[Filebeat] Add Shorewall module

filebeat/docs/fields.asciidoc

@@ -46,6 +46,7 @@ grouped in the following categories:
 * <<exported-fields-rabbitmq>>
 * <<exported-fields-redis>>
 * <<exported-fields-santa>>
+* <<exported-fields-shorewall>>
 * <<exported-fields-suricata>>
 * <<exported-fields-system>>
 * <<exported-fields-traefik>>
@@ -12484,6 +12485,148 @@ type: keyword
 
 Hash of process executable.
 
+--
+
+[[exported-fields-shorewall]]
+== shorewall fields
+
+Module for parsing Shorewall log files.
+
+
+
+[float]
+== shorewall fields
+
+Fields from Shorewall logs.
+
+
+
+[float]
+== network fields
+
+Shorewal log files
+
+
+
+*`shorewall.network.in`*::
++
+--
+type: keywork
+
+Name of the input network interface
+
+
+--
+
+*`shorewall.network.out`*::
++
+--
+type: keyword
+
+Name of the output network interface
+
+
+--
+
+[float]
+== action fields
+
+Shorewal network log files
+
+
+
+*`shorewall.action.one`*::
++
+--
+type: keywork
+
+Specifies the action to be taken if the connection request matches the rule. target must be one of the following values (ACCEPT, ACCEPT+, ACCEPT!, ADD, AUDIT, A_ACCEPT, A_ACCEPT+, A_ACCEPT!, A_DROP, A_DROP!, A_REJECT, A_REJECT!, ?COMMENT, CONMARK, CONTINUE, CONTINUE!, COUNT, DEL, DNAT, DNAT-, DROP, DROP!, HELPER, INLINE, IPTABLES, IP6TABLES, LOG, MACRO, MARK, NFLOG, NFQUEUE, NONAT, QUEUE, QUEUE!, REJECT, REJECT!, REDIRECT, REDIRECT-, TARPIT, ULOG. See http://shorewall.net/manpages/shorewall-rules.html
+
+
+--
+
+*`shorewall.action.two`*::
++
+--
+type: keyword
+
+Action two
+
+
+--
+
+*`shorewall.frame_type`*::
++
+--
+type: keyword
+
+This field is part of the MAC address in the log. It indicates whether the ethernet frame carried an IPv4 datagram or not.
+
+
+--
+
+*`shorewall.precedence`*::
++
+--
+type: keyword
+
+Type Of Service, and it's increasingly being replaced by DS and ECN.
+
+
+--
+
+*`shorewall.res`*::
++
+--
+type: keyword
+
+Reserved bits. The ECN flags "CWR" and "ECNE" will show up in the two least significant bits of this field.
+
+
+--
+
+*`shorewall.time1`*::
++
+--
+type: integer
+
+--
+
+*`shorewall.time2`*::
++
+--
+type: integer
+
+--
+
+*`shorewall.ttl`*::
++
+--
+type: integer
+
+The remaining Time To Live.
+
+
+--
+
+*`shorewall.urgp`*::
++
+--
+type: integer
+
+The Urgent Pointer allows for urgent, "out of band" data transfer. Unfortunately not all protocol implementations agree, so this facility is hardly ever used.
+
+
+--
+
+*`shorewall.window`*::
++
+--
+type: integer
+
+The TCP Receive Window size. This may be scaled by bit-shifting left by a number of bits specified in the "Window Scale" TCP option. If the host supports ECN, then the TCP Receive Window size will also be controlled by that.
+
+
 --
 
 [[exported-fields-suricata]]

filebeat/docs/modules/shorewall.asciidoc

@@ -0,0 +1,60 @@
+////
+This file is generated! See scripts/docs_collector.py
+////
+
+[[filebeat-module-shorewall]]
+:modulename: shorewall
+:has-dashboards: true
+
+== shorewall module
+
+This is the shorewall module.
+
+include::../include/what-happens.asciidoc[]
+
+[float]
+=== Compatibility
+
+TODO: document with what versions of the software is this tested
+
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+TODO: include an image of a sample dashboard. If you do not include a dashboard,
+remove this section and set `:has-dashboards: false` at the top of this file.
+
+include::../include/configuring-intro.asciidoc[]
+
+TODO: provide an example configuration
+
+:fileset_ex: {fileset}
+
+include::../include/config-option-intro.asciidoc[]
+
+TODO: document the variables from each fileset. If you're describing a variable
+that's common to other modules, you can reuse shared descriptions by including
+the relevant file. For example:
+
+[float]
+==== `{fileset}` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:
+
+
+[float]
+=== Fields
+
+For a description of each field in the module, see the
+<<exported-fields-shorewall,exported fields>> section.
+

filebeat/docs/modules_list.asciidoc

@@ -27,6 +27,7 @@ This file is generated! See scripts/docs_collector.py
   * <<filebeat-module-rabbitmq>>
   * <<filebeat-module-redis>>
   * <<filebeat-module-santa>>
+  * <<filebeat-module-shorewall>>
   * <<filebeat-module-suricata>>
   * <<filebeat-module-system>>
   * <<filebeat-module-traefik>>
@@ -60,6 +61,7 @@ include::modules/postgresql.asciidoc[]
 include::modules/rabbitmq.asciidoc[]
 include::modules/redis.asciidoc[]
 include::modules/santa.asciidoc[]
+include::modules/shorewall.asciidoc[]
 include::modules/suricata.asciidoc[]
 include::modules/system.asciidoc[]
 include::modules/traefik.asciidoc[]

x-pack/filebeat/filebeat.reference.yml

@@ -470,6 +470,16 @@ filebeat.modules:
     # Filebeat will choose the the default path.
     #var.paths:
 
