Service, and it's increasingly being replaced by DS and ECN.
+
+
+--
+
+*`shorewall.res`*::
++
+--
+type: keyword
+
+Reserved bits. The ECN flags "CWR" and "ECNE" will show up in the two least significant bits of this field.
+
+
+--
+
+*`shorewall.time1`*::
++
+--
+type: integer
+
+--
+
+*`shorewall.time2`*::
++
+--
+type: integer
+
 --
 
 *`shorewall.ttl`*::
@@ -12561,6 +12604,29 @@ type: keyword
 --
 type: integer
 
+The remaining Time To Live.
+
+
+--
+
+*`shorewall.urgp`*::
++
+--
+type: integer
+
+The Urgent Pointer allows for urgent, "out of band" data transfer. Unfortunately not all protocol implementations agree, so this facility is hardly ever used.
+
+
+--
+
+*`shorewall.window`*::
++
+--
+type: integer
+
+The TCP Receive Window size. This may be scaled by bit-shifting left by a number of bits specified in the "Window Scale" TCP option. If the host supports ECN, then the TCP Receive Window size will also be controlled by that.
+
+
 --
 
 [[exported-fields-suricata]]
diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml
index 1164dcba2cc1..5ccad4af6f0e 100644
--- a/x-pack/filebeat/module/shorewall/_meta/fields.yml
+++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml
@@ -15,8 +15,12 @@
 fields:
 - name: in
 type: keywork
+ description: >
+ Name of the input network interface
 - name: out
 type: keyword
+ description: >
+ Name of the output network interface
 - name: action
 type: group
 description: >
@@ -25,24 +29,49 @@
 - name: one
 type: keywork
 description: >
- Action one
+ Specifies the action to be taken if the connection request matches
+ the rule. target must be one of the following values (ACCEPT, ACCEPT+,
+ ACCEPT!, ADD, AUDIT, A_ACCEPT, A_ACCEPT+, A_ACCEPT!, A_DROP, A_DROP!,
+ A_REJECT, A_REJECT!, ?COMMENT, CONMARK, CONTINUE, CONTINUE!, COUNT, DEL,
+ DNAT, DNAT-, DROP, DROP!, HELPER, INLINE, IPTABLES, IP6TABLES, LOG, MACRO,
+ MARK, NFLOG, NFQUEUE, NONAT, QUEUE, QUEUE!, REJECT, REJECT!, REDIRECT,
+ REDIRECT-, TARPIT, ULOG. See http://shorewall.net/manpages/shorewall-rules.html
 - name: two
 type: keyword
 description: >
 Action two
 - name: frame_type
 type: keyword
+ description: >
+ This field is part of the MAC address in the log. It indicates whether
+ the ethernet frame carried an IPv4 datagram or not.
 - name: precedence
 type: keyword
+ description: >
+ Type Of Service, and it's increasingly being replaced by DS and ECN.
 - name: res
 type: keyword
+ description: >
+ Reserved bits. The ECN flags "CWR" and "ECNE" will show up in the two
+ least significant bits of this field.
 - name: time1
 type: integer
 - name: time2
 type: integer
 - name: ttl
 type: integer
+ description: >
+ The remaining Time To Live.
 - name: urgp
 type: integer
+ description: >
+ The Urgent Pointer allows for urgent, "out of band" data transfer.
+ Unfortunately not all protocol implementations agree, so this facility
+ is hardly ever used.
 - name: window
- type: integer
\ No newline at end of file
+ type: integer
+ description: >
+ The TCP Receive Window size. This may be scaled by bit-shifting left
+ by a number of bits specified in the "Window Scale" TCP option.
+ If the host supports ECN, then the TCP Receive Window size will also
+ be controlled by that.
\ No newline at end of file
diff --git a/x-pack/filebeat/module/shorewall/fields.go b/x-pack/filebeat/module/shorewall/fields.go
index 2b6e8370dc51..1bdc50202ed6 100644
--- a/x-pack/filebeat/module/shorewall/fields.go
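Review bot: The `res` description added in this hunk names the ECN flag "ECNE", but the flag as it appears in the sample log lines elsewhere in this series is `ECE` (e.g. `RES=0x00 CWR ECE SYN`), so someone matching the docs against a log line will not find the token; `Reserved bits. The ECN flags "CWR" and "ECE" will show up in the two` fixes it. The `precedence` description a few lines below describes the Type Of Service byte, yet the field it documents is the `PREC=` value, which the pipeline captures separately from `TOS=` (that one lands in `service.type`); a wording such as `IP precedence, the high-order bits of the Type Of Service byte; increasingly replaced by DS and ECN.` keeps the two apart. The generated `fields.asciidoc` hunks above carry the same sentences and would follow on the next `make update`.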
+++ b/x-pack/filebeat/module/shorewall/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetShorewall returns asset data.
 // This is the base64 encoded gzipped contents of module/shorewall.
 func AssetShorewall() string {
- return "eJyskcFugzAQRO/+ilHu6Qf4UKmX3nrqFyC8UAvHa9mLEH9fGcWJCSkKUuc4MPt21mcMNGukH440Nc4pQKw40jjdvJMCDKU22iCWvca7AoAvNqMjdBwRmpis7/FdInDco7OO0psCOkvOJL2kzvDNhdbELJkDafSRx3B1niCzPpdh6CJf1rwFlVXjaqQnmTgON/8ZdAecVYD3ftXnR27Ntn5lF/RA88NK9wiPspMxm3pNmzf+l3bXSx1uyZ5errm7SdbH0mczs7Bk4pfOc4RVzyycEKklQ76lzWn/egkRt/nXeqGeovoNAAD//4KB5vc="
+ return "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"
 }

From b178dcfb51ec87668fa5f756fb4d6591a79e7199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?=
Date: Mon, 20 May 2019 19:17:35 +0200
Subject: [PATCH 32/34] Remove path for Darwin and Windows

---
 x-pack/filebeat/module/shorewall/log/manifest.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/x-pack/filebeat/module/shorewall/log/manifest.yml b/x-pack/filebeat/module/shorewall/log/manifest.yml
index aa4741544d61..75798d386aea 100644
--- a/x-pack/filebeat/module/shorewall/log/manifest.yml
+++ b/x-pack/filebeat/module/shorewall/log/manifest.yml
@@ -4,10 +4,6 @@ var:
 - name: paths
 default:
 - /var/log/shorewall.log
- os.darwin:
- - /usr/local/example/test.log*
- os.windows:
- - c:/programdata/example/logs/test.log*
 
 ingest_pipeline: ingest/pipeline.json
 input: config/log.yml

From 5f84a65ebb816405b3b8d12caa334f17669a32bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?=
Date: Tue, 21 May 2019 11:34:57 +0200
Subject: [PATCH 33/34] Use Shorewall zone fields

---
 .../module/shorewall/_meta/fields.yml | 44 +-
 x-pack/filebeat/module/shorewall/fields.go | 2 +-
 .../module/shorewall/log/ingest/pipeline.json | 2 +-
 .../log/test/default.log-expected.json | 600 +++++++++--------
 4 files changed, 326 insertions(+), 322 deletions(-)
diff --git a/x-pack/filebeat/module/shorewall/_meta/fields.yml b/x-pack/filebeat/module/shorewall/_meta/fields.yml
index 5ccad4af6f0e..bea78feba2e8 100644
--- a/x-pack/filebeat/module/shorewall/_meta/fields.yml
+++ b/x-pack/filebeat/module/shorewall/_meta/fields.yml
@@ -21,30 +21,21 @@
 type: keyword
 description: >
 Name of the output network interface
- - name: action
- type: group
- description: >
- Shorewal network log files
- fields:
- - name: one
- type: keywork
- description: >
- Specifies the action to be taken if the connection request matches
- the rule. target must be one of the following values (ACCEPT, ACCEPT+,
- ACCEPT!, ADD, AUDIT, A_ACCEPT, A_ACCEPT+, A_ACCEPT!, A_DROP, A_DROP!,
- A_REJECT, A_REJECT!, ?COMMENT, CONMARK, CONTINUE, CONTINUE!, COUNT, DEL,
- DNAT, DNAT-, DROP, DROP!, HELPER, INLINE, IPTABLES, IP6TABLES, LOG, MACRO,
- MARK, NFLOG, NFQUEUE, NONAT, QUEUE, QUEUE!, REJECT, REJECT!, REDIRECT,
- REDIRECT-, TARPIT, ULOG. See http://shorewall.net/manpages/shorewall-rules.html
- - name: two
- type: keyword
- description: >
- Action two
 - name: frame_type
 type: keyword
 description: >
 This field is part of the MAC address in the log. It indicates whether
 the ethernet frame carried an IPv4 datagram or not.
+ - name: packet_action
+ type: keywork
+ description: >
+ Specifies the action to be taken if the connection request matches
+ the rule. target must be one of the following values (ACCEPT, ACCEPT+,
+ ACCEPT!, ADD, AUDIT, A_ACCEPT, A_ACCEPT+, A_ACCEPT!, A_DROP, A_DROP!,
+ A_REJECT, A_REJECT!, ?COMMENT, CONMARK, CONTINUE, CONTINUE!, COUNT, DEL,
+ DNAT, DNAT-, DROP, DROP!, HELPER, INLINE, IPTABLES, IP6TABLES, LOG, MACRO,
+ MARK, NFLOG, NFQUEUE, NONAT, QUEUE, QUEUE!, REJECT, REJECT!, REDIRECT,
+ REDIRECT-, TARPIT, ULOG. See http://shorewall.net/manpages/shorewall-rules.html
 - name: precedence
 type: keyword
 description: >
@@ -74,4 +65,17 @@
 The TCP Receive Window size. This may be scaled by bit-shifting left
 by a number of bits specified in the "Window Scale" TCP option.
 If the host supports ECN, then the TCP Receive Window size will also
- be controlled by that.
\ No newline at end of file
+ be controlled by that.
+ - name: zone
+ type: group
+ description: >
+ Shorewal Zone fields
+ fields:
+ - name: device
+ type: keyword
+ description: >
+ Name of the device for the zone
+ - name: name
+ type: keywork
+ description: >
+ Name of the zone
\ No newline at end of file
diff --git a/x-pack/filebeat/module/shorewall/fields.go b/x-pack/filebeat/module/shorewall/fields.go
index 1bdc50202ed6..23b926940dde 100644
--- a/x-pack/filebeat/module/shorewall/fields.go
+++ b/x-pack/filebeat/module/shorewall/fields.go
@@ -19,5 +19,5 @@ func init() {
 // AssetShorewall returns asset data.
 // This is the base64 encoded gzipped contents of module/shorewall.
 func AssetShorewall() string {
- return "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"
+ return "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"
 }
diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
index 3d03d3b5992b..58eade0bd6fe 100644
--- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
+++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
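Review bot: The new `packet_action` entry in the first fields.yml hunk and the new `zone.name` entry in the second are declared with `type: keywork`, which is not an Elasticsearch field type; every sibling added in the same hunks uses `type: keyword`, so both added lines should read `type: keyword` (the pre-existing `in` entry carries the same typo and could be fixed in passing). The zone group's description is `Shorewal Zone fields`; the product is spelled `Shorewall` everywhere else in the series. The `zone.device` description says it holds the name of the device for the zone, but the pipeline hunk below captures the literal `IN` key of `IN=eth5` into that field, so either this description or that capture needs to change before the field is documented as meaningful.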
@@ -5,7 +5,7 @@
 "grok": {
 "field": "message",
 "patterns": [
- "(%{SYSLOGTIMESTAMP:timestamp}).*(%{WORD:host.hostname}).*kernel:.*\\[(%{INT:shorewall.time1:int}).(%{INT:shorewall.time2:int})\\].*Shorewall:(%{USERNAME:network.name}):(%{WORD:shorewall.action.one}):(%{WORD:shorewall.action.two})=(%{USERNAME:shorewall.network.in}).*OUT=.*MAC=(%{MAC:destination.mac})?:(%{MAC:source.mac})?:(%{NOTSPACE:shorewall.frame_type})?.*SRC=(%{IPV4:source.ip})?.*DST=(%{IPV4:destination.ip})?.*LEN=(%{INT:network.packets:int})?.*TOS=(%{WORD:service.type})?.*PREC=(%{WORD:shorewall.precedence})?.*TTL=(%{INT:shorewall.ttl:int})?.*ID=(%{INT:event.id:int})?.*PROTO=(%{WORD:network.protocol})?.*SPT=(%{INT:source.port:int})?.*DPT=(%{INT:destination.port:int})?.*(WINDOW=(%{NUMBER:shorewall.window:int}))?.*(RES=(%{WORD:shorewall.res})?)?.*(SYN)?.*(URGP=(%{INT:shorewall.urgp:int})?)?"
+ "(%{SYSLOGTIMESTAMP:timestamp}).*(%{WORD:host.hostname}).*kernel:.*\\[(%{INT:shorewall.time1:int}).(%{INT:shorewall.time2:int})\\].*Shorewall:(%{USERNAME:shorewall.zone.name}):(%{WORD:shorewall.packet_action}):(%{WORD:shorewall.zone.device})=(%{USERNAME:shorewall.network.in}).*OUT=.*MAC=(%{MAC:destination.mac})?:(%{MAC:source.mac})?:(%{NOTSPACE:shorewall.frame_type})?.*SRC=(%{IPV4:source.ip})?.*DST=(%{IPV4:destination.ip})?.*LEN=(%{INT:network.packets:int})?.*TOS=(%{WORD:service.type})?.*PREC=(%{WORD:shorewall.precedence})?.*TTL=(%{INT:shorewall.ttl:int})?.*ID=(%{INT:event.id:int})?.*PROTO=(%{WORD:network.protocol})?.*SPT=(%{INT:source.port:int})?.*DPT=(%{INT:destination.port:int})?.*(WINDOW=(%{NUMBER:shorewall.window:int}))?.*(RES=(%{WORD:shorewall.res})?)?.*(SYN)?.*(URGP=(%{INT:shorewall.urgp:int})?)?"
 ],
 "ignore_missing": false
 }
diff --git a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json
index d9d65c7d4883..539735a66ead 100644
--- a/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json
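Review bot: `(%{WORD:shorewall.zone.device})=` in the new pattern captures the literal key `IN` of `IN=eth5`, not a device, so `shorewall.zone.device` is the constant string `IN` in every event (the expected-output hunks below show exactly that), while the real egress interface after `OUT=` is discarded by `.*OUT=.*MAC=` even though `shorewall.network.out` is declared in fields.yml. I would anchor on the literal keys and capture both interfaces instead: `Shorewall:(%{USERNAME:shorewall.zone.name}):(%{WORD:shorewall.packet_action}):IN=(%{USERNAME:shorewall.network.in})? OUT=(%{USERNAME:shorewall.network.out})? MAC=`, dropping the `zone.device` capture and its field definition; for a firewall log the in/out interface pair is what distinguishes forwarded from locally terminated traffic, so losing `OUT=` is a real gap for anyone triaging these events. Separately, the run of greedy `.*` segments between nested optional groups lets a malformed or truncated line still match with later fields silently empty, and makes matching cost grow with line length; the `KEY=VALUE` tail after the `Shorewall:` prefix is a natural fit for a `kv` processor, which would also pick up tokens the grok ignores today such as `DF`, `MARK=` and the TCP flags, and the `(SYN)?` group captures nothing and can go.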
+++ b/x-pack/filebeat/module/shorewall/log/test/default.log-expected.json @@ -13,18 +13,18 @@ "input.type": "log", "log.offset": 0, "message": "May 20 06:25:04 myHost kernel: [5665774.433812] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8108 PROTO=TCP SPT=50371 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", - "network.name": "lan-fw", "network.packets": 60, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth2", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665774, "shorewall.time2": 433812, "shorewall.ttl": 64, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "lan-fw", "source.ip": "1.2.3.4", "source.mac": "44:d9:e7:62:a7:46", "source.port": 50371 @@ -43,18 +43,18 @@ "input.type": "log", "log.offset": 258, "message": "May 20 06:25:07 myHost kernel: [5665777.620517] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=56740 PROTO=UDP SPT=58761 DPT=443 LEN=1358 ", - "network.name": "wif-net", "network.packets": 1378, "network.protocol": "UDP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "vlan1", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665777, "shorewall.time2": 620517, "shorewall.ttl": 63, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "wif-net", "source.ip": "1.2.3.4", "source.mac": "f4:0f:24:2f:71:df", "source.port": 58761 
@@ -73,18 +73,18 @@ "input.type": "log", "log.offset": 502, "message": "May 20 06:25:07 myHost kernel: [5665777.621095] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=411 TOS=0x00 PREC=0x00 TTL=63 ID=1452 PROTO=UDP SPT=58761 DPT=443 LEN=391 ", - "network.name": "wif-net", "network.packets": 411, "network.protocol": "UDP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "vlan1", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665777, "shorewall.time2": 621095, "shorewall.ttl": 63, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "wif-net", "source.ip": "1.2.3.4", "source.mac": "f4:0f:24:2f:71:df", "source.port": 58761 @@ -103,18 +103,18 @@ "input.type": "log", "log.offset": 743, "message": "May 20 06:25:10 myHost kernel: [5665780.629574] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13568 PROTO=TCP SPT=55651 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", - "network.name": "lan-fw", "network.packets": 60, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth2", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665780, "shorewall.time2": 629574, "shorewall.ttl": 64, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "lan-fw", "source.ip": "1.2.3.4", "source.mac": "44:d9:e7:68:3e:72", "source.port": 55651 
@@ -133,18 +133,18 @@ "input.type": "log", "log.offset": 1002, "message": "May 20 06:25:14 myHost kernel: [5665784.796963] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=3097 DF PROTO=TCP SPT=60391 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 ", - "network.name": "wif-net", "network.packets": 40, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "vlan1", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665784, "shorewall.time2": 796963, "shorewall.ttl": 127, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "wif-net", "source.ip": "1.2.3.4", "source.mac": "e4:b3:18:44:92:1a", "source.port": 60391 @@ -163,18 +163,18 @@ "input.type": "log", "log.offset": 1271, "message": "May 20 06:25:14 myHost kernel: [5665784.807881] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=12465 DF PROTO=TCP SPT=60525 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", - "network.name": "wif-net", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "vlan1", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665784, "shorewall.time2": 807881, "shorewall.ttl": 127, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "wif-net", "source.ip": "1.2.3.4", "source.mac": "e4:b3:18:44:92:1a", "source.port": 60525 
@@ -193,18 +193,18 @@ "input.type": "log", "log.offset": 1541, "message": "May 20 06:25:15 myHost kernel: [5665785.711972] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9741 PROTO=TCP SPT=46896 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ", - "network.name": "lan-fw", "network.packets": 60, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth2", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665785, "shorewall.time2": 711972, "shorewall.ttl": 64, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "lan-fw", "source.ip": "1.2.3.4", "source.mac": "44:d9:e7:68:30:1a", "source.port": 46896 @@ -223,18 +223,18 @@ "input.type": "log", "log.offset": 1799, "message": "May 20 06:25:22 myHost kernel: [5665792.533866] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=29417 PROTO=TCP SPT=41131 DPT=60561 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", - "network.name": "net-fw", "network.packets": 40, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "DROP", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DROP", "shorewall.precedence": "0x00", "shorewall.time1": 5665792, "shorewall.time2": 533866, "shorewall.ttl": 251, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net-fw", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 41131 
@@ -253,18 +253,18 @@ "input.type": "log", "log.offset": 2067, "message": "May 20 06:25:25 myHost kernel: [5665795.346806] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4615 PROTO=TCP SPT=60423 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", - "network.name": "lan-fw", "network.packets": 60, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth2", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665795, "shorewall.time2": 346806, "shorewall.ttl": 64, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "lan-fw", "source.ip": "1.2.3.4", "source.mac": "80:2a:a8:c9:bc:f0", "source.port": 60423 @@ -283,18 +283,18 @@ "input.type": "log", "log.offset": 2326, "message": "May 20 06:25:25 myHost kernel: [5665795.391942] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19852 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ", - "network.name": "lan-fw", "network.packets": 345, "network.protocol": "UDP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth2", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665795, "shorewall.time2": 391942, "shorewall.ttl": 30, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "lan-fw", "source.ip": "1.2.3.44", "source.mac": "ec:22:80:c0:b6:40", "source.port": 62976 
@@ -313,18 +313,18 @@
 "input.type": "log",
 "log.offset": 2564,
 "message": "May 20 06:25:27 myHost kernel: [5665797.609158] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62477 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 64,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665797,
 "shorewall.time2": 609158,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 62477
@@ -343,18 +343,18 @@
 "input.type": "log",
 "log.offset": 2829,
 "message": "May 20 06:25:27 myHost kernel: [5665797.609464] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62478 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 64,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665797,
 "shorewall.time2": 609464,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 62478
@@ -373,18 +373,18 @@
 "input.type": "log",
 "log.offset": 3094,
 "message": "May 20 06:25:27 myHost kernel: [5665797.801696] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62479 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 64,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665797,
 "shorewall.time2": 801696,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 62479
@@ -403,18 +403,18 @@
 "input.type": "log",
 "log.offset": 3359,
 "message": "May 20 06:25:28 myHost kernel: [5665798.736156] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=54649 PROTO=TCP SPT=41131 DPT=61929 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665798,
 "shorewall.time2": 736156,
 "shorewall.ttl": 251,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 41131
@@ -433,18 +433,18 @@
 "input.type": "log",
 "log.offset": 3627,
 "message": "May 20 06:25:29 myHost kernel: [5665799.665870] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=60378 DF PROTO=TCP SPT=61113 DPT=8291 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665799,
 "shorewall.time2": 665870,
 "shorewall.ttl": 252,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 61113
@@ -463,18 +463,18 @@
 "input.type": "log",
 "log.offset": 3898,
 "message": "May 20 06:25:32 myHost kernel: [5665802.156520] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=101 TOS=0x00 PREC=0x00 TTL=116 ID=24468 PROTO=UDP SPT=7718 DPT=18377 LEN=81 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 101,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665802,
 "shorewall.time2": 156520,
 "shorewall.ttl": 116,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 7718
@@ -493,18 +493,18 @@
 "input.type": "log",
 "log.offset": 4141,
 "message": "May 20 06:25:34 myHost kernel: [5665804.111364] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8832 PROTO=TCP SPT=39229 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665804,
 "shorewall.time2": 111364,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "80:2a:a8:50:b6:3d",
 "source.port": 39229
@@ -523,18 +523,18 @@
 "input.type": "log",
 "log.offset": 4400,
 "message": "May 20 06:25:38 myHost kernel: [5665808.647159] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=61638 PROTO=TCP SPT=8080 DPT=33396 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665808,
 "shorewall.time2": 647159,
 "shorewall.ttl": 248,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 8080
@@ -553,18 +553,18 @@
 "input.type": "log",
 "log.offset": 4667,
 "message": "May 20 06:25:40 myHost kernel: [5665810.425471] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28391 DF PROTO=TCP SPT=56642 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net_dnat",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DNAT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DNAT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665810,
 "shorewall.time2": 425471,
 "shorewall.ttl": 121,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net_dnat",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 56642
@@ -583,18 +583,18 @@
 "input.type": "log",
 "log.offset": 4938,
 "message": "May 20 06:25:40 myHost kernel: [5665810.466469] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28398 DF PROTO=TCP SPT=56643 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net_dnat",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DNAT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DNAT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665810,
 "shorewall.time2": 466469,
 "shorewall.ttl": 121,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net_dnat",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 56643
@@ -613,18 +613,18 @@
 "input.type": "log",
 "log.offset": 5208,
 "message": "May 20 06:25:40 myHost kernel: [5665810.492512] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28402 DF PROTO=TCP SPT=56644 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net_dnat",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DNAT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DNAT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665810,
 "shorewall.time2": 492512,
 "shorewall.ttl": 121,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net_dnat",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 56644
@@ -643,18 +643,18 @@
 "input.type": "log",
 "log.offset": 5479,
 "message": "May 20 06:25:40 myHost kernel: [5665810.517875] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=28409 DF PROTO=TCP SPT=56645 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net_dnat",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DNAT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DNAT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665810,
 "shorewall.time2": 517875,
 "shorewall.ttl": 121,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net_dnat",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 56645
@@ -673,18 +673,18 @@
 "input.type": "log",
 "log.offset": 5749,
 "message": "May 20 06:25:41 myHost kernel: [5665811.550988] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8119 PROTO=TCP SPT=50372 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665811,
 "shorewall.time2": 550988,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:62:a7:46",
 "source.port": 50372
@@ -703,18 +703,18 @@
 "input.type": "log",
 "log.offset": 6007,
 "message": "May 20 06:25:42 myHost kernel: [5665812.814869] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=15595 DF PROTO=UDP SPT=58973 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665812,
 "shorewall.time2": 814869,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 58973
@@ -733,18 +733,18 @@
 "input.type": "log",
 "log.offset": 6255,
 "message": "May 20 06:25:42 myHost kernel: [5665812.814907] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=386 TOS=0x00 PREC=0x00 TTL=127 ID=15596 DF PROTO=UDP SPT=58973 DPT=443 LEN=366 ",
- "network.name": "wif-net",
 "network.packets": 386,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665812,
 "shorewall.time2": 814907,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 58973
@@ -763,18 +763,18 @@
 "input.type": "log",
 "log.offset": 6501,
 "message": "May 20 06:25:43 myHost kernel: [5665813.094960] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=2832 PROTO=TCP SPT=41131 DPT=58772 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665813,
 "shorewall.time2": 94960,
 "shorewall.ttl": 251,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 41131
@@ -793,18 +793,18 @@
 "input.type": "log",
 "log.offset": 6768,
 "message": "May 20 06:25:48 myHost kernel: [5665818.708387] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13578 PROTO=TCP SPT=35540 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665818,
 "shorewall.time2": 708387,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:68:3e:72",
 "source.port": 35540
@@ -823,18 +823,18 @@
 "input.type": "log",
 "log.offset": 7027,
 "message": "May 20 06:25:53 myHost kernel: [5665823.838331] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:ac:cc:8e:59:43:c4:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=170 DF PROTO=UDP SPT=37876 DPT=123 LEN=56 ",
- "network.name": "wif-net",
 "network.packets": 76,
 "network.protocol": "UDP",
 "service.type": "0x10",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665823,
 "shorewall.time2": 838331,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "ac:cc:8e:59:43:c4",
 "source.port": 37876
@@ -853,18 +853,18 @@
 "input.type": "log",
 "log.offset": 7268,
 "message": "May 20 06:25:55 myHost kernel: [5665825.551009] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19854 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ",
- "network.name": "lan-fw",
 "network.packets": 345,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665825,
 "shorewall.time2": 551009,
 "shorewall.ttl": 30,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.44",
 "source.mac": "ec:22:80:c0:b6:40",
 "source.port": 62976
@@ -883,18 +883,18 @@
 "input.type": "log",
 "log.offset": 7506,
 "message": "May 20 06:25:55 myHost kernel: [5665825.808201] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9751 PROTO=TCP SPT=46897 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665825,
 "shorewall.time2": 808201,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:68:30:1a",
 "source.port": 46897
@@ -913,18 +913,18 @@
 "input.type": "log",
 "log.offset": 7764,
 "message": "May 20 06:25:59 myHost kernel: [5665829.270149] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f8:32:e4:e3:ae:c5:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=83 TOS=0x00 PREC=0x00 TTL=63 ID=63893 DF PROTO=TCP SPT=48338 DPT=443 WINDOW=1453 RES=0x00 ACK PSH URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 83,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665829,
 "shorewall.time2": 270149,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f8:32:e4:e3:ae:c5",
 "source.port": 48338
@@ -943,18 +943,18 @@
 "input.type": "log",
 "log.offset": 8036,
 "message": "May 20 06:25:59 myHost kernel: [5665829.275316] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f8:32:e4:e3:ae:c5:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=63894 DF PROTO=TCP SPT=48338 DPT=443 WINDOW=1453 RES=0x00 ACK FIN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665829,
 "shorewall.time2": 275316,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f8:32:e4:e3:ae:c5",
 "source.port": 48338
@@ -973,18 +973,18 @@
 "input.type": "log",
 "log.offset": 8308,
 "message": "May 20 06:25:59 myHost kernel: [5665829.282743] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f8:32:e4:e3:ae:c5:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=48586 DF PROTO=TCP SPT=59914 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665829,
 "shorewall.time2": 282743,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f8:32:e4:e3:ae:c5",
 "source.port": 59914
@@ -1003,18 +1003,18 @@
 "input.type": "log",
 "log.offset": 8577,
 "message": "May 20 06:26:03 myHost kernel: [5665833.634545] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4628 PROTO=TCP SPT=60424 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665833,
 "shorewall.time2": 634545,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "80:2a:a8:c9:bc:f0",
 "source.port": 60424
@@ -1033,18 +1033,18 @@
 "input.type": "log",
 "log.offset": 8836,
 "message": "May 20 06:26:06 myHost kernel: [5665836.622479] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=43325 PROTO=TCP SPT=8080 DPT=4000 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665836,
 "shorewall.time2": 622479,
 "shorewall.ttl": 248,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 8080
@@ -1063,18 +1063,18 @@
 "input.type": "log",
 "log.offset": 9102,
 "message": "May 20 06:26:07 myHost kernel: [5665837.859827] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=36238 PROTO=UDP SPT=61330 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665837,
 "shorewall.time2": 859827,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 61330
@@ -1093,18 +1093,18 @@
 "input.type": "log",
 "log.offset": 9346,
 "message": "May 20 06:26:07 myHost kernel: [5665837.860199] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=442 TOS=0x00 PREC=0x00 TTL=63 ID=22277 PROTO=UDP SPT=61330 DPT=443 LEN=422 ",
- "network.name": "wif-net",
 "network.packets": 442,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665837,
 "shorewall.time2": 860199,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 61330
@@ -1123,18 +1123,18 @@
 "input.type": "log",
 "log.offset": 9588,
 "message": "May 20 06:26:07 myHost kernel: [5665837.860223] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=150 TOS=0x00 PREC=0x00 TTL=63 ID=8101 PROTO=UDP SPT=61330 DPT=443 LEN=130 ",
- "network.name": "wif-net",
 "network.packets": 150,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665837,
 "shorewall.time2": 860223,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 61330
@@ -1153,18 +1153,18 @@
 "input.type": "log",
 "log.offset": 9829,
 "message": "May 20 06:26:09 myHost kernel: [5665839.818545] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7051 DF PROTO=TCP SPT=60526 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665839,
 "shorewall.time2": 818545,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 60526
@@ -1183,18 +1183,18 @@
 "input.type": "log",
 "log.offset": 10098,
 "message": "May 20 06:26:12 myHost kernel: [5665842.372077] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8844 PROTO=TCP SPT=39230 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665842,
 "shorewall.time2": 372077,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "80:2a:a8:50:b6:3d",
 "source.port": 39230
@@ -1213,18 +1213,18 @@
 "input.type": "log",
 "log.offset": 10357,
 "message": "May 20 06:26:13 myHost kernel: [5665843.902992] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=32586 DF PROTO=UDP SPT=64806 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665843,
 "shorewall.time2": 902992,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 64806
@@ -1243,18 +1243,18 @@
 "input.type": "log",
 "log.offset": 10605,
 "message": "May 20 06:26:17 myHost kernel: [5665847.730485] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8129 PROTO=TCP SPT=50373 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665847,
 "shorewall.time2": 730485,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:62:a7:46",
 "source.port": 50373
@@ -1273,18 +1273,18 @@
 "input.type": "log",
 "log.offset": 10863,
 "message": "May 20 06:26:22 myHost kernel: [5665852.790852] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13588 PROTO=TCP SPT=35541 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665852,
 "shorewall.time2": 790852,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:68:3e:72",
 "source.port": 35541
@@ -1303,18 +1303,18 @@
 "input.type": "log",
 "log.offset": 11122,
 "message": "May 20 06:26:25 myHost kernel: [5665855.713411] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19856 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ",
- "network.name": "lan-fw",
 "network.packets": 345,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665855,
 "shorewall.time2": 713411,
 "shorewall.ttl": 30,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.44",
 "source.mac": "ec:22:80:c0:b6:40",
 "source.port": 62976
@@ -1333,18 +1333,18 @@
 "input.type": "log",
 "log.offset": 11360,
 "message": "May 20 06:26:30 myHost kernel: [5665860.305453] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=31944 PROTO=TCP SPT=48293 DPT=49495 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665860,
 "shorewall.time2": 305453,
 "shorewall.ttl": 246,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 48293
@@ -1363,18 +1363,18 @@
 "input.type": "log",
 "log.offset": 11628,
 "message": "May 20 06:26:30 myHost kernel: [5665860.904274] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9761 PROTO=TCP SPT=60773 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665860,
 "shorewall.time2": 904274,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:68:30:1a",
 "source.port": 60773
@@ -1393,18 +1393,18 @@
 "input.type": "log",
 "log.offset": 11886,
 "message": "May 20 06:26:38 myHost kernel: [5665868.905177] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4641 PROTO=TCP SPT=60425 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665868,
 "shorewall.time2": 905177,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "80:2a:a8:c9:bc:f0",
 "source.port": 60425
@@ -1423,18 +1423,18 @@
 "input.type": "log",
 "log.offset": 12145,
 "message": "May 20 06:26:44 myHost kernel: [5665874.640128] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8856 PROTO=TCP SPT=39231 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665874,
 "shorewall.time2": 640128,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "80:2a:a8:50:b6:3d",
 "source.port": 39231
@@ -1453,18 +1453,18 @@
 "input.type": "log",
 "log.offset": 12404,
 "message": "May 20 06:26:50 myHost kernel: [5665880.272050] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:c4:9f:4c:e8:ca:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1224 DF PROTO=TCP SPT=38769 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665880,
 "shorewall.time2": 272050,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "c4:9f:4c:e8:ca:1a",
 "source.port": 38769
@@ -1483,18 +1483,18 @@
 "input.type": "log",
 "log.offset": 12672,
 "message": "May 20 06:26:50 myHost kernel: [5665880.916295] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=251 ID=31010 PROTO=TCP SPT=41131 DPT=59830 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665880,
 "shorewall.time2": 916295,
 "shorewall.ttl": 251,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 41131
@@ -1513,18 +1513,18 @@
 "input.type": "log",
 "log.offset": 12940,
 "message": "May 20 06:26:52 myHost kernel: [5665882.101246] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8140 PROTO=TCP SPT=50374 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665882,
 "shorewall.time2": 101246,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:62:a7:46",
 "source.port": 50374
@@ -1543,18 +1543,18 @@
 "input.type": "log",
 "log.offset": 13198,
 "message": "May 20 06:26:55 myHost kernel: [5665885.867369] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19858 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ",
- "network.name": "lan-fw",
 "network.packets": 345,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665885,
 "shorewall.time2": 867369,
 "shorewall.ttl": 30,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.44",
 "source.mac": "ec:22:80:c0:b6:40",
 "source.port": 62976
@@ -1573,18 +1573,18 @@
 "input.type": "log",
 "log.offset": 13436,
 "message": "May 20 06:26:56 myHost kernel: [5665886.872870] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13598 PROTO=TCP SPT=35542 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665886,
 "shorewall.time2": 872870,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:68:3e:72",
 "source.port": 35542
@@ -1603,18 +1603,18 @@
 "input.type": "log",
 "log.offset": 13695,
 "message": "May 20 06:26:58 myHost kernel: [5665888.837986] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=34778 PROTO=TCP SPT=49514 DPT=3291 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665888,
 "shorewall.time2": 837986,
 "shorewall.ttl": 249,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 49514
@@ -1633,18 +1633,18 @@
 "input.type": "log",
 "log.offset": 13962,
 "message": "May 20 06:26:59 myHost kernel: [5665889.708842] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:94:0e:6b:6f:4d:5b:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60038 DF PROTO=TCP SPT=57121 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665889,
 "shorewall.time2": 708842,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "94:0e:6b:6f:4d:5b",
 "source.port": 57121
@@ -1663,18 +1663,18 @@
 "input.type": "log",
 "log.offset": 14230,
 "message": "May 20 06:27:00 myHost kernel: [5665890.633270] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=44244 PROTO=TCP SPT=48293 DPT=46462 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ",
- "network.name": "net-fw",
 "network.packets": 40,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DROP",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth5",
+ "shorewall.packet_action": "DROP",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665890,
 "shorewall.time2": 633270,
 "shorewall.ttl": 246,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "28:c0:da:b7:eb:3e",
 "source.port": 48293
@@ -1693,18 +1693,18 @@
 "input.type": "log",
 "log.offset": 14498,
 "message": "May 20 06:27:04 myHost kernel: [5665895.011208] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9771 PROTO=TCP SPT=60774 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665895,
 "shorewall.time2": 11208,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:68:30:1a",
 "source.port": 60774
@@ -1723,18 +1723,18 @@
 "input.type": "log",
 "log.offset": 14756,
 "message": "May 20 06:27:05 myHost kernel: [5665895.443186] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62480 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 64,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665895,
 "shorewall.time2": 443186,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 62480
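Review bot: In the first hunk here the kernel timestamp `[5665895.011208]` is expected as `"shorewall.time2": 11208`, so the fractional part is being converted to an integer and its leading zero is lost; `time1`/`time2` can no longer be recombined into the original uptime value (the same happens with `.048593` later in the file). Presumably the pipeline's pattern splits on the dot and applies a numeric converter to both halves, which is not visible here. Keeping the fraction as a string, or storing the whole `5665895.011208` in one float field, would preserve it, and the expectation would then become e.g. `"shorewall.time2": "011208"`.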
@@ -1753,18 +1753,18 @@
 "input.type": "log",
 "log.offset": 15021,
 "message": "May 20 06:27:07 myHost kernel: [5665897.853344] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=2997 DF PROTO=UDP SPT=61074 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665897,
 "shorewall.time2": 853344,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 61074
@@ -1783,18 +1783,18 @@
 "input.type": "log",
 "log.offset": 15268,
 "message": "May 20 06:27:07 myHost kernel: [5665897.853903] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=533 TOS=0x00 PREC=0x00 TTL=127 ID=2998 DF PROTO=UDP SPT=61074 DPT=443 LEN=513 ",
- "network.name": "wif-net",
 "network.packets": 533,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665897,
 "shorewall.time2": 853903,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 61074
@@ -1813,18 +1813,18 @@
 "input.type": "log",
 "log.offset": 15513,
 "message": "May 20 06:27:07 myHost kernel: [5665897.853924] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=177 TOS=0x00 PREC=0x00 TTL=127 ID=2999 DF PROTO=UDP SPT=61074 DPT=443 LEN=157 ",
- "network.name": "wif-net",
 "network.packets": 177,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665897,
 "shorewall.time2": 853924,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 61074
@@ -1843,18 +1843,18 @@
 "input.type": "log",
 "log.offset": 15758,
 "message": "May 20 06:27:08 myHost kernel: [5665898.619970] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=42012 PROTO=UDP SPT=54438 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665898,
 "shorewall.time2": 619970,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 54438
@@ -1873,18 +1873,18 @@
 "input.type": "log",
 "log.offset": 16002,
 "message": "May 20 06:27:08 myHost kernel: [5665898.620495] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=412 TOS=0x00 PREC=0x00 TTL=63 ID=25900 PROTO=UDP SPT=54438 DPT=443 LEN=392 ",
- "network.name": "wif-net",
 "network.packets": 412,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665898,
 "shorewall.time2": 620495,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 54438
@@ -1903,18 +1903,18 @@
 "input.type": "log",
 "log.offset": 16244,
 "message": "May 20 06:27:13 myHost kernel: [5665903.167952] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4654 PROTO=TCP SPT=60426 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665903,
 "shorewall.time2": 167952,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "80:2a:a8:c9:bc:f0",
 "source.port": 60426
@@ -1933,18 +1933,18 @@
 "input.type": "log",
 "log.offset": 16503,
 "message": "May 20 06:27:15 myHost kernel: [5665905.929948] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:ac:cc:8e:59:43:c4:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=54364 DF PROTO=UDP SPT=45541 DPT=123 LEN=56 ",
- "network.name": "wif-net",
 "network.packets": 76,
 "network.protocol": "UDP",
 "service.type": "0x10",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665905,
 "shorewall.time2": 929948,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "ac:cc:8e:59:43:c4",
 "source.port": 45541
@@ -1963,18 +1963,18 @@
 "input.type": "log",
 "log.offset": 16746,
 "message": "May 20 06:27:16 myHost kernel: [5665906.191334] Shorewall:net_dnat:DNAT:IN=eth3 OUT= MAC=68:05:ca:08:4a:a2:34:b3:54:dd:cd:92:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=100 ID=14934 PROTO=TCP SPT=46284 DPT=80 WINDOW=62920 RES=0x00 SYN URGP=0 MARK=0x2 ",
- "network.name": "net_dnat",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "DNAT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth3",
+ "shorewall.packet_action": "DNAT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665906,
 "shorewall.time2": 191334,
 "shorewall.ttl": 100,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "net_dnat",
 "source.ip": "1.2.3.4",
 "source.mac": "34:b3:54:dd:cd:92",
 "source.port": 46284
@@ -1993,18 +1993,18 @@
 "input.type": "log",
 "log.offset": 17014,
 "message": "May 20 06:27:19 myHost kernel: [5665909.755990] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f8:95:c7:c2:49:5f:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=38606 DF PROTO=TCP SPT=38240 DPT=443 WINDOW=431 RES=0x00 ACK RST URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665909,
 "shorewall.time2": 755990,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f8:95:c7:c2:49:5f",
 "source.port": 38240
@@ -2023,18 +2023,18 @@
 "input.type": "log",
 "log.offset": 17285,
 "message": "May 20 06:27:19 myHost kernel: [5665909.911069] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8868 PROTO=TCP SPT=39232 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665909,
 "shorewall.time2": 911069,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "80:2a:a8:50:b6:3d",
 "source.port": 39232
@@ -2053,18 +2053,18 @@
 "input.type": "log",
 "log.offset": 17544,
 "message": "May 20 06:27:21 myHost kernel: [5665911.686689] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=47360 PROTO=UDP SPT=59192 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665911,
 "shorewall.time2": 686689,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 59192
@@ -2083,18 +2083,18 @@
 "input.type": "log",
 "log.offset": 17788,
 "message": "May 20 06:27:21 myHost kernel: [5665911.687076] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=446 TOS=0x00 PREC=0x00 TTL=63 ID=30044 PROTO=UDP SPT=59192 DPT=443 LEN=426 ",
- "network.name": "wif-net",
 "network.packets": 446,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665911,
 "shorewall.time2": 687076,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 59192
@@ -2113,18 +2113,18 @@
 "input.type": "log",
 "log.offset": 18030,
 "message": "May 20 06:27:21 myHost kernel: [5665911.806450] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=26478 PROTO=UDP SPT=123 DPT=123 LEN=56 ",
- "network.name": "wif-net",
 "network.packets": 76,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665911,
 "shorewall.time2": 806450,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 123
@@ -2143,18 +2143,18 @@
 "input.type": "log",
 "log.offset": 18268,
 "message": "May 20 06:27:21 myHost kernel: [5665911.840839] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=60981 PROTO=UDP SPT=123 DPT=123 LEN=56 ",
- "network.name": "wif-net",
 "network.packets": 76,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665911,
 "shorewall.time2": 840839,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 123
@@ -2173,18 +2173,18 @@
 "input.type": "log",
 "log.offset": 18506,
 "message": "May 20 06:27:21 myHost kernel: [5665911.881137] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=44073 PROTO=UDP SPT=123 DPT=123 LEN=56 ",
- "network.name": "wif-net",
 "network.packets": 76,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665911,
 "shorewall.time2": 881137,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 123
@@ -2203,18 +2203,18 @@
 "input.type": "log",
 "log.offset": 18744,
 "message": "May 20 06:27:25 myHost kernel: [5665916.048593] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19860 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ",
- "network.name": "lan-fw",
 "network.packets": 345,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665916,
 "shorewall.time2": 48593,
 "shorewall.ttl": 30,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.44",
 "source.mac": "ec:22:80:c0:b6:40",
 "source.port": 62976
@@ -2233,18 +2233,18 @@
 "input.type": "log",
 "log.offset": 18982,
 "message": "May 20 06:27:27 myHost kernel: [5665917.377574] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:62:a7:46:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8150 PROTO=TCP SPT=50375 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665917,
 "shorewall.time2": 377574,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:62:a7:46",
 "source.port": 50375
@@ -2263,18 +2263,18 @@
 "input.type": "log",
 "log.offset": 19240,
 "message": "May 20 06:27:27 myHost kernel: [5665917.611542] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=62481 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 64,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665917,
 "shorewall.time2": 611542,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 62481
@@ -2293,18 +2293,18 @@
 "input.type": "log",
 "log.offset": 19505,
 "message": "May 20 06:27:28 myHost kernel: [5665918.663884] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=6888 DF PROTO=TCP SPT=60527 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665918,
 "shorewall.time2": 663884,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 60527
@@ -2323,18 +2323,18 @@
 "input.type": "log",
 "log.offset": 19774,
 "message": "May 20 06:27:36 myHost kernel: [5665926.954899] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:3e:72:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13608 PROTO=TCP SPT=35543 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665926,
 "shorewall.time2": 954899,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:68:3e:72",
 "source.port": 35543
@@ -2353,18 +2353,18 @@
 "input.type": "log",
 "log.offset": 20033,
 "message": "May 20 06:27:41 myHost kernel: [5665931.409341] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=7064 DF PROTO=TCP SPT=60528 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ",
- "network.name": "wif-net",
 "network.packets": 52,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665931,
 "shorewall.time2": 409341,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 60528
@@ -2383,18 +2383,18 @@
 "input.type": "log",
 "log.offset": 20302,
 "message": "May 20 06:27:43 myHost kernel: [5665933.108273] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:44:d9:e7:68:30:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9781 PROTO=TCP SPT=60775 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665933,
 "shorewall.time2": 108273,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "44:d9:e7:68:30:1a",
 "source.port": 60775
@@ -2413,18 +2413,18 @@
 "input.type": "log",
 "log.offset": 20560,
 "message": "May 20 06:27:43 myHost kernel: [5665933.843105] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=15608 DF PROTO=UDP SPT=49618 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665933,
 "shorewall.time2": 843105,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 49618
@@ -2443,18 +2443,18 @@
 "input.type": "log",
 "log.offset": 20808,
 "message": "May 20 06:27:43 myHost kernel: [5665933.843134] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=386 TOS=0x00 PREC=0x00 TTL=127 ID=15609 DF PROTO=UDP SPT=49618 DPT=443 LEN=366 ",
- "network.name": "wif-net",
 "network.packets": 386,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665933,
 "shorewall.time2": 843134,
 "shorewall.ttl": 127,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "e4:b3:18:44:92:1a",
 "source.port": 49618
@@ -2473,18 +2473,18 @@
 "input.type": "log",
 "log.offset": 21054,
 "message": "May 20 06:27:50 myHost kernel: [5665940.288037] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=41776 PROTO=UDP SPT=63129 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665940,
 "shorewall.time2": 288037,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 63129
@@ -2503,18 +2503,18 @@
 "input.type": "log",
 "log.offset": 21298,
 "message": "May 20 06:27:50 myHost kernel: [5665940.391265] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=33504 PROTO=UDP SPT=58864 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665940,
 "shorewall.time2": 391265,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 58864
@@ -2533,18 +2533,18 @@
 "input.type": "log",
 "log.offset": 21542,
 "message": "May 20 06:27:50 myHost kernel: [5665940.421000] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:f4:0f:24:2f:71:df:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=1378 TOS=0x00 PREC=0x00 TTL=63 ID=24133 PROTO=UDP SPT=58864 DPT=443 LEN=1358 ",
- "network.name": "wif-net",
 "network.packets": 1378,
 "network.protocol": "UDP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "vlan1",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665940,
 "shorewall.time2": 421000,
 "shorewall.ttl": 63,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "wif-net",
 "source.ip": "1.2.3.4",
 "source.mac": "f4:0f:24:2f:71:df",
 "source.port": 58864
@@ -2563,18 +2563,18 @@
 "input.type": "log",
 "log.offset": 21786,
 "message": "May 20 06:27:50 myHost kernel: [5665940.444005] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:c9:bc:f0:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4667 PROTO=TCP SPT=60427 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ",
- "network.name": "lan-fw",
 "network.packets": 60,
 "network.protocol": "TCP",
 "service.type": "0x00",
- "shorewall.action.one": "ACCEPT",
- "shorewall.action.two": "IN",
 "shorewall.frame_type": "08:00",
 "shorewall.network.in": "eth2",
+ "shorewall.packet_action": "ACCEPT",
 "shorewall.precedence": "0x00",
 "shorewall.time1": 5665940,
 "shorewall.time2": 444005,
 "shorewall.ttl": 64,
+ "shorewall.zone.device": "IN",
+ "shorewall.zone.name": "lan-fw",
 "source.ip": "1.2.3.4",
 "source.mac": "80:2a:a8:c9:bc:f0",
 "source.port": 60427
@@ -2593,18 +2593,18 @@ "input.type": "log", "log.offset": 22045, "message": "May 20 06:27:53 myHost kernel: [5665943.272863] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=17727 DF PROTO=TCP SPT=1991 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", - "network.name": "net_dnat", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x02", - "shorewall.action.one": "DNAT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DNAT", "shorewall.precedence": "0x00", "shorewall.time1": 5665943, "shorewall.time2": 272863, "shorewall.ttl": 122, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net_dnat", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 1991 @@ -2623,18 +2623,18 @@ "input.type": "log", "log.offset": 22322, "message": "May 20 06:27:53 myHost kernel: [5665943.643038] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=27195 DF PROTO=TCP SPT=711 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", - "network.name": "net_dnat", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x02", - "shorewall.action.one": "DNAT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DNAT", "shorewall.precedence": "0x00", "shorewall.time1": 5665943, "shorewall.time2": 643038, "shorewall.ttl": 122, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net_dnat", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 711 
@@ -2653,18 +2653,18 @@ "input.type": "log", "log.offset": 22598, "message": "May 20 06:27:53 myHost kernel: [5665943.787828] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=19622 DF PROTO=TCP SPT=1372 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", - "network.name": "net_dnat", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x02", - "shorewall.action.one": "DNAT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DNAT", "shorewall.precedence": "0x00", "shorewall.time1": 5665943, "shorewall.time2": 787828, "shorewall.ttl": 122, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net_dnat", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 1372 @@ -2683,18 +2683,18 @@ "input.type": "log", "log.offset": 22875, "message": "May 20 06:27:54 myHost kernel: [5665944.317910] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=12474 DF PROTO=TCP SPT=60525 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0 ", - "network.name": "wif-net", "network.packets": 40, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "vlan1", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665944, "shorewall.time2": 317910, "shorewall.ttl": 127, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "wif-net", "source.ip": "1.2.3.4", "source.mac": "e4:b3:18:44:92:1a", "source.port": 60525 
@@ -2713,18 +2713,18 @@ "input.type": "log", "log.offset": 23145, "message": "May 20 06:27:54 myHost kernel: [5665944.345621] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=3098 DF PROTO=TCP SPT=60529 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", - "network.name": "wif-net", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "vlan1", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665944, "shorewall.time2": 345621, "shorewall.ttl": 127, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "wif-net", "source.ip": "1.2.3.4", "source.mac": "e4:b3:18:44:92:1a", "source.port": 60529 @@ -2743,18 +2743,18 @@ "input.type": "log", "log.offset": 23414, "message": "May 20 06:27:55 myHost kernel: [5665945.223595] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth3 MAC=68:05:ca:42:25:0c:c4:9f:4c:e8:c9:bc:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=37429 DF PROTO=TCP SPT=45640 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 ", - "network.name": "wif-net", "network.packets": 60, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "vlan1", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665945, "shorewall.time2": 223595, "shorewall.ttl": 63, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "wif-net", "source.ip": "1.2.3.4", "source.mac": "c4:9f:4c:e8:c9:bc", "source.port": 45640 
@@ -2773,18 +2773,18 @@ "input.type": "log", "log.offset": 23683, "message": "May 20 06:27:56 myHost kernel: [5665946.204223] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=ff:ff:ff:ff:ff:ff:ec:22:80:c0:b6:40:08:00 SRC=1.2.3.44 DST=1.2.3.4 LEN=345 TOS=0x00 PREC=0x00 TTL=30 ID=19862 PROTO=UDP SPT=62976 DPT=62976 LEN=325 ", - "network.name": "lan-fw", "network.packets": 345, "network.protocol": "UDP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth2", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665946, "shorewall.time2": 204223, "shorewall.ttl": 30, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "lan-fw", "source.ip": "1.2.3.44", "source.mac": "ec:22:80:c0:b6:40", "source.port": 62976 @@ -2803,18 +2803,18 @@ "input.type": "log", "log.offset": 23921, "message": "May 20 06:27:56 myHost kernel: [5665946.518251] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=23222 DF PROTO=TCP SPT=2017 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", - "network.name": "net_dnat", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x02", - "shorewall.action.one": "DNAT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DNAT", "shorewall.precedence": "0x00", "shorewall.time1": 5665946, "shorewall.time2": 518251, "shorewall.ttl": 122, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net_dnat", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 2017 
@@ -2833,18 +2833,18 @@ "input.type": "log", "log.offset": 24198, "message": "May 20 06:27:57 myHost kernel: [5665947.744034] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=25280 DF PROTO=TCP SPT=803 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", - "network.name": "net_dnat", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x02", - "shorewall.action.one": "DNAT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DNAT", "shorewall.precedence": "0x00", "shorewall.time1": 5665947, "shorewall.time2": 744034, "shorewall.ttl": 122, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net_dnat", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 803 @@ -2863,18 +2863,18 @@ "input.type": "log", "log.offset": 24474, "message": "May 20 06:27:57 myHost kernel: [5665948.054796] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=1220 DF PROTO=TCP SPT=2264 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", - "network.name": "net_dnat", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x02", - "shorewall.action.one": "DNAT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DNAT", "shorewall.precedence": "0x00", "shorewall.time1": 5665948, "shorewall.time2": 54796, "shorewall.ttl": 122, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net_dnat", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 2264 
@@ -2893,18 +2893,18 @@ "input.type": "log", "log.offset": 24750, "message": "May 20 06:27:58 myHost kernel: [5665949.033645] Shorewall:net_dnat:DNAT:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x02 PREC=0x00 TTL=122 ID=8559 DF PROTO=TCP SPT=2111 DPT=443 WINDOW=200 RES=0x00 CWR ECE SYN URGP=0 MARK=0x3 ", - "network.name": "net_dnat", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x02", - "shorewall.action.one": "DNAT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DNAT", "shorewall.precedence": "0x00", "shorewall.time1": 5665949, "shorewall.time2": 33645, "shorewall.ttl": 122, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net_dnat", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 2111 @@ -2923,18 +2923,18 @@ "input.type": "log", "log.offset": 25026, "message": "May 20 06:27:59 myHost kernel: [5665949.184901] Shorewall:lan-fw:ACCEPT:IN=eth2 OUT= MAC=68:05:ca:42:25:0c:80:2a:a8:50:b6:3d:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8880 PROTO=TCP SPT=39233 DPT=8080 WINDOW=14600 RES=0x00 SYN URGP=0 ", - "network.name": "lan-fw", "network.packets": 60, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth2", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665949, "shorewall.time2": 184901, "shorewall.ttl": 64, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "lan-fw", "source.ip": "1.2.3.4", "source.mac": "80:2a:a8:50:b6:3d", "source.port": 39233 
@@ -2953,18 +2953,18 @@ "input.type": "log", "log.offset": 25285, "message": "May 20 06:28:02 myHost kernel: [5665952.767539] Shorewall:wif-net:ACCEPT:IN=vlan1 OUT=eth5 MAC=68:05:ca:42:25:0c:e4:b3:18:44:92:1a:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=22426 DF PROTO=TCP SPT=60530 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 ", - "network.name": "wif-net", "network.packets": 52, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "ACCEPT", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "vlan1", + "shorewall.packet_action": "ACCEPT", "shorewall.precedence": "0x00", "shorewall.time1": 5665952, "shorewall.time2": 767539, "shorewall.ttl": 127, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "wif-net", "source.ip": "1.2.3.4", "source.mac": "e4:b3:18:44:92:1a", "source.port": 60530 @@ -2983,18 +2983,18 @@ "input.type": "log", "log.offset": 25555, "message": "May 20 06:28:06 myHost kernel: [5665956.741703] Shorewall:net-fw:DROP:IN=eth5 OUT= MAC=6c:b3:11:1b:d9:7a:28:c0:da:b7:eb:3e:08:00 SRC=1.2.3.4 DST=1.2.3.4 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=40105 PROTO=TCP SPT=43212 DPT=1081 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x3 ", - "network.name": "net-fw", "network.packets": 40, "network.protocol": "TCP", "service.type": "0x00", - "shorewall.action.one": "DROP", - "shorewall.action.two": "IN", "shorewall.frame_type": "08:00", "shorewall.network.in": "eth5", + "shorewall.packet_action": "DROP", "shorewall.precedence": "0x00", "shorewall.time1": 5665956, "shorewall.time2": 741703, "shorewall.ttl": 244, + "shorewall.zone.device": "IN", + "shorewall.zone.name": "net-fw", "source.ip": "1.2.3.4", "source.mac": "28:c0:da:b7:eb:3e", "source.port": 43212 From 146485daa82de766c20fe3ae7ccb6e386dd47c96 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20de=20la=20Pe=C3=B1a?=
Date: Tue, 21 May 2019 11:57:31 +0200
Subject: [PATCH 34/34] Set UTC timezone when configuring @timestamp
---
 x-pack/filebeat/module/shorewall/log/ingest/pipeline.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
index 58eade0bd6fe..a3fdd4c058c7 100644
--- a/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
+++ b/x-pack/filebeat/module/shorewall/log/ingest/pipeline.json
@@ -15,6 +15,7 @@
 "field": "timestamp",
 "target_field": "@timestamp",
 "formats": ["MMM dd HH:mm:ss"],
+ "timezone": "UTC",
 "ignore_failure": false
 }
 },
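Review bot: Hard-coding `"timezone": "UTC"` on the date processor assumes the syslog/kernel timestamp in `message` is written in UTC; on a host whose syslog runs in local time, `@timestamp` is shifted by the host offset, which mis-orders these firewall events against other sources during an investigation. Other Filebeat modules make this configurable by passing the host zone through the pipeline as `"timezone": "{{ event.timezone }}"`, driven by a `var.convert_timezone` setting and the `add_locale` processor, and that approach would fit here. The `formats` value `MMM dd HH:mm:ss` also carries no year, so the date processor has to assume one (the current year, as far as I recall), which mis-dates lines ingested just after a year boundary; since pipeline.json has no comment syntax, this limitation belongs in the module docs. The enclosing `processors` array starts and ends outside the hunk.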