diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 3556140f8dc..e856cde8970 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -69,6 +69,7 @@ /packages/iis @elastic/integrations /packages/imperva @elastic/security-external-integrations /packages/infoblox @elastic/security-external-integrations +/packages/infoblox_nios @elastic/security-external-integrations /packages/iptables @elastic/security-external-integrations /packages/journald @elastic/integrations /packages/juniper_junos @elastic/security-external-integrations diff --git a/packages/infoblox_nios/_dev/build/build.yml b/packages/infoblox_nios/_dev/build/build.yml new file mode 100644 index 00000000000..d61527283ec --- /dev/null +++ b/packages/infoblox_nios/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@8.2 diff --git a/packages/infoblox_nios/_dev/build/docs/README.md b/packages/infoblox_nios/_dev/build/docs/README.md new file mode 100644 index 00000000000..2e5f9f5282d --- /dev/null +++ b/packages/infoblox_nios/_dev/build/docs/README.md 
@@ -0,0 +1,141 @@ +# Infoblox NIOS + +The Infoblox NIOS integration collects and parses DNS, DHCP, and Audit data collected from [Infoblox NIOS](https://www.infoblox.com/products/nios8/) via TCP/UDP. + +## Setup steps +1. Enable the integration with TCP/UDP input. +2. Log in to the NIOS appliance. +3. Configure the NIOS appliance to send messages to a Syslog server using the following steps. For further information, refer to [Using a Syslog Server](https://docs.infoblox.com/display/NAG8/Using+a+Syslog+Server#UsingaSyslogServer-SpecifyingSyslogServers). + 1. From the Grid tab, select the Grid Manager tab -> Members tab, and then navigate to Grid Properties -> Edit -> Monitoring from the Toolbar. + 2. Select **Log to External Syslog Servers** to send messages to a specified Syslog server. + 3. Click the **Add** icon to define a new Syslog server. + 4. Enter the IP **Address** of the Elastic Agent that is running the integration. + 5. Select **Transport** to connect to the external Syslog server. + 6. If you are using Secure TCP transport, upload a self-signed or a CA-signed **Server Certificate**. + 7. From the drop-down list select the **Interface** through which the appliance sends Syslog messages to the Syslog server. + 8. Select **Source** as **Any** so that the appliance sends both internal and external Syslog messages. + 9. From the drop-down list, select **Node ID** i.e. the host or node identification string that identifies the appliance from which Syslog messages are originated. + 10. Enter the **Port** of the Elastic Agent that is running the integration. + 11. Select **Debug** **Severity** so that the appliance sends all Syslog messages to the server. + 12. 
Select the following **Logging categories** :  + - Common Authentication + - DHCP Process + - DNS Client + - DNSSEC + - DNS General + - DNS Notifies + - DNS Queries + - DNS Query Rewrites + - DNS Resolver + - DNS Responses + - DNS RPZ + - DNS Updates + - Non-system Authentication + - Zone Transfer In + - Zone Transfer Out + 13. Enable **Copy Audit Log Message to Syslog** to include audit log messages it sends to the Syslog server. + 14. Select **Syslog Facility** that determines the processes from which the log messages are generated. + +## Compatibility + +This module has been tested against `Infoblox NIOS version 8.6.1` with the below-given logs pattern. + +## Log samples +Below are the samples logs of the respective category: + +## Audit Logs: +``` +<141>Apr 13 22:14:36 ns1.infoblox.localdomain 10.50.1.227 httpd: 2022-04-13 16:44:36.850Z [user\040name]: Login_Denied - - to=AdminConnector ip=10.50.0.1 info=Local apparently_via=GUI +<29>Mar 21 09:53:51 infoblox.localdomain 10.0.0.1 httpd: 2022-03-21 08:53:51.087Z [service_account_test]: Login_Allowed - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=some-Group apparently_via=API +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Direct auth=Local group=admin-group +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Direct error=invalid\040login\040or\040password +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\040first\040login +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed 
dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:37:29.261Z [admin]: Created Network 192.168.0.0/24 network_view=default: Set extensible_attributes=[],address="192.168.2.0",auto_create_reversezone=False,cidr=24,comment="",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 11:46:38.877Z [admin]: Modified MemberDhcp infoblox.localdomain: Changed enable_service:False->True +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService: Args services=["ALL"],parents=[],force=True,mode="GROUPED" +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset Block: Set comment="",disabled=True,name="Block",type="BLACKLIST" +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:28:24.476Z [admin]: Called - TransferTrafficCapture message=Download\040Traffic\040capture\040file: Args message="Download Traffic capture file",members=[Member:infoblox.localdomain] +<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.238Z [service_account_test]: Created HostAddress 10.0.0.1 network_view=default: Set address="10.0.0.1",configure_for_dhcp=False,match_option="MAC_ADDRESS",parent=HostRecord:._default.tld.domain.subdomain.hostrecord +<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.239Z [service_account_test]: Created HostRecord somerecord.subdomain.domain.tld DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set 
extensible_attributes=[[name="NAC-Policy",value="Host"]],addresses=[address="10.0.0.1"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn="somerecord.subdomain.domain.tld" +<29>Mar 21 16:08:48 10.0.0.1 httpd: 2022-03-21 15:08:48.455Z [service_account_test]: Deleted HostRecord somerecord.subdomain.domain.tld DnsView=default address=10.0.0.0 +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Deleted CaaRecord somecaarecord.domain.tld DnsView=default +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Created HostAddress 192.168.0.0 network_view=default: Set address="192.168.0.0",configure_for_dhcp=True,mac_address="01:01:01:01:01:01",match_option="MAC_ADDRESS",network=Network:192.168.0.0/24\054network_view\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 12:40:05.241Z [adminuser]: Modified Grid Unibe-DNS-Grid: Changed backup_setting:[password="******",restore_password="******"]->[password="******",restore_password="******"],csp_api_config:[password="******"]->[password="******"],csp_settings:[csp_join_token="******"]->[csp_join_token="******"],download_member_conf:[[interface="ANY",is_online=True,member="Member:Grid Master"]]->[[interface="ANY",is_online=True,member=NULL]],email_setting:[password="******"]->[password="******"],http_proxy_server_setting:NULL->[password="******"],snmp_setting:[snmpv3_queries_users=NULL]->[snmpv3_queries_users=[]],syslog_servers:[[address="10.0.0.2"],[address="10.0.0.3"]]->[[address="10.0.0.4"]] +``` +## DNS Logs: +``` +<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 
192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED - +<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com 28800 IN A 192.168.0.3; +<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED +<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3; +<30>Mar  9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288 +<30>Mar  9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1) +<30>Mar 11 23:51:31 infoblox.localdomain named[27014]: rpz: rpz1.com: reload start +<30>Mar 11 23:51:31 infoblox.localdomain named[29914]: client @0x7ff42c168b50 192.168.0.1#50460 (test.com): rewriting query name 'test.com' to 'query123-10-120-20-93.test.com', type A +<30>Mar 11 23:51:31 infoblox.localdomain named[19204]: client @0x7fec7c11dab0 192.168.0.1#36483: updating zone 'test1.com/IN': adding an RR at 'a6.test1.com' A 192.168.0.2 +<30>Mar 11 23:51:31 infoblox.localdomain named[28468]: CEF:0|Infoblox|NIOS|8.6.2-49634-e88e9df276a8|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=192.168.0.1 src=192.168.0.1 spt=51424 view=_default qtype=A msg="rpz QNAME NXDOMAIN rewrite nxd1.com [A] via nxd1.com.rpz1.com" CAT=RPZ +<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: zone local_7.com/IN: notify from 192.168.0.1#46982: zone is up to date +<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: responses: client @0x7fb550117f90 192.168.0.1#46982: received notify for zone 'local_14.com' +<30>Mar 11 
23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer status: success +<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec) +<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR started (serial 3) +<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR ended +<30>Mar 11 23:51:31 infoblox.localdomain named[30325]: resolver priming query complete +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com' +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/NSEC: bad cache hit (test.com/DNSKEY) +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating hostrec3.test.com/NSEC: bad cache hit (test.com/DNSKEY) +<30>Apr 14 16:17:20 10.0.0.1 named[2588]: infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.0.1#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED - +<30>Apr 14 16:16:05 10.0.0.1 named[2588]: queries: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10) +<30>Apr 14 16:16:05 10.0.0.1 named[2588]: query-errors: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288 +``` +## DHCP Logs: +``` +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID a76ecf84 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain 10.0.0.1 dhcpd[7024]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID b5e92c59 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 
08:32:59 10.0.0.1 dhcpd[2750]: DHCPDISCOVER from 00:50:56:83:d0:f6 via eth1 TransID 6214ab45: network 10.50.0.0/20: no free leases +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPDISCOVER from 00:00:00:00:00:00 (h000000000000) via 192.168.0.2 TransID 01000000 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 120 offered-duration 1800 +<30>Mar 31 15:30:05 10.0.0.1 dhcpd[15752]: DHCPOFFER on 192.168.0.4 to 26:9a:76:87:8a:06 via eth2 relay 192.168.0.3 lease-duration 1795 uid 01:26:9a:76:87:8a:06 +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPOFFER on 192.168.0.4 to 00:00:00:00:00:00 via eth1 relay 192.168.0.3 lease-duration 43137 offered-duration 43200 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPOFFER on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 120 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54737448 uid 01:00:50:56:83:6c:a0 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 8767dc3c uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54ade258 uid 01:00:50:56:83:6c:a0 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID a18a70a0 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 
infoblox.localdomain dhcpd[25637]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:d3:83 via eth1 TransID 3ca1e0b7: unknown lease 192.168.0.4. +<30>Apr 6 10:13:31 infoblox.localdomain dhcpd[22730]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 542900fa uid 01:00:50:56:83:6c:a0: database update failed +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[30827]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:96:03 via eth1 TransID 9cf7c9e9: ignored (not authoritative). +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID 2d422d0c +<30>Mar 31 15:30:06 10.0.0.1 dhcpd[15752]: DHCPREQUEST for 192.168.0.4 from 9a:df:6e:f6:1f:23 via 192.168.0.2 TransID 15ca711f uid 01:9a:df:6e:f6:1f:23 (RENEW) +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:00:00:00:00:00 via 192.168.0.3 TransID 01000000 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[17530]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 +<30>Mar 27 08:32:59 10.0.0.1 dhcpd[15752]: DHCPACK on 192.168.0.4 to 9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23 +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPACK on 192.168.0.4 to 00:00:00:00:00:00 (h000000000000) via eth1 relay 192.168.0.3 lease-duration 43200 (RENEW) +<30>Mar 
27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPACK on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 43200 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 (not found) TransID 665fd9f1 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0 +<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 5713b740 +<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via eth2 TransID 5713b740 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 78563412: not authoritative for subnet 10.0.0.0 +<30>Mar 18 11:44:52 10.0.0.1 dhcpd[32243]: DHCPDECLINE of 192.168.0.4 from 34:29:8f:71:b8:99 via 192.168.0.2 TransID 00000000: not found +<30>Mar 7 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPDECLINE of 192.168.0.4 from 00:c0:dd:07:18:e2 via 192.168.0.2: abandoned\n +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPNAK on 192.168.0.4 to f4:30:b9:17:ab:0e via 192.168.0.2 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPLEASEQUERY from 192.168.0.4: LEASEQUERY not allowed, query ignored +``` + +## Logs + +This is the `log` dataset. + +{{event "log"}} + +{{fields "log"}} diff --git a/packages/infoblox_nios/_dev/deploy/docker/docker-compose.yml b/packages/infoblox_nios/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..7d3c4a209fb --- /dev/null +++ b/packages/infoblox_nios/_dev/deploy/docker/docker-compose.yml 
@@ -0,0 +1,14 @@ +version: '2.3' +services: + infoblox_nios-log-tcp: + image: docker.elastic.co/observability/stream:v0.7.0 + volumes: + - ./sample_logs:/sample_logs:ro + entrypoint: /bin/bash + command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9027 -p=tcp /sample_logs/log.log" + infoblox_nios-log-udp: + image: docker.elastic.co/observability/stream:v0.7.0 + volumes: + - ./sample_logs:/sample_logs:ro + entrypoint: /bin/bash + command: -c "/stream log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9028 -p=udp /sample_logs/log.log" diff --git a/packages/infoblox_nios/_dev/deploy/docker/sample_logs/log.log b/packages/infoblox_nios/_dev/deploy/docker/sample_logs/log.log new file mode 100644 index 00000000000..b44aef320b3 --- /dev/null +++ b/packages/infoblox_nios/_dev/deploy/docker/sample_logs/log.log 
@@ -0,0 +1,94 @@ +<29>Mar 21 09:53:51 infoblox.localdomain 10.0.0.1 httpd: 2022-03-21 08:53:51.087Z [service_account_test]: Login_Allowed - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=some-Group apparently_via=API +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Direct auth=Local group=admin-group +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Direct error=invalid\040login\040or\040password +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\040first\040login +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:37:29.261Z [admin]: Created Network 192.168.0.0/24 network_view=default: Set extensible_attributes=[],address="192.168.2.0",auto_create_reversezone=False,cidr=24,comment="",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 11:46:38.877Z [admin]: Modified MemberDhcp infoblox.localdomain: Changed enable_service:False->True +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService: Args services=["ALL"],parents=[],force=True,mode="GROUPED" +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: 
Created Ruleset Block: Set comment="",disabled=True,name="Block",type="BLACKLIST" +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:28:24.476Z [admin]: Called - TransferTrafficCapture message=Download\040Traffic\040capture\040file: Args message="Download Traffic capture file",members=[Member:infoblox.localdomain] +<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.238Z [service_account_test]: Created HostAddress 10.0.0.1 network_view=default: Set address="10.0.0.1",configure_for_dhcp=False,match_option="MAC_ADDRESS",parent=HostRecord:._default.tld.domain.subdomain.hostrecord +<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.239Z [service_account_test]: Created HostRecord somerecord.subdomain.domain.tld DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set extensible_attributes=[[name="NAC-Policy",value="Host"]],addresses=[address="10.0.0.1"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn="somerecord.subdomain.domain.tld" +<29>Mar 21 16:08:48 10.0.0.1 httpd: 2022-03-21 15:08:48.455Z [service_account_test]: Deleted HostRecord somerecord.subdomain.domain.tld DnsView=default address=10.0.0.0 +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Deleted CaaRecord somecaarecord.domain.tld DnsView=default +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Created HostAddress 192.168.0.0 network_view=default: Set address="192.168.0.0",configure_for_dhcp=True,mac_address="01:01:01:01:01:01",match_option="MAC_ADDRESS",network=Network:192.168.0.0/24\054network_view\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 
12:40:05.241Z [adminuser]: Modified Grid Unibe-DNS-Grid: Changed backup_setting:[password="******",restore_password="******"]->[password="******",restore_password="******"],csp_api_config:[password="******"]->[password="******"],csp_settings:[csp_join_token="******"]->[csp_join_token="******"],download_member_conf:[[interface="ANY",is_online=True,member="Member:Grid Master"]]->[[interface="ANY",is_online=True,member=NULL]],email_setting:[password="******"]->[password="******"],http_proxy_server_setting:NULL->[password="******"],snmp_setting:[snmpv3_queries_users=NULL]->[snmpv3_queries_users=[]],syslog_servers:[[address="67.43.156.15"],[address="67.43.156.15"]]->[[address="67.43.156.15"]] +<29>Mar 18 13:40:05 10.0.0.1 syslog: any random text +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID a76ecf84 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain 10.0.0.1 dhcpd[7024]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID b5e92c59 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 10.0.0.1 dhcpd[2750]: DHCPDISCOVER from 00:50:56:83:d0:f6 via eth1 TransID 6214ab45: network 10.50.0.0/20: no free leases +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPDISCOVER from 00:00:00:00:00:00 (h000000000000) via 192.168.0.2 TransID 01000000 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: 
DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 120 offered-duration 1800 +<30>Mar 31 15:30:05 10.0.0.1 dhcpd[15752]: DHCPOFFER on 192.168.0.4 to 26:9a:76:87:8a:06 via eth2 relay 192.168.0.3 lease-duration 1795 uid 01:26:9a:76:87:8a:06 +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPOFFER on 192.168.0.4 to 00:00:00:00:00:00 via eth1 relay 192.168.0.3 lease-duration 43137 offered-duration 43200 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPOFFER on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 120 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54737448 uid 01:00:50:56:83:6c:a0 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 8767dc3c uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54ade258 uid 01:00:50:56:83:6c:a0 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID a18a70a0 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[25637]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:d3:83 via eth1 TransID 3ca1e0b7: unknown lease 192.168.0.4. 
+<30>Apr 6 10:13:31 infoblox.localdomain dhcpd[22730]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 542900fa uid 01:00:50:56:83:6c:a0: database update failed +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[30827]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:96:03 via eth1 TransID 9cf7c9e9: ignored (not authoritative). +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID 2d422d0c +<30>Mar 31 15:30:06 10.0.0.1 dhcpd[15752]: DHCPREQUEST for 192.168.0.4 from 9a:df:6e:f6:1f:23 via 172.26.0.1 TransID 15ca711f uid 01:9a:df:6e:f6:1f:23 (RENEW) +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:00:00:00:00:00 via 192.168.0.3 TransID 01000000 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[17530]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 +<30>Mar 27 08:32:59 10.0.0.1 dhcpd[15752]: DHCPACK on 192.168.0.4 to 9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23 +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPACK on 192.168.0.4 to 00:00:00:00:00:00 (h000000000000) via eth1 relay 192.168.0.3 lease-duration 43200 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPACK on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 43200 +<30>Mar 27 
08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 (not found) TransID 665fd9f1 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0 +<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 5713b740 +<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via eth2 TransID 5713b740 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 78563412: not authoritative for subnet 10.0.0.0 +<30>Mar 18 11:44:52 10.0.0.1 dhcpd[32243]: DHCPDECLINE of 192.168.0.4 from 34:29:8f:71:b8:99 via 10.10.4.1 TransID 00000000: not found +<30>Mar 7 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPDECLINE of 192.168.0.4 from 00:c0:dd:07:18:e2 via 192.168.0.2: abandoned\n +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPNAK on 192.168.0.4 to f4:30:b9:17:ab:0e via 192.168.0.2 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPLEASEQUERY from 192.168.0.4: LEASEQUERY not allowed, query ignored +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPOFFER some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPREQUEST some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPACK some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPEXPIRE some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPINFORM some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDECLINE some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPNAK some text +<30>Mar 27 08:32:59 
infoblox.localdomain dhcpd[1761]: DHCPLEASEQUERY some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: some text +<30>Mar 11 23:51:31 infoblox.localdomain named[11042]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3; +<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED - +<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com 28800 IN A 192.168.0.3; +<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED +<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3; +<30>Mar 9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288 +<30>Mar 9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1) +<30>Mar 11 23:51:31 infoblox.localdomain named[27014]: rpz: rpz1.com: reload start +<30>Mar 11 23:51:31 infoblox.localdomain named[29914]: client @0x7ff42c168b50 192.168.0.1#50460 (test.com): rewriting query name 'test.com' to 'query123-10-120-20-93.test.com', type A +<30>Mar 11 23:51:31 infoblox.localdomain named[19204]: client @0x7fec7c11dab0 192.168.0.1#36483: updating zone 'test1.com/IN': adding an RR at 'a6.test1.com' A 192.168.0.2 +<30>Mar 11 23:51:31 infoblox.localdomain named[28468]: 
CEF:0|Infoblox|NIOS|8.6.2-49634-e88e9df276a8|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=192.168.0.1 src=192.168.0.1 spt=51424 view=_default qtype=A msg="rpz QNAME NXDOMAIN rewrite nxd1.com [A] via nxd1.com.rpz1.com" CAT=RPZ +<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: zone local_7.com/IN: notify from 192.168.0.1#46982: zone is up to date +<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: responses: client @0x7fb550117f90 192.168.0.1#46982: received notify for zone 'local_14.com' +<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer status: success +<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec) +<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR started (serial 3) +<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR ended +<30>Mar 11 23:51:31 infoblox.localdomain named[30325]: resolver priming query complete +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com' +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/NSEC: bad cache hit (test.com/DNSKEY) +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating hostrec3.test.com/NSEC: bad cache hit (test.com/DNSKEY) +<30>Apr 14 16:17:20 10.50.1.227 named[2588]: infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.1.90#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED - +<30>Apr 14 16:16:05 10.50.1.227 named[2588]: queries: client @0x7f97e40eb500 192.168.1.90#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10) +<30>Apr 14 16:16:05 
10.50.1.227 named[2588]: query-errors: client @0x7f97e40eb500 192.168.1.90#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288 \ No newline at end of file diff --git a/packages/infoblox_nios/changelog.yml b/packages/infoblox_nios/changelog.yml new file mode 100644 index 00000000000..af71c49ef4d --- /dev/null +++ b/packages/infoblox_nios/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial draft of the package. + type: enhancement + link: https://github.com/elastic/integrations/pull/3129 diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-audit.log b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-audit.log new file mode 100644 index 00000000000..8a875826b94 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-audit.log 
@@ -0,0 +1,24 @@ +<29>Mar 21 09:53:51 infoblox.localdomain httpd[]: 2022-03-18 13:24:41.705Z [admin]: Logout - - ip=10.50.0.1 group=admin-group trigger_event=Session\040Expiration +<141>Apr 13 22:14:36 ns1.infoblox.localdomain 10.50.1.227 httpd: 2022-04-13 16:44:36.850Z [fefdn\040wdbj]: Login_Denied - - to=AdminConnector ip=10.50.0.1 info=Local apparently_via=GUI +<29>Mar 21 09:53:51 infoblox.localdomain 10.0.0.1 httpd: 2022-03-21 08:53:51.087Z [service_account_test]: Login_Allowed - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=some-Group apparently_via=API +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Direct auth=Local group=admin-group +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Direct error=invalid\040login\040or\040password +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\040first\040login +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:37:29.261Z [admin]: Created Network 192.168.0.0/24 network_view=default: Set extensible_attributes=[],address="192.168.2.0",auto_create_reversezone=False,cidr=24,comment="",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[] +<29>Mar 18 13:40:05 
10.0.0.1 httpd: 2022-03-18 11:46:38.877Z [admin]: Modified MemberDhcp infoblox.localdomain: Changed enable_service:False->True +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService: Args services=["ALL"],parents=[],force=True,mode="GROUPED" +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset Block: Set comment="",disabled=True,name="Block",type="BLACKLIST" +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:28:24.476Z [admin]: Called - TransferTrafficCapture message=Download\040Traffic\040capture\040file: Args message="Download Traffic capture file",members=[Member:infoblox.localdomain] +<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.238Z [service_account_test]: Created HostAddress 10.0.0.1 network_view=default: Set address="10.0.0.1",configure_for_dhcp=False,match_option="MAC_ADDRESS",parent=HostRecord:._default.tld.domain.subdomain.hostrecord +<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.239Z [service_account_test]: Created HostRecord somerecord.subdomain.domain.tld DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set extensible_attributes=[[name="NAC-Policy",value="Host"]],addresses=[address="10.0.0.1"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn="somerecord.subdomain.domain.tld" +<29>Mar 21 16:08:48 10.0.0.1 httpd: 2022-03-21 15:08:48.455Z [service_account_test]: Deleted HostRecord somerecord.subdomain.domain.tld DnsView=default address=10.0.0.0 +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Deleted CaaRecord somecaarecord.domain.tld DnsView=default +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Created HostAddress 192.168.0.0 network_view=default: Set 
address="192.168.0.0",configure_for_dhcp=True,mac_address="01:01:01:01:01:01",match_option="MAC_ADDRESS",network=Network:192.168.0.0/24\054network_view\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 12:40:05.241Z [adminuser]: Modified Grid Unibe-DNS-Grid: Changed backup_setting:[password="******",restore_password="******"]->[password="******",restore_password="******"],csp_api_config:[password="******"]->[password="******"],csp_settings:[csp_join_token="******"]->[csp_join_token="******"],download_member_conf:[[interface="ANY",is_online=True,member="Member:Grid Master"]]->[[interface="ANY",is_online=True,member=NULL]],email_setting:[password="******"]->[password="******"],http_proxy_server_setting:NULL->[password="******"],snmp_setting:[snmpv3_queries_users=NULL]->[snmpv3_queries_users=[]],syslog_servers:[[address="67.43.156.15"],[address="67.43.156.15"]]->[[address="67.43.156.15"]] +<29>Mar 18 13:40:05 10.0.0.1 syslog: any random text +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset \ No newline at end of file diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-audit.log-expected.json b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-audit.log-expected.json new file mode 100644 index 00000000000..433cc284364 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-audit.log-expected.json 
@@ -0,0 +1,1136 @@ +{ + "expected": [ + { + "@timestamp": "2022-03-18T13:24:41.705Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "logout", + "category": [ + "authentication" + ], + "created": "2022-03-21T09:53:51.000Z", + "original": "\u003c29\u003eMar 21 09:53:51 infoblox.localdomain httpd[]: 2022-03-18 13:24:41.705Z [admin]: Logout - - ip=10.50.0.1 group=admin-group trigger_event=Session\\040Expiration", + "type": [ + "end" + ] + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "audit": { + "group": "admin-group", + "ip": "10.50.0.1", + "trigger_event": "Session Expiration" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-18 13:24:41.705Z [admin]: Logout - - ip=10.50.0.1 group=admin-group trigger_event=Session\\040Expiration", + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "10.50.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-04-13T16:44:36.850Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "login_denied", + "category": [ + "authentication" + ], + "created": "2022-04-13T22:14:36.000Z", + "original": "\u003c141\u003eApr 13 22:14:36 ns1.infoblox.localdomain 10.50.1.227 httpd: 2022-04-13 16:44:36.850Z [fefdn\\040wdbj]: Login_Denied - - to=AdminConnector ip=10.50.0.1 info=Local apparently_via=GUI", + "outcome": "failure" + }, + "host": { + "domain": "ns1.infoblox.localdomain", + "ip": "10.50.1.227" + }, + "infoblox_nios": { + "log": { + "audit": { + "apparently_via": "GUI", + "info": "Local", + "ip": "10.50.0.1", + "to": "AdminConnector" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 141 + } + }, + "message": "2022-04-13 16:44:36.850Z [fefdn\\040wdbj]: Login_Denied - - to=AdminConnector ip=10.50.0.1 info=Local apparently_via=GUI", + 
"related": { + "hosts": [ + "ns1.infoblox.localdomain" + ], + "ip": [ + "10.50.0.1", + "10.50.1.227" + ], + "user": [ + "fefdn wdbj" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "fefdn wdbj" + } + }, + { + "@timestamp": "2022-03-21T08:53:51.087Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "login_allowed", + "category": [ + "authentication" + ], + "created": "2022-03-21T09:53:51.000Z", + "original": "\u003c29\u003eMar 21 09:53:51 infoblox.localdomain 10.0.0.1 httpd: 2022-03-21 08:53:51.087Z [service_account_test]: Login_Allowed - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=some-Group apparently_via=API", + "outcome": "success", + "type": [ + "start" + ] + }, + "host": { + "domain": "infoblox.localdomain", + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "apparently_via": "API", + "auth": "LOCAL", + "group": "some-Group", + "ip": "10.0.0.2", + "to": "AdminConnector" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-21 08:53:51.087Z [service_account_test]: Login_Allowed - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=some-Group apparently_via=API", + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "10.0.0.2", + "10.0.0.1" + ], + "user": [ + "service_account_test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "service_account_test" + } + }, + { + "@timestamp": "2011-10-19T19:48:37.299Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "login_allowed", + "category": [ + "authentication" + ], + "created": "2022-03-22T14:26:54.000Z", + "original": "\u003c29\u003eMar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\\040Console apparently_via=Direct auth=Local group=admin-group", + "outcome": "success", + "type": [ + "start" + ] + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": 
{ + "apparently_via": "Direct", + "auth": "Local", + "group": "admin-group", + "to": "Serial Console" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\\040Console apparently_via=Direct auth=Local group=admin-group", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2011-10-19T14:02:32.750Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "login_denied", + "category": [ + "authentication" + ], + "created": "2022-03-22T14:26:54.000Z", + "original": "\u003c29\u003eMar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\\040Console apparently_via=Direct error=invalid\\040login\\040or\\040password", + "outcome": "failure" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "apparently_via": "Direct", + "error": "invalid login or password", + "to": "Serial Console" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\\040Console apparently_via=Direct error=invalid\\040login\\040or\\040password", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2011-10-19T12:43:47.375Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "first_login", + "created": "2022-03-22T14:26:54.000Z", + "original": "\u003c29\u003eMar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\\040first\\040login" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + 
"audit": { + "apparently_via": "GUI first login", + "auth": "LOCAL", + "group": "admin-group", + "ip": "10.0.0.2", + "to": "AdminConnector" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\\040first\\040login", + "related": { + "ip": [ + "10.0.0.2", + "10.0.0.1" + ], + "user": [ + "user" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "user" + } + }, + { + "@timestamp": "2011-10-19T13:07:33.343Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "password_reset_error", + "created": "2022-03-22T14:26:54.000Z", + "original": "\u003c29\u003eMar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "apparently_via": "GUI", + "auth": "LOCALgroup=admin-group", + "to": "AdminConnector" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "user" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "user" + } + }, + { + "@timestamp": "2022-03-21T17:19:02.204Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]-\u003e[[grid_member=Member:infoblox.localdomain]]" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + 
"message": "network_view=default: Changed dhcp_members:[]-\u003e[[grid_member=Member:infoblox.localdomain]]", + "object": { + "name": "Network", + "value": "192.168.0.0/24" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]-\u003e[[grid_member=Member:infoblox.localdomain]]", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-24T09:37:29.261Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "created", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:37:29.261Z [admin]: Created Network 192.168.0.0/24 network_view=default: Set extensible_attributes=[],address=\"192.168.2.0\",auto_create_reversezone=False,cidr=24,comment=\"\",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[]" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "network_view=default: Set extensible_attributes=[],address=\"192.168.2.0\",auto_create_reversezone=False,cidr=24,comment=\"\",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[]", + "object": { + "name": "Network", + "value": "192.168.0.0/24" + } + }, + "service_name": "httpd", + 
"type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-24 09:37:29.261Z [admin]: Created Network 192.168.0.0/24 network_view=default: Set extensible_attributes=[],address=\"192.168.2.0\",auto_create_reversezone=False,cidr=24,comment=\"\",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[]", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-18T11:46:38.877Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 11:46:38.877Z [admin]: Modified MemberDhcp infoblox.localdomain: Changed enable_service:False-\u003eTrue" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "Changed enable_service:False-\u003eTrue", + "object": { + "name": "MemberDhcp", + "value": "infoblox.localdomain" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-18 11:46:38.877Z [admin]: Modified MemberDhcp infoblox.localdomain: Changed enable_service:False-\u003eTrue", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-29T19:29:20.468Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "called", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService: Args 
services=[\"ALL\"],parents=[],force=True,mode=\"GROUPED\"" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "Args services=[\"ALL\"],parents=[],force=True,mode=\"GROUPED\"", + "object": { + "name": "RestartService" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-29 19:29:20.468Z [admin]: Called - RestartService: Args services=[\"ALL\"],parents=[],force=True,mode=\"GROUPED\"", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-29T18:30:58.656Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "created", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset Block: Set comment=\"\",disabled=True,name=\"Block\",type=\"BLACKLIST\"" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "Set comment=\"\",disabled=True,name=\"Block\",type=\"BLACKLIST\"", + "object": { + "name": "Ruleset", + "value": "Block" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-29 18:30:58.656Z [admin]: Created Ruleset Block: Set comment=\"\",disabled=True,name=\"Block\",type=\"BLACKLIST\"", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-24T09:28:24.476Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "called", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:28:24.476Z [admin]: Called - TransferTrafficCapture message=Download\\040Traffic\\040capture\\040file: Args 
message=\"Download Traffic capture file\",members=[Member:infoblox.localdomain]" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "message=Download\\040Traffic\\040capture\\040file: Args message=\"Download Traffic capture file\",members=[Member:infoblox.localdomain]", + "object": { + "name": "TransferTrafficCapture" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-24 09:28:24.476Z [admin]: Called - TransferTrafficCapture message=Download\\040Traffic\\040capture\\040file: Args message=\"Download Traffic capture file\",members=[Member:infoblox.localdomain]", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-21T15:08:08.238Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "created", + "created": "2022-03-21T16:08:08.000Z", + "original": "\u003c29\u003eMar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.238Z [service_account_test]: Created HostAddress 10.0.0.1 network_view=default: Set address=\"10.0.0.1\",configure_for_dhcp=False,match_option=\"MAC_ADDRESS\",parent=HostRecord:._default.tld.domain.subdomain.hostrecord" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "network_view=default: Set address=\"10.0.0.1\",configure_for_dhcp=False,match_option=\"MAC_ADDRESS\",parent=HostRecord:._default.tld.domain.subdomain.hostrecord", + "object": { + "name": "HostAddress", + "value": "10.0.0.1" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-21 15:08:08.238Z [service_account_test]: Created HostAddress 10.0.0.1 network_view=default: Set 
address=\"10.0.0.1\",configure_for_dhcp=False,match_option=\"MAC_ADDRESS\",parent=HostRecord:._default.tld.domain.subdomain.hostrecord", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "service_account_test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "service_account_test" + } + }, + { + "@timestamp": "2022-03-21T15:08:08.239Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "created", + "created": "2022-03-21T16:08:08.000Z", + "original": "\u003c29\u003eMar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.239Z [service_account_test]: Created HostRecord somerecord.subdomain.domain.tld DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set extensible_attributes=[[name=\"NAC-Policy\",value=\"Host\"]],addresses=[address=\"10.0.0.1\"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn=\"somerecord.subdomain.domain.tld\"" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set extensible_attributes=[[name=\"NAC-Policy\",value=\"Host\"]],addresses=[address=\"10.0.0.1\"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn=\"somerecord.subdomain.domain.tld\"", + "object": { + "name": "HostRecord", + "value": "somerecord.subdomain.domain.tld" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-21 15:08:08.239Z [service_account_test]: Created HostRecord somerecord.subdomain.domain.tld DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set 
extensible_attributes=[[name=\"NAC-Policy\",value=\"Host\"]],addresses=[address=\"10.0.0.1\"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn=\"somerecord.subdomain.domain.tld\"", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "service_account_test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "service_account_test" + } + }, + { + "@timestamp": "2022-03-21T15:08:48.455Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "deleted", + "created": "2022-03-21T16:08:48.000Z", + "original": "\u003c29\u003eMar 21 16:08:48 10.0.0.1 httpd: 2022-03-21 15:08:48.455Z [service_account_test]: Deleted HostRecord somerecord.subdomain.domain.tld DnsView=default address=10.0.0.0" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "DnsView=default address=10.0.0.0", + "object": { + "name": "HostRecord", + "value": "somerecord.subdomain.domain.tld" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-21 15:08:48.455Z [service_account_test]: Deleted HostRecord somerecord.subdomain.domain.tld DnsView=default address=10.0.0.0", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "service_account_test" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "service_account_test" + } + }, + { + "@timestamp": "2022-03-22T13:26:54.596Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "deleted", + "created": "2022-03-22T14:26:54.000Z", + "original": "\u003c29\u003eMar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Deleted CaaRecord somecaarecord.domain.tld DnsView=default " + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "DnsView=default ", + "object": { + "name": "CaaRecord", + "value": "somecaarecord.domain.tld" + } + }, + 
"service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-22 13:26:54.596Z [some_admin_account]: Deleted CaaRecord somecaarecord.domain.tld DnsView=default ", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "some_admin_account" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "some_admin_account" + } + }, + { + "@timestamp": "2022-03-22T13:26:54.596Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "created", + "created": "2022-03-22T14:26:54.000Z", + "original": "\u003c29\u003eMar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Created HostAddress 192.168.0.0 network_view=default: Set address=\"192.168.0.0\",configure_for_dhcp=True,mac_address=\"01:01:01:01:01:01\",match_option=\"MAC_ADDRESS\",network=Network:192.168.0.0/24\\054network_view\\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "network_view=default: Set address=\"192.168.0.0\",configure_for_dhcp=True,mac_address=\"01:01:01:01:01:01\",match_option=\"MAC_ADDRESS\",network=Network:192.168.0.0/24\\054network_view\\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True", + "object": { + "name": "HostAddress", + "value": "192.168.0.0" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-22 13:26:54.596Z [some_admin_account]: Created HostAddress 192.168.0.0 network_view=default: Set address=\"192.168.0.0\",configure_for_dhcp=True,mac_address=\"01:01:01:01:01:01\",match_option=\"MAC_ADDRESS\",network=Network:192.168.0.0/24\\054network_view\\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True", + "related": { + "ip": [ + "10.0.0.1" + ], + 
"user": [ + "some_admin_account" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "some_admin_account" + } + }, + { + "@timestamp": "2022-03-22T13:26:54.596Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified", + "created": "2022-03-22T14:26:54.000Z", + "original": "\u003c29\u003eMar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]-\u003e[[grid_member=Member:infoblox.localdomain]]" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "network_view=default: Changed dhcp_members:[]-\u003e[[grid_member=Member:infoblox.localdomain]]", + "object": { + "name": "Network", + "value": "192.168.0.0/24" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-22 13:26:54.596Z [some_admin_account]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]-\u003e[[grid_member=Member:infoblox.localdomain]]", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "some_admin_account" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "some_admin_account" + } + }, + { + "@timestamp": "2022-03-18T12:40:05.241Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 12:40:05.241Z [adminuser]: Modified Grid Unibe-DNS-Grid: Changed backup_setting:[password=\"******\",restore_password=\"******\"]-\u003e[password=\"******\",restore_password=\"******\"],csp_api_config:[password=\"******\"]-\u003e[password=\"******\"],csp_settings:[csp_join_token=\"******\"]-\u003e[csp_join_token=\"******\"],download_member_conf:[[interface=\"ANY\",is_online=True,member=\"Member:Grid 
Master\"]]-\u003e[[interface=\"ANY\",is_online=True,member=NULL]],email_setting:[password=\"******\"]-\u003e[password=\"******\"],http_proxy_server_setting:NULL-\u003e[password=\"******\"],snmp_setting:[snmpv3_queries_users=NULL]-\u003e[snmpv3_queries_users=[]],syslog_servers:[[address=\"67.43.156.15\"],[address=\"67.43.156.15\"]]-\u003e[[address=\"67.43.156.15\"]]" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "Changed backup_setting:[password=\"******\",restore_password=\"******\"]-\u003e[password=\"******\",restore_password=\"******\"],csp_api_config:[password=\"******\"]-\u003e[password=\"******\"],csp_settings:[csp_join_token=\"******\"]-\u003e[csp_join_token=\"******\"],download_member_conf:[[interface=\"ANY\",is_online=True,member=\"Member:Grid Master\"]]-\u003e[[interface=\"ANY\",is_online=True,member=NULL]],email_setting:[password=\"******\"]-\u003e[password=\"******\"],http_proxy_server_setting:NULL-\u003e[password=\"******\"],snmp_setting:[snmpv3_queries_users=NULL]-\u003e[snmpv3_queries_users=[]],syslog_servers:[[address=\"67.43.156.15\"],[address=\"67.43.156.15\"]]-\u003e[[address=\"67.43.156.15\"]]", + "object": { + "name": "Grid", + "value": "Unibe-DNS-Grid" + } + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-18 12:40:05.241Z [adminuser]: Modified Grid Unibe-DNS-Grid: Changed backup_setting:[password=\"******\",restore_password=\"******\"]-\u003e[password=\"******\",restore_password=\"******\"],csp_api_config:[password=\"******\"]-\u003e[password=\"******\"],csp_settings:[csp_join_token=\"******\"]-\u003e[csp_join_token=\"******\"],download_member_conf:[[interface=\"ANY\",is_online=True,member=\"Member:Grid 
Master\"]]-\u003e[[interface=\"ANY\",is_online=True,member=NULL]],email_setting:[password=\"******\"]-\u003e[password=\"******\"],http_proxy_server_setting:NULL-\u003e[password=\"******\"],snmp_setting:[snmpv3_queries_users=NULL]-\u003e[snmpv3_queries_users=[]],syslog_servers:[[address=\"67.43.156.15\"],[address=\"67.43.156.15\"]]-\u003e[[address=\"67.43.156.15\"]]", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "adminuser" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "adminuser" + } + }, + { + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 syslog: any random text" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "service_name": "syslog" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "any random text", + "related": { + "ip": [ + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-29T19:29:20.468Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "called", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "RestartService" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-29 19:29:20.468Z [admin]: Called - RestartService", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-21T17:19:02.204Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "modified", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: 
Modified Network" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "Network" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-21 17:19:02.204Z [admin]: Modified Network", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + }, + { + "@timestamp": "2022-03-29T18:30:58.656Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "created", + "created": "2022-03-18T13:40:05.000Z", + "original": "\u003c29\u003eMar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "message": "Ruleset" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "log": { + "syslog": { + "priority": 29 + } + }, + "message": "2022-03-29 18:30:58.656Z [admin]: Created Ruleset", + "related": { + "ip": [ + "10.0.0.1" + ], + "user": [ + "admin" + ] + }, + "tags": [ + "preserve_original_event" + ], + "user": { + "name": "admin" + } + } + ] +} \ No newline at end of file diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dhcp.log b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dhcp.log new file mode 100644 index 00000000000..635ff064160 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dhcp.log 
@@ -0,0 +1,50 @@ +<30>Apr 18 05:02:05 10.50.1.227 dhcpd[2301]: DHCPREQUEST for 192.168.0.4 from 00:50:56:81:14:6c via eth3 +<30>Apr 18 05:02:05 10.50.1.227 dhcpd[2301]: DHCPREQUEST for 192.168.0.4 from 00:50:56:81:14:6c via 192.168.0.2 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID a76ecf84 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain 10.0.0.1 dhcpd[7024]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID b5e92c59 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 10.0.0.1 dhcpd[2750]: DHCPDISCOVER from 00:50:56:83:d0:f6 via eth1 TransID 6214ab45: network 10.50.0.0/20: no free leases +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPDISCOVER from 00:00:00:00:00:00 (h000000000000) via 192.168.0.2 TransID 01000000 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 120 offered-duration 1800 +<30>Mar 31 15:30:05 10.0.0.1 dhcpd[15752]: DHCPOFFER on 192.168.0.4 to 26:9a:76:87:8a:06 via eth2 relay 192.168.0.3 lease-duration 1795 uid 01:26:9a:76:87:8a:06 +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPOFFER on 192.168.0.4 to 00:00:00:00:00:00 via eth1 relay 192.168.0.3 lease-duration 43137 offered-duration 43200 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPOFFER on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 120 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54737448 uid 
01:00:50:56:83:6c:a0 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 8767dc3c uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54ade258 uid 01:00:50:56:83:6c:a0 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID a18a70a0 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[25637]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:d3:83 via eth1 TransID 3ca1e0b7: unknown lease 192.168.0.4. +<30>Apr 6 10:13:31 infoblox.localdomain dhcpd[22730]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 542900fa uid 01:00:50:56:83:6c:a0: database update failed +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[30827]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:96:03 via eth1 TransID 9cf7c9e9: ignored (not authoritative). 
+<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID 2d422d0c +<30>Mar 31 15:30:06 10.0.0.1 dhcpd[15752]: DHCPREQUEST for 192.168.0.4 from 9a:df:6e:f6:1f:23 via 172.26.0.1 TransID 15ca711f uid 01:9a:df:6e:f6:1f:23 (RENEW) +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:00:00:00:00:00 via 192.168.0.3 TransID 01000000 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[17530]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 +<30>Mar 27 08:32:59 10.0.0.1 dhcpd[15752]: DHCPACK on 192.168.0.4 to 9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23 +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPACK on 192.168.0.4 to 00:00:00:00:00:00 (h000000000000) via eth1 relay 192.168.0.3 lease-duration 43200 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPACK on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 43200 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 (not found) TransID 665fd9f1 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0 +<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 
5713b740 +<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via eth2 TransID 5713b740 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 78563412: not authoritative for subnet 10.0.0.0 +<30>Mar 18 11:44:52 10.0.0.1 dhcpd[32243]: DHCPDECLINE of 192.168.0.4 from 34:29:8f:71:b8:99 via 10.10.4.1 TransID 00000000: not found +<30>Mar 7 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPDECLINE of 192.168.0.4 from 00:c0:dd:07:18:e2 via 192.168.0.2: abandoned\n +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPNAK on 192.168.0.4 to f4:30:b9:17:ab:0e via 192.168.0.2 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPLEASEQUERY from 192.168.0.4: LEASEQUERY not allowed, query ignored +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPOFFER some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPREQUEST some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPACK some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPEXPIRE some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPINFORM some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDECLINE some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPNAK some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPLEASEQUERY some text +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: some text \ No newline at end of file diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dhcp.log-expected.json b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dhcp.log-expected.json new file mode 100644 index 00000000000..3c5965e53a7 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dhcp.log-expected.json 
@@ -0,0 +1,2534 @@ +{ + "expected": [ + { + "@timestamp": "2022-04-18T05:02:05.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-81-14-6C" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-04-18T05:02:05.000Z", + "original": "\u003c30\u003eApr 18 05:02:05 10.50.1.227 dhcpd[2301]: DHCPREQUEST for 192.168.0.4 from 00:50:56:81:14:6c via eth3" + }, + "host": { + "ip": "10.50.1.227" + }, + "infoblox_nios": { + "log": { + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 from 00:50:56:81:14:6c via eth3", + "process": { + "pid": 2301 + }, + "related": { + "ip": [ + "192.168.0.4", + "10.50.1.227" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-18T05:02:05.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-81-14-6C" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-04-18T05:02:05.000Z", + "original": "\u003c30\u003eApr 18 05:02:05 10.50.1.227 dhcpd[2301]: DHCPREQUEST for 192.168.0.4 from 00:50:56:81:14:6c via 192.168.0.2" + }, + "host": { + "ip": "10.50.1.227" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "interface": { + "ip": "192.168.0.2" + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 from 00:50:56:81:14:6c via 192.168.0.2", + "process": { + "pid": 2301 + }, + "related": { + "ip": [ + "192.168.0.4", + "192.168.0.2", + "10.50.1.227" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpdiscover", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain 
dhcpd[1761]: DHCPDISCOVER from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID a76ecf84 uid 01:00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "trans_id": "a76ecf84", + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDISCOVER from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID a76ecf84 uid 01:00:50:56:83:6c:a0", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpdiscover", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain 10.0.0.1 dhcpd[7024]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID b5e92c59 uid 01:00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain", + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "trans_id": "b5e92c59", + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID b5e92c59 uid 01:00:50:56:83:6c:a0", + "process": { + "pid": 7024 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "mac": "00-50-56-83-D0-F6" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpdiscover", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 
10.0.0.1 dhcpd[2750]: DHCPDISCOVER from 00:50:56:83:d0:f6 via eth1 TransID 6214ab45: network 10.50.0.0/20: no free leases" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "discover": { + "message": "no free leases" + }, + "network": "10.50.0.0/20", + "trans_id": "6214ab45" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth1" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDISCOVER from 00:50:56:83:d0:f6 via eth1 TransID 6214ab45: network 10.50.0.0/20: no free leases", + "process": { + "pid": 2750 + }, + "related": { + "ip": [ + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpdiscover", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "trans_id": "748f30ab" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab", + "process": { + "pid": 21114 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "mac": "00-00-00-00-00-00" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpdiscover", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPDISCOVER from 00:00:00:00:00:00 (h000000000000) via 192.168.0.2 TransID 01000000" + }, + "host": { + "domain": 
"infoblox_localdomain.com" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "h000000000000", + "interface": { + "ip": "192.168.0.2" + }, + "trans_id": "01000000" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDISCOVER from 00:00:00:00:00:00 (h000000000000) via 192.168.0.2 TransID 01000000", + "process": { + "pid": 29258 + }, + "related": { + "hosts": [ + "h000000000000", + "infoblox_localdomain.com" + ], + "ip": [ + "192.168.0.2" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpoffer", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "lease": { + "duration": 119 + }, + "offered_duration": 1800, + "relay": { + "interface": { + "name": "eth3" + } + }, + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0", + "process": { + "pid": 2567 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": 
"8.2.0" + }, + "event": { + "action": "dhcpoffer", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 120 offered-duration 1800" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "lease": { + "duration": 120 + }, + "offered_duration": 1800, + "relay": { + "interface": { + "name": "eth3" + } + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 120 offered-duration 1800", + "process": { + "pid": 21114 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-31T15:30:05.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "26-9A-76-87-8A-06" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpoffer", + "created": "2022-03-31T15:30:05.000Z", + "original": "\u003c30\u003eMar 31 15:30:05 10.0.0.1 dhcpd[15752]: DHCPOFFER on 192.168.0.4 to 26:9a:76:87:8a:06 via eth2 relay 192.168.0.3 lease-duration 1795 uid 01:26:9a:76:87:8a:06" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "lease": { + "duration": 1795 + }, + "relay": { + "interface": { + "ip": "192.168.0.3" + } + }, + "uid": "01:26:9a:76:87:8a:06" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth2" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPOFFER on 192.168.0.4 to 26:9a:76:87:8a:06 via eth2 relay 192.168.0.3 lease-duration 1795 uid 01:26:9a:76:87:8a:06", + "process": { + "pid": 15752 + }, + "related": 
{ + "ip": [ + "192.168.0.4", + "192.168.0.3", + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-00-00-00-00-00" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpoffer", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPOFFER on 192.168.0.4 to 00:00:00:00:00:00 via eth1 relay 192.168.0.3 lease-duration 43137 offered-duration 43200" + }, + "host": { + "domain": "infoblox_localdomain.com" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "lease": { + "duration": 43137 + }, + "offered_duration": 43200, + "relay": { + "interface": { + "ip": "192.168.0.3" + } + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth1" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPOFFER on 192.168.0.4 to 00:00:00:00:00:00 via eth1 relay 192.168.0.3 lease-duration 43137 offered-duration 43200", + "process": { + "pid": 29258 + }, + "related": { + "hosts": [ + "infoblox_localdomain.com" + ], + "ip": [ + "192.168.0.4", + "192.168.0.3" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "CC-BB-CC-DD-EE-FF" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpoffer", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPOFFER on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 120" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "lease": { + "duration": 120 + }, + "relay": { + "interface": { + "ip": "192.168.0.3" + } + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth1" + }, + "log": { + "syslog": { + 
"priority": 30 + } + }, + "message": "DHCPOFFER on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 120", + "process": { + "pid": 6939 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.3" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54737448 uid 01:00:50:56:83:6c:a0 (RENEW)" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "lease": { + "message": "RENEW" + }, + "router": { + "ip": "192.168.0.1" + }, + "trans_id": "54737448", + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54737448 uid 01:00:50:56:83:6c:a0 (RENEW)", + "process": { + "pid": 2567 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 8767dc3c uid 
01:00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "router": { + "ip": "192.168.0.1" + }, + "trans_id": "8767dc3c", + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 8767dc3c uid 01:00:50:56:83:6c:a0", + "process": { + "pid": 2567 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54ade258 uid 01:00:50:56:83:6c:a0 (RENEW)" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "lease": { + "message": "RENEW" + }, + "trans_id": "54ade258", + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54ade258 uid 01:00:50:56:83:6c:a0 (RENEW)", + "process": { + "pid": 4495 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": 
"192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID a18a70a0 uid 01:00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "trans_id": "a18a70a0", + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID a18a70a0 uid 01:00:50:56:83:6c:a0", + "process": { + "pid": 4495 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-D3-83" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[25637]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:d3:83 via eth1 TransID 3ca1e0b7: unknown lease 192.168.0.4." + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "request": { + "message": "unknown lease 192.168.0.4." 
+ }, + "router": { + "ip": "192.168.0.1" + }, + "trans_id": "3ca1e0b7" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth1" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:d3:83 via eth1 TransID 3ca1e0b7: unknown lease 192.168.0.4.", + "process": { + "pid": 25637 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-06T10:13:31.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-04-06T10:13:31.000Z", + "original": "\u003c30\u003eApr 6 10:13:31 infoblox.localdomain dhcpd[22730]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 542900fa uid 01:00:50:56:83:6c:a0: database update failed" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "request": { + "message": "database update failed" + }, + "trans_id": "542900fa", + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 542900fa uid 01:00:50:56:83:6c:a0: database update failed", + "process": { + "pid": 22730 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + 
"original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "router": { + "ip": "192.168.0.1" + }, + "trans_id": "748f30ab" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab", + "process": { + "pid": 21114 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-96-03" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[30827]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:96:03 via eth1 TransID 9cf7c9e9: ignored (not authoritative)." + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "request": { + "message": "ignored (not authoritative)." 
+ }, + "trans_id": "9cf7c9e9" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth1" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 from 00:50:56:83:96:03 via eth1 TransID 9cf7c9e9: ignored (not authoritative).", + "process": { + "pid": 30827 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID 2d422d0c" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "trans_id": "2d422d0c" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID 2d422d0c", + "process": { + "pid": 21114 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-31T15:30:06.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "9A-DF-6E-F6-1F-23" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-31T15:30:06.000Z", + "original": "\u003c30\u003eMar 31 15:30:06 10.0.0.1 dhcpd[15752]: DHCPREQUEST for 192.168.0.4 from 9a:df:6e:f6:1f:23 via 172.26.0.1 TransID 15ca711f uid 01:9a:df:6e:f6:1f:23 (RENEW)" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "interface": { + "ip": "172.26.0.1" + }, + "lease": { + "message": 
"RENEW" + }, + "trans_id": "15ca711f", + "uid": "01:9a:df:6e:f6:1f:23" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 from 9a:df:6e:f6:1f:23 via 172.26.0.1 TransID 15ca711f uid 01:9a:df:6e:f6:1f:23 (RENEW)", + "process": { + "pid": 15752 + }, + "related": { + "ip": [ + "192.168.0.4", + "172.26.0.1", + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-00-00-00-00-00" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprequest", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:00:00:00:00:00 via 192.168.0.3 TransID 01000000 (RENEW)" + }, + "host": { + "domain": "infoblox_localdomain.com" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "interface": { + "ip": "192.168.0.3" + }, + "lease": { + "message": "RENEW" + }, + "router": { + "ip": "192.168.0.1" + }, + "trans_id": "01000000" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:00:00:00:00:00 via 192.168.0.3 TransID 01000000 (RENEW)", + "process": { + "pid": 29258 + }, + "related": { + "hosts": [ + "infoblox_localdomain.com" + ], + "ip": [ + "192.168.0.4", + "192.168.0.1", + "192.168.0.3" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpack", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[17530]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 
lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "lease": { + "duration": 1800, + "message": "RENEW" + }, + "relay": { + "interface": { + "name": "eth3" + } + }, + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0", + "process": { + "pid": 17530 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpack", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 uid 01:00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "lease": { + "duration": 1800 + }, + "relay": { + "interface": { + "name": "eth3" + } + }, + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 uid 01:00:50:56:83:6c:a0", + "process": { + "pid": 2567 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + 
"preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpack", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "lease": { + "duration": 1800 + }, + "relay": { + "interface": { + "name": "eth3" + } + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800", + "process": { + "pid": 21114 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "9A-DF-6E-F6-1F-23" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpack", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 10.0.0.1 dhcpd[15752]: DHCPACK on 192.168.0.4 to 9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "lease": { + "duration": 7257600, + "message": "RENEW" + }, + "relay": { + "interface": { + "ip": "192.168.0.3" + } + }, + "uid": "01:9a:df:6e:f6:1f:23" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth2" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPACK on 192.168.0.4 to 
9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23", + "process": { + "pid": 15752 + }, + "related": { + "ip": [ + "192.168.0.4", + "192.168.0.3", + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-00-00-00-00-00" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpack", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPACK on 192.168.0.4 to 00:00:00:00:00:00 (h000000000000) via eth1 relay 192.168.0.3 lease-duration 43200 (RENEW)" + }, + "host": { + "domain": "infoblox_localdomain.com" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "h000000000000", + "lease": { + "duration": 43200, + "message": "RENEW" + }, + "relay": { + "interface": { + "ip": "192.168.0.3" + } + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth1" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPACK on 192.168.0.4 to 00:00:00:00:00:00 (h000000000000) via eth1 relay 192.168.0.3 lease-duration 43200 (RENEW)", + "process": { + "pid": 29258 + }, + "related": { + "hosts": [ + "h000000000000", + "infoblox_localdomain.com" + ], + "ip": [ + "192.168.0.4", + "192.168.0.3" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "CC-BB-CC-DD-EE-FF" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpack", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPACK on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 43200" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "lease": { + "duration": 
43200 + }, + "relay": { + "interface": { + "ip": "192.168.0.3" + } + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth1" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPACK on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 43200", + "process": { + "pid": 6939 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.3" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprelease", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "client_hostname": "DESKTOP-ABCD", + "release": { + "info": "found" + }, + "trans_id": "0286f3d0", + "uid": "01:00:50:56:83:6c:a0" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "DESKTOP-ABCD", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcprelease", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[21114]: 
DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 (not found) TransID 665fd9f1" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "release": { + "info": "not found" + }, + "trans_id": "665fd9f1" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth3" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 (not found) TransID 665fd9f1", + "process": { + "pid": 21114 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-50-56-83-6C-A0" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpexpire", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0", + "process": { + "pid": 20397 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-18T13:35:15.000Z", + "client": { + "ip": "192.168.0.4" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpinform", + "created": "2022-03-18T13:35:15.000Z", + "original": "\u003c30\u003eMar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 5713b740" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "interface": { + "ip": "192.168.0.2" + }, + "trans_id": "5713b740" + }, + "service_name": 
"dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 5713b740", + "process": { + "pid": 18078 + }, + "related": { + "ip": [ + "192.168.0.4", + "192.168.0.2", + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-18T13:35:15.000Z", + "client": { + "ip": "192.168.0.4" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpinform", + "created": "2022-03-18T13:35:15.000Z", + "original": "\u003c30\u003eMar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via eth2 TransID 5713b740" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "trans_id": "5713b740" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "interface": { + "name": "eth2" + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPINFORM from 192.168.0.4 via eth2 TransID 5713b740", + "process": { + "pid": 18078 + }, + "related": { + "ip": [ + "192.168.0.4", + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpinform", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 78563412: not authoritative for subnet 10.0.0.0" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "inform": { + "message": "not authoritative for subnet 10.0.0.0" + }, + "interface": { + "ip": "192.168.0.2" + }, + "trans_id": "78563412" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 78563412: not authoritative for subnet 10.0.0.0", + "process": 
{ + "pid": 6939 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.2" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-18T11:44:52.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "34-29-8F-71-B8-99" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpdecline", + "created": "2022-03-18T11:44:52.000Z", + "original": "\u003c30\u003eMar 18 11:44:52 10.0.0.1 dhcpd[32243]: DHCPDECLINE of 192.168.0.4 from 34:29:8f:71:b8:99 via 10.10.4.1 TransID 00000000: not found" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "decline": { + "message": "not found" + }, + "interface": { + "ip": "10.10.4.1" + }, + "trans_id": "00000000" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDECLINE of 192.168.0.4 from 34:29:8f:71:b8:99 via 10.10.4.1 TransID 00000000: not found", + "process": { + "pid": 32243 + }, + "related": { + "ip": [ + "192.168.0.4", + "10.10.4.1", + "10.0.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-07T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "00-C0-DD-07-18-E2" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpdecline", + "created": "2022-03-07T08:32:59.000Z", + "original": "\u003c30\u003eMar 7 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPDECLINE of 192.168.0.4 from 00:c0:dd:07:18:e2 via 192.168.0.2: abandoned\\n" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "decline": { + "message": "abandoned\\n" + }, + "interface": { + "ip": "192.168.0.2" + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDECLINE of 192.168.0.4 from 00:c0:dd:07:18:e2 via 192.168.0.2: abandoned\\n", + "process": { + "pid": 20397 + }, + "related": { 
+ "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.2" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4", + "mac": "F4-30-B9-17-AB-0E" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpnak", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPNAK on 192.168.0.4 to f4:30:b9:17:ab:0e via 192.168.0.2" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "interface": { + "ip": "192.168.0.2" + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPNAK on 192.168.0.4 to f4:30:b9:17:ab:0e via 192.168.0.2", + "process": { + "pid": 20397 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4", + "192.168.0.2" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "client": { + "ip": "192.168.0.4" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "action": "dhcpleasequery", + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPLEASEQUERY from 192.168.0.4: LEASEQUERY not allowed, query ignored" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "lease_query": { + "message": "LEASEQUERY not allowed, query ignored" + } + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPLEASEQUERY from 192.168.0.4: LEASEQUERY not allowed, query ignored", + "process": { + "pid": 6939 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.4" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", 
+ "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPDISCOVER some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDISCOVER some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPOFFER some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPOFFER some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPOFFER some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPREQUEST some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPREQUEST some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPREQUEST some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPACK some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPACK some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPACK some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPRELEASE some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPRELEASE some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPEXPIRE some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPEXPIRE some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPEXPIRE some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPINFORM some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPINFORM some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPINFORM some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDECLINE some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPDECLINE some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPDECLINE some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPNAK some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPNAK some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPNAK some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": 
"2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPLEASEQUERY some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "DHCPLEASEQUERY some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "DHCPLEASEQUERY some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-03-27T08:32:59.000Z", + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-27T08:32:59.000Z", + "original": "\u003c30\u003eMar 27 08:32:59 infoblox.localdomain dhcpd[1761]: some text" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dhcp": { + "message": "some text" + }, + "service_name": "dhcpd", + "type": "DHCP" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "some text", + "process": { + "pid": 1761 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log new file mode 100644 index 00000000000..1b56179b413 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log 
@@ -0,0 +1,24 @@ +<30>Mar 11 23:51:31 infoblox.localdomain named[11042]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A foo.com; a1.foo.com 28800 IN A 0.0.0.0; +<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED - +<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com 28800 IN A 192.168.0.3; +<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED +<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3; +<30>Mar 9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288 +<30>Mar 9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1) +<30>Mar 11 23:51:31 infoblox.localdomain named[27014]: rpz: rpz1.com: reload start +<30>Mar 11 23:51:31 infoblox.localdomain named[29914]: client @0x7ff42c168b50 192.168.0.1#50460 (test.com): rewriting query name 'test.com' to 'query123-10-120-20-93.test.com', type A +<30>Mar 11 23:51:31 infoblox.localdomain named[19204]: client @0x7fec7c11dab0 192.168.0.1#36483: updating zone 'test1.com/IN': adding an RR at 'a6.test1.com' A 192.168.0.2 +<30>Mar 11 23:51:31 infoblox.localdomain named[28468]: CEF:0|Infoblox|NIOS|8.6.2-49634-e88e9df276a8|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=192.168.0.1 src=192.168.0.1 spt=51424 view=_default qtype=A msg="rpz QNAME NXDOMAIN rewrite nxd1.com 
[A] via nxd1.com.rpz1.com" CAT=RPZ +<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: zone local_7.com/IN: notify from 192.168.0.1#46982: zone is up to date +<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: responses: client @0x7fb550117f90 192.168.0.1#46982: received notify for zone 'local_14.com' +<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer status: success +<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec) +<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR started (serial 3) +<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR ended +<30>Mar 11 23:51:31 infoblox.localdomain named[30325]: resolver priming query complete +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com' +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/NSEC: bad cache hit (test.com/DNSKEY) +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating hostrec3.test.com/NSEC: bad cache hit (test.com/DNSKEY) +<30>Apr 14 16:17:20 10.50.1.227 named[2588]: infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.1.90#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED - +<30>Apr 14 16:16:05 10.50.1.227 named[2588]: queries: client @0x7f97e40eb500 192.168.1.90#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10) +<30>Apr 14 16:16:05 10.50.1.227 named[2588]: query-errors: client @0x7f97e40eb500 192.168.1.90#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288 \ No newline at 
end of file diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json new file mode 100644 index 00000000000..dbfb5bb2e90 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/pipeline/test-dns.log-expected.json 
@@ -0,0 +1,1298 @@ +{ + "expected": [ + { + "@timestamp": "2022-04-07T08:08:10.043Z", + "client": { + "ip": "192.168.0.1", + "port": 57398 + }, + "dns": { + "answers": { + "class": [ + "IN", + "IN" + ], + "data": [ + "foo.com", + "0.0.0.0" + ], + "name": [ + "a1.foo.com", + "a1.foo.com" + ], + "ttl": [ + 28800, + 28800 + ], + "type": [ + "A", + "A" + ] + }, + "header_flags": "+ED", + "question": { + "class": "IN", + "name": "a1.foo.com", + "type": "A" + }, + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[11042]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A foo.com; a1.foo.com 28800 IN A 0.0.0.0;" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A foo.com; a1.foo.com 28800 IN A 0.0.0.0;", + "network": { + "transport": "udp" + }, + "process": { + "pid": 11042 + }, + "related": { + "hosts": [ + "foo.com", + "a1.foo.com", + "infoblox.localdomain" + ], + "ip": [ + "0.0.0.0", + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-07T08:08:10.043Z", + "client": { + "ip": "192.168.0.1", + "port": 50565 + }, + "dns": { + "header_flags": "-", + "question": { + "class": "IN", + "name": "test.com", + "type": "A" + }, + "response_code": "REFUSED" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c45\u003eMar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED -" + }, + "host": { + 
"domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 45 + } + }, + "message": "07-Apr-2022 08:08:10.043 client 192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED -", + "network": { + "transport": "udp" + }, + "process": { + "pid": 17742 + }, + "related": { + "hosts": [ + "test.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-07T08:08:10.043Z", + "client": { + "ip": "192.168.0.1", + "port": 57398 + }, + "dns": { + "answers": { + "class": [ + "IN" + ], + "data": [ + "192.168.0.3" + ], + "name": [ + "a2.foo.com" + ], + "ttl": [ + 28800 + ], + "type": [ + "A" + ] + }, + "header_flags": "+AED", + "question": { + "class": "IN", + "name": "a2.foo.com", + "type": "A" + }, + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com 28800 IN A 192.168.0.3;" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com 28800 IN A 192.168.0.3;", + "network": { + "transport": "udp" + }, + "process": { + "pid": 17742 + }, + "related": { + "hosts": [ + "a2.foo.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.3", + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-07T08:08:10.043Z", + "client": { + "ip": "192.168.0.1", + "port": 57398 + }, + "dns": { + "header_flags": "+ED", + "question": { + "class": 
"IN", + "name": "non-exist.foo.com", + "type": "A" + }, + "response_code": "NXDOMAIN" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED", + "network": { + "transport": "udp" + }, + "process": { + "pid": 17742 + }, + "related": { + "hosts": [ + "non-exist.foo.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-07T08:08:10.043Z", + "client": { + "ip": "192.168.0.1", + "port": 57398 + }, + "dns": { + "answers": { + "class": [ + "IN", + "IN" + ], + "data": [ + "192.168.0.2", + "192.168.0.3" + ], + "name": [ + "a1.foo.com", + "a1.foo.com" + ], + "ttl": [ + 28800, + 28800 + ], + "type": [ + "A", + "A" + ] + }, + "header_flags": "+ED", + "question": { + "class": "IN", + "name": "a1.foo.com", + "type": "A" + }, + "response_code": "NOERROR" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c45\u003eMar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3;" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 45 + } + }, + "message": "07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: 
query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3;", + "network": { + "transport": "udp" + }, + "process": { + "pid": 17742 + }, + "related": { + "hosts": [ + "a1.foo.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.3", + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "domain": "config.nos-avg.cz", + "ip": "192.168.0.1", + "port": 59735 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-09T23:59:59.000Z", + "original": "\u003c30\u003eMar 9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "(REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288", + "process": { + "pid": 17742 + }, + "related": { + "hosts": [ + "config.nos-avg.cz", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "domain": "config.nos-avg.cz", + "ip": "192.168.0.1", + "port": 59735 + }, + "dns": { + "header_flags": "+", + "question": { + "class": "IN", + "name": "config.nos-avg.cz", + "type": "TXT" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-09T23:59:59.000Z", + "original": "\u003c30\u003eMar 9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1)" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "service_name": 
"named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1)", + "process": { + "pid": 17742 + }, + "related": { + "hosts": [ + "config.nos-avg.cz", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "server": { + "ip": "192.168.0.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[27014]: rpz: rpz1.com: reload start" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "rpz: rpz1.com: reload start" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "rpz: rpz1.com: reload start", + "process": { + "pid": 27014 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "ip": "192.168.0.1", + "port": 50460 + }, + "dns": { + "question": { + "type": "A" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[29914]: client @0x7ff42c168b50 192.168.0.1#50460 (test.com): rewriting query name 'test.com' to 'query123-10-120-20-93.test.com', type A" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "after_query": "query123-10-120-20-93.test.com", + "before_query": "test.com" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "client @0x7ff42c168b50 192.168.0.1#50460 (test.com): rewriting query name 'test.com' to 'query123-10-120-20-93.test.com', type A", + "process": { + "pid": 29914 + }, + "related": { + 
"hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "ip": "192.168.0.1", + "port": 36483 + }, + "dns": { + "question": { + "class": "IN", + "name": "test1.com" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[19204]: client @0x7fec7c11dab0 192.168.0.1#36483: updating zone 'test1.com/IN': adding an RR at 'a6.test1.com' A 192.168.0.2" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "adding an RR at 'a6.test1.com' A 192.168.0.2" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "client @0x7fec7c11dab0 192.168.0.1#36483: updating zone 'test1.com/IN': adding an RR at 'a6.test1.com' A 192.168.0.2", + "process": { + "pid": 19204 + }, + "related": { + "hosts": [ + "test1.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "ip": "192.168.0.1", + "port": 51424 + }, + "dns": { + "answers": { + "type": "QNAME" + }, + "question": { + "type": "A" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[28468]: CEF:0|Infoblox|NIOS|8.6.2-49634-e88e9df276a8|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=192.168.0.1 src=192.168.0.1 spt=51424 view=_default qtype=A msg=\"rpz QNAME NXDOMAIN rewrite nxd1.com [A] via nxd1.com.rpz1.com\" CAT=RPZ" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "answers_policy": "NXDOMAIN", + "message": "\"rpz QNAME NXDOMAIN rewrite nxd1.com [A] via nxd1.com.rpz1.com\" CAT=RPZ", + "version": "8.6.2-49634-e88e9df276a8", + "view_name": "_default" + }, + "service_name": 
"named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "CEF:0|Infoblox|NIOS|8.6.2-49634-e88e9df276a8|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=192.168.0.1 src=192.168.0.1 spt=51424 view=_default qtype=A msg=\"rpz QNAME NXDOMAIN rewrite nxd1.com [A] via nxd1.com.rpz1.com\" CAT=RPZ", + "process": { + "pid": 28468 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "server": { + "ip": "192.168.0.1" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "ip": "192.168.0.1", + "port": 46982 + }, + "dns": { + "question": { + "class": "IN", + "name": "local_7.com" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[7741]: zone local_7.com/IN: notify from 192.168.0.1#46982: zone is up to date" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "zone is up to date" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "zone local_7.com/IN: notify from 192.168.0.1#46982: zone is up to date", + "process": { + "pid": 7741 + }, + "related": { + "hosts": [ + "local_7.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "ip": "192.168.0.1", + "port": 46982 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[7741]: responses: client @0x7fb550117f90 192.168.0.1#46982: received notify for zone 'local_14.com'" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "category": "responses", + "message": "received notify for zone 'local_14.com'" + }, + "service_name": "named", + "type": "DNS" + } + 
}, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "responses: client @0x7fb550117f90 192.168.0.1#46982: received notify for zone 'local_14.com'", + "process": { + "pid": 7741 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "ip": "192.168.0.1", + "port": 53 + }, + "dns": { + "question": { + "class": "IN", + "name": "test.com" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer status: success" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "Transfer status: success" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "transfer of 'test.com/IN' from 192.168.0.1#53: Transfer status: success", + "process": { + "pid": 15242 + }, + "related": { + "hosts": [ + "test.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "ip": "192.168.0.1", + "port": 53 + }, + "dns": { + "question": { + "class": "IN", + "name": "test.com" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec)" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec)" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": 
"transfer of 'test.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec)", + "process": { + "pid": 15242 + }, + "related": { + "hosts": [ + "test.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "domain": "test.com", + "ip": "192.168.0.1", + "port": 57027 + }, + "dns": { + "question": { + "class": "IN", + "name": "test.com" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR started (serial 3)" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "AXFR started (serial 3)" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR started (serial 3)", + "process": { + "pid": 56199 + }, + "related": { + "hosts": [ + "test.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "domain": "test.com", + "ip": "192.168.0.1", + "port": 57027 + }, + "dns": { + "question": { + "class": "IN", + "name": "test.com" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR ended" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "AXFR ended" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "client 
@0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR ended", + "process": { + "pid": 56199 + }, + "related": { + "hosts": [ + "test.com", + "infoblox.localdomain" + ], + "ip": [ + "192.168.0.1" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[30325]: resolver priming query complete" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "resolver priming query complete" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "resolver priming query complete", + "process": { + "pid": 30325 + }, + "related": { + "hosts": [ + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "dns": { + "question": { + "name": "test.com", + "type": "DNSKEY" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com'" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com'" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "validating test.com/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com'", + "process": { + "pid": 1127 + }, + "related": { + "hosts": [ + "test.com", + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "dns": { + "question": { + "name": "test.com", 
+ "type": "NSEC" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/NSEC: bad cache hit (test.com/DNSKEY)" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "bad cache hit (test.com/DNSKEY)" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "validating test.com/NSEC: bad cache hit (test.com/DNSKEY)", + "process": { + "pid": 1127 + }, + "related": { + "hosts": [ + "test.com", + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "dns": { + "question": { + "name": "hostrec3.test.com", + "type": "NSEC" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-03-11T23:51:31.000Z", + "original": "\u003c30\u003eMar 11 23:51:31 infoblox.localdomain named[1127]: validating hostrec3.test.com/NSEC: bad cache hit (test.com/DNSKEY)" + }, + "host": { + "domain": "infoblox.localdomain" + }, + "infoblox_nios": { + "log": { + "dns": { + "message": "bad cache hit (test.com/DNSKEY)" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "validating hostrec3.test.com/NSEC: bad cache hit (test.com/DNSKEY)", + "process": { + "pid": 1127 + }, + "related": { + "hosts": [ + "hostrec3.test.com", + "infoblox.localdomain" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2022-04-14T16:17:20.046Z", + "client": { + "ip": "192.168.1.90", + "port": 57738 + }, + "dns": { + "header_flags": "-", + "question": { + "class": "IN", + "name": "settings-win.data.microsoft.com", + "type": "A" + }, + "response_code": "REFUSED" + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-04-14T16:17:20.000Z", + "original": "\u003c30\u003eApr 14 16:17:20 10.50.1.227 
named[2588]: infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.1.90#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED -" + }, + "host": { + "ip": "10.50.1.227" + }, + "infoblox_nios": { + "log": { + "dns": { + "category": "infoblox-responses" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.1.90#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED -", + "network": { + "transport": "udp" + }, + "process": { + "pid": 2588 + }, + "related": { + "hosts": [ + "settings-win.data.microsoft.com" + ], + "ip": [ + "192.168.1.90", + "10.50.1.227" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "domain": "ocsp.digicert.com", + "ip": "192.168.1.90", + "port": 64727 + }, + "dns": { + "header_flags": "+", + "question": { + "class": "IN", + "name": "ocsp.digicert.com", + "type": "A" + } + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "created": "2022-04-14T16:16:05.000Z", + "original": "\u003c30\u003eApr 14 16:16:05 10.50.1.227 named[2588]: queries: client @0x7f97e40eb500 192.168.1.90#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10)" + }, + "host": { + "ip": "10.50.1.227" + }, + "infoblox_nios": { + "log": { + "dns": { + "category": "queries" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "queries: client @0x7f97e40eb500 192.168.1.90#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10)", + "process": { + "pid": 2588 + }, + "related": { + "hosts": [ + "ocsp.digicert.com" + ], + "ip": [ + "192.168.1.90", + "192.168.1.10", + "10.50.1.227" + ] + }, + "server": { + "ip": "192.168.1.10" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "client": { + "domain": "ocsp.digicert.com", + "ip": "192.168.1.90", + "port": 64727 + }, + "ecs": { + 
"version": "8.2.0" + }, + "event": { + "created": "2022-04-14T16:16:05.000Z", + "original": "\u003c30\u003eApr 14 16:16:05 10.50.1.227 named[2588]: query-errors: client @0x7f97e40eb500 192.168.1.90#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288" + }, + "host": { + "ip": "10.50.1.227" + }, + "infoblox_nios": { + "log": { + "dns": { + "category": "query-errors", + "message": "(REFUSED) for ocsp.digicert.com/IN/A at query.c:10288" + }, + "service_name": "named", + "type": "DNS" + } + }, + "log": { + "syslog": { + "priority": 30 + } + }, + "message": "query-errors: client @0x7f97e40eb500 192.168.1.90#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288", + "process": { + "pid": 2588 + }, + "related": { + "hosts": [ + "ocsp.digicert.com" + ], + "ip": [ + "192.168.1.90", + "10.50.1.227" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-tcp-config.yml b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-tcp-config.yml new file mode 100644 index 00000000000..bfcaeca6ed8 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-tcp-config.yml @@ -0,0 +1,8 @@ +service: infoblox_nios-log-tcp +service_notify_signal: SIGHUP +input: tcp +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9027 diff --git a/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-config.yml b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-config.yml new file mode 100644 index 00000000000..d933381a067 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/_dev/test/system/test-udp-config.yml @@ -0,0 +1,8 @@ +service: infoblox_nios-log-udp +service_notify_signal: SIGHUP +input: udp +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9028 
diff --git a/packages/infoblox_nios/data_stream/log/agent/stream/tcp.yml.hbs b/packages/infoblox_nios/data_stream/log/agent/stream/tcp.yml.hbs new file mode 100644 index 00000000000..bb13c4892cf --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/agent/stream/tcp.yml.hbs @@ -0,0 +1,18 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/infoblox_nios/data_stream/log/agent/stream/udp.yml.hbs b/packages/infoblox_nios/data_stream/log/agent/stream/udp.yml.hbs new file mode 100644 index 00000000000..6030fce0e43 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/agent/stream/udp.yml.hbs @@ -0,0 +1,15 @@ +host: "{{listen_address}}:{{listen_port}}" +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..19bb214c9f7 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,94 @@ +--- +description: Pipeline for parsing Infoblox NIOS logs. +processors: + - rename: + field: message + target_field: event.original + ignore_missing: true + - set: + field: ecs.version + value: '8.2.0' + - grok: + field: event.original + patterns: + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\\s+%{NOTSPACE:host.domain}\\s+%{IP:host.ip}\\s+%{DATA:infoblox_nios.log.service_name}\\[?%{NUMBER:process.pid:long}?\\]?:\\s+%{GREEDYDATA:message}$" + - "^<%{NUMBER:log.syslog.priority:long}>%{SYSLOGTIMESTAMP:event.created}\\s+(%{IP:host.ip}|%{NOTSPACE:host.domain})\\s+%{DATA:infoblox_nios.log.service_name}\\[?%{NUMBER:process.pid:long}?\\]?:\\s+%{GREEDYDATA:message}$" + - "^%{GREEDYDATA:message}$" + - date: + field: event.created + target_field: event.created + formats: + - MMM d HH:mm:ss + - MMM dd HH:mm:ss + - MMM d HH:mm:ss + - dd-MMM-yyyy HH:mm:ss.SSS + ignore_failure: true + - set: + field: infoblox_nios.log.type + value: 'DHCP' + if: ctx.infoblox_nios?.log?.service_name == "dhcpd" + - set: + field: infoblox_nios.log.type + value: 'DNS' + if: ctx.infoblox_nios?.log?.service_name == "named" + - set: + field: infoblox_nios.log.type + value: 'AUDIT' + if: ctx.infoblox_nios?.log?.service_name == "httpd" + - pipeline: + name: '{{ IngestPipeline "pipeline_audit" }}' + if: ctx.infoblox_nios?.log?.type == "AUDIT" + - pipeline: + name: '{{ IngestPipeline "pipeline_dhcp" }}' + if: ctx.infoblox_nios?.log?.type == "DHCP" + - pipeline: + name: '{{ IngestPipeline "pipeline_dns" }}' + if: ctx.infoblox_nios?.log?.type == "DNS" + - append: + field: related.ip + value: '{{{host.ip}}}' + if: ctx.host?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{host.domain}}}' + if: ctx.host?.domain != null + allow_duplicates: false + ignore_failure: true + - append: + field: host.ip + value: '{{{host.ip}}}' + if: ctx.host?.ip != null + allow_duplicates: false + ignore_failure: true + - lowercase: 
+ field: event.action + if: ctx.event?.action != null + ignore_failure: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: | + boolean drop(Object o) { + if (o == null || o == "") { + return true; + } else if (o instanceof Map) { + ((Map) o).values().removeIf(v -> drop(v)); + return (((Map) o).size() == 0); + } else if (o instanceof List) { + ((List) o).removeIf(v -> drop(v)); + return (((List) o).length == 0); + } + return false; + } + drop(ctx); + - remove: + field: event.original + if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true +on_failure: + - set: + field: error.message + value: '{{{_ingest.on_failure_message}}}' diff --git a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml new file mode 100644 index 00000000000..39fec54d87f --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_audit.yml 
@@ -0,0 +1,121 @@ +--- +description: Pipeline for parsing Infoblox NIOS Audit logs. +processors: + - grok: + field: message + if: ctx.message.contains("Created") || ctx.message.contains("Modified") || ctx.message.contains("Deleted") + patterns: + - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{DATA:infoblox_nios.log.audit.object.name} %{DATA:infoblox_nios.log.audit.object.value}:? %{GREEDYDATA:infoblox_nios.log.audit.message}$" + - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{GREEDYDATA:infoblox_nios.log.audit.message}$" + - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$" + - grok: + field: message + if: ctx.message.contains("Called") + patterns: + - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - %{WORD:infoblox_nios.log.audit.object.name}:? %{GREEDYDATA:infoblox_nios.log.audit.message}$" + - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - %{GREEDYDATA:infoblox_nios.log.audit.message}$" + - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$" + - grok: + field: message + if: ctx.event?.action == null + patterns: + - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} - - %{GREEDYDATA:details}$" + - "^%{GREEDYDATA:timestamp} \\[%{DATA:user.name}\\]: %{DATA:event.action} %{GREEDYDATA:infoblox_nios.log.audit.message}$" + - "^%{GREEDYDATA:timestamp} %{GREEDYDATA:infoblox_nios.log.audit.message}$" + - "^%{GREEDYDATA:infoblox_nios.log.audit.message}$" + - date: + field: timestamp + target_field: '@timestamp' + formats: + - dd-MMM-yyyy HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSS'Z' + ignore_failure: true + - kv: + field: details + target_field: audit + field_split: ' ' + value_split: '=' + ignore_missing: true + - lowercase: + field: event.action + if: ctx.event?.action != null + ignore_failure: true + - set: + field: event.outcome + if: ctx.event?.action == "login_allowed" + value: 'success' + ignore_failure: true + - append: + field: event.type + 
if: ctx.event?.action == "login_allowed" + value: 'start' + ignore_failure: true + - append: + field: event.category + if: ctx.event?.action == "login_allowed" + value: 'authentication' + ignore_failure: true + - set: + field: event.outcome + if: ctx.event?.action == "login_denied" + value: 'failure' + ignore_failure: true + - append: + field: event.category + if: ctx.event?.action == "login_denied" + value: 'authentication' + ignore_failure: true + - append: + field: event.type + if: ctx.event?.action == "logout" + value: 'end' + ignore_failure: true + - append: + field: event.category + if: ctx.event?.action == "logout" + value: 'authentication' + ignore_failure: true + - script: + description: Add kv fields under the infoblox_nios.log.audit. + lang: painless + if: ctx.audit != null + source: | + if (ctx.infoblox_nios == null) { + ctx["infoblox_nios"] = new HashMap(); + } + if (ctx.infoblox_nios?.log == null) { + ctx.infoblox_nios["log"] = new HashMap(); + } + if (ctx.infoblox_nios?.log?.audit == null) { + ctx.infoblox_nios.log["audit"] = new HashMap(); + } + for (Map.Entry m : ctx.audit.entrySet()) { + def value = m.getValue(); + if (value instanceof String) { + value = value.replace("\\040", " ") + } + ctx.infoblox_nios.log.audit[m.getKey()] = value; + } + - append: + field: related.ip + value: '{{{infoblox_nios.log.audit.ip}}}' + if: ctx.infoblox_nios?.log?.audit?.ip != null + allow_duplicates: false + ignore_failure: true + - gsub: + field: user.name + ignore_missing: true + pattern: '\\040' + replacement: ' ' + - remove: + field: + - details + - audit + - timestamp + ignore_missing: true + - append: + field: related.user + value: '{{{user.name}}}' + if: ctx.user?.name != null + allow_duplicates: false + ignore_failure: true 
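Review bot: the grok conditions `ctx.message.contains("Created") || ...` and `ctx.message.contains("Called")` dereference `ctx.message` without a null check, so a document that reaches pipeline_audit.yml without a `message` field fails with a NullPointerException instead of falling through to the catch-all pattern; guard them as `ctx.message != null && (...)`. The `kv` processor on `details` has no `ignore_failure`, so a single token in the `- - key=value ...` tail that lacks an `=` rejects the whole event; either add `ignore_failure: true` or tighten the preceding grok so only `key=value` pairs land in `details`. Minor: the `Created`/`Modified`/`Deleted` actions get no `event.category`/`event.type` (`configuration` with `creation`/`change`/`deletion` would fit), while the login actions do.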
diff --git a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml new file mode 100644 index 00000000000..71cacc5e803 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml 
@@ -0,0 +1,141 @@ +--- +description: Pipeline for parsing Infoblox NIOS DHCP logs. +processors: + - grok: + field: message + if: ctx.message.contains("DHCPDISCOVER") + patterns: + - "^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: network %{DATA:infoblox_nios.log.dhcp.network}: %{GREEDYDATA:infoblox_nios.log.dhcp.discover.message}$" + - "^%{WORD:event.action} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" + - "^%{WORD:event.action} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.message.contains("DHCPOFFER") + patterns: + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} offered-duration %{NUMBER:infoblox_nios.log.dhcp.offered_duration:long} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} on 
%{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:infoblox_nios.log.dhcp.offered_duration:long}$" + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} offered-duration %{GREEDYDATA:infoblox_nios.log.dhcp.offered_duration:long}$" + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:infoblox_nios.log.dhcp.lease.duration:long}$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.message.contains("DHCPREQUEST") + patterns: + - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{DATA:infoblox_nios.log.dhcp.uid} 
\\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" + - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{DATA:infoblox_nios.log.dhcp.uid} \\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" + - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{DATA:infoblox_nios.log.dhcp.uid}: %{GREEDYDATA:infoblox_nios.log.dhcp.request.message}$" + - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} \\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" + - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{DATA:infoblox_nios.log.dhcp.uid} \\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" + - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: %{GREEDYDATA:infoblox_nios.log.dhcp.request.message}$" + - "^%{WORD:event.action} for %{IP:client.ip} from 
%{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: %{GREEDYDATA:infoblox_nios.log.dhcp.request.message}$" + - "^%{WORD:event.action} for %{IP:client.ip} \\(%{IP:infoblox_nios.log.dhcp.router.ip}\\) from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" + - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" + - "^%{WORD:event.action} for %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name})$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.message.contains("DHCPACK") + patterns: + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} \\(%{DATA:infoblox_nios.log.dhcp.lease.message}\\) uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} \\(%{DATA:infoblox_nios.log.dhcp.lease.message}\\) uid 
%{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} \\(%{GREEDYDATA:infoblox_nios.log.dhcp.lease.message}\\)$" + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{NUMBER:infoblox_nios.log.dhcp.lease.duration:long} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:infoblox_nios.log.dhcp.lease.duration:long}$" + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) relay (%{IP:infoblox_nios.log.dhcp.relay.interface.ip}|%{WORD:infoblox_nios.log.dhcp.relay.interface.name}) lease-duration %{GREEDYDATA:infoblox_nios.log.dhcp.lease.duration:long}$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.message.contains("DHCPRELEASE") + patterns: + - "^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} \\(%{DATA:infoblox_nios.log.dhcp.client_hostname}\\) via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) \\(%{DATA:infoblox_nios.log.dhcp.release.info}\\) TransID 
%{DATA:infoblox_nios.log.dhcp.trans_id} uid %{GREEDYDATA:infoblox_nios.log.dhcp.uid}$" + - "^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) \\(%{DATA:infoblox_nios.log.dhcp.release.info}\\) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.message.contains("DHCPEXPIRE") + patterns: + - "^%{WORD:event.action} on %{IP:client.ip} to %{GREEDYDATA:client.mac}$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.message.contains("DHCPINFORM") + patterns: + - "^%{WORD:event.action} from %{IP:client.ip} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: %{GREEDYDATA:infoblox_nios.log.dhcp.inform.message}$" + - "^%{WORD:event.action} from %{IP:client.ip} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{GREEDYDATA:infoblox_nios.log.dhcp.trans_id}$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.message.contains("DHCPDECLINE") + patterns: + - "^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}) TransID %{DATA:infoblox_nios.log.dhcp.trans_id}: %{GREEDYDATA:infoblox_nios.log.dhcp.decline.message}$" + - "^%{WORD:event.action} of %{IP:client.ip} from %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name}): %{GREEDYDATA:infoblox_nios.log.dhcp.decline.message}$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.message.contains("DHCPNAK") + patterns: + - "^%{WORD:event.action} on %{IP:client.ip} to %{MAC:client.mac} via (%{IP:infoblox_nios.log.dhcp.interface.ip}|%{WORD:interface.name})$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + 
if: ctx.message.contains("DHCPLEASEQUERY") + patterns: + - "^%{WORD:event.action} from %{IP:client.ip}: %{GREEDYDATA:infoblox_nios.log.dhcp.lease_query.message}$" + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - grok: + field: message + if: ctx.event?.action == null + patterns: + - "^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$" + - set: + field: '@timestamp' + value: '{{{event.created}}}' + if: ctx.event?.created != null + - lowercase: + field: event.action + ignore_failure: true + ignore_missing: true + - gsub: + field: client.mac + ignore_missing: true + pattern: '[-:.]' + replacement: '-' + - uppercase: + field: client.mac + ignore_missing: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx.client?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: '{{{infoblox_nios.log.dhcp.router.ip}}}' + if: ctx.infoblox_nios?.log?.dhcp?.router?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: '{{{infoblox_nios.log.dhcp.interface.ip}}}' + if: ctx.infoblox_nios?.log?.dhcp?.interface?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: '{{{infoblox_nios.log.dhcp.relay.interface.ip}}}' + if: ctx.infoblox_nios?.log?.dhcp?.relay?.interface?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{infoblox_nios.log.dhcp.client_hostname}}}' + if: ctx.infoblox_nios?.log?.dhcp?.client_hostname != null + allow_duplicates: false + ignore_failure: true diff --git a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml new file mode 100644 index 00000000000..93d819262ab --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml 
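Review bot: in pipeline_dhcp.yml every per-message-type grok is gated on `ctx.message.contains(...)` with no null guard, so a missing `message` throws rather than reaching the `ctx.event?.action == null` fallback; use `ctx.message != null && ctx.message.contains(...)`. Because `contains` matches anywhere in the line and every block ends with the catch-all `^%{GREEDYDATA:infoblox_nios.log.dhcp.message}$`, a line whose free text mentions a second message type (for example a DHCPREQUEST line that also says DHCPACK) runs two blocks and the second copies the whole line into `infoblox_nios.log.dhcp.message`; since every pattern anchors the action at the start of the line, `startsWith` would make the dispatch exact. No `event.category`/`event.type` is set for DHCP events either; `network` / `protocol` would make them usable in ECS-based detections.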
@@ -0,0 +1,114 @@ +--- +description: Pipeline for parsing Infoblox NIOS DNS logs. +processors: + - grok: + field: message + patterns: + - "^zone %{DATA:dns.question.name}/%{DATA:dns.question.class}: notify from %{IP:client.ip}#%{NUMBER:client.port:long}:? %{GREEDYDATA:infoblox_nios.log.dns.message}$" + - "^transfer of '%{DATA:dns.question.name}/%{DATA:dns.question.class}' from %{IP:client.ip}#%{NUMBER:client.port:long}:? %{GREEDYDATA:infoblox_nios.log.dns.message}$" + - "^validating %{DATA:dns.question.name}/%{WORD:dns.question.type}: %{GREEDYDATA:infoblox_nios.log.dns.message}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? updating zone '%{DATA:dns.question.name}/%{DATA:dns.question.class}': %{GREEDYDATA:infoblox_nios.log.dns.message}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? \\(%{DATA:client.domain}\\): query failed %{GREEDYDATA:infoblox_nios.log.dns.message}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? \\(%{DATA:infoblox_nios.log.dns.before_query}\\): rewriting query name %{DATA} to '%{DATA:infoblox_nios.log.dns.after_query}', type %{DATA:dns.question.type}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? \\(%{DATA:client.domain}\\): query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} %{DATA:dns.header_flags} \\(%{IP:server.ip}\\)$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{IP:client.ip}#%{NUMBER:client.port:long}:? %{DATA:network.transport}: query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:dns.header_flags}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? 
\\(%{DATA:client.domain}\\): transfer of '%{DATA:dns.question.name}/%{DATA:dns.question.class}': %{GREEDYDATA:infoblox_nios.log.dns.message}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*CEF:0\\|Infoblox\\|NIOS\\|%{GREEDYDATA:infoblox_nios.log.dns.version}\\|RPZ-%{DATA:dns.answers.type}\\|%{DATA:infoblox_nios.log.dns.answers_policy}\\|\\d+\\|app=DNS dst=%{IP:server.ip} src=%{IP:client.ip} spt=%{NUMBER:client.port:long} view=%{DATA:infoblox_nios.log.dns.view_name} qtype=%{WORD:dns.question.type} msg=%{GREEDYDATA:infoblox_nios.log.dns.message}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{GREEDYDATA:timestamp} client %{IP:client.ip}#%{NUMBER:client.port:long}:? %{DATA:network.transport}: query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:dns.header_flags} %{GREEDYDATA:repeat_message}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*%{GREEDYDATA:timestamp} client %{IP:client.ip}#%{NUMBER:client.port:long}:? %{DATA:network.transport}: query: %{DATA:dns.question.name} %{DATA:dns.question.class} %{WORD:dns.question.type} response: %{DATA:dns.response_code} %{DATA:dns.header_flags}$" + - "^(%{NOTSPACE:infoblox_nios.log.dns.category}:)?\\s*client %{DATA} %{IP:client.ip}#%{NUMBER:client.port:long}:? 
%{GREEDYDATA:infoblox_nios.log.dns.message}$" + - "^%{GREEDYDATA:infoblox_nios.log.dns.message}$" + - date: + field: timestamp + if: ctx.timestamp != null + formats: + - dd-MMM-yyyy HH:mm:ss.SSS + - yyyy-MM-dd HH:mm:ss.SSS'Z' + ignore_failure: true + - split: + field: repeat_message + if: ctx.repeat_message != null + separator: ';' + ignore_missing: true + - trim: + field: repeat_message + ignore_missing: true + ignore_failure: true + - script: + lang: painless + if: ctx.repeat_message != null + source: + Map map = new HashMap(); + def arr = ctx.repeat_message; + map.put("name", new ArrayList()); + map.put("ttl", new ArrayList()); + map.put("class", new ArrayList()); + map.put("type", new ArrayList()); + map.put("data", new ArrayList()); + + for (def i = 0; i < arr?.length; i++) { + def response = arr[i].splitOnToken(" "); + map["name"].add(response[0]); + map["ttl"].add(response[1]); + map["class"].add(response[2]); + map["type"].add(response[3]); + map["data"].add(response[4]); + } + ctx.dns.answers = map; + - convert: + field: dns.answers.ttl + type: long + ignore_missing: true + ignore_failure: true + - lowercase: + field: network.transport + ignore_missing: true + ignore_failure: true + - foreach: + field: dns.answers.data + if: ctx.dns?.answers?.data != null + processor: + grok: + field: '_ingest._value' + patterns: + - "%{IP:related.ip}" + - "%{HOSTNAME:related.hosts}" + ignore_failure: true + - append: + field: related.ip + value: '{{{client.ip}}}' + if: ctx.client?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.ip + value: '{{{server.ip}}}' + if: ctx.server?.ip != null + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{client.domain}}}' + if: ctx.client?.domain != null + allow_duplicates: false + ignore_failure: true + - foreach: + field: dns.answers.name + if: ctx.dns?.answers?.name != null + processor: + append: + field: related.hosts + value: '{{_ingest._value}}' + 
allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{dns.question.name}}}' + if: ctx.dns?.question?.name != null + allow_duplicates: false + ignore_failure: true + - remove: + field: + - timestamp + - repeat_message + ignore_missing: true diff --git a/packages/infoblox_nios/data_stream/log/fields/agent.yml b/packages/infoblox_nios/data_stream/log/fields/agent.yml new file mode 100644 index 00000000000..6639aec94a9 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/fields/agent.yml 
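Review bot: the painless script in pipeline_dns.yml assumes each `repeat_message` entry splits into exactly five tokens and indexes `response[4]` unconditionally; an answer with fewer tokens throws an IndexOutOfBoundsException and, with no `ignore_failure` on the script, drops the event, while MX, SOA and TXT records with more than five tokens silently keep only the first word of the rdata. Check `response.length >= 5` and join the tokens from index 4 onward for `data`. The map-of-lists it builds (`name: [...]`, `ttl: [...]`, ...) also does not match ECS `dns.answers`, which is an array of objects; emitting one `{name, ttl, class, type, data}` map per answer keeps the fields of each record correlated. Separately, the `foreach` grok over `dns.answers.data` sets `related.ip`/`related.hosts` rather than appending, so each iteration overwrites the previous one and only the last answer survives; accumulate with `append` (grok into a temporary field, then append it) or in a script.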
@@ -0,0 +1,189 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. 
+ +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset +- name: log.source.address + type: keyword + description: Log source address diff --git a/packages/infoblox_nios/data_stream/log/fields/base-fields.yml b/packages/infoblox_nios/data_stream/log/fields/base-fields.yml new file mode 100644 index 00000000000..0d1791ffed6 --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/fields/base-fields.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/infoblox_nios/data_stream/log/fields/ecs.yml b/packages/infoblox_nios/data_stream/log/fields/ecs.yml new file mode 100644 index 00000000000..f45ce677a6d --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/fields/ecs.yml 
@@ -0,0 +1,64 @@ +- external: ecs + name: client.domain +- external: ecs + name: client.ip +- external: ecs + name: client.mac +- external: ecs + name: client.port +- external: ecs + name: dns.answers.class +- external: ecs + name: dns.answers.data +- external: ecs + name: dns.answers.name +- external: ecs + name: dns.answers.ttl +- external: ecs + name: dns.answers.type +- external: ecs + name: dns.header_flags +- external: ecs + name: dns.question.class +- external: ecs + name: dns.question.name +- external: ecs + name: dns.question.type +- external: ecs + name: dns.response_code +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.original +- external: ecs + name: event.outcome +- external: ecs + name: event.type +- external: ecs + name: host.ip +- external: ecs + name: interface.name +- external: ecs + name: log.syslog.priority +- external: ecs + name: message +- external: ecs + name: network.transport +- external: ecs + name: process.pid +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: related.user +- external: ecs + name: server.ip +- external: ecs + name: tags +- external: ecs + name: user.name diff --git a/packages/infoblox_nios/data_stream/log/fields/fields.yml b/packages/infoblox_nios/data_stream/log/fields/fields.yml new file mode 100644 index 00000000000..3b899604aba --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/fields/fields.yml 
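Review bot: `event.action` is populated by all three pipelines (`%{DATA:event.action}`, `%{WORD:event.action}` and the `lowercase` processors) but is not declared in ecs.yml; add `- external: ecs` / `name: event.action`, otherwise the field is unmapped and the package field validation will flag it. `event.kind` is never set by the visible pipelines and is not declared here either. `log.syslog.priority`, `process.pid` and `host.ip` are declared but nothing in these pipelines writes them, so either the default pipeline sets them or they can be dropped.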
@@ -0,0 +1,126 @@ +- name: infoblox_nios.log + type: group + fields: + - name: audit + type: group + fields: + - name: apparently_via + type: keyword + - name: auth + type: keyword + - name: error + type: text + - name: group + type: keyword + - name: info + type: text + - name: ip + type: ip + - name: message + type: text + - name: object + type: group + fields: + - name: name + type: keyword + - name: value + type: keyword + - name: to + type: keyword + - name: trigger_event + type: keyword + - name: dhcp + type: group + fields: + - name: client_hostname + type: keyword + - name: decline + type: group + fields: + - name: message + type: keyword + - name: discover + type: group + fields: + - name: message + type: keyword + - name: inform + type: group + fields: + - name: message + type: keyword + - name: interface + type: group + fields: + - name: ip + type: ip + - name: lease + type: group + fields: + - name: duration + type: long + - name: message + type: keyword + - name: lease_query + type: group + fields: + - name: message + type: keyword + - name: message + type: text + - name: network + type: keyword + - name: offered_duration + type: long + - name: relay + type: group + fields: + - name: interface + type: group + fields: + - name: ip + type: ip + - name: name + type: keyword + - name: release + type: group + fields: + - name: info + type: keyword + - name: request + type: group + fields: + - name: message + type: keyword + - name: router + type: group + fields: + - name: ip + type: ip + - name: trans_id + type: keyword + - name: uid + type: keyword + - name: dns + type: group + fields: + - name: after_query + type: text + - name: answers_policy + type: text + - name: before_query + type: text + - name: category + type: text + - name: failed_message + type: text + - name: message + type: text + - name: view_name + type: text + - name: version + type: text + - name: service_name + type: keyword + - name: type + type: keyword 
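Review bot: several DNS fields that analysts filter and aggregate on are mapped as `text` (`infoblox_nios.log.dns.category`, `view_name`, `version`, `answers_policy`, `before_query`, `after_query`), which makes exact-match queries and terms aggregations on them unreliable; they are short identifiers captured with `%{NOTSPACE}`/`%{DATA}` and should be `keyword`. `infoblox_nios.log.dns.failed_message` is declared but no pattern in pipeline_dns.yml writes to it (the `query failed` pattern goes to `infoblox_nios.log.dns.message`); remove it or wire it up.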
diff --git a/packages/infoblox_nios/data_stream/log/manifest.yml b/packages/infoblox_nios/data_stream/log/manifest.yml new file mode 100644 index 00000000000..863d2e38fbc --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/manifest.yml 
@@ -0,0 +1,63 @@ +title: Infoblox NIOS logs +type: logs +streams: + - input: tcp + title: Infoblox NIOS logs + description: Collect Infoblox NIOS logs via TCP input. + template_path: tcp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - infoblox_nios-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + title: Infoblox NIOS logs + description: Collect Infoblox NIOS logs via UDP input. + template_path: udp.yml.hbs + vars: + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - infoblox_nios-log + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. 
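Review bot: the `tcp` stream in the manifest.yml hunk above exposes only `tags`, `preserve_original_event` and `processors`, with no `ssl` variable, while the README's step 6 instructs the operator to select Secure TCP transport and upload a server certificate; unless TLS is wired in at the package level outside this diff, add an `ssl` var (type `yaml`) to the tcp stream and pass it through in `tcp.yml.hbs`, otherwise the audit logins and DNS query data this integration collects can only be received in cleartext over TCP or UDP. The `processors` description ("This executes in the agent before the logs are parsed.") is duplicated verbatim between the two streams; a YAML anchor or shared wording keeps them from drifting.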
diff --git a/packages/infoblox_nios/data_stream/log/sample_event.json b/packages/infoblox_nios/data_stream/log/sample_event.json new file mode 100644 index 00000000000..fdfd11ed44f --- /dev/null +++ b/packages/infoblox_nios/data_stream/log/sample_event.json @@ -0,0 +1,74 @@ +{ + "@timestamp": "2011-10-19T12:43:47.375Z", + "agent": { + "ephemeral_id": "e93a1351-1215-4615-87ff-a33eaa5c111f", + "hostname": "docker-fleet-agent", + "id": "0c7b29c0-78ea-4dd2-bbad-4092eeb1ee30", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "infoblox_nios.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "0c7b29c0-78ea-4dd2-bbad-4092eeb1ee30", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "first_login", + "agent_id_status": "verified", + "created": "2022-03-22T14:26:54.000Z", + "dataset": "infoblox_nios.log", + "ingested": "2022-04-18T07:40:58Z" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "apparently_via": "GUI first login", + "auth": "LOCAL", + "group": "admin-group", + "ip": "10.0.0.2", + "to": "AdminConnector" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.80.6:43913" + }, + "syslog": { + "priority": 29 + } + }, + "related": { + "ip": [ + "10.0.0.2", + "10.0.0.1" + ], + "user": [ + "user" + ] + }, + "tags": [ + "forwarded", + "infoblox_nios-log" + ], + "user": { + "name": "user" + } +} \ No newline at end of file diff --git a/packages/infoblox_nios/docs/README.md b/packages/infoblox_nios/docs/README.md new file mode 100644 index 00000000000..0ea4d81aad3 --- /dev/null +++ b/packages/infoblox_nios/docs/README.md 
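Review bot: the sample_event.json hunk above records a `First_Login` audit event (`"action": "first_login"`) with no `event.kind`, `event.category`, `event.type` or `event.outcome`, although `event.category`, `event.type` and `event.outcome` are declared in ecs.yml; a successful authentication should be categorised (`event.kind: event`, `event.category: [authentication]`, `event.type: [start]`, `event.outcome: success`, with `failure` for the `Login_Denied` lines shown in the README samples) so that prebuilt detection rules and the Security app's user views pick these events up. Also note that `@timestamp` is `2011-10-19T12:43:47.375Z` while `event.created` is `2022-03-22T14:26:54.000Z`, matching the syslog header `Mar 22 14:26:54`: the pipeline takes the timestamp embedded in the audit message for `@timestamp`, which is right, but it appears to fill `event.created` from the syslog header rather than from the agent's read time that ECS defines for that field; either document that choice or regenerate the sample from a line whose two timestamps agree so the behaviour is not mistaken for a bug.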
@@ -0,0 +1,330 @@ +# Infoblox NIOS + +The Infoblox NIOS integration collects and parses DNS, DHCP, and Audit data collected from [Infoblox NIOS](https://www.infoblox.com/products/nios8/) via TCP/UDP. + +## Setup steps +1. Enable the integration with TCP/UDP input. +2. Log in to the NIOS appliance. +3. Configure the NIOS appliance to send messages to a Syslog server using the following steps. For further information, refer to [Using a Syslog Server](https://docs.infoblox.com/display/NAG8/Using+a+Syslog+Server#UsingaSyslogServer-SpecifyingSyslogServers). + 1. From the Grid tab, select the Grid Manager tab -> Members tab, and then navigate to Grid Properties -> Edit -> Monitoring from the Toolbar. + 2. Select **Log to External Syslog Servers** to send messages to a specified Syslog server. + 3. Click the **Add** icon to define a new Syslog server. + 4. Enter the IP **Address** of the Elastic Agent that is running the integration. + 5. Select **Transport** to connect to the external Syslog server. + 6. If you are using Secure TCP transport, upload a self-signed or a CA-signed **Server Certificate**. + 7. From the drop-down list select the **Interface** through which the appliance sends Syslog messages to the Syslog server. + 8. Select **Source** as **Any** so that the appliance sends both internal and external Syslog messages. + 9. From the drop-down list, select **Node ID** i.e. the host or node identification string that identifies the appliance from which Syslog messages are originated. + 10. Enter the **Port** of the Elastic Agent that is running the integration. + 11. Select **Debug** **Severity** so that the appliance sends all Syslog messages to the server. + 12. 
Select the following **Logging categories** :  + - Common Authentication + - DHCP Process + - DNS Client + - DNSSEC + - DNS General + - DNS Notifies + - DNS Queries + - DNS Query Rewrites + - DNS Resolver + - DNS Responses + - DNS RPZ + - DNS Updates + - Non-system Authentication + - Zone Transfer In + - Zone Transfer Out + 13. Enable **Copy Audit Log Message to Syslog** to include audit log messages it sends to the Syslog server. + 14. Select **Syslog Facility** that determines the processes from which the log messages are generated. + +## Compatibility + +This module has been tested against `Infoblox NIOS version 8.6.1` with the below-given logs pattern. + +## Log samples +Below are the samples logs of the respective category: + +## Audit Logs: +``` +<141>Apr 13 22:14:36 ns1.infoblox.localdomain 10.50.1.227 httpd: 2022-04-13 16:44:36.850Z [user\040name]: Login_Denied - - to=AdminConnector ip=10.50.0.1 info=Local apparently_via=GUI +<29>Mar 21 09:53:51 infoblox.localdomain 10.0.0.1 httpd: 2022-03-21 08:53:51.087Z [service_account_test]: Login_Allowed - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=some-Group apparently_via=API +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 19:48:37.299Z [admin]: Login_Allowed - - to=Serial\040Console apparently_via=Direct auth=Local group=admin-group +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 14:02:32.750Z [admin]: Login_Denied - - to=Serial\040Console apparently_via=Direct error=invalid\040login\040or\040password +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 12:43:47.375Z [user]: First_Login - - to=AdminConnector ip=10.0.0.2 auth=LOCAL group=admin-group apparently_via=GUI\040first\040login +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2011-10-19 13:07:33.343Z [user]: Password_Reset_Error - - to=AdminConnector auth=LOCALgroup=admin-group apparently_via=GUI +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-21 17:19:02.204Z [admin]: Modified Network 192.168.0.0/24 network_view=default: Changed 
dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:37:29.261Z [admin]: Created Network 192.168.0.0/24 network_view=default: Set extensible_attributes=[],address="192.168.2.0",auto_create_reversezone=False,cidr=24,comment="",common_properties=[domain_name_servers=[],routers=[]],dhcp_members=[[grid_member=Member:infoblox.localdomain]],disabled=False,discovery_member=NULL,enable_discovery=False,enable_immediate_discovery=False,network_view=NetworkView:default,use_basic_polling_settings=False,use_member_enable_discovery=False,vlans=[] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 11:46:38.877Z [admin]: Modified MemberDhcp infoblox.localdomain: Changed enable_service:False->True +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 19:29:20.468Z [admin]: Called - RestartService: Args services=["ALL"],parents=[],force=True,mode="GROUPED" +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-29 18:30:58.656Z [admin]: Created Ruleset Block: Set comment="",disabled=True,name="Block",type="BLACKLIST" +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-24 09:28:24.476Z [admin]: Called - TransferTrafficCapture message=Download\040Traffic\040capture\040file: Args message="Download Traffic capture file",members=[Member:infoblox.localdomain] +<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.238Z [service_account_test]: Created HostAddress 10.0.0.1 network_view=default: Set address="10.0.0.1",configure_for_dhcp=False,match_option="MAC_ADDRESS",parent=HostRecord:._default.tld.domain.subdomain.hostrecord +<29>Mar 21 16:08:08 10.0.0.1 httpd: 2022-03-21 15:08:08.239Z [service_account_test]: Created HostRecord somerecord.subdomain.domain.tld DnsView=default alias=somealias.subdomain.domain.tld address=10.0.0.1: Set 
extensible_attributes=[[name="NAC-Policy",value="Host"]],addresses=[address="10.0.0.1"],aliases=[HostAlias:._default.tld.domain.subdomain.somealias.._default.tld.domain.subdomain.somehostrecord],fqdn="somerecord.subdomain.domain.tld" +<29>Mar 21 16:08:48 10.0.0.1 httpd: 2022-03-21 15:08:48.455Z [service_account_test]: Deleted HostRecord somerecord.subdomain.domain.tld DnsView=default address=10.0.0.0 +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Deleted CaaRecord somecaarecord.domain.tld DnsView=default +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Created HostAddress 192.168.0.0 network_view=default: Set address="192.168.0.0",configure_for_dhcp=True,mac_address="01:01:01:01:01:01",match_option="MAC_ADDRESS",network=Network:192.168.0.0/24\054network_view\075default,parent=HostRecord:._default.test.test3,reserved_interface=NULL,use_for_ea_inheritance=True +<29>Mar 22 14:26:54 10.0.0.1 httpd: 2022-03-22 13:26:54.596Z [some_admin_account]: Modified Network 192.168.0.0/24 network_view=default: Changed dhcp_members:[]->[[grid_member=Member:infoblox.localdomain]] +<29>Mar 18 13:40:05 10.0.0.1 httpd: 2022-03-18 12:40:05.241Z [adminuser]: Modified Grid Unibe-DNS-Grid: Changed backup_setting:[password="******",restore_password="******"]->[password="******",restore_password="******"],csp_api_config:[password="******"]->[password="******"],csp_settings:[csp_join_token="******"]->[csp_join_token="******"],download_member_conf:[[interface="ANY",is_online=True,member="Member:Grid Master"]]->[[interface="ANY",is_online=True,member=NULL]],email_setting:[password="******"]->[password="******"],http_proxy_server_setting:NULL->[password="******"],snmp_setting:[snmpv3_queries_users=NULL]->[snmpv3_queries_users=[]],syslog_servers:[[address="10.0.0.2"],[address="10.0.0.3"]]->[[address="10.0.0.4"]] +``` +## DNS Logs: +``` +<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 
192.168.0.1#50565 UDP: query: test.com IN A response: REFUSED - +<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com 28800 IN A 192.168.0.3; +<30>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED +<45>Mar 11 23:51:31 infoblox.localdomain named[17742]: 07-Apr-2022 08:08:10.043 client 192.168.0.1#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com 28800 IN A 192.168.0.2; a1.foo.com 28800 IN A 192.168.0.3; +<30>Mar  9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query failed (REFUSED) for config.nos-avg.cz/IN/TXT at query.c:10288 +<30>Mar  9 23:59:59 infoblox.localdomain named[17742]: client @0x7f1dd4114af0 192.168.0.1#59735 (config.nos-avg.cz): query: config.nos-avg.cz IN TXT + (192.168.0.1) +<30>Mar 11 23:51:31 infoblox.localdomain named[27014]: rpz: rpz1.com: reload start +<30>Mar 11 23:51:31 infoblox.localdomain named[29914]: client @0x7ff42c168b50 192.168.0.1#50460 (test.com): rewriting query name 'test.com' to 'query123-10-120-20-93.test.com', type A +<30>Mar 11 23:51:31 infoblox.localdomain named[19204]: client @0x7fec7c11dab0 192.168.0.1#36483: updating zone 'test1.com/IN': adding an RR at 'a6.test1.com' A 192.168.0.2 +<30>Mar 11 23:51:31 infoblox.localdomain named[28468]: CEF:0|Infoblox|NIOS|8.6.2-49634-e88e9df276a8|RPZ-QNAME|NXDOMAIN|7|app=DNS dst=192.168.0.1 src=192.168.0.1 spt=51424 view=_default qtype=A msg="rpz QNAME NXDOMAIN rewrite nxd1.com [A] via nxd1.com.rpz1.com" CAT=RPZ +<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: zone local_7.com/IN: notify from 192.168.0.1#46982: zone is up to date +<30>Mar 11 23:51:31 infoblox.localdomain named[7741]: responses: client @0x7fb550117f90 192.168.0.1#46982: received notify for zone 'local_14.com' +<30>Mar 11 
23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer status: success +<30>Mar 11 23:51:31 infoblox.localdomain named[15242]: transfer of 'test.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 9 records, 326 bytes, 0.001 secs (326000 bytes/sec) +<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR started (serial 3) +<30>Mar 11 23:51:31 infoblox.localdomain named[56199]: client @0x7f7e6c2809f0 192.168.0.1#57027 (test.com): transfer of 'test.com/IN': AXFR ended +<30>Mar 11 23:51:31 infoblox.localdomain named[30325]: resolver priming query complete +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'test.com' +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating test.com/NSEC: bad cache hit (test.com/DNSKEY) +<30>Mar 11 23:51:31 infoblox.localdomain named[1127]: validating hostrec3.test.com/NSEC: bad cache hit (test.com/DNSKEY) +<30>Apr 14 16:17:20 10.0.0.1 named[2588]: infoblox-responses: 14-Apr-2022 16:17:20.046 client 192.168.0.1#57738: UDP: query: settings-win.data.microsoft.com IN A response: REFUSED - +<30>Apr 14 16:16:05 10.0.0.1 named[2588]: queries: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query: ocsp.digicert.com IN A + (192.168.1.10) +<30>Apr 14 16:16:05 10.0.0.1 named[2588]: query-errors: client @0x7f97e40eb500 192.168.0.1#64727 (ocsp.digicert.com): query failed (REFUSED) for ocsp.digicert.com/IN/A at query.c:10288 +``` +## DHCP Logs: +``` +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPDISCOVER from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID a76ecf84 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain 10.0.0.1 dhcpd[7024]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID b5e92c59 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 
08:32:59 10.0.0.1 dhcpd[2750]: DHCPDISCOVER from 00:50:56:83:d0:f6 via eth1 TransID 6214ab45: network 10.50.0.0/20: no free leases +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPDISCOVER from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPDISCOVER from 00:00:00:00:00:00 (h000000000000) via 192.168.0.2 TransID 01000000 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 119 offered-duration 1800 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPOFFER on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 120 offered-duration 1800 +<30>Mar 31 15:30:05 10.0.0.1 dhcpd[15752]: DHCPOFFER on 192.168.0.4 to 26:9a:76:87:8a:06 via eth2 relay 192.168.0.3 lease-duration 1795 uid 01:26:9a:76:87:8a:06 +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPOFFER on 192.168.0.4 to 00:00:00:00:00:00 via eth1 relay 192.168.0.3 lease-duration 43137 offered-duration 43200 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPOFFER on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 120 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54737448 uid 01:00:50:56:83:6c:a0 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 8767dc3c uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 54ade258 uid 01:00:50:56:83:6c:a0 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[4495]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID a18a70a0 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 
infoblox.localdomain dhcpd[25637]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:d3:83 via eth1 TransID 3ca1e0b7: unknown lease 192.168.0.4. +<30>Apr 6 10:13:31 infoblox.localdomain dhcpd[22730]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 TransID 542900fa uid 01:00:50:56:83:6c:a0: database update failed +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:50:56:83:6c:a0 via eth3 TransID 748f30ab +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[30827]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:96:03 via eth1 TransID 9cf7c9e9: ignored (not authoritative). +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPREQUEST for 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 TransID 2d422d0c +<30>Mar 31 15:30:06 10.0.0.1 dhcpd[15752]: DHCPREQUEST for 192.168.0.4 from 9a:df:6e:f6:1f:23 via 192.168.0.2 TransID 15ca711f uid 01:9a:df:6e:f6:1f:23 (RENEW) +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPREQUEST for 192.168.0.4 (192.168.0.1) from 00:00:00:00:00:00 via 192.168.0.3 TransID 01000000 (RENEW) +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[17530]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 (RENEW) uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[2567]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPACK on 192.168.0.4 to 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 relay eth3 lease-duration 1800 +<30>Mar 27 08:32:59 10.0.0.1 dhcpd[15752]: DHCPACK on 192.168.0.4 to 9a:df:6e:f6:1f:23 via eth2 relay 192.168.0.3 lease-duration 7257600 (RENEW) uid 01:9a:df:6e:f6:1f:23 +<30>Mar 27 08:32:59 infoblox_localdomain.com dhcpd[29258]: DHCPACK on 192.168.0.4 to 00:00:00:00:00:00 (h000000000000) via eth1 relay 192.168.0.3 lease-duration 43200 (RENEW) +<30>Mar 
27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPACK on 192.168.0.4 to cc:bb:cc:dd:ee:ff via eth1 relay 192.168.0.3 lease-duration 43200 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[1761]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 (DESKTOP-ABCD) via eth3 (found) TransID 0286f3d0 uid 01:00:50:56:83:6c:a0 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[21114]: DHCPRELEASE of 192.168.0.4 from 00:50:56:83:6c:a0 via eth3 (not found) TransID 665fd9f1 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPEXPIRE on 192.168.0.4 to 00:50:56:83:6c:a0 +<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 5713b740 +<30>Mar 18 13:35:15 10.0.0.1 dhcpd[18078]: DHCPINFORM from 192.168.0.4 via eth2 TransID 5713b740 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPINFORM from 192.168.0.4 via 192.168.0.2 TransID 78563412: not authoritative for subnet 10.0.0.0 +<30>Mar 18 11:44:52 10.0.0.1 dhcpd[32243]: DHCPDECLINE of 192.168.0.4 from 34:29:8f:71:b8:99 via 192.168.0.2 TransID 00000000: not found +<30>Mar 7 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPDECLINE of 192.168.0.4 from 00:c0:dd:07:18:e2 via 192.168.0.2: abandoned\n +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[20397]: DHCPNAK on 192.168.0.4 to f4:30:b9:17:ab:0e via 192.168.0.2 +<30>Mar 27 08:32:59 infoblox.localdomain dhcpd[6939]: DHCPLEASEQUERY from 192.168.0.4: LEASEQUERY not allowed, query ignored +``` + +## Logs + +This is the `log` dataset. 
+ +An example event for `log` looks as following: + +```json +{ + "@timestamp": "2011-10-19T12:43:47.375Z", + "agent": { + "ephemeral_id": "e93a1351-1215-4615-87ff-a33eaa5c111f", + "hostname": "docker-fleet-agent", + "id": "0c7b29c0-78ea-4dd2-bbad-4092eeb1ee30", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "7.17.0" + }, + "data_stream": { + "dataset": "infoblox_nios.log", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.2.0" + }, + "elastic_agent": { + "id": "0c7b29c0-78ea-4dd2-bbad-4092eeb1ee30", + "snapshot": false, + "version": "7.17.0" + }, + "event": { + "action": "first_login", + "agent_id_status": "verified", + "created": "2022-03-22T14:26:54.000Z", + "dataset": "infoblox_nios.log", + "ingested": "2022-04-18T07:40:58Z" + }, + "host": { + "ip": "10.0.0.1" + }, + "infoblox_nios": { + "log": { + "audit": { + "apparently_via": "GUI first login", + "auth": "LOCAL", + "group": "admin-group", + "ip": "10.0.0.2", + "to": "AdminConnector" + }, + "service_name": "httpd", + "type": "AUDIT" + } + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.80.6:43913" + }, + "syslog": { + "priority": 29 + } + }, + "related": { + "ip": [ + "10.0.0.2", + "10.0.0.1" + ], + "user": [ + "user" + ] + }, + "tags": [ + "forwarded", + "infoblox_nios-log" + ], + "user": { + "name": "user" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.mac | MAC address of the client. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| client.port | Port of the client. | long | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| dns.answers.class | The class of DNS data contained in this resource record. | keyword | +| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword | +| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. 
It should not simply be the original `question.name` repeated. | keyword | +| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long | +| dns.answers.type | The type of data contained in this resource record. | keyword | +| dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword | +| dns.question.class | The class of records being queried. | keyword | +| dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword | +| dns.question.type | The type of record being queried. | keyword | +| dns.response_code | The DNS response code. | keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. 
This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| infoblox_nios.log.audit.apparently_via | | keyword | +| infoblox_nios.log.audit.auth | | keyword | +| infoblox_nios.log.audit.error | | text | +| infoblox_nios.log.audit.group | | keyword | +| infoblox_nios.log.audit.info | | text | +| infoblox_nios.log.audit.ip | | ip | +| infoblox_nios.log.audit.message | | text | +| infoblox_nios.log.audit.object.name | | keyword | +| infoblox_nios.log.audit.object.value | | keyword | +| infoblox_nios.log.audit.to | | keyword | +| infoblox_nios.log.audit.trigger_event | | keyword | +| infoblox_nios.log.dhcp.client_hostname | | keyword | +| infoblox_nios.log.dhcp.decline.message | | keyword | +| infoblox_nios.log.dhcp.discover.message | | keyword | +| infoblox_nios.log.dhcp.inform.message | | keyword | +| infoblox_nios.log.dhcp.interface.ip | | ip | +| infoblox_nios.log.dhcp.lease.duration | | long | +| infoblox_nios.log.dhcp.lease.message | | keyword | +| infoblox_nios.log.dhcp.lease_query.message | | keyword | +| infoblox_nios.log.dhcp.message | | text | +| infoblox_nios.log.dhcp.network | | keyword | +| infoblox_nios.log.dhcp.offered_duration | | long | +| infoblox_nios.log.dhcp.relay.interface.ip | | ip | +| infoblox_nios.log.dhcp.relay.interface.name | | keyword | +| infoblox_nios.log.dhcp.release.info | | keyword | +| infoblox_nios.log.dhcp.request.message | | keyword | +| infoblox_nios.log.dhcp.router.ip | | ip | +| infoblox_nios.log.dhcp.trans_id | | keyword | +| infoblox_nios.log.dhcp.uid | | keyword | +| infoblox_nios.log.dns.after_query | | text | +| infoblox_nios.log.dns.answers_policy | | text | +| infoblox_nios.log.dns.before_query | | text | +| infoblox_nios.log.dns.category | | text | +| infoblox_nios.log.dns.failed_message | | text | +| infoblox_nios.log.dns.message | | text | +| infoblox_nios.log.dns.version | | text | +| infoblox_nios.log.dns.view_name | | text | +| infoblox_nios.log.service_name 
| | keyword | +| infoblox_nios.log.type | | keyword | +| input.type | Input type | keyword | +| interface.name | Interface name as reported by the system. | keyword | +| log.offset | Log offset | long | +| log.source.address | Log source address | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| process.pid | Process id. | long | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| tags | List of keywords used to tag each event. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | + diff --git a/packages/infoblox_nios/img/infoblox-logo.svg b/packages/infoblox_nios/img/infoblox-logo.svg new file mode 100644 index 00000000000..57b4d23b168 --- /dev/null +++ b/packages/infoblox_nios/img/infoblox-logo.svg @@ -0,0 +1,93 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/packages/infoblox_nios/img/infoblox-nios-screenshot.png b/packages/infoblox_nios/img/infoblox-nios-screenshot.png new file mode 100644 index 00000000000..ea8b7935ca5 Binary files /dev/null and b/packages/infoblox_nios/img/infoblox-nios-screenshot.png differ diff --git a/packages/infoblox_nios/kibana/dashboard/infoblox_nios-27c573b0-b4d8-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/dashboard/infoblox_nios-27c573b0-b4d8-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..2d045527da8 --- /dev/null +++ b/packages/infoblox_nios/kibana/dashboard/infoblox_nios-27c573b0-b4d8-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,224 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "e82ae83d-3d73-4648-9ce6-3dc1fd98830e", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "e82ae83d-3d73-4648-9ce6-3dc1fd98830e", + "panelRefName": "panel_0", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "d0884783-30e6-47ed-bfca-99d4b0b423e9", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "d0884783-30e6-47ed-bfca-99d4b0b423e9", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "eb62be57-7cb6-4431-96fd-6b1c7f8ecd8b", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "eb62be57-7cb6-4431-96fd-6b1c7f8ecd8b", + "panelRefName": "panel_2", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "5ab31944-bb04-4fcd-9734-6dd0a050581b", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "5ab31944-bb04-4fcd-9734-6dd0a050581b", + "panelRefName": "panel_3", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e143f9bd-b200-4a66-b58b-e0ecda3bb8b9", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "e143f9bd-b200-4a66-b58b-e0ecda3bb8b9", + "panelRefName": "panel_4", + "title": "Top 10 MAC Address [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + 
"embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2720e747-2fe6-431c-ba1c-ca7f7cb648ba", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "2720e747-2fe6-431c-ba1c-ca7f7cb648ba", + "panelRefName": "panel_5", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "b3562120-30fb-4068-8f51-016a4d463d54", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "b3562120-30fb-4068-8f51-016a4d463d54", + "panelRefName": "panel_6", + "type": "visualization", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "76c2205b-d288-41b8-bd79-33e76a42289a", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "76c2205b-d288-41b8-bd79-33e76a42289a", + "panelRefName": "panel_7", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "76cacd94-5599-43e7-bcde-e1e19c7d8e96", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "76cacd94-5599-43e7-bcde-e1e19c7d8e96", + "panelRefName": "panel_8", + "type": "search", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Infoblox NIOS] DHCP", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-27c573b0-b4d8-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_0", + "type": "visualization" + }, + { + "id": "infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb", + "name": "panel_3", + "type": "search" + }, + { + "id": "infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_4", + 
"type": "lens" + }, + { + "id": "infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb", + "name": "panel_5", + "type": "search" + }, + { + "id": "infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_6", + "type": "visualization" + }, + { + "id": "infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb", + "name": "panel_7", + "type": "search" + }, + { + "id": "infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb", + "name": "panel_8", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/dashboard/infoblox_nios-c3abc8b0-b4dd-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/dashboard/infoblox_nios-c3abc8b0-b4dd-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..1d946dbc96d --- /dev/null +++ b/packages/infoblox_nios/kibana/dashboard/infoblox_nios-c3abc8b0-b4dd-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,146 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "8dbce535-f9f6-45ac-b34a-dcea6e26d7ad", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "8dbce535-f9f6-45ac-b34a-dcea6e26d7ad", + "panelRefName": "panel_0", + "title": "Distribution of Audit Events by Event Action [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "253a71f1-a7c2-4b3e-bf37-89383b11fd76", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "253a71f1-a7c2-4b3e-bf37-89383b11fd76", + "panelRefName": "panel_1", + "title": "Top 10 User Login Failures [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "cfd78a10-0dc4-4062-97e5-9ff83ead6947", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "cfd78a10-0dc4-4062-97e5-9ff83ead6947", + "panelRefName": "panel_2", + "title": "Top 10 Login User Name [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "efab2208-7c53-44d0-ab95-44e4f536b001", + "w": 48, + "x": 0, + "y": 30 + }, + "panelIndex": "efab2208-7c53-44d0-ab95-44e4f536b001", + "panelRefName": "panel_3", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": 
"ae1e8f76-fa42-4a6a-8a7e-08a96bd1e58d", + "w": 48, + "x": 0, + "y": 45 + }, + "panelIndex": "ae1e8f76-fa42-4a6a-8a7e-08a96bd1e58d", + "panelRefName": "panel_4", + "title": "Created and Deleted Objects [Logs Infoblox NIOS]", + "type": "search", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Infoblox NIOS] Audit", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-c3abc8b0-b4dd-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_0", + "type": "lens" + }, + { + "id": "infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828", + "name": "panel_1", + "type": "lens" + }, + { + "id": "infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_2", + "type": "lens" + }, + { + "id": "infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb", + "name": "panel_3", + "type": "search" + }, + { + "id": "infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3", + "name": "panel_4", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/dashboard/infoblox_nios-f8d86480-b4c9-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/dashboard/infoblox_nios-f8d86480-b4c9-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..ea56ac8ca91 --- /dev/null +++ b/packages/infoblox_nios/kibana/dashboard/infoblox_nios-f8d86480-b4c9-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,259 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ab55c4cf-b8e2-47e1-b548-ed8db4a5dcc1", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "ab55c4cf-b8e2-47e1-b548-ed8db4a5dcc1", + "panelRefName": "panel_0", + "title": "Distribution of DNS Events by Response Code [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "41ccc6e6-e2f7-4f0f-8e38-806add9d12a5", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "41ccc6e6-e2f7-4f0f-8e38-806add9d12a5", + "panelRefName": "panel_1", + "title": "Distribution of DNS Events by Response Flag [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7809e922-929c-4836-80d9-1fbd3a9fb8e8", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "7809e922-929c-4836-80d9-1fbd3a9fb8e8", + "panelRefName": "panel_2", + "title": "Distribution of DNS Events by Question Class [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "179440ac-a8bb-4686-8ab1-8ad93b7717fb", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "179440ac-a8bb-4686-8ab1-8ad93b7717fb", + "panelRefName": "panel_3", + "title": "Top 10 IP Used by Client [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + 
"embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "d91a4b30-da3a-402b-a7b7-542680808c83", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "d91a4b30-da3a-402b-a7b7-542680808c83", + "panelRefName": "panel_4", + "title": "Top 10 Port Used by Client [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "820c618a-04ef-4d1d-95e4-76be0a783c03", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "820c618a-04ef-4d1d-95e4-76be0a783c03", + "panelRefName": "panel_5", + "title": "Top 10 Answer Name [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1129632e-0004-4421-bf56-406d8499a2bb", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "1129632e-0004-4421-bf56-406d8499a2bb", + "panelRefName": "panel_6", + "title": "Top 10 Question Name [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "8c9c23a3-c26e-497a-9b62-99dbcf30c2ca", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "8c9c23a3-c26e-497a-9b62-99dbcf30c2ca", + "panelRefName": "panel_7", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "33030bbb-3670-4b20-ab01-b0eb157ea4e5", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "33030bbb-3670-4b20-ab01-b0eb157ea4e5", + "panelRefName": "panel_8", + "type": "search", + "version": "7.17.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5a855a3a-e38e-432e-b09a-0960167960cd", + "w": 24, + "x": 24, + "y": 45 + }, + "panelIndex": "5a855a3a-e38e-432e-b09a-0960167960cd", + "panelRefName": 
"panel_9", + "title": "Top 10 Query Type [Logs Infoblox NIOS]", + "type": "lens", + "version": "7.17.0" + } + ], + "timeRestore": false, + "title": "[Logs Infoblox NIOS] DNS", + "version": 1 + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-f8d86480-b4c9-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "dashboard": "7.17.0" + }, + "references": [ + { + "id": "infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_0", + "type": "lens" + }, + { + "id": "infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_1", + "type": "lens" + }, + { + "id": "infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_2", + "type": "lens" + }, + { + "id": "infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_3", + "type": "lens" + }, + { + "id": "infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_4", + "type": "lens" + }, + { + "id": "infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_5", + "type": "lens" + }, + { + "id": "infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_6", + "type": "lens" + }, + { + "id": "infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb", + "name": "panel_7", + "type": "search" + }, + { + "id": "infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb", + "name": "panel_8", + "type": "search" + }, + { + "id": "infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb", + "name": "panel_9", + "type": "lens" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..0e6cd96ba54 --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { + "columnOrder": [ + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", + "0a304308-6952-4598-a14b-66b0ae5c6fd6" + ], + "columns": { + "0a304308-6952-4598-a14b-66b0ae5c6fd6": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Client Port", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "client.port" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" + }, + { + "alignment": "left", + "colorMode": "none", + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "hidden": false + } + ], + "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "layerType": "data" + } + }, + "title": "Top 10 Port Used by Client [Logs Infoblox NIOS]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-47a3afb0-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No 
newline at end of file diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..952f75cf39e --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { + "columnOrder": [ + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", + "0a304308-6952-4598-a14b-66b0ae5c6fd6" + ], + "columns": { + "0a304308-6952-4598-a14b-66b0ae5c6fd6": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Client IP", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "client.ip" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + }, + "visualization": { + "columns": [ + { + "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" + }, + { + "alignment": "left", + "colorMode": "none", + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "hidden": false + } + ], + "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "layerType": "data" + } + }, + "title": "Top 10 IP Used by Client [Logs Infoblox NIOS]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-4d682070-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..d39fa8c48b1 --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "362936ac-2262-4cd0-8e06-c28015a829c5": { + "columnOrder": [ + "199ebb9a-2861-4db3-ac9d-d5801b764292", + "d759196e-f983-426d-bdd4-b6fea637f20d" + ], + "columns": { + "199ebb9a-2861-4db3-ac9d-d5801b764292": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Response Code", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d759196e-f983-426d-bdd4-b6fea637f20d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "dns.response_code" + }, + "d759196e-f983-426d-bdd4-b6fea637f20d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "199ebb9a-2861-4db3-ac9d-d5801b764292" + ], + "layerId": "362936ac-2262-4cd0-8e06-c28015a829c5", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 1, + "legendPosition": "right", + "metric": "d759196e-f983-426d-bdd4-b6fea637f20d", + "nestedLegend": false, + "numberDisplay": "percent", + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Distribution of DNS Events by Response Code [Logs Infoblox NIOS]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-52a20470-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "indexpattern-datasource-layer-362936ac-2262-4cd0-8e06-c28015a829c5", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828.json new file mode 100644 index 00000000000..3a97290bff6 --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828.json 
@@ -0,0 +1,163 @@ +{ + "attributes": { + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "3b197aef-e049-44df-a30f-fc807fdb1718": { + "columnOrder": [ + "e9c4594f-2e2d-4750-9b04-eb1632f13753", + "6786ed8f-346e-419e-b8a7-1eea3d76b317", + "fe7f037e-6294-43af-94f9-3d73fe39d2a0", + "4eb788c2-ebce-473d-bfb0-ee0409862740" + ], + "columns": { + "4eb788c2-ebce-473d-bfb0-ee0409862740": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "6786ed8f-346e-419e-b8a7-1eea3d76b317": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Login Failure", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4eb788c2-ebce-473d-bfb0-ee0409862740", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "e9c4594f-2e2d-4750-9b04-eb1632f13753": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "User Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4eb788c2-ebce-473d-bfb0-ee0409862740", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "fe7f037e-6294-43af-94f9-3d73fe39d2a0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Login Via", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4eb788c2-ebce-473d-bfb0-ee0409862740", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "infoblox_nios.log.audit.apparently_via" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + 
"disabled": false, + "indexRefName": "filter-index-pattern-0", + "key": "event.action", + "negate": false, + "params": { + "query": "login_denied" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login_denied" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" + }, + "visualization": { + "columns": [ + { + "columnId": "e9c4594f-2e2d-4750-9b04-eb1632f13753", + "isTransposed": false + }, + { + "columnId": "6786ed8f-346e-419e-b8a7-1eea3d76b317", + "isTransposed": false + }, + { + "columnId": "fe7f037e-6294-43af-94f9-3d73fe39d2a0", + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "4eb788c2-ebce-473d-bfb0-ee0409862740", + "isTransposed": false + } + ], + "layerId": "3b197aef-e049-44df-a30f-fc807fdb1718", + "layerType": "data" + } + }, + "title": "Top 10 User Login Failures [Logs Infoblox NIOS]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-5bde4960-bee7-11ec-a230-b1548ff82828", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3b197aef-e049-44df-a30f-fc807fdb1718", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "filter-index-pattern-0", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..af7022e8da1 --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "362936ac-2262-4cd0-8e06-c28015a829c5": { + "columnOrder": [ + "199ebb9a-2861-4db3-ac9d-d5801b764292", + "d759196e-f983-426d-bdd4-b6fea637f20d" + ], + "columns": { + "199ebb9a-2861-4db3-ac9d-d5801b764292": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Response Flag", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d759196e-f983-426d-bdd4-b6fea637f20d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "dns.header_flags" + }, + "d759196e-f983-426d-bdd4-b6fea637f20d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "199ebb9a-2861-4db3-ac9d-d5801b764292" + ], + "layerId": "362936ac-2262-4cd0-8e06-c28015a829c5", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 1, + "legendPosition": "right", + "metric": "d759196e-f983-426d-bdd4-b6fea637f20d", + "nestedLegend": false, + "numberDisplay": "percent", + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Distribution of DNS Events by Response Flag [Logs Infoblox NIOS]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-63ad1d90-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "indexpattern-datasource-layer-362936ac-2262-4cd0-8e06-c28015a829c5", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..f264ba388f0 --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "362936ac-2262-4cd0-8e06-c28015a829c5": { + "columnOrder": [ + "199ebb9a-2861-4db3-ac9d-d5801b764292", + "d759196e-f983-426d-bdd4-b6fea637f20d" + ], + "columns": { + "199ebb9a-2861-4db3-ac9d-d5801b764292": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Question Class", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d759196e-f983-426d-bdd4-b6fea637f20d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "dns.question.class" + }, + "d759196e-f983-426d-bdd4-b6fea637f20d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "199ebb9a-2861-4db3-ac9d-d5801b764292" + ], + "layerId": "362936ac-2262-4cd0-8e06-c28015a829c5", + "layerType": "data", + "legendDisplay": "show", + "legendMaxLines": 1, + "legendPosition": "right", + "metric": "d759196e-f983-426d-bdd4-b6fea637f20d", + "nestedLegend": false, + "numberDisplay": "percent", + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "Distribution of DNS Events by Question Class [Logs Infoblox NIOS]", + "visualizationType": "lnsPie" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-69c26d70-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + 
"id": "logs-*", + "name": "indexpattern-datasource-layer-362936ac-2262-4cd0-8e06-c28015a829c5", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..8b7ba150de7 --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { + "columnOrder": [ + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", + "0a304308-6952-4598-a14b-66b0ae5c6fd6" + ], + "columns": { + "0a304308-6952-4598-a14b-66b0ae5c6fd6": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Answer Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "dns.answers.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + }, + "visualization": { + "columns": [ + { + "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" + }, + { + "alignment": "left", + "colorMode": "none", + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "hidden": false + } + ], + "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "layerType": "data" + } + }, + "title": "Top 10 Answer Name [Logs Infoblox NIOS]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-710eddc0-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
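Review bot: this saved object, like every other JSON file added in the patch, ends with `\ No newline at end of file`. Add the trailing newline to the exported objects so later edits do not show spurious last-line diffs and the files pass the usual lint and pre-commit checks.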
diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..28023508a40 --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { + "columnOrder": [ + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", + "0a304308-6952-4598-a14b-66b0ae5c6fd6" + ], + "columns": { + "0a304308-6952-4598-a14b-66b0ae5c6fd6": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Question Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "dns.question.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + }, + "visualization": { + "columns": [ + { + "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" + }, + { + "alignment": "left", + "colorMode": "none", + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "hidden": false + } + ], + "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "layerType": "data" + } + }, + "title": "Top 10 Question Name [Logs Infoblox NIOS]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-771b5400-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..eef58c03a35 --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c7c1c1df-9311-48ff-8df3-6c0ac873f606": { + "columnOrder": [ + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639", + "0a304308-6952-4598-a14b-66b0ae5c6fd6" + ], + "columns": { + "0a304308-6952-4598-a14b-66b0ae5c6fd6": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "24e0ec78-4202-4d4d-9d1d-88df3ac6c639": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Query Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "dns.question.type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + }, + "visualization": { + "columns": [ + { + "columnId": "24e0ec78-4202-4d4d-9d1d-88df3ac6c639" + }, + { + "alignment": "left", + "colorMode": "none", + "columnId": "0a304308-6952-4598-a14b-66b0ae5c6fd6", + "hidden": false + } + ], + "layerId": "c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "layerType": "data" + } + }, + "title": "Top 10 Query Type [Logs Infoblox NIOS]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-7ce4a6c0-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c7c1c1df-9311-48ff-8df3-6c0ac873f606", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..6ecfadae96a --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "310773ab-50b9-45eb-b84b-d5ac4dd962ff": { + "columnOrder": [ + "24491aaa-9a7c-4f4e-aea5-9621bc64c38a", + "0552e5bb-f6f0-4619-a623-b95cbb3c3561" + ], + "columns": { + "0552e5bb-f6f0-4619-a623-b95cbb3c3561": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "24491aaa-9a7c-4f4e-aea5-9621bc64c38a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "MAC Address", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0552e5bb-f6f0-4619-a623-b95cbb3c3561", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "client.mac" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + }, + "visualization": { + "columns": [ + { + "columnId": "24491aaa-9a7c-4f4e-aea5-9621bc64c38a", + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "0552e5bb-f6f0-4619-a623-b95cbb3c3561", + "isTransposed": false + } + ], + "layerId": "310773ab-50b9-45eb-b84b-d5ac4dd962ff", + "layerType": "data" + } + }, + "title": "Top 10 MAC Address [Logs Infoblox NIOS]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-b1504c70-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-310773ab-50b9-45eb-b84b-d5ac4dd962ff", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file 
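Review bot: the `Top 10 MAC Address` table in infoblox_nios-b1504c70 counts every DHCP event (`infoblox_nios.log.type : "DHCP"`) per `client.mac`, so one lease acquisition contributes several rows (the saved searches later in the patch show `dhcpack`, `dhcprelease`, `dhcpexpire` and `dhcpdecline` as distinct actions) and the ranking reflects protocol chattiness rather than distinct clients or leases. Either narrow the query to a single action such as `event.action : "dhcpack"` or relabel the metric as an event count. The column config here (`"isTransposed": false`, no `hidden` or `colorMode`) also differs from the three DNS tables above, which suggests the objects were exported from different Kibana builds; re-exporting them from one version keeps the set consistent.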
diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..c51fe7d5cff --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,89 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9688c841-6bb3-4369-8c27-894421c9ea56": { + "columnOrder": [ + "392073ca-09fb-4349-826e-fe44effa2a8e", + "7d1fb2f4-74e5-420a-bf2e-d5bae039d0b8" + ], + "columns": { + "392073ca-09fb-4349-826e-fe44effa2a8e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Login User Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "7d1fb2f4-74e5-420a-bf2e-d5bae039d0b8", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "7d1fb2f4-74e5-420a-bf2e-d5bae039d0b8": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" + }, + "visualization": { + "columns": [ + { + "columnId": "392073ca-09fb-4349-826e-fe44effa2a8e", + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "7d1fb2f4-74e5-420a-bf2e-d5bae039d0b8", + "isTransposed": false + } + ], + "layerId": "9688c841-6bb3-4369-8c27-894421c9ea56", + "layerType": "data" + } + }, + "title": "Top 10 Login User Name [Logs Infoblox NIOS]", + "visualizationType": "lnsDatatable" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-e2809d40-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9688c841-6bb3-4369-8c27-894421c9ea56", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of 
file diff --git a/packages/infoblox_nios/kibana/lens/infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/lens/infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..9240018521d --- /dev/null +++ b/packages/infoblox_nios/kibana/lens/infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,127 @@ +{ + "attributes": { + "description": null, + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b651497c-3650-4eb9-ab9c-e90f27c1fc75": { + "columnOrder": [ + "fcb0dd34-08f1-4b12-a947-66514002a247", + "3c8dadb3-4770-4830-9d0f-3a157d0a0f97" + ], + "columns": { + "3c8dadb3-4770-4830-9d0f-3a157d0a0f97": { + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "scale": "ratio", + "sourceField": "Records" + }, + "fcb0dd34-08f1-4b12-a947-66514002a247": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "3c8dadb3-4770-4830-9d0f-3a157d0a0f97", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "3c8dadb3-4770-4830-9d0f-3a157d0a0f97" + ], + "layerId": "b651497c-3650-4eb9-ab9c-e90f27c1fc75", + "layerType": "data", + "seriesType": "bar_horizontal", + "xAccessor": "fcb0dd34-08f1-4b12-a947-66514002a247", + "yConfig": [ + { + "color": "#d36086", + "forAccessor": "3c8dadb3-4770-4830-9d0f-3a157d0a0f97" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right", + "showSingleSeries": false + }, + "preferredSeriesType": "bar_horizontal", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + 
"valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yRightExtent": { + "mode": "full" + } + } + }, + "title": "Distribution of Audit Events by Event Action [Logs Infoblox NIOS]", + "visualizationType": "lnsXY" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-ee190f20-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "lens": "7.16.0" + }, + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b651497c-3650-4eb9-ab9c-e90f27c1fc75", + "type": "index-pattern" + } + ], + "type": "lens" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/search/infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/search/infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..194cba4f293 --- /dev/null +++ b/packages/infoblox_nios/kibana/search/infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,68 @@ +{ + "attributes": { + "columns": [ + "client.ip", + "client.mac" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.action", + "negate": false, + "params": { + "query": "dhcpdecline" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "dhcpdecline" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Declined Leases [Logs Infoblox NIOS]" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-4559ff50-b4e1-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/search/infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/search/infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..40bf1c61341 --- /dev/null +++ b/packages/infoblox_nios/kibana/search/infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,69 @@ +{ + "attributes": { + "columns": [ + "dns.response_code", + "dns.answers.name", + "dns.answers.data" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "dns.response_code", + "negate": false, + "params": { + "query": "REFUSED" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "dns.response_code": "REFUSED" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "DNS Decline Response [Logs Infoblox NIOS]" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-5cc295e0-b4d6-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/search/infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/search/infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..2fe10734aad --- /dev/null +++ b/packages/infoblox_nios/kibana/search/infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,94 @@ +{ + "attributes": { + "columns": [ + "client.ip", + "client.mac" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "infoblox_nios.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "infoblox_nios.log" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.action", + "negate": false, + "params": { + "query": "dhcpexpire" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "dhcpexpire" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Expired Leases [Logs Infoblox NIOS]" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-7103abb0-b4e1-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
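Review bot: the first filter in infoblox_nios-7103abb0 (`"key": "data_stream.dataset"` matching `infoblox_nios.log`) duplicates the KQL query `data_stream.dataset : "infoblox_nios.log" and infoblox_nios.log.type : "DHCP"` right below it, and Declined Leases (infoblox_nios-4559ff50) gets by with the `event.action` filter alone. Drop the redundant filter here and in Renewed Leases (71f7a570) and Released Leases (8d55bb50) so all four lease searches are built the same way and the `references` list no longer needs the extra index-pattern entry for it.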
diff --git a/packages/infoblox_nios/kibana/search/infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/search/infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..929a8c96b01 --- /dev/null +++ b/packages/infoblox_nios/kibana/search/infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,121 @@ +{ + "attributes": { + "columns": [ + "client.ip", + "client.mac", + "infoblox_nios.log.dhcp.client_hostname" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "infoblox_nios.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "infoblox_nios.log" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "infoblox_nios.log.dhcp.lease.message", + "negate": false, + "params": { + "query": "RENEW" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "infoblox_nios.log.dhcp.lease.message": "RENEW" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "event.action", + "negate": false, + "params": { + "query": "dhcpack" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "dhcpack" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Renewed Leases [Logs Infoblox NIOS]" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-71f7a570-b4dd-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + 
}, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/search/infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3.json b/packages/infoblox_nios/kibana/search/infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3.json new file mode 100644 index 00000000000..7960b6547b4 --- /dev/null +++ b/packages/infoblox_nios/kibana/search/infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "columns": [ + "event.action", + "infoblox_nios.log.service_name", + "infoblox_nios.log.type", + "infoblox_nios.log.audit.message" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.action", + "negate": false, + "params": [ + "created", + "deleted" + ], + "type": "phrases" + }, + "query": { + "bool": { + "minimum_should_match": 1, + "should": [ + { + "match_phrase": { + "event.action": "created" + } + }, + { + "match_phrase": { + "event.action": "deleted" + } + } + ] + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Created and Deleted Objects [Logs Infoblox NIOS]" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-854739b0-b735-11ec-8ec2-49017af276c3", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/search/infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/search/infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..7add2c1263d --- /dev/null +++ b/packages/infoblox_nios/kibana/search/infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "columns": [ + "client.ip", + "client.mac", + "infoblox_nios.log.dhcp.client_hostname" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "infoblox_nios.log" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "infoblox_nios.log" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.action", + "negate": false, + "params": { + "query": "dhcprelease" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "dhcprelease" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Released Leases [Logs Infoblox NIOS]" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-8d55bb50-b4e1-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
diff --git a/packages/infoblox_nios/kibana/search/infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/search/infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..0b87f58b613 --- /dev/null +++ b/packages/infoblox_nios/kibana/search/infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "columns": [ + "event.action", + "user.name", + "infoblox_nios.log.audit.auth", + "infoblox_nios.log.audit.ip" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.action", + "negate": false, + "params": { + "query": "login_allowed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.action": "login_allowed" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "infoblox_nios.log.service_name", + "negate": false, + "params": { + "query": "httpd" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "infoblox_nios.log.service_name": "httpd" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"AUDIT\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Login Allowed [Logs Infoblox NIOS]" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-b3b496f0-b4e5-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file 
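Review bot: the second filter in infoblox_nios-b3b496f0 (`"infoblox_nios.log.service_name": "httpd"`) limits `Login Allowed` to web-UI logins, but neither the title nor the empty `description` says so, so a reader will take it as all successful logins on the appliance. Either state the scope in the title, e.g. `Login Allowed (Web UI)`, or drop the service filter and add `infoblox_nios.log.service_name` to `columns` so logins can be told apart by service. A companion search for denied logins would also be worth adding, since failed logins are the more useful signal on an audit dashboard, provided the pipeline emits a corresponding `event.action` value.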
diff --git a/packages/infoblox_nios/kibana/search/infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/search/infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..84e82945bb8 --- /dev/null +++ b/packages/infoblox_nios/kibana/search/infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb.json @@ -0,0 +1,42 @@ +{ + "attributes": { + "columns": [ + "dns.question.class", + "dns.question.name", + "dns.question.type" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DNS\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "DNS Query by Class [Logs Infoblox NIOS]" + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-f3899090-b4d7-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/visualization/infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/visualization/infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..d306d420c64 --- /dev/null +++ b/packages/infoblox_nios/kibana/visualization/infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "title": "Count of Leases Renewed Over Time [Logs Infoblox NIOS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "99bb2283-08ad-483a-8912-5039ced3b47e", + "index_pattern_ref_name": "metrics_0_index_pattern", + "interval": "1d", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "d12231fe-9878-4b9f-860f-ff926684e751", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "id": "6bd0749b-2071-4cb9-9287-2e7fe244c469", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_color_mode": null, + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "event.action : \"dhcpack\"" + }, + "id": "53443750-b50b-11ec-b3d6-27b037885c54", + "label": "Count" + } + ], + "split_mode": "filters", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 0, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Count of Leases Renewed Over Time [Logs Infoblox NIOS]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-b9dd7a20-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": [ + 
{ + "id": "logs-*", + "name": "metrics_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/visualization/infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/visualization/infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..bea79d71369 --- /dev/null +++ b/packages/infoblox_nios/kibana/visualization/infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "title": "Count of Leases Declined Over Time [Logs Infoblox NIOS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "99bb2283-08ad-483a-8912-5039ced3b47e", + "index_pattern_ref_name": "metrics_0_index_pattern", + "interval": "1d", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "d12231fe-9878-4b9f-860f-ff926684e751", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "id": "6bd0749b-2071-4cb9-9287-2e7fe244c469", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_color_mode": null, + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "event.action : \"dhcpdecline\"" + }, + "id": "53443750-b50b-11ec-b3d6-27b037885c54", + "label": "Count" + } + ], + "split_mode": "filters", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 0, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Count of Leases Declined Over Time [Logs Infoblox NIOS]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-be579090-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "visualization": "7.17.0" + }, + 
"references": [ + { + "id": "logs-*", + "name": "metrics_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/visualization/infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/visualization/infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..95b23b1cdc1 --- /dev/null +++ b/packages/infoblox_nios/kibana/visualization/infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "title": "Count of Leases Expired Over Time [Logs Infoblox NIOS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "99bb2283-08ad-483a-8912-5039ced3b47e", + "index_pattern_ref_name": "metrics_0_index_pattern", + "interval": "1d", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "d12231fe-9878-4b9f-860f-ff926684e751", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "id": "6bd0749b-2071-4cb9-9287-2e7fe244c469", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_color_mode": null, + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "event.action : \"dhcpexpire\"" + }, + "id": "53443750-b50b-11ec-b3d6-27b037885c54", + "label": "Count" + } + ], + "split_mode": "filters", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 0, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Count of Leases Expired Over Time [Logs Infoblox NIOS]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-c5a9cd40-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "visualization": "7.17.0" + }, + "references": 
[ + { + "id": "logs-*", + "name": "metrics_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/infoblox_nios/kibana/visualization/infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb.json b/packages/infoblox_nios/kibana/visualization/infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb.json new file mode 100644 index 00000000000..449fcec5b56 --- /dev/null +++ b/packages/infoblox_nios/kibana/visualization/infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb.json 
@@ -0,0 +1,95 @@ +{ + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"infoblox_nios.log\" and infoblox_nios.log.type : \"DHCP\"" + } + } + }, + "title": "Count of Leases Released Over Time [Logs Infoblox NIOS]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "drop_last_bucket": 0, + "id": "99bb2283-08ad-483a-8912-5039ced3b47e", + "index_pattern_ref_name": "metrics_0_index_pattern", + "interval": "1d", + "isModelInvalid": false, + "max_lines_legend": 1, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "formatter": "number", + "id": "d12231fe-9878-4b9f-860f-ff926684e751", + "label": "Count", + "line_width": 1, + "metrics": [ + { + "id": "6bd0749b-2071-4cb9-9287-2e7fe244c469", + "type": "count" + } + ], + "override_index_pattern": 0, + "palette": { + "name": "default", + "type": "palette" + }, + "point_size": 1, + "separate_axis": 0, + "series_drop_last_bucket": 0, + "split_color_mode": null, + "split_filters": [ + { + "color": "#68BC00", + "filter": { + "language": "kuery", + "query": "event.action : \"dhcprelease\"" + }, + "id": "53443750-b50b-11ec-b3d6-27b037885c54", + "label": "Count" + } + ], + "split_mode": "filters", + "stacked": "none", + "time_range_mode": "entire_time_range" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "time_range_mode": "entire_time_range", + "tooltip_mode": "show_all", + "truncate_legend": 0, + "type": "timeseries", + "use_kibana_indexes": false + }, + "title": "Count of Leases Released Over Time [Logs Infoblox NIOS]", + "type": "metrics" + } + }, + "coreMigrationVersion": "7.17.0", + "id": "infoblox_nios-ce5187d0-b57a-11ec-80e1-4bd67c5762eb", + "migrationVersion": { + "visualization": "7.17.0" + }, + 
"references": [ + { + "id": "logs-*", + "name": "metrics_0_index_pattern", + "type": "index-pattern" + } + ], + "type": "visualization" +} \ No newline at end of file diff --git a/packages/infoblox_nios/manifest.yml b/packages/infoblox_nios/manifest.yml new file mode 100644 index 00000000000..def5dd278a5 --- /dev/null +++ b/packages/infoblox_nios/manifest.yml 
@@ -0,0 +1,98 @@ +format_version: 1.0.0 +name: infoblox_nios +title: Infoblox NIOS +version: 0.1.0 +license: basic +description: Collect logs from Infoblox NIOS with Elastic Agent. +type: integration +categories: + - security +release: beta +conditions: + kibana.version: ^7.17.0 || ^8.0.0 +screenshots: + - src: /img/infoblox-nios-screenshot.png + title: Infoblox NIOS dashboard screenshot + size: 600x600 + type: image/png +icons: + - src: /img/infoblox-logo.svg + title: Infoblox NIOS logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: Infoblox NIOS + title: Infoblox NIOS logs + description: Collect Infoblox NIOS logs. + inputs: + - type: tcp + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9027 + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + title: Collect logs from Infoblox NIOS via TCP input + description: Collecting logs from Infoblox NIOS via TCP input. + - type: udp + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9028 + title: Collect logs from Infoblox NIOS via UDP input + description: Collecting syslog from Infoblox NIOS via UDP input. 
+owner: + github: elastic/security-external-integrations
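Review bot: The "Count of Leases Renewed Over Time" visualization filters on `event.action : "dhcpack"`, but a DHCPACK is sent for both an initial lease assignment and a renewal, so this count includes every successful lease, not only renewals. Either retitle it (for example "Leases Acknowledged") or add a filter on whatever field the pipeline uses to distinguish renewals. The file also ends with `\ No newline at end of file`; add the trailing newline so it matches the other package files.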
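Review bot: The "Count of Leases Declined Over Time" visualization reuses the same internal ids as the previous one (`99bb2283-...`, `d12231fe-...`, `6bd0749b-...`, `53443750-...`). TSVB treats these as object-local so the panels still render, but regenerating distinct ids per saved object avoids confusion when diffing or debugging exported dashboards. The `description` attribute is empty here and in the sibling visualizations; a one-line description of what the `dhcpdecline` count means helps users reading the dashboard. Same trailing-newline point as the other JSON files.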
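Review bot: In the `ssl` variable of the TCP input, the description reads "i.e. certificate_authorities, supported_protocols, verification_mode etc."; it should be "e.g." since these are examples. The commented default only shows `certificate_authorities`, which is what the listener uses to verify a client certificate, but when the appliance connects over secure TCP the Agent side is the TLS server and must present its own `certificate` and `key`; adding those two keys to the commented sample (with placeholder paths) would make the option usable without reading the input docs, and with `show_user: false` it is easy to miss. Minor consistency point: the TCP template says "Collecting logs from Infoblox NIOS via TCP input" while the UDP template says "Collecting syslog from Infoblox NIOS via UDP input"; pick one wording for both.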