+#------------------------------ Shorewall Module ------------------------------
+- module: shorewall
+  # All logs
+  {fileset}:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
+
 #------------------------------- Suricata Module -------------------------------
 - module: suricata
   # All logs

x-pack/filebeat/module/shorewall/_meta/config.yml

@@ -0,0 +1,8 @@
+- module: shorewall
+  # All logs
+  {fileset}:
+    enabled: true
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:

x-pack/filebeat/module/shorewall/_meta/docs.asciidoc

@@ -0,0 +1,47 @@
+:modulename: shorewall
+:has-dashboards: true
+
+== shorewall module
+
+This is the shorewall module.
+
+include::../include/what-happens.asciidoc[]
+
+[float]
+=== Compatibility
+
+TODO: document with what versions of the software is this tested
+
+
+include::../include/running-modules.asciidoc[]
+
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+TODO: include an image of a sample dashboard. If you do not include a dashboard,
+remove this section and set `:has-dashboards: false` at the top of this file.
+
+include::../include/configuring-intro.asciidoc[]
+
+TODO: provide an example configuration
+
+:fileset_ex: {fileset}
+
+include::../include/config-option-intro.asciidoc[]
+
+TODO: document the variables from each fileset. If you're describing a variable
+that's common to other modules, you can reuse shared descriptions by including
+the relevant file. For example:
+
+[float]
+==== `{fileset}` log fileset settings
+
+include::../include/var-paths.asciidoc[]
+
+:has-dashboards!:
+
+:fileset_ex!:
+
+:modulename!:

x-pack/filebeat/module/shorewall/_meta/fields.yml

@@ -0,0 +1,81 @@
+- key: shorewall
+  title: "shorewall"
+  description: >
+    Module for parsing Shorewall log files.
+  fields:
+    - name: shorewall
+      type: group
+      description: >
+        Fields from Shorewall logs.
+      fields:
+        - name: network
+          type: group
+          description: >
+            Shorewal log files
+          fields:
+            - name: in
+              type: keywork
+              description: >
+                Name of the input network interface
+            - name: out
+              type: keyword
+              description: >
+                Name of the output network interface
+        - name: frame_type
+          type: keyword
+          description: >
+            This field is part of the MAC address in the log. It indicates whether
+            the ethernet frame carried an IPv4 datagram or not.
+        - name: packet_action
+          type: keywork
+          description: >
+            Specifies the action to be taken if the connection request matches
+            the rule. target must be one of the following values (ACCEPT, ACCEPT+,
+            ACCEPT!, ADD, AUDIT, A_ACCEPT, A_ACCEPT+, A_ACCEPT!, A_DROP, A_DROP!,
+            A_REJECT, A_REJECT!, ?COMMENT, CONMARK, CONTINUE, CONTINUE!, COUNT, DEL,
+            DNAT, DNAT-, DROP, DROP!, HELPER, INLINE, IPTABLES, IP6TABLES, LOG, MACRO,
+            MARK, NFLOG, NFQUEUE, NONAT, QUEUE, QUEUE!, REJECT, REJECT!, REDIRECT,
+            REDIRECT-, TARPIT, ULOG. See http://shorewall.net/manpages/shorewall-rules.html
+        - name: precedence
+          type: keyword
+          description: >
+            Type Of Service, and it's increasingly being replaced by DS and ECN.
+        - name: res
+          type: keyword
+          description: >
+            Reserved bits. The ECN flags "CWR" and "ECNE" will show up in the two
+            least significant bits of this field.
+        - name: time1
+          type: integer
+        - name: time2
+          type: integer
+        - name: ttl
+          type: integer
+          description: >
+            The remaining Time To Live.
+        - name: urgp
+          type: integer
+          description: >
+            The Urgent Pointer allows for urgent, "out of band" data transfer.
+            Unfortunately not all protocol implementations agree, so this facility
+            is hardly ever used.
+        - name: window
+          type: integer
+          description: >
+            The TCP Receive Window size. This may be scaled by bit-shifting left
+            by a number of bits specified in the "Window Scale" TCP option.
+            If the host supports ECN, then the TCP Receive Window size will also
+            be controlled by that.
+        - name: zone
+          type: group
+          description: >
+            Shorewal Zone fields
+          fields:
+            - name: device
+              type: keyword
+              description: >
+                Name of the device for the zone
+            - name: name
+              type: keywork
+              description: >
+                Name of the zone