From 80b2c666b63b79fe0bb506a5143c8c820c5c8c5d Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Mon, 10 Jan 2022 11:49:08 +0100
Subject: [PATCH 1/4] System tests: Keep `@timestamp` in documents

This restores the `@timestamp` field in Filebeat's module tests, so that it is properly validated.
---
 filebeat/tests/system/test_modules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index 83769d83d1d..96aed80cf15 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -299,7 +299,7 @@ def clean_keys(obj):
 host_keys.append("host.name")
 # The create timestamps area always new
- time_keys = ["event.created", "event.ingested", "@timestamp"]
+ time_keys = ["event.created", "event.ingested"]
 # source path and agent.version can be different for each run
 other_keys = ["log.file.path", "agent.version"]
 # ECS versions change for any ECS release, large or small
From bcd31853901dd25b321e84d044729129fcc06f96 Mon Sep 17 00:00:00 2001
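Review bot: With `@timestamp` no longer in `time_keys`, every module golden file now depends on the timestamp each pipeline emits, so a module whose test log has no parseable timestamp (where the field would fall back to ingest time) yields a non-reproducible `@timestamp` and a flaky comparison, and nothing at this line records that requirement. The uniform `-02:00` offsets in the regenerated fixtures suggest the harness already pins a fixed timezone, but that is inferred rather than visible in this hunk. I would document the assumption next to the list: `# @timestamp is deliberately compared: it must be parsed from the log line (in the test's fixed timezone), never taken from ingest time, or the golden file is not reproducible`. Keeping the field under test is worthwhile, since timestamp-parsing errors (wrong year or timezone) otherwise go undetected and silently skew event ordering and time-window correlation downstream. `clean_keys` starts and ends outside this hunk.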
From: Adrian Serrano Date: Mon, 10 Jan 2022 11:50:00 +0100 Subject: [PATCH 2/4] Re-generate all Filebeat modules --- .../error/test/sublevel.log-expected.json | 2 +- .../cisco/asa/test/asa.log-expected.json | 100 ++++++++++++++++++ .../asa/test/hostnames.log-expected.json | 2 + .../cisco/asa/test/not-ip.log-expected.json | 3 + .../cisco/asa/test/sample.log-expected.json | 87 +++++++++++++++ ...lear_users_history_start.log-expected.json | 2 +- ..._clear_users_history_end.log-expected.json | 2 +- ...tor_dr_replication_start.log-expected.json | 2 +- ...nitor_dr_replication_end.log-expected.json | 2 +- ...7_monitor_fw_rules_start.log-expected.json | 2 +- ...358_monitor_fw_rules_end.log-expected.json | 2 +- ...ault_certificate_is_sha1.log-expected.json | 2 +- .../59_clear_safe_history.log-expected.json | 2 +- .../test/88_set_password.log-expected.json | 2 +- .../audit/test/legacysyslog.log-expected.json | 2 +- .../test/AMQERR01_QM1.log-expected.json | 46 ++++---- .../xg/test/anti-spam.log-expected.json | 11 ++ .../xg/test/anti-virus.log-expected.json | 8 ++ .../sophos/xg/test/atp.log-expected.json | 4 + .../sophos/xg/test/cfilter.log-expected.json | 9 ++ .../sophos/xg/test/event.log-expected.json | 19 ++++ .../sophos/xg/test/firewall.log-expected.json | 22 ++++ .../sophos/xg/test/idp.log-expected.json | 5 + .../sophos/xg/test/sandbox.log-expected.json | 6 ++ .../xg/test/system-health.log-expected.json | 5 + .../sophos/xg/test/waf.log-expected.json | 5 + .../sophos/xg/test/wifi.log-expected.json | 2 + 27 files changed, 322 insertions(+), 34 deletions(-) diff --git a/filebeat/module/apache/error/test/sublevel.log-expected.json b/filebeat/module/apache/error/test/sublevel.log-expected.json index 26ad0e27538..43ed49a67c5 100644 --- a/filebeat/module/apache/error/test/sublevel.log-expected.json +++ b/filebeat/module/apache/error/test/sublevel.log-expected.json @@ -18,4 +18,4 @@ "process.thread.id": 140413273032448, "service.type": "apache" } -] +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index ebd653dfbc0..81c80ebf991 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -54,6 +55,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11757", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -114,6 +116,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11749", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -175,6 +178,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11748", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -236,6 +240,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11745", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -297,6 +302,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11744", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -358,6 +364,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11742", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -419,6 +426,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11738", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", 
@@ -480,6 +488,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11739", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -541,6 +550,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11731", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -602,6 +612,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11723", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -663,6 +674,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11715", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -724,6 +736,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11711", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -785,6 +798,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11712", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -846,6 +860,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11708", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -907,6 +922,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11746", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -968,6 +984,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11706", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -1029,6 +1046,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11702", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", 
@@ -1090,6 +1108,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11753", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -1151,6 +1170,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -1205,6 +1225,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11758", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1265,6 +1286,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11758", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -1325,6 +1347,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11759", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1385,6 +1408,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11759", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -1445,6 +1469,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -1499,6 +1524,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11760", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1559,6 +1585,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", 
@@ -1613,6 +1640,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11761", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1673,6 +1701,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11762", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1733,6 +1762,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11763", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -1793,6 +1823,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11762", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -1853,6 +1884,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11763", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -1913,6 +1945,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -1967,6 +2000,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11764", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2027,6 +2061,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -2081,6 +2116,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11772", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", 
@@ -2141,6 +2177,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11773", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2201,6 +2238,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11772", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2261,6 +2299,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11773", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2321,6 +2360,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -2375,6 +2415,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11774", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2435,6 +2476,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11775", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2495,6 +2537,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11776", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2555,6 +2598,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11775", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2615,6 +2659,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11776", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", 
@@ -2675,6 +2720,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -2729,6 +2775,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11777", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2789,6 +2836,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11777", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -2850,6 +2898,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11779", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -2910,6 +2959,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11778", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2970,6 +3020,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11779", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -3030,6 +3081,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3084,6 +3136,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11780", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3144,6 +3197,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", 
@@ -3198,6 +3252,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11781", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3258,6 +3313,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3312,6 +3368,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11782", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3372,6 +3429,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11783", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3432,6 +3490,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11783", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -3492,6 +3551,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3546,6 +3606,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11784", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3606,6 +3667,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3660,6 +3722,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11785", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", 
@@ -3720,6 +3783,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11786", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3780,6 +3844,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11784", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -3841,6 +3906,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -3895,6 +3961,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11787", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -3955,6 +4022,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11786", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -4015,6 +4083,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -4069,6 +4138,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11788", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -4129,6 +4199,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4187,6 +4258,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", 
@@ -4241,6 +4313,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11797", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.156.80", @@ -4301,6 +4374,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4359,6 +4433,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4417,6 +4492,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4475,6 +4551,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4533,6 +4610,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4591,6 +4669,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "inside", @@ -4649,6 +4728,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11564", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -4710,6 +4790,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11797", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302014", @@ -4771,6 +4852,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", 
@@ -4825,6 +4907,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11798", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.156.80", @@ -4885,6 +4968,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -4942,6 +5026,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -4999,6 +5084,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5056,6 +5142,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5113,6 +5200,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5170,6 +5258,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5227,6 +5316,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5284,6 +5374,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5341,6 +5432,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", 
@@ -5398,6 +5490,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5455,6 +5548,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5512,6 +5606,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5569,6 +5664,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "inbound", @@ -5626,6 +5722,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -5680,6 +5777,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11799", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", @@ -5740,6 +5838,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -5794,6 +5893,7 @@ ] }, { + "@timestamp": "2018-10-10T12:34:56.000-02:00", "cisco.asa.connection_id": "11800", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "172.31.98.44", diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 598cd963c84..e959ed69145 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json 
@@ -1,5 +1,6 @@ [ { + "@timestamp": "2019-10-10T10:21:36.000-02:00", "cisco.asa.mapped_source_ip": "10.0.55.66", "cisco.asa.message_id": "302021", "destination.domain": "target.destination.hostname.local", @@ -47,6 +48,7 @@ ] }, { + "@timestamp": "2011-06-04T21:59:52.000-02:00", "cisco.asa.icmp_code": 0, "cisco.asa.icmp_type": 8, "cisco.asa.mapped_source_ip": "192.0.2.134", diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 2301c80480a..09357b0121b 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2019-10-04T15:27:55.000-02:00", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "AL-DMZ-LB-IN", @@ -52,6 +53,7 @@ ] }, { + "@timestamp": "2020-01-01T10:42:53.000-02:00", "cisco.asa.mapped_source_host": "mydomain.example.net", "cisco.asa.message_id": "302021", "destination.address": "172.24.177.29", @@ -100,6 +102,7 @@ ] }, { + "@timestamp": "2020-01-02T11:33:20.000-02:00", "cisco.asa.destination_interface": "wan", "cisco.asa.mapped_destination_host": "www.example.org", "cisco.asa.mapped_destination_port": 80, diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 70dc3befff2..65608c192ee 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2013-04-15T09:36:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "acl_dmz", @@ -50,6 +51,7 @@ ] }, { + "@timestamp": "2013-04-15T09:36:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "acl_dmz", 
@@ -100,6 +102,7 @@ ] }, { + "@timestamp": "2014-04-15T11:34:34.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -151,6 +154,7 @@ ] }, { + "@timestamp": "2013-04-24T16:00:28.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "inside", @@ -206,6 +210,7 @@ ] }, { + "@timestamp": "2013-04-24T16:00:27.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "inside", @@ -261,6 +266,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "outside", @@ -308,6 +314,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743274", "cisco.asa.destination_interface": "outside", "cisco.asa.mapped_destination_ip": "10.123.3.42", @@ -362,6 +369,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "outside", @@ -409,6 +417,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743275", "cisco.asa.destination_interface": "outside", "cisco.asa.mapped_destination_ip": "10.123.1.35", @@ -465,6 +474,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "outside", @@ -512,6 +522,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743276", "cisco.asa.destination_interface": "outside", "cisco.asa.mapped_destination_ip": "10.123.3.130", @@ -568,6 +579,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743275", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", 
@@ -621,6 +633,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "666", "cisco.asa.destination_interface": "inside", "cisco.asa.destination_username": "user2", @@ -683,6 +696,7 @@ "user.name": "user2" }, { + "@timestamp": "2011-06-04T21:59:52.000-02:00", "cisco.asa.mapped_source_ip": "192.168.132.46", "cisco.asa.message_id": "302021", "destination.address": "172.24.177.29", @@ -731,6 +745,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "305011", "cisco.asa.source_interface": "inside", @@ -778,6 +793,7 @@ ] }, { + "@timestamp": "2013-04-29T12:59:50.000-02:00", "cisco.asa.connection_id": "89743277", "cisco.asa.destination_interface": "inside", "cisco.asa.mapped_destination_ip": "10.0.0.130", @@ -834,6 +850,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:33.000-02:00", "cisco.asa.message_id": "106007", "destination.address": "10.1.2.60", "destination.ip": "10.1.2.60", @@ -881,6 +898,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:38.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -931,6 +949,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:38.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -981,6 +1000,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:39.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1031,6 +1051,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:39.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1081,6 +1102,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:39.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", 
@@ -1131,6 +1153,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:40.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1181,6 +1204,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:41.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1231,6 +1255,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:47.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1281,6 +1306,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:48.000-02:00", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1331,6 +1357,7 @@ ] }, { + "@timestamp": "2013-04-30T09:22:56.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1381,6 +1408,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:02.000-02:00", "cisco.asa.message_id": "106006", "cisco.asa.source_interface": "inside", "destination.address": "10.1.2.42", @@ -1429,6 +1457,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:03.000-02:00", "cisco.asa.message_id": "106007", "destination.address": "10.1.5.60", "destination.ip": "10.1.5.60", @@ -1476,6 +1505,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:06.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1526,6 +1556,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:08.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1576,6 +1607,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:15.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", 
@@ -1626,6 +1658,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:24.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1676,6 +1709,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:34.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1726,6 +1760,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:40.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "acl_out", @@ -1776,6 +1811,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:41.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "acl_out", @@ -1826,6 +1862,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:43.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1876,6 +1913,7 @@ ] }, { + "@timestamp": "2013-04-30T09:23:43.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1926,6 +1964,7 @@ ] }, { + "@timestamp": "2018-04-15T11:34:34.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106100", "cisco.asa.rule_name": "acl_in", @@ -1977,6 +2016,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.asa.connection_id": "447235", "cisco.asa.destination_interface": "identity", "cisco.asa.mapped_destination_ip": "10.0.13.13", @@ -2031,6 +2071,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "dmz", @@ -2082,6 +2123,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:24.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "dmz", 
@@ -2133,6 +2175,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.asa.connection_id": "447236", "cisco.asa.destination_interface": "dmz", "cisco.asa.mapped_destination_host": "OCSP_Server", @@ -2188,6 +2231,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.asa.connection_id": "447236", "cisco.asa.destination_interface": "dmz", "cisco.asa.mapped_destination_host": "OCSP_Server", @@ -2243,6 +2287,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:31.000-02:00", "cisco.asa.connection_id": "447236", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "302014", @@ -2298,6 +2343,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.asa.connection_id": "447234", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "302014", @@ -2353,6 +2399,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.asa.connection_id": "447234", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "302014", @@ -2408,6 +2455,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.asa.message_id": "106015", "cisco.asa.source_interface": "outside", "destination.address": "192.168.1.34", @@ -2456,6 +2504,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:38.000-02:00", "cisco.asa.message_id": "106015", "cisco.asa.source_interface": "outside", "destination.address": "192.168.1.34", @@ -2504,6 +2553,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:39.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "dmz", @@ -2555,6 +2605,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.asa.connection_id": "447237", "cisco.asa.destination_interface": "dmz", "cisco.asa.mapped_destination_ip": "192.168.1.34", @@ -2609,6 +2660,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.asa.connection_id": "447237", "cisco.asa.destination_interface": "dmz", "cisco.asa.mapped_destination_ip": "192.168.1.34", 
@@ -2663,6 +2715,7 @@ ] }, { + "@timestamp": "2018-12-11T08:01:53.000-02:00", "cisco.asa.connection_id": "447237", "cisco.asa.destination_interface": "dmz", "cisco.asa.message_id": "302014", @@ -2718,6 +2771,7 @@ ] }, { + "@timestamp": "2012-08-15T23:30:09.000-02:00", "cisco.asa.connection_id": "40", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "302016", @@ -2771,6 +2825,7 @@ ] }, { + "@timestamp": "2014-09-12T06:50:53.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.47", @@ -2818,6 +2873,7 @@ ] }, { + "@timestamp": "2014-09-12T06:51:01.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.57", @@ -2865,6 +2921,7 @@ ] }, { + "@timestamp": "2014-09-12T06:51:05.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.47", @@ -2912,6 +2969,7 @@ ] }, { + "@timestamp": "2014-09-12T06:51:05.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.47", @@ -2959,6 +3017,7 @@ ] }, { + "@timestamp": "2014-09-12T06:51:06.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.57", @@ -3006,6 +3065,7 @@ ] }, { + "@timestamp": "2014-09-12T06:51:17.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.88.99.57", @@ -3053,6 +3113,7 @@ ] }, { + "@timestamp": "2014-09-12T06:52:48.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.168.1.255", @@ -3100,6 +3161,7 @@ ] }, { + "@timestamp": "2014-09-12T06:53:00.000-02:00", "cisco.asa.message_id": "106016", "cisco.asa.source_interface": "Mobile_Traffic", "destination.address": "192.168.1.255", 
@@ -3147,6 +3209,7 @@ ] }, { + "@timestamp": "2014-09-12T06:53:01.000-02:00", "cisco.asa.destination_interface": "inside", "cisco.asa.message_id": "106023", "cisco.asa.rule_name": "PERMIT_IN", @@ -3202,6 +3265,7 @@ ] }, { + "@timestamp": "2014-09-12T06:53:02.000-02:00", "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, "cisco.asa.message_id": "313001", @@ -3250,6 +3314,7 @@ ] }, { + "@timestamp": "2015-01-14T13:16:13.000-02:00", "cisco.asa.icmp_type": 0, "cisco.asa.message_id": "313004", "cisco.asa.source_interface": "inside", @@ -3296,6 +3361,7 @@ ] }, { + "@timestamp": "2015-01-14T13:16:14.000-02:00", "cisco.asa.destination_interface": "outside", "cisco.asa.mapped_destination_ip": "192.88.99.129", "cisco.asa.mapped_destination_port": 80, @@ -3358,6 +3424,7 @@ ] }, { + "@timestamp": "2015-01-14T13:16:14.000-02:00", "cisco.asa.destination_interface": "outsidet", "cisco.asa.mapped_destination_ip": "192.0.2.223", "cisco.asa.mapped_destination_port": 80, @@ -3415,6 +3482,7 @@ ] }, { + "@timestamp": "2015-01-14T13:16:14.000-02:00", "cisco.asa.destination_interface": "outsidet", "cisco.asa.mapped_destination_ip": "192.0.2.223", "cisco.asa.mapped_destination_port": 80, @@ -3473,6 +3541,7 @@ ] }, { + "@timestamp": "2009-11-16T14:12:35.000-02:00", "cisco.asa.message_id": "304001", "destination.address": "192.0.2.1", "destination.ip": "192.0.2.1", @@ -3515,6 +3584,7 @@ "url.path": "/app" }, { + "@timestamp": "2009-11-16T14:12:36.000-02:00", "cisco.asa.message_id": "304001", "destination.address": "192.0.2.32", "destination.ip": "192.0.2.32", @@ -3559,6 +3629,7 @@ "url.scheme": "http" }, { + "@timestamp": "2009-11-16T14:12:37.000-02:00", "cisco.asa.message_id": "304002", "cisco.asa.source_interface": "inside", "destination.address": "192.0.0.19", 
@@ -3606,6 +3677,7 @@ "url.scheme": "http" }, { + "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.connection_id": "27215708", "cisco.asa.destination_interface": "vlan-42", "cisco.asa.mapped_destination_ip": "81.2.69.143", @@ -3674,6 +3746,7 @@ ] }, { + "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.message_id": "304001", "destination.address": "172.17.6.211", "destination.ip": "172.17.6.211", @@ -3723,6 +3796,7 @@ "url.scheme": "http" }, { + "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.connection_id": "195207391", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.mapped_destination_ip": "89.160.20.156", @@ -3797,6 +3871,7 @@ ] }, { + "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.connection_id": "195207391", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.mapped_destination_ip": "89.160.20.156", @@ -3875,6 +3950,7 @@ ] }, { + "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.destination_username": "LOCAL\\USER001", "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, @@ -3939,6 +4015,7 @@ "user.name": "USER001" }, { + "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.destination_username": "LOCAL\\user@domain.tld", "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, @@ -4008,6 +4085,7 @@ "user.name": "user@domain.tld" }, { + "@timestamp": "2021-01-13T19:12:37.000-02:00", "cisco.asa.destination_username": "AD\\USER002", "cisco.asa.icmp_code": 3, "cisco.asa.icmp_type": 3, @@ -4076,6 +4154,7 @@ "user.name": "USER002" }, { + "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "OUTSIDE", @@ -4134,6 +4213,7 @@ ] }, { + "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.icmp_code": 0, "cisco.asa.icmp_type": 134, "cisco.asa.mapped_source_ip": "fe80::2205:baff:fe9d:f637", 
@@ -4179,6 +4259,7 @@ ] }, { + "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "251933191", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.mapped_destination_ip": "2a03:2880:f253:cb:face:b00c:0:43fe", @@ -4233,6 +4314,7 @@ ] }, { + "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.message_id": "305012", "cisco.asa.source_interface": "OUTSIDE", @@ -4303,6 +4385,7 @@ ] }, { + "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "261246338", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.message_id": "302014", @@ -4378,6 +4461,7 @@ ] }, { + "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "261311655", "cisco.asa.destination_interface": "INSIDE", "cisco.asa.mapped_destination_ip": "192.168.0.1", @@ -4453,6 +4537,7 @@ ] }, { + "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "261311655", "cisco.asa.destination_interface": "INSIDE", "cisco.asa.message_id": "302016", @@ -4526,6 +4611,7 @@ ] }, { + "@timestamp": "2021-01-15T19:12:37.000-02:00", "cisco.asa.connection_id": "261246338", "cisco.asa.destination_interface": "OUTSIDE", "cisco.asa.mapped_destination_ip": "40.0.0.1", @@ -4601,6 +4687,7 @@ ] }, { + "@timestamp": "2021-07-29T08:35:29.000-02:00", "cisco.asa.message_id": "602304", "cisco.asa.tunnel_type": "LAN-to-LAN", "destination.address": "81.2.69.1452", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json index 0ed48dfb9c0..9cae2c6ba1e 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/288_auto_clear_users_history_start.log-expected.json 
@@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2021-03-08T03:00:20.000-02:00", + "@timestamp": "2022-03-08T03:00:20.000-02:00", "cyberarkpas.audit.action": "Auto Clear Users History start", "cyberarkpas.audit.desc": "Auto Clear Users History start", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json index 4476ba0f803..072d75b33f8 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/289_auto_clear_users_history_end.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2021-03-08T03:00:20.000-02:00", + "@timestamp": "2022-03-08T03:00:20.000-02:00", "cyberarkpas.audit.action": "Auto Clear Users History end", "cyberarkpas.audit.desc": "Auto Clear Users History end", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json index 5b958288c53..d5a9961da30 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/310_monitor_dr_replication_start.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2021-03-08T02:48:07.000-02:00", + "@timestamp": "2022-03-08T02:48:07.000-02:00", "cyberarkpas.audit.action": "Monitor DR Replication start", "cyberarkpas.audit.desc": "Monitor DR Replication start", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json index e4999439bea..696e2ea2302 100644 
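Review bot: The only change in this hunk is the year of `@timestamp` moving from 2021 to 2022 while the date and time of day stay identical, and the same one-year shift appears in the 289, 310, 311, 357, 358, 479, 59, 88 and legacysyslog fixtures that follow. That pattern looks like a syslog-style timestamp with no year that the parser completes with the current year, which means these expected values will drift again at the next year boundary and the module tests will fail then. If that reading is right, it would be better to pin the reference year in the test harness or in the pipeline's date handling than to re-baseline the fixtures annually.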
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/311_monitor_dr_replication_end.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2021-03-08T02:48:07.000-02:00", + "@timestamp": "2022-03-08T02:48:07.000-02:00", "cyberarkpas.audit.action": "Monitor DR Replication end", "cyberarkpas.audit.desc": "Monitor DR Replication end", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json index a3b04bd34cf..e04dc95c4b5 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/357_monitor_fw_rules_start.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2021-03-08T02:32:56.000-02:00", + "@timestamp": "2022-03-08T02:32:56.000-02:00", "cyberarkpas.audit.action": "Monitor FW rules start", "cyberarkpas.audit.desc": "Monitor FW rules start", "cyberarkpas.audit.issuer": "Batch", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json index a5af60dcea0..97fcd7a22e8 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/358_monitor_fw_rules_end.log-expected.json @@ -38,7 +38,7 @@ ] }, { - "@timestamp": "2021-03-08T02:32:56.000-02:00", + "@timestamp": "2022-03-08T02:32:56.000-02:00", "cyberarkpas.audit.action": "Monitor FW Rules end", "cyberarkpas.audit.desc": "Monitor FW Rules end", "cyberarkpas.audit.issuer": "Batch", 
diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json index e127969e7f2..78fd1127daf 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/479_security_warning_the_signature_hash_algorithm_of_the_vault_certificate_is_sha1.log-expected.json @@ -39,7 +39,7 @@ ] }, { - "@timestamp": "2021-03-08T07:46:54.000-02:00", + "@timestamp": "2022-03-08T07:46:54.000-02:00", "cyberarkpas.audit.action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", "cyberarkpas.audit.desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", "cyberarkpas.audit.issuer": "Builtin", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json index 21d71f71183..65619e9c9d1 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/59_clear_safe_history.log-expected.json @@ -39,7 +39,7 @@ ] }, { - "@timestamp": "2021-03-08T03:10:31.000-02:00", + "@timestamp": "2022-03-08T03:10:31.000-02:00", "cyberarkpas.audit.action": "Clear Safe History", "cyberarkpas.audit.desc": "Clear Safe History", "cyberarkpas.audit.issuer": "PasswordManager", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json index bbc572cd230..60c6a59eca3 100644 
--- a/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/88_set_password.log-expected.json @@ -76,7 +76,7 @@ ] }, { - "@timestamp": "2021-03-08T02:54:46.000-02:00", + "@timestamp": "2022-03-08T02:54:46.000-02:00", "cyberarkpas.audit.action": "Set Password", "cyberarkpas.audit.desc": "Set Password", "cyberarkpas.audit.issuer": "PVWAGWUser", diff --git a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json index 14b87c8867c..b71d3ab351e 100644 --- a/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json +++ b/x-pack/filebeat/module/cyberarkpas/audit/test/legacysyslog.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2021-03-08T03:41:01.000-02:00", + "@timestamp": "2022-03-08T03:41:01.000-02:00", "cyberarkpas.audit.action": "Retrieve File", "cyberarkpas.audit.desc": "Retrieve File", "cyberarkpas.audit.file": "Root\\Policies\\Policy-BusinessWebsite.ini", diff --git a/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01_QM1.log-expected.json b/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01_QM1.log-expected.json index 78b92a4d5fd..3f14245d2a3 100644 --- a/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01_QM1.log-expected.json +++ b/x-pack/filebeat/module/ibmmq/errorlog/test/AMQERR01_QM1.log-expected.json @@ -1,6 +1,6 @@ [ { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.012Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -33,7 +33,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.012Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", 
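Review bot: The replacement `@timestamp` values in the ibmmq errorlog hunks here and on the following lines (`2022-01-10T10:25:59.012Z` advancing to `.014Z`) increase by a millisecond across consecutive events and bear no relation to the old values in the same positions, which looks like wall-clock time captured at regeneration rather than a time parsed from the log lines. If so, the pipeline is leaving `@timestamp` at ingest time, so with the field validated again this fixture will differ on every regeneration, and indexed events would carry ingest time instead of event time, which undermines any timeline built from them. Worth confirming whether the pipeline should map the log's own date into `@timestamp` (leaving `event.created`/`event.ingested` for ingest time) before this fixture is accepted.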
@@ -66,7 +66,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.012Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -99,7 +99,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.012Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -132,7 +132,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.012Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -165,7 +165,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.012Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -198,7 +198,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.012Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -231,7 +231,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -264,7 +264,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -297,7 +297,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -330,7 +330,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", 
@@ -363,7 +363,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -396,7 +396,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.788Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -429,7 +429,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -462,7 +462,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -495,7 +495,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -528,7 +528,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -561,7 +561,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.013Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -594,7 +594,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.014Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -627,7 +627,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.014Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", 
@@ -660,7 +660,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.014Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -693,7 +693,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.014Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", @@ -726,7 +726,7 @@ "user.name": "felix" }, { - "@timestamp": "2021-12-03T15:44:37.789Z", + "@timestamp": "2022-01-10T10:25:59.014Z", "event.dataset": "ibmmq.errorlog", "event.kind": "event", "event.module": "ibmmq", diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json index 3a12b85cdc7..d01fd9f6f6a 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-spam.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2020-05-18T14:38:48.000-02:00", "client.bytes": 0, "client.port": 0, "destination.bytes": 0, @@ -62,6 +63,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:49.000-02:00", "client.bytes": 0, "client.ip": "89.160.20.156", "client.port": 52742, @@ -140,6 +142,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:50.000-02:00", "client.bytes": 0, "client.ip": "67.43.156.12", "client.port": 51789, @@ -216,6 +219,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:51.000-02:00", "client.bytes": 0, "client.ip": "67.43.156.14", "client.port": 55002, @@ -292,6 +296,7 @@ ] }, { + "@timestamp": "2017-01-31T18:34:41.000-02:00", "client.bytes": 0, "client.ip": "10.198.47.71", "client.port": 22420, @@ -362,6 +367,7 @@ ] }, { + "@timestamp": "2018-06-06T11:10:11.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 58043, @@ -432,6 +438,7 @@ ] }, { + "@timestamp": "2018-06-06T12:50:07.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 60134, 
@@ -502,6 +509,7 @@ ] }, { + "@timestamp": "2018-06-06T12:51:34.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 60298, @@ -570,6 +578,7 @@ ] }, { + "@timestamp": "2018-06-06T12:53:39.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 60392, @@ -635,6 +644,7 @@ ] }, { + "@timestamp": "2018-06-06T12:56:53.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 60608, @@ -704,6 +714,7 @@ ] }, { + "@timestamp": "2017-01-31T18:31:11.000-02:00", "client.bytes": 0, "client.ip": "10.198.47.71", "client.port": 22333, diff --git a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json index e21ac56d23d..ffbbcf87eb7 100644 --- a/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/anti-virus.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2020-05-18T14:38:33.000-02:00", "client.bytes": 550, "client.ip": "172.16.34.24", "client.port": 57695, @@ -73,6 +74,7 @@ "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" }, { + "@timestamp": "2020-05-18T14:38:34.000-02:00", "client.bytes": 541, "client.ip": "172.16.34.24", "client.port": 57835, @@ -146,6 +148,7 @@ "user_agent.original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" }, { + "@timestamp": "2020-05-18T14:38:35.000-02:00", "client.bytes": 0, "client.ip": "1.128.3.4", "client.port": 56336, @@ -221,6 +224,7 @@ "url.domain": "farasamed.com" }, { + "@timestamp": "2020-05-18T14:38:36.000-02:00", "client.bytes": 0, "client.ip": "216.160.83.61", "client.port": 54693, @@ -303,6 +307,7 @@ "url.domain": "divella.it" }, { + "@timestamp": "2018-06-06T10:51:29.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 56653, 
@@ -376,6 +381,7 @@ "url.domain": "postman.local" }, { + "@timestamp": "2018-06-06T10:58:29.000-02:00", "client.bytes": 0, "client.ip": "10.198.16.121", "client.port": 56632, @@ -449,6 +455,7 @@ "url.domain": "postman.local" }, { + "@timestamp": "2018-06-21T19:50:23.000-02:00", "client.bytes": 0, "client.ip": "10.146.13.49", "client.port": 39910, @@ -520,6 +527,7 @@ ] }, { + "@timestamp": "2018-06-21T19:50:48.000-02:00", "client.bytes": 0, "client.ip": "10.146.13.49", "client.port": 39936, diff --git a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json index 61f202c8826..16b796d1d50 100644 --- a/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/atp.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2017-01-31T18:44:31.000-02:00", "client.ip": "10.198.47.71", "client.port": 22623, "destination.ip": "46.161.30.47", @@ -64,6 +65,7 @@ "url.original": "46.161.30.47" }, { + "@timestamp": "2020-05-18T14:38:34.000-02:00", "client.ip": "172.16.34.24", "client.port": 57579, "destination.ip": "13.226.155.22", @@ -128,6 +130,7 @@ "url.scheme": "http" }, { + "@timestamp": "2020-05-18T14:38:35.000-02:00", "client.ip": "172.16.34.24", "client.port": 57540, "destination.ip": "13.226.155.22", @@ -192,6 +195,7 @@ "url.scheme": "http" }, { + "@timestamp": "2018-06-05T08:49:00.000-02:00", "client.ip": "10.198.32.89", "client.port": 0, "destination.ip": "82.211.30.202", diff --git a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json index aa00ab04538..9bc411835c7 100644 --- a/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/cfilter.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2017-01-31T14:03:33.000-02:00", "client.ip": "10.198.47.71", "client.port": 9444, "destination.ip": "182.79.221.19", 
@@ -69,6 +70,7 @@ "url.scheme": "https" }, { + "@timestamp": "2017-02-01T18:20:21.000-02:00", "client.ip": "216.160.83.57", "client.port": 46719, "destination.ip": "216.58.197.44", @@ -144,6 +146,7 @@ "url.scheme": "http" }, { + "@timestamp": "2017-02-01T18:13:29.000-02:00", "client.ip": "216.160.83.57", "client.port": 49128, "destination.ip": "74.125.130.188", @@ -220,6 +223,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:51.000-02:00", "client.ip": "172.17.34.10", "client.port": 62851, "destination.ip": "13.79.168.201", @@ -287,6 +291,7 @@ "url.scheme": "https" }, { + "@timestamp": "2020-05-18T14:38:52.000-02:00", "client.ip": "172.16.34.15", "client.port": 60471, "destination.ip": "40.90.137.127", @@ -356,6 +361,7 @@ "url.scheme": "https" }, { + "@timestamp": "2020-05-18T14:38:53.000-02:00", "client.ip": "1.128.3.4", "client.port": 65391, "destination.ip": "91.228.167.133", @@ -428,6 +434,7 @@ "user_agent.original": "EFSW Update (Windows; U; 64bit; BPC 7.1.12010.0; OS: 10.0.17763 SP 0.0 NT; TDB 45511; CL 1.1.1; x64s; APP efsw; PX 1; PUA 1; CD 1; RA 1; PEV 0; UNS 1; UBR 1158; HVCI 0; SHA256 1; WU 3; HWF: 01009DAA-757A-D666-EFD2-92DD0D501284; PLOC de_de; PCODE 211.0.0; " }, { + "@timestamp": "2016-12-02T18:50:20.000-02:00", "client.ip": "10.108.108.49", "event.action": "alert", "event.category": [ @@ -481,6 +488,7 @@ ] }, { + "@timestamp": "2016-12-02T18:50:20.000-02:00", "client.ip": "192.168.73.220", "client.port": 37832, "destination.ip": "64.233.189.147", @@ -551,6 +559,7 @@ "url.scheme": "http" }, { + "@timestamp": "2016-12-02T18:50:22.000-02:00", "client.ip": "192.168.73.220", "client.port": 46322, "destination.ip": "64.233.188.94", diff --git a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json index 27e381dabce..26d15e9a785 100644 --- a/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/event.log-expected.json 
@@ -1,5 +1,6 @@ [ { + "@timestamp": "2020-05-18T14:38:57.000-02:00", "client.ip": "172.17.35.116", "event.category": [ "authentication" @@ -56,6 +57,7 @@ "user.name": "elastic.user@elastic.test.com" }, { + "@timestamp": "2020-05-18T14:38:58.000-02:00", "client.ip": "89.160.20.112", "destination.as.number": 721, "destination.as.organization.name": "DoD Network Information Center", @@ -119,6 +121,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:59.000-02:00", "event.code": "062511318057", "event.dataset": "sophos.xg", "event.kind": "event", @@ -155,6 +158,7 @@ ] }, { + "@timestamp": "2020-05-18T14:39:00.000-02:00", "client.ip": "67.43.156.13", "event.category": [ "authentication" @@ -215,6 +219,7 @@ "user.name": "elastic.user@elastic.test.com" }, { + "@timestamp": "2020-05-18T14:39:01.000-02:00", "event.category": [ "host", "malware" @@ -259,6 +264,7 @@ ] }, { + "@timestamp": "2020-05-18T14:39:02.000-02:00", "event.code": "063411660022", "event.dataset": "sophos.xg", "event.kind": "event", @@ -296,6 +302,7 @@ ] }, { + "@timestamp": "2020-05-18T14:39:03.000-02:00", "client.ip": "81.2.69.145", "event.category": [ "authentication" @@ -358,6 +365,7 @@ "user.name": "elastic.user@elastic.test.com" }, { + "@timestamp": "2020-05-20T05:47:46.000-02:00", "client.bytes": 0, "destination.bytes": 0, "event.code": "062811617824", @@ -406,6 +414,7 @@ ] }, { + "@timestamp": "2020-05-18T14:39:05.000-02:00", "client.ip": "1.128.3.4", "event.category": [ "authentication" @@ -459,6 +468,7 @@ "user.name": "hendrikl" }, { + "@timestamp": "2020-05-18T14:39:06.000-02:00", "event.code": "066911518017", "event.dataset": "sophos.xg", "event.kind": "event", @@ -496,6 +506,7 @@ ] }, { + "@timestamp": "2020-05-18T14:39:07.000-02:00", "client.ip": "10.83.234.5", "event.code": "062009617502", "event.dataset": "sophos.xg", @@ -541,6 +552,7 @@ ] }, { + "@timestamp": "2020-05-18T14:39:08.000-02:00", "client.ip": "175.16.199.1", "event.code": "062109517507", "event.dataset": "sophos.xg", 
@@ -594,6 +606,7 @@ ] }, { + "@timestamp": "2020-05-18T14:39:09.000-02:00", "event.code": "063911517818", "event.dataset": "sophos.xg", "event.kind": "event", @@ -631,6 +644,7 @@ ] }, { + "@timestamp": "2020-05-18T14:39:10.000-02:00", "event.code": "063311617923", "event.dataset": "sophos.xg", "event.kind": "event", @@ -666,6 +680,7 @@ ] }, { + "@timestamp": "2020-06-02T06:29:36.000-02:00", "client.bytes": 0, "client.ip": "10.84.234.38", "destination.bytes": 0, @@ -729,6 +744,7 @@ "user.name": "elastic.user@elastic.test.com" }, { + "@timestamp": "2017-03-16T12:56:01.000-02:00", "client.bytes": 0, "destination.bytes": 0, "event.code": "066811618014", @@ -774,6 +790,7 @@ ] }, { + "@timestamp": "2017-03-16T12:53:27.000-02:00", "client.bytes": 22368, "destination.bytes": 31488, "event.code": "066811618015", @@ -819,6 +836,7 @@ ] }, { + "@timestamp": "2017-03-16T12:46:26.000-02:00", "client.bytes": 0, "destination.bytes": 0, "event.code": "066811618016", @@ -864,6 +882,7 @@ ] }, { + "@timestamp": "2018-06-06T11:12:10.000-02:00", "event.code": "063711517815", "event.dataset": "sophos.xg", "event.kind": "event", diff --git a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json index 4f2f390525c..d6bb070314e 100644 --- a/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/firewall.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2020-05-18T14:38:37.000-02:00", "client.bytes": 459, "client.ip": "1.128.3.4", "client.mac": "00:00:00:00:00:00", @@ -101,6 +102,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:38.000-02:00", "client.bytes": 0, "client.ip": "67.43.156.12", "client.mac": "00:00:00:00:00:00", @@ -206,6 +208,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:39.000-02:00", "client.bytes": 0, "client.ip": "172.17.35.113", "client.mac": "24:01:c7:07:2b:a2", 
@@ -292,6 +295,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:40.000-02:00", "client.bytes": 0, "client.ip": "10.82.234.6", "client.nat.port": 0, @@ -381,6 +385,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:41.000-02:00", "client.bytes": 0, "client.ip": "67.43.156.12", "client.mac": "c4:f7:d5:b5:47:f4", @@ -472,6 +477,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:42.000-02:00", "client.bytes": 0, "client.ip": "172.17.35.101", "client.mac": "24:01:c7:07:2b:a2", @@ -563,6 +569,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:43.000-02:00", "client.bytes": 0, "client.ip": "172.16.36.105", "client.mac": "34:db:fd:83:d8:09", @@ -649,6 +656,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:44.000-02:00", "client.bytes": 0, "client.ip": "10.82.234.9", "client.nat.port": 0, @@ -732,6 +740,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:45.000-02:00", "client.bytes": 0, "client.ip": "10.84.234.7", "client.mac": "00:00:00:00:00:00", @@ -831,6 +840,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:45.000-02:00", "client.bytes": 0, "client.ip": "192.168.1.254", "client.mac": "34:db:fd:83:d8:09", @@ -917,6 +927,7 @@ ] }, { + "@timestamp": "2020-06-05T12:38:53.000-02:00", "client.bytes": 1802, "client.ip": "172.17.35.119", "client.mac": "00:00:00:00:00:00", @@ -1007,6 +1018,7 @@ ] }, { + "@timestamp": "2018-05-30T13:26:37.000-02:00", "client.bytes": 0, "client.ip": "10.198.32.19", "client.nat.port": 0, @@ -1097,6 +1109,7 @@ ] }, { + "@timestamp": "2018-06-04T17:20:24.000-02:00", "client.bytes": 0, "client.ip": "0.0.0.0", "client.nat.port": 0, @@ -1177,6 +1190,7 @@ ] }, { + "@timestamp": "2018-05-30T14:01:32.000-02:00", "client.bytes": 0, "client.ip": "10.198.38.184", "client.mac": "c8:5b:76:ab:72:d3", @@ -1261,6 +1275,7 @@ ] }, { + "@timestamp": "2018-05-30T14:17:17.000-02:00", "client.bytes": 0, "client.ip": "10.198.32.19", "client.mac": "b8:97:5a:5b:0f:fd", 
@@ -1346,6 +1361,7 @@ ] }, { + "@timestamp": "2018-06-05T14:30:31.000-02:00", "client.bytes": 0, "client.ip": "10.198.37.23", "client.nat.port": 0, @@ -1425,6 +1441,7 @@ ] }, { + "@timestamp": "2018-05-31T17:05:14.000-02:00", "client.bytes": 0, "client.ip": "10.198.12.19", "client.nat.port": 0, @@ -1515,6 +1532,7 @@ ] }, { + "@timestamp": "2018-05-30T15:09:51.000-02:00", "client.bytes": 0, "client.ip": "fe80::59f5:3ce8:c98e:5062", "client.mac": "1e:3a:5a:5b:23:ab", @@ -1599,6 +1617,7 @@ ] }, { + "@timestamp": "2018-06-01T10:57:55.000-02:00", "client.bytes": 0, "client.ip": "10.198.37.57", "client.mac": "08:00:27:4c:49:e3", @@ -1682,6 +1701,7 @@ ] }, { + "@timestamp": "2018-06-01T10:55:41.000-02:00", "client.bytes": 0, "client.ip": "10.198.37.57", "client.mac": "08:00:27:4c:49:e3", @@ -1766,6 +1786,7 @@ ] }, { + "@timestamp": "2021-02-11T13:12:45.000-02:00", "client.bytes": 0, "client.ip": "1.2.3.4", "client.mac": "11:22:33:44:55:66", @@ -1867,6 +1888,7 @@ ] }, { + "@timestamp": "2020-06-05T03:45:23.000-02:00", "client.bytes": 0, "client.ip": "10.146.13.30", "client.mac": "00:50:56:99:51:94", diff --git a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json index 37b56704bb4..2bfe7cdce63 100644 --- a/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/idp.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2020-05-18T14:38:54.000-02:00", "client.ip": "67.43.156.12", "client.port": 41528, "destination.ip": "172.16.68.20", @@ -73,6 +74,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:55.000-02:00", "client.ip": "89.160.20.156", "client.port": 58914, "destination.as.number": 35908, @@ -156,6 +158,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:56.000-02:00", "client.ip": "67.43.156.12", "client.port": 59476, "destination.ip": "172.16.68.20", 
@@ -229,6 +232,7 @@ ] }, { + "@timestamp": "2018-05-23T16:20:34.000-02:00", "client.ip": "10.0.0.168", "client.port": 28938, "destination.ip": "10.1.1.234", @@ -296,6 +300,7 @@ ] }, { + "@timestamp": "2018-05-23T16:16:43.000-02:00", "client.ip": "10.0.1.31", "client.port": 40140, "destination.ip": "10.1.0.115", diff --git a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json index 15343c1e3e2..21f888b9327 100644 --- a/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/sandbox.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2017-01-31T14:52:11.000-02:00", "event.action": "Allowed", "event.category": [ "network" @@ -45,6 +46,7 @@ ] }, { + "@timestamp": "2017-01-31T14:52:11.000-02:00", "client.ip": "10.198.47.112", "event.action": "Denied", "event.category": [ @@ -106,6 +108,7 @@ ] }, { + "@timestamp": "2017-01-31T15:28:25.000-02:00", "event.action": "Allowed", "event.category": [ "network" @@ -151,6 +154,7 @@ ] }, { + "@timestamp": "2017-01-31T15:28:25.000-02:00", "client.ip": "10.198.47.112", "event.action": "Pending", "event.category": [ @@ -211,6 +215,7 @@ ] }, { + "@timestamp": "2017-01-31T15:28:25.000-02:00", "client.ip": "10.198.47.112", "event.action": "Denied", "event.category": [ @@ -272,6 +277,7 @@ ] }, { + "@timestamp": "2020-05-18T14:38:36.000-02:00", "client.ip": "172.16.34.24", "event.action": "Denied", "event.category": [ diff --git a/x-pack/filebeat/module/sophos/xg/test/system-health.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/system-health.log-expected.json index 9af985b4a36..f3f6f6a4597 100644 --- a/x-pack/filebeat/module/sophos/xg/test/system-health.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/system-health.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "127626618031", "event.dataset": "sophos.xg", "event.kind": "event", 
@@ -36,6 +37,7 @@ ] }, { + "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "127726618031", "event.dataset": "sophos.xg", "event.kind": "event", @@ -73,6 +75,7 @@ ] }, { + "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "123526618031", "event.dataset": "sophos.xg", "event.kind": "event", @@ -114,6 +117,7 @@ ] }, { + "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "127826618031", "event.dataset": "sophos.xg", "event.kind": "event", @@ -151,6 +155,7 @@ ] }, { + "@timestamp": "2018-06-05T15:10:00.000-02:00", "event.code": "127926618031", "event.dataset": "sophos.xg", "event.kind": "event", diff --git a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json index e944e04898d..0408fb4ab4e 100644 --- a/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/waf.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2020-05-18T14:38:46.000-02:00", "client.bytes": 1419, "client.ip": "216.160.83.61", "destination.bytes": 401, @@ -74,6 +75,7 @@ "user_agent.original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4954; Pro)" }, { + "@timestamp": "2020-05-18T14:38:47.000-02:00", "client.bytes": 1774, "client.ip": "216.160.83.61", "destination.bytes": 200, @@ -149,6 +151,7 @@ "user_agent.original": "Microsoft Office/16.0 (Windows NT 6.2; Microsoft Outlook 16.0.4954; Pro)" }, { + "@timestamp": "2020-05-19T17:20:29.000-02:00", "client.bytes": 510, "client.ip": "10.198.235.254", "destination.bytes": 403, @@ -220,6 +223,7 @@ "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" }, { + "@timestamp": "2020-05-19T18:03:30.000-02:00", "client.bytes": 715, "client.ip": "10.198.235.254", "destination.bytes": 403, 
@@ -295,6 +299,7 @@ "user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0" }, { + "@timestamp": "2020-05-20T18:03:31.000-02:00", "client.bytes": 295, "client.ip": "89.160.20.112", "destination.bytes": 403, diff --git a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json index d23e1273de3..d934c831d2a 100644 --- a/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json +++ b/x-pack/filebeat/module/sophos/xg/test/wifi.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2017-02-01T14:17:35.000-02:00", "event.code": "106025618011", "event.dataset": "sophos.xg", "event.kind": "event", @@ -37,6 +38,7 @@ ] }, { + "@timestamp": "2017-02-01T14:19:47.000-02:00", "event.code": "106025618011", "event.dataset": "sophos.xg", "event.kind": "event", From d88843a2719e6ab915310a1bc3f1ab01b6211edf Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Mon, 10 Jan 2022 12:57:46 +0100 Subject: [PATCH 3/4] Temporary: ignore timestamp in ibmmq.errorlog This fileset is failing to extract the correct timestamp from the logs. This will be fixed in a separate PR. --- filebeat/tests/system/test_modules.py | 1 + 1 file changed, 1 insertion(+) diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 96aed80cf15..aa6bc02048d 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -25,6 +25,7 @@ "f5.bigipafm", "fortinet.clientendpoint", "haproxy.log", + "ibmmq.errorlog", "icinga.startup", "imperva.securesphere", "infoblox.nios", From 4ee80ce310fa6404744bd32a6b287d3472377c89 Mon Sep 17 00:00:00 2001 
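Review bot: The added `"ibmmq.errorlog"` entry in the `@@ -25,6 +25,7 @@` hunk of test_modules.py carries no marker that it is a temporary exception, so once this lands nothing in the code ties it back to the follow-up fix the commit message promises for a separate PR. While the dataset sits in this list, its fixture passes with whatever `@timestamp` the pipeline emits (presumably ingest time rather than the log's own time, given the commit message), which is exactly the timestamp regression the rest of this series is meant to catch. I would have the line carry the intent inline: `"ibmmq.errorlog",  # TODO: remove once the errorlog pipeline parses the log's own timestamp`. The list's name and opening line are outside the hunk; I am inferring from the neighbouring entries and the commit message that it is the set of datasets whose `@timestamp` is excluded from comparison.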
From: Adrian Serrano Date: Mon, 10 Jan 2022 14:44:00 +0100 Subject: [PATCH 4/4] Re-generate auditd module --- .../test/audit-cent7-node.log-expected.json | 10 ++ .../log/test/audit-rhel6.log-expected.json | 12 +++ .../log/test/audit-rhel7.log-expected.json | 100 ++++++++++++++++++ .../test/audit-ubuntu1604.log-expected.json | 6 ++ .../auditd/log/test/avc.log-expected.json | 3 + .../auditd/log/test/execve.log-expected.json | 91 ++++++++++++++++ .../auditd/log/test/test.log-expected.json | 15 +++ .../auditd/log/test/useradd.log-expected.json | 8 ++ 8 files changed, 245 insertions(+) diff --git a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json index 854ebd16841..b435807ebaa 100644 --- a/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2020-07-06T16:38:34.588Z", "auditd.log.format": "raw", "auditd.log.kernel": "3.10.0-1062.9.1.el7.x86_64", "auditd.log.node": "localhost.localdomain", @@ -32,6 +33,7 @@ "user.id": "0" }, { + "@timestamp": "2020-07-06T16:38:34.707Z", "auditd.log.audit_backlog_limit": "8192", "auditd.log.node": "localhost.localdomain", "auditd.log.old": "64", @@ -61,6 +63,7 @@ "user.audit.id": "4294967295" }, { + "@timestamp": "2020-07-06T16:38:34.707Z", "auditd.log.audit_failure": "1", "auditd.log.node": "localhost.localdomain", "auditd.log.old": "1", @@ -90,6 +93,7 @@ "user.audit.id": "4294967295" }, { + "@timestamp": "2020-07-06T16:38:34.709Z", "auditd.log.node": "localhost.localdomain", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 6, @@ -121,6 +125,7 @@ "user.id": "0" }, { + "@timestamp": "2020-07-06T16:38:34.725Z", "auditd.log.node": "localhost.localdomain", "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 7, 
@@ -147,6 +152,7 @@ "user.id": "0" }, { + "@timestamp": "2020-07-06T16:38:34.739Z", "auditd.log.node": "localhost.localdomain", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 8, @@ -178,6 +184,7 @@ "user.id": "0" }, { + "@timestamp": "2020-07-06T16:38:34.807Z", "auditd.log.node": "localhost.localdomain", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 9, @@ -209,6 +216,7 @@ "user.id": "0" }, { + "@timestamp": "2020-07-06T16:38:34.843Z", "auditd.log.node": "localhost.localdomain", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 10, @@ -240,6 +248,7 @@ "user.id": "0" }, { + "@timestamp": "2020-07-06T16:38:34.850Z", "auditd.log.node": "localhost.localdomain", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 11, @@ -271,6 +280,7 @@ "user.id": "0" }, { + "@timestamp": "2020-07-06T16:38:34.857Z", "auditd.log.node": "localhost.localdomain", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 12, diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json index 889da77f9e0..13db1f882c4 100644 --- a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2017-03-14T19:20:30.178Z", "auditd.log.op": "PAM:session_close", "auditd.log.record_type": "USER_END", "auditd.log.sequence": 19600327, @@ -31,6 +32,7 @@ "user.name": "root" }, { + "@timestamp": "2017-03-14T19:20:30.178Z", "auditd.log.op": "PAM:setcred", "auditd.log.record_type": "CRED_DISP", "auditd.log.sequence": 19600328, @@ -62,6 +64,7 @@ "user.name": "root" }, { + "@timestamp": "2017-03-14T19:20:56.192Z", "auditd.log.record_type": "USER_CMD", "auditd.log.sequence": 19600329, "auditd.log.ses": "11988", 
@@ -95,6 +98,7 @@ "user.id": "497" }, { + "@timestamp": "2017-03-14T19:20:56.193Z", "auditd.log.op": "PAM:setcred", "auditd.log.record_type": "CRED_ACQ", "auditd.log.sequence": 19600330, @@ -126,6 +130,7 @@ "user.name": "root" }, { + "@timestamp": "2017-03-14T19:20:56.193Z", "auditd.log.op": "PAM:session_open", "auditd.log.record_type": "USER_START", "auditd.log.sequence": 19600331, @@ -157,6 +162,7 @@ "user.name": "root" }, { + "@timestamp": "2017-03-14T19:23:02.529Z", "auditd.log.dst_prefixlen": 22, "auditd.log.op": "SPD-add", "auditd.log.sequence": 19600354, @@ -178,6 +184,7 @@ "user.audit.id": "4294967295" }, { + "@timestamp": "2017-03-14T19:23:02.529Z", "auditd.log.a0": "9", "auditd.log.a1": "7f564ee6d2a0", "auditd.log.a2": "b8", @@ -221,6 +228,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2017-03-16T04:02:40.072Z", "auditd.log.new_auid": "700", "auditd.log.new_ses": "12286", "auditd.log.old_auid": "700", @@ -250,6 +258,7 @@ "user.id": "700" }, { + "@timestamp": "2017-03-16T04:02:40.070Z", "auditd.log.direction": "both", "auditd.log.kind": "session", "auditd.log.laddr": "107.170.139.210", @@ -296,6 +305,7 @@ "user.saved.id": "74" }, { + "@timestamp": "2017-03-16T04:02:40.072Z", "auditd.log.op": "success", "auditd.log.record_type": "USER_AUTH", "auditd.log.sequence": 19623789, @@ -339,6 +349,7 @@ "user.terminal": "ssh" }, { + "@timestamp": "2017-03-16T04:02:57.804Z", "auditd.log.op": "PAM:authentication", "auditd.log.record_type": "USER_AUTH", "auditd.log.sequence": 19623807, @@ -371,6 +382,7 @@ "user.terminal": "pts/0" }, { + "@timestamp": "2017-03-16T04:02:57.805Z", "auditd.log.op": "PAM:accounting", "auditd.log.record_type": "USER_ACCT", "auditd.log.sequence": 19623808, diff --git a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json index 50ede81ba09..a18b67e2e22 100644 --- a/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json 
+++ b/filebeat/module/auditd/log/test/audit-rhel7.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2016-12-07T02:16:23.819Z", "auditd.log.format": "raw", "auditd.log.kernel": "3.10.0-327.36.3.el7.x86_64", "auditd.log.record_type": "DAEMON_START", @@ -28,6 +29,7 @@ "user.audit.id": "4294967295" }, { + "@timestamp": "2016-12-07T02:16:23.864Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 6, "auditd.log.ses": "4294967295", @@ -58,6 +60,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:23.876Z", "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 7, "auditd.log.ses": "4294967295", @@ -83,6 +86,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:23.879Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 8, "auditd.log.ses": "4294967295", @@ -113,6 +117,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.075Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 9, "auditd.log.ses": "4294967295", @@ -143,6 +148,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.088Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 10, "auditd.log.ses": "4294967295", @@ -173,6 +179,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.163Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 11, "auditd.log.ses": "4294967295", @@ -203,6 +210,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.212Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 12, "auditd.log.ses": "4294967295", @@ -233,6 +241,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.521Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 13, "auditd.log.ses": "4294967295", @@ -263,6 +272,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.521Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 14, "auditd.log.ses": "4294967295", 
@@ -293,6 +303,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.526Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 15, "auditd.log.ses": "4294967295", @@ -323,6 +334,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.534Z", "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 16, "auditd.log.ses": "4294967295", @@ -353,6 +365,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.827Z", "auditd.log.entries": 0, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -377,6 +390,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:24.827Z", "auditd.log.a0": "0", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -420,6 +434,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.858Z", "auditd.log.entries": 0, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -444,6 +459,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:24.858Z", "auditd.log.a0": "0", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -487,6 +503,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.870Z", "auditd.log.entries": 0, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -511,6 +528,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:24.870Z", "auditd.log.a0": "0", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -554,6 +572,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.877Z", "auditd.log.entries": 0, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -578,6 +597,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:24.877Z", "auditd.log.a0": "0", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -621,6 +641,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.931Z", "auditd.log.entries": 0, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", 
@@ -645,6 +666,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:24.931Z", "auditd.log.a0": "3", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -688,6 +710,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.939Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 22, "auditd.log.ses": "4294967295", @@ -718,6 +741,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.945Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 23, "auditd.log.ses": "4294967295", @@ -748,6 +772,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.953Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 24, "auditd.log.ses": "4294967295", @@ -778,6 +803,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.954Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 25, "auditd.log.ses": "4294967295", @@ -808,6 +834,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.960Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 26, "auditd.log.ses": "4294967295", @@ -838,6 +865,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:24.982Z", "auditd.log.entries": 0, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -862,6 +890,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:24.982Z", "auditd.log.a0": "0", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -905,6 +934,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.012Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 28, "auditd.log.ses": "4294967295", @@ -935,6 +965,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.031Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 29, "auditd.log.ses": "4294967295", 
@@ -965,6 +996,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.043Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 30, "auditd.log.ses": "4294967295", @@ -995,6 +1027,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.044Z", "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 31, "auditd.log.ses": "4294967295", @@ -1025,6 +1058,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.069Z", "auditd.log.entries": 0, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -1049,6 +1083,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.069Z", "auditd.log.a0": "0", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -1092,6 +1127,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.104Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 33, "auditd.log.ses": "4294967295", @@ -1122,6 +1158,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.099Z", "auditd.log.entries": 0, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -1146,6 +1183,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.099Z", "auditd.log.a0": "0", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -1189,6 +1227,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.128Z", "auditd.log.entries": 0, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -1213,6 +1252,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.128Z", "auditd.log.a0": "0", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -1256,6 +1296,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.164Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 36, "auditd.log.ses": "4294967295", @@ -1286,6 +1327,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.166Z", "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 37, "auditd.log.ses": "4294967295", 
@@ -1316,6 +1358,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.167Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 38, "auditd.log.ses": "4294967295", @@ -1346,6 +1389,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.168Z", "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 39, "auditd.log.ses": "4294967295", @@ -1376,6 +1420,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.170Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 40, "auditd.log.ses": "4294967295", @@ -1406,6 +1451,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.170Z", "auditd.log.record_type": "SERVICE_STOP", "auditd.log.sequence": 41, "auditd.log.ses": "4294967295", @@ -1436,6 +1482,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.180Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 42, "auditd.log.ses": "4294967295", @@ -1466,6 +1513,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.187Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 43, "auditd.log.ses": "4294967295", @@ -1496,6 +1544,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.191Z", "auditd.log.entries": 0, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -1520,6 +1569,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.191Z", "auditd.log.a0": "1", "auditd.log.a1": "41a15c", "auditd.log.a2": "0", @@ -1563,6 +1613,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.511Z", "auditd.log.record_type": "SERVICE_START", "auditd.log.sequence": 45, "auditd.log.ses": "4294967295", @@ -1593,6 +1644,7 @@ "user.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.528Z", "auditd.log.entries": 5, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", 
@@ -1617,6 +1669,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.528Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -1660,6 +1713,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.532Z", "auditd.log.entries": 5, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -1684,6 +1738,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.532Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -1727,6 +1782,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.534Z", "auditd.log.entries": 6, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -1751,6 +1807,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.534Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -1794,6 +1851,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.537Z", "auditd.log.entries": 6, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -1818,6 +1876,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.537Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -1861,6 +1920,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.538Z", "auditd.log.entries": 4, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -1885,6 +1945,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.538Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -1928,6 +1989,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.542Z", "auditd.log.entries": 4, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -1952,6 +2014,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.542Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", 
@@ -1995,6 +2058,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.543Z", "auditd.log.entries": 3, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -2019,6 +2083,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.543Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -2062,6 +2127,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.546Z", "auditd.log.entries": 3, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -2086,6 +2152,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.546Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -2129,6 +2196,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.548Z", "auditd.log.entries": 4, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -2153,6 +2221,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.548Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -2196,6 +2265,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.552Z", "auditd.log.entries": 4, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -2220,6 +2290,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.552Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -2263,6 +2334,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.553Z", "auditd.log.entries": 5, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2287,6 +2359,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.553Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2330,6 +2403,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.556Z", "auditd.log.entries": 5, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", 
@@ -2354,6 +2428,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.556Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2397,6 +2472,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.557Z", "auditd.log.entries": 6, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2421,6 +2497,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.557Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2464,6 +2541,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.560Z", "auditd.log.entries": 6, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2488,6 +2566,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.560Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2531,6 +2610,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.562Z", "auditd.log.entries": 4, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2555,6 +2635,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.562Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2598,6 +2679,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.566Z", "auditd.log.entries": 4, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2622,6 +2704,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.566Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2665,6 +2748,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.569Z", "auditd.log.entries": 3, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2689,6 +2773,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.569Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", 
@@ -2732,6 +2817,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.573Z", "auditd.log.entries": 3, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2756,6 +2842,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.573Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2799,6 +2886,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.575Z", "auditd.log.entries": 4, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2823,6 +2911,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.575Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2866,6 +2955,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.578Z", "auditd.log.entries": 4, "auditd.log.family": "10", "auditd.log.record_type": "NETFILTER_CFG", @@ -2890,6 +2980,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.578Z", "auditd.log.a0": "4", "auditd.log.a1": "29", "auditd.log.a2": "40", @@ -2933,6 +3024,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.580Z", "auditd.log.entries": 6, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -2957,6 +3049,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.580Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -3000,6 +3093,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.582Z", "auditd.log.entries": 6, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -3024,6 +3118,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.582Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -3067,6 +3162,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.583Z", "auditd.log.entries": 6, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", 
@@ -3091,6 +3187,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.583Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -3134,6 +3231,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.585Z", "auditd.log.entries": 6, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", @@ -3158,6 +3256,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:16:25.585Z", "auditd.log.a0": "4", "auditd.log.a1": "0", "auditd.log.a2": "40", @@ -3201,6 +3300,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2016-12-07T02:16:25.587Z", "auditd.log.entries": 6, "auditd.log.family": "2", "auditd.log.record_type": "NETFILTER_CFG", diff --git a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json index d4660c1e419..3c749e10d58 100644 --- a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json +++ b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2017-04-21T05:28:40.441Z", "auditd.log.a0": "3", "auditd.log.a1": "7ffd0dc80040", "auditd.log.a2": "7ffd0dc7ffd0", @@ -44,6 +45,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2017-04-21T05:28:40.441Z", "auditd.log.saddr": "0200E31C4853E6640000000000000000", "auditd.log.sequence": 8832, "event.action": "sockaddr", @@ -57,6 +59,7 @@ "service.type": "auditd" }, { + "@timestamp": "2017-04-21T05:28:40.441Z", "auditd.log.proctitle": "(sshd)", "auditd.log.sequence": 8832, "event.action": "proctitle", @@ -70,6 +73,7 @@ "service.type": "auditd" }, { + "@timestamp": "2017-04-21T05:38:27.096Z", "auditd.log.a0": "5", "auditd.log.a1": "7ffc12ac3ab0", "auditd.log.a2": "10", @@ -114,6 +118,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2017-04-21T05:38:27.096Z", "auditd.log.saddr": "02000050A9FEA9FE0000000000000000", "auditd.log.sequence": 9004, "event.action": "sockaddr", 
@@ -127,6 +132,7 @@ "service.type": "auditd" }, { + "@timestamp": "2017-04-21T05:38:27.096Z", "auditd.log.proctitle": "(g_daemon)", "auditd.log.sequence": 9004, "event.action": "proctitle", diff --git a/filebeat/module/auditd/log/test/avc.log-expected.json b/filebeat/module/auditd/log/test/avc.log-expected.json index bf893021e23..3179d7f8b09 100644 --- a/filebeat/module/auditd/log/test/avc.log-expected.json +++ b/filebeat/module/auditd/log/test/avc.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2008-11-16T22:21:13.147Z", "auditd.log.dev": "dm-0", "auditd.log.ino": "284133", "auditd.log.path": "/var/www/html/file1", @@ -20,6 +21,7 @@ "service.type": "auditd" }, { + "@timestamp": "2018-04-25T13:28:53.080Z", "auditd.log.apparmor": "DENIED", "auditd.log.denied_mask": "trace", "auditd.log.operation": "ptrace", @@ -43,6 +45,7 @@ "service.type": "auditd" }, { + "@timestamp": "2018-04-25T13:28:53.080Z", "auditd.log.record_type": "AVC", "auditd.log.sequence": 61207, "auditd.log.seresult": "1", diff --git a/filebeat/module/auditd/log/test/execve.log-expected.json b/filebeat/module/auditd/log/test/execve.log-expected.json index 0dfcb755fcd..777e188a62c 100644 --- a/filebeat/module/auditd/log/test/execve.log-expected.json +++ b/filebeat/module/auditd/log/test/execve.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2016-12-07T02:20:31.371Z", "auditd.log.sequence": 479, "event.action": "execve", "event.dataset": "auditd.log", @@ -23,6 +24,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:31.372Z", "auditd.log.sequence": 481, "event.action": "execve", "event.dataset": "auditd.log", @@ -42,6 +44,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:32.471Z", "auditd.log.sequence": 485, "event.action": "execve", "event.dataset": "auditd.log", @@ -71,6 +74,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:53.941Z", "auditd.log.sequence": 486, "event.action": "execve", "event.dataset": "auditd.log", 
@@ -90,6 +94,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.135Z", "auditd.log.sequence": 493, "event.action": "execve", "event.dataset": "auditd.log", @@ -109,6 +114,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.258Z", "auditd.log.sequence": 507, "event.action": "execve", "event.dataset": "auditd.log", @@ -126,6 +132,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.261Z", "auditd.log.sequence": 508, "event.action": "execve", "event.dataset": "auditd.log", @@ -144,6 +151,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.264Z", "auditd.log.sequence": 509, "event.action": "execve", "event.dataset": "auditd.log", @@ -161,6 +169,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.265Z", "auditd.log.sequence": 510, "event.action": "execve", "event.dataset": "auditd.log", @@ -179,6 +188,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.266Z", "auditd.log.sequence": 511, "event.action": "execve", "event.dataset": "auditd.log", @@ -197,6 +207,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.268Z", "auditd.log.sequence": 512, "event.action": "execve", "event.dataset": "auditd.log", @@ -216,6 +227,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.269Z", "auditd.log.sequence": 513, "event.action": "execve", "event.dataset": "auditd.log", @@ -236,6 +248,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.270Z", "auditd.log.sequence": 514, "event.action": "execve", "event.dataset": "auditd.log", @@ -254,6 +267,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.271Z", "auditd.log.sequence": 515, "event.action": "execve", "event.dataset": "auditd.log", @@ -272,6 +286,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.273Z", "auditd.log.sequence": 516, "event.action": "execve", "event.dataset": "auditd.log", 
@@ -291,6 +306,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.274Z", "auditd.log.sequence": 517, "event.action": "execve", "event.dataset": "auditd.log", @@ -311,6 +327,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:20:54.276Z", "auditd.log.sequence": 518, "event.action": "execve", "event.dataset": "auditd.log", @@ -329,6 +346,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:07.546Z", "auditd.log.sequence": 519, "event.action": "execve", "event.dataset": "auditd.log", @@ -347,6 +365,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:07.553Z", "auditd.log.sequence": 520, "event.action": "execve", "event.dataset": "auditd.log", @@ -365,6 +384,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:07.557Z", "auditd.log.sequence": 521, "event.action": "execve", "event.dataset": "auditd.log", @@ -383,6 +403,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:07.561Z", "auditd.log.sequence": 522, "event.action": "execve", "event.dataset": "auditd.log", @@ -401,6 +422,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:18.176Z", "auditd.log.sequence": 525, "event.action": "execve", "event.dataset": "auditd.log", @@ -419,6 +441,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:32.487Z", "auditd.log.sequence": 528, "event.action": "execve", "event.dataset": "auditd.log", @@ -448,6 +471,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:48.360Z", "auditd.log.sequence": 529, "event.action": "execve", "event.dataset": "auditd.log", @@ -468,6 +492,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:48.371Z", "auditd.log.sequence": 533, "event.action": "execve", "event.dataset": "auditd.log", @@ -487,6 +512,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:48.376Z", "auditd.log.sequence": 534, "event.action": "execve", "event.dataset": "auditd.log", 
@@ -505,6 +531,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:48.378Z", "auditd.log.sequence": 538, "event.action": "execve", "event.dataset": "auditd.log", @@ -528,6 +555,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:48.379Z", "auditd.log.sequence": 540, "event.action": "execve", "event.dataset": "auditd.log", @@ -547,6 +575,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:21:57.921Z", "auditd.log.sequence": 542, "event.action": "execve", "event.dataset": "auditd.log", @@ -565,6 +594,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.297Z", "auditd.log.sequence": 543, "event.action": "execve", "event.dataset": "auditd.log", @@ -583,6 +613,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.304Z", "auditd.log.sequence": 547, "event.action": "execve", "event.dataset": "auditd.log", @@ -600,6 +631,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.330Z", "auditd.log.sequence": 552, "event.action": "execve", "event.dataset": "auditd.log", @@ -617,6 +649,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.334Z", "auditd.log.sequence": 553, "event.action": "execve", "event.dataset": "auditd.log", @@ -636,6 +669,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.335Z", "auditd.log.sequence": 554, "event.action": "execve", "event.dataset": "auditd.log", @@ -656,6 +690,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.336Z", "auditd.log.sequence": 555, "event.action": "execve", "event.dataset": "auditd.log", @@ -674,6 +709,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.337Z", "auditd.log.sequence": 556, "event.action": "execve", "event.dataset": "auditd.log", @@ -692,6 +728,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.338Z", "auditd.log.sequence": 557, "event.action": "execve", "event.dataset": "auditd.log", 
@@ -711,6 +748,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.339Z", "auditd.log.sequence": 558, "event.action": "execve", "event.dataset": "auditd.log", @@ -731,6 +769,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:14.341Z", "auditd.log.sequence": 559, "event.action": "execve", "event.dataset": "auditd.log", @@ -749,6 +788,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:16.705Z", "auditd.log.sequence": 560, "event.action": "execve", "event.dataset": "auditd.log", @@ -767,6 +807,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:32.504Z", "auditd.log.sequence": 563, "event.action": "execve", "event.dataset": "auditd.log", @@ -796,6 +837,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:36.580Z", "auditd.log.sequence": 564, "event.action": "execve", "event.dataset": "auditd.log", @@ -814,6 +856,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:36.585Z", "auditd.log.sequence": 565, "event.action": "execve", "event.dataset": "auditd.log", @@ -832,6 +875,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:36.590Z", "auditd.log.sequence": 566, "event.action": "execve", "event.dataset": "auditd.log", @@ -850,6 +894,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:22:36.593Z", "auditd.log.sequence": 567, "event.action": "execve", "event.dataset": "auditd.log", @@ -868,6 +913,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:23:32.521Z", "auditd.log.sequence": 570, "event.action": "execve", "event.dataset": "auditd.log", @@ -897,6 +943,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:24:05.611Z", "auditd.log.sequence": 571, "event.action": "execve", "event.dataset": "auditd.log", @@ -915,6 +962,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:24:05.615Z", "auditd.log.sequence": 572, "event.action": "execve", "event.dataset": "auditd.log", 
@@ -933,6 +981,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:24:05.619Z", "auditd.log.sequence": 573, "event.action": "execve", "event.dataset": "auditd.log", @@ -951,6 +1000,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:24:05.622Z", "auditd.log.sequence": 574, "event.action": "execve", "event.dataset": "auditd.log", @@ -969,6 +1019,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:24:32.536Z", "auditd.log.sequence": 577, "event.action": "execve", "event.dataset": "auditd.log", @@ -998,6 +1049,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:25:32.552Z", "auditd.log.sequence": 580, "event.action": "execve", "event.dataset": "auditd.log", @@ -1027,6 +1079,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:25:34.641Z", "auditd.log.sequence": 581, "event.action": "execve", "event.dataset": "auditd.log", @@ -1045,6 +1098,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:25:34.645Z", "auditd.log.sequence": 582, "event.action": "execve", "event.dataset": "auditd.log", @@ -1063,6 +1117,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:25:34.648Z", "auditd.log.sequence": 583, "event.action": "execve", "event.dataset": "auditd.log", @@ -1081,6 +1136,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:25:34.652Z", "auditd.log.sequence": 584, "event.action": "execve", "event.dataset": "auditd.log", @@ -1099,6 +1155,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:26:32.568Z", "auditd.log.sequence": 587, "event.action": "execve", "event.dataset": "auditd.log", @@ -1128,6 +1185,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:27:03.670Z", "auditd.log.sequence": 588, "event.action": "execve", "event.dataset": "auditd.log", @@ -1146,6 +1204,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:27:03.674Z", "auditd.log.sequence": 589, "event.action": "execve", "event.dataset": "auditd.log", 
@@ -1164,6 +1223,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:27:03.678Z", "auditd.log.sequence": 590, "event.action": "execve", "event.dataset": "auditd.log", @@ -1182,6 +1242,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:27:03.681Z", "auditd.log.sequence": 591, "event.action": "execve", "event.dataset": "auditd.log", @@ -1200,6 +1261,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:27:32.585Z", "auditd.log.sequence": 594, "event.action": "execve", "event.dataset": "auditd.log", @@ -1229,6 +1291,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:28:28.279Z", "auditd.log.sequence": 597, "event.action": "execve", "event.dataset": "auditd.log", @@ -1247,6 +1310,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:28:32.602Z", "auditd.log.sequence": 600, "event.action": "execve", "event.dataset": "auditd.log", @@ -1276,6 +1340,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:28:32.699Z", "auditd.log.sequence": 601, "event.action": "execve", "event.dataset": "auditd.log", @@ -1294,6 +1359,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:28:32.703Z", "auditd.log.sequence": 602, "event.action": "execve", "event.dataset": "auditd.log", @@ -1312,6 +1378,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:28:32.707Z", "auditd.log.sequence": 603, "event.action": "execve", "event.dataset": "auditd.log", @@ -1330,6 +1397,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:28:32.710Z", "auditd.log.sequence": 604, "event.action": "execve", "event.dataset": "auditd.log", @@ -1348,6 +1416,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:29:32.619Z", "auditd.log.sequence": 607, "event.action": "execve", "event.dataset": "auditd.log", @@ -1377,6 +1446,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:30:01.729Z", "auditd.log.sequence": 608, "event.action": "execve", "event.dataset": "auditd.log", 
@@ -1395,6 +1465,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:30:01.733Z", "auditd.log.sequence": 609, "event.action": "execve", "event.dataset": "auditd.log", @@ -1413,6 +1484,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:30:01.737Z", "auditd.log.sequence": 610, "event.action": "execve", "event.dataset": "auditd.log", @@ -1431,6 +1503,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:30:01.740Z", "auditd.log.sequence": 611, "event.action": "execve", "event.dataset": "auditd.log", @@ -1449,6 +1522,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:30:32.635Z", "auditd.log.sequence": 614, "event.action": "execve", "event.dataset": "auditd.log", @@ -1478,6 +1552,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:31:29.545Z", "auditd.log.sequence": 615, "event.action": "execve", "event.dataset": "auditd.log", @@ -1496,6 +1571,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:31:30.759Z", "auditd.log.sequence": 618, "event.action": "execve", "event.dataset": "auditd.log", @@ -1514,6 +1590,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:31:30.765Z", "auditd.log.sequence": 619, "event.action": "execve", "event.dataset": "auditd.log", @@ -1532,6 +1609,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:31:30.769Z", "auditd.log.sequence": 620, "event.action": "execve", "event.dataset": "auditd.log", @@ -1550,6 +1628,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:31:30.772Z", "auditd.log.sequence": 621, "event.action": "execve", "event.dataset": "auditd.log", @@ -1568,6 +1647,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:31:32.652Z", "auditd.log.sequence": 624, "event.action": "execve", "event.dataset": "auditd.log", @@ -1597,6 +1677,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:32:32.668Z", "auditd.log.sequence": 627, "event.action": "execve", "event.dataset": "auditd.log", 
@@ -1626,6 +1707,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:32:59.791Z", "auditd.log.sequence": 628, "event.action": "execve", "event.dataset": "auditd.log", @@ -1644,6 +1726,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:32:59.795Z", "auditd.log.sequence": 629, "event.action": "execve", "event.dataset": "auditd.log", @@ -1662,6 +1745,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:32:59.799Z", "auditd.log.sequence": 630, "event.action": "execve", "event.dataset": "auditd.log", @@ -1680,6 +1764,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:32:59.802Z", "auditd.log.sequence": 631, "event.action": "execve", "event.dataset": "auditd.log", @@ -1698,6 +1783,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:33:32.684Z", "auditd.log.sequence": 634, "event.action": "execve", "event.dataset": "auditd.log", @@ -1727,6 +1813,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:34:28.821Z", "auditd.log.sequence": 635, "event.action": "execve", "event.dataset": "auditd.log", @@ -1745,6 +1832,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:34:28.825Z", "auditd.log.sequence": 636, "event.action": "execve", "event.dataset": "auditd.log", @@ -1763,6 +1851,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:34:28.829Z", "auditd.log.sequence": 637, "event.action": "execve", "event.dataset": "auditd.log", @@ -1781,6 +1870,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:34:28.832Z", "auditd.log.sequence": 638, "event.action": "execve", "event.dataset": "auditd.log", @@ -1799,6 +1889,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-12-07T02:34:29.999Z", "auditd.log.sequence": 639, "event.action": "execve", "event.dataset": "auditd.log", diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json index af1e33ca542..0e6104f0e46 100644 
--- a/filebeat/module/auditd/log/test/test.log-expected.json +++ b/filebeat/module/auditd/log/test/test.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2017-01-31T20:17:14.891Z", "auditd.log.dst_prefixlen": 16, "auditd.log.op": "SPD-delete", "auditd.log.sequence": 18877201, @@ -21,6 +22,7 @@ "user.audit.id": "4294967295" }, { + "@timestamp": "2017-01-31T20:17:14.891Z", "auditd.log.a0": "9", "auditd.log.a1": "7f564b2672a0", "auditd.log.a2": "b8", @@ -64,6 +66,7 @@ "user.saved.id": "0" }, { + "@timestamp": "2017-03-14T19:20:56.192Z", "auditd.log.record_type": "USER_CMD", "auditd.log.sequence": 19600329, "auditd.log.ses": "11988", @@ -97,6 +100,7 @@ "user.id": "497" }, { + "@timestamp": "2016-12-07T02:17:21.515Z", "auditd.log.cipher": "chacha20-poly1305@openssh.com", "auditd.log.direction": "from-server", "auditd.log.ksize": 512, @@ -146,6 +150,7 @@ "user.saved.id": "74" }, { + "@timestamp": "2017-04-11T15:21:03.550Z", "auditd.log.data": "eh^?^?echo test^Mvim /etc/pam.d/password-auth-ac^Mman pam_tty_audit^Mman pam.d^Mvim /etc^Asudo ^E/pamd.sy^?^?^?^?^?.^?m.d/sy^I-a^Ia^?-a^I^Mman pam^Mt^?grep sys^?^?^?/var/lo^Ig/me^Is^I | grep pam_tty^Mgrep pam_tty /var/log/mes^I^M^[[A^Asudo ^Msudo su^M", "auditd.log.major": "136", "auditd.log.minor": "0", @@ -169,6 +174,7 @@ "user.id": "1000" }, { + "@timestamp": "2016-01-03T00:37:51.394Z", "auditd.log.proctitle": "bash", "auditd.log.sequence": 194438, "event.action": "proctitle", @@ -182,6 +188,7 @@ "service.type": "auditd" }, { + "@timestamp": "2016-01-03T00:37:51.394Z", "auditd.log.proctitle": "sshd: burn [priv]", "auditd.log.sequence": 194440, "event.action": "proctitle", @@ -195,6 +202,7 @@ "service.type": "auditd" }, { + "@timestamp": "2019-11-15T19:01:24.309Z", "auditd.log.gpg_res": "1", "auditd.log.key_enforce": "0", "auditd.log.record_type": "SOFTWARE_UPDATE", 
@@ -229,6 +237,7 @@ "user.id": "0" }, { + "@timestamp": "2019-11-15T19:00:56.144Z", "auditd.log.record_type": "SYSTEM_BOOT", "auditd.log.sequence": 5, "auditd.log.ses": "4294967295", @@ -254,6 +263,7 @@ "user.id": "0" }, { + "@timestamp": "2019-11-15T19:01:57.054Z", "auditd.log.record_type": "SYSTEM_SHUTDOWN", "auditd.log.sequence": 1163, "auditd.log.ses": "4294967295", @@ -279,6 +289,7 @@ "user.id": "0" }, { + "@timestamp": "2020-02-10T21:59:44.206Z", "auditd.log.sequence": 579393, "event.action": "execve", "event.dataset": "auditd.log", @@ -296,6 +307,7 @@ "service.type": "auditd" }, { + "@timestamp": "2020-02-10T21:59:44.206Z", "auditd.log.a0": "0x1fd05c0", "auditd.log.a1": "0x1fd2730", "auditd.log.a2": "0x1fd4640", @@ -338,6 +350,7 @@ "user.saved.id": "vagrant" }, { + "@timestamp": "2020-02-10T21:59:44.206Z", "auditd.log.name": "mymodule", "auditd.log.record_type": "KERN_MODULE", "auditd.log.sequence": 579397, @@ -360,6 +373,7 @@ "service.type": "auditd" }, { + "@timestamp": "2017-12-17T10:44:41.075Z", "auditd.log.op": "create", "auditd.log.reason": "api", "auditd.log.record_type": "VIRT_CONTROL", @@ -387,6 +401,7 @@ "user.name": "root" }, { + "@timestamp": "2016-12-16T15:45:43.572Z", "auditd.log.img-ctx": "system_u:object_r:svirt_image_t:s0:c444,c977", "auditd.log.model": "selinux", "auditd.log.record_type": "VIRT_MACHINE_ID", diff --git a/filebeat/module/auditd/log/test/useradd.log-expected.json b/filebeat/module/auditd/log/test/useradd.log-expected.json index 30d1ad5138c..d76ad1288ad 100644 --- a/filebeat/module/auditd/log/test/useradd.log-expected.json +++ b/filebeat/module/auditd/log/test/useradd.log-expected.json @@ -1,5 +1,6 @@ [ { + "@timestamp": "2021-01-17T17:12:33.686Z", "auditd.log.hostname": "ubuntu-bionic", "auditd.log.id": "1004", "auditd.log.op": "adding group to /etc/group", 
@@ -37,6 +38,7 @@ "user.terminal": "pts/2" }, { + "@timestamp": "2021-01-17T17:12:33.710Z", "auditd.log.hostname": "ubuntu-bionic", "auditd.log.id": "1004", "auditd.log.op": "adding group to /etc/gshadow", @@ -74,6 +76,7 @@ "user.terminal": "pts/2" }, { + "@timestamp": "2021-01-17T17:12:33.710Z", "auditd.log.hostname": "ubuntu-bionic", "auditd.log.id": "1004", "auditd.log.record_type": "ADD_GROUP", @@ -110,6 +113,7 @@ "user.terminal": "pts/2" }, { + "@timestamp": "2021-01-17T17:12:33.730Z", "auditd.log.hostname": "ubuntu-bionic", "auditd.log.id": "1004", "auditd.log.op": "adding user", @@ -147,6 +151,7 @@ "user.terminal": "pts/2" }, { + "@timestamp": "2021-01-17T17:12:33.814Z", "auditd.log.hostname": "localhost", "auditd.log.record_type": "USER_ACCT", "auditd.log.reset": "0", @@ -183,6 +188,7 @@ "user.terminal": "/dev/pts/2" }, { + "@timestamp": "2021-01-17T17:12:38.174Z", "auditd.log.hostname": "ubuntu-bionic", "auditd.log.op": "PAM:chauthtok", "auditd.log.record_type": "USER_CHAUTHTOK", @@ -220,6 +226,7 @@ "user.terminal": "pts/2" }, { + "@timestamp": "2021-01-17T17:12:38.178Z", "auditd.log.hostname": "ubuntu-bionic", "auditd.log.op": "PAM:authentication", "auditd.log.record_type": "USER_AUTH", @@ -255,6 +262,7 @@ "user.terminal": "pts/2" }, { + "@timestamp": "2021-01-17T17:12:38.178Z", "auditd.log.hostname": "ubuntu-bionic", "auditd.log.op": "PAM:accounting", "auditd.log.record_type": "USER_ACCT